source: postlfs/security/iptables.xml@ 4a570af

Last change on this file since 4a570af was 4a570af, checked in by Xi Ruoyao <xry111@…>, 5 months ago

secure linuxfromscratch.org url

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-md5sum "602ba7e937c72fbb7b1c2b71c3b0004b">
  <!ENTITY iptables-size "704 KB">
  <!ENTITY iptables-buildsize "22 MB">
  <!ENTITY iptables-time "0.1 SBU">
]>

<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
  <?dbhtml filename="iptables.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>iptables-&iptables-version;</title>

  <indexterm zone="iptables">
    <primary sortas="a-iptables">iptables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to iptables</title>

    <para>
      <application>iptables</application> is a userspace command line program
      used to configure the Linux 2.4 and later kernel packet filtering ruleset.
    </para>

    &lfs101_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&iptables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&iptables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &iptables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &iptables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &iptables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &iptables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">iptables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
<!--  <xref linkend="nftables"/>, -->
      <xref linkend="libpcap"/> (required for nfsynproxy support),
      <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
      (required for Berkeley Packet Filter support),
      <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink>
      (required for connlabel support),
      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink>
      (required for connlabel support), and
      <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/iptables"/>
    </para>
  </sect2>

  <sect2 role="kernel" id="iptables-kernel">
    <title>Kernel Configuration</title>

    <para>
      A firewall in Linux is accomplished through the netfilter interface. To
      use <application>iptables</application> to configure netfilter, the
      following kernel configuration parameters are required:
    </para>

<screen><literal>[*] Networking support ---&gt; [CONFIG_NET]
  Networking Options ---&gt;
    [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]
      [*] Advanced netfilter configuration [CONFIG_NETFILTER_ADVANCED]
      Core Netfilter Configuration ---&gt;
        &lt;*/M&gt; Netfilter connection tracking support [CONFIG_NF_CONNTRACK]
        &lt;*/M&gt; Netfilter Xtables support (required for ip_tables) [CONFIG_NETFILTER_XTABLES]
        &lt;*/M&gt; LOG target support [CONFIG_NETFILTER_XT_TARGET_LOG]
      IP: Netfilter Configuration ---&gt;
        &lt;*/M&gt; IP tables support (required for filtering/masq/NAT) [CONFIG_IP_NF_IPTABLES]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, as well as
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. The above options are enough
      for running <xref linkend="fw-persFw-ipt"/> below.
    </para>
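Added check, not part of the BLFS book: a POSIX shell script that reads a kernel .config (or a saved copy of /proc/config.gz) and reports which of the options listed above are missing or built the wrong way; the function and variable names are my own.

```shell
#!/bin/sh
# Added check, not part of the BLFS book: verify that a kernel .config has
# every option the iptables page lists. Point it at /usr/src/linux/.config,
# or at a copy of /proc/config.gz (zcat /proc/config.gz > /tmp/config).
# Function and variable names are my own.

# Options shown as [*] on the page must be built in (=y).
IPT_KCONFIG_BOOL="CONFIG_NET CONFIG_NETFILTER CONFIG_NETFILTER_ADVANCED"
# Options shown as <*/M> may be built in (=y) or modular (=m).
IPT_KCONFIG_TRISTATE="CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_TARGET_LOG CONFIG_IP_NF_IPTABLES"

# kconfig_value FILE OPTION
# Prints the value after "OPTION=", or nothing when the option is absent
# or present only as "# OPTION is not set". The anchored pattern keeps
# CONFIG_NET from matching CONFIG_NETFILTER.
kconfig_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_iptables_kconfig FILE
# Prints "MISSING OPTION" or "WRONG OPTION=value" for each problem and
# returns 1 if any was found, 0 when the configuration is complete.
check_iptables_kconfig() {
    cfg=$1
    rc=0
    for opt in $IPT_KCONFIG_BOOL; do
        val=$(kconfig_value "$cfg" "$opt")
        case "$val" in
            y)  ;;
            "") echo "MISSING $opt"; rc=1 ;;
            *)  echo "WRONG $opt=$val"; rc=1 ;;
        esac
    done
    for opt in $IPT_KCONFIG_TRISTATE; do
        val=$(kconfig_value "$cfg" "$opt")
        case "$val" in
            y|m) ;;
            "")  echo "MISSING $opt"; rc=1 ;;
            *)   echo "WRONG $opt=$val"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check-iptables-kconfig.sh /usr/src/linux/.config
if [ $# -eq 1 ]; then
    check_iptables_kconfig "$1" && echo "all iptables kernel options present"
fi
```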

    <indexterm zone="iptables iptables-kernel">
      <primary sortas="d-iptables">iptables</primary>
    </indexterm>

  </sect2>

  <sect2 role="installation">
    <title>Installation of iptables</title>

    <note>
      <para>
        The installation below does not include building some specialized
        extension libraries which require the raw headers in the
        <application>Linux</application> source code. If you wish to build the
        additional extensions (if you aren't sure, then you probably don't), you
        can look at the <filename>INSTALL</filename> file to see an example of
        how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
        at the <application>Linux</application> source code. Note that if you
        upgrade the kernel version, you may also need to recompile
        <application>iptables</application> and that the BLFS team has not
        tested using the raw kernel headers.
      </para>
    </note>

    <para>
      Install <application>iptables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr      \
            --sbindir=/sbin    \
            --disable-nftables \
            --enable-libipq    \
            --with-xtlibdir=/lib/xtables &amp;&amp;
make</userinput></screen>

    <para>
      <!-- there is an iptables-test.py script which seems to run a
           lot of tests. Unfortunately, success rate is 50% only. Needs
           to be clarified how to use and which prerequisites are required
           to run to 100%. Contacted Shekhar Sharma for that (Dec'19),
           waiting for answer (thomas). -->
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;

for file in ip4tc ip6tc ipq xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--disable-nftables</parameter>: This switch disables building
      nftables compatibility. <!--Omit this switch if you have installed
      <xref linkend="nftables"/>.-->
    </para>

    <para>
      <parameter>--enable-libipq</parameter>: This switch enables building
      of <filename class="libraryfile">libipq.so</filename> which
      can be used by some packages outside of BLFS.
    </para>

    <para>
      <parameter>--with-xtlibdir=/lib/xtables</parameter>: This switch ensures that
      all <application>iptables</application> modules are installed in the
      <filename class="directory">/lib/xtables</filename> directory.
    </para>

    <para>
      <option>--enable-nfsynproxy</option>: This switch enables installation
      of the <application>nfsynproxy</application> SYNPROXY configuration tool.
    </para>

    <para>
      <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>:
      This command ensures that the symbolic link for the
      <command>iptables-xml</command> command is relative.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring iptables</title>
<!--
    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configurations provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>
-->
    <note>
      <para>
        In the following example configurations, <emphasis
        role="strong">LAN1</emphasis> is used for the internal LAN interface,
        and <emphasis role="strong">WAN1</emphasis> is used for the external
        interface connected to the Internet. You will need to replace these
        values with appropriate interface names for your system.
      </para>
    </note>

    <sect3 id="fw-persFw-ipt"
           xreflabel="Creating a Personal Firewall With iptables">
      <title>Personal Firewall</title>

      <para>
        A Personal Firewall is designed to let you access all the
        services offered on the Internet while keeping your computer secure and
        your data private.
      </para>

      <para>
        Below is a slightly modified version of Rusty Russell's
        recommendation from the <ulink
        url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
        Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
        to the Linux 5.x kernels.
      </para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>
        This script is quite simple: it drops all traffic coming
        into your computer that wasn't initiated from your computer, but
        as long as you are simply surfing the Internet you are unlikely
        to exceed its limits.
      </para>

      <para>
        If you frequently encounter delays when accessing
        FTP servers, take a look at <xref linkend="fw-BB-4-ipt"/>.
      </para>

      <para>
        Even if you have daemons or services running on your system,
        these will be inaccessible everywhere but from your computer itself.
        If you want to allow access to services on your machine, such as
        <command>ssh</command> or <command>ping</command>, take a look at
        <xref linkend="fw-busybox-ipt"/>.
      </para>

    </sect3>

    <sect3 id="fw-masqRouter-ipt"
           xreflabel="Creating a Masquerading Router With iptables">
      <title>Masquerading Router</title>

      <para>
        A Network Firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it such as <application>X11</application>.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or even worse, that implement
        a worm via a buffer-overflow).
      </para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "https://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."

echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "https://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward

# The following sections allow inbound packets for specific examples
# Uncomment the example lines and adjust as necessary

# Allow ping on the external interface
#iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

# Reject ident packets with TCP reset to avoid delays with FTP or IRC
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow HTTP and HTTPS to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>
        With this script your intranet should be reasonably secure
        against external attacks. No one should be able to set up a new
        connection to any internal service and, if it is masqueraded,
        your intranet is invisible to the Internet. Furthermore, your
        firewall should be relatively safe because there are no services
        running that a cracker could attack.
      </para>

    </sect3>

    <sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables">
      <title>BusyBox</title>

      <para>
        This scenario isn't too different from the <xref
        linkend="fw-masqRouter-ipt"/>, but additionally offers some
        services to your intranet. Examples of this can be when
        you want to administer your firewall from another host on
        your intranet or use it as a proxy or a name server.
      </para>

      <note>
        <para>
          Outlining specifically how to protect a server that
          offers services on the Internet goes far beyond the scope of
          this document. See the references in <xref linkend="fw-extra-info"/>
          for more information.
        </para>
      </note>

      <para>
        Be cautious. Every service you have enabled makes your
        setup more complex and your firewall less secure. You are
        exposed to the risks of misconfigured services or running
        a service with an exploitable bug. A firewall should generally
        not run any extra services. See the introduction to the
        <xref linkend="fw-masqRouter-ipt"/> for some more details.
      </para>

      <para>
        If you want to add services such as internal Samba or
        name servers that do not need to access the Internet themselves,
        the additional statements are quite simple and should still be
        acceptable from a security standpoint. Just add the following lines
        into the script <emphasis>before</emphasis> the logging rules.
      </para>

<screen><literal>iptables -A INPUT ! -i WAN1 -j ACCEPT
iptables -A OUTPUT ! -o WAN1 -j ACCEPT</literal></screen>

      <para>
        If daemons, such as squid, have to access the Internet
        themselves, you could open OUTPUT generally and restrict
        INPUT.
      </para>

<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>

      <para>
        However, it is generally not advisable to leave OUTPUT
        unrestricted. You lose any control over trojans that would like
        to "call home", and a bit of redundancy in case you've
        (mis-)configured a service so that it broadcasts its existence
        to the world.
      </para>

      <para>
        To accomplish this, you should restrict INPUT and OUTPUT
        on all ports except those that absolutely need to be
        open. Which ports you have to open depends on your needs: mostly
        you will find them by looking for failed accesses in your log
        files.
      </para>

      <itemizedlist spacing="compact" role='iptables'>
        <title>Have a Look at the Following Examples:</title>
        <listitem>
          <para>
            Squid is caching the web:
          </para>

<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
    -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            Your caching name server (e.g., named) does its lookups via UDP:
          </para>

<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            You want to be able to ping your computer to ensure it's still
            alive:
          </para>

<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptables example number 4">
            If you are frequently accessing FTP servers or enjoy chatting, you
            might notice delays because some implementations of these daemons
            query an identd daemon on your system to obtain usernames. Although
            there's really little harm in this, having an identd running is not
            recommended because many security experts feel the service gives
            out too much additional information.
          </para>

          <para>
            To avoid these delays you could reject the requests with a
            'tcp-reset' response:
          </para>

<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>

        </listitem>
        <listitem>
          <para>
            To log and drop invalid packets (packets
            that came in after netfilter's timeout or some types of
            network scans) insert these rules at the top of the chain:
          </para>

<screen><literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \
    -j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>

        </listitem>
        <listitem>
          <para>
            Anything coming from the outside should not have a
            private address; this is a common attack called IP-spoofing:
          </para>

<screen><literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i WAN1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal></screen>

          <para>
            There are other addresses that you may also want to drop:
            0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
            experimental), 169.254.0.0/16 (Link Local Networks), and
            192.0.2.0/24 (IANA defined test network).
          </para>
        </listitem>
        <listitem>
          <para>
            If your firewall is a DHCP client, you need to allow those packets:
          </para>

<screen><literal>iptables -A INPUT -i WAN1 -p udp --sport 67 \
    -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            To simplify debugging and be fair to anyone who'd like
            to access a service you have disabled, purposely or by mistake,
            you could REJECT those packets that are dropped.
          </para>

          <para>
            Obviously this must be done directly after logging as the very
            last lines before the packets are dropped by policy:
          </para>

<screen><literal>iptables -A INPUT -j REJECT</literal></screen>

        </listitem>
      </itemizedlist>

      <para>
        These are only examples to show you some of the capabilities
        of the firewall code in Linux. Have a look at the man page of iptables.
        There you will find much more information. The port numbers needed for
        this can be found in <filename>/etc/services</filename>, in case you
        didn't find them by trial and error in your log file.
      </para>
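Both the paragraph introducing the examples above and the one just above send you to the log file to find the ports a service needs. As an added example that is not part of the BLFS book, the POSIX shell function below summarises the lines written by the scripts' LOG rules (prefixes FIREWALL:INPUT, FIREWALL:FORWARD, FIREWALL:OUTPUT and FIREWALL:INVALID) by interface, protocol and destination port, run here on a constructed sample log that uses RFC 5737 documentation addresses; function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the BLFS book: summarise what the firewall
# scripts' LOG rules recorded, so the ports a blocked service needs can be
# read off the log instead of found by trial and error. Works on any
# kernel log text (dmesg, /var/log/kern.log) that carries the LOG target's
# KEY=VALUE fields and the page's prefixes FIREWALL:INPUT, FIREWALL:FORWARD,
# FIREWALL:OUTPUT and FIREWALL:INVALID. Function and variable names are my own.

# Constructed sample log (RFC 5737 documentation addresses, not captured
# traffic): two SSH attempts from one host, an SMB probe, a stray DNS
# reply, an INVALID-state segment, a forward attempt to a LAN host, a ping,
# and one unrelated kernel message that must be ignored.
FW_SAMPLE_LOG='Jan 10 12:00:01 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=54322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=3 DF PROTO=TCP SPT=4000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:04 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.20 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=53 DPT=34567 LEN=58
Jan 10 12:00:05 fw kernel: FIREWALL:INVALID IN=WAN1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=5 PROTO=TCP SPT=4001 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Jan 10 12:00:06 fw kernel: FIREWALL:FORWARD IN=WAN1 OUT=LAN1 SRC=203.0.113.9 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=110 ID=6 DF PROTO=TCP SPT=4002 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:07 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Jan 10 12:00:08 fw kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd'

# fw_log_summary < LOGFILE
# Prints one line per (prefix, input interface, protocol, destination
# port): "HITS SOURCES PREFIX IN PROTO DPT", most frequent first. Fields
# are located by name, so the timestamp format in front does not matter;
# lines without a FIREWALL: prefix are ignored.
fw_log_summary() {
    awk '
    {
        prefix = ""; inif = "-"; proto = "-"; dpt = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FIREWALL:/)    prefix = $i
            else if ($i ~ /^IN=./)    inif = substr($i, 4)
            else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
            else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            else if ($i ~ /^SRC=/)    src = substr($i, 5)
        }
        if (prefix == "") next
        key = prefix " " inif " " proto " " dpt
        hits[key]++
        # count distinct sources per key: one host hitting a port many
        # times looks different from many clients needing that port
        if (!((key, src) in seen)) { seen[key, src] = 1; sources[key]++ }
    }
    END {
        for (k in hits) printf "%d %d %s\n", hits[k], sources[k], k
    }' | LC_ALL=C sort -k1,1nr -k3,3
}

# Usage: fw_log_summary < /var/log/kern.log   (or: dmesg | fw_log_summary)
# On the sample the first line is: 2 1 FIREWALL:INPUT WAN1 TCP 22
printf '%s\n' "$FW_SAMPLE_LOG" | fw_log_summary
```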

    </sect3>

    <sect3 id="iptables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the iptables firewall at boot, install the
        <filename>/etc/rc.d/init.d/iptables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the iptables firewall at boot, install the
        <filename>iptables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="iptables iptables-init">
        <primary sortas="f-iptables">iptables</primary>
      </indexterm>

<screen role="root"><userinput>make install-iptables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          ip6tables,
          ip6tables-apply,
          ip6tables-legacy,
          ip6tables-legacy-restore,
          ip6tables-legacy-save,
          ip6tables-restore,
          ip6tables-save,
          iptables,
          iptables-apply,
          iptables-legacy,
          iptables-legacy-restore,
          iptables-legacy-save,
          iptables-restore,
          iptables-save,
          iptables-xml,
          nfsynproxy (optional),
          and xtables-multi
        </seg>
        <seg>
          libip4tc.so,
          libip6tc.so,
          libipq.so,
          libiptc.so,
          and libxtables.so
        </seg>
        <seg>
          /lib/xtables and
          /usr/include/libiptc
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="iptables-prog">
        <term><command>iptables</command></term>
        <listitem>
          <para>
            is used to set up, maintain, and inspect the tables of
            IP packet filter rules in the Linux kernel
          </para>
          <indexterm zone="iptables iptables-prog">
            <primary sortas="b-iptables">iptables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-apply">
        <term><command>iptables-apply</command></term>
        <listitem>
          <para>
            is a safer way to update iptables remotely
          </para>
          <indexterm zone="iptables iptables-apply">
            <primary sortas="b-iptables-apply">iptables-apply</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-legacy">
        <term><command>iptables-legacy</command></term>
        <listitem>
          <para>
            is used to interact with iptables using the legacy command set
          </para>
          <indexterm zone="iptables iptables-legacy">
            <primary sortas="b-iptables-legacy">iptables-legacy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-legacy-restore">
        <term><command>iptables-legacy-restore</command></term>
        <listitem>
          <para>
            is used to restore a set of legacy iptables rules
          </para>
          <indexterm zone="iptables iptables-legacy-restore">
            <primary sortas="b-iptables-legacy-restore">iptables-legacy-restore</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-legacy-save">
        <term><command>iptables-legacy-save</command></term>
        <listitem>
          <para>
            is used to save a set of legacy iptables rules
          </para>
          <indexterm zone="iptables iptables-legacy-save">
            <primary sortas="b-iptables-legacy-save">iptables-legacy-save</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-restore">
        <term><command>iptables-restore</command></term>
        <listitem>
          <para>
            is used to restore IP Tables from data specified on
            STDIN. Use I/O redirection provided by your
            shell to read from a file
          </para>
          <indexterm zone="iptables iptables-restore">
983 <primary sortas="b-iptables-restore">iptables-restore</primary>
984 </indexterm>
985 </listitem>
986 </varlistentry>
987
988 <varlistentry id="iptables-save">
989 <term><command>iptables-save</command></term>
990 <listitem>
991 <para>
992 is used to dump the contents of an IP Table in easily
993 parseable format to STDOUT. Use I/O-redirection
994 provided by your shell to write to a file
995 </para>
996 <indexterm zone="iptables iptables-save">
997 <primary sortas="b-iptables-save">iptables-save</primary>
998 </indexterm>
999 </listitem>
1000 </varlistentry>
1001
1002 <varlistentry id="iptables-xml">
1003 <term><command>iptables-xml</command></term>
1004 <listitem>
1005 <para>
1006 is used to convert the output of
1007 <command>iptables-save</command> to an XML format. Using the
1008 <filename>iptables.xslt</filename> stylesheet converts the XML
1009 back to the format of <command>iptables-restore</command>
1010 </para>
1011 <indexterm zone="iptables iptables-xml">
1012 <primary sortas="b-iptables-xml">iptables-xml</primary>
1013 </indexterm>
1014 </listitem>
1015 </varlistentry>
1016
1017 <varlistentry id="ip6tables">
1018 <term><command>ip6tables*</command></term>
1019 <listitem>
1020 <para>
1021 are a set of commands for IPV6 that parallel the iptables
1022 commands above
1023 </para>
1024 <indexterm zone="iptables ip6tables">
1025 <primary sortas="b-ip6tables">ip6tables</primary>
1026 </indexterm>
1027 </listitem>
1028 </varlistentry>
1029
1030 <varlistentry id="nfsynproxy">
1031 <term><command>nfsynproxy</command></term>
1032 <listitem>
1033 <para>
1034 (optional) configuration tool. SYNPROXY target makes handling of
1035 large SYN floods possible without the large performance penalties
1036 imposed by the connection tracking in such cases
1037 </para>
1038 <indexterm zone="iptables nfsynproxy">
1039 <primary sortas="b-nfsynproxy">nfsynproxy</primary>
1040 </indexterm>
1041 </listitem>
1042 </varlistentry>
1043
1044 <varlistentry id="xtables-multi">
1045 <term><command>xtables-multi</command></term>
1046 <listitem>
1047 <para>
1048 is a binary that behaves according to the name it is called by
1049 </para>
1050 <indexterm zone="iptables xtables-multi">
1051 <primary sortas="b-xtables-multi">xtables-multi</primary>
1052 </indexterm>
1053 </listitem>
1054 </varlistentry>
1055
1056 </variablelist>
1057
1058 </sect2>
1059
</sect1>
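The iptables-save and iptables-restore descriptions above cover moving a ruleset through STDOUT and STDIN; iptables-restore aborts when a rule names a chain the dump never declares or a table block lacks its COMMIT. This added example, which is not from the BLFS book or the iptables project, is a POSIX shell/awk pre-flight check for a dump in that format; the function names check_ruleset, sample_good and sample_bad and both sample rulesets are constructed for it.

```shell
# Added example (not from the BLFS book or iptables): pre-flight check for a
# ruleset in iptables-save format before it is piped into iptables-restore.
# Rules: every -A/-I line must name a chain declared by a ":" line in the
# current "*table" block, and every table block must be closed by COMMIT.
# Usage: check_ruleset FILE (or pipe a dump on stdin); exit status = problem count.
check_ruleset() {
    awk '
        function bad(msg) { print msg; problems++ }      # report and count
        /^#/ || /^[ \t]*$/ { next }                      # comments, blank lines
        /^\*/ {                                          # "*filter": new table
            if (open) bad("line " NR ": table " table " has no COMMIT")
            table = substr($1, 2); split("", chains); open = 1; next
        }
        /^:/ { chains[substr($1, 2)] = 1; next }         # ":INPUT DROP [0:0]"
        /^-[AI] / {                                      # append/insert a rule
            if (!open) bad("line " NR ": rule outside any table")
            else if (!($2 in chains)) bad("line " NR ": chain " $2 " not declared in table " table)
            next
        }
        /^COMMIT$/ { if (!open) bad("line " NR ": COMMIT without a table"); open = 0; next }
        END { if (open) bad("end of input: table " table " has no COMMIT"); exit (problems < 255 ? problems : 255) }
    ' "$@"
}

# Constructed iptables-save output: a minimal default-deny filter table.
sample_good() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Constructed broken dump: FORWARD is never declared, and *nat starts before
# the filter table is committed, so two problems are reported.
sample_bad() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DROP
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
EOF
}
```

Run it as `iptables-save > /tmp/rules && check_ruleset /tmp/rules` before `iptables-restore < /tmp/rules`; a non-zero status means the restore would have failed part-way.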