Firewall

July 2016 · 2 minute read

iptables

Check:

sudo iptables -L

Save (prints the current rules in iptables-restore format to stdout; redirect it to a file to keep them):

sudo iptables-save

Filter:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
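The rules above are loaded with iptables-restore, and the most common way to lock yourself out is an allow line pasted after the final "-A INPUT -j DROP" (it is never reached) or a ruleset with no rule for the SSH port. The following script is an added example, not part of the original page: it lints a rules file for those two mistakes, then hands it to iptables-restore's own parser with --test before committing. The function names and the two sample rulesets are constructed for this example.

```sh
#!/bin/sh
# Added example: sanity-check an iptables-save style rules file before loading
# it. Helper names and sample rulesets are constructed for this note.

# Return 0 if the file has a *filter table that is closed by COMMIT.
has_filter_table() {
  grep -q '^\*filter$' "$1" && grep -q '^COMMIT$' "$1"
}

# Return 0 if no INPUT rule follows the catch-all "-A INPUT -j DROP".
# Anything appended after it is unreachable, which is the usual mistake when
# a new "allow" line is pasted at the end of the file.
no_unreachable_input_rules() {
  awk '
    /^-A INPUT -j DROP$/      { drop_seen = 1; next }
    drop_seen && /^-A INPUT / { bad = 1; print "unreachable after DROP: " $0 > "/dev/stderr" }
    END                       { exit bad ? 1 : 0 }
  ' "$1"
}

# Return 0 if some INPUT rule accepts TCP on the given port (default 22),
# so that loading the ruleset over SSH does not cut the session.
allows_tcp_port() {
  port="${2:-22}"
  grep -Eq "^-A INPUT .*-p tcp .*--dport ${port}( |$).*-j ACCEPT$" "$1"
}

# Run every check; return 0 only when all of them pass.
lint_rules() {
  has_filter_table "$1" && no_unreachable_input_rules "$1" && allows_tcp_port "$1" "${2:-22}"
}

# Load the file only after it passes the lint and iptables-restore's own
# parser (--test parses without committing). Needs root; not called here.
load_rules() {
  lint_rules "$1" "$2" || return 1
  iptables-restore --test < "$1" || return 1
  iptables-restore < "$1"
}

# Constructed sample rulesets for a quick self-check.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF

BAD=$(mktemp)
cat > "$BAD" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF

lint_rules "$GOOD" && echo "good ruleset: ok"
lint_rules "$BAD" 2>/dev/null || echo "bad ruleset: rejected"
```

Run it as "sh lint-rules.sh" to see the self-check, or call load_rules /path/to/rules.v4 22 as root to lint and apply a real file. The lint is deliberately narrow: it catches ordering and lockout mistakes, while syntax errors are left to iptables-restore --test.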

ufw

iptables is the tool that controls which ports are open and which are not, but it is not easy to configure. Ubuntu ships ufw, a front end that makes configuring iptables much easier.

Install:

sudo aptitude install ufw

Check if active or inactive and display the rules if active:

sudo ufw status verbose

Check which ports are listening on the host (netstat shows sockets, not firewall rules):

sudo netstat -antp

Allow by port:

sudo ufw allow 22

List services:

less /etc/services

Allow or Deny by service name:

sudo ufw allow openvpn

Deny by default:

sudo ufw default deny
// or
sudo ufw default deny incoming
sudo ufw default allow outgoing

Enable:

sudo ufw enable

Status with rule numbers:

sudo ufw status numbered

Delete a rule by number:

sudo ufw delete 4
// or
sudo ufw delete allow ssh

Allow by IP address:

sudo ufw allow from 192.168.255.255

Reset to default:

sudo ufw reset
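The ufw commands above as one script, added here as an example and not taken from the original page. It orders the steps so that the SSH rule exists before "ufw enable" runs, uses "ufw limit" instead of "ufw allow" for SSH, and includes a small parser for "ufw status numbered" so a rule number can be found before "ufw delete N". The helper names, the 192.0.2.10 admin address, and the sample status output are constructed for this example; by default it only prints the plan (set DRY_RUN=0 and run as root to apply it).

```sh
#!/bin/sh
# Added example: the ufw setup from this note as one script. Helper names,
# the admin address and the sample status output are constructed.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"   # assumption: documentation address, replace with yours
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the plan, 0 = run the commands (root)

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Deny inbound by default, allow outbound, open web ports, rate-limit SSH,
# allow the admin host explicitly, turn on logging, then enable.
configure_ufw() {
  run ufw default deny incoming
  run ufw default allow outgoing
  run ufw allow 80/tcp
  run ufw allow 443/tcp
  # "limit" accepts the port but drops sources that open 6 or more
  # connections within 30 seconds, which blunts SSH password guessing.
  run ufw limit "${SSH_PORT}/tcp"
  run ufw allow from "$ADMIN_IP" to any port "$SSH_PORT" proto tcp
  run ufw logging on
  # --force skips the interactive "may disrupt existing ssh connections" prompt.
  run ufw --force enable
}

# Read "ufw status numbered" output on stdin and print the number of the rule
# whose To and From columns match; exit 1 if there is none.
ufw_rule_number() {
  to="$1"; from="$2"
  sed -n 's/^\[ *\([0-9][0-9]*\)\] */\1 /p' |
    awk -v to="$to" -v from="$from" \
      '$2 == to && $NF == from { print $1; found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample of "sudo ufw status numbered" for the self-check below.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    192.0.2.10
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)'

configure_ufw
echo "$SAMPLE_STATUS" | ufw_rule_number 22/tcp 192.0.2.10
```

On a live host, pipe the real output instead: sudo ufw status numbered | ufw_rule_number 22/tcp Anywhere, then sudo ufw delete with the number it prints. Rule numbers shift after every delete, so look the number up again before each one.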

nftables

https://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/

sudo apt install nftables

Ref: