--Save and reflect the settings with the iptables-save / iptables-restore command --Configure both IPv4 and IPv6 --Persist the settings with the netfilter-persistent command (so that the settings do not disappear even if the OS is restarted) --Perform a port scan with nmap to see if the iptables settings are reflected
Check with the iptables command and the iptables-save command.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ sudo iptables-save
# Generated by iptables-save v1.8.3 on Sun Jan 12 23:15:35 2020
*filter
:INPUT ACCEPT [1796:190499]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1400:212762]
COMMIT
# Completed on Sun Jan 12 23:15:35 2020
This time I saved the packet filtering rules in a file called rules.v4.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-name t_icmp --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --syn --state NEW --dport 22 -m hashlimit --hashlimit-name t_sshd --hashlimit 1/m --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
The contents of the rule are Simple explanation of firewall iptables-Even beginners can understand well! I referred to the Web server operation course by VPS \ (4 ) \ | Sakura Knowledge.
Apply the rules with the iptables-restore command.
$ sudo iptables-restore < rules.v4
Confirm that the settings are reflected.
$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: up to 1/min burst 10 mode srcip htable-expire 120000
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: up to 1/min burst 10 mode srcip htable-expire 120000
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ sudo iptables-save
# Generated by iptables-save v1.8.3 on Sun Jan 12 23:16:24 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [50:6132]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name t_icmp --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 1/min --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name t_sshd --hashlimit-htable-expire 120000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Sun Jan 12 23:16:24 2020
Check with the ip6tables command and ip6tables-save command.
$ sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ sudo ip6tables-save
# Generated by ip6tables-save v1.8.3 on Sun Jan 12 20:37:47 2020
*filter
:INPUT ACCEPT [328:22552]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [448:31496]
COMMIT
# Completed on Sun Jan 12 20:37:47 2020
This time I saved the packet filtering rules in a file called rules.v6.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
Apply the rule with the ip6tables-restore command.
$ sudo ip6tables-restore < rules.v6
Confirm that the settings are reflected.
$ sudo ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
$ sudo ip6tables-save
# Generated by ip6tables-save v1.8.3 on Mon Jan 13 00:10:54 2020
*filter
:INPUT DROP [18:1296]
:FORWARD DROP [0:0]
:OUTPUT DROP [74:5328]
COMMIT
# Completed on Mon Jan 13 00:10:54 2020
The iptables settings will return to their initial state when the OS is restarted. If you make the settings persistent with the netfilter-persistent command, the settings will be reflected again when the OS starts.
Install the iptables-persistent package, a plugin for iptables with the netfilter-persistent command.
$ sudo apt install iptables-persistent
It also installs the netfilter-persistent package as a dependency. The netfilter-persistent command for persistence is included in the netfilter-persistent package.
Persist current settings with netfilter-persistent save.
$ sudo netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
Persistent settings are stored in the files rules.v4 and rules.v6 under / etc / iptables /.
$ tree /etc/iptables/
/etc/iptables/
├── rules.v4
└── rules.v6
0 directories, 2 files
After restarting the OS with sudo reboot etc., if you check the settings, it is restored properly.
A README file and a manual are available.
$ cat /usr/share/doc/iptables-persistent/README
netfilter-persistent and its plugins
------------------------------------
netfilter-persistent does no work on its own. You need the accompanying
plugins (for example, iptables-persistent) to load and save filter rules.
However, commands are run from netfilter-persistent. For example, to save
all filter rules:
netfilter-persistent save
or to load them:
netfilter-persistent start
For more details, see `man netfilter-persistent`.
The system service will try to load rules at startup if enabled, but by
default it will not flush rules at shutdown. This behaviour can be changed
by editing /etc/default/netfilter-persistent.
Ubuntu Manpage: netfilter-persistent - load, flush and save netfilter rule sets
Scan the port with the nmap command from another machine to see if the iptables settings are working.
Port scan with some patterns.
XXX.XXX.XXX.XXX is the target IP address (IPv4).
$ sudo nmap -Pn XXX.XXX.XXX.XXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:38 JST
Nmap scan report for www.example.com (XXX.XXX.XXX.XXX)
Host is up (0.020s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 4.59 seconds
Stealth scan.
$ sudo nmap -sS -sU -Pn XXX.XXX.XXX.XXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:38 JST
Nmap scan report for www.example.com (XXX.XXX.XXX.XXX)
Host is up (0.023s latency).
Not shown: 1000 open|filtered ports, 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
Nmap done: 1 IP address (1 host up) scanned in 10.63 seconds
XXXX: XXXX: XXXX: XXXX: XXXX: XXXX: XXXX: XXXX is the target IP address (IPv6).
$ nmap -6 -Pn XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:46 JST
Nmap scan report for wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX)
Host is up.
All 1000 scanned ports on wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX) are filtered
Nmap done: 1 IP address (1 host up) scanned in 201.70 seconds
Stealth scan.
$ sudo nmap -6 -sS -sU -Pn XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 23:52 JST
Nmap scan report for wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX)
Host is up.
All 2000 scanned ports on wwww.v6.example.com (XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX) are filtered (1000) or open|filtered (1000)
Nmap done: 1 IP address (1 host up) scanned in 404.36 seconds
Recommended Posts