I will give an example of IPTables rules for BGP.Continue reading “IPTables Rules for BGP”
In this article, I will give an example of IPTables rules for SNMP.
Let’s say “iptables -P INPUT DROP” is the default, which is very desirable.
Sometimes it is necessary, for example, to delete all IPTables rules and to add only the necessary, so for convenience, you can specify them in the script, and then execute it.Continue reading “IPTables quick setup script”
IPTables is a command line utility that is the standard interface for managing the firewall.Continue reading “How to configure IPTables”
Suppose the default “iptables -P INPUT ACCEPT” for all connections (and if DROP, which is very desirable, then we do not use all the DROP rules below, we only perform ACCEPT).
Since Asterisk AMI usually works on TCP port 5038, in order to open it we will execute:Continue reading “IPTables rules for Asterisk AMI”
ipset – a tool consisting of a kernel module, libraries and utility, allowing you to organize a list of networks, IP or MAC addresses, etc., which is very convenient to use for example with IPTables.
Installation command in Ubuntu:
Suppose INPUT is the default DROP, I’ll give examples of IPTables rules for FreeRADIUS:
iptables -A INPUT -p udp --dport 1812 -j ACCEPT iptables -A INPUT -p udp --dport 1813 -j ACCEPT
Once on one of the NAT servers I needed to block some sites.
If the sites are located on several IP addresses, then you need to find out these ranges of IP addresses, for example, look for VKontakte on bgp.he.net, for example, a list of subnets for one of the AS belonging to VK “http://bgp.he.net/AS47541#_prefixes”.
When networks or hosts are known, add rules for them in iptables, for example:
/sbin/iptables -A FORWARD -s 184.108.40.206/18 -j DROP /sbin/iptables -A FORWARD -s 220.127.116.11/20 -j DROP
Thus, we prohibit the passage of the traffic of these networks through the server.
Suppose the default INPUT DROP and a DNS server is installed, now I will give an example of IPTables rules so that clients can access the DNS server.
To open the DNS port in IPTables, let’s execute the rule:Continue reading “IPTables rules for DNS”
Assume the default server INPUT DROP, now I will give an example of a simple rule permitting DHCP requests to the server, this will be enough for clients to get IP from the server (where em1 is the network interface on which the DHCP server is running):
iptables -I INPUT -p udp -i em1 --dport 67 -j ACCEPT
To remove a rule, we’ll specify the same command, replacing -A with -D, for example:
iptables -D INPUT -p udp -i em1 --dport 67 -j ACCEPT
Restrict access by IP is strictly impossible, because clients that do not have an IP address usually send a broadcast request from the IP address 0.0.0.0 to 255.255.255.255, and extend already unicast from their received IP.
Here is an example of an IP restriction (where 192.168.5.1 is the IP on which the DHCP server is running, and 172.17.0.0/16 is the network of clients with which it is allowed to renew the IP lease):
iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT iptables -t filter -A INPUT -i em1 -p udp -s 0.0.0.0 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT iptables -t filter -A INPUT -i em1 -p udp -s 172.17.0.0/16 --sport 68 -d 192.168.5.1 --dport 67 -j ACCEPT