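--- a/linux:iptables
+++ b/linux:iptables
@@ -1,0 +1,162 @@
+====== Netfilter / Iptables ======
+Netfilter ist eine [[security:
+Einstellungen ausgeben:
+/
+
+===== Konfigurationswerkzeuge =====
+[[http://
+
+[[software:
+
+===== Links =====
+  * [[http://
+  * [[http://
+  * [[http://
+  * [[http://
+  * [[http://
+  * [[http://
+  * [[http://
+  * [[http://
+  * [[http://
+
+===== Tools =====
+
+Wenn das Modul ip_conntrack geladen ist (wenn nicht: nachholen mit ''
+sudo iptstate
+
+(benötigt CONFIG_NF_CT_NETLINK in [[linux:
+
+
+===== Portumleitung auf Standardports =====
+
+Regeln erstellen, z.B. Port 80 -> 8080 und 443 -> 8443.
+
+<code bash>
+sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8080
+sudo iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-port 8443
+</
+
+===== Iptables-Regeln dauerhaft sichern =====
+
+Damit die aktuell gültigen Regeln einen reboot überleben:
+
+Skript ablegen in:
+  * /
+  * /
+
+Alternativ gibt es unter Debian/
+
+<code bash>apt install iptables-persistent</
+
+Regel permanent speichern:
+<code bash>
+iptables-save > /
+ip6tables-save > /
+</
+
+Restore sofort:
+<code bash>
+iptables-restore < /
+ip6tables-restore
+</
+
+Der folgende systemd-service sorgt für einen restore beim reboot:
+<code bash>
+
+[[https://
+===== Iptables-Regeln auflisten und löschen =====
+
+Auflistung aktuell gültiger Regeln (v4): <code bash>
+
+löschen: <code bash>
+===== Simples Firewallscript =====
+
+Blockieren einer einzigen IP-Adresse (hier im Beispiel "
+
+<code bash>
+
+
+Als Ausgangsbasis für eine umfangreichere Firewall:
+
+<code bash>
+#!/bin/bash
+
+IPTABLES="/
+
+function firewall_start()
+{
+  # echo "
+
+  # default policy = Drop
+  # uncomment
+  #$IPTABLES -P INPUT DROP
+  #$IPTABLES -P OUTPUT DROP
+  #$IPTABLES -P FORWARD DROP
+
+  # example: Drop all packets from host 120.166.10.211
+  $IPTABLES -I INPUT -s 120.166.10.211 -j DROP
+  $IPTABLES -I INPUT -s 120.166.10.211 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT 120.166.10.211 blocked: "
+
+}
+
+
+function firewall_stop()
+{
+
+  # forwarding off?
+  # echo "
+  #
+  # reset the default policies in the filter table.
+  #
+  $IPTABLES -P INPUT ACCEPT
+  $IPTABLES -P FORWARD ACCEPT
+  $IPTABLES -P OUTPUT ACCEPT
+
+  #
+  # reset the default policies in the nat table.
+  #
+  $IPTABLES -t nat -P PREROUTING ACCEPT
+  $IPTABLES -t nat -P POSTROUTING ACCEPT
+  $IPTABLES -t nat -P OUTPUT ACCEPT
+
+  #
+  # reset the default policies in the mangle table.
+  #
+  $IPTABLES -t mangle -P PREROUTING ACCEPT
+  $IPTABLES -t mangle -P OUTPUT ACCEPT
+
+  #
+  # flush all the rules in the filter and nat tables.
+  #
+  $IPTABLES -F
+  $IPTABLES -t nat -F
+  $IPTABLES -t mangle -F
+  #
+  # erase all chains that's not default in filter and nat table.
+  #
+  $IPTABLES -X
+  $IPTABLES -t nat -X
+  $IPTABLES -t mangle -X
+}
+
+
+case "
+  start)
+    echo "
+    firewall_start
+    ;;
+  stop)
+    echo "
+    firewall_stop
+    ;;
+  restart)
+    echo "
+    firewall_stop
+    firewall_start
+    ;;
+  *)
+    echo "
+    exit 1
+    ;;
+esac
+</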
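Review bot: `firewall_start` inserts both rules with `-I INPUT` and never checks whether they already exist, so running `start` twice (the `start` branch does not call `firewall_stop` first) stacks duplicate DROP and LOG entries; guard each insert, e.g. `$IPTABLES -C INPUT -s 120.166.10.211 -j DROP 2>/dev/null || $IPTABLES -I INPUT -s 120.166.10.211 -j DROP`, or flush at the top of `firewall_start`. Because both lines use `-I`, the LOG rule inserted second lands above the DROP rule, which is the order required for the log to fire at all; a comment such as `# -I prepends: insert LOG after DROP so it ends up above it` would keep a later edit from swapping the two lines. The script has no `set -e`, so a failing iptables call (for instance when not run as root) is ignored and the `start`/`stop` branches still exit 0. `firewall_stop` resets only PREROUTING and OUTPUT in the mangle table although its comment says it resets that table's default policies; INPUT, FORWARD and POSTROUTING are left untouched. The `IPTABLES=`, `case "` and `echo "` lines appear truncated in this rendering, so I am assuming `case` dispatches on `"$1"`.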