From d2a8fdc112cf5a398941ea87b3af747d19e8b422 Mon Sep 17 00:00:00 2001 From: trimstray Date: Wed, 15 Aug 2018 07:58:13 +0200 Subject: [PATCH] updated TOC, minor fixes - signed-off-by: trimstray --- README.md | 164 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 86 insertions(+), 78 deletions(-) diff --git a/README.md b/README.md index f5a50fa..9613557 100644 --- a/README.md +++ b/README.md 
@@ -25,55 +25,63 @@ **** +## Table Of Content + +- [Tools to help you configure Iptables](#tools-to-help-you-configure-iptables) +- [Iptables Rules](#iptables-rules) + * [Saving Rules](#saving-rules) + - [Debian Based](#debian-based) + - [RedHat Based](#redhat-based) + * [List out all of the active iptables rules](#list-out-all-of-the-active-iptables-rules) + * [List out all of the active iptables rules with numeric lines](#list-out-all-of-the-active-iptables-rules-with-numeric-lines) + * [List Rules as Tables](#list-rules-as-tables) + * [List Rules as Tables for INPUT chain](#list-rules-as-tables-for-input-chain) + * [Show all of the rule specifications in the INPUT chain](#show-all-of-the-rule-specifications-in-the-input-chain) + * [Show Packet Counts and Aggregate Size](#show-packet-counts-and-aggregate-size) + * [Delete Rule by Chain and Number](#delete-rule-by-chain-and-number) + * [Delete Rule by Specification](#delete-rule-by-specification) + * [Flush All Rules, Delete All Chains, and Accept All](#flush-all-rules--delete-all-chains--and-accept-all) + * [Flush All Chains](#flush-all-chains) + * [Flush a Single Chain](#flush-a-single-chain) + * [Allow Loopback Connections](#allow-loopback-connections) + * [Allow Established and Related Incoming Connections](#allow-established-and-related-incoming-connections) + * [Allow Established Outgoing Connections](#allow-established-outgoing-connections) + * [Internal to External](#internal-to-external) + * [Drop Invalid Packets](#drop-invalid-packets) + * [Block an IP Address](#block-an-ip-address) + * [Block and IP Address and Reject](#block-and-ip-address-and-reject) + * [Block Connections to a Network Interface](#block-connections-to-a-network-interface) + * [Block Connections to a Network Interface](#block-connections-to-a-network-interface-1) + * [Allow All Incoming SSH](#allow-all-incoming-ssh) + * [Allow Incoming SSH from Specific IP address or subnet](#allow-incoming-ssh-from-specific-ip-address-or-subnet) + * 
[Allow Outgoing SSH](#allow-outgoing-ssh) + * [Allow Incoming Rsync from Specific IP Address or Subnet](#allow-incoming-rsync-from-specific-ip-address-or-subnet) + * [Allow All Incoming HTTP](#allow-all-incoming-http) + * [Allow All Incoming HTTPS](#allow-all-incoming-https) + * [Allow All Incoming HTTP and HTTPS](#allow-all-incoming-http-and-https) + * [Allow MySQL from Specific IP Address or Subnet](#allow-mysql-from-specific-ip-address-or-subnet) + * [Allow MySQL to Specific Network Interface](#allow-mysql-to-specific-network-interface) + * [PostgreSQL from Specific IP Address or Subnet](#postgresql-from-specific-ip-address-or-subnet) + * [Allow PostgreSQL to Specific Network Interface](#allow-postgresql-to-specific-network-interface) + * [Block Outgoing SMTP Mail](#block-outgoing-smtp-mail) + * [Allow All Incoming SMTP](#allow-all-incoming-smtp) + * [Allow All Incoming IMAP](#allow-all-incoming-imap) + * [Allow All Incoming IMAPS](#allow-all-incoming-imaps) + * [Allow All Incoming POP3](#allow-all-incoming-pop3) + * [Allow All Incoming POP3S](#allow-all-incoming-pop3s) + +**** + ### Tools to help you configure Iptables - **[Shorewall](http://shorewall.org/)** - **[Firewalld](https://firewalld.org/)** - **[FireHOL](https://github.com/firehol/firehol)** -- **[UFW](Uncomplicated Firewall)** +- **[UFW](https://wiki.ubuntu.com/UncomplicatedFirewall)** ### Iptables Rules -- [1. Saving Rules](#1-saving-rules) -- [2. List out all of the active iptables rules](#2-list-out-all-of-the-active-iptables-rules) -- [3. List out all of the active iptables rules with numeric lines](#3-list-out-all-of-the-active-iptables-rules-with-numeric-lines) -- [4. List Rules as Tables](#4-list-rules-as-tables) -- [5. List Rules as Tables for INPUT chain](#5-list-rules-as-tables-for-input-chain) -- [6. Show all of the rule specifications in the INPUT chain](#6-show-all-of-the-rule-specifications-in-the-input-chain) -- [7. 
Show Packet Counts and Aggregate Size](#7-show-packet-counts-and-aggregate-size) -- [8. Delete Rule by Chain and Number](#8-delete-rule-by-chain-and-number) -- [9. Delete Rule by Specification](#9-delete-rule-by-specification) -- [10. Flush All Rules, Delete All Chains, and Accept All](#10-flush-all-rules--delete-all-chains--and-accept-all) -- [11. Flush All Chains](#11-flush-all-chains) -- [12. Flush a Single Chain](#12-flush-a-single-chain) -- [13. Allow Loopback Connections](#13-allow-loopback-connections) -- [14. Allow Established and Related Incoming Connections](#14-allow-established-and-related-incoming-connections) -- [15. Allow Established Outgoing Connections](#15-allow-established-outgoing-connections) -- [16. Internal to External](#16-internal-to-external) -- [17. Drop Invalid Packets](#17-drop-invalid-packets) -- [18. Block an IP Address](#18-block-an-ip-address) -- [19. Block and IP Address and Reject](#19-block-and-ip-address-and-reject) -- [20. Block Connections to a Network Interface](#20-block-connections-to-a-network-interface) -- [21. Block Connections to a Network Interface](#21-block-connections-to-a-network-interface) -- [22. Allow All Incoming SSH](#22-allow-all-incoming-ssh) -- [23. Allow Incoming SSH from Specific IP address or subnet](#23-allow-incoming-ssh-from-specific-ip-address-or-subnet) -- [24. Allow Outgoing SSH](#24-allow-outgoing-ssh) -- [25. Allow Incoming Rsync from Specific IP Address or Subnet](#25-allow-incoming-rsync-from-specific-ip-address-or-subnet) -- [26. Allow All Incoming HTTP](#26-allow-all-incoming-http) -- [27. Allow All Incoming HTTPS](#27-allow-all-incoming-https) -- [28. Allow All Incoming HTTP and HTTPS](#28-allow-all-incoming-http-and-https) -- [29. Allow MySQL from Specific IP Address or Subnet](#29-allow-mysql-from-specific-ip-address-or-subnet) -- [30. Allow MySQL to Specific Network Interface](#30-allow-mysql-to-specific-network-interface) -- [31. 
PostgreSQL from Specific IP Address or Subnet](#31-postgresql-from-specific-ip-address-or-subnet) -- [32. Allow PostgreSQL to Specific Network Interface](#32-allow-postgresql-to-specific-network-interface) -- [33. Block Outgoing SMTP Mail](#33-block-outgoing-smtp-mail) -- [34. Allow All Incoming SMTP](#34-allow-all-incoming-smtp) -- [35. Allow All Incoming IMAP](#35-allow-all-incoming-imap) -- [36. Allow All Incoming IMAPS](#36-allow-all-incoming-imaps) -- [37. Allow All Incoming POP3](#37-allow-all-incoming-pop3) -- [38. Allow All Incoming POP3S](#38-allow-all-incoming-pop3s) - -#### 1. Saving Rules +#### Saving Rules ###### Debian Based @@ -93,55 +101,55 @@ netfilter-persistent save service iptables save ``` -#### 2. List out all of the active iptables rules +#### List out all of the active iptables rules ```bash iptables -S ``` -#### 3. List out all of the active iptables rules with numeric lines +#### List out all of the active iptables rules with numeric lines ```bash iptables -L --line-numbers ``` -#### 4. List Rules as Tables +#### List Rules as Tables ```bash iptables -L ``` -#### 5. List Rules as Tables for INPUT chain +#### List Rules as Tables for INPUT chain ```bash iptables -L INPUT ``` -#### 6. Show all of the rule specifications in the INPUT chain +#### Show all of the rule specifications in the INPUT chain ```bash iptables -S INPUT ``` -#### 7. Show Packet Counts and Aggregate Size +#### Show Packet Counts and Aggregate Size ```bash iptables -L INPUT -v ``` -#### 8. Delete Rule by Chain and Number +#### Delete Rule by Chain and Number ```bash iptables -D INPUT 10 ``` -#### 9. Delete Rule by Specification +#### Delete Rule by Specification ```bash iptables -D INPUT -m conntrack --ctstate INVALID -j DROP ``` -#### 10. Flush All Rules, Delete All Chains, and Accept All +#### Flush All Rules, Delete All Chains, and Accept All ```bash iptables -P INPUT ACCEPT 
@@ -154,185 +162,185 @@ iptables -F iptables -X ``` -#### 11. Flush All Chains +#### Flush All Chains ```bash iptables -F ``` -#### 12. Flush a Single Chain +#### Flush a Single Chain ```bash iptables -F INPUT ``` -#### 13. Allow Loopback Connections +#### Allow Loopback Connections ```bash iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ``` -#### 14. Allow Established and Related Incoming Connections +#### Allow Established and Related Incoming Connections ```bash iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ``` -#### 15. Allow Established Outgoing Connections +#### Allow Established Outgoing Connections ```bash iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 16. Internal to External +#### Internal to External ```bash iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT ``` -#### 17. Drop Invalid Packets +#### Drop Invalid Packets ```bash iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ``` -#### 18. Block an IP Address +#### Block an IP Address ```bash iptables -A INPUT -s 15.15.15.51 -j DROP ``` -#### 19. Block and IP Address and Reject +#### Block and IP Address and Reject ```bash iptables -A INPUT -s 15.15.15.51 -j REJECT ``` -#### 20. Block Connections to a Network Interface +#### Block Connections to a Network Interface ```bash iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP ``` -#### 21. Block Connections to a Network Interface +#### Block Connections to a Network Interface ```bash iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP ``` -#### 22. Allow All Incoming SSH +#### Allow All Incoming SSH ```bash iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 23. 
Allow Incoming SSH from Specific IP address or subnet +#### Allow Incoming SSH from Specific IP address or subnet ```bash iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 24. Allow Outgoing SSH +#### Allow Outgoing SSH ```bash iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 25. Allow Incoming Rsync from Specific IP Address or Subnet +#### Allow Incoming Rsync from Specific IP Address or Subnet ```bash iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 26. Allow All Incoming HTTP +#### Allow All Incoming HTTP ```bash iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 27. Allow All Incoming HTTPS +#### Allow All Incoming HTTPS ```bash iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 28. Allow All Incoming HTTP and HTTPS +#### Allow All Incoming HTTP and HTTPS ```bash iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 29. Allow MySQL from Specific IP Address or Subnet +#### Allow MySQL from Specific IP Address or Subnet ```bash iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 30. 
Allow MySQL to Specific Network Interface +#### Allow MySQL to Specific Network Interface ```bash iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 31. PostgreSQL from Specific IP Address or Subnet +#### PostgreSQL from Specific IP Address or Subnet ```bash iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 32. Allow PostgreSQL to Specific Network Interface +#### Allow PostgreSQL to Specific Network Interface ```bash iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 33. Block Outgoing SMTP Mail +#### Block Outgoing SMTP Mail ```bash iptables -A OUTPUT -p tcp --dport 25 -j REJECT ``` -#### 34. Allow All Incoming SMTP +#### Allow All Incoming SMTP ```bash iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 35. Allow All Incoming IMAP +#### Allow All Incoming IMAP ```bash iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 36. Allow All Incoming IMAPS +#### Allow All Incoming IMAPS ```bash iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 37. 
Allow All Incoming POP3 +#### Allow All Incoming POP3 ```bash iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT ``` -#### 38. Allow All Incoming POP3S +#### Allow All Incoming POP3S ```bash iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
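Review bot: in the first hunk (the new `## Table Of Content` block) the entry `Block and IP Address and Reject` carries the typo "and" for "an", and the TOC faithfully links to the same misspelling in the heading; fix both to `Block an IP Address and Reject` so the anchor `#block-an-ip-address-and-reject` stays consistent. The same list has `Block Connections to a Network Interface` twice (second one pointing at `#block-connections-to-a-network-interface-1`), which only exists because two later sections are duplicates of each other; once the duplicate section is resolved the second entry should go. Two smaller style points: `PostgreSQL from Specific IP Address or Subnet` is the only rule entry without the leading "Allow" (compare `Allow MySQL from Specific IP Address or Subnet`), and the heading reads better as `Table of Contents`.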
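Review bot: in the third hunk, the sections `Block Connections to a Network Interface` (formerly 20 and 21) are identical, both heading and rule (`iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP`); since this hunk is already retitling every heading, either drop the second copy or retitle it to what it was meant to show. Also visible in the same hunk, the `Allow All Incoming HTTP and HTTPS` OUTPUT rule is `iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT`, whereas every single-port section pairs its INPUT rule with an OUTPUT rule on `--sport`; for reply traffic from the local web server this should be `--sports 80,443`, otherwise the rule matches established outbound connections to remote web servers rather than the server's own replies. Suggest fixing that line while the file is being touched.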