source: postlfs/security/iptables.xml@ ab6bf6a

Last change on this file since ab6bf6a was ab6bf6a, checked in by Douglas R. Reno <renodr@…>, 3 years ago

Update to iptables-1.8.7

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24135 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-md5sum "602ba7e937c72fbb7b1c2b71c3b0004b">
  <!ENTITY iptables-size "704 KB">
  <!ENTITY iptables-buildsize "22 MB">
  <!ENTITY iptables-time "0.1 SBU">
]>

<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
  <?dbhtml filename="iptables.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>iptables-&iptables-version;</title>

  <indexterm zone="iptables">
    <primary sortas="a-iptables">iptables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to iptables</title>

    <para>
      <application>iptables</application> is a userspace command line program
      used to configure the Linux 2.4 and later kernel packet filtering ruleset.
    </para>

    &lfs10_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&iptables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&iptables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &iptables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &iptables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &iptables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &iptables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">iptables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
<!-- <xref linkend="nftables"/>, -->
      <xref linkend="libpcap"/> (required for nfsynproxy support),
      <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
      (required for Berkeley Packet Filter support),
      <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink>
      (required for connlabel support),
      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink>
      (required for connlabel support), and
      <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink>
    </para>


    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/iptables"/>
    </para>
  </sect2>

  <sect2 role="kernel" id="iptables-kernel">
    <title>Kernel Configuration</title>

    <para>
      A firewall in Linux is accomplished through the netfilter interface. To
      use <application>iptables</application> to configure netfilter, the
      following kernel configuration parameters are required:
    </para>

<screen><literal>[*] Networking support ---&gt; [CONFIG_NET]
  Networking Options ---&gt;
    [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]
      [*] Advanced netfilter configuration [CONFIG_NETFILTER_ADVANCED]
      Core Netfilter Configuration ---&gt;
        &lt;*/M&gt; Netfilter connection tracking support [CONFIG_NF_CONNTRACK]
        &lt;*/M&gt; Netfilter Xtables support (required for ip_tables) [CONFIG_NETFILTER_XTABLES]
        &lt;*/M&gt; LOG target support [CONFIG_NETFILTER_XT_TARGET_LOG]
      IP: Netfilter Configuration ---&gt;
        &lt;*/M&gt; IP tables support (required for filtering/masq/NAT) [CONFIG_IP_NF_IPTABLES]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, as well as
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. The above options are enough
      for running <xref linkend="fw-persFw-ipt"/> below.
    </para>

    <indexterm zone="iptables iptables-kernel">
      <primary sortas="d-iptables">iptables</primary>
    </indexterm>

  </sect2>

  <sect2 role="installation">
    <title>Installation of iptables</title>

    <note>
      <para>
        The installation below does not include building some specialized
        extension libraries which require the raw headers in the
        <application>Linux</application> source code. If you wish to build the
        additional extensions (if you aren't sure, then you probably don't), you
        can look at the <filename>INSTALL</filename> file to see an example of
        how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
        at the <application>Linux</application> source code. Note that if you
        upgrade the kernel version, you may also need to recompile
        <application>iptables</application> and that the BLFS team has not
        tested using the raw kernel headers.
      </para>
    </note>

    <para>
      Install <application>iptables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr      \
            --sbindir=/sbin    \
            --disable-nftables \
            --enable-libipq    \
            --with-xtlibdir=/lib/xtables &amp;&amp;
make</userinput></screen>

    <para>
      <!-- there is an iptables-test.py script which seems to run a
           lot of tests. Unfortunately, the success rate is only 50%. Needs
           to be clarified how to use it and which prerequisites are required
           to run to 100%. Contacted Shekhar Sharma for that (Dec'19),
           waiting for an answer (thomas). -->
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;

for file in ip4tc ip6tc ipq xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--disable-nftables</parameter>: This switch disables building
      nftables compatibility. <!--Omit this switch if you have installed
      <xref linkend="nftables"/>.-->
    </para>

    <para>
      <parameter>--enable-libipq</parameter>: This switch enables building
      of <filename class="libraryfile">libipq.so</filename> which
      can be used by some packages outside of BLFS.
    </para>

    <para>
      <parameter>--with-xtlibdir=/lib/xtables</parameter>: This switch ensures that
      all <application>iptables</application> modules are installed in the
      <filename class="directory">/lib/xtables</filename> directory.
    </para>

    <para>
      <option>--enable-nfsynproxy</option>: This switch enables installation
      of the <application>nfsynproxy</application> SYNPROXY configuration tool.
    </para>

    <para>
      <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>:
      This command ensures that the symbolic link for the
      <command>iptables-xml</command> command is relative.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring iptables</title>
<!--
    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configurations provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>
-->
    <note>
      <para>
        In the following example configurations, <emphasis
        role="strong">LAN1</emphasis> is used for the internal LAN interface,
        and <emphasis role="strong">WAN1</emphasis> is used for the external
        interface connected to the Internet. You will need to replace these
        values with appropriate interface names for your system.
      </para>
    </note>

    <sect3 id="fw-persFw-ipt"
           xreflabel="Creating a Personal Firewall With iptables">
      <title>Personal Firewall</title>

      <para>
        A Personal Firewall is designed to let you access all the
        services offered on the Internet while keeping your computer secure and
        your data private.
      </para>

      <para>
        Below is a slightly modified version of Rusty Russell's
        recommendation from the <ulink
        url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
        Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
        to the Linux 5.x kernels.
      </para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
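
      <para>
        Added example, not part of the BLFS book or the iptables project: a
        POSIX shell check that reads back the IPv4 settings under
        <filename class="directory">/proc/sys</filename> which the two scripts
        above write with <command>echo</command>, and reports any key that is
        missing or not in the hardened state. The key list is copied from the
        scripts; the directory root is a parameter, so the same function can
        be pointed at a constructed directory tree for an offline run (the
        <function>make_sample_tree</function> helper is an assumed test
        fixture, not a real system) or at a live host.
      </para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): verify the IPv4 sysctl hardening
# that rc.iptables / /etc/systemd/scripts/iptables apply with "echo N > ...".
# ROOT defaults to /proc/sys; any directory with the same layout works.

# key=value pairs, exactly the settings written by the scripts on this page
# (ip_dynaddr and tcp_ecn are left out: they are tuning, not hardening).
EXPECTED_SYSCTLS="
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/conf/default/accept_source_route=0
net/ipv4/tcp_syncookies=1
net/ipv4/conf/default/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/default/send_redirects=0
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/default/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/default/log_martians=1
"

# check_sysctls [ROOT]
# One line per key: "OK key", "MISMATCH key want=W got=G" or "MISSING key".
check_sysctls() {
    root=${1:-/proc/sys}
    for entry in $EXPECTED_SYSCTLS; do
        key=${entry%%=*}
        want=${entry#*=}
        file="$root/$key"
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$key"
            continue
        fi
        got=$(cat "$file")
        if [ "$got" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'MISMATCH %s want=%s got=%s\n' "$key" "$want" "$got"
        fi
    done
}

# count_findings [ROOT]: number of keys not in the hardened state (0 = clean).
count_findings() {
    n=$(check_sysctls "${1:-/proc/sys}" | grep -c -v '^OK ' || true)
    printf '%s\n' "$n"
}

# make_sample_tree DIR: constructed /proc/sys look-alike for an offline run
# (assumed test fixture, not a real system): accept_redirects is left on and
# the default rp_filter entry is missing, so two findings are expected.
make_sample_tree() {
    dir=$1
    for entry in $EXPECTED_SYSCTLS; do
        key=${entry%%=*}
        val=${entry#*=}
        case $key in
            net/ipv4/conf/default/accept_redirects) val=1 ;;
            net/ipv4/conf/default/rp_filter) continue ;;
        esac
        mkdir -p "$dir/$(dirname "$key")"
        printf '%s\n' "$val" > "$dir/$key"
    done
}

# Usage on a live host:  sh sysctl-check.sh /proc/sys
if [ -n "${1:-}" ]; then
    check_sysctls "$1"
    printf 'findings: %s\n' "$(count_findings "$1")"
fi
```

      <para>
        Running the check after the firewall script has been started, and again
        after a reboot, confirms that the values actually took effect; a
        MISSING line usually means the kernel was built without the
        corresponding option, a MISMATCH that something else (a network
        manager, a later sysctl file) reset the value.
      </para>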

      <para>
        This script is quite simple: it drops all traffic coming into your
        computer that wasn't initiated from your computer, but as long as you
        are simply surfing the Internet you are unlikely to exceed its limits.
      </para>

      <para>
        If you frequently encounter delays when accessing FTP servers, take a
        look at <xref linkend="fw-BB-4-ipt"/>.
      </para>

      <para>
        Even if you have daemons or services running on your system, these
        will be inaccessible from anywhere but your computer itself. If you
        want to allow access to services on your machine, such as
        <command>ssh</command> or <command>ping</command>, take a look at
        <xref linkend="fw-busybox-ipt"/>.
      </para>

    </sect3>

    <sect3 id="fw-masqRouter-ipt"
           xreflabel="Creating a Masquerading Router With iptables">
      <title>Masquerading Router</title>

      <para>
        A Network Firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it such as <application>X11</application>.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or even worse, that implements
        a worm via a buffer-overflow).
      </para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."

echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward

# The following sections allow inbound packets for specific examples
# Uncomment the example lines and adjust as necessary

# Allow ping on the external interface
#iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

# Reject ident packets with TCP reset to avoid delays with FTP or IRC
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow HTTP and HTTPS to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>
        With this script your intranet should be reasonably secure
        against external attacks. No one should be able to set up a new
        connection to any internal service and, if it is masqueraded, your
        intranet is invisible to the Internet. Furthermore, your
        firewall should be relatively safe because there are no services
        running that a cracker could attack.
      </para>

    </sect3>

    <sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables">
      <title>BusyBox</title>

      <para>
        This scenario isn't too different from the <xref
        linkend="fw-masqRouter-ipt"/>, but additionally offers some
        services to your intranet. Examples of this can be when
        you want to administer your firewall from another host on
        your intranet or use it as a proxy or a name server.
      </para>

      <note>
        <para>
          Outlining specifically how to protect a server that
          offers services on the Internet goes far beyond the scope of
          this document. See the references in <xref linkend="fw-extra-info"/>
          for more information.
        </para>
      </note>

      <para>
        Be cautious. Every service you have enabled makes your
        setup more complex and your firewall less secure. You are
        exposed to the risks of misconfigured services or running
        a service with an exploitable bug. A firewall should generally
        not run any extra services. See the introduction to the
        <xref linkend="fw-masqRouter-ipt"/> for some more details.
      </para>

      <para>
        If you want to add services such as internal Samba or
        name servers that do not need to access the Internet themselves,
        the additional statements are quite simple and should still be
        acceptable from a security standpoint. Just add the following lines
        into the script <emphasis>before</emphasis> the logging rules.
      </para>

<screen><literal>iptables -A INPUT ! -i WAN1 -j ACCEPT
iptables -A OUTPUT ! -o WAN1 -j ACCEPT</literal></screen>

      <para>
        If daemons, such as squid, have to access the Internet
        themselves, you could open OUTPUT generally and restrict
        INPUT.
      </para>

<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>

      <para>
        However, it is generally not advisable to leave OUTPUT
        unrestricted. You lose any control over trojans that would like
        to "call home", and a bit of redundancy in case you've
        (mis-)configured a service so that it broadcasts its existence
        to the world.
      </para>

      <para>
        To accomplish this, you should restrict INPUT and OUTPUT
        on all ports except those that it is absolutely necessary to have
        open. Which ports you have to open depends on your needs: mostly
        you will find them by looking for failed accesses in your log
        files.
      </para>
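
      <para>
        Added example, not part of the BLFS book or the iptables project: a
        small shell and awk helper that summarises the kernel log entries
        written by the <command>-j LOG --log-prefix "FIREWALL:..."</command>
        rules of this chapter, so that the ports and sources behind the
        "failed accesses" mentioned above can be read off instead of searched
        for by hand. The sample log excerpt is constructed (RFC 5737
        documentation addresses, not a real capture); the interface and
        prefix names are the ones used in the scripts on this page.
      </para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): summarise what the
# "-j LOG --log-prefix FIREWALL:..." rules of this chapter have logged, so
# the ports and sources behind failed accesses can be read off the kernel log.

# summarize_firewall_log FILE   (use - for stdin: dmesg | sh thisfile.sh -)
# Prints, sorted:
#   port CHAIN PROTO/DPORT COUNT   what was blocked, per service
#   src  CHAIN SOURCE-IP  COUNT    who was knocking
summarize_firewall_log() {
    awk '
    index($0, "FIREWALL:") == 0 { next }   # not one of our LOG rules
    {
        chain = "?"; src = "?"; proto = "?"; dpt = "-"
        for (i = NF; i > 0; i--) {         # scan the key=value fields
            if (substr($i, 1, 9) == "FIREWALL:") chain = $i
            else if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
            else if (substr($i, 1, 6) == "PROTO=") proto = substr($i, 7)
            else if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
        }
        ports[chain " " proto "/" dpt]++
        sources[chain " " src]++
    }
    END {
        for (k in ports) print "port", k, ports[k]
        for (k in sources) print "src", k, sources[k]
    }' "$1" | sort
}

# write_sample_log FILE: constructed kernel log excerpt in the format the
# netfilter LOG target writes (RFC 5737 documentation addresses, not a real
# capture). The last line is unrelated kernel noise and must be ignored.
write_sample_log() {
    printf '%s\n' \
'Mar  3 10:15:01 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0' \
'Mar  3 10:15:04 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0' \
'Mar  3 10:15:09 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0' \
'Mar  3 10:15:12 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0' \
'Mar  3 10:16:40 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=4711 PROTO=UDP SPT=40000 DPT=53 LEN=53' \
'Mar  3 10:16:41 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=4712 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1' \
'Mar  3 10:17:02 fw kernel: FIREWALL:FORWARD IN=WAN1 OUT=LAN1 SRC=203.0.113.77 DST=192.168.0.20 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=49800 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0' \
'Mar  3 10:17:30 fw kernel: usb 1-1: new high-speed USB device number 3' > "$1"
}

# Usage:  sh firewall-log-summary.sh /var/log/kern.log
if [ -n "${1:-}" ]; then
    summarize_firewall_log "$1"
fi
```

      <para>
        The "port" lines answer the question this section raises, which
        ports a service you run actually needs, and can be looked up in
        <filename>/etc/services</filename>; the "src" lines show repeated
        probing from one source, which is usually noise on the WAN side but
        worth a second look on the LAN side.
      </para>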

      <itemizedlist spacing="compact" role='iptables'>
        <title>Have a Look at the Following Examples:</title>
        <listitem>
          <para>
            Squid is caching the web:
          </para>

<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
  -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            Your caching name server (e.g., named) does its lookups via UDP:
          </para>

<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            You want to be able to ping your computer to ensure it's still
            alive:
          </para>

<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptables example number 4">
            If you are frequently accessing FTP servers or enjoy chatting, you
            might notice delays because some implementations of these daemons
            query an identd daemon on your system to obtain usernames. Although
            there's really little harm in this, having an identd running is not
            recommended because many security experts feel the service gives
            out too much additional information.
          </para>

          <para>
            To avoid these delays you could reject the requests with a
            'tcp-reset' response:
          </para>

<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>

        </listitem>
        <listitem>
          <para>
            To log and drop invalid packets (packets
            that came in after netfilter's timeout or some types of
            network scans) insert these rules at the top of the chain
            (rule numbers start at 1, so the LOG rule goes in at position 1
            and the DROP rule directly after it at position 2):
          </para>

<screen><literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \
  -j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>

        </listitem>
        <listitem>
          <para>
            Anything coming from the outside should not have a
            private address; forging one is a common attack called IP-spoofing:
          </para>

<screen><literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i WAN1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal></screen>

          <para>
            There are other addresses that you may also want to drop:
            0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
            experimental), 169.254.0.0/16 (Link Local Networks), and
            192.0.2.0/24 (IANA defined test network).
          </para>
        </listitem>
        <listitem>
          <para>
            If your firewall is a DHCP client, you need to allow those packets:
          </para>

<screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
  -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            To simplify debugging and be fair to anyone who'd like
            to access a service you have disabled, purposely or by mistake,
            you could REJECT those packets that are dropped.
          </para>

          <para>
            Obviously this must be done directly after logging as the very
            last lines before the packets are dropped by policy:
          </para>

<screen><literal>iptables -A INPUT -j REJECT</literal></screen>

        </listitem>
      </itemizedlist>

      <para>
        These are only examples to show you some of the capabilities
        of the firewall code in Linux. Have a look at the man page of iptables.
        There you will find much more information. The port numbers needed for
        this can be found in <filename>/etc/services</filename>, in case you
        didn't find them by trial and error in your log file.
      </para>

    </sect3>

    <sect3 id="iptables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
      <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the iptables firewall at boot, install the
        <filename>/etc/rc.d/init.d/iptables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the iptables firewall at boot, install the
        <filename>iptables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="iptables iptables-init">
        <primary sortas="f-iptables">iptables</primary>
      </indexterm>

<screen role="root"><userinput>make install-iptables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          ip6tables,
          ip6tables-apply,
          ip6tables-legacy,
          ip6tables-legacy-restore,
          ip6tables-legacy-save,
          ip6tables-restore,
          ip6tables-save,
          iptables,
          iptables-apply,
          iptables-legacy,
          iptables-legacy-restore,
          iptables-legacy-save,
          iptables-restore,
          iptables-save,
          iptables-xml,
          nfsynproxy (optional),
          and xtables-multi
        </seg>
        <seg>
          libip4tc.so,
          libip6tc.so,
          libipq.so,
          libiptc.so,
          and libxtables.so
        </seg>
        <seg>
          /lib/xtables and
          /usr/include/libiptc
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="iptables-prog">
        <term><command>iptables</command></term>
        <listitem>
          <para>
            is used to set up, maintain, and inspect the tables of
            IP packet filter rules in the Linux kernel.
          </para>
          <indexterm zone="iptables iptables-prog">
            <primary sortas="b-iptables">iptables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-apply">
        <term><command>iptables-apply</command></term>
        <listitem>
          <para>
            is a safer way to update iptables remotely.
          </para>
          <indexterm zone="iptables iptables-apply">
            <primary sortas="b-iptables-apply">iptables-apply</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-legacy">
        <term><command>iptables-legacy</command></term>
        <listitem>
          <para>
            is used to interact with iptables using the legacy command set.
          </para>
          <indexterm zone="iptables iptables-legacy">
            <primary sortas="b-iptables-legacy">iptables-legacy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-legacy-restore">
        <term><command>iptables-legacy-restore</command></term>
        <listitem>
          <para>
            is used to restore a set of legacy iptables rules.
          </para>
          <indexterm zone="iptables iptables-legacy-restore">
            <primary sortas="b-iptables-legacy-restore">iptables-legacy-restore</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-legacy-save">
        <term><command>iptables-legacy-save</command></term>
        <listitem>
          <para>
            is used to save a set of legacy iptables rules.
          </para>
          <indexterm zone="iptables iptables-legacy-save">
            <primary sortas="b-iptables-legacy-save">iptables-legacy-save</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-restore">
        <term><command>iptables-restore</command></term>
        <listitem>
          <para>
            is used to restore IP tables from data read on
            STDIN. Use the I/O redirection provided by your
            shell to read from a file.
          </para>
          <indexterm zone="iptables iptables-restore">
            <primary sortas="b-iptables-restore">iptables-restore</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-save">
        <term><command>iptables-save</command></term>
        <listitem>
          <para>
            is used to dump the contents of an IP table in an easily
            parseable format to STDOUT. Use the I/O redirection
            provided by your shell to write to a file.
          </para>
          <indexterm zone="iptables iptables-save">
            <primary sortas="b-iptables-save">iptables-save</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-xml">
        <term><command>iptables-xml</command></term>
        <listitem>
          <para>
            is used to convert the output of
            <command>iptables-save</command> to an XML format. Using the
            <filename>iptables.xslt</filename> stylesheet converts the XML
            back to the format of <command>iptables-restore</command>.
          </para>
          <indexterm zone="iptables iptables-xml">
            <primary sortas="b-iptables-xml">iptables-xml</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ip6tables">
        <term><command>ip6tables*</command></term>
        <listitem>
          <para>
            are a set of commands for IPv6 that parallel the iptables
            commands above.
          </para>
          <indexterm zone="iptables ip6tables">
            <primary sortas="b-ip6tables">ip6tables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nfsynproxy">
        <term><command>nfsynproxy</command></term>
        <listitem>
          <para>
            is an optional configuration tool for the SYNPROXY target, which
            makes it possible to handle large SYN floods without the heavy
            performance penalty that connection tracking would otherwise
            impose in such cases.
          </para>
          <indexterm zone="iptables nfsynproxy">
            <primary sortas="b-nfsynproxy">nfsynproxy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="xtables-multi">
        <term><command>xtables-multi</command></term>
        <listitem>
          <para>
            is a multi-call binary that behaves according to the name it is
            invoked by.
          </para>
          <indexterm zone="iptables xtables-multi">
            <primary sortas="b-xtables-multi">xtables-multi</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>
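    <para>
      The dump format that <command>iptables-save</command> writes and
      <command>iptables-restore</command> reads back (described above), together
      with the <filename>/etc/services</filename> lookup mentioned in the
      firewall examples, as an added example in Python. This is not code from
      iptables or from the BLFS book: it parses a constructed iptables-save dump
      offline, reports every built-in chain whose default policy is ACCEPT, and
      resolves each <literal>--dport</literal> match through a constructed
      excerpt laid out like <filename>/etc/services</filename>. The sample dump,
      the services excerpt and all function names are this example's own
      assumptions.
    </para>

```python
"""Parse an iptables-save dump offline and summarise it.

Added example; not part of iptables or the BLFS book. It reads the text
format written by iptables-save (and read back by iptables-restore) and
reports each chain's default policy plus every rule matching a port,
resolving the port through a small /etc/services-style table. Both the
dump and the services table below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in iptables-save format: a default-deny INPUT chain
# and a FORWARD chain that still accepts by default.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT
COMMIT
"""

# Constructed excerpt in the layout of /etc/services: name, port/proto, aliases.
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]
ssh             22/tcp
http            80/tcp          www
"""


@dataclass
class Chain:
    name: str
    policy: str  # ACCEPT or DROP for built-in chains, "-" for user chains
    rules: list = field(default_factory=list)


def parse_services(text):
    """Map (port, proto) to a service name from /etc/services-style lines."""
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        services[(int(port), proto)] = name
    return services


def parse_dump(text):
    """Return {table: {chain: Chain}} from iptables-save output."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):           # "*filter": start of a table
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):         # ":INPUT DROP [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            tables[table][name] = Chain(name, policy)
        elif line.startswith("-A "):       # "-A CHAIN matches -j TARGET"
            tables[table][line.split()[1]].rules.append(line)
        elif line == "COMMIT":             # end of the current table
            table = None
    return tables


PORT_RE = re.compile(r"--dport (\d+)")
PROTO_RE = re.compile(r"(?:^|\s)-p (\w+)")


def describe_ports(tables, services):
    """List (table, chain, port, proto, service-or-None) for port rules."""
    found = []
    for tname, chains in tables.items():
        for chain in chains.values():
            for rule in chain.rules:
                m = PORT_RE.search(rule)
                if not m:
                    continue
                port = int(m.group(1))
                pm = PROTO_RE.search(rule)
                proto = pm.group(1) if pm else "?"
                found.append((tname, chain.name, port, proto,
                              services.get((port, proto))))
    return found


def open_chains(tables):
    """Chains whose default policy is ACCEPT, the usual review finding."""
    return [(t, c.name) for t, chains in tables.items()
            for c in chains.values() if c.policy == "ACCEPT"]


if __name__ == "__main__":
    tables = parse_dump(SAMPLE_DUMP)
    for t, c, port, proto, svc in describe_ports(tables, parse_services(SAMPLE_SERVICES)):
        print("%s/%s allows %d/%s (%s)" % (t, c, port, proto, svc or "not in services"))
    print("chains with ACCEPT policy:", open_chains(tables))
```

    <para>
      On a real system the dump would come from <command>iptables-save</command>
      redirected to a file, as the description above says; keeping the parser
      independent of the live firewall lets a saved ruleset be reviewed on any
      host before it is fed to <command>iptables-restore</command>.
    </para>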

  </sect2>

</sect1>