Difference between revisions of "Firewall core (main) protocols"

(DNS)
Line 120: Line 120:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
IPTABLES=`which iptables`
 
IPTABLES=`which iptables`
 +
IP6TABLES=`which ip6tables`
  
 +
#### Requirement
 +
# Keep ESTABLISHED, RELATED connections
 +
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
# FTP client - base rules
+
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
+
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  
  
# Active FTP
+
#### FTP client
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
# FTP data transfer
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
+
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
 
+
$IP6TABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
# Passive FTP
+
# FTP control (command)
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
+
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT  
+
$IP6TABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
 
</syntaxhighlight>
 
</syntaxhighlight>
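Review bot: The new data-channel rules (`$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT` and its ip6tables twin) do not describe how a client receives FTP data: in active mode the server opens the data connection from its port 20 towards the client, and in passive mode both ends use unprivileged ports, so a client never initiates a connection to port 20. With the old `INPUT --sport 20` and high-port rules removed, the data connection is now accepted only through the ESTABLISHED,RELATED rules added at the top of the hunk, and conntrack marks it RELATED only when the FTP helper (nf_conntrack_ftp) is loaded; otherwise passive transfers fall through to whatever the chain policy is. That dependency should be stated next to the rules, e.g. `# FTP data channel is accepted as RELATED; this requires the nf_conntrack_ftp helper to be loaded`. The `--dport 20` rules can stay, but the comment `# FTP data transfer` above them overstates what they do.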

Revision as of 22:14, 2 April 2015


Allow services and network protocols

DHCP

DHCP client:

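IPTABLES=$(command -v iptables)
# Abort if iptables is not on PATH: with an empty $IPTABLES each rule line
# below would degrade to "-A: command not found" and no rule would be loaded.
: "${IPTABLES:?iptables not found in PATH}"

# DHCP client (UDP 67 = server port, 68 = client port).
# Broadcast request from client port 68 to server port 67 ...
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# ... and the answer on 67 -> 68 when it carries the broadcast source address.
# NOTE(review): DHCP servers normally answer from their own unicast address,
# so this INPUT rule may never match a real OFFER/ACK -- confirm with a capture.
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
# Outbound unicast to a DHCP server (67) and to the DHCP client port (68).
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT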


DNS

This will allow your computer to perform DNS requests:

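IPTABLES=$(command -v iptables)
IP6TABLES=$(command -v ip6tables)
# Abort if either tool is missing: with an empty variable each rule line would
# degrade to "-A: command not found" and the rule set would be silently partial.
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

# DNS (udp) - client: queries go out to port 53, answers come back from port 53.
# The reply rules are restricted to ESTABLISHED so that an unsolicited packet
# merely carrying source port 53 is not let in on its own (the original
# unconditional --sport 53 rule accepted any such packet).
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
$IP6TABLES -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# DNS (udp) - server side: accept queries to local port 53 and answers from it.
# Only needed when this host itself serves DNS; remove these lines for a pure
# client.
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 53 -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IP6TABLES -A OUTPUT -p udp --sport 53 -j ACCEPT

# DNS over TCP (labelled "DNS sec" in the original): used for answers too large
# for UDP. Outbound queries to port 53, plus the reply direction, which the
# original omitted, again limited to ESTABLISHED.
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IP6TABLES -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Server-side TCP answers leaving from local port 53 (kept from the original;
# remove for a pure client).
$IPTABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --sport 53 -j ACCEPT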

LAN communication

To allow communication in the local network, without any restrictions:

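IPTABLES=$(command -v iptables)
# ip6tables was used below but never defined in this snippet; define it here so
# the snippet stands on its own.
IP6TABLES=$(command -v ip6tables)
IP_LAN_V4="172.16.50.0/24"
# NOTE(review): this is a single host address, not a prefix; a LAN is normally
# given with a prefix length (e.g. .../64) -- confirm the intended range.
IP_LAN_V6="2001:DB8:1::1"

# Allow LAN communication. Each block is skipped when its variable is unset or
# empty, so a host without IPv6 can simply leave IP_LAN_V6 blank.
if [ -n "$IP_LAN_V4" ]; then
  # Abort rather than run "-A" as a command when iptables is not on PATH.
  : "${IPTABLES:?iptables not found in PATH}"
  printf '%s\n' " ... Allow LAN communication - IP v4"
  $IPTABLES -A INPUT -s "$IP_LAN_V4" -d "$IP_LAN_V4" -j ACCEPT
  $IPTABLES -A OUTPUT -s "$IP_LAN_V4" -d "$IP_LAN_V4" -j ACCEPT
  # Allow forwarding of traffic that originates in the LAN. Only the source is
  # matched, so this forwards LAN traffic to *any* destination; add
  # -d "$IP_LAN_V4" to restrict it to LAN-to-LAN forwarding.
  $IPTABLES -A FORWARD -s "$IP_LAN_V4" -j ACCEPT
fi

if [ -n "$IP_LAN_V6" ]; then
  : "${IP6TABLES:?ip6tables not found in PATH}"
  printf '%s\n' " ... Allow LAN communication - IP v6"
  $IP6TABLES -A INPUT -s "$IP_LAN_V6" -d "$IP_LAN_V6" -j ACCEPT
  $IP6TABLES -A OUTPUT -s "$IP_LAN_V6" -d "$IP_LAN_V6" -j ACCEPT
  # Same remark as for IPv4: source-only match, forwards to any destination.
  $IP6TABLES -A FORWARD -s "$IP_LAN_V6" -j ACCEPT
fi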

Note: thanks to the ! -z test, if the variable is not set or is "" then the rules are skipped.


NTP (time synchronization) client

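IPTABLES=$(command -v iptables)
# ip6tables was used below but never defined in this snippet.
IP6TABLES=$(command -v ip6tables)
# Abort if either tool is missing: with an empty variable each rule line would
# degrade to "-A: command not found".
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

# NTP client: queries leave for UDP 123 and the answers come back from UDP 123.
# The reply rules require an ESTABLISHED conntrack entry so that an unsolicited
# packet merely carrying source port 123 is not accepted by itself (the original
# unconditional --sport 123 rule accepted any such packet).
printf '%s\n' " ... Allow NTP time sync"
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

$IP6TABLES -A OUTPUT -p udp --dport 123 -j ACCEPT
$IP6TABLES -A INPUT -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT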


Samba file-share

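IPTABLES=$(command -v iptables)
# Abort if iptables is not on PATH: with an empty $IPTABLES each rule line
# below would degrade to "-A: command not found" and the share would be
# unreachable with no visible error.
: "${IPTABLES:?iptables not found in PATH}"

# SAMBA share - accept the file-sharing ports on INPUT.
# These rules match any source address; share-level access filtering is done in
# /etc/samba/smb.conf. For defence in depth, consider adding -s <LAN prefix> to
# each rule so the service is only reachable from the local network.
$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT                 # NetBIOS Name Service
$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT                 # NetBIOS Datagram Service
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT                 # NetBIOS Session Service + Samba
$IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT                 # CIFS - file sharing, Win2K and later
$IPTABLES -A INPUT -p tcp --dport 548 -j ACCEPT                 # AFP (Apple Filing Protocol)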


FTP client

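IPTABLES=$(command -v iptables)
IP6TABLES=$(command -v ip6tables)
# Abort if either tool is missing: with an empty variable each rule line would
# degrade to "-A: command not found" and the rule set would be silently partial.
: "${IPTABLES:?iptables not found in PATH}"
: "${IP6TABLES:?ip6tables not found in PATH}"

#### Requirement
# Keep ESTABLISHED, RELATED connections: replies to connections this host
# opened, and connections a conntrack helper marks as related to one of them.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#### FTP client
# FTP data channel.
# NOTE(review): a client never *opens* a connection to port 20 -- in active
# mode the server connects from its port 20 to the client, in passive mode both
# sides use unprivileged ports -- so the two rules below rarely match anything.
# The data connection is instead accepted by the RELATED rules above, which
# requires the FTP conntrack helper (nf_conntrack_ftp) to be loaded; verify
# that it is, or passive transfers fall through to the chain policy.
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
# FTP control (command) channel: the client opens TCP to server port 21.
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
$IP6TABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT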