iptables Cheat Sheet: Creating Firewall Rules for Common Scenarios, Cheat Sheet of Computer Science

Download iptables Cheat Sheet: Creating Firewall Rules for Common Scenarios and more Cheat Sheet Computer Science in PDF only on Docsity! Introduction Iptables is a software firewall for Linux distributions. This cheat sheet-style guide provides a quick reference to iptables commands that will create firewall rules that are useful in common, everyday scenarios. This includes iptables examples of allowing and blocking various services by port, network interface, and source IP address. How To Use This Guide Most of the rules that are described here assume that your iptables is set to DROP incoming traffic, through the default input policy, and you want to selectively allow inbound traffic Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently Use the Contents menu on the right side of this page (at wide page widths) or your browser’s find function to locate the sections you need Copy and paste the command-line examples given, substituting the highlighted values with your own Keep in mind that the order of your rules matter. All of these iptables commands use the -A option to append the new rule to the end of a chain. If you want to put it somewhere else in the chain, you can use the -I option which allows you to specify the position of the new rule (or place it at the beginning of the chain by not specifying a rule number). Remember that you can check your current iptables ruleset with sudo iptables -S and sudo iptables -L . Let’s take a look at the iptables commands! Saving Rules Iptables rules are ephemeral, which means they need to be manually saved for them to persist after a reboot. On Ubuntu, one way to save iptables rules is to use the iptables-persistent package. Install it with apt like this: During the installation, you will be asked if you want to save your current firewall rules. If you update your firewall rules and want to save the changes, run this command: Other Linux distributions may have alternate ways of making your iptables changes permanent. Please refer to the relevant documentation for more information. Listing and Deleting Rules If you want to learn how to list and delete iptables rules, check out this tutorial: How To List and Delete Iptables Firewall Rules. Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via a web-based console to fix your access. If you’re using DigitalOcean, you can read our Recovery Console product documentation for more information. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server. $ sudo apt install iptables-persistent Copy $ sudo netfilter-persistent save Copy This is the same as the previous example, with the addition of -i eth0 . The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network. Service: SSH If you’re using a server without a local console, you will probably want to allow incoming SSH connections (port 22 so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules. Allowing All Incoming SSH To allow all incoming SSH connections run these commands: The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing Incoming SSH from Specic IP address or subnet To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 203.0.113.0/24 subnet, run these commands: The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing Outgoing SSH If your firewall OUTPUT policy is not set to ACCEPT , and you want to allow outgoing SSH connections—your server initiating an SSH connection to another server—you can run these commands: $ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISH $ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED Copy $ sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 22 -m conntrack --ct $ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED Copy Allowing Incoming Rsync from Specic IP Address or Subnet Rsync, which runs on port 873, can be used to transfer files from one computer to another. To allow incoming rsync connections from a specific IP address or subnet, specify the source IP address and the destination port. For example, if you want to allow the entire 203.0.113.0/24 subnet to be able to rsync to your server, run these commands: The second command, which allows the outgoing traffic of established rsync connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Service: Web Server Web servers, such as Apache and Nginx, typically listen for requests on port 80 and 443 for HTTP and HTTPS connections, respectively. If your default policy for incoming traffic is set to drop or deny, you will want to create rules that will allow your server to respond to those requests. Allowing All Incoming HTTP To allow all incoming HTTP (port 80 connections run these commands: The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing All Incoming HTTPS To allow all incoming HTTPS (port 443 connections run these commands: $ sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLIS $ sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED - Copy $ sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 873 -m conntrack --c $ sudo iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED Copy $ sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISH $ sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED Copy The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing All Incoming HTTP and HTTPS If you want to allow both HTTP and HTTPS traffic, you can use the multiport module to create a rule that allows both ports. To allow all incoming HTTP and HTTPS (port 443 connections run these commands: The second command, which allows the outgoing traffic of established HTTP and HTTPS connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Service: MySQL MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic. Allowing MySQL from Specic IP Address or Subnet To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 203.0.113.0/24 subnet, run these commands: The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing MySQL to Specic Network Interface $ sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLIS $ sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED Copy $ sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --cts $ sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ct Copy $ sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 3306 -m conntrack -- $ sudo iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHE Copy Allowing All Incoming IMAPS To allow your server to respond to IMAPS connections, port 993, run these commands: The second command, which allows the outgoing traffic of established IMAPS connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing All Incoming POP3 To allow your server to respond to POP3 connections, port 110, run these commands: The second command, which allows the outgoing traffic of established POP3 connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Allowing All Incoming POP3S To allow your server to respond to POP3S connections, port 995, run these commands: The second command, which allows the outgoing traffic of established POP3S connections, is only necessary if the OUTPUT policy is not set to ACCEPT . Conclusion That should cover many of the commands that are commonly used when configuring an iptables firewall. Of course, iptables is a very flexible tool so feel free to mix and match the commands with different options to match your specific needs if they aren’t covered here. If you’re looking for help determining how your firewall should be set up, check out this tutorial: How To Choose an Effective Firewall Policy to Secure your Servers. $ sudo iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLIS $ sudo iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED Copy $ sudo iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLIS $ sudo iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED Copy $ sudo iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLIS $ sudo iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED Copy ### NAT ### iptables -F && iptables -t nat -F iptables -t nat -A PREROUTING -d 10.1.31.116/24 -p UDP --dport 53 -j DNA iptables -t nat -A PREROUTING -d 10.1.31.116/24 -p TCP --dport 80 -j DNA iptables -t nat -A POSTROUTING -s 10.101.10.128/25 -o enp0s9 -j SNAT --t ### INPUT ### iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -j REJECT ### OUTPUT ### iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A OUTPUT -j REJECT ### FORWARD ### iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #DMZ peut faire des requetes DNS iptables -A FORWARD -s 10.101.10.0/25 -p udp --dport 53 -d 10.101.10.130 #Local vers DMZ et internet iptables -A FORWARD -s 10.101.10.128/25 -d 10.101.10.0/25 -j ACCEPT iptables -A FORWARD -s 10.101.10.128/25 -o enp0s9 -j ACCEPT # connexion internet vers DMZ iptables -A FORWARD -i enp0s9 -d 10.101.10.130 -p udp --dport 53 -j ACCE iptables -A FORWARD -i enp0s9 -d 10.101.10.20 -p tcp --dport 80 -j ACCEP iptables -A FORWARD -j REJECT iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT #request iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT #reply