Debian
nepster-web, 2014-02-13 17:20:03

Setting up iptables on Debian: how do you write a rule correctly?

I installed iptables-persistent and got the following files:
/etc/iptables/rules.v4

# Generated by iptables-save v1.4.14 on Thu Feb 13 09:03:29 2014
*filter
:INPUT ACCEPT [178:21358]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [179:40896]
COMMIT
# Completed on Thu Feb 13 09:03:29 2014

/etc/iptables/rules.v6
# Generated by ip6tables-save v1.4.14 on Thu Feb 13 09:03:29 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Feb 13 09:03:29 2014

Can you please tell me how to write the rules in these files?
For example, I need to restrict SSH access to everyone except the IP range 213.200.*.*

3 answers
sergeevav82, 2014-02-13
@nepster-web

Something like this:

iptables -I INPUT ! -s 213.200.0.0/16 -p tcp --dport 22 -j DROP
/etc/init.d/iptables-persistent save

The iptables-persistent package only loads the rules at boot; they are written to the files with the save command.
For learning, I recommend Link 1 and Link 2.
The file will then look like this:

# Generated by iptables-save v1.4.14 on Thu Feb 13 09:03:29 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -s 213.200.0.0/16 -p tcp --dport 22 -j DROP
COMMIT
# Completed on Thu Feb 13 09:03:29 2014

Vlad Zhivotnev, 2014-02-14
@inkvizitor68sl

iptables -A INPUT -s 213.200.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 83.143.233.190 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Run them and check that nothing has broken. Then run iptables-save; it prints the rules back to you, and that output is what you write to /etc/iptables/rules.v4.
Do not forget about IPv6: it is a separate protocol and, in effect, has a separate firewall. If you do not want to let anyone in via SSH over IPv6, then:

ip6tables -A INPUT -p tcp --dport 22 -j DROP
ip6tables-save > /etc/iptables/rules.v6

The rules read roughly like this (for example, iptables -A INPUT -s 213.200.0.0/16 -p tcp --dport 22 -j ACCEPT):
In the INPUT chain (incoming traffic), add to the end of the rule list (-A; -I adds to the beginning) a rule for traffic whose source is in the subnet 213.200.0.0/16, using the TCP protocol (there are also udp and icmp), with destination port 22; the rule allows traffic that meets these conditions.
iptables -A INPUT -p tcp --dport 22 -j DROP = deny all incoming TCP traffic to port 22.
Rules are evaluated one by one until the first one that matches (well, that is for rules this simple; the real logic is quite intricate).
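The first-match walk-through this answer describes, as an added example that is not part of the original thread: a small POSIX sh model of the INPUT chain that holds the three rules above as a constructed table, decides a verdict for a sample packet by walking the table top to bottom, and shows why the same allow rule gives a different result when appended (-A) versus inserted at the top (-I). Nothing here talks to the kernel; the function names (reset_rules, insert_rule, append_rule, ip4_to_int, in_cidr, decide), the rule-table layout and the sample packets are this example's own assumptions.

```shell
#!/bin/sh
# Added example: a toy model of the INPUT chain from the answer above.
# The rule table and the sample packets are constructed for illustration;
# nothing here talks to the kernel. Fields per rule line:
#   source  protocol  dport  target   ("any" = no match on that field)

reset_rules() {
    INPUT_POLICY=ACCEPT          # chain policy, used when no rule matches
    INPUT_RULES='213.200.0.0/16 tcp 22 ACCEPT
83.143.233.190 tcp 22 ACCEPT
any tcp 22 DROP'
}

# iptables -I INPUT ... puts the rule at the top, -A INPUT ... at the bottom
insert_rule() { INPUT_RULES="$1
$INPUT_RULES"; }
append_rule() { INPUT_RULES="$INPUT_RULES
$1"; }

# ip4_to_int 213.200.0.1 -> 32-bit integer (POSIX sh arithmetic only)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> true when ADDR lies inside the prefix;
# a bare address means /32 and "any" matches everything
in_cidr() {
    [ "$2" = any ] && return 0
    net=${2%/*}; bits=${2#*/}
    [ "$net" = "$2" ] && bits=32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# decide SRC PROTO DPORT -> verdict for one packet: walk the chain top to
# bottom and stop at the first rule whose every field matches
decide() {
    verdict=$(printf '%s\n' "$INPUT_RULES" | while read -r src proto port target; do
        [ -z "$src" ] && continue
        in_cidr "$1" "$src" || continue
        [ "$proto" = any ] || [ "$proto" = "$2" ] || continue
        [ "$port" = any ] || [ "$port" = "$3" ] || continue
        echo "$target"; exit 0       # first match wins, later rules are never seen
    done)
    echo "${verdict:-$INPUT_POLICY}"  # fell off the end: chain policy applies
}

# Walk-through: the same allow rule appended (-A) versus inserted (-I)
reset_rules
echo "213.200.7.7 -> tcp/22: $(decide 213.200.7.7 tcp 22)"   # ACCEPT, rule 1
echo "10.0.0.5    -> tcp/22: $(decide 10.0.0.5 tcp 22)"      # DROP, rule 3
echo "10.0.0.5    -> tcp/80: $(decide 10.0.0.5 tcp 80)"      # ACCEPT, policy
append_rule '10.0.0.0/8 tcp 22 ACCEPT'
echo "after -A:   tcp/22: $(decide 10.0.0.5 tcp 22)"          # still DROP
insert_rule '10.0.0.0/8 tcp 22 ACCEPT'
echo "after -I:   tcp/22: $(decide 10.0.0.5 tcp 22)"          # ACCEPT
```

The last two lines are the point: an ACCEPT appended below an existing catch-all DROP never gets a chance to match, which is exactly what happens on a real box when you add an allow rule with -A to a chain that already ends in a DROP for that port.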

sergeevav82, 2014-02-14
@sergeevav82

Or, alternatively, create a chain, send what is allowed into it, and block what is not. For example, like this.

iptables -N TO_SSH                                                # new chain for allowed SSH sources
iptables -I INPUT -s 213.200.0.0/16 -p tcp --dport 22 -j TO_SSH
iptables -I INPUT -s 83.143.233.190 -p tcp --dport 22 -j TO_SSH
iptables -A INPUT -p tcp --dport 22 -j DROP                       # everything else to port 22 is dropped
iptables -I TO_SSH -j ACCEPT

and in the future, if you need to add an IP address, write:
iptables -I INPUT -s <IP or network> -p tcp --dport 22 -j TO_SSH
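An added example, not code from any of the answers in this thread: a POSIX sh script that renders both iptables-persistent files in the iptables-save format shown in the question, using the dedicated-chain approach from the answer above, so that the whole SSH allow-list lives in one variable and the ordering (allow jumps first, catch-all DROP after them) is produced mechanically instead of by hand. The chain name SSH_ALLOW, the RULES_DIR override, the SSH_ALLOW_SRC variable and the function names are this example's own assumptions; the two sources are the ones used in the thread.

```shell
#!/bin/sh
# Added example: render both iptables-persistent files in iptables-save
# format from one allow-list, using a dedicated chain for SSH as in the
# answer above. RULES_DIR, SSH_ALLOW_SRC and the chain name SSH_ALLOW are
# this example's own choices; the sources are the ones used in the thread.
set -e

RULES_DIR=${RULES_DIR:-/etc/iptables}            # point elsewhere for a dry run
SSH_PORT=22
SSH_ALLOW_SRC="213.200.0.0/16 83.143.233.190"    # space separated, IPv4 only

# gen_rules_v4 SRC... -> rules.v4 on stdout. Order matters: every allowed
# source jumps into SSH_ALLOW first, the catch-all DROP comes after them,
# so adding a source later is one more "-A INPUT ... -j SSH_ALLOW" line
# placed above the DROP.
gen_rules_v4() {
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf ':SSH_ALLOW - [0:0]\n'          # user chain: "-" because it has no policy
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p tcp --dport $SSH_PORT -j SSH_ALLOW"
    done
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -j DROP"
    printf '%s\n' "-A SSH_ALLOW -j ACCEPT"
    printf 'COMMIT\n'
}

# gen_rules_v6 -> rules.v6 on stdout: a separate firewall, so block SSH
# there entirely unless you also maintain an IPv6 allow-list
gen_rules_v6() {
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -j DROP"
    printf 'COMMIT\n'
}

# write_rules -> writes both files into $RULES_DIR
write_rules() {
    gen_rules_v4 $SSH_ALLOW_SRC > "$RULES_DIR/rules.v4"
    gen_rules_v6 > "$RULES_DIR/rules.v6"
}

# check_rules -> parse both files without loading them (needs root and an
# iptables-restore that supports --test); run this before the files are
# loaded, so a typo in them never reaches the live ruleset
check_rules() {
    iptables-restore --test < "$RULES_DIR/rules.v4"
    ip6tables-restore --test < "$RULES_DIR/rules.v6"
}

# Run directly: show the IPv4 file that would be written, touch nothing
gen_rules_v4 $SSH_ALLOW_SRC
```

To try it without touching the real files, run it with RULES_DIR set to a scratch directory (for example `RULES_DIR=$(mktemp -d)`) and call write_rules, then diff the result against your current /etc/iptables/rules.v4. Do the first real load from a session that originates inside the allowed range, since the DROP applies to existing connections from other sources as well.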
