{"id":217,"date":"2016-07-04T23:09:44","date_gmt":"2016-07-04T22:09:44","guid":{"rendered":"https:\/\/solidt.eu\/blog\/?p=217"},"modified":"2020-03-25T17:53:42","modified_gmt":"2020-03-25T16:53:42","slug":"iptables-firewall-configuration","status":"publish","type":"post","link":"https:\/\/solidt.eu\/site\/iptables-firewall-configuration\/","title":{"rendered":"Iptables firewall configuration"},"content":{"rendered":"\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\n\n# clear \/ flush all iptables rules\niptables -F\n\n# build new rules\n\n# allow established connections\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n# allow incomming ssh connections\niptables -A INPUT -p tcp --dport 22 -j ACCEPT\n# allow incomming dns port\niptables -A INPUT -p tcp --dport 53 -j ACCEPT\niptables -A INPUT -p udp --dport 53 -j ACCEPT\n# allow incomming port 80\niptables -A INPUT -p tcp --dport 80 -j ACCEPT\n# allow incomming port 443\niptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\niptables -A INPUT -p tcp --dport 631 -j ACCEPT\n\niptables -A INPUT -p tcp --dport 3306 -j ACCEPT\n# allow incomming bitcoin\niptables -A INPUT -p tcp --dport 8333 -j ACCEPT\n\niptables -A INPUT -p tcp --dport 9000 -j ACCEPT\n\n# allow postgres\niptables -A INPUT -p tcp --dport 5432 -j ACCEPT\n# allow openvpn connections\niptables -A INPUT -p udp --dport 1194 -j ACCEPT\n# allow polipo proxy incomming connections\niptables -A INPUT -p tcp --dport 8123 -j ACCEPT\n# allow apache couchdb (NoSql database)\niptables -A INPUT -p tcp --dport 5984 -j ACCEPT\n\n# to redirect port 80 to 5984 use command below:\n#iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 5984\n\n# list iptables\n#iptables -L\niptables -A INPUT -p icmp -j ACCEPT\n\n# drop all incomming packets, not matching a rule\niptables -A INPUT -j DROP\n\n# insert a row at postion 1 (first) for allowing loopback connections\niptables -I INPUT 1 -i lo -j ACCEPT\n\n# list configuration in detail\niptables -L -v\n\n## save configuration\niptables-save > iptables.rules\n\n## restore configuration\n#iptables-restore\n\n## log invalid packets\n#iptables -I INPUT 5 -m limit --limit 5\/min -j LOG --log-prefix \"iptables denied: \" --log-level 7\n\n\n# ipv6 \nip6tables -F\n\nip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\nip6tables -A INPUT -p icmpv6 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 22 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 53 -j ACCEPT\nip6tables -A INPUT -p udp --dport 53 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 80 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 443 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 631 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 3306 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT\n\n# allow apache couchdb (NoSql database)\nip6tables -A INPUT -p tcp --dport 5984 -j ACCEPT\n\n# allow openvpn connections\nip6tables -A INPUT -p udp --dport 1194 -j ACCEPT\n\n# allow polipo proxy incomming connections\nip6tables -A INPUT -p tcp --dport 8123 -j ACCEPT\n\nip6tables -A INPUT -j DROP\n\n# insert a row at postion 1 (first) for allowing loopback connections\nip6tables -I INPUT 1 -i lo -j ACCEPT\n\nip6tables -L -v\n\nip6tables-save > ip6tables.rules\n(Run as root)\n\n#!\/bin\/bash\ncp iptables.rules \/etc\/\ncp ip6tables.rules \/etc\/\n(Run on system\/network startup)\n\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/bin\/bash\n\n#\n# script for setup ip address, route and gateway\n#\n\nip=\/sbin\/ip\naction=$1\ndevice=$2\n\ngateway_v4=\"192.168.2.254\"\nstatic_v4=\"192.168.2.29\/24\"\nstatic_v6=\"fc00::1\/64\"\n\nfunction start() \n{\n\tstop\t\n\n\tsetup_firewall\n\n\t$ip link set dev $device up\n\t$ip addr add $static_v4 dev $device\n\t$ip route add default via $gateway_v4\n\t#$ip link show $device\n\t$ip addr show $device\n\t$ip -6 addr add $static_v6 dev $device\n\t$ip -6 addr show $device\n}\n\nfunction stop() \n{\n\t$ip addr flush dev $device\n\t$ip -6 addr flush dev $device\n\t$ip link set dev $device down\n}\n\nfunction setup_firewall() \n{\n\tiptables-restore &lt; \/etc\/iptables.rules\n\tip6tables-restore &lt; \/etc\/ip6tables.rules\n}\n\nfunction main() {\n\n\tif [ \"$action\" == \"start\" ]; then\t\n\t\techo Starting $device\n\t\tstart\n\tfi\n\n\tif [ \"$action\" == \"stop\" ]; then\n\t\techo Stopping $device\n\t\tstop\n\tfi\n\techo Finished\n}\n\nmain\n(Example systemd file)\n\n[Unit]\nDescription=Wired network configuration\nWants=network.target\nBefore=network.target\nBindTo=sys-subsystem-net-devices-enp2s0.device\nAfter=sys-subsystem-net-devices-enp2s0.device\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=\/etc\/configscripts\/network-setup start enp2s0\nExecStop=\/etc\/configscripts\/network-setup stop enp2s0\n\n[Install]\nWantedBy=multi-user.target<\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8],"tags":[],"class_list":["post-217","post","type-post","status-publish","format-standard","hentry","category-other-scripts"],"_links":{"self":[{"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/posts\/217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/comments?post=217"}],"version-history":[{"count":6,"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/posts\/217\/revisions"}],"predecessor-version":[{"id":3605,"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/posts\/217\/revisions\/3605"}],"wp:attachment":[{"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/media?parent=217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/categories?post=217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solidt.eu\/site\/wp-json\/wp\/v2\/tags?post=217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}