Difference between revisions of "IP Tables Firewall Example"
imported>Bob (Created page with "From here but then I expanded a bit for my needs (and dropped the block china part):</br> https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-...")
Line 1: | Line 1: | ||
− | From here but then I expanded a bit for my needs (and dropped the block china part): | + | From here but then I expanded a bit for my needs (and dropped the block china part): |
− | https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables | + | *https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables |
I'm still learning how this all goes together however... and one thing. for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right so watch out for that when configuring and testing. As far as I can tell though, this rule set is a good base and my intention is that it restricts access to just the UAF domain for the radio as well as ssh. | I'm still learning how this all goes together however... and one thing. for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right so watch out for that when configuring and testing. As far as I can tell though, this rule set is a good base and my intention is that it restricts access to just the UAF domain for the radio as well as ssh. | ||
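Review bot: the lockout described in the unchanged paragraph ("flushing the iptables rules rather than restarting the computer locks you out") is expected behaviour rather than something configured wrong: the rules file sets the INPUT chain policy to DROP (`:INPUT DROP [0:0]`), and `iptables -F` removes the ACCEPT rules but leaves that policy in place, so every inbound packet, the SSH session included, is dropped. Reset the policy with `iptables -P INPUT ACCEPT` before flushing, or reload the file with `iptables-restore` instead of flushing. The `*` added in front of the URL just makes it a wiki list item, which is fine.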
Line 30: | Line 30: | ||
-A OUTPUT -j ACCEPT | -A OUTPUT -j ACCEPT | ||
− | # Allow HTTP and HTTPS connections from | + | # Allow HTTP and HTTPS connections from UAF (the normal ports for websites and SSL). |
− | + | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT | |
− | + | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT | |
+ | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT | ||
+ | # Allow Ser2net connections from UAF | ||
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | ||
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT | ||
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT | -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT | ||
+ | |||
+ | # I think this drops all others to 7808. | ||
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP | -A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP | ||
+ | # Allow Ser2net connections from UAF | ||
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT | -A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT | ||
+ | -A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT | ||
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7809 -j ACCEPT | -A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7809 -j ACCEPT | ||
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP | -A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP | ||
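Review bot: the new comment "# I think this drops all others to 7808." can be stated definitely: `-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP` matches any source, so it drops whatever the three ACCEPT rules above it did not match; it is also redundant, since the INPUT policy is DROP and the file ends with `-A INPUT -j DROP`, so its only effect is that 7808 drops are counted on this rule instead of the catch-all. The comment added before the 7809 rules is a verbatim copy of the 7808 one; say which ser2net port it covers. Minor style point: the 7808/7809 DROP lines omit `-m tcp` while the ACCEPT lines include it; harmless, because `-p tcp --dport` loads the tcp match implicitly, but keep one form.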
Line 47: | Line 54: | ||
# Allow SSH connections | # Allow SSH connections | ||
− | # | + | # Access controlled through sshd configuration and jail2ban usage |
# The -dport number should be the same port number you set in sshd_config | # The -dport number should be the same port number you set in sshd_config | ||
# | # |
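Review bot: typo in the added comment: "jail2ban" should be "fail2ban", and in the unchanged line below it "-dport" should be "--dport", the option as written in the rules themselves. This comment is also the only place that records that the SSH rule (`-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT`) is not limited to the UAF source ranges the way the 80/443/7808/7809 rules are; worth saying so explicitly, since the page's stated intent is to restrict access to the UAF domain.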
Revision as of 11:35, 28 January 2016
From here but then I expanded a bit for my needs (and dropped the block china part):
*https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
I'm still learning how this all goes together, however... and one thing: for some reason here, flushing the iptables rules rather than restarting the computer locks you out. It must be something I don't have quite right, so watch out for that when configuring and testing. As far as I can tell, though, this rule set is a good base, and my intention is that it restricts access to just the UAF domain for the radio as well as ssh.
Dump the following into /etc/iptables.firewall.rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# from Jim:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Note: 244.0.0.1 lies in the reserved 240.0.0.0/4 block, so this rule never matches real traffic;
# the IPv4 all-hosts multicast address is 224.0.0.1, as used in the commented-out rule below.
-A INPUT -s 137.229.94.2 -d 244.0.0.1 -j ACCEPT
#-A INPUT -s 224.0.0.1 -p udp -m udp -j ACCEPT

# Accept all established inbound connections (same rule as above; the duplicate is harmless)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from UAF (the normal ports for websites and SSL).
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT

# Allow Ser2net connections (port 7808) from UAF and localhost
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7808 -j ACCEPT

# Drop 7808 from every other source (also covered by the INPUT DROP policy and the final -A INPUT -j DROP below)
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP

# Allow Ser2net connections (port 7809) from UAF and localhost
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP

# Allow all UDP from the UAF 137.229.0.0/16 range (any port)
-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT

# Allow SSH connections
# Access controlled through sshd configuration and fail2ban usage
# The --dport number should be the same port number you set in sshd_config
# Note: unlike the rules above, this is not limited to the UAF source ranges.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log iptables denied calls (disabled once I saw what all was getting blocked)
##-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
Those are our rules. Next, the computer needs to be told to load them at boot:
sudo nano /etc/network/if-pre-up.d/firewall
Add the following to that file:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
Next, make sure it is executable:
sudo chmod +x /etc/network/if-pre-up.d/firewall
Should be golden.
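As an added example (not from the original page or from the mattwilcox.net post), a small POSIX shell helper for the two pitfalls above: it lints a rules file such as /etc/iptables.firewall.rules for the lockout pattern before loading, flushes without dropping your own SSH session, and applies a file with an automatic rollback timer. The function names and the backup path are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page: lint a rules file such as
# /etc/iptables.firewall.rules before loading it, flush without locking
# yourself out, and apply with a rollback timer. Function names and the
# backup path are assumptions of this example.

# With ":INPUT DROP" as the chain policy, "iptables -F" on its own removes
# every ACCEPT rule but keeps the DROP policy, so the SSH session dies.
# Reset the policies to ACCEPT first. (Needs root.)
safe_flush() {
    iptables -P INPUT ACCEPT && iptables -P FORWARD ACCEPT && iptables -P OUTPUT ACCEPT &&
    iptables -F && iptables -X
}

# Static checks on a rules file. Returns 0 when it looks loadable and will
# not obviously lock out SSH; prints each problem found otherwise.
check_rules() {
    f="$1"; rc=0
    grep -q '^\*filter' "$f" || { echo "missing *filter table header"; rc=1; }
    grep -q '^COMMIT' "$f" || { echo "missing COMMIT"; rc=1; }
    # A DROP policy on INPUT needs an explicit accept for the SSH port.
    if grep -q '^:INPUT DROP' "$f" && ! grep -q -- '-A INPUT .*--dport 22 .*-j ACCEPT' "$f"; then
        echo "INPUT policy is DROP but nothing accepts tcp/22: remote lockout"; rc=1
    fi
    # The stateful accept must come before the catch-all DROP, or replies
    # to outbound connections are dropped.
    est=$(grep -n -- '--state ESTABLISHED,RELATED -j ACCEPT' "$f" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- '^-A INPUT -j DROP' "$f" | head -n 1 | cut -d: -f1)
    if [ -n "$drop" ] && { [ -z "$est" ] || [ "$est" -gt "$drop" ]; }; then
        echo "ESTABLISHED,RELATED accept is missing or comes after the final INPUT DROP"; rc=1
    fi
    return $rc
}

# Load a rules file, then revert to the previous ruleset after N seconds
# (default 60) unless the printed timer PID is killed from a session that
# still works. (Needs root.)
apply_with_rollback() {
    backup="/tmp/iptables.backup.$$"   # assumed path
    iptables-save > "$backup" || return 1
    iptables-restore < "$1" || return 1
    ( sleep "${2:-60}" && iptables-restore < "$backup" ) &
    echo "rollback timer pid $!: kill it once you have confirmed SSH still works"
}
```

Run `check_rules /etc/iptables.firewall.rules` as an unprivileged user before editing the if-pre-up script; only `safe_flush` and `apply_with_rollback` need root.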