IPTables, what is it?!
The main firewall tool on Ubuntu is iptables, which comes with some useful companion tools such as iptables-restore, iptables-save and iptables itself. Iptables lets you define forwarding (transit), input and output network policies together with their exceptions, accepting or denying specific kinds of connections.
There are 2 ways to use iptables:
-
COMMAND LINE
Quick and temporary: every rule is forgotten on system reboot. You can set only one rule or policy at a time, so it can be necessary to chain multiple commands together to avoid ending up with a system that cannot be reached from outside.
Policies INPUT, FORWARD and OUTPUT:
```
iptables -P [chain] [policy]
```
Defining a rule to open or close a specific port:
```
iptables -A [chain] [match options] -j [target]
```
-
RULES ON FILE
Efficient for definitive configurations; the file can be loaded once or used as a permanent configuration.
The config file must follow some rules: the policies must be preceded by a *filter line, each chain policy definition must start with the colon character (:), and the last row of the file must contain COMMIT to confirm the execution of the defined rules. The hash character (#) starts a comment. A config example (the bracketed parts are placeholders to fill in):
```
# Policies
*filter
:INPUT [policy]
:FORWARD [policy]
:OUTPUT [policy]
# Rules
-A INPUT [match options] -j [target]
-A OUTPUT [match options] -j [target]
COMMIT
```
Once the config file is written, use the following commands to load or save a configuration from or to a file.
-
Apply and save the configuration
Load config from file:
```
iptables-restore < [file name]
```
Save config to file:
```
iptables-save > [file name]
```
Save config permanently (“sudo -i” is not needed if you are logged in as root):
```
sudo -i
iptables-save > /etc/iptables.up.rules
```
Writing this file does not by itself reload the rules at boot: something must run iptables-restore on it at startup, for example a `pre-up iptables-restore < /etc/iptables.up.rules` line for the interface in /etc/network/interfaces, or the iptables-persistent package (which reads its own rules file).
-
Firewall configuration
You are free to pick all or only the configs you need to make your own personal configuration file (except the first 3, which are mandatory) or to run a series of chained iptables commands. Just remember to append COMMIT at the end of your config file.
-
Read and clean up (LIST & FLUSH)
Before starting your config, you may need to check or remove the rules currently applied on your system.
List the current system rules (LIST):
```
iptables -L
```
Clean up the rule list (FLUSH):
```
# Allow incoming connections first: flushing while the INPUT policy is DROP
# would leave no ACCEPT rule and cut off a remote session
iptables -P INPUT ACCEPT
# Flush all rules
iptables -F
```
-
Filter policy
Policies let you define the firewall's default behavior for the different types of traffic. A good basic policy denies (DROP) any incoming (INPUT) or forwarded (FORWARD) connection and allows all outgoing ones (OUTPUT).
Basic policies definition in config file:
```
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
```
Defining such policies by command line is pretty easy and not far from the config file; just remember to chain them with the loopback, connection persistence and SSH access rules (add those ACCEPT rules before switching INPUT to DROP), or you will end up with no way to access your server remotely:
```
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```
-
LOOPBACK
Allow all incoming connections on the loopback interface (a kind of service door the system uses to talk to itself: localhost / 127.0.0.1):
```
-A INPUT -i lo -j ACCEPT
```
-
Connection persistence (ESTABLISHED and RELATED)
Connections, in iptables, can be of 3 types: NEW, ESTABLISHED and RELATED. It is therefore necessary to accept ESTABLISHED and RELATED connections, so that the responses to connections opened by the server itself towards the outside are allowed automatically.
```
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
-
SSH (must have for working remotely)
Open TCP port 22 to allow incoming SSH connections:
```
-A INPUT -p tcp --dport 22 -j ACCEPT
```
-
HTTP
Open TCP port 80 to allow incoming connections to your web server (Apache, for example):
```
-A INPUT -p tcp --dport 80 -j ACCEPT
```
-
HTTPS
Open TCP port 443 to allow incoming connections to your secure (HTTPS) web server (Apache, for example):
```
-A INPUT -p tcp --dport 443 -j ACCEPT
```
-
DNS
Open UDP port 53 to be able to provide DNS services (bind9, for example) to other computers inside your network or on the internet, and accept TCP traffic coming from source port 53:
```
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --sport 53 -j ACCEPT
```
Note that the second rule matches only on the source port, which any remote host can choose, so it effectively opens every local TCP port to traffic sent from port 53; replies to the server's own DNS queries are already covered by the ESTABLISHED,RELATED rule above. A DNS server that must answer large responses or zone transfers also needs TCP destination port 53 opened, like the UDP one.
-
SAMBA
Open TCP ports 139 and 445 and UDP ports 137 and 138 to make the SAMBA server reachable:
```
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
```
-
FTP
Open TCP port 21 to enable FTP access:
```
-A INPUT -p tcp --dport 21 -j ACCEPT
```
This opens only the control channel; the data connections are accepted by the ESTABLISHED,RELATED rule only when the FTP connection-tracking helper (nf_conntrack_ftp) is loaded, otherwise the passive port range of the FTP server has to be opened as well.
-
SMTP
Open TCP ports 25 and 587 for the SMTP server:
```
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
```
-
IMAP
Open TCP port 143 to enable IMAP server access:
```
-A INPUT -p tcp --dport 143 -j ACCEPT
```
-
IMAPS
Open TCP port 993 for the IMAP secure (IMAPS) server:
```
-A INPUT -p tcp --dport 993 -j ACCEPT
```
-
POP3
Open TCP ports 110 and 995 for the POP3 server (995 is POP3 over TLS):
```
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
```
-
Hamachi
Open TCP ports 12957 and 32976 and UDP port 17771 to let the LogMeIn Hamachi tunnelling service work properly:
```
-A INPUT -p tcp --dport 12957 -j ACCEPT
-A INPUT -p tcp --dport 32976 -j ACCEPT
-A INPUT -p udp --dport 17771 -j ACCEPT
```
-
COMMIT (only when using the config file)
As said before, this keyword must be placed at the end of the config file, while it is not recognized when working on the command line, where rules are applied immediately.
```
# End of rules and policies
COMMIT
```
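Added here as a worked example (not code from the original post or from the iptables project): a small POSIX shell script that assembles the complete config file described in the sections above from a list of proto:port services, checks it for the classic lock-out mistakes (missing *filter or COMMIT, no loopback or ESTABLISHED,RELATED rule, INPUT DROP without SSH), and applies it through iptables-restore with an automatic rollback. The ROLLBACK path and the function names are assumptions of this example; apply_ruleset needs root and iptables-restore/iptables-save on PATH, the other two functions run anywhere.

```bash
#!/bin/sh
# Build, sanity-check and safely apply an iptables-restore ruleset.
# Assumed rollback file path (root-writable location, not a world-writable /tmp)
ROLLBACK=${ROLLBACK:-/run/iptables.rollback}

# build_ruleset "tcp:22 tcp:80 udp:53": print a complete *filter section with the
# three mandatory policies, the loopback and ESTABLISHED,RELATED rules, one
# ACCEPT rule per requested service, and the closing COMMIT.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'                                 # loopback
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'  # replies
    for svc in $1; do
        printf '%s\n' "-A INPUT -p ${svc%%:*} --dport ${svc#*:} -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset FILE: return 0 only if the file has the mandatory structure and
# would not cut off an administrator who is connected over SSH.
check_ruleset() {
    f=$1
    grep -qFx '*filter' "$f" || { echo "missing *filter line" >&2; return 1; }
    grep -qFx 'COMMIT' "$f"  || { echo "missing COMMIT line" >&2; return 1; }
    grep -qF -- '-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback traffic not allowed" >&2; return 1; }
    grep -qF -- '--state ESTABLISHED,RELATED' "$f" \
        || { echo "no ESTABLISHED,RELATED rule" >&2; return 1; }
    if grep -q '^:INPUT DROP' "$f" && ! grep -qF -- '--dport 22 -j ACCEPT' "$f"; then
        echo "INPUT policy is DROP but TCP 22 is not opened" >&2; return 1
    fi
}

# apply_ruleset FILE: parse-check with iptables-restore --test, save the running
# rules, load the new ones, and restore the saved rules after 60 s unless
# confirm_ruleset is run from a session that still works.
apply_ruleset() {
    check_ruleset "$1" || return 1
    iptables-restore --test < "$1" || return 1
    iptables-save > "$ROLLBACK" || return 1
    iptables-restore < "$1" || return 1
    nohup sh -c "sleep 60; [ -e '$ROLLBACK' ] && iptables-restore < '$ROLLBACK'" >/dev/null 2>&1 &
    echo "rules applied; run confirm_ruleset within 60 s to keep them"
}
confirm_ruleset() { rm -f "$ROLLBACK"; }
```

Typical use is `build_ruleset "tcp:22 tcp:80 tcp:443" > /etc/iptables.up.rules`, then `apply_ruleset /etc/iptables.up.rules` followed by `confirm_ruleset` once the SSH session is verified to still work.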
-
This post is also available in: Italian