Back up your configuration with the command:<\/p>\n
\/sbin\/iptables-save > \/root\/iptables-works<\/code><\/span><\/pre>\nTip #2: Even better, include a timestamp in the filename.<\/h3>\n
Add the timestamp with the command:<\/p>\n
\/sbin\/iptables-save > \/root\/iptables-works-`date +%F`<\/code><\/span><\/pre>\nYou get a file with a name like:<\/p>\n
\/root\/iptables-works-2018-09-11<\/code><\/span><\/pre>\nIf you do something that prevents your system from working, you can quickly restore it:<\/p>\n
\/sbin\/iptables-restore < \/root\/iptables-works-2018-09-11<\/code><\/span><\/pre>\nTip #3: Every time you create a backup copy of the iptables policy, create a link to the file with ‘latest’ in the name.<\/h3>\nln \u2013s \/root\/iptables-works-`date +%F` \/root\/iptables-works-latest<\/code><\/span><\/pre>\nTip #4: Put specific rules at the top of the policy and generic rules at the bottom.<\/h3>\n
Avoid generic rules like this at the top of the policy rules:<\/p>\n
iptables -A INPUT -p tcp --dport 22 -j DROP<\/code><\/span><\/pre>\nThe more criteria you specify in the rule, the less chance you will have of locking yourself out. Instead of the very generic rule above, use something like this:<\/p>\n
iptables -A INPUT -p tcp --dport 22 \u2013s 10.0.0.0\/8 \u2013d 192.168.100.101 -j DROP<\/code><\/span><\/pre>\nThis rule appends (-A<\/strong>) to the\u00a0INPUT<\/strong>\u00a0chain a rule that will\u00a0DROP<\/strong>\u00a0any packets originating from the CIDR block\u00a010.0.0.0\/8<\/strong>\u00a0on TCP (-p tcp<\/strong>) port 22 (–dport 22<\/strong>) destined for IP address 192.168.100.101 (-d 192.168.100.101<\/strong>).<\/p>\nThere are plenty of ways you can be more specific. For example, using\u00a0-i eth0<\/strong>\u00a0will limit the processing to a single NIC in your server. This way, the filtering actions will not apply the rule to\u00a0eth1<\/strong>.<\/p>\nTip #5: Whitelist your IP address at the top of your policy rules.<\/h3>\n
This is a very effective method of not locking yourself out. Everybody else, not so much.<\/p>\n
iptables -I INPUT -s <your IP> -j ACCEPT<\/code><\/span><\/pre>\nYou need to put this as the\u00a0first<\/em>\u00a0rule for it to work properly. Remember,\u00a0-I<\/strong>\u00a0inserts it as the first rule;\u00a0-A<\/strong>\u00a0appends it to the end of the list.<\/p>\nTip #6: Know and understand all the rules in your current policy.<\/h3>\n
Not making a mistake in the first place is half the battle. If you understand the inner workings behind your iptables policy, it will make your life easier. Draw a flowchart if you must. Also remember: What the policy does and what it is supposed to do can be two different things.<\/p>\n
Set up a workstation firewall policy<\/h2>\n
Scenario: You want to set up a workstation with a restrictive firewall policy.<\/p>\n
Tip #1: Set the default policy as DROP.<\/h3>\n\n# Set a default policy of DROP
\n*filter
\n:INPUT DROP [0:0]
\n:FORWARD DROP [0:0]
\n:OUTPUT DROP [0:0]<\/div>\n<\/div>\nTip #2: Allow users the minimum amount of services needed to get their work done.<\/h3>\n
The iptables rules need to allow the workstation to get an IP address, netmask, and other important information via DHCP (-p udp –dport 67:68 –sport 67:68<\/strong>). For remote management, the rules need to allow inbound SSH (–dport 22<\/strong>), outbound mail (–dport 25<\/strong>), DNS (–dport 53<\/strong>), outbound ping (-p icmp<\/strong>), Network Time Protocol (–dport 123 –sport 123<\/strong>), and outbound HTTP (–dport 80<\/strong>) and HTTPS (–dport 443<\/strong>).<\/p>\n\n# Set a default policy of DROP
\n*filter
\n:INPUT DROP [0:0]
\n:FORWARD DROP [0:0]
\n:OUTPUT DROP [0:0]<\/p>\n# Accept any related or established connections
\n-I INPUT \u00a01 -m state –state RELATED,ESTABLISHED -j ACCEPT
\n-I OUTPUT 1 -m state –state RELATED,ESTABLISHED -j ACCEPT<\/p>\n
# Allow all traffic on the loopback interface
\n-A INPUT -i lo -j ACCEPT
\n-A OUTPUT -o lo -j ACCEPT<\/p>\n
# Allow outbound DHCP request
\n-A OUTPUT \u2013o eth0 -p udp –dport 67:68 –sport 67:68 -j ACCEPT<\/p>\n
# Allow inbound SSH
\n-A INPUT -i eth0 -p tcp -m tcp –dport 22 -m state –state NEW \u00a0-j ACCEPT<\/p>\n
# Allow outbound email
\n-A OUTPUT -i eth0 -p tcp -m tcp –dport 25 -m state –state NEW \u00a0-j ACCEPT<\/p>\n
# Outbound DNS lookups
\n-A OUTPUT -o eth0 -p udp -m udp –dport 53 -j ACCEPT<\/p>\n
# Outbound PING requests
\n-A OUTPUT \u2013o eth0 -p icmp -j ACCEPT<\/p>\n
# Outbound Network Time Protocol (NTP) requests
\n-A OUTPUT \u2013o eth0 -p udp –dport 123 –sport 123 -j ACCEPT<\/p>\n
# Outbound HTTP
\n-A OUTPUT -o eth0 -p tcp -m tcp –dport 80 -m state –state NEW -j ACCEPT
\n-A OUTPUT -o eth0 -p tcp -m tcp –dport 443 -m state –state NEW -j ACCEPT<\/p>\n
COMMIT<\/p><\/div>\n<\/div>\n
Restrict an IP address range<\/h2>\n
Scenario: The CEO of your company thinks the employees are spending too much time on Facebook and not getting any work done. The CEO tells the CIO to do something about the employees wasting time on Facebook. The CIO tells the CISO to do something about employees wasting time on Facebook. Eventually,\u00a0you<\/em>\u00a0are told the employees are wasting too much time on Facebook, and you have to do something about it. You decide to block all access to Facebook. First, find out Facebook’s IP address by using the\u00a0host<\/strong>\u00a0and\u00a0whois<\/strong>\u00a0commands.<\/p>\n\nhost -t a www.facebook.com
\nwww.facebook.com is an alias for star.c10r.facebook.com.
\nstar.c10r.facebook.com has address 31.13.65.17
\nwhois 31.13.65.17 | grep inetnum
\ninetnum: \u00a0 \u00a0 \u00a0 \u00a031.13.64.0 – 31.13.127.255<\/div>\n<\/div>\nThen convert that range to CIDR notation by using the\u00a0CIDR to IPv4 Conversion<\/a>\u00a0page. You get\u00a031.13.64.0\/18<\/strong>. To prevent outgoing access to\u00a0www.facebook.com<\/a>, enter:<\/p>\niptables -A OUTPUT -p tcp -i eth0 \u2013o eth1 \u2013d 31.13.64.0\/18 -j DROP<\/code><\/span><\/pre>\nRegulate by time<\/h2>\n
Scenario: The backlash from the company’s employees over denying access to Facebook access causes the CEO to relent a little (that and his administrative assistant’s reminding him that she keeps HIS Facebook page up-to-date). The CEO decides to allow access to Facebook.com only at lunchtime (12PM to 1PM). Assuming the default policy is DROP, use iptables’ time features to open up access.<\/p>\n
\niptables \u2013A OUTPUT -p tcp -m multiport –dport http,https -i eth0 -o eth1 -m time –timestart 12:00 –timestart 12:00 \u2013timestop 13:00 \u2013d
\n31.13.64.0\/18 \u00a0-j ACCEPT<\/div>\n<\/div>\n