Difference between revisions of "IPTables"
From Bashlinux
(Created page with "__NOTOC__ === Howto setup iptables on CentOS/Fedora === Rules are always read from <tt>/etc/sysconfig/iptables</tt>, but if any "save" option is enable in <tt>/etc/sysconfig/i...")
(One intermediate revision by the same user not shown)
Line 1: | Line 1:
__NOTOC__
− === Howto setup iptables on CentOS/Fedora ===
− Rules are always read from <tt>/etc/sysconfig/iptables</tt>, but if any "save" option is enable in <tt>/etc/sysconfig/iptables</tt>, the rules added from the command line are keep in memory, but won't be available on system reboot.
− 
− It happens in Fedora that rules in <tt>/etc/sysconfig/iptables</tt> are overridden until iptables daemon is restarted.
− 
− To make the system load our rules on reboot and every time, you must ensure the rules that <tt>/etc/iptables.rules</tt> file does exist, an has the rules you just created.
+ == Distro tools ==
+ * [[firewalld]] - CentOS 7/Fedora 18 and newer
+ * [[lokkit]] - CentOS 6/Fedora 17 and older
+ * [[ufw]] - Ubuntu/Debian
+ == Customizing the firewall ==
=== How to setup a gateway with 2 Virtual NICs on GNU/Debian ===
For any given host with 2 virtual NICs (IP aliases)
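Review bot: the removed paragraph was the page's only statement that rules added from the command line are kept in memory but lost on reboot unless they are saved, and nothing in the added "Distro tools" list carries that warning over; keep a one-line note next to the [[firewalld]], [[lokkit]] and [[ufw]] links on how each tool persists its rules.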
Line 26: | Line 25:
net.ipv4.ip_forward = 1
* Load the previous modification:
− sysctl -p
+ # sysctl -p
+ 
+ === How to block an IP after 4 failed ssh login attempts ===
+ Setup a post-firewall script with
+ iptables -N SSH_CHECK
+ iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK
+ iptables -A SSH_CHECK -m recent --set --name SSH
+ iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
+ 
+ === How to forwart a port to another host ===
+ # iptables -t nat -A POSTROUTING -d RE.MO.TE.IP -p tcp --dport 80 -j SNAT --to LO.CA.L.IP
+ # iptables -t nat -A PREROUTING -d LO.CA.L.IP -p tcp --dport 80 -j DNAT --to RE.MO.TE.IP
+ Where <tt>RE.MO.TE.IP</tt> is the IP of the host that will get the traffic
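Review bot: the SSH_CHECK rules count new TCP connections to port 22, not failed logins, so the heading "block an IP after 4 failed ssh login attempts" overstates them: a source that opens four connections within 60 seconds is dropped whether or not any of them authenticated, and because the --update rule refreshes the last-seen timestamp on every hit, a source that keeps retrying stays blocked until it has been quiet for 60 seconds. Consider "after 4 new connections in 60 seconds". In the port-forward section, "forwart" should read "forward", and the DNAT/SNAT pair only works with net.ipv4.ip_forward = 1 (set in the gateway section above) and a FORWARD chain that accepts the redirected traffic, neither of which the two lines mention.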
Latest revision as of 03:59, 25 June 2015
Distro tools
- firewalld - CentOS 7/Fedora 18 and newer
- lokkit - CentOS 6/Fedora 17 and older
- ufw - Ubuntu/Debian
Customizing the firewall
How to setup a gateway with 2 Virtual NICs on GNU/Debian
For any given host with 2 virtual NICs (IP aliases):
- WAN = eth0 -> 10.11.12.10
- LAN = eth0:1 -> 192.168.10.10
The steps to set up the host as a gateway are:
- Add the proper nat rules to iptables so that SNAT traffic passes through the "Out to the world" NIC:
 *nat
 :PREROUTING ACCEPT [891:110412]
 :POSTROUTING ACCEPT [92:11129]
 :OUTPUT ACCEPT [241:27547]
 # MASQUERADE is a terminating target, so the SNAT rule below it is never reached
 -A POSTROUTING -o eth0 -j MASQUERADE
 -A POSTROUTING -o eth0 -j SNAT --to-source 10.11.12.10
 COMMIT
- Because both network IPs are on the same NIC, add a forward in both directions to the filter section:
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -o eth0 -j ACCEPT
- Ensure the kernel forwards IPv4 traffic by enabling it in /etc/sysctl:
 net.ipv4.ip_forward = 1
- Load the previous modification:
 # sysctl -p
How to block an IP after 4 failed ssh login attempts
Set up a post-firewall script with:
 iptables -N SSH_CHECK
 iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK
 iptables -A SSH_CHECK -m recent --set --name SSH
 iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
The recent match records every new connection to port 22 per source address, so the fourth new connection from the same address within 60 seconds is dropped, whether or not the earlier ones authenticated.
How to forward a port to another host
 # iptables -t nat -A POSTROUTING -d RE.MO.TE.IP -p tcp --dport 80 -j SNAT --to LO.CA.L.IP
 # iptables -t nat -A PREROUTING -d LO.CA.L.IP -p tcp --dport 80 -j DNAT --to RE.MO.TE.IP
Where RE.MO.TE.IP is the IP of the host that will get the traffic and LO.CA.L.IP is the address on this host that clients connect to. The SNAT rule rewrites the source so that the remote host's replies come back through this host.
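The three recipes on this page, combined as an added example that is not part of the wiki: a POSIX shell script whose build_ruleset emits one iptables-restore ruleset (gateway NAT, the SSH_CHECK rate limit, and the port forward with the interface match and the FORWARD accept rules the two-line recipe leaves implicit) and whose lint_ruleset catches a missing COMMIT or a jump to an undeclared chain before anything is loaded. The interface name and addresses are placeholders; `build_ruleset eth0 10.11.12.10 192.168.10.20 80 | lint_ruleset` checks the output, and piping it to `iptables-restore --test` dry-runs it on a real host.

```shell
#!/bin/sh
# Added example (not from the wiki): combine this page's three recipes into one
# iptables-restore ruleset and lint it before loading. Arguments are placeholders.
# Print a ruleset: NAT gateway on WAN_IF/WAN_IP, SSH_CHECK rate limit on port 22,
# and a TCP port forward of WAN_IP:PORT to REMOTE_IP:PORT (with the FORWARD
# accept rules the port-forward recipe relies on).
build_ruleset() {
    wan_if=$1 wan_ip=$2 remote_ip=$3 port=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan_if -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $remote_ip
-A POSTROUTING -d $remote_ip -p tcp --dport $port -j SNAT --to-source $wan_ip
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_CHECK - [0:0]
-A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A FORWARD -i $wan_if -j ACCEPT
-A FORWARD -o $wan_if -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read on stdin: each *table block must end with COMMIT, every
# chain used by -A must be declared with a ":NAME" line (as iptables-save emits),
# and every -j target must be a built-in target or a declared chain.
# Prints each problem and returns non-zero if any was found.
lint_ruleset() {
    awk '
    BEGIN { bad = 0; n = split("ACCEPT DROP RETURN REJECT LOG MASQUERADE SNAT DNAT", b, " ")
            for (i = 1; i <= n; i++) builtin[b[i]] = 1 }
    /^\*/ { if (open) { print "missing COMMIT before " $0; bad = 1 }
            open = 1; split("", chains); next }
    /^:/ { chains[substr($1, 2)] = 1; next }
    /^COMMIT$/ { open = 0; next }
    /^-A / { t = ""
             for (i = 1; i <= NF; i++) if ($i == "-j") t = $(i + 1)
             if (!($2 in chains)) { print "chain " $2 " not declared"; bad = 1 }
             if (t != "" && !(t in builtin) && !(t in chains)) { print "unknown target " t; bad = 1 } }
    END { if (open) { print "missing final COMMIT"; bad = 1 }; exit bad }'
}
```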