Iptables
From Noah.org
Contents |
Linux iptables Basic Examples
The following are simple iptables firewalls for Linux. I use these as starter firewalls when I setup a machine. I don't like using iptables-restore. I prefer to simply script the iptables commands that I would type at the command line.
Most of these scripts start by reinitializing iptables, so you will loose any rules, chains, or accounting information that iptables knows about. For example, this deletes any policies, chains, and rules in place.
iptables -P INPUT ACCEPT # open up default policy on built-in chain iptables -P OUTPUT ACCEPT # open up default policy on built-in chain iptables -P FORWARD ACCEPT # open up default policy on built-in chain iptables -F # delete all rules from all chains iptables -X # delete all user chains (non built-in chains)
Block everything firewall
This blocks everything. You will only be able to access the machine from the console. Don't do this if you are working remotely because your connection will instantly be dropped. Another way to do this would be to disable the network interface. The advantage of blocking everything with iptables instead of shutting down a network interface is that this leaves the kernel network layer still running. Running apps will not complain about the network being unavailable. This also blocks all network interfaces at once, so if you have a machine with multiple interfaces this will take care of them all.
#!/bin/sh iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP
Allow everything firewall
This opens up everything. It's the exact opposite of Block everything. The firewall is still technically running, but every packet is allowed through. This is the safe way to open the firewall without accidentally locking yourself out.
#!/bin/sh iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X
Minimal emergency firewall
I use this to shut down everything except SSH port 22. This is my panic script. If something seems suspicious then I use this script to put a machine into as safe a state as possible while still allowing remote SSH connections.
Note that a machine with these rules won't even be visible on the network. If you want to scan it with nmap you will have to use "nmap -P0" which scans without first checking with ICMP (ping).
#!/bin/sh # Minimal emergency firewall (block everything except SSH). iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT iptables -P INPUT DROP iptables -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT iptables -P OUTPUT DROP
Basic firewall init.d script
For my real firewall I use an init.d script. The following init script is based on the scripts given previously. Save this in /etc/init.d/firewall. This includes options to start, stop, or show the status of iptables. The "stop" command doesn't really stop iptables. It just deletes all firewall rules.
#!/bin/sh # # This is a simple iptables firewall script. # This can be used stand-alone or put in /etc/init.d/firewall. # This works on both Ubuntu and RedHat systems. # On Ubuntu, run "update-rc.d firewall defaults" to install this on startup. # On RedHat, run "chkconfig --add firewall" to install this on startup. # Note that RedHat has its own iptables init script that needs to be turned # off if this script is to be used. # # Noah Spurrier # $Id: firewall 100 2007-10-30 23:31:14Z noah $ # # chkconfig: 2345 08 92 # description: This configures iptables. # ### BEGIN INIT INFO # Provides: firewall # Required-Start: $network $local_fs $remote_fs # Required-Stop: $network $local_fs $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: S 0 1 6 # Short-Description: This loads iptables with firewall rules. # Description: This loads iptables with firewall rules. Placed this in /etc/init.d. # This isn't technically a daemon control script. # This just puts a familiar interface around iptables. ### END INIT INFO PATH=/usr/sbin:/usr/bin:/sbin:/bin case "$1" in start) # Flush any old policies and rules. iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X # New TCP connections must be SYN packets, else DROP # iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # Drop illegal packets iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # NULL packets iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP # # Accept some remote connections. # # SSH iptables -A INPUT -p tcp --dport 22 -j ACCEPT # HTTP iptables -A INPUT -p tcp --dport 80 -j ACCEPT # HTTPS iptables -A INPUT -p tcp --dport 443 -j ACCEPT # SMTP iptables -A INPUT -p tcp --dport 25 -j ACCEPT # IMAP4 SSL iptables -A INPUT -p tcp --dport 993 -j ACCEPT # POP3 SSL iptables -A INPUT -p tcp --dport 995 -j ACCEPT # DNS iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT # VPN #iptables -A INPUT -i tun+ -j ACCEPT # # VMware # iptables -A INPUT -p tcp --dport 902 -j ACCEPT # # SNMP # iptables -A FWALL-INPUT-p udp -m udp --dport 161 -j ACCEPT # iptables -A FWALL-INPUT-p udp -m udp --sport 1023:2999 -j ACCEPT # VNC -- This is normally a bad idea. #iptables -A INPUT -p tcp --dport 5900 -j ACCEPT # VNC server #iptables -A INPUT -p tcp --dport 5500 -j ACCEPT # listening client # A better way to do this is to allow localhost connections and then # use SSH port tunneling to expose VNC to remote connections. #iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5900 -j ACCEPT # VNC server # # Accept some localhost connections. # # BIND RNDC iptables -A INPUT -p tcp -s 127.0.0.1 --dport 953 -j ACCEPT # IMAP4 iptables -A INPUT -p tcp -s 127.0.0.1 --dport 143 -j ACCEPT # POP3 iptables -A INPUT -p tcp -s 127.0.0.1 --dport 110 -j ACCEPT # MySQL iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3306 -j ACCEPT # # PostgreSQL # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT # # Oracle # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 1521 -j ACCEPT # # Oracle TTC # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2483 -j ACCEPT # # Oracle TTC SSL # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 2484 -j ACCEPT # # Subversion svnserve (or just use the svn+ssh: URL scheme) # iptables -A INPUT -p tcp -s 127.0.0.1 --dport 3690 -j ACCEPT # Allow some ICMP (ping) # ICMP is low priority so I put this after other rules. iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT iptables -A INPUT -p icmp -j DROP # Match related and established state connections. # This allows client-side connections such as ftp work properly. iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Default policies to handle everything not covered by a rule. iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT ;; stop) iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -X ;; status) iptables -L -v ;; *) echo "Usage: $0 {start|stop|status}" >&2 exit 1 ;; esac exit 0
Funny story
At one time I had an iptables rule on all my machines that limited pings to 1 per second. By default the ping command sends 1 ICMP packet per second. Everything was fine and eventually I forgot about the rule. Months later I noticed that mtr was reporting high packet loss to a machine. A co-worker helped me investigate and the packet loss only got worse. Then the machine would intermittently stop accepting new SSH connections. All outside connections go through a load balancer. The load balancer is setup to probe each cluster and if a machine does not respond to a ping every 10 minutes then the load balancer removes that machine from rotation (even if there is only one machine in a cluster). So as we tried to debug our packet loss with ping and mtr it would cause iptables to block ICMP and if the load balancer happened to be doing a probe then it would take the machine off the network. We thought things were really bad because we couldn't even connect to the server through through the load balancer interface. Huge packet loss and dropped SSH connections -- we were thinking to check for bad cables, bad switch, or a bad load balancer. Then we checked the load balancer logs and saw that it had removed the machine because of failed ping probes. Eventually I tried shutting off iptables and the problem went away. Finally we decided to look at the iptables rules which revealed the rule that was causing all the grief. This will cause apparent packet loss if two engineers both ping at the same time:
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
Load firewall on boot
When you shutdown your server all the iptables rules will be lost. You need to run a firewall script every time you boot. Some people use firestarter, but I prefer edit my own simple init script.
RedHat
For RedHat you need to edit:
/etc/sysconfig/iptables
Don't confuse this with /etc/sysconfig/iptables-config. Also note that RedHat has a tool called system-security-level that overwrites /etc/sysconfig/iptables, so if you run system-security-level you will loose your changes. You can edit the file manually or you can use system-security-level. Choose one or the other, not both.
You can also setup the firewall the way you want using the iptables command and then save the settings using RedHat's inti.d script:
/etc/init.d/iptables save
Ubuntu/Debian
For Ubuntu/Debian you can put an init script into /etc/init.d then link to an 'S' file in /etc/rc2.d
cp firewall /etc/init.d/firewall chmod 755 /etc/init.d/firewall cd /etc/rc2.d/ ln -s ../init.d/firewall S99firewall
Traffic shaping
Most iptables installs come with the "TOS" module (Type Of Service):
iptables -m tos -h
This lets you set priority options for packets.
This is a complex topic. I need to expand this with a simple setup that shows how to boost priority of interactive applications like SSH and possibly HTTP, while lowering priority for everything else. | Gentoo Wiki is one of the better documentation sources I have found.
TCNG seems interesting. I have yet to try it:
I tried this without much luck:
http://lartc.org/howto/lartc.cookbook.ultimate-tc.html#AEN2210
This page also has some notes: http://www.void.gr/kargig/blog/2005/07/27/traffic-shaping-a-dsl-line-with-linux/
Handy commands
Ban -- block an annoying machine
This blocks a specific IP address from reaching your server. This is useful if you are getting annoying traffic from another machine and you want to get rid of them. Replace 255.255.255.255 with the IP address you want to drop.
iptables -I INPUT -j DROP -s 255.255.255.255
I set these aliases in my .bash_aliases file (sourced by .bashrc):
alias ban='iptables -I INPUT -j DROP -s' alias unban='iptables -D INPUT -j DROP -s'
A very useful tool to do this automatically is fail2ban.
Show packet and byte counts
This shows the counters for each rule in a chain. This shows the number of packets and bytes that have gone through a specific chain. You can use this to measure traffic.
iptables -L INPUT -v