Special:Badtitle/NS100:IptablesHowTo: revision difference
Revision as of 10:54, 24 May 2007 (Thursday)
Source: https://help.ubuntu.com/community/IptablesHowTo
THIS IS NOT COMPLETE AND SHOULD BE COMPLETED BY SOMEONE WHO KNOWS MORE THAN ME! THANKS
Basic Iptables How to for Ubuntu Server Edition
Iptables is a firewall, installed by default on Ubuntu Server. On a regular Ubuntu install, iptables is installed but allows all traffic (so the firewall is effectively inactive).
There is a wealth of information available about iptables, but much of it is fairly complex, and if you want to do a few basic things, this How To is for you.
Basic Commands
Typing
# iptables -L
lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Allowing Established Sessions
We can allow established sessions to receive traffic:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing Incoming Traffic on Specific Ports
You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.
To allow incoming traffic on port 22 (traditionally used by SSH), you could tell iptables to allow all TCP traffic on port 22 of your network adapter.
# iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
Specifically, this appends (-A) to the INPUT chain a rule saying that any TCP traffic arriving on interface (-i) eth0 with the ssh destination port should jump (-j) to, that is, be handled by, the ACCEPT target.
Let's check the rules (only the first few lines are shown; you will see more):
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
Now, let's allow all web traffic
# iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
Checking our rules, we have
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
We have specifically allowed tcp traffic to the ssh and web ports, but as we have not blocked anything, all traffic can still come in.
Blocking Traffic
Once a decision is made about a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, as long as our rule to block all traffic comes after them, we can still accept the traffic we want. All we need to do is put the rule to block all traffic at the end. The -A command tells iptables to append the rule at the end, so we'll use that again.
# iptables -A INPUT -j DROP
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       all  --  anywhere             anywhere
Because we didn't specify an interface or a protocol, any traffic for any port on any interface is blocked, except for web and ssh.
Editing iptables
The only problem with our setup so far is that even the loopback interface (lo) is blocked. We could have written the drop rule for just eth0 by specifying -i eth0, but we could also add a rule for the loopback. If we append this rule, it will come too late, after all the traffic has already been dropped. We need to insert this rule as the fourth rule in the chain.
# iptables -I INPUT 4 -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
The last two lines look nearly the same, so we will list iptables in greater detail.
# iptables -L -v
Logging
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way:
# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
See Tips section for more ideas on logging.
Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than typing it in each time you reboot, you can save the configuration and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.
Configuration on startup
Save your firewall rules to a file
# iptables-save > /etc/iptables.up.rules
Then modify the /etc/network/interfaces script to apply the rules automatically (the bottom line is added)
auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.up.rules
You can also prepare a set of down rules and apply it automatically
auto eth0
iface eth0 inet dhcp
  pre-up iptables-restore < /etc/iptables.up.rules
  post-down iptables-restore < /etc/iptables.down.rules
Tips
If you manually edit iptables on a regular basis
The above steps go over how to set up your firewall rules and presume they will be relatively static (and for most people they should be). But if you do a lot of development work, you may want to have your iptables saved every time you reboot. You could add a line like this one in /etc/network/interfaces:
  pre-up iptables-restore < /etc/iptables.up.rules
  post-down iptables-save > /etc/iptables.up.rules
The line "post-down iptables-save > /etc/iptables.up.rules" will save the rules to be used on the next boot.
Using iptables-save/restore to test rules
If you edit your iptables beyond this tutorial, you may want to use the iptables-save and iptables-restore feature to edit and test your rules. To do this, open the rules file in your favorite text editor (in this example gedit).
# iptables-save > /etc/iptables.test.rules
# gedit /etc/iptables.test.rules
You will have a file that appears similar to the following (continuing the example above):
# Generated by iptables-save v1.3.1 on Sun Apr 23 06:19:53 2006
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
# Completed on Sun Apr 23 06:19:53 2006
Notice that these are iptables commands minus the iptables command itself. Feel free to edit this file and save it when complete. Then, to test it, simply run:
# iptables-restore < /etc/iptables.test.rules
After testing, if you have not added the iptables-save command above to your /etc/network/interfaces, remember not to lose your changes:
# iptables-save > /etc/iptables.up.rules
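Two things on this page are easy to get wrong when editing the rules file by hand: the ordering rule from "Editing iptables" (a rule appended after the catch-all DROP never matches) and forgetting the SSH rule before restoring over an SSH session. The script below is an added example, not code from the HowTo or from the iptables project; it checks a file in iptables-save format before you hand it to iptables-restore. The function names and the two constructed sample files are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: sanity-check an iptables-save
# file before handing it to iptables-restore. It flags the mistake the text
# describes (an ACCEPT rule appended after the catch-all DROP never matches),
# a missing SSH rule that would lock you out, and a chain with no final DROP.

# Position (1-based) within the INPUT chain of the first rule matching the
# extended-regex pattern $2, or empty if none does. Only "-A INPUT" lines are
# counted, so positions match what "iptables -L --line-numbers" would show.
input_rule_pos() {
    grep -E '^-A INPUT ' "$1" | grep -nE -e "$2" | head -n 1 | cut -d: -f1
}

# Fail unless the rule matching $2 exists in INPUT and sits before position $4.
require_before_drop() {
    pos=$(input_rule_pos "$1" "$2")
    if [ -z "$pos" ]; then
        echo "$1: no $3 rule in the INPUT chain" >&2
        return 1
    fi
    if [ "$pos" -gt "$4" ]; then
        echo "$1: $3 rule is at position $pos, after the DROP at $4, so it never matches" >&2
        return 1
    fi
}

# Returns 0 when the file passes, 1 (with the reason on stderr) otherwise.
check_rules_file() {
    f=$1
    if ! grep -q '^\*filter' "$f" || ! grep -q '^COMMIT' "$f"; then
        echo "$f: missing *filter table header or COMMIT line" >&2
        return 1
    fi
    # The catch-all: "-A INPUT -j DROP" with no match options, or the jump to
    # the LOGNDROP chain from the logging example.
    drop=$(input_rule_pos "$f" '^-A INPUT -j (DROP|LOGNDROP)$')
    if [ -z "$drop" ]; then
        echo "$f: INPUT has no final DROP/LOGNDROP rule, so all traffic is still allowed" >&2
        return 1
    fi
    # Older iptables-save writes "-m state --state", newer "-m conntrack --ctstate".
    require_before_drop "$f" '(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED)' \
        'ESTABLISHED,RELATED ACCEPT' "$drop" || return 1
    require_before_drop "$f" '--dport (22|ssh) -j ACCEPT' 'SSH ACCEPT' "$drop" || return 1
    require_before_drop "$f" '-i lo -j ACCEPT' 'loopback ACCEPT' "$drop" || return 1
    echo "$f: ok (DROP is rule $drop; ESTABLISHED, SSH and loopback rules precede it)"
}

# Constructed sample mirroring the ruleset the text builds, with counters zeroed.
write_good_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
EOF
}

# Constructed sample with the ordering mistake: the loopback rule was appended
# with -A instead of inserted with "-I INPUT 4", so it lands behind the DROP.
write_bad_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# Check a file given on the command line, e.g. /etc/iptables.test.rules.
[ $# -eq 0 ] || check_rules_file "$1"
```

The check only reads the file, so it needs no root and can run on a workstation before the file is copied to the server.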
More detailed Logging
For further detail in your syslog you may want to create an additional chain. This will be a very brief example of my /etc/iptables.up.rules showing how I set up my iptables to log to syslog:
# Generated by iptables-save v1.3.1 on Sun Apr 23 05:32:09 2006
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Apr 23 05:32:09 2006
Note the new chain called LOGNDROP at the top of the file. Also, the standard DROP at the bottom of the INPUT chain is replaced with a jump to LOGNDROP, and per-protocol log prefixes are added so the entries make sense when you read the log. Lastly we drop the traffic at the end of the LOGNDROP chain. The following gives some idea of what is happening:
--limit
    sets the number of times to log the same rule to syslog
--log-prefix "Denied..."
    adds a prefix to make finding the entries in the syslog easier
--log-level 7
    sets the syslog level to informational (see man syslog for more detail, but you can probably leave this)
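The LOG target writes one kernel line per logged packet with SRC=, DST=, PROTO=, SPT= and DPT= fields, which is hard to read once the "Denied TCP:" lines start piling up. The script below is an added example, not part of the HowTo: it groups those lines by protocol and destination port, so a port scan or a misbehaving client shows up as one row with a hit count and the number of distinct sources. The function names and the constructed syslog extract (RFC 5737 documentation addresses) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original HowTo: summarise the lines the LOG
# rules write to syslog. Works on the "iptables denied: " prefix from the
# quick rule as well as the "Denied TCP:/UDP:/ICMP: " prefixes from LOGNDROP.

# Print one row per protocol/port: PROTO DPT HITS SOURCES. DPT is "-" for
# ICMP, which has no ports. Only kernel lines with one of the known prefixes
# are considered; everything else in the log is ignored.
summarize_denied() {
    grep -E 'kernel: .*(iptables denied|Denied (TCP|UDP|ICMP)): ' "$1" |
    awk '
    {
        proto = "?"; dpt = "-"; src = "?"
        # every LOG field is KEY=VALUE; pick out the three we group on
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        key = proto " " dpt
        hits[key]++
        # count each source address once per protocol/port
        if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END { for (k in hits) print k, hits[k], srcs[k] }' | sort
}

# Logged drops for one protocol/port, e.g. "denied_hits /var/log/syslog TCP 23".
denied_hits() {
    summarize_denied "$1" | awk -v p="$2" -v d="$3" '$1 == p && $2 == d { print $3 }'
}

# Distinct source addresses behind those drops.
denied_sources() {
    summarize_denied "$1" | awk -v p="$2" -v d="$3" '$1 == p && $2 == d { print $4 }'
}

# Constructed syslog extract: two hosts probing telnet, one mDNS packet, one
# ping, and an unrelated sshd line that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 23 06:20:01 srv kernel: Denied TCP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 06:20:05 srv kernel: Denied TCP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 06:20:09 srv kernel: Denied TCP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 06:21:00 srv kernel: Denied UDP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=72 TOS=0x00 PREC=0x00 TTL=48 ID=2002 PROTO=UDP SPT=5353 DPT=5353 LEN=52
Apr 23 06:21:30 srv kernel: Denied ICMP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1003 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Apr 23 06:22:00 srv sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2
EOF
}

# Summarise a log file given on the command line, e.g. /var/log/syslog.
[ $# -eq 0 ] || summarize_denied "$1"
```

Because of the --limit 5/min match, the hit counts are a lower bound on what was actually dropped; they tell you who is knocking, not exactly how often.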
Disabling the firewall
If you need to disable the firewall temporarily, you can flush all the rules using
# iptables -F
Easy configuration via GUI
A new user can use Firestarter (a GUI), available in the repositories (Synaptic or apt-get), to configure his or her iptables rules without needing command line knowledge. Please see the tutorial though... Configuration is easy, but may not be enough for the advanced user. However, it should be enough for most home users... The (read: my) suggested outbound configuration is "restrictive", whitelisting each connection type whenever you need it (port 80 for http, 443 for secure http -https-, 1863 for msn chat etc) from the "policy" tab within Firestarter. You can also use it to see active connections from and to your computer... The firewall stays up once it is configured using the wizard. Dial-up users will have to specify in the wizard that it should start automatically on dial-up.
Homepage for firestarter: http://www.fs-security.com/ (again, available in repositories, no compiling required) Tutorial: http://www.fs-security.com/docs/tutorial.php
Personal note: Unfortunately, it does not have the option to block (or ask the user about) connections of specific applications/programs... Thus, my understanding is that once you enable port 80 (i.e. for web access), any program that uses port 80 can connect to any server and do anything it pleases...
Further Information
Netfilter and Iptables Multilingual Documentation
Easy Firewall Generator for IPTables
Credits
Thanks to Rusty Russell and his How-To, as much of this is based on that.