{"id":1313,"date":"2009-10-16T14:12:44","date_gmt":"2009-10-16T19:12:44","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=1313"},"modified":"2009-10-16T14:12:44","modified_gmt":"2009-10-16T19:12:44","slug":"linux-netfilter","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=1313","title":{"rendered":"Linux Netfilter"},"content":{"rendered":"<span id=\"Netfilter\"><h2>Netfilter<\/h2><\/span>\n<span id=\"Rules\"><h3>Rules<\/h3><\/span>\n<p>* INPUT<br \/>\n* FORWARD<br \/>\n* OUTPUT<\/p>\n<span id=\"ipchains\"><h3>ipchains<\/h3><\/span>\n<p>* For Linux 2.2 kernels<br \/>\n* Packets destined for locally running daemons: input.<br \/>\n* Packets from remote and destined for other hosts (routed through this machine): input, forward, output.<br \/>\n* Packets from locally running daemons: output.<\/p>\n<span id=\"iptables\"><h3>iptables<\/h3><\/span>\n<p>* For Linux 2.4 or later kernels.<br \/>\n* \/sbin, \/etc\/init.d, \/etc\/sysconfig.<br \/>\n* Packets destined for locally running daemons: input.<br \/>\n* Packets from remote and destined for other hosts (routed through this machine): forward.<br \/>\n* Packets from locally running daemons: output.<\/p>\n<pre>\r\n# clear all rules\r\niptables -F\r\n\r\n# Default all inputs to drop\r\niptables -P INPUT DROP\r\n\r\n# Allow FTP\r\niptables \\\r\n  -A INPUT \\  # add new rule to input filter\r\n  -i eth0 \\  # applies only to eth0\r\n  -p tcp \\ # applies to tcp protocol\r\n  -s any\/0 \\ # applies to all sources\r\n  --sport 1024:65535 \\ # applies to all sources and source port from 1024 to 65535\r\n  -d MY.NET.IP.ADDR \\ # destined for IP\r\n  --dport 21 \\ # destine for port 21\r\n  -j ACCEPT \\ # if packet matches, allow it otherwise use default rule\r\n\r\n# same for FTP port 20\r\niptables -A INPUT -i eth0 -p tcp -s any\/0 --sport 1024:65535 -d MY.NET.IP.ADDR\r\n  --dport 20 -j ACCEPT\r\n\r\n# Allow passive FTP\r\niptables -A INPUT -i eth0 -p tcp -s any\/0 --sport 1024:65535 -d MY.NET.IP.ADDR\r\n  --dport 1024:65535 -j 
ACCEPT\r\n\r\n# Allow DNS\r\niptables -A INPUT -i eth0 -p udp -s any\/0 --sport 1024:65535 -d MY.NET.IP.ADDR\r\n  --dport 53 -j ACCEPT\r\niptables -A INPUT -i eth0 -p tcp -s any\/0 --sport 1024:65535 -d MY.NET.IP.ADDR\r\n  --dport 53 -j ACCEPT\r\n\r\n# Allow Telnet\r\niptables -A INPUT -i eth0 -p tcp -s 209.100.100.10 --sport 1024:65535\r\n  -d MY.NETWORK.IP.ADDR --dport 23 -j ACCEPT\r\n\r\n# Allow SSH\r\niptables -A INPUT -i eth0 -p tcp -s 209.200.200.10 --sport 1024:65535\r\n  -d MY.NETWORK.IP.ADDR --dport 22 -j ACCEPT\r\n\r\n# Allow Email\r\niptables -A INPUT -i eth0 -p tcp ! --syn -s EMAIL.NET.IP.ADDR --sport 25\r\n  -d MY.NETWORK.IP.ADDR --dport 1024:65535 -j ACCEPT\r\n\r\n# Allow HTTP\r\niptables -A INPUT -i eth0 -p tcp -d MY.NETWORK.IP.ADDR --dport 80 -j ACCEPT\r\n\r\n# Allow HTTPS\r\niptables -A INPUT -i eth0 -p tcp -d MY.NETWORK.IP.ADDR --dport 443 -j ACCEPT\r\n\r\n# Allow ICMP\r\niptables -A INPUT -i eth0 -p icmp -d MY.NETWORK.IP.ADDR -j ACCEPT\r\n\r\n# List all rules\r\niptables -L -n\r\n\r\n# Save rules\r\n\/etc\/init.d\/iptables save\r\n\r\n# Start iptables\r\nservice iptables start\r\nservice iptables stop\r\n<\/pre>\n<span id=\"Routing_Tables\"><h3>Routing Tables<\/h3><\/span>\n<p>* Configuration is memory only. 
Need to use script to be permanent.<\/p>\n<pre>\r\n# Added by system when install a NIC to route all packets to eth0\r\n\/sbin\/route add --net 209.100.100.0 netmask 255.255.0.0 dev eth0\r\n\r\n# Forward packets (acting as router)\r\n\/bin\/echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n\r\n# Force all packets destined to 192.168.150.33 to gateway whose ip is 172.24.150.1\r\n\/sbin\/route add -host 192.168.150.33 gw 172.24.150.1\r\n\r\n# Force all packets destined to 192.168.150 network to gate way whose ip is 172.24.150.1\r\n\/sbin\/route add --net 192.168.150.0 netmask 255.255.255.0 gw 172.24.150.1\r\n\r\n# Unmatched packets will be sent to gateway\r\n\/sbin\/route add --default gw 172.24.150.1\r\n\r\n# List routing rules\r\nnetstat -rn\r\nroute -n\r\nip route list\r\n<\/pre>\n<span id=\"Sample_Routing_Script\"><h3>Sample Routing Script<\/h3><\/span>\n<pre lang=\"bash\">\r\n#!\/bin\/bash\r\n#\r\n# Packet Handling Service\r\n#\r\n# chkconfig 2345 55 45\r\n# description: Starts or stops iptables rules and routing\r\n\r\ncase \"$1\" in\r\nstart)\r\n    # Flush (or erase) the current iptables rules\r\n    \/sbin\/iptables -F\r\n    \/sbin\/iptables --table nat -flush\r\n    \/sbin\/iptables --table nat --delete-chain\r\n\r\n    # Enable the loopback device for all types of packets\r\n    # (Normally for packets created by local daemons for delivery\r\n    # to local daemons)\r\n    \/sbin\/iptables -A INPUT -i lo -p all -j ACCEPT\r\n    \/sbin\/iptables -A OUTPUT -o lo -p all -j ACCEPT\r\n    \/sbin\/iptables -A FORWARD -o lo -p all -j ACCEPT\r\n\r\n    # Set the default policies\r\n    \/sbin\/iptables -P INPUT DROP\r\n    \/sbin\/iptables -P FORWARD DROP\r\n    \/sbin\/iptables -P OUTPUT ACCEPT\r\n\r\n    # NAT\r\n    \/sbin\/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\r\n\r\n    # Allow inbound packets from our private network\r\n    \/sbin\/iptables -A INPUT -i eth1 -j ACCEPT\r\n    \/sbin\/iptables -A FORWARD -i eth1 -j ACCEPT\r\n\r\n    # Allow packets 
back in from conversations we initiated\r\n    # from the private network.\r\n    \/sbin\/iptables -A FORWARD -i eth0 --match state --state ESTABLISHED,RELATED -j ACCEPT\r\n    \/sbin\/iptables -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT\r\n\r\n    # Allow Sendmail and POP (from anywhere, but really what we\r\n    # are allowing here is inbound connections on the eth0 interface).\r\n    # (Sendmail and POP are running locally on this machine).\r\n    \/sbin\/iptables -A INPUT --protocol tcp --destination-port 25 -j ACCEPT\r\n    \/sbin\/iptables -A INPUT --protocol tcp --destination-port 110 -j ACCEPT\r\n\r\n    # Routing Rules --\r\n    # Route packets destined for the 192.168.150.0 network using the internal\r\n    # gateway machine 172.24.150.1\r\n    \/sbin\/route add -net 192.168.150.0 netmask 255.255.255.0 gw 172.24.150.1\r\n\r\n    # By default, if we don't know where a packet should be sent we\r\n    # assume it should be sent to the Internet router.\r\n    \/sbin\/route add default gw 209.100.100.1\r\n\r\n    # Now that everything is in place we allow packet forwarding.\r\n    echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n\r\n  ;;\r\nstop)\r\n    # Flush (or erase) the current iptables rules\r\n    \/sbin\/iptables -F\r\n\r\n    # Set the default policies back to ACCEPT\r\n    # (This is not a secure configuration.)\r\n    \/sbin\/iptables -P INPUT ACCEPT\r\n    \/sbin\/iptables -P FORWARD ACCEPT\r\n    \/sbin\/iptables -P OUTPUT ACCEPT\r\n\r\n    # Remove our routing rules.\r\n    \/sbin\/route del -net 192.168.150.0 netmask 255.255.255.0 gw 172.24.150.1\r\n    \/sbin\/route del default gw 209.100.100.1\r\n\r\n    # Disable packet forwarding\r\n    echo 0 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n;;\r\nstatus)\r\n    enabled=`\/bin\/cat \/proc\/sys\/net\/ipv4\/ip_forward`\r\n    if [ \"$enabled\" -eq 1 ]; then\r\n        echo \"Running\"\r\n    else\r\n        echo \"Down\"\r\n    fi\r\n;;\r\n*)\r\n        echo \"Requires start, stop or 
status\"\r\n;;\r\nesac\r\n<\/pre>\n<span id=\"References\"><h2>References<\/h2><\/span>\n<p>The Linux Enterprise Cluster by Karl Kopper <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Netfilter Rules * INPUT * FORWARD * OUTPUT ipchains * For Linux 2.2 kernels * Packets destined for locally running daemons: input. * Packets from remote and destined for locally running daemons: input, forward, output. * Packets from locally running &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=1313\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[61],"tags":[],"class_list":["post-1313","post","type-post","status-publish","format-standard","hentry","category-linux"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-lb","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[
{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1313"}],"version-history":[{"count":1,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1313\/revisions"}],"predecessor-version":[{"id":1314,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/1313\/revisions\/1314"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}