IPTables, what is it?!
The main firewall tool on Ubuntu is iptables, which ships with the companion utilities iptables-save and iptables-restore alongside the iptables command itself. iptables lets you define default policies for forwarded, incoming and outgoing traffic, plus exceptions that accept or deny specific kinds of connection.
There are 2 ways to use iptables:
Rules on the command line: quick and temporary, since every rule is forgotten on system reboot. You can set only one rule or policy per command, so you may have to chain several commands together to avoid ending up with a system that can no longer be reached from outside.
Policies INPUT, FORWARD and OUTPUT:
```
iptables -P [chain] [policy]
```
Defining a rule to open or close a specific port:
```
iptables -A [chain] [rule specification]
```
RULES IN A FILE
Efficient for definitive configurations: the same file can be loaded once or kept as the permanent configuration.
The config file must follow a few rules: policy definitions must be preceded by a *filter line, each chain definition must start with a colon (:), and the last line of the file must be COMMIT, which confirms and applies the defined rules. The hash character (#) starts a comment.
A config example (the parts in square brackets are what you fill in):
```
# Policies
*filter
:INPUT [policy]
:FORWARD [policy]
:OUTPUT [policy]
-A INPUT [rule]
-A OUTPUT [rule]
COMMIT
```
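Checking a hand-written file against these layout rules before handing it to iptables-restore saves you from its terse "line N failed" message. The script below is an added example, not code from the original post: a plain shell checker that reads a rules file on standard input and reports a chain or rule that appears before any *table line, a chain line without a policy, a rule for a chain that was never declared, or a file that does not end in COMMIT. It assumes the layout described above for the filter table (built-in chain policies ACCEPT, DROP or - for user chains) and touches nothing on the firewall.

```shell
#!/bin/sh
# Added example (not from the original post): lint an iptables-restore file.
# check_rules reads the file on stdin and returns 0 when the layout is sound,
# 1 otherwise; every problem found is printed on stderr with its line number.
check_rules() {
    rc=0 n=0 table="" chains="" last=""
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                        # blank lines and comments
            '*'*)                                       # table header, e.g. *filter
                table=${line#\*} ;;
            ':'*)                                       # chain line, e.g. :INPUT DROP [0:0]
                [ -n "$table" ] || { echo "line $n: chain declared before a *table line" >&2; rc=1; }
                chain=${line%% *}; chain=${chain#:}
                policy=${line#"${line%% *}"}; policy=${policy# }; policy=${policy%% *}
                case $policy in
                    ACCEPT|DROP|-) ;;
                    '') echo "line $n: chain $chain has no policy (use e.g. ':$chain DROP')" >&2; rc=1 ;;
                    *)  echo "line $n: '$policy' is not a chain policy (ACCEPT, DROP or -)" >&2; rc=1 ;;
                esac
                chains="$chains $chain" ;;
            '-A '*|'-I '*)                              # rule appended to / inserted in a chain
                [ -n "$table" ] || { echo "line $n: rule before a *table line" >&2; rc=1; }
                rest=${line#* }; chain=${rest%% *}
                case " $chains " in
                    *" $chain "*) ;;
                    *) echo "line $n: rule for chain $chain, but there is no ':$chain' line" >&2; rc=1 ;;
                esac ;;
            COMMIT) ;;
            *) echo "line $n: unrecognised line: $line" >&2; rc=1 ;;
        esac
        last=$line
    done
    [ "$last" = COMMIT ] || { echo "last line is '$last', expected COMMIT" >&2; rc=1; }
    return $rc
}

# Usage: sh check_rules.sh /etc/iptables.up.rules   (or: check_rules < rules-file)
if [ $# -gt 0 ]; then
    check_rules < "$1" && echo "$1: layout OK"
fi
```

Run it on the file before iptables-restore; a clean pass only means the layout is right, iptables-restore still validates the individual match and target options.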
Once the config file is written, use the following commands to load a configuration from a file or save the current one to a file.
Apply and save the configuration
Load config from file:
```
iptables-restore < [file name]
```
Save config to file:
```
iptables-save > [file name]
```
Save config permanently (“sudo -i” is not needed if you are logged in as root):
```
sudo -i
iptables-save > /etc/iptables.up.rules
```
Saving alone does not reload the rules at boot: something still has to run iptables-restore on this file when the network comes up (an if-pre-up.d script or the iptables-persistent package, for example).
You are free to pick all or only the configs you need to build your own configuration file (except the first three, which are mandatory), or to run the same settings as a series of chained iptables commands. Just remember to append COMMIT at the end of your config file.
Read and clean up (LIST & FLUSH)
Before starting your config, you may need to check or remove the rules currently applied on your system.
List the current system rules (LIST):
```
iptables -L
```
Clean up the rule list (FLUSH). Set the INPUT policy to ACCEPT before flushing: with a DROP policy and no rules left, nothing would get in, including your own session:
```
# Allow incoming connections before flushing, so you are not locked out
iptables -P INPUT ACCEPT
# Flush all rules
iptables -F
```
Policies let you define the firewall's default behaviour for each type of traffic. A good basic policy denies (DROP) any incoming (INPUT) or forwarded (FORWARD) connection and allows all outgoing ones (OUTPUT).
Basic policy definition in the config file:
```
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
```
Defining the same policies from the command line is just as easy and not far from the config file; just remember to chain them together with the loopback, persistence and SSH rules that follow, otherwise you lose any chance of reaching your server remotely:
```
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```
Allow all incoming connections from the loopback interface (a kind of service door the system uses to talk to itself: localhost / 127.0.0.1):
```
-A INPUT -i lo -j ACCEPT
```
Connection persistence (ESTABLISHED and RELATED)
Connections in iptables can be of 3 types: NEW, ESTABLISHED and RELATED, so you must accept ESTABLISHED and RELATED connections to automatically let in the replies to connections the server itself opens towards the outside:
```
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
SSH (a must-have for working remotely)
Open TCP port 22 to allow incoming SSH connections:
```
-A INPUT -p tcp --dport 22 -j ACCEPT
```
Open TCP port 80 to allow incoming connections to your web server (Apache, for example):
```
-A INPUT -p tcp --dport 80 -j ACCEPT
```
Open TCP port 443 to allow incoming connections to your secure (HTTPS) web server (Apache, for example):
```
-A INPUT -p tcp --dport 443 -j ACCEPT
```
Open UDP port 53 to provide DNS services (with bind9, for example; you can read a complete guide here) to other computers in your network or on the internet, and allow incoming TCP traffic whose source port is 53:
```
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --sport 53 -j ACCEPT
```
Be aware that the second rule matches the remote side's source port, which any client can set to 53, so it lets such a client reach every local TCP port. Replies to the server's own DNS lookups are already covered by the ESTABLISHED,RELATED rule above, and if you also serve DNS over TCP, open TCP destination port 53 the same way as the UDP rule.
Open TCP ports 139 and 445 and UDP ports 137 and 138 to make a Samba server reachable:
```
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
```
Open TCP port 21 to enable FTP access (this is only the control channel; data connections also need the FTP connection-tracking helper or the server's passive port range to be opened):
```
-A INPUT -p tcp --dport 21 -j ACCEPT
```
Open TCP ports 25 and 587 for the SMTP server:
```
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
```
Open TCP port 143 to enable IMAP server access:
```
-A INPUT -p tcp --dport 143 -j ACCEPT
```
Open TCP port 993 for the IMAP secure server:
```
-A INPUT -p tcp --dport 993 -j ACCEPT
```
Open TCP ports 110 and 995 for the POP3 server:
```
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
```
Open TCP ports 12957 and 32976 and UDP port 17771 so the LogMeIn Hamachi tunnelling service works properly:
```
-A INPUT -p tcp --dport 12957 -j ACCEPT
-A INPUT -p tcp --dport 32976 -j ACCEPT
-A INPUT -p udp --dport 17771 -j ACCEPT
```
COMMIT (only when using the config file)
As said before, this line must be the last one in the config file; it is not recognised on the command line, where rules are applied immediately.
```
# End of rules and policies
COMMIT
```
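Putting the pieces together, here is an added example (not code from the original post) that assembles the policies, loopback, persistence, SSH and web rules above into one iptables-restore file and applies it with a timed rollback: the currently active rules are saved with iptables-save, the new file is parsed with iptables-restore --test and then loaded, and unless you confirm from a fresh SSH session within the timeout the saved rules are put back. The SSH_PORT variable (default 22) and the 60-second window are assumptions of this script; the file path is the /etc/iptables.up.rules the post saves to. Applying needs bash and root; generating and inspecting the ruleset works unprivileged.

```shell
#!/bin/bash
# Added example, not from the original post.  Builds the post's ruleset as an
# iptables-restore file and applies it with a rollback timer, so a mistake
# (a forgotten SSH or ESTABLISHED rule) cannot lock you out of the machine.

RULES_FILE=${RULES_FILE:-/etc/iptables.up.rules}   # path used by the post
SSH_PORT=${SSH_PORT:-22}                           # assumption: sshd on its default port

# write_ruleset: print the complete ruleset.  Policies first (*filter and the
# three built-in chains), then loopback, connection persistence, SSH and the
# web ports; COMMIT closes the file as iptables-restore requires.
write_ruleset() {
    cat <<EOF
# Policies: drop incoming and forwarded traffic, allow outgoing
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: the system talking to itself
-A INPUT -i lo -j ACCEPT
# Persistence: replies to connections this host opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services reachable from outside
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# End of rules and policies
COMMIT
EOF
}

# count_rules: number of -A rule lines in the generated ruleset, a quick
# sanity check that the file is not empty before applying it.
count_rules() {
    write_ruleset | grep -c '^-A '
}

# last_line: the final line of the generated ruleset (must be COMMIT).
last_line() {
    write_ruleset | tail -n 1
}

# apply_with_rollback [SECONDS]: load the ruleset, then wait for Enter.  Open a
# NEW ssh session first to prove the rules let you in; if nothing is typed
# within SECONDS, the previously active rules are restored automatically.
apply_with_rollback() {
    local timeout=${1:-60} backup
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1                 # what we roll back to
    write_ruleset | iptables-restore --test || return 1   # parse only, nothing applied
    write_ruleset | iptables-restore || return 1
    echo "New rules active. Open a NEW ssh session, then press Enter here within ${timeout}s to keep them."
    if read -r -t "$timeout" _; then
        write_ruleset > "$RULES_FILE" && echo "Kept and saved to $RULES_FILE"
    else
        iptables-restore < "$backup"
        echo "No confirmation within ${timeout}s: previous rules restored." >&2
    fi
    rm -f "$backup"
}

# Usage: bash firewall.sh show         (print the ruleset, no privileges needed)
#        sudo bash firewall.sh apply   (apply with a 60 s rollback window)
case "${1-}" in
    show)  write_ruleset ;;
    apply) apply_with_rollback "${2:-60}" ;;
esac
```

The rollback relies on the fact that iptables-restore replaces the whole filter table in one step and that the ESTABLISHED,RELATED rule keeps your current session alive; confirming from a second, freshly opened session is what proves that new connections on the SSH port are actually accepted.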