
iptables firewall

An example firewall that can serve as the starting point for your own iptables configuration. The rules are written in the format used by iptables-save/iptables-restore.

On Arch Linux the iptables package ships the two systemd units iptables.service and ip6tables.service. When they are enabled, the firewall rules from /etc/iptables/rules.v4 and /etc/iptables/rules.v6 are loaded at boot.

Instructions for Ubuntu and RHEL/CentOS can be found, for example, in the Thomas-Krenn wiki.

# 
# /etc/iptables/rules.v4
# 

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:other_packets - [0:0]
:reject_packets - [0:0]
:service_sec - [0:0]
:services - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j other_packets
-A INPUT -j services
-A INPUT -m limit --limit 10/sec -j reject_packets
-A INPUT -j DROP

-A OUTPUT -j ACCEPT

# Invalid packets and ICMP (ping et al.)
-A other_packets -m state --state INVALID -j DROP
-A other_packets -p icmp -m limit --limit 1/sec -j ACCEPT
-A other_packets -j RETURN

# Reject with ICMP codes
-A reject_packets -p tcp -j REJECT --reject-with tcp-reset
-A reject_packets -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_packets -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject_packets -j REJECT --reject-with icmp-proto-unreachable
-A reject_packets -j RETURN

# Service security chain to block port scanners and DDoS
-A service_sec -p tcp -m tcp   --tcp-flags FIN,SYN,RST,ACK SYN                             -m limit --limit 2/sec  -j ACCEPT
# SYNs above the limit do not match the rule above; drop them here instead of
# letting them RETURN to the services chain, whose next rule would ACCEPT them.
-A service_sec -p tcp -m tcp   --tcp-flags FIN,SYN,RST,ACK SYN                             -j DROP
-A service_sec -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN                             -m state --state NEW    -j DROP
# NULL and XMAS scan packets (both already caught by the NEW/non-SYN drop above)
-A service_sec -p tcp -m tcp   --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE                    -m limit --limit 1/hour -j ACCEPT
-A service_sec -p tcp -m tcp   --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 1/hour -j ACCEPT
-A service_sec -j RETURN

# Services (jump to service_sec first, then ACCEPT)
# 22     => SSH
# 80/443 => HTTP/HTTPS
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A services -p tcp -m tcp --dport 80 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A services -p tcp -m tcp --dport 443 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A services -j RETURN
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

# 
# /etc/iptables/rules.v6
# 
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:reject_packets - [0:0]
:services - [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: loopback and unique-local (fc00::/7) sources must not arrive
# on the external interface (eth0 here; adjust to your own interface name)
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -s fc00::/7 -i eth0 -j DROP
# ICMPv6 is required for neighbour discovery and path MTU discovery
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j services
-A INPUT -m limit --limit 10/sec -j reject_packets

-A reject_packets -p tcp       -j REJECT --reject-with tcp-reset
-A reject_packets -p udp       -j REJECT --reject-with icmp6-port-unreachable
-A reject_packets -p ipv6-icmp -j REJECT --reject-with icmp6-adm-prohibited
-A reject_packets              -j REJECT --reject-with icmp6-adm-prohibited
-A reject_packets              -j RETURN

# Services: 22 => SSH, 80/443 => HTTP/HTTPS
-A services -p tcp -m tcp --dport  22 -j ACCEPT
-A services -p tcp -m tcp --dport  80 -j ACCEPT
-A services -p tcp -m tcp --dport 443 -j ACCEPT
-A services -j RETURN
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
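Added here as an example, not part of the original page: a small Python lint for rulesets in this format that catches a fall-through that chains built like service_sec are prone to. Packets exceeding a "-m limit ... -j ACCEPT" rule do not match it, continue down the chain to RETURN, and are then accepted by the caller's very next rule, so the limit never drops anything unless an unlimited DROP with the same match follows it. The SAMPLE ruleset and all function names are constructed for this example.

```python
import re
LIMIT_RE = re.compile(r"-m limit --limit \S+( --limit-burst \S+)?")

def parse_filter(text):
    # {chain: [whitespace-normalised '-A' rules]} for the *filter table only
    rules, in_filter = {}, False
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return rules

def target(rule):
    m = re.search(r" -j (\S+)", rule)
    return m.group(1) if m else None

def match_spec(rule):
    # Match criteria only: chain name, limit module and target stripped
    spec = re.sub(r"^-A \S+ ?", "", re.sub(r" -j \S+.*$", "", rule))
    return LIMIT_RE.sub("", spec).strip()

def leaking_limits(chain_rules):
    # Limited ACCEPTs with no later unlimited DROP/REJECT covering the same match
    leaks = []
    for i, rule in enumerate(chain_rules):
        if LIMIT_RE.search(rule) and target(rule) == "ACCEPT":
            spec = match_spec(rule)
            if not any(target(r) in ("DROP", "REJECT") and not LIMIT_RE.search(r)
                       and match_spec(r) in ("", spec) for r in chain_rules[i + 1:]):
                leaks.append(rule)
    return leaks

def lint_rules(text):
    # Flag '-j chain' directly followed by '-j ACCEPT' when 'chain' leaks its limit
    rules, findings = parse_filter(text), []
    for chain, chain_rules in rules.items():
        for rule, follow in zip(chain_rules, chain_rules[1:] + [""]):
            t = target(rule)
            if t in rules and target(follow) == "ACCEPT" and leaking_limits(rules[t]):
                findings.append(f"{chain}: limit in {t} bypassed, excess RETURNs into ACCEPT")
    return findings

# Constructed input modelled on the services/service_sec pair of the ruleset above
SAMPLE = """*filter
-A service_sec -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 2/sec -j ACCEPT
-A service_sec -j RETURN
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j service_sec
-A services -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A services -j RETURN
COMMIT"""
```

Running lint_rules on the contents of /etc/iptables/rules.v4 reports the same finding for any chain in which an unlimited DROP with the limit rule's match is missing; adding that DROP right after the limit rule clears it.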
  • Last modified: 2021/12/30 10:51