IP Tables Firewall Example

From IARC 207 Wiki
Revision as of 13:55, 23 December 2015 by imported>Bob

Adapted from the page below, then expanded a bit for my needs (the ipset block-China part is dropped):
https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables

I'm still learning how this all goes together, however, and one thing to watch for: flushing the iptables rules with iptables -F instead of restarting the computer locks you out. The reason is the chain policy: -F removes the rules but leaves the INPUT policy at DROP, so once the ESTABLISHED,RELATED and SSH accept rules are gone every inbound packet, including the packets of your own SSH session, hits the policy and is dropped. To start over on a live box, set the policy to ACCEPT first (sudo iptables -P INPUT ACCEPT), then flush, then load the new file with iptables-restore. As far as I can tell, this rule set is a good base. Its intent is to limit the radio ports (7808 and 7809 below) to UAF address space; note that SSH and ping stay open from anywhere, and any UDP from 137.229.0.0/16 is accepted on every port.


Dump the following into /etc/iptables.firewall.rules

*filter
# Default policies: drop anything inbound that no rule accepts. This box does not
# route, so FORWARD is dropped by policy too (the explicit rule at the end is belt and braces).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

#  Accept all established/related inbound traffic first (from Jim). This is the rule
#  that keeps an existing SSH session alive, so it goes before anything that can drop.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all loopback (lo) traffic and reject anything addressed to 127/8 that
#  did not arrive on lo (spoofed loopback)
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  All-hosts multicast from 137.229.94.2. The original line had 244.0.0.1, which is in
#  the reserved 240/4 block and can never arrive; the all-hosts group is 224.0.0.1.
-A INPUT -s 137.229.94.2 -d 224.0.0.1 -j ACCEPT
#-A INPUT -s 224.0.0.1 -p udp -m udp -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
#-A INPUT -p tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

#  Radio ports 7808 and 7809: only from the two allowed /16s. Loopback clients are
#  already accepted by the -i lo rule above; the original also had
#  "-s 127.0.0.0/8 ... -j ACCEPT" lines here, but a 127/8 source arriving on any
#  other interface is a spoofed packet, so those lines are left out and such
#  packets fall through to the DROP.
-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 199.165.0.0/16  -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -p tcp --dport 7808 -j DROP

-A INPUT -s 137.229.0.0/16  -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -p tcp --dport 7809 -j DROP


#  Any UDP from the UAF /16, on every port (there is no --dport here; narrow it
#  down if the radio's UDP port is known).
-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT

#  Allow new SSH connections from anywhere
#
#  The --dport number must match the Port line in sshd_config. Add
#  -s 137.229.0.0/16 if off-campus SSH is not needed.
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls (disabled once I saw what all was getting blocked)
##-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
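To see why the flush locks you out, and to check what the rule set actually lets in before loading it on a live box, here is a small model of how netfilter walks a built-in chain: the first matching rule wins, LOG does not terminate, and when nothing matches the chain policy decides. This is an added example, not code from the wiki page or from the linked article, and it never touches the kernel. It parses a copy of the INPUT rules above (the duplicate ESTABLISHED line, the multicast line, the loopback-source lines and the commented-out lines are left out), supports only the match options that file uses, and the test packets are made up: 137.229.94.10 stands in for the firewalled host and 203.0.113.7 for an outside machine.

```python
"""Model of netfilter walking a built-in chain from an iptables-restore file:
first matching rule wins, LOG does not terminate, and when nothing matches the
chain policy decides. Added example; it never touches the kernel."""
import ipaddress
import shlex
from dataclasses import dataclass

# Copy of the page's INPUT rules (see the lead-in for what is left out).
RULES_FILE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 199.165.0.0/16 -p tcp -m tcp --dport 7808 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7808 -j DROP
-A INPUT -s 137.229.0.0/16 -p tcp -m tcp --dport 7809 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp --dport 7809 -j DROP
-A INPUT -s 137.229.0.0/16 -p udp -m udp -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

@dataclass
class Packet:
    src: str
    dst: str = "137.229.94.10"  # constructed address for the firewalled host
    proto: str = "tcp"
    dport: int = 0
    iface: str = "eth0"
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    icmp_type: str = ""

def parse_restore(text):
    """Return (policies, chains): chain -> policy target, chain -> list of rule dicts."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule, i = {"chain": toks[1]}, 2
        while i < len(toks):
            opt = toks[i]
            if opt in ("-m", "--limit", "--log-prefix", "--log-level"):
                i += 2  # module loads and LOG options do not affect matching
            elif opt in ("-i", "-s", "-d", "-p", "--dport", "--icmp-type", "-j"):
                rule[opt], i = toks[i + 1], i + 2
            elif opt == "--state":
                rule[opt], i = set(toks[i + 1].split(",")), i + 2
            else:
                raise ValueError("unsupported option %s in: %s" % (opt, line))
        chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """Every criterion present on the rule must hold; absent criteria match anything."""
    in_net = lambda a, n: ipaddress.ip_address(a) in ipaddress.ip_network(n, strict=False)
    checks = (("-i", lambda v: v == pkt.iface), ("-s", lambda v: in_net(pkt.src, v)),
              ("-d", lambda v: in_net(pkt.dst, v)), ("-p", lambda v: v == pkt.proto),
              ("--dport", lambda v: int(v) == pkt.dport), ("--state", lambda v: pkt.state in v),
              ("--icmp-type", lambda v: v == pkt.icmp_type))
    return all(test(rule[opt]) for opt, test in checks if opt in rule)

def walk(policies, chains, chain, pkt, flushed=False):
    """Verdict for pkt. flushed=True models iptables -F: rules gone, policy kept."""
    for rule in ([] if flushed else chains[chain]):
        if matches(rule, pkt) and rule["-j"] != "LOG":  # LOG is non-terminating
            return rule["-j"]
    return policies[chain]  # chain exhausted: the default policy decides

POLICIES, CHAINS = parse_restore(RULES_FILE)

def decide(pkt, flushed=False):
    return walk(POLICIES, CHAINS, "INPUT", pkt, flushed)

def lockout_after_flush():
    """Packets of an already-open SSH session from outside, before and after a flush."""
    ssh = Packet("203.0.113.7", dport=22, state="ESTABLISHED")
    return decide(ssh), decide(ssh, flushed=True)

if __name__ == "__main__":
    for p in (Packet("137.229.10.20", dport=7808), Packet("203.0.113.7", dport=7808),
              Packet("127.0.0.5", dport=7808),  # loopback source arriving on eth0: spoofed
              Packet("203.0.113.7", dport=22), Packet("137.229.5.5", proto="udp", dport=5000)):
        print(p.src, p.proto, p.dport, p.state, "->", decide(p))
    print("established SSH before/after iptables -F:", lockout_after_flush())
```

Running it prints the verdict for each sample packet. The flushed=True case is the iptables -F situation described above: the rules are gone, the INPUT policy is still DROP, and the packets of the established SSH session now reach the policy instead of the ESTABLISHED,RELATED accept rule. The same model shows why a 127/8 source arriving on eth0 is dropped rather than accepted, and that a packet addressed to 127.0.0.1 from outside is rejected before the SSH rule is ever reached.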

Those are the rules. Next, tell the system to load them at boot, before any network interface comes up (this hook directory belongs to ifupdown, i.e. Debian-style /etc/network/interfaces setups):

sudo nano /etc/network/if-pre-up.d/firewall

Add the following to that file:

#!/bin/sh
# Runs once for every interface that comes up; loading the whole file each time is
# fine because iptables-restore replaces the table in one atomic step.
/sbin/iptables-restore < /etc/iptables.firewall.rules

Next, make sure it is executable:

sudo chmod +x /etc/network/if-pre-up.d/firewall


Should be golden. After the next reboot, sudo iptables -L INPUT -n -v should list the rules above with the chain policy shown as DROP.