iptables firewall
An example firewall that can serve as the starting point for your own iptables configuration. The rules are written in the format used by iptables-save/iptables-restore.
On Arch Linux the iptables package ships the two systemd units iptables.service and ip6tables.service. When they are enabled, the rules are loaded with iptables-restore at boot. Note that the Arch units read /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules; the file names rules.v4 and rules.v6 used below are the ones Debian/Ubuntu's iptables-persistent package expects, so save the files under whichever path your distribution's unit actually loads.
Instructions for Ubuntu and RHEL/CentOS can be found, for example, in the Thomas-Krenn-Wiki.
Before activating a ruleset on a remote machine, check it with iptables-restore --test rules.v4 (ip6tables-restore --test for the v6 file), which parses and builds the ruleset without committing it, and keep your current SSH session open while applying: that connection is ESTABLISHED and passes the second INPUT rule, so a mistake in the services chain shows up as new connections failing rather than as an immediate lockout. The -m state match used throughout is the legacy alias of -m conntrack --ctstate; current iptables accepts both.
IPv4
#
# /etc/iptables/rules.v4
#
*filter
# The INPUT policy ACCEPT is only safe because the chain ends in an explicit
# "-j DROP"; the IPv6 file uses a DROP policy instead.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:other_packets - [0:0]
:reject_packets - [0:0]
:service_sec - [0:0]
:services - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j other_packets
-A INPUT -j services
# Anything not accepted above gets a rate-limited reject so the host does not
# become a reflector; whatever exceeds the limit is silently dropped.
-A INPUT -m limit --limit 10/sec -j reject_packets
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
# Invalid packets and ICMP (ping et al.)
-A other_packets -m state --state INVALID -j DROP
-A other_packets -p icmp -m limit --limit 1/sec -j ACCEPT
-A other_packets -j RETURN
# Reject with ICMP codes
-A reject_packets -p tcp -j REJECT --reject-with tcp-reset
-A reject_packets -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject_packets -j REJECT --reject-with icmp-proto-unreachable
-A reject_packets -j RETURN
# Service security chain against port scanners and SYN floods.
# Well-formed packets RETURN to the services chain, which ACCEPTs them;
# everything else is dropped here. "-m limit" is one global token bucket,
# not a per-source one: a flood from a single host also throttles everyone
# else, and 2/sec (default burst 5) is tight for a busy HTTP server. Tune
# the rate, or use "-m hashlimit --hashlimit-mode srcip" for a per-source limit.
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/sec -j RETURN
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
# New connections must begin with a bare SYN; this catches stray ACKs that
# conntrack's default loose mode would otherwise classify as NEW
-A service_sec -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# NULL and XMAS scans; normally never reached, because conntrack marks such
# packets INVALID and other_packets drops them first
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A service_sec -j RETURN
# Services (jump to service_sec first, then ACCEPT)
# 22 => SSH
# 80/443 => HTTP/HTTPS
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A services -p tcp -m tcp --dport 80 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A services -p tcp -m tcp --dport 443 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A services -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
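Whether the rate limit in service_sec actually bites comes down to one iptables rule of thumb: a packet that RETURNs from a user chain (explicitly, or by falling off its end) resumes at the next rule of the calling chain, and the first terminal verdict wins. The simulator below is an added example, not part of this page and not an iptables tool. It parses iptables-save syntax for the subset of matches used above and walks a packet through the chains. Its embedded rules are a constructed, reduced copy of the INPUT/services/service_sec trio in two variants: one where the limit rule ends in -j ACCEPT and everything else RETURNs, and one where SYNs beyond the limit are dropped inside service_sec. Conntrack state and the fill state of the limit's token bucket are supplied by the caller rather than modelled.

```python
# Added example, not from the page or from iptables: a chain-walk simulator for
# iptables-save filter rules. It knows only the matches used above (-p, --dport,
# -m state --state, [!] --tcp-flags, -m limit) and the targets ACCEPT, DROP, REJECT,
# RETURN and user chains; "-m limit" is a caller-supplied "bucket has tokens" flag.
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# One-argument options: (rule key, converter); a None key means "ignored"
ONE_ARG = {"-p": ("proto", str), "--dport": ("dport", int), "-j": ("target", str),
           "--state": ("state", lambda s: set(s.split(","))),
           "--limit": ("limit", lambda s: True), "-m": (None, None)}

def parse_rule(toks):
    """Turn the tokens of one '-A <chain> ...' line into a rule dict."""
    rule, i = {"negate_flags": False}, 2
    while i < len(toks):
        t = toks[i]
        if t == "!":                                  # only used before --tcp-flags here
            rule["negate_flags"] = True
            i += 1
        elif t == "--tcp-flags":                      # mask, then the bits that must be set
            comp = toks[i + 2]
            rule["flags"] = (set(toks[i + 1].split(",")),
                             set() if comp == "NONE" else set(comp.split(",")))
            i += 3
        elif t in ONE_ARG:
            key, conv = ONE_ARG[t]
            if key:
                rule[key] = conv(toks[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule

def parse_rules(text):
    """Parse one *filter table into ({chain: policy}, {chain: [rule, ...]})."""
    policies, chains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # chain declaration with policy
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        else:
            toks = shlex.split(line)
            chains[toks[1]].append(parse_rule(toks))
    return policies, chains

def rule_matches(rule, pkt, limit_ok):
    """Evaluate a rule's matches against a packet dict."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "flags" in rule:
        mask, comp = rule["flags"]
        if ((pkt.get("flags", set()) & mask) == comp) == rule["negate_flags"]:
            return False                              # "!" inverts the flag test
    return not (rule.get("limit") and not limit_ok)   # empty bucket: rule does not match

def verdict(policies, chains, chain, pkt, limit_ok=True, depth=0):
    """Walk a chain; a RETURNing user chain yields None (caller continues),
    a RETURNing base chain falls back to its policy."""
    for rule in chains[chain]:
        if not rule_matches(rule, pkt, limit_ok):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        sub = verdict(policies, chains, target, pkt, limit_ok, depth + 1)
        if sub is not None:                           # the user chain decided
            return sub
    return policies.get(chain) if depth == 0 else None

# Constructed, reduced copy of the page's INPUT/services/service_sec chains in the
# variant where the limit rule ends in ACCEPT and over-limit SYNs fall through to RETURN.
RULES_ORIGINAL = """\
*filter
:INPUT ACCEPT [0:0]
:service_sec - [0:0]
:services - [0:0]
-A INPUT -j services
-A INPUT -j DROP
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/sec -j ACCEPT
-A service_sec -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A service_sec -j RETURN
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""
# Same chains with the limit enforced: in-limit SYNs RETURN to services, over-limit SYNs drop.
RULES_FIXED = RULES_ORIGINAL.replace(
    "--limit 2/sec -j ACCEPT",
    "--limit 2/sec -j RETURN\n-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP")

SYN_TO_SSH = {"proto": "tcp", "dport": 22, "state": "NEW", "flags": {"SYN"}}
# A stray ACK that conntrack's default loose mode classifies as NEW
ACK_TO_SSH = {"proto": "tcp", "dport": 22, "state": "NEW", "flags": {"ACK"}}

def trace(rules_text, pkt, limit_ok=True):
    """Final INPUT verdict for pkt under the given rules-file text."""
    policies, chains = parse_rules(rules_text)
    return verdict(policies, chains, "INPUT", pkt, limit_ok)
```

Calling trace(RULES_ORIGINAL, SYN_TO_SSH, limit_ok=False) shows the problem: once the bucket is empty the SYN no longer matches the limit rule, RETURNs from service_sec and hits the unconditional ACCEPT for port 22 in services, so the "limit" never drops anything. Only the second variant, trace(RULES_FIXED, SYN_TO_SSH, False), turns it into a DROP. The stray ACK is dropped in both variants, which is exactly what the "! --tcp-flags FIN,SYN,RST,ACK SYN" rule is for.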
IPv6
#
# /etc/iptables/rules.v6
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:reject_packets - [0:0]
:services - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: loopback and unique-local (fc00::/7) sources must not arrive
# on the external interface (eth0 here; adjust to your interface name)
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -s fc00::/7 -i eth0 -j DROP
# ICMPv6 has to stay open: neighbour discovery, router advertisements and
# path MTU discovery do not work without it
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j services
# Everything else: rate-limited reject; the remainder hits the DROP policy
-A INPUT -m limit --limit 10/sec -j reject_packets
-A reject_packets -p tcp -j REJECT --reject-with tcp-reset
-A reject_packets -p udp -j REJECT --reject-with icmp6-port-unreachable
-A reject_packets -p ipv6-icmp -j REJECT --reject-with icmp6-adm-prohibited
-A reject_packets -j REJECT --reject-with icmp6-adm-prohibited
-A reject_packets -j RETURN
# Services. There is no service_sec chain on the IPv6 side, so the SYN-flag
# checks and the rate limit from the IPv4 file do not apply here.
# 22 => SSH
# 80/443 => HTTP/HTTPS
-A services -p tcp -m tcp --dport 22 -j ACCEPT
-A services -p tcp -m tcp --dport 80 -j ACCEPT
-A services -p tcp -m tcp --dport 443 -j ACCEPT
-A services -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT