IPtables - basic

From HS Syswiki

IPv4

server:~# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
 
# SSH (management)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 48531 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
# HTTP(S)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#-A INPUT -s 84.253.15.193 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -s 84.253.15.193 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
 
# IMAP(S)
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
 
# POP3(S)
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
 
# SMTP(S)
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
 
# NRPE
-A INPUT -s 176.9.84.48 -p tcp --dport 5666 -j ACCEPT
-A INPUT -s 176.9.124.50 -p tcp --dport 5666 -j ACCEPT
 
# Hacker-Attacks (DDoS, BF etc.)
-A INPUT -s     76.14.104.0/21 -j DROP
-A INPUT -s     117.79.128.0/18 -j DROP
 
# Default: drop everything else
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT

IPv6

server:~# cat /etc/sysconfig/ip6tables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
 
# SSH (management)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 48531 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 
# HTTP(S)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
#-A INPUT -s 2a01:4f8:a0:4362::/64 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -s 2a01:4f8:a0:4362::/64 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
 
# IMAP(S)
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
 
# POP3(S)
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
 
# SMTP(S)
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
 
# Default: drop everything else
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
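Both rulesets above are allow-lists that only work if the ESTABLISHED,RELATED rule sits before the catch-all DROP and nothing is appended after that DROP. The following script is an added example, not part of the wiki page: it runs static checks over an iptables-save style ruleset (RULESET is a constructed, shortened copy of the IPv4 rules above) and reports the ports open to any source, whether the default-deny line is last, how many rules are shadowed behind it, and whether the state rule is in the right place.

```shell
# Added example, not part of the wiki page: static checks on an iptables-save
# style ruleset. RULESET is a constructed, shortened copy of the IPv4 rules above.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 48531 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s 176.9.84.48 -p tcp --dport 5666 -j ACCEPT
-A INPUT -s 76.14.104.0/21 -j DROP
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT'

# TCP ports reachable from any source: INPUT ACCEPT rules that carry --dport
# but no -s restriction. Prints them space separated, numerically sorted.
open_tcp_ports() {
    printf '%s\n' "$1" | grep '^-A INPUT ' | grep -v -- ' -s ' | grep -- '-j ACCEPT$' \
        | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# "yes" when the last INPUT rule is the catch-all DROP that turns the ACCEPT
# policy into an allow-list, otherwise "no".
has_default_drop() {
    last=$(printf '%s\n' "$1" | grep '^-A INPUT ' | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ] && echo yes || echo no
}

# Number of INPUT rules appended after the catch-all DROP. They can never
# match, so a port "opened" there stays closed without any error message.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j DROP$/ { seen = 1; next }
        seen && /^-A INPUT / { n++ }
        END { print n + 0 }'
}

# Succeeds only if the ESTABLISHED,RELATED rule exists and precedes the catch-all
# DROP; otherwise replies and the admin's own SSH session get dropped on load.
state_rule_ok() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$/ { st = NR }
        /^-A INPUT -j DROP$/ && !dr { dr = NR }
        END { exit !(st && (!dr || st < dr)) }'
}
```

On the host itself, `iptables-restore --test < /etc/sysconfig/iptables` additionally parses the file with the real iptables binary, so syntax errors are caught before the ruleset is applied.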

Links

Basic iptables firewall configuration

Root.cz: Vše o iptables - úvod

25 Most Frequently Used Linux IPTables Rules Examples
