IPtables configuration
First, I'm sorry for my English, it is not my first language.
I was wondering about iptables. I read a lot of articles and posts about it, and thought I understood it at least a bit.
I spent hours trying every combination of rules... And yet, I'm starting to think that only the established rules allow me to go on the internet. When I delete those rules, nothing is allowed...
What did I do wrong?
Thanks in advance!
#!/bin/bash
#iptables-restore < /etc/iptables.test.rules
# Flush and delete all rules and user chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policy: drop everything that no rule below accepts
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
## Drop XMAS and NULL scans.
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Silently drop all broadcast packets.
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Dropping all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Allow already established connections and localhost
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
# Only allow processes of the tor user to establish connections
#iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
#TOR
#iptables -A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 9050 -j ACCEPT
# ICMP (Ping)
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j DROP
# SSH
iptables -A INPUT -p tcp --dport 666 -j DROP
iptables -A OUTPUT -p tcp --dport 666 -j DROP
# DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
#iptables -A INPUT -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT
# HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# FTP
#iptables -A OUTPUT -p tcp --dport 20:21 -j DROP
#iptables -A INPUT -p tcp --dport 20:21 -j DROP
# Mail SMTP
#iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --dport 587 -j DROP
#iptables -A OUTPUT -p tcp --dport 587 -j DROP
#Transmission
iptables -A INPUT -m state --state ESTABLISHED -p udp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p udp --sport 51413 -j ACCEPT
# Mail POP3
#iptables -A INPUT -p tcp --dport 110 -j DROP
#iptables -A OUTPUT -p tcp --dport 110 -j DROP
# Mail IMAP
#iptables -A INPUT -p tcp --dport 143 -j DROP
#iptables -A OUTPUT -p tcp --dport 143 -j DROP
# NTP (server clock)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# Log incoming packets (LOG is non-terminating; the DROP policy still applies afterwards).
iptables -A INPUT -j LOG
# Log outgoing packets.
iptables -A OUTPUT -j LOG
# Log forwarded packets.
iptables -A FORWARD -j LOG
exit 0
security iptables firewall
asked 3 mins ago by redraven
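The behaviour the question describes is exactly what a stateful packet filter with DROP policies does: the `--dport` rules in OUTPUT only admit the first, outgoing packet of a connection, and the reply coming back through INPUT is admitted solely by the `-m state --state ESTABLISHED` rule. The following Python model, added here as an illustration and not part of the original post or of iptables itself, reproduces that evaluation offline: it keeps a tiny connection-tracking table, walks the chain rules in order with a DROP policy, treats LOG as non-terminating, and runs an outbound HTTP exchange through a subset of the question's rules, once with the ESTABLISHED rules and once without. All addresses, ports and the `Packet`/`Rule`/`Firewall` names are constructed for the example.

```python
"""Minimal model of iptables stateful filtering (constructed teaching model,
not the kernel's netfilter code).  It shows why the ESTABLISHED rules in the
question are what let reply packets back in when both policies are DROP."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" -> OUTPUT chain, "in" -> INPUT chain
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"     # interface the packet enters/leaves on


@dataclass
class Rule:
    chain: str                      # "INPUT" or "OUTPUT"
    target: str                     # "ACCEPT", "DROP" or "LOG"
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    state: Optional[str] = None     # -m state --state NEW|ESTABLISHED
    iface: Optional[str] = None     # -i / -o

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.state is None or self.state == state)
                and (self.iface is None or self.iface == pkt.iface))


class Firewall:
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = rules
        self.policy = policy
        self.conntrack = set()      # flows this host has already accepted
        self.log: List[str] = []    # what `-j LOG` would write to the kernel log

    def _flow(self, pkt: Packet):
        # Canonical key as seen from this host, so a reply maps onto the
        # same entry as the request that caused it.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self._flow(pkt)
        # First packet of a flow is NEW; anything on a tracked flow is
        # ESTABLISHED (RELATED is left out of this model).
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        chain = "OUTPUT" if pkt.direction == "out" else "INPUT"
        verdict = self.policy
        for rule in self.rules:
            if rule.chain != chain or not rule.matches(pkt, state):
                continue
            if rule.target == "LOG":    # LOG never ends evaluation
                self.log.append(f"{chain} {state} {pkt.proto} "
                                f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
                continue
            verdict = rule.target       # ACCEPT/DROP are terminating
            break
        if verdict == "ACCEPT":
            # Real conntrack creates the entry before filtering and confirms
            # it only if the packet is accepted; net effect is the same here.
            self.conntrack.add(key)
        return verdict


# Subset of the question's ruleset that matters for web browsing, in order.
QUESTION_RULES = [
    Rule("INPUT", "ACCEPT", state="ESTABLISHED"),
    Rule("OUTPUT", "ACCEPT", state="ESTABLISHED"),
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", proto="tcp", dport=53),
    Rule("OUTPUT", "ACCEPT", proto="udp", dport=53),
    Rule("OUTPUT", "ACCEPT", proto="tcp", dport=80),
    Rule("OUTPUT", "ACCEPT", proto="tcp", dport=443),
    Rule("INPUT", "LOG"),
    Rule("OUTPUT", "LOG"),
]


def without_established(rules: List[Rule]) -> List[Rule]:
    """The same ruleset with both ESTABLISHED rules deleted."""
    return [r for r in rules if r.state != "ESTABLISHED"]


def http_exchange(rules: List[Rule]) -> Tuple[str, str, List[str]]:
    """Outbound HTTP request plus its reply; returns both verdicts and the log."""
    fw = Firewall(rules)
    request = Packet("out", "tcp", "192.0.2.5", 40000, "203.0.113.10", 80)
    reply = Packet("in", "tcp", "203.0.113.10", 80, "192.0.2.5", 40000)
    return fw.filter(request), fw.filter(reply), fw.log


def unsolicited_inbound(rules: List[Rule]) -> Tuple[str, List[str]]:
    """A fresh inbound connection attempt to port 80 on this host."""
    fw = Firewall(rules)
    syn = Packet("in", "tcp", "198.51.100.7", 51000, "192.0.2.5", 80)
    return fw.filter(syn), fw.log


if __name__ == "__main__":
    print("with ESTABLISHED:   ", http_exchange(QUESTION_RULES))
    print("without ESTABLISHED:", http_exchange(without_established(QUESTION_RULES)))
    print("unsolicited inbound:", unsolicited_inbound(QUESTION_RULES))
```

With the ESTABLISHED rules present the request and the reply are both accepted and nothing is logged; with them deleted the request still leaves (the `--dport 80` rule matches it) but the reply is logged as `INPUT ESTABLISHED ...` and then dropped by the policy, which is the "nothing is allowed" symptom. The log line is the check to look for on a real host: a dropped packet reported by the INPUT LOG rule whose state is ESTABLISHED is a legitimate reply, not an attack, and the fix is the rule the question already has. An unsolicited inbound SYN, by contrast, is NEW, matches no ACCEPT rule and is dropped in both configurations, so the ESTABLISHED rule does not weaken the inbound policy.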