Iptables example scripts and information

Source: Lambda
---------- huge tutorial -------------------------



---------------- setup --------------------------------

The following kernel options must be enabled:

  Networking Options->
    Network packet filtering (replaces ipchains)  ---> 
      IP: Netfilter Configuration  --->
       It is safe to enable all of the modules. I recommend compiling the FTP and other connection-tracking helpers as modules rather than into the kernel, so that you can verify they are loaded and working.

The iptables package must be installed.

Run all iptables commands as root.

Test the results of the commands: they take effect immediately.

---------------- first example script ----------------
set -x
# Load needed kernel modules (on current kernels these are named
# nf_conntrack and nf_conntrack_ftp instead)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Clear any existing firewall stuff before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic.  This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
----------------- second example script -------------
# flush all chains
iptables -F
# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop new UDP traffic and new TCP connections (SYN) arriving on any
# ethernet interface; other interfaces and protocols fall through to the
# INPUT policy (ACCEPT)
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP
# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT
------------ third example script ---------------
# firewall.sh - Configurable per-host firewall for workstations and
# servers. (c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL
# Cleanup old rules
# Set the policies first, so that the firewall stays in a secure, closed
# state the whole time the rules are being rebuilt

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables --flush        # Flush all rules, but keep policies 
iptables --delete-chain # Delete all user-defined chains

## Workstation Minimal firewall ###

iptables -P FORWARD DROP
iptables -P INPUT DROP
# Accept everything on the loopback interface (the address arguments of
# this rule are missing in this copy; the interface match alone is enough)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT 
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

####### HOLES ####### Edit holes below, then run this script again
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
##################### Edit above

iptables -A INPUT -m limit --limit 40/minute -j LOG
iptables -A INPUT -j DROP

# Save
iptables-save > /etc/sysconfig/iptables
echo ": Done."
----------- complex example script for routing and nat: two subnets ----
# The subnet and DNAT target addresses are missing from this copy of the
# script; fill in the variables below before running it. Which subnet sits
# behind which interface is assumed here, the original does not say.
NET_ETH1=""        # network behind eth1, in address/prefix form
NET_ETH2=""        # network behind eth2, in address/prefix form
DNAT_TARGET=""     # internal host (or host:port) that should receive port 8080
# Drop packets arriving on eth0 that claim to come from localhost (anti-spoofing)
iptables -I INPUT -s localhost -i eth0 -j DROP
# Services offered by the firewall host itself
iptables -A INPUT -p tcp -m multiport --dports 22,21,80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --dports 57,63 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# Note: this script does not set the INPUT policy, so the log prefix below
# only describes what happens if the policy is already DROP
iptables -A INPUT -j LOG --log-prefix "[INPUT DROPPED]:" --log-level debug
# Forwarding between the two subnets and out through eth0
iptables -I FORWARD -d "$NET_ETH1" -i eth2 -j ACCEPT
iptables -A FORWARD -d "$NET_ETH2" -i eth1 -j ACCEPT
iptables -A FORWARD -s "$NET_ETH1" -i eth1 -j ACCEPT
iptables -A FORWARD -s "$NET_ETH2" -i eth2 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "[FORWARD DROPPED]:" --log-level debug
iptables -P FORWARD DROP
# NAT: masquerade on every interface, and forward TCP port 8080 arriving on
# eth0 to an internal host
iptables -t nat -I POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination "$DNAT_TARGET"
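The setup section says to test the results, and the third script's HOLES section opens ports one by one, so the check a practitioner wants after running any of these scripts is a list of the ports that actually ended up open. This is an added audit helper, not code from the page or from the scripts' authors: it parses `iptables -S INPUT` output (iptables-save syntax) with awk; the listing embedded in it is constructed for the demonstration, loosely modelled on the two-subnet script.

```shell
#!/bin/sh
# Added example: list the destination ports that INPUT rules ACCEPT, by
# parsing `iptables -S INPUT` (iptables-save syntax) read from stdin.
# Prints one "proto/port" line per port, in rule order; multiport lists
# are expanded, port ranges such as 1024:65535 are printed as-is.
# On a real host:  iptables -S INPUT | list_open_ports
list_open_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            proto = ""; ports = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            }
            # rules without a protocol and port (state, lo, icmp) are skipped
            if (proto != "" && ports != "") {
                n = split(ports, p, ",")
                for (k = 1; k <= n; k++) print proto "/" p[k]
            }
        }'
}

# Constructed sample listing (not captured from a real host), modelled on
# the two-subnet script: one multiport ACCEPT, a REJECT that must be
# ignored, and a single-port ACCEPT.
SAMPLE_LISTING='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i eth0 -j DROP
-A INPUT -p tcp -m multiport --dports 22,21,80,443 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 57,63 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT'

# Run the audit over the sample; the port list goes to stdout.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | list_open_ports
}

audit_sample
```

Ports reachable only through the state rule or the loopback rule are, correctly, not listed; the tool reports what is open to new connections.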