basic settings: We're going to tell it to allow established connections, traffic generated by the server itself, traffic destined for our SSH and web server ports. We will drop all other traffic. We can set this basic firewall up by typing:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP
# We can see our current firewall rules:
sudo iptables -S
# allow several ports in one rule with multiport:
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
restrict access with TCP wrappers:
vi /etc/hosts.allow
smbd: 192.168.1.
to make a rule persistent, save the table:
/sbin/service iptables save
View blocked IPs:
/sbin/iptables -L -v
/sbin/iptables -L INPUT -v -n | grep 1.2.3.4
Block an incoming IP (generic form, then an example):
/sbin/iptables -I INPUT -s {IP-HERE} -j DROP
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
You can replace -I INPUT (insert) with -A INPUT (append) rule as follows:
/sbin/iptables -A INPUT -s 1.2.3.4 -j DROP
/sbin/iptables -i eth1 -A INPUT -s 1.2.3.4 -j DROP
block a single IP:
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
block a subnet:
/sbin/iptables -i eth1 -A INPUT -s 10.0.0.0/8 -j DROP
#!/bin/sh
# firewall for china and korea
# http://www.okean.com/antispam/iptables/rc.firewall.sinokorea
# send comments, corrections, and additions to: comments20140703@okean.com
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N INPUT || iptables -F INPUT
iptables -A INPUT -p tcp -s 1.0.1.0/24 -j DROP
iptables -A INPUT -p tcp -s 1.0.2.0/23 -j DROP
iptables -A INPUT -p tcp -s 1.0.8.0/21 -j DROP
iptables -A INPUT -p tcp -s 1.0.32.0/19 -j DROP
#...
remove a drop rule: get the line number of the rule, then delete that line number:
# find line number
/sbin/iptables -L INPUT -n --line-numbers | grep 1.2.3.4
# delete number 3
/sbin/iptables -D INPUT 3
remove the rule for an IP:
/sbin/iptables -D INPUT -s 1.2.3.4 -j DROP
service iptables save
export / import rules:
iptables-save > /root/myfirewall.conf
iptables-restore < /root/myfirewall.conf
Block outgoing requests from LAN IP 192.168.1.200:
# /sbin/iptables -A OUTPUT -s 192.168.1.200 -j DROP
# /sbin/service iptables save
enable MySQL (add the rule to the config file, then restart the service):
nano -w /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
service iptables restart
# or
/etc/init.d/iptables restart
disable an application server port (reject with a TCP reset):
/sbin/iptables -A INPUT -p tcp -i eth0 --dport 8080 -j REJECT --reject-with tcp-reset
iptables rules take effect immediately: as soon as you run the following command, the port will be open:
# enable port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# translate port to port
iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8000
# To save the rules out to a config file later:
iptables-save > /etc/iptables/rules.v4
The config file will be used by the iptables-persistent service when the machine boots.
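Rule order matters: a rule appended with -A lands after the final `-A INPUT -j DROP` from the basic setup, so an ACCEPT appended later (such as the MySQL rule) never matches, while -I puts it at the top. The following added example (not from the original notes) parses a constructed `iptables-save` dump, flags rules shadowed by a catch-all terminal rule, and lists the sources blocked by `-s ... -j DROP` rules, which is a quicker audit than grepping `iptables -L` by hand.

```python
import shlex

# Constructed sample of `iptables-save` output (not captured from a real host).
# The MySQL ACCEPT sits after the catch-all DROP, as happens with -A.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 1.2.3.4/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text, chain="INPUT"):
    """Return the '-A <chain>' rules as token lists, in the order iptables evaluates them."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 2 and toks[0] == "-A" and toks[1] == chain:
            rules.append(toks[2:])  # drop '-A INPUT', keep matches and target
    return rules


def unreachable_rules(text, chain="INPUT"):
    """Rules after a match-less terminal rule (e.g. '-j DROP') can never match."""
    rules = parse_rules(text, chain)
    for idx, toks in enumerate(rules):
        if len(toks) == 2 and toks[0] == "-j" and toks[1] in TERMINAL_TARGETS:
            return [" ".join(r) for r in rules[idx + 1:]]
    return []


def dropped_sources(text, chain="INPUT"):
    """Source addresses or networks blocked by an '-s ... -j DROP' rule."""
    blocked = []
    for toks in parse_rules(text, chain):
        if "-s" in toks and toks[-2:] == ["-j", "DROP"]:
            blocked.append(toks[toks.index("-s") + 1])
    return blocked


if __name__ == "__main__":
    print("blocked sources:", dropped_sources(SAMPLE_RULES))
    for rule in unreachable_rules(SAMPLE_RULES):
        print("shadowed rule (never matches):", rule)
```

Run it against a real dump with `iptables-save > /root/myfirewall.conf` and read that file in place of SAMPLE_RULES.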
Port forwarding using iptables:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport <port> -j DNAT --to-destination <host>:<port>
ufw simple settings:
sudo ufw allow from {your-ip} to any port 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw disable
sudo ufw enable