iptables
# Using iptables:
# Check your Linode's default firewall rules by entering the following command:
$ sudo iptables -L
# Examine output.
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Create a file to hold your firewall rules
# By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.
$ sudo nano /etc/iptables.firewall.rules
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
# Note: If you plan on using Longview add these rules: https://www.linode.com/docs/security/securing-your-server#step_6
# Activate firewall rules
$ sudo iptables-restore < /etc/iptables.firewall.rules
# Check rules
$ sudo iptables -L
# Examine output
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
# Ensure firewall rules are activated on restart
$ sudo nano /etc/network/if-pre-up.d/firewall
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
$ sudo chmod +x /etc/network/if-pre-up.d/firewall
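A pre-flight check for the rules file above, added here as an example and not part of the gist: before `iptables-restore` loads the file over a remote session, confirm that a NEW connection to the sshd port (which, as the comment says, must match sshd_config) is accepted on INPUT ahead of the final DROP, and that the ESTABLISHED,RELATED rule is present so the current session survives. The sample rules text is a constructed copy of the INPUT rules; the parser assumes every option takes exactly one value, which holds for this file.

```python
import shlex

# Constructed sample: the INPUT rules from the file above, in file order.
RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
"""
TERMINATING = {"ACCEPT": True, "DROP": False, "REJECT": False}  # LOG falls through

def parse_rules(text):
    """Return every -A line as (chain, {option: value}) in file order.
    Assumes each option takes exactly one value, which holds for this file."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line, comments=True)
        if len(toks) >= 2 and toks[0] == "-A":  # skips *filter, COMMIT, comments
            rules.append((toks[1], dict(zip(toks[2::2], toks[3::2]))))
    return rules

def new_connection_allowed(rules, chain, proto, port):
    """Walk `chain` as a NEW remote packet to proto/port: True/False at the first terminating target, None if it reaches the policy."""
    for ch, o in rules:
        if ch != chain or o.get("-i") or o.get("-s") or o.get("-d"):
            continue  # interface- or address-restricted rules don't match remote traffic
        if o.get("-p") not in (None, proto) or o.get("--dport") not in (None, str(port)):
            continue
        if "--state" in o and "NEW" not in o["--state"].split(","):
            continue  # the ESTABLISHED,RELATED rule never matches a NEW packet
        verdict = TERMINATING.get(o.get("-j"))
        if verdict is not None:
            return verdict
    return None

def lockout_risks(text, ssh_port):
    """Problems that would cut off remote administration once this file is loaded."""
    rules = parse_rules(text)
    problems = []
    if new_connection_allowed(rules, "INPUT", "tcp", ssh_port) is not True:
        problems.append(f"new SSH connections to tcp/{ssh_port} never reach an ACCEPT on INPUT")
    if not any(c == "INPUT" and "ESTABLISHED" in o.get("--state", "") for c, o in rules):
        problems.append("no ESTABLISHED rule on INPUT: the current SSH session would hit the final DROP")
    return problems
```

Running `lockout_risks(open("/etc/iptables.firewall.rules").read(), 22)` returns an empty list for the file as written; after moving sshd to another port without editing the `--dport 22` rule, it reports the SSH lockout before you apply the file.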