iptables
symbyon1, 2015-06-18 13:11:37

How to properly close and open ports in iptables?

Help me configure the firewall on Ubuntu correctly. The essence of the problem: I need to close all ports and leave open only a select few!
Example:
Closed: 1-65355
Exceptions:
Apache2 TCP 80
DHClient TCP 56171 68 6782
DoveCot TCP 110 143 993 995
Exim4 TCP 587 465 25
IHTTPD TCP 1500
Mysqld TCP 3306
Named TCP 53 953
NTPD TCP 123
PROFTPD TCP 21
SSHD TCP 22

2 answer(s)
Igor, 2015-06-18
@merryjane

If, for example, it is for the INPUT chain, then set the default policy to DROP, allow established connections, and then add a list of rules that allow the ports listed above:

iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
...
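The pattern from this answer carried through for the full port list in the question, as an added example that is not part of the original post. It prints the rules by default (dry run) and only applies them when run with IPT=iptables; it also opens UDP 53, 68 and 123 as an assumption, because DNS, the DHCP client and NTP use UDP even though the question lists them as TCP.

```shell
#!/bin/sh
# Added example (not from the original post): allow-list firewall for INPUT.
# IPT defaults to a dry run that prints the rules; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# TCP ports exactly as listed in the question (Apache2, dhclient, Dovecot, Exim4,
# IHTTPD, MySQL, named, ntpd, proftpd, sshd).
TCP_PORTS="80,56171,68,6782,110,143,993,995,587,465,25,1500,3306,53,953,123,21,22"
# Assumption added here: DNS, the DHCP client and NTP also need their UDP ports.
UDP_PORTS="53,68,123"

# Emit one multiport rule per group of at most 15 ports (the match's limit).
# $1 = protocol, $2 = comma-separated port list
allow_ports() {
    proto=$1 group="" n=0
    for port in $(printf '%s' "$2" | tr ',' ' '); do
        group="${group:+$group,}$port"
        n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            $IPT -A INPUT -p "$proto" -m multiport --dports "$group" \
                -m conntrack --ctstate NEW -j ACCEPT
            group="" n=0
        fi
    done
    if [ -n "$group" ]; then
        $IPT -A INPUT -p "$proto" -m multiport --dports "$group" \
            -m conntrack --ctstate NEW -j ACCEPT
    fi
}

apply_rules() {
    $IPT -F INPUT                                   # start from a clean chain
    $IPT -A INPUT -i lo -j ACCEPT                   # loopback
    $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    allow_ports tcp "$TCP_PORTS"
    allow_ports udp "$UDP_PORTS"
    # Set the DROP policy last so an SSH session you are working from is not
    # cut off between "policy DROP" and the ESTABLISHED rule being added.
    $IPT -P INPUT DROP
}

apply_rules
```

Everything not listed, including the whole 1-65355 range from the question, is covered by the DROP policy, so no explicit "close" rules are needed.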

O Di, 2015-06-18
@insiki

Example from a working config:

#!/bin/sh
# eth0 is the external (Internet) interface, eth1 is the internal LAN interface
# Enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Set the default policy to block
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Allow incoming/outgoing packets to the gateway from the local network
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -m conntrack --ctstate NEW -j ACCEPT

# Allow access from the internal network to the outside
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT # HTTPS
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dport 25,110,143,465,587,993,995,2525 -m conntrack --ctstate NEW -j ACCEPT # Mail
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dport 2041,2042 -m conntrack --ctstate NEW -j ACCEPT # mail.ru Agent
iptables -A FORWARD -i eth1 -o eth0 -p udp -m multiport --dport 500,4500 -m conntrack --ctstate NEW -j ACCEPT # VPN IPSec
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dport 5242,4244 -m conntrack --ctstate NEW -j ACCEPT # Viber
iptables -A FORWARD -i eth1 -o eth0 -p udp -m multiport --dport 5243,9785 -m conntrack --ctstate NEW -j ACCEPT # Viber
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dport 4433 -m conntrack --ctstate NEW -j ACCEPT # Sberbank
iptables -A FORWARD -i eth1 -o eth0 -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT

# Enable NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Redirect ports to the proxy port (transparent proxy); LAN-internal traffic is left alone
iptables -t nat -A PREROUTING -i eth1 ! -d 192.168.1.0/24 -p tcp -m multiport --dport 80,8080 -j REDIRECT --to-port 3128
