Difference between revisions of "Iptables"

From MineOS
iptables is the standard firewall software. The syntax is a little bit difficult, but luckily, lots of it can be reproduced very easily since the firewall behavior is very similar for each port. iptables is installed by default, but it runs with an accept-all policy. This will be turned on/locked down in 0.3.1.
 
Confirm iptables is working correctly

# iptables -V
iptables v1.4.9.1
 
 
If you receive an error, it means something was left out of the kernel. Rebuild the kernel with all the networking support added and try again.
 
  
 

Revision as of 05:26, 31 July 2011



Checking iptables rules

# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Adding iptables-rules

By default, the policy is to ACCEPT all input, output, and forward packets. This is the fully unsecured state.

The proper way to secure a server is to lock out ALL inbound contact, and add only that which you need.

Note: if you are completing this step over a remote SSH session (for example, via PuTTY), it is essential that you ACCEPT ssh before you change the default policy to DROP; otherwise the policy change cuts off the very session you are typing in.

Each entry gives the command, then its effect on inbound and outbound packets, the port, the action, and the resulting behavior:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    inbound: matched    outbound: unaffected    port: 22 (SSH)    action: ACCEPT
    behavior: Allow SSH inbound

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    inbound: matched    outbound: unaffected    port: 80 (HTTP)    action: ACCEPT
    behavior: Allow HTTP inbound

iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
    inbound: matched    outbound: unaffected    port: 25565    action: ACCEPT
    behavior: Allow MC clients inbound

iptables -P INPUT DROP
    inbound: matched    outbound: unaffected    port: *    action: DROP
    behavior: All unmatched packets are dropped (policy change)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    inbound: matched    outbound: unaffected    port: *    action: ACCEPT
    behavior: Permit packets into the firewall itself that are part of existing and related connections.

Saving iptables-rules

Once you have a working set of rules you are happy with, you will want to save them, to ensure they persist through reboots.

iptables-save > /etc/iptables-rules

Applying saved rules

To apply the set of rules saved from the above step, execute the following line:

iptables-restore < /etc/iptables-rules

Applying rules on startup

/etc/rc.local is the boot-up script. Any user-specified commands may be entered here, such as the iptables-restore line above.

  1. vi /etc/rc.local
  2. Add iptables-restore < /etc/iptables-rules
  3. Save and quit; reboot
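The procedure above, as an added example (not from the MineOS wiki): a small shell script that emits this page's rule set in iptables-restore format, writes it to the save path the page uses (/etc/iptables-rules by default), and checks an interactive command sequence for the PuTTY lockout mistake described in the note. The function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the MineOS wiki: generate the rule set this page
# describes as an iptables-restore file and check the interactive command
# order so a remote session is not locked out when INPUT is switched to DROP.

# Print the page's rules (SSH, HTTP, MC clients on 25565, ESTABLISHED/RELATED,
# INPUT policy DROP) in iptables-restore format. iptables-restore loads the
# whole table atomically, so the "ACCEPT ssh before DROP" ordering problem of
# the interactive commands cannot occur when rules are applied this way.
mineos_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
COMMIT
EOF
}

# Write the rule set to a file (default is the path used on this page) so
# that "iptables-restore < FILE" can load it at boot from /etc/rc.local.
write_ruleset() {
    mineos_ruleset > "${1:-/etc/iptables-rules}"
}

# Read one iptables command per line on stdin and return 1 if
# "-P INPUT DROP" is reached before the SSH ACCEPT rule: that order would
# drop the packets of the very SSH session issuing the commands.
check_ssh_before_drop() {
    awk '
        BEGIN { ssh_seen = 0; bad = 0 }
        /--dport 22 .*-j ACCEPT/ { ssh_seen = 1 }
        /-P INPUT DROP/ && !ssh_seen { bad = 1; exit }
        END { exit bad }
    '
}

# Usage (as root, after reviewing the output of mineos_ruleset):
#   write_ruleset /etc/iptables-rules && iptables-restore < /etc/iptables-rules
```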