Iptables¶
Iptables are used in the Debian install script.
Basic Rules¶
iptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTiptables -A INPUT -p tcp --dport 22 -j ACCEPTiptables -A INPUT -p tcp --dport 80 -j ACCEPTiptables -A INPUT -p tcp --dport 443 -j ACCEPTiptables -A INPUT -p tcp --dport 5060:5069 -j ACCEPTiptables -A INPUT -p udp --dport 5060:5069 -j ACCEPTiptables -A INPUT -p tcp --dport 5080 -j ACCEPTiptables -A INPUT -p udp --dport 5080 -j ACCEPTiptables -A INPUT -p udp --dport 16384:32768 -j ACCEPTiptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPTiptables -A INPUT -p udp --dport 1194 -j ACCEPTiptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT ACCEPTOptional Rules¶
OPENVPN:
iptables -A INPUT -p udp --dport 1194 -j ACCEPTICMP:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPTFriendly Scanner¶
Rules to block not so friendly scanner
iptables -I INPUT -j DROP -p tcp --dport 5060 -m string --string "friendly-scanner" --algo bmiptables -I INPUT -j DROP -p tcp --dport 5080 -m string --string "friendly-scanner" --algo bmiptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bmiptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bmOptional
iptables -I INPUT -j DROP -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bmiptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxIPUserAgent" --algo bmiptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bmiptables -I INPUT -j DROP -p tcp --dport 5080 -m string --string "VaxIPUserAgent" --algo bmiptables -I INPUT -j DROP -p tcp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bmiptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bmiptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent/3.1" --algo bmiptables -I INPUT -j DROP -p tcp --dport 5080 -m string --string "VaxSIPUserAgent/3.1" --algo bmAdd DSCP rules¶
iptables -t mangle -A OUTPUT -p udp -m udp –sport 16384:32768 -j DSCP –set-dscp 46 iptables -t mangle -A OUTPUT -p udp -m udp –sport 5060:5091 -j DSCP –set-dscp 26 iptables -t mangle -A OUTPUT -p tcp -m tcp –sport 5060:5091 -j DSCP –set-dscp 26
Show iptable rules¶
sudo iptables -L -v
Show line numbers¶
iptables -L -v -n --line-numbers
Show DSCP rules¶
iptables -vL -t mangle
Flush Out Iptables¶
iptables -P INPUT ACCEPTiptables -P FORWARD ACCEPTiptables -P OUTPUT ACCEPTiptables -FOpen a Port for a Specific IP Address¶
iptables -A INPUT -j ACCEPT -p tcp --dport 5432 -s x.x.x.x/32Block IP address¶
iptables -I INPUT -s 62.210.245.132 -j DROPRestore Rules from rules.v4¶
This reads the file rules.v4 and saved iptables rules back into active memory.
| iptables-restore < /etc/iptables/rules.v4
Flush iptables¶
How to flush iptables without loosing access to ssh.
iptables -P INPUT ACCEPTiptables -FSave Changes¶
Debian / Ubuntu
apt-get install iptables-persistentservice iptables-persistent savedpkg-reconfigure iptables-persistentiptables-save > /etc/iptables/rules.v4ip6tables-save > /etc/iptables/rules.v6