| Rev | Author | # | Line |
|---|---|---|---|
| 25 | JohnMcPherson | 1 | Before you read anything else, make sure you have read and understood HowFirewallingWorks. This tells you about iptables(8) and gives some examples. |
| 24 | AristotlePagaltzis | 2 | |
| 3 | If you need a decent iptables FireWall for your [Linux] box, you probably want to give PerrysFirewallingScript a try. | ||
| 4 | |||
| 5 | There are LinuxDistribution~s that exist only to provide firewalling; PerryLorier is working on a FireWall-on-a-disc system. You can technically speaking shut a [Linux] machine down into [Kernel]-only mode and still be running a FireWall. | ||
| 6 | |||
| 7 | !!! Adding a rule | ||
| 8 | |||
| 9 | To create a rule that will send back an [ICMP] message, use | ||
| 10 | |||
| 11 | <verbatim> | ||
| 12 | iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable | ||
| 13 | </verbatim> | ||
| 14 | |||
| 15 | The type corresponds to an [ICMP] error and can be one of: | ||
| 16 | |||
| 17 | * <tt>icmp-net-unreachable</tt> | ||
| 18 | * <tt>icmp-host-unreachable</tt> | ||
| 19 | * <tt>icmp-port-unreachable</tt> (default) | ||
| 20 | * <tt>icmp-proto-unreachable</tt> | ||
| 21 | * <tt>icmp-net-prohibited</tt> | ||
| 22 | * <tt>icmp-host-prohibited</tt> | ||
| 23 | |||
| 24 | !!! Deleting a rule | ||
| 25 | |||
| 26 | <verbatim> | ||
| 27 | iptables -D chain [rule number] | ||
| 28 | iptables -D chain [rule description] | ||
| 29 | </verbatim> | ||
| 30 | |||
| 31 | Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try <tt>iptables -L --line-numbers</tt>. Then you can just use <tt>iptables -D FORWARD 1</tt> to remove it. | ||
| 32 | |||
| 33 | !!! Deleting all rules | ||
| 34 | |||
| 35 | <verbatim> | ||
| 36 | iptables [-t <table>] -F [chain] | ||
| 37 | </verbatim> | ||
| 38 | |||
| 39 | This removes all rules from the specified table and chain, or all the chains in the table if none is specified. | ||
| 40 | |||
| 41 | Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, though, should: | ||
| 42 | |||
| 43 | <verbatim> | ||
| 44 | iptables -t filter -F | ||
| 45 | iptables -t filter -X | ||
| 46 | iptables -t nat -F | ||
| 47 | iptables -t nat -X | ||
| 48 | iptables -t mangle -F | ||
| 49 | iptables -t mangle -X | ||
| 50 | iptables -t filter -P INPUT ACCEPT | ||
| 51 | iptables -t filter -P FORWARD ACCEPT | ||
| 52 | iptables -t filter -P OUTPUT ACCEPT | ||
| 53 | iptables -t nat -P PREROUTING ACCEPT | ||
| 54 | iptables -t nat -P OUTPUT ACCEPT | ||
| 55 | iptables -t nat -P POSTROUTING ACCEPT | ||
| 56 | iptables -t mangle -P PREROUTING ACCEPT | ||
| 57 | iptables -t mangle -P INPUT ACCEPT | ||
| 58 | iptables -t mangle -P FORWARD ACCEPT | ||
| 59 | iptables -t mangle -P OUTPUT ACCEPT | ||
| 60 | iptables -t mangle -P POSTROUTING ACCEPT | ||
| 61 | </verbatim> | ||
| 62 | |||
| 63 | !!! Hints, tips and traps | ||
| 64 | |||
| 65 | * Having a default <tt>DENY</tt> or <tt>REJECT</tt> policy is a good idea. Don't start with that rule if you're working remotely, though... | ||
| 66 | * <tt>DENY</tt> might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. A rate limited <tt>REJECT</tt> (using <tt>-m limit</tt>) is much much safer. | ||
| 67 | * You probably want to rate limit log messages too. Otherwise a good portscan can flood syslogd(8) for ages. | ||
| 68 | * If you are having problems using <tt>-m owner</tt> with iptables 1.2.6a and [Kernel] 2.4.x see IptablesNotes | ||
| 69 | * For those stupid places that don't support packet fragmentation (like some online banking sites a while back): | ||
| 70 | <verbatim> | ||
| 71 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | ||
| 72 | </verbatim> | ||
| 73 | Make sure it's the first thing in the <tt>FORWARD</tt> chain on your router, or in the <tt>OUTPUT</tt> chain if you use one of those hardware [DSL] router boxes. | ||
| 74 | |||
| 75 | |||
| 76 | !!! Pinholing | ||
| 77 | |||
| 78 | If you have a FireWall running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). | ||
| 79 | |||
| 80 | Experiment with this command line, substituting the emphasized bits according to your needs: | ||
| 81 | |||
| 82 | <pre> | ||
| 83 | iptables -t nat -A PREROUTING -i ''ppp0'' -j DNAT -p ''tcp'' --to=''10.69.1.200'' --dport ''4661'' | ||
| 84 | </pre> | ||
| 85 | |||
| 86 | !!! Can't access the [NZ Herald | http://www.nzherald.co.nz] or other sites? | ||
| 87 | |||
| 88 | Make sure you have [ECN] (Explicit Congestion Notification) disabled and don't have any TypeOfService settings in your FireWall script. If you know what you're doing, try <tt>iptables -t mangle -F PREROUTING</tt> which should clean up any of them. | ||
| 89 | |||
| 90 | Alternatively, you can go with the ''Don't fix good science to work with a bad implementation'', or manually add rules allowing access to the NZ Herald [IP]s. | ||
| 91 | |||
| 92 | Also, it should be noted that some home routers don't seem to like [ECN]s either. If you're having problems accessing the InterNet with a home [ADSL] router, and tcpdump(8) output is mentioning packets with [SWE], try turning [ECN]s off as seen in the [ECN] page. | ||
| 93 | |||
| 26 | CraigBox | 94 | !!! Multiple people behind a firewall can't make PPTP connections simultaneously |
| 24 | AristotlePagaltzis | 95 | |
| 96 | Have a [NAT] FireWall that only allows one person behind it to make a [VPN] connection at once? See [PPTPConnectionTracking] | ||
| 26 | CraigBox | 97 | |
| 98 | !!! Run non-root processes on ports below 1024 | ||
| 99 | |||
| 100 | If you want to be able to run a process that responds to requests on a [Port] below 1024 without running it as the SuperUser, a simple approach is to have it bind to some port above 1024, then configure a lower layer in the NetworkStack to do the legwork. On [Linux], a convenient way to achieve this is by using iptables(8): | ||
| 101 | |||
| 102 | <pre> | ||
| 103 | iptables --table nat -A PREROUTING -p tcp --dport <i>$external_port</i> -i eth0 -j REDIRECT --to-ports <i>$local_port</i> | ||
| 104 | </pre> | ||
| 105 | |||
| 106 | This way, you could have a process bind to port 8080 locally, but have it appear to outsiders as though it was listening on port 80. | ||
| 24 | AristotlePagaltzis | 107 | |
| 108 | ---- | ||
| 109 | Part of CategoryNetworking and CategorySecurity |
lib/blame.php:177: Warning: Invalid argument supplied for foreach()