Differences

This shows you the differences between two versions of the page.

--- iptables:basic_firewall [2016/10/20 19:20] – peter
+++ iptables:basic_firewall [2019/11/29 16:38] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - Basic Firewall ======
-===== Verify the IPTables package is installed =====
-<code bash>
-dpkg --list | grep iptables
-</code>
-Returns
-<code>
-ii  iptables                            1.6.0-2ubuntu3                      amd64        administration tools for packet filtering and NAT
-</code>
-===== Verify the Kernel Module is loaded =====
-<code bash>
-lsmod | grep ip_tables
-</code>
-Returns
-<code>
-ip_tables              24576  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
-</code>
-===== Creating iptables rules =====
-<code bash>
-iptables -P INPUT DROP
-iptables -P OUTPUT DROP
-# Allowing Loopback Traffic.
-iptables -I INPUT -i lo -j ACCEPT
-# Allow established connections.
-iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# Allow SSH access.
-# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
-iptables -A INPUT -p tcp --dport 22 -s 192.168.1.2 -j ACCEPT
-# Enable Web.
-# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-# Enable FTP.
-# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
-# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
-# To block an IP range.
-iptables -I INPUT 3 -s 192.168.123.0/24 -j DROP
-</code>
-===== Enable kernel modules =====
-To have FTP work correctly with iptables, ensure that the **ip_conntrack_ftp** module is loaded.
-<code bash>
-modprobe ip_conntrack_ftp
-</code>
-Check that the module is loaded
-<code bash>
-lsmod | grep conntrack
-</code>
-Returns
-<code>
-nf_conntrack_ftp       20480  1 nf_nat_ftp
-nf_conntrack_ipv4      16384  84
-nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
-xt_conntrack           16384  81
-nf_conntrack          106496  9 nf_nat_ftp,nf_nat,xt_state,xt_connlimit,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
-x_tables               36864  25 xt_pkttype,ip6table_filter,ip6table_mangle,xt_length,xt_comment,xt_CHECKSUM,xt_recent,ip_tables,xt_tcpudp,xt_string,ipt_MASQUERADE,xt_limit,xt_state,xt_connlimit,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,ebtables,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw
-</code>
-===== Setup an init script =====
-<file bash /etc/init.d/firewall-sharewiz>
-#!/bin/bash
-#
-# Start and stop the Firewall.
-# Modify the following settings as required:
-### BEGIN INIT INFO
-# Provides:          firewall-sharewiz
-# Required-Start:    $network
-# Required-Stop:
-# Default-Start:     2 3 4 5
-# Default-Stop:      0 1 6
-### END INIT INFO
-IPTABLES=/sbin/iptables
-NAME=firewall-sharewiz
-opts="start stop restart reload status"
-#if [[ $1 == start ]] ; then
-case "$1" in
-    start)
-        /sharewiz/firewall/firewall.sh
-;;
-    stop)
-        $IPTABLES --flush
-        $IPTABLES -t nat --flush
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        $IPTABLES -t nat -P POSTROUTING ACCEPT
-        $IPTABLES -t nat -P PREROUTING ACCEPT
-        $IPTABLES -t nat -P OUTPUT ACCEPT
-;;
-    restart|reload)
-#        $0 stop
-#        $0 start
-        $IPTABLES --flush
-        $IPTABLES -t nat --flush
-        $IPTABLES -F -t mangle
-        $IPTABLES -P INPUT ACCEPT
-        $IPTABLES -P OUTPUT ACCEPT
-        $IPTABLES -P FORWARD ACCEPT
-        $IPTABLES -t nat -P POSTROUTING ACCEPT
-        $IPTABLES -t nat -P PREROUTING ACCEPT
-        $IPTABLES -t nat -P OUTPUT ACCEPT
-        /sharewiz/firewall/firewall.sh
-;;
-    status)
-        $IPTABLES --list
-        $IPTABLES -t nat --list
-        $IPTABLES -t mangle --list
-;;
-    *)
-        echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|status}" >&2
-        exit 1
-;;
-esac
-exit 0·
-</file>