en:bpi-r2:network:iptables
en:bpi-r2:network:iptables [2018/02/04 17:21] – frank | en:bpi-r2:network:iptables [2023/06/08 17:06] (current) – external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
+ | ====== IPTables ====== | ||
+ | |||
+ | FIXME | ||
+ | |||
+ | {{ : | ||
+ | ===== IPv4 ===== | ||
+ | |||
+ | < | ||
+ | #delete previous rules | ||
+ | ${ipt} -F | ||
+ | ${ipt} -X | ||
+ | ${ipt} -t nat -F | ||
+ | ${ipt} -t nat -X | ||
+ | ${ipt} -t mangle -F | ||
+ | ${ipt} -t mangle -X | ||
+ | |||
+ | # Default-Rule for IPv4: drop all | ||
+ | ${ipt} -P INPUT DROP | ||
+ | ${ipt} -P OUTPUT | ||
+ | ${ipt} -P FORWARD DROP | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # policy for TCP-Reset/ | ||
+ | ${ipt} -N REJECTED | ||
+ | if [[ ! " | ||
+ | then | ||
+ | echo " | ||
+ | ${ipt} -A REJECTED -m limit --limit 10/min -j LOG --log-prefix " | ||
+ | fi | ||
+ | ${ipt} -A REJECTED -p tcp -j REJECT --reject-with tcp-reset | ||
+ | ${ipt} -A REJECTED -p udp -j REJECT --reject-with icmp-port-unreachable | ||
+ | ${ipt} -A REJECTED -j DROP | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # localhost | ||
+ | ${ipt} -A INPUT -i lo -j ACCEPT | ||
+ | ${ipt} -A OUTPUT -o lo -j ACCEPT | ||
+ | |||
+ | ${ipt} -A OUTPUT -j ACCEPT | ||
+ | ${ipt} -A INPUT -m state --state RELATED, | ||
+ | ${ipt} -A INPUT -p icmp -m limit --limit 5/s --icmp-type echo-request -j ACCEPT # ICMP incoming, max 5/s | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | #Block Teredo-Stuff | ||
+ | #${ipt} -I FORWARD -p udp --dport 3544 -j REJECTED | ||
+ | #${ipt} -I FORWARD -p udp --sport 3544 -j REJECTED | ||
+ | # | ||
+ | ${ipt} -A FORWARD -p 41 -j REJECTED #IPv6 Encapsulation | ||
+ | ${ipt} -A FORWARD -p 43 -j REJECTED #Routing Header for IPv6 | ||
+ | ${ipt} -A FORWARD -p 44 -j REJECTED #Fragment Header for IPv6 | ||
+ | ${ipt} -A FORWARD -p 58 -j REJECTED #ICMP for IPv6 | ||
+ | ${ipt} -A FORWARD -p 59 -j REJECTED #No Next Header for IPv6 | ||
+ | ${ipt} -A FORWARD -p 60 -j REJECTED # | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | #ssh with rate-limit (replacing hosts.allow) | ||
+ | ${ipt} -I INPUT -p tcp --dport 22 -i ${if_ext} -m state --state NEW -m recent --set | ||
+ | ${ipt} -I INPUT -p tcp --dport 22 -i ${if_ext} -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECTED #4 connections in 1 minute | ||
+ | ${ipt} -A INPUT -p tcp --dport | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | ${ipt} -A FORWARD -i ${if_int} -o ${if_ext} -j ACCEPT #Forwarding Int->Ext | ||
+ | ${ipt} -A FORWARD -i ${if_ext} -o ${if_int} -m state --state ESTABLISHED, | ||
+ | |||
+ | ${ipt} -A INPUT -i ${if_int} -j ACCEPT #accept all request from internal | ||
+ | </ | ||
+ | ... (some other rules, e.g. [[# | ||
+ | < | ||
+ | # REJECT/ | ||
+ | ${ipt} -A INPUT -j REJECTED | ||
+ | ${ipt} -A OUTPUT | ||
+ | ${ipt} -A FORWARD -j REJECTED | ||
+ | </ | ||
+ | |||
+ | additional options: | ||
+ | < | ||
+ | # | ||
+ | echo 1 > / | ||
+ | |||
+ | if [ -f / | ||
+ | echo " | ||
+ | echo 0 > / | ||
+ | fi | ||
+ | |||
+ | if [ -f / | ||
+ | echo " | ||
+ | echo 1 > / | ||
+ | fi | ||
+ | |||
+ | </ | ||
+ | ==== Port-Forwardings ==== | ||
+ | |||
+ | === setup === | ||
+ | |||
+ | forward port 522 to Client 192.168.0.5 port 22 | ||
+ | |||
+ | ${ipt} -t nat -A PREROUTING -p tcp --dport 522 -j DNAT --to-destination 192.168.0.5: | ||
+ | |||
+ | === show === | ||
+ | |||
+ | iptables -L -t nat | ||
+ | | ||
+ | Chain PREROUTING (policy ACCEPT) | ||
+ | target | ||
+ | DNAT | ||
+ | |||
+ | ==== active-ftp ==== | ||
+ | |||
+ | to allow active-ftp from a client you need to load 2 modules and set 1 iptables-rule | ||
+ | |||
+ | modprobe ip_conntrack_ftp | ||
+ | modprobe ip_nat_ftp ports=21 | ||
+ | |||
+ | |||
+ | ${ipt} -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED, | ||
+ | |||
+ | |||
+ | ===== IPv6 ===== | ||