
Linux iptables: Setting up a firewall with rules

The rules file below is in iptables-save format (loaded with iptables-restore). Lines starting with `#` are comments; commented-out rules are kept as alternatives.

```
*filter

# Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
# -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 32654 -j ACCEPT

# SMTP
-A INPUT -p tcp --dport 25 -j ACCEPT

# POP3
-A INPUT -p tcp --dport 110 -j ACCEPT

# IMAP2
-A INPUT -p tcp --dport 143 -j ACCEPT

# SSMTP
-A INPUT -p tcp --dport 465 -j ACCEPT

# IMAP submission
-A INPUT -p tcp --dport 587 -j ACCEPT

# IMAPS
-A INPUT -p tcp --dport 993 -j ACCEPT

# POP3S
-A INPUT -p tcp --dport 995 -j ACCEPT

# TS3
-A INPUT -p udp --dport 9987 -j ACCEPT

# FTP
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# -A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

# SIEVE
# -A INPUT -p tcp --dport 4190 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Log iptables denied calls (access via the 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
```
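The note about restricting SSH to certain IPs calls for an audit of what the rule set actually exposes. The following Python script is an added example, not part of this page: it parses an iptables-save style file like the one above, lists every INPUT port accepted from any source (no `-s`/`--source` restriction) and checks that the INPUT chain ends in a REJECT or DROP. The sample rules are a constructed excerpt of the file above.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the rules file above (iptables-save format), used as sample input.
SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 32654 -j ACCEPT
-A INPUT -p udp --dport 9987 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
"""

PORT_RE = re.compile(r"-p (tcp|udp)\b.*--dport (\d+)")
SOURCE_RE = re.compile(r"(^|\s)(-s|--source)\s")
TARGET_RE = re.compile(r"-j (\S+)")


def parse_rules(text: str) -> Dict[str, List[str]]:
    """Group active (uncommented) -A rules by chain; '#' lines, '*table' and COMMIT are skipped."""
    chains: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return chains


def world_open_ports(chains: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """(proto, port) for INPUT ACCEPT rules on a destination port with no source restriction."""
    found = []
    for rule in chains.get("INPUT", []):
        m = PORT_RE.search(rule)
        if m and TARGET_RE.search(rule).group(1) == "ACCEPT" and not SOURCE_RE.search(rule):
            found.append((m.group(1), int(m.group(2))))
    return found


def input_ends_with_deny(chains: Dict[str, List[str]]) -> bool:
    """True when the last INPUT rule is a catch-all REJECT/DROP (default-deny is in place)."""
    rules = chains.get("INPUT", [])
    return bool(rules) and TARGET_RE.search(rules[-1]).group(1) in ("REJECT", "DROP")


if __name__ == "__main__":
    chains = parse_rules(SAMPLE_RULES)
    print("open to any source:", world_open_ports(chains))
    print("INPUT ends with deny:", input_ends_with_deny(chains))
```

Run it against your own file with `parse_rules(open("/etc/iptables.prod.rules").read())`; every port listed that should be reachable only from known addresses is a rule that still needs an `-s` restriction.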

The deployment script `activate_fw.sh` saves the running rule set before loading the test file, and writes the running (tested) rule set to the production file once you are satisfied with it:

```bash
#!/bin/bash
# activate_fw.sh - TEST: back up the running rules and load the test rule set;
#                  PROD: persist the running rules as the production rule set.

SAVEFILE="/home/scripts/iptables/$(date +%Y%m%d_%H%M%S)_iptables.save.rules"
TESTFILE="/home/scripts/iptables/iptables.test.rules"
PRODFILE="/etc/iptables.prod.rules"

if [ "$1" == "TEST" ]; then

    # Flush all rules, delete user-defined chains in every table and reset the
    # policies to ACCEPT so the test rule set starts from a clean slate
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    echo "##### Saving current rules from iptables-save to $SAVEFILE"
    iptables-save > "$SAVEFILE"
    echo "#####"
    echo ""
    echo "##### Deploying rules from $TESTFILE to iptables-restore"
    iptables-restore < "$TESTFILE"
    echo "#####"
    echo ""
    iptables -L

elif [ "$1" == "PROD" ]; then

    echo "##### Deploying rules from 'iptables-save' to $PRODFILE"
    iptables-save > "$PRODFILE"
    echo "#####"

else

    echo "##### Usage"
    echo "activate_fw.sh [TEST|PROD]"
    echo ""
    echo "     TEST      to save current rules to $SAVEFILE"
    echo "               and to deploy new rules from $TESTFILE for testing"
    echo ""
    echo "     PROD      to deploy current rules to $PRODFILE for production use"
    echo "#####"

fi
```