iptables for newbies, curious, interested (2nd Part)

When DesdeLinux was only a few months old I wrote an extremely simple-to-understand tutorial about iptables: iptables for newbies, curious, interested (1st part). Using metaphors such as comparing our computer to our house and our firewall to the door of the house, as well as other examples, I explained in an entertaining way, without many technicalities or complicated concepts, what a firewall is, what iptables is, and how to start using and configuring it. This is the continuation, the 2nd part of the previous iptables tutorial 🙂

It happens that a few days ago I set up a Wifi network at my girlfriend's house using a Linksys AP (Access Point). Although the area is not the most tech-savvy, that is, there is not much danger of cracking, it is always a good idea to have excellent security both on the Wifi and on the computers.

I will not comment on the security of the Wifi here, as it is not the objective of this post; I will focus on the iptables configuration that I currently use on my laptop.

The following commands are run in a terminal and need administrator privileges. I will prepend sudo to each command; you can do the same, or avoid sudo by running the commands directly as root.

In the previous post I explained that a firewall must first deny all incoming traffic. For this:

sudo iptables -P INPUT DROP

Then we must allow our own computer to talk to itself (loopback traffic):

sudo iptables -A INPUT -i lo -j ACCEPT

As well as accepting the packets of connections that originate from our computer:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

For a better understanding of these lines, I recommend reading the first half of the previous article: iptables for newbies, curious, interested (1st part)

So far our computer can browse the internet without problems, but no one from any other environment (LAN, internet, Wifi, etc.) can access our computer in any way. Now we start configuring iptables according to our needs.

Using ulogd to send the iptables logs to another file:

By default the iptables logs go to the kernel log, the system log, or somewhere like that... in Arch, right now I don't even remember where they go by default; that is why I use ulogd, so that the iptables logs end up in a separate file.

sudo iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ULOG

Giving access to my private server:

I don't use VirtualBox or anything similar to virtualize; my private server is virtualized with Qemu + KVM and must be able to connect to my laptop. With the iptables rules I just specified above it will not be able to, so I have to give permission to the IP of my virtual server so that it can access my laptop:

sudo iptables -A INPUT -i virbr0 -p tcp -s 192.168.122.88 -j ACCEPT

We are going to detail this line, it is important that you understand what each parameter means, because they will be repeated a lot from now on:

-A INPUT : I am declaring a rule for inbound traffic

-i virbr0 : I declare that the interface through which I will accept the traffic is not eth0 (LAN) or wlan0 (Wifi); I say specifically that it is my virbr0 interface, that is, the internal virtual network interface through which my laptop communicates with my virtual server (and vice versa)

-p tcp : I specify the protocol; the most used are UDP and TCP. Here it was not really necessary, but it is customary to specify the protocol to accept

-s 192.168.122.88 : The source of the packets. In other words, the rule refers to packets that come specifically from the IP 192.168.122.88

-j ACCEPT : Here I say what to do with the packets that match the above; in this case, accept them.

In summary, I will accept packets that come from the IP 192.168.122.88. But what if packets come from that IP BUT enter through an interface other than virbr0? Say packets arrive from the IP 192.168.122.88 but from a computer on our Wifi network: in that case the packets will be rejected. Why? Because we clearly specified that yes, we accept packets from 192.168.122.88, but only if they also enter through the virbr0 interface (the internal, virtual network interface); if the packets come through another interface (LAN, RAS, Wifi, etc.) they will not be accepted. By specifying the interface, as you can see, we can restrict the rule even more and have better control over what enters (or does not enter) our computer.

Accepting ping from any IP of the home Wifi:

If some other computer that connects to the Wifi tries to ping my laptop, I want to allow it. Why? In the next few weeks I also plan to connect the PC of the house next door to the network, so that sharing information is less complex and more fluid. When I start testing to link the desktop to the Wifi, I will need to ping my laptop to check connectivity; if my laptop does not ping back, I might think that the AP is failing or that there was an error accessing the Wifi. That is why I want to allow ping.

sudo iptables -A INPUT -i wlo1 -p icmp -s 192.168.1.0/24 -d 192.168.1.51 -j ACCEPT

-A INPUT : Same as before, I refer to incoming traffic

-i wlo1 : Similar to before. In the previous case I specified the virtual interface, in this case I specify another interface, that of my wifi: wlo1

-p icmp : Icmp protocol, icmp = ping. That is, I am not allowing SSH or anything similar, I only allow ping (icmp)

-s 192.168.1.0/24 : The source of the packets; as long as the packets come from an IP of the form 192.168.1.? they will be accepted

-d 192.168.1.51 : Destination IP, that is, my IP.

-j ACCEPT : I indicate what to do with the packets that match the above: accept them.

That is, to explain it all at once: I accept pings (icmp protocol) whose destination is specifically my IP, as long as they come from an IP like 192.168.1.__, and they cannot come from just any network interface; they have to enter specifically through my Wifi network interface (wlo1)

Accept SSH only for one IP:

Sometimes I need to connect by SSH from my smartphone to control the laptop, so I must allow SSH access to my laptop from the IPs of my Wifi. For this:

sudo iptables -A INPUT -i wlo1 -p tcp -s 192.168.1.0/24 -d 192.168.1.51 --dport 22 -j ACCEPT

From this line, the only thing that is different or that deserves to be highlighted is --dport 22 (the SSH port I use)

In other words, I accept attempts to connect to my laptop on port 22, as long as they come from an IP of my Wifi, have my IP as their specific destination, and also come through the wlo1 interface, that is, the one of my Wifi (not the LAN, etc.)

Allowing others to view your website:

It is not my case, but if any of you host a website and do not want to deny access to anyone, that is, everyone from anywhere can access that website, it is much simpler than you may think:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

In other words, here we allow all incoming TCP traffic on port 80. As you can see, I do not specify which IPs or network I allow access from; by not specifying an IP range, iptables assumes that I want to allow access from all IP ranges, that is, from the whole world 🙂
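To make the first-match behaviour described above concrete, here is an added example (not from the original post): a small bash evaluator that applies the post's INPUT rules, in the order they were appended, to a described packet and returns the verdict. It shows why a packet from 192.168.122.88 is accepted on virbr0 but falls through to the DROP policy on wlo1. The function names ip2int, in_net and verdict are hypothetical; the ESTABLISHED,RELATED rule is not modelled.

```shell
#!/bin/bash
# Added example, not from the original post: a first-match evaluator for the post's
# INPUT rules. Pure shell, no root and no iptables needed.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# in_net IP CIDR -> true when IP lies inside CIDR; a bare IP means /32, "any" matches all
in_net() {
    [ "$2" = any ] && return 0
    local net=${2%/*} bits=${2#*/} mask
    [ "$net" = "$2" ] && bits=32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The post's rules, in the order they are appended (first match wins):
# IFACE PROTO SRC DST DPORT VERDICT, with "any" for a field the rule does not specify
RULES='lo any any any any ACCEPT
virbr0 tcp 192.168.122.88 any any ACCEPT
wlo1 icmp 192.168.1.0/24 192.168.1.51 any ACCEPT
wlo1 tcp 192.168.1.0/24 192.168.1.51 22 ACCEPT
any tcp any any 80 ACCEPT'

# verdict IFACE PROTO SRC DST DPORT -> verdict of the first matching rule, or the
# chain policy DROP when no rule matches (set by: sudo iptables -P INPUT DROP)
verdict() {
    local hit
    hit=$(printf '%s\n' "$RULES" | while read -r r_if r_proto r_src r_dst r_port r_verdict; do
        [ "$r_if" = any ]    || [ "$r_if" = "$1" ]    || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$2" ] || continue
        in_net "$3" "$r_src" || continue
        in_net "$4" "$r_dst" || continue
        [ "$r_port" = any ]  || [ "$r_port" = "$5" ]  || continue
        echo "$r_verdict"; break
    done)
    echo "${hit:-DROP}"
}

# Same source IP, two interfaces: only the virbr0 packet is accepted
verdict virbr0 tcp 192.168.122.88 192.168.122.1 22   # ACCEPT
verdict wlo1   tcp 192.168.122.88 192.168.1.51  22   # DROP
verdict wlo1   tcp 192.168.1.20   192.168.1.51  22   # ACCEPT (SSH from the Wifi)
verdict eth0   tcp 192.168.1.20   192.168.1.51  22   # DROP (right IPs, wrong interface)
```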

Other combinations:

I have many other rules, for example accepting ping from the IPs of my home LAN (for this it is basically the same line as above, changing the IP range), which is more of the same that I just explained... On my laptop I do not use really complex things such as limiting connections or anti-DDoS; I leave that for the servers, on my laptop I don't need it 🙂
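Since the post builds its firewall as a script, here is an added example (not the post's own script) that assembles the same rules into one iptables-restore file, so the policy is loaded atomically instead of setting DROP and then appending rules one at a time in a live terminal. Two things differ from the post on purpose: the ping rule accepts only echo-request rather than every ICMP type (the point tau raises in the comments), and logging uses the NFLOG target that ulogd2 reads (as Oscar Grenada notes; the ULOG target is gone from current kernels) and sits last, so it records only the connection attempts that are about to be dropped. gen_ruleset, log_rule_after_accepts and the NFLOG group number are assumptions of this example; the interface names and addresses default to the post's own.

```shell
#!/bin/bash
# Added example, not from the original post. Parameters (all optional, defaults from
# the post): $1 Wifi interface, $2 Wifi subnet, $3 this host's Wifi IP, $4 VM IP.
#   usage: gen_ruleset wlo1 192.168.1.0/24 192.168.1.51 192.168.122.88 | sudo iptables-restore
gen_ruleset() {
    local wifi_if=${1:-wlo1} wifi_net=${2:-192.168.1.0/24}
    local my_ip=${3:-192.168.1.51} vm_ip=${4:-192.168.122.88}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the virtual server, only through the internal bridge
-A INPUT -i virbr0 -p tcp -s $vm_ip -j ACCEPT
# ping from the Wifi: only echo-request, not every ICMP type
-A INPUT -i $wifi_if -p icmp --icmp-type echo-request -s $wifi_net -d $my_ip -j ACCEPT
# SSH from the Wifi only
-A INPUT -i $wifi_if -p tcp -s $wifi_net -d $my_ip --dport 22 -j ACCEPT
# log new TCP connection attempts no rule above accepted, i.e. what the DROP policy
# discards next. --syn is shorthand for --tcp-flags FIN,SYN,RST,ACK SYN; the limit keeps
# a port scan from flooding the log. Group 1 is assumed to match ulogd.conf.
-A INPUT -p tcp --syn -m limit --limit 5/min --limit-burst 10 -j NFLOG --nflog-group 1 --nflog-prefix INPUT-DROP
COMMIT
EOF
}

# Sanity check: the log rule must come after every ACCEPT rule. Placed before them (as
# in a script that logs first) it would record every new connection, accepted or not.
log_rule_after_accepts() {
    gen_ruleset "$@" | grep '^-A INPUT' | awk '
        /-j ACCEPT/ { if (seen_log) bad = 1 }
        /-j NFLOG/  { seen_log = 1 }
        END { exit bad + 0 }'
}

gen_ruleset
log_rule_after_accepts && echo "# ok: log rule is last"
```

Load it with iptables-restore rather than pasting the rules one by one; the file replaces the filter table in a single step, so there is no window in which the DROP policy is active without the ACCEPT rules.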

Anyway, that is all for this article.

As you can see, working with iptables is not that complex at all; once you build a script in which you write your rules, it is very simple to modify it later, adding or removing rules from your firewall.

I do not consider myself an expert on the subject, far from it, but if you have any questions, comment here and I will try to help you as much as I can.

Regards



  1.   risketo said

    Very good, very well explained, great.
    I love this type of post.

    1.    KZKG ^ Gaara said

      Thank you very much for commenting 🙂

      This post was a debt that I had for a long time, it is pleasant and pleasant in the end to be able to pay it off ^ _ ^

      regards

      1.    FIXOCONN said

        A question: are you in Cuba?
        "… It happens that a few days ago using a Linksys AP (Access Point) I put a Wifi at my girlfriend's house"

        1.    KZKG ^ Gaara said

          Yes of course, I was born and live in Cuba. why the question?

        2.    Sam burgos said

          @FIXOCONN: Hello friend and forgive the offtopic of the question, but how do you define Cinnamon to appear as a desktop environment in the user-agent? I use Mint 13 with Cinnamon, but in no way do I get the Cinnamon logo to appear in my user-agent every time I comment on this site

          Would you be so kind as to pass me your user agent details if it's not too much trouble? I would like to know that data to place it myself =)

          I leave you a page so you can review it and give me the information. Thanks and admins, forgive the "trolling" (if you can call it that) on my part with this information -> http://user-agent-string.info/

          1.    KZKG ^ Gaara said

            Add "Cinnamon" (without the quotes) to any part of the UserAgent, then the logo should appear in future comments 🙂

  2.   Bruno cascio said

    Very Good the post! very clear 😀

    1.    KZKG ^ Gaara said

      Thanks for reading and thanks for your comment 🙂

  3.   vale said

    Thank you! It really helps me!

  4.   Oscar Grenada said

    Hello, first of all many congratulations for the blog, I think it's great.
    Something that might be good to mention is that the option to log with ULOG does not work in operating systems that have ulogd2, for this case the rule should be:
    sudo iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j NFLOG

    1.    KZKG ^ Gaara said

      First of all, thank you very much for what you say about the blog 🙂

      I have ulogd v2.0.2-2 installed in Arch, and the line I put works without problems (I had to put loglevel=1 in /etc/ulogd.conf), but it takes the logs to another file without problems.

      Are you using ulogd v2 or higher, does the line I left work wrong?

      Regards and thanks for commenting.

  5.   City said

    I was always waiting for the second part, I remember when I read the first (it was my initiation in the firewalls). Thanks @ KZKG ^ Gaara, regards 🙂

    1.    KZKG ^ Gaara said

      Thanks for reading me 😀
      And hehe yes, what I said ... this post was a debt that I had a long time ago ^ _ ^

  6.   Jose Luis Gonzalez placeholder image said

    Regards. Very Good the post. I am trying to configure iptables rules to redirect traffic from squid to dansguardian and it still does not achieve the goal. I would appreciate some help in this regard.

    1.    KZKG ^ Gaara said

      iptables for that? Isn't that done directly with ACLs in Squid?

  7.   nameless said

    "I have many other rules like .."
    This is what I call paranoia, boy
    A little more and you put a pack of Rotwailer's in each open port on your modem / router 🙂

    1.    KZKG ^ Gaara said

      HAHAHAHAHAHAHAHAHA I'm dying of laughter with the rottwailers hahahaha

  8.   Ivan said

    Greetings friend, it happens that I need help to configure IPTables in such a way that it denies access only for port 80 when I type the address in the browser of my custom nameservers, that is when for example I type ns1.mydomain.com and ns2.mydomain. com (which are my nameservers) IPtables deny access to port 80 so that the browser tries to load the page but after a while it expires and never loads, it happens that I have already tried with commands like this:

    iptables -A INPUT -d ns1.midomini.com -p tcp --dport 80 -j DROP
    iptables -A INPUT -d ns2.midomini.com -p tcp --dport 80 -j DROP

    But the only thing it does is deny entry to port 80 in all my domains (since they are sharing the same IP as Virtual Host), I want it to only be in the url of my nameservers and the IP to which my nameservers point , that is, IP tables deny access to port 80 in:

    ns1.midomini.com (Pointing A) -> 102.887.23.33
    ns2.midomini.com (Pointing A) -> 102.887.23.34

    and the IPs that the nameservers point to

    102.887.23.33
    102.887.23.34

    An example of a company that has this system is: Dreamhost
    Their nameservers: ns1.dreamhost.com and ns2.dreamhost.com and the IPs they point to do not respond when typed in the address bar of the browser

    Thank you very much in advance for your attention, I would very much like you to give me a hand with this, I really need it and urgently !!

    Good day !!

    1.    KZKG ^ Gaara said

      Hello Ivan,

      Contact me by email (kzkggaara[at]desdelinux[dot]net) to talk about it more calmly and explain it better, tomorrow without fail I will answer you (today I'm passing by)

      What you want to do is simple, I don't know why the lines you tell me don't work for you, they should, but you have to check logs and other things that would be too long around here.

      Greetings and I wait for your email

  9.   neysonv said

    theoretically with iptables I could avoid being sent disconnection requests from programs like aircrack. I am right??? Well I'll do tests but if you tell me that you would make me very happy XDDD

    1.    KZKG ^ Gaara said

      In theory I think so, now, I don't know how it could be done, I've never done it ... but I repeat, in theory, I think it could.

  10.   Alex said

    After applying the iptables rules, it is impossible for me to access shared windows folders on the local network. What rule should I apply to fix it?
    Thank you.

    1.    KZKG ^ Gaara said

      What iptables rules did you apply?
      This is the 2nd part of "iptables for newbies", did you read the first one? I ask this to know if you applied the rules that were in the previous post

      1.    Alex said

        Yes, I have read both parts. For the script I base myself on another post you posted about starting rules with systemd.

        #!/bin/bash
        # -*- UTF-8 -*-

        # Iptables binary
        iptables="/usr/bin/iptables"

        echo ""

        ## Clean tables ##
        $iptables -F
        $iptables -X
        $iptables -Z
        #echo "- FLUSH done on iptables" && echo ""

        ## Establishing logs with ULOGD ##
        $iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ULOG

        ## Define default DROP policy ##
        $iptables -P INPUT DROP
        $iptables -P FORWARD DROP
        #echo "- Default DROP policy defined" && echo ""

        ## Allow everything to localhost ##
        $iptables -A INPUT -i lo -j ACCEPT
        $iptables -A OUTPUT -o lo -j ACCEPT
        #echo "- Everything allowed for localhost" && echo ""

        ## Allow incoming packets of connections that I initiate ##
        $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        #echo "- Allowed packets of connections initiated by me" && echo ""

        echo "##############################"
        echo "## IPTABLES CONFIGURED OK! ##"
        echo "##############################"

        I have read on the internet that for samba you should have the following rules in the script:

        $iptables -A INPUT -p tcp --dport 139 -j ACCEPT
        $iptables -A INPUT -p tcp --dport 445 -j ACCEPT
        $iptables -A INPUT -p udp --sport 137 -j ACCEPT
        $iptables -A INPUT -p udp --dport 137 -j ACCEPT
        $iptables -A INPUT -p udp --dport 138 -j ACCEPT

        However, not even with them I can see windows workgroups. : S

      2.    Alex said

        Problem solved. Modify the workgroup and hosts allow parameters in the samba configuration file.

  11.   otkmanz said

    Excellent article, just great !!!!
    I just read it and I love both the way you explain it and the really useful use of iptables, I would really like to learn how to use it in more depth.
    Greetings and excellent article, I hope you publish more about Iptables! ^^

  12.   LEO said

    Dear;

    I have a proxy with iptables and one of my networks cannot ping http://www.google.cl for this reason I have the ports blocked and trying a thousand ways to open the ports and nothing happens. If I can't ping I can't connect outlook

  13.   Borja said

    Congratulations on the post! Very good. But I have a question. Sometimes the IP address that is assigned to you on the network can change (if it is true that we could assign an IP to our MAC Addres), but is there a possibility with Iptables to allow access to our server via SSH by MAC Address?

    I hope I have explained myself well.

    Regards, and thank you very much!

  14.   Fernando MartinGan said

    Hello, you know that I had a linux server configured and after putting these commands I blocked everything and lost access, I could recover almost everything but I am missing 2 things. * I can no longer access from a web browser through the cname «server», only by ip, 10.10.10.5, and on the other hand I do not see the shared resources from the windows explorer on the network; before I put \\server and saw all shared resources. I hope you can help me, I know it's silly but I'm not being able to solve it, thanks

  15.   tau said

    I quote verbatim: "Icmp protocol, icmp = ping. That is, I am not allowing SSH or anything similar, I only allow ping (icmp)"

    ICMP and PING are not the same. Pinging is a part of the ICMP protocol, but it is not everything. The ICMP (Internet Control Message Protocol) protocol has many more uses, some of them with certain dangers. And you are accepting all ICMP traffic. You would have to restrict only to ping.

    Greetings!

  16.   ozkr said

    I have to do an internship but I don't understand much about iptables, could you please help me….
    thanks!!!!!!!