Tags » Iptables

Test driving App Firewall with IPTables

With more and more applications moving to the cloud, web-based applications have become ubiquitous. They are ideal for providing access to applications hosted in the cloud (over HTTP through a standard web browser).

Linux

IPTables: Matching A GRE packet based on tunnel key

I was trying to figure out a way to match packets with a certain GRE key and take some action. IPTables does not provide a direct solution to this problem but has the u32 extension module that can be used to extract 4 bytes of the IP header and match against a pattern.

Linux

Infrastructure from scratch. Part 7. Security

The word we say almost everywhere and about everything. The question we have to double-check when implementing a new feature. It is the kind of work that lets you sleep calmly.

Linux

Linux iptables example

Introduction

The following shows a typical example of a Linux iptables firewall configuration.

iptables script


#============================================================================
# Tool paths and network interface. The excerpt does not show where these
# are defined; the values below are assumptions added so the script runs.
#============================================================================
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/usr/bin/awk
HEAD=/usr/bin/head
NIC=eth0            # external interface (assumed)

#============================================================================
function load_one_module()
{
	# Load a kernel module only if lsmod does not already list it.
	# The awk program must be single-quoted as a whole: '{print $1}'.
	result=`$LSMOD | $GREP "$1" | $AWK '{print $1}' | $HEAD -1`
	if [ -z "$result" ]; then
		$MODPROBE "$1"
	fi
}

#============================================================================

function load_modules()
{
	# ip_conntrack is the legacy module name; newer kernels call it nf_conntrack.
	MODULES="ip_tables iptable_filter ip_conntrack"

	for mod in $MODULES; do
		load_one_module "$mod"
	done
}

#============================================================================
function load_rules()
{
	#------------------------------
	# Load kernel modules
	#------------------------------
	load_modules

	#------------------------------
	# Flush all existing rules (filter table only)
	#------------------------------
	$IPTABLES -F INPUT
	$IPTABLES -F OUTPUT
	$IPTABLES -F FORWARD

	#------------------------------
	# Set up default behaviour to DROP
	#------------------------------
	$IPTABLES -P INPUT DROP
	$IPTABLES -P OUTPUT DROP
	$IPTABLES -P FORWARD DROP

	#------------------------------
	# Local loopback
	# Allow only self-referencing traffic
	#------------------------------
	$IPTABLES -A INPUT  -i lo -j ACCEPT
	$IPTABLES -A OUTPUT -o lo -j ACCEPT

	#---------------------------------
	# Allow existing connections
	# (replies to outbound traffic are admitted by conntrack here)
	#---------------------------------
	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	#---------------------------------
	# Allow all tcp out
	#---------------------------------
	$IPTABLES -A OUTPUT -o $NIC -p tcp -j ACCEPT

	#---------------------------------
	# ICMP
	#---------------------------------
	$IPTABLES -A INPUT  -p icmp -j ACCEPT
	$IPTABLES -A OUTPUT -p icmp -j ACCEPT

	#----------------------------------
	# Allow DNS (tcp 53, udp 53)
	# Note: the "--sport" (client) rules below accept any inbound packet
	# whose source port is 53, not just replies; with the
	# ESTABLISHED,RELATED rule above, replies are already covered.
	#----------------------------------
	$IPTABLES -A INPUT  -i $NIC -p tcp --sport 53 -j ACCEPT # client
	$IPTABLES -A INPUT  -i $NIC -p tcp --dport 53 -j ACCEPT # server

	$IPTABLES -A INPUT  -i $NIC -p udp --sport 53 -j ACCEPT # client
	$IPTABLES -A INPUT  -i $NIC -p udp --dport 53 -j ACCEPT # server

	$IPTABLES -A OUTPUT -o $NIC -p udp --dport 53 -j ACCEPT # client
	$IPTABLES -A OUTPUT -o $NIC -p udp --sport 53 -j ACCEPT # server

	$IPTABLES -A OUTPUT -o $NIC -p tcp --dport 53 -j ACCEPT # client
	$IPTABLES -A OUTPUT -o $NIC -p tcp --sport 53 -j ACCEPT # server

	#----------------------------------
	# Allow ssh (tcp 22)
	#----------------------------------
	$IPTABLES -A INPUT  -i $NIC -p tcp --dport 22 -j ACCEPT # server
	$IPTABLES -A INPUT  -i $NIC -p tcp --sport 22 -j ACCEPT # client

	#----------------------------------
	# Allow http (tcp 80) in; outbound tcp is already allowed above
	#----------------------------------
	$IPTABLES -A INPUT -i $NIC -p tcp --dport 80 -j ACCEPT  # server
	$IPTABLES -A INPUT -i $NIC -p tcp --sport 80 -j ACCEPT  # client

	#----------------------------------
	# Allow https (tcp 443) in; outbound tcp is already allowed above
	#----------------------------------
	$IPTABLES -A INPUT -i $NIC -p tcp --dport 443 -j ACCEPT  # server
	$IPTABLES -A INPUT -i $NIC -p tcp --sport 443 -j ACCEPT  # client

	#----------------------------------
	# Allow mysql (tcp 3306) in; outbound tcp is already allowed above
	#----------------------------------
	$IPTABLES -A INPUT -i $NIC -p tcp --dport 3306 -j ACCEPT  # server
	$IPTABLES -A INPUT -i $NIC -p tcp --sport 3306 -j ACCEPT  # client
}

#============================================================================
function clear_rules()
{
	#------------------------------
	# Flush all existing rules
	#------------------------------
	$IPTABLES -F INPUT
	$IPTABLES -F OUTPUT
	$IPTABLES -F FORWARD

	#------------------------------
	# Default behaviour: ACCEPT (firewall effectively off)
	#------------------------------
	$IPTABLES -P INPUT ACCEPT
	$IPTABLES -P OUTPUT ACCEPT
	$IPTABLES -P FORWARD ACCEPT
}
…
Linux

iptables and TFTP HOWTO

Reminder to self on iptables and TFTP HOWTO.

TL;DR

iptables on a TFTP server:

iptables -I INPUT -j ACCEPT -p udp -m udp --dport 69…

Linux

Enabling Nutanix 2009 page access with allssh command

On top of the HTML5-based Prism GUI, a Nutanix cluster has nifty web pages that give additional information on what is going on in your cluster. Under normal conditions there is usually no need to access these pages, but they can be handy in troubleshooting or in performance testing.

Nutanix