Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- iptables [2025/11/12 22:16]
127.0.0.1 Externe Bearbeitung
+++ iptables [2025/11/16 04:42] (aktuell)
admin
@@ Zeile 1: / Zeile 1: @@
+IPTables ist eine hauseigene [[firewall|Firewall]] für [[linux|Linux]] ab Kernel 2.4. Genaugenommen ist es ein Tool das im Hintergrund [[Netfilter]] konfiguriert. Seit etwa Mitte 2018 wurde iptables durch [[nftables]] (netfilter tables) ersetzt, die Syntax blieb weitgehend gleich. [[ebtables]] ist wie IPTables aber für Layer 2 Frames.
+Netfilter hat 3 Tabellen
+  * filter - Paketfilter
+  * nat - [[NAT]]
+  * mangle - Paketheader manipulieren
+Targets
+  * return
+  * queue
+  * drop
+  * accept
+  * reject
+  * log - nach /var/log/syslog
+Policies
+  * INPUT
+  * OUTPUT
+  * FORWARD
+<code>
+# statistics
+iptables -L -v
+</code>
+{{iptables_architektur.png}}
+{{iptables_example_firewall.png}}
+{{selinux_iptables.pdf}}
+[[https://homes.di.unimi.it/sisop/qemu/iptables-tutorial.pdf|IPTables tutorial PDF]]
+<box red>Wichtig! Die Reihenfolge der Regeln ist ausschlaggebend!</box>
+<code>
+iptables -L <policy> --line-numbers # list rules with line numbers
+iptables -D <policy> <rule-number>
+iptables -F # flush rules
+iptables -X <policy> # eigene Policy-Chain löschen, -F löscht nur die 3 Standard Chains
+// default policy -> target
+iptables -P <policy> <target>
+// delete rules
+iptables -L <policy> --line-numbers
+iptables -D <policy> <rule-number>
+// append rule
+iptables -A <policy> -p <protocol> --dport <destination-port> -j DROP
+// Policy-chain erstellen
+iptables -N <chain-name>
+</code>
+<code>
+-A - Regel anhängen
+-I - An bestimmter Position einfügen
+-i - Input interface
+-o - Output interface
+-s - Source IP
+-d - Destination IP
+-j - Action
+-p - Protokoll (tcp/udp/icmp/sip...)
+--dport - Zielport/Protokoll
+--sport - Quellport
+--sports, --dports - mehrere Ports
+-state, --ctstate - RELATED/ESTABLISHED
+</code>
+IP blocken
+<code>
+iptables -I INPUT -s 167.114.157.154 -j DROP
+</code>
+Alle eingehenden TCP ausser Port 22 verbieten
+<code>
+iptables -A INPUT -p tcp -m tcp -m multiport ! --dports 22 -j DROP
+</code>
+Sonstiges
+<code>
+iptables -A INPUT -i lo -j ACCEPT # allow incoming on lo
+iptables -A OUTPUT -o lo -j ACCEPT # allow outgoing on lo
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allow internet traffic
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # established and related incoming connections
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT # established outgoing connections
+</code>
+Assuming eth0 is your external network, and eth1 is your internal network, this will allow your internal to access the external
+<code>
+iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
+</code>
+Block or reject packets/traffic
+<code>
+iptables -A INPUT -m conntrack --ctstate INVALID -j DROP # drop invalid packets
+iptables -A INPUT -s 15.15.15.51 -j DROP # block an ip
+iptables -A INPUT -s 15.15.15.51 -j REJECT # reject an ip (with answer!)
+</code>
+To block connections from a specific IP address, e.g. 15.15.15.51, to a specific network interface, e.g. eth0
+<code>
+iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP
+</code>
+Allow incoming SSH
+<code>
+iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+Allow incoming SSH from Specific IP address or subnet
+<code>
+iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+Allow outgoing SSH
+<code>
+iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+Allow Incoming Rsync from Specific IP Address or Subnet
+<code>
+iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+Allow incoming HTTP (port 80)
+<code>
+iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+Allow incoming HTTP (Port 80) and HTTPS (Port 443)
+<code>
+iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+Allow [[mysql|MySQL]] only from specific IP or Subnet
+<code>
+iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+</code>
+If you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP)
+<code>
+iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
+</code>
+Delete Rule by Chain and Number
+<code>
+iptables -L --line-numbers # list rules
+Chain INPUT (policy DROP)
+num  target     prot opt source               destination
+    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
+    ACCEPT     all  --  anywhere             anywhere
+    DROP       all  --  anywhere             anywhere             ctstate INVALID
+    UDP        udp  --  anywhere             anywhere             ctstate NEW
+    TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
+    ICMP       icmp --  anywhere             anywhere             ctstate NEW
+    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
+    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
+    REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable
+   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
+…
+iptables -D INPUT 3 # delete rule nr. 3
+</code>
+Siehe auch [[https://www.youtube.com/watch?v=kQYQ_3ayz8w|NAT Masquerade]]
+=====Links=====
+  * [[https://www.youtube.com/watch?v=bHChVF-SEwg|IPTables 1 Konzept]] [[https://www.youtube.com/watch?v=6ri-VF7q1Gw|IPTables 2 Beispiel Firewall]]
+  * [[https://www.youtube.com/watch?v=U_RTRGj_AF0|Parameter]]
+  * [[https://www.youtube.com/playlist?list=PLnzEbgyK52GvB8t7a0sH50sb5sObDcS4-|Pascom IPTables playlist]]
+  * [[https://de.wikibooks.org/wiki/Linux-Praxisbuch/_Linux-Firewall_mit_IP-Tables]]
+  * [[https://netfilter.org/documentation/HOWTO/de/packet-filtering-HOWTO-7.html]]
+  * [[https://www.selflinux.org/selflinux/html/iptables05.html]]
+  * [[https://stackunderflow.dev/p/iptables-for-routing/|StackUnderflow - IpTables Routing]]

MBCDN

Benutzer-Werkzeuge

Webseiten-Werkzeuge

Unterschiede

Seiten-Werkzeuge