Monday, 27 February 2017

Iptables and Firewalld Configuration

Iptables Commands
=================

Iptables contains four built-in tables::

1. Filter Table

    INPUT chain – Incoming to the firewall. For packets destined to the local server.
    OUTPUT chain – Outgoing from the firewall. For packets generated locally and leaving the local server.
    FORWARD chain – Packets for another NIC on the local server. For packets routed through the local server.

2. NAT Table

    PREROUTING chain – Alters packets before routing, i.e. packet translation happens immediately after the packet arrives on the system (and before routing). This translates the destination IP address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
    POSTROUTING chain – Alters packets after routing, i.e. packet translation happens when the packets are leaving the system. This translates the source IP address of the packets to something that matches the routing on the destination server. This is used for SNAT (source NAT).
    OUTPUT chain – NAT for locally generated packets on the firewall.

3. Mangle Table

    PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains – Used for specialised packet alteration rather than address translation, for example changing the TOS or TTL field or setting a firewall mark (MARK) on a packet so that later rules or policy routing can act on it.

4. Raw Table

    PREROUTING chain
    OUTPUT chain

Some simple commands. Please try to understand what each of them does::

# iptables -n -L -v --line-numbers

where -L lists the rules, -v displays detailed information, -n displays IP addresses and ports in numeric format, and --line-numbers prefixes each rule with its position in the chain.

To prevent access to a website, for example linuxgeeknotes.blogspot.in::

# host -t a linuxgeeknotes.blogspot.in     returns the IP address 67.123.116.0
# whois 67.123.116.0 | grep CIDR

# iptables -A OUTPUT -p tcp -d 67.123.116.0/17 -j DROP
# iptables -A OUTPUT -p tcp -d linuxgeeknotes.blogspot.in -j DROP



To log and block IP spoofing on the public interface called eth1::

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A:"
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
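The LOG rule above is only useful if someone reads what it writes. As an added example (not from the original post), this script summarises kernel log lines carrying the "IP_SPOOF A:" prefix by spoofed source address and the protocol/port each one aimed at; the log lines are constructed here and the function name spoof_summary is my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the "IP_SPOOF A:" LOG
# entries produced by the rule above, counting hits per spoofed source address
# and the protocol/port each one aimed at. The log lines below are constructed;
# on a real host feed in the kernel log instead: journalctl -k | spoof_summary
SAMPLE_LOG='Feb 27 10:01:02 fw kernel: IP_SPOOF A:IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
Feb 27 10:01:03 fw kernel: IP_SPOOF A:IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 SYN
Feb 27 10:01:04 fw kernel: IP_SPOOF A:IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:0f:ea:91:04:07:08:00 SRC=10.20.30.40 DST=203.0.113.10 LEN=78 TTL=61 PROTO=UDP SPT=5353 DPT=53
Feb 27 10:01:05 fw kernel: eth1: link is up'

# Read kernel log lines on stdin; print "SRC hits proto/port[,proto/port...]",
# busiest source first. Lines without our --log-prefix are ignored.
spoof_summary() {
    awk '
    /IP_SPOOF A:/ {
        src = ""; dpt = "?"; proto = "?"
        for (i = 1; i <= NF; i++) {          # netfilter logs KEY=VALUE tokens
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src == "") next
        hits[src]++
        key = proto "/" dpt
        # keep a comma-separated list of distinct targets per source
        if (index("," ports[src] ",", "," key ",") == 0)
            ports[src] = (ports[src] == "" ? key : ports[src] "," key)
    }
    END { for (s in hits) printf "%s %d %s\n", s, hits[s], ports[s] }
    ' | sort -k2,2nr
}

printf '%s\n' "$SAMPLE_LOG" | spoof_summary
```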


Drop and accept traffic by MAC address::

# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT


Block ping (ICMP echo-request) on all interfaces, or only on eth1::

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

To open a range of ports::

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

To allow a range of IP addresses to reach port 80::

# iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT


Replace ACCEPT with DROP to block a port instead.

Open SSH (TCP port 22), for everyone or only for the LAN::

# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

Open CUPS (printing service) UDP/TCP port 631 for LAN users::

# iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

Allow time sync via NTP for LAN users (open UDP port 123)::

# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Open TCP port 25 (SMTP) for all::

# iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

Open DNS server ports for all::

# iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

Open HTTP/HTTPS (Apache) server ports to all::

# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Open TCP port 110 (POP3) for all::

# iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

Open TCP port 143 (IMAP) for all::

# iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

Open access to the Samba file server for LAN users only (NetBIOS name and datagram services on 137/138 are UDP; 139 and 445 are TCP)::

# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

Open access to the proxy server for LAN users only::

# iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

Open access to the MySQL server for LAN users only (the -s source restriction is what makes it LAN-only)::

# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT

Limiting the number of connections for a particular service (with --connlimit-mask 24 the second rule counts connections per /24 source network rather than per address)::

# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Flushing rules and deleting chains::

# iptables -F                 , -F deletes (flushes) all rules in the filter table
# iptables -X                 , -X deletes all user-defined chains
# iptables -t nat -F          , -t selects the table to operate on
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
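The rules in this section are shown one at a time, but on a real host they only work as a set: the default policy, the ESTABLISHED rule and the connlimit rules all have to sit before the per-service ACCEPTs, and a LOG rule needs a rate limit. As an added example (not the post's own code), this script emits the post's INPUT rules as an iptables-restore file in that order; it assumes the LAN is 192.168.1.0/24 on a separate interface from eth1, and the function names svc_rule and build_ruleset are mine.

```shell
#!/bin/sh
# Added example (not from the original post): emit the post's INPUT rules as an
# iptables-restore file so the default policy and rule order are explicit.
# Assumptions: the LAN is 192.168.1.0/24 and is not reached through eth1, which
# faces the Internet (add 192.168.0.0/16 to the spoof list only if that holds).
LAN="192.168.1.0/24"
PUB_IF="eth1"

# One ACCEPT for new connections: $1 = protocol, $2 = port, $3 = optional source.
svc_rule() {
    src=""
    [ -n "${3:-}" ] && src="-s $3 "
    printf '%s\n' "-A INPUT ${src}-p $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

build_ruleset() {
    echo '*filter'
    # Default-deny on INPUT/FORWARD; the post's rules assume this but never set it.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to established flows first, so the service rules only see new ones.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Anti-spoofing: private sources must never arrive on the public interface.
    # The LOG rule is rate-limited so a flood cannot fill the disk with entries.
    for net in 10.0.0.0/8 172.16.0.0/12; do
        printf '%s\n' "-A INPUT -i $PUB_IF -s $net -m limit --limit 5/min -j LOG --log-prefix \"IP_SPOOF A:\""
        printf '%s\n' "-A INPUT -i $PUB_IF -s $net -j DROP"
    done
    # Connection limits must precede the ACCEPTs or they are never reached.
    echo '-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT'
    echo '-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP'
    # Services open to everyone.
    for p in 25 53 80 443; do svc_rule tcp "$p"; done
    svc_rule udp 53
    # Services restricted to the LAN (Samba's 137/138 are UDP, 139/445 TCP).
    for p in 22 139 445 631 3128 3306; do svc_rule tcp "$p" "$LAN"; done
    for p in 123 137 138 631; do svc_rule udp "$p" "$LAN"; done
    echo 'COMMIT'
}

# Review the output first; then load it atomically: build_ruleset | iptables-restore
build_ruleset
```

Loading through iptables-restore replaces the whole table in one step, so there is no window where only part of the rule set is active.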



Firewalld Commands
==================


The firewalld daemon manages groups of rules using entities called zones.

Firewalld uses zones and services instead of chains and rules.

Some of the firewalld commands are as follows. Please look into them and try to understand what each one does::

# systemctl start firewalld

# systemctl enable firewalld

# systemctl stop firewalld

# systemctl disable firewalld

# firewall-cmd --state

# systemctl status firewalld

# firewall-cmd --reload

# firewall-cmd --zone=public --add-service=http --permanent

# firewall-cmd --zone=public --remove-service=http --permanent

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'

# firewall-cmd --zone=public --add-port=12345/tcp --permanent

# firewall-cmd --zone=public --remove-port=12345/tcp --permanent

# firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345

# firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.9

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.1.2 accept'

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.2" port port=22 protocol=tcp reject'

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.1.0.3" forward-port port=80 protocol=tcp to-port=6532'
