Jé pa l'temps #11 - Iptables
Best practice with a firewall : block all traffic, then authorize only what we need. And of course, RTFM !
Displaying iptables rules
sudo iptables -L --line-numbers
By default, this command only displays the filter table. To display the other tables, add the -t option followed by nat, mangle or raw. However, the filter table is the only one needed to configure the firewall.
Command options
-A CHAIN : Append a rule to the end of the chain.
- PREROUTING: Packets will enter this chain before a routing decision is made.
- INPUT: Packet is going to be locally delivered. It does not have anything to do with processes having an opened socket; local delivery is controlled by the “local-delivery” routing table: ip route show table local.
- FORWARD: All packets that have been routed and were not for local delivery will traverse this chain.
- OUTPUT: Packets sent from the machine itself will be visiting this chain.
- POSTROUTING: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.
-p protocol : Specify the protocol.
- tcp
- udp
-i name : Specify the input interface (the one the packet arrived on).
- Name of the interface
-j target : Specify what to do if the packet matches this rule.
- ACCEPT
- DROP
--dport port : Specify destination port.
--sport port : Specify source port.
-m module : Use a match extension (for example conntrack, to match on connection state).
Configuring firewall
Authorize incoming traffic
⚠️ sudo iptables -F flushes every rule : if the default policy is DROP, this blocks all access, including the session you are currently connected through…
Configuration initialization
sudo iptables -F
sudo iptables -X
Authorize already established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Authorize incoming SSH connections
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
Authorize web traffic on port 80
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
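The same "block everything, then authorize what we need" setup as an added example (not part of the original note): the ruleset is written in iptables-save format and loaded with iptables-restore, so the flush and the new rules land in one atomic step and the SSH session is never left unprotected between them. It goes beyond the note by setting the DROP default policies, allowing loopback and RELATED traffic; the interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example: generate the filter-table ruleset from the note and apply it
# atomically with iptables-restore instead of one iptables -A at a time.
IFACE="${IFACE:-eth0}"   # assumed public interface name

# Print the filter table in iptables-save format for the given interface.
gen_ruleset() {
    iface="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: many local services talk to themselves over lo
-A INPUT -i lo -j ACCEPT
# packets belonging to connections already accepted (and related ones)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new inbound SSH and HTTP, only on the public interface
-A INPUT -p tcp -i $iface --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -i $iface --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set (sanity check before applying).
count_rules() {
    gen_ruleset "$1" | grep -c '^-A '
}

# Replace the whole filter table in one step; refuses to run as non-root.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must be root" >&2; return 1; }
    gen_ruleset "$IFACE" | iptables-restore
}

# Nothing is applied unless --apply is passed explicitly.
case "${1:-}" in
    --show)  gen_ruleset "$IFACE" ;;
    --apply) apply_ruleset ;;
esac
```

Run it with --show to review the ruleset, then with --apply as root; sudo iptables -L --line-numbers afterwards shows the four rules and the DROP policies.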
— — — — — — — — — — — — — — — — — — — — — —
The "Jé pa l'temps" series is a set of quick tutorials in "note-taking" mode, to keep a record of everything I cannot remember and, why not, share it with others. We go straight to the point; let's leave the pretty walls of text to other sites like Medium… LOL !