Difference between revisions of "IPTables"
From Bashlinux
(Created page with "__NOTOC__ === Howto setup iptables on CentOS/Fedora === Rules are always read from <tt>/etc/sysconfig/iptables</tt>, but if any "save" option is enable in <tt>/etc/sysconfig/i...") |
|||
Line 1: | Line 1: | ||
__NOTOC__ |
__NOTOC__ |
||
+ | == Distro tools == |
||
− | === Howto setup iptables on CentOS/Fedora === |
||
+ | * [[firewalld]] - CentOS 7/Fedora 18 and newer |
||
− | Rules are always read from <tt>/etc/sysconfig/iptables</tt>, but if any "save" option is enable in <tt>/etc/sysconfig/iptables</tt>, the rules added from the command line are keep in memory, but won't be available on system reboot. |
||
+ | * [[lokkit]] - CentOS 6/Fedora 17 and older |
||
− | |||
+ | * [[ufw]] - Ubuntu/Debian |
||
− | It happens in Fedora that rules in <tt>/etc/sysconfig/iptables</tt> are overridden until iptables daemon is restarted. |
||
− | |||
− | To make the system load our rules on reboot and every time, you must ensure the rules that <tt>/etc/iptables.rules</tt> file does exist, an has the rules you just created. |
||
+ | == Customizing the firewall == |
||
=== How to setup a gateway with 2 Virtual NICs on GNU/Debian === |
=== How to setup a gateway with 2 Virtual NICs on GNU/Debian === |
||
For any given host with 2 virtual NICs (IP aliases) |
For any given host with 2 virtual NICs (IP aliases) |
||
Line 27: | Line 26: | ||
* Load the previous modification: |
* Load the previous modification: |
||
sysctl -p |
sysctl -p |
||
+ | |||
+ | === How to block an IP after 4 failed ssh login attempts === |
||
+ | Setup a post-firewall script with |
||
+ | iptables -N SSH_CHECK |
||
+ | iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK |
||
+ | iptables -A SSH_CHECK -m recent --set --name SSH |
||
+ | iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP |
||
+ | |||
+ | === How to forwart a port to another host === |
Revision as of 03:57, 25 June 2015
Distro tools
Customizing the firewall
How to setup a gateway with 2 Virtual NICs on GNU/Debian
For any given host with 2 virtual NICs (IP aliases)
- WAN = eth0 -> 10.11.12.10
- LAN = eth0:1 -> 192.168.10.10
The steps to setup the host as gateway are
- Add to iptables the proper
nat
rules in order to ensureSNAT
traffic pass through the "Out to the world" NIC.
*nat :PREROUTING ACCEPT [891:110412] :POSTROUTING ACCEPT [92:11129] :OUTPUT ACCEPT [241:27547] -A POSTROUTING -o eth0 -j MASQUERADE -A POSTROUTING -o eth0 -j SNAT --to-source 10.11.12.10 COMMIT
- Because both network IPs are in the same NIC, then add to the filter section a forward in both directions:
-A FORWARD -i eth0 -j ACCEPT -A FORWARD -o eth0 -j ACCEPT
- Ensure ip4 traffic is being forwarded on kernel enabling it on /etc/sysctl
net.ipv4.ip_forward = 1
- Load the previous modification:
sysctl -p
How to block an IP after 4 failed ssh login attempts
Setup a post-firewall script with
iptables -N SSH_CHECK iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j SSH_CHECK iptables -A SSH_CHECK -m recent --set --name SSH iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP