iptables - Knowledge Base Archives - Hivelocity Hosting
https://www.hivelocity.net/kb/tag/iptables/
Dedicated Servers, Private Cloud & Colocation
Feed last updated: Mon, 18 Dec 2023 21:29:00 +0000

Common Firewall Commands: Iptables, CSF, UFW, & Firewalld
https://www.hivelocity.net/kb/common-firewall-commands-iptables-csf-ufw-firewalld/
Mon, 28 Nov 2022 16:37:19 +0000
When running a Linux OS, there are a variety of firewalls that can be deployed on your system, each with its own set of commands. As a result, managing and maintaining your system's firewall can be difficult without a convenient reference. The goal of this article is to provide you with a basic reference list of common commands for handling your Linux firewall.

To keep things succinct, the commands will be provided within a table format below following a brief precursor explanation on the various firewalls we’ll be covering here.

Common Firewalls Used in Linux

The following section covers basic background information regarding what firewall types are available within your Linux OS.

iptables

The Linux kernel's packet filter (netfilter) keeps its IP filtering rules in tables. iptables is the user-space tool used to set up, maintain, and inspect these tables. Each table contains built-in chains (for the filter table: INPUT, OUTPUT and FORWARD), and a chain is an ordered list of rules; each rule matches a set of packets and names a target that says what to do with a matching packet. Rules are evaluated from the top of the chain down, and the first matching terminating rule (ACCEPT, DROP or REJECT) decides the packet's fate, so the position of a rule within a chain matters as much as its content. On current distributions the iptables command is often a compatibility front end (iptables-nft) over nftables, but the commands below are unchanged.

ConfigServer Security & Firewall (CSF)

ConfigServer Security & Firewall or CSF, is a tool that manipulates iptables chains while also providing additional functionality that iptables does not offer. CSF filtering is done on IP addresses, services, and ports.

CSF uses the Login Failure Daemon (lfd) which provides a tool that scans the latest log file entries for login attempts against your server. This is useful for detecting brute-force attacks, allowing lfd to automatically detect the pattern and block the offending IP.

Uncomplicated Firewall (UFW)

Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu. It was developed to ease iptables firewall configuration by providing a friendly way to create an IPv4 or IPv6 host-based firewall.

Firewalld

Firewalld is a service daemon with a D-Bus interface that provides easy management of network/firewall zones, assigning different levels of trust to a network and its associated connections. It keeps a runtime configuration and a permanent one: a change made with --permanent is written to disk but only takes effect after firewall-cmd --reload, while a change made without --permanent takes effect immediately and is lost at the next reload or restart. Firewalld also offers a direct interface for passing raw iptables-style rules when the zone model is not enough.

Table of Commands for Firewall Management

The following is a list of common commands for the four firewall types discussed above, grouped by action. Placeholders: #### is a port number, x.x.x.x an IP address, and # a rule number.

Action: Check firewall status
  iptables:  N/A (not required when CSF is installed: CSF will not run if iptables is not working)
  CSF:       service csf status  or  systemctl status csf
  UFW:       service ufw status  or  systemctl status ufw
  Firewalld: service firewalld status  or  firewall-cmd --state

Action: Viewing/searching firewall rules
  iptables:  iptables -n -L -v --line-numbers
  CSF:       csf -g x.x.x.x   (searches the iptables rules, csf.allow and csf.deny for the IP)
  UFW:       sudo ufw status numbered   (lists the rules with the numbers used by sudo ufw delete #)
  Firewalld: firewall-cmd --list-all
             firewall-cmd --list-services
             firewall-cmd --list-ports

Action: Restart firewall
  iptables:  service iptables restart   (reloads the saved ruleset; occasionally a reboot helps if rules do not take effect)
  CSF:       service csf restart  or  csf -r   (csf -ra restarts both csf and the lfd daemon)
  UFW:       service ufw restart
  Firewalld: service firewalld restart   (firewall-cmd --reload applies the permanent configuration without losing connection state)

Action: Adding and blocking a port [replace #### with the port number]
  iptables:  Adding:   iptables -I INPUT 1 -p tcp --dport #### -j ACCEPT
             Blocking: iptables -I INPUT 1 -p tcp --dport #### -j DROP
             (-I INPUT 1 inserts the rule at the top of the chain, ahead of any catch-all DROP or REJECT further down; -A would append it after those and it would never match.)
  CSF:       Edit /etc/csf/csf.conf and add the port to TCP_IN (incoming) or TCP_OUT (outgoing), then run csf -r. The snippet below is taken from the file to show where the ports go; do not change anything in the file other than the numbers on these lines:

             # Allow incoming TCP ports
             TCP_IN = "20,443,465,21,22,587,993,25,53,80,110,143,995"

             # Allow outgoing TCP ports
             TCP_OUT = "20,21,443,587,22,25,80,110,43,53"

             (UDP_IN and UDP_OUT use the same format. A port not listed is blocked, so removing it from the list is how you block it.)
  UFW:       Adding:   sudo ufw allow ####       (####/tcp or ####/udp limits the rule to one protocol)
             Blocking: sudo ufw deny ####        (likewise ####/tcp or ####/udp)
  Firewalld: Adding:   firewall-cmd --permanent --add-port=####/tcp   (or ####/udp; the protocol suffix is required, written in lowercase with no space)
             Removing: firewall-cmd --permanent --remove-port=####/tcp
             Run firewall-cmd --reload afterwards. Note that --remove-port withdraws the allow rather than adding a block rule; traffic to the port then falls through to the zone's default behaviour (reject in the public zone).

Action: Adding and removing an allowed IP [replace x.x.x.x with the IP]
  iptables:  Adding:   iptables -A INPUT -s x.x.x.x -j ACCEPT
             Removing: iptables -D INPUT -s x.x.x.x -j ACCEPT
             (-D deletes the first rule that matches the given specification exactly.)
  CSF:       Adding:   csf -a x.x.x.x [optional comment]   (writes the entry to /etc/csf/csf.allow)
             Removing: csf -ar x.x.x.x                   (removes the entry from /etc/csf/csf.allow)
             (csf -tr x.x.x.x removes an IP from the temporary allow/deny list instead.)
  UFW:       Adding:   sudo ufw allow from x.x.x.x
             Removing: sudo ufw status numbered to find the rule number, then sudo ufw delete #
  Firewalld: Adding:   firewall-cmd --permanent --add-source=x.x.x.x
             Removing: firewall-cmd --permanent --remove-source=x.x.x.x
             (This binds the source to the default zone; add --zone=NAME to pick another zone, and reload afterwards.)

Action: Blocking an IP [replace x.x.x.x with the IP]
  iptables:  iptables -A INPUT -s x.x.x.x -j DROP
             (Use -I INPUT 1 instead of -A INPUT if an earlier ACCEPT rule would match the address first.)
  CSF:       csf -d x.x.x.x [optional comment]   (writes the entry to /etc/csf/csf.deny; csf -dr x.x.x.x removes it again)
  UFW:       sudo ufw deny from x.x.x.x
             (UFW also evaluates rules in order; sudo ufw insert 1 deny from x.x.x.x puts the block ahead of existing allow rules.)
  Firewalld: firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="x.x.x.x" reject'
             (then firewall-cmd --reload)

Action: Adding and removing a service
  iptables:  N/A (use the port rules above)
  CSF:       N/A (use TCP_IN/TCP_OUT above)
  UFW:       Allow:  sudo ufw allow <service>        (service names come from /etc/services, e.g. ssh)
             Block:  sudo ufw deny <service>
             Remove: sudo ufw delete allow <service>  (deny blocks the service; delete removes the rule)
  Firewalld: Allow:  firewall-cmd --permanent --add-service=ssh
             Remove: firewall-cmd --permanent --remove-service=mysql
             (firewall-cmd --get-services lists the known service definitions; reload afterwards)
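The CSF row above tells you to edit the TCP_IN/TCP_OUT lines of csf.conf by hand and to touch nothing else. The following is an added example, not Hivelocity's or ConfigServer's code, showing how to make that edit safely from a script: it validates each port (or CSF-style low:high range), leaves every other line byte-for-byte intact, and refuses a malformed entry rather than writing a file CSF will reject. The csf.conf excerpt is constructed for the example; only the two port-list lines are modelled on the real file.

```python
"""Edit the TCP_IN / TCP_OUT (or UDP_*) port lists in a csf.conf without touching
anything else. Added example; the sample config below is constructed."""
import re

# Constructed sample in the shape of /etc/csf/csf.conf (only the relevant lines).
SAMPLE_CSF_CONF = '''# Allow incoming TCP ports
TCP_IN = "20,443,465,21,22,587,993,25,53,80,110,143,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,443,587,22,25,80,110,43,53"
'''

_LINE_RE = re.compile(r'^(?P<key>TCP_IN|TCP_OUT|UDP_IN|UDP_OUT)\s*=\s*"(?P<ports>[^"]*)"\s*$')


def _valid_port_spec(spec):
    """Accept a single port 1-65535 or a CSF-style range low:high."""
    parts = spec.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)


def parse_ports(value):
    """Split the quoted CSF port list into entries, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]


def get_csf_ports(conf_text, key):
    """Return the port list for `key` (e.g. "TCP_IN") as a list of strings."""
    for line in conf_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("key") == key:
            return parse_ports(m.group("ports"))
    raise ValueError(f"{key} not found in csf.conf")


def set_csf_ports(conf_text, key, add=(), remove=()):
    """Return conf_text with `add` appended to and `remove` dropped from the `key` list.

    Existing order is kept, an added port that is already present is not added twice,
    and every other line is returned unchanged. Raises ValueError on a malformed port
    spec or a missing key, so a bad edit never reaches the file.
    """
    for spec in list(add) + list(remove):
        if not _valid_port_spec(spec):
            raise ValueError(f"invalid port spec: {spec!r}")
    out, found = [], False
    for line in conf_text.splitlines(keepends=True):
        m = _LINE_RE.match(line.rstrip("\r\n"))
        if not m or m.group("key") != key:
            out.append(line)  # untouched line, including comments and other keys
            continue
        found = True
        ports = parse_ports(m.group("ports"))
        for spec in add:
            if spec not in ports:
                ports.append(spec)
        ports = [p for p in ports if p not in set(remove)]
        out.append(f'{key} = "{",".join(ports)}"\n')
    if not found:
        raise ValueError(f"{key} not found in csf.conf")
    return "".join(out)


if __name__ == "__main__":
    updated = set_csf_ports(SAMPLE_CSF_CONF, "TCP_IN", add=["8443", "30000:35000"], remove=["465"])
    print(updated)
```

To use it on a real server, read /etc/csf/csf.conf, pass the text through set_csf_ports, write the result back and run csf -r; the ValueError path is what stops a typo such as a port above 65535 from being written.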

-written by Pascal Suissa

The post Common Firewall Commands: Iptables, CSF, UFW, & Firewalld appeared first on Hivelocity Hosting.

Default IPTables Configuration for HSphere
https://www.hivelocity.net/kb/default-iptables-configuaration-for-hsphere/
Sat, 13 Nov 2010 13:58:14 +0000
Below is a 'template' firewall for a single-server HSphere install.

Notes:
192.168.1.1 is the example base IP address of the server. You need to change this.
192.168.1.2 is *your* IP address. You *must* change this, otherwise you'll lock yourself out of the server.
This example would be saved to the file /etc/sysconfig/iptables and loaded with service iptables restart. The file is in iptables-save format; iptables-restore --test < /etc/sysconfig/iptables parses it without applying anything and is a cheap way to catch a syntax error before you lock yourself out.
You need to load the ip_conntrack_ftp module into the kernel when iptables is started, otherwise passive FTP data connections are not recognised as RELATED and are rejected. On the old init script you add the module name in /etc/rc.d/init.d/iptables:
Change;
IPTABLES_MODULES=""
To;
IPTABLES_MODULES="ip_conntrack_ftp"
On RHEL/CentOS 6 and later the setting lives in /etc/sysconfig/iptables-config and the module is named nf_conntrack_ftp.
Review the ports the template opens to the whole internet (3306 MySQL, 5432 PostgreSQL, 8080, 8443) and restrict the database ports to your management IPs with -s unless remote database access is really required.
################################################## #####
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
# Handle Passive FTP (remember to enable ip_conntrack_ftp module)
-A OUTPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# Server Base IP address
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management IPs (VERY IMPORTANT TO PUT YOUR IP HERE otherwise you'll be locked out)
-A INPUT -s 192.168.1.2 -j ACCEPT
# End Management IPs
# Run Block bad networks chain (BLOCK_NET is declared above but empty here; rules for
# networks you want to drop belong in that chain, and an empty chain simply returns)
-A INPUT -j BLOCK_NET
# Handle Passive FTP (remember to enable ip_conntrack_ftp module in the iptables init script)
-A INPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 136 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 593 -j DROP
-A INPUT -p tcp -m tcp --dport 777 -j DROP
-A INPUT -p tcp -m tcp --dport 778 -j DROP
-A INPUT -p tcp -m tcp --dport 837 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j DROP
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
-A INPUT -p tcp -m tcp --dport 1434 -j DROP
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
# Database ports: open to every source as written; add -s <management IP> unless remote access is required
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 --sport 137:138 -j DROP
# Logging to /var/log/messages (everything not accepted above is logged, then rejected)
-A INPUT -p tcp -m tcp -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j LOG --log-prefix "AUDIT UDP "
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
# (never reached: echo requests were already accepted above)
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG
# Each table must end with COMMIT or iptables-restore rejects the file
COMMIT
# mangle section
*mangle
:PREROUTING ACCEPT [1591876424:227299011220]
:INPUT ACCEPT [1591816598:227294667655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1765890237:977040975279]
:POSTROUTING ACCEPT [1765890154:977040909847]
COMMIT
# NAT section
*nat
:PREROUTING ACCEPT [10032111:558215684]
:POSTROUTING ACCEPT [5152283:290989829]
:OUTPUT ACCEPT [3923347:241838349]
COMMIT
################################################## #####

The post Default IPTables Configuration for HSphere appeared first on Hivelocity Hosting.

Identify and fix SYN attack
https://www.hivelocity.net/kb/how-to-identify-and-fix-syn-attack/
Sat, 13 Nov 2010 06:50:52 +0000
Identifying a SYN attack
====================

Symptoms: system load becomes very inconsistent and the server stops accepting new connections although the network itself is up.
netstat -an | grep SYN                    (a long list of SYN_RECV entries points to a SYN flood)
netstat -n -p | grep SYN_RECV | wc -l     (gives the count of half-open connections)
Also check the web server access logs: if a particular IP is found to be making most of the requests, that IP can be blocked.

You can apply the rules below
====================
These rules drop packets with invalid TCP flag combinations (null packets, SYN+FIN, SYN+RST, FIN/PSH/URG without ACK), which stops some scanners and spoofed junk. They do not stop a plain SYN flood, which consists of valid SYN packets; for that, the SYN cookies setting below is the important one.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
(Enables SYN cookies until the next reboot, so the kernel can keep accepting connections while its SYN backlog is full. To make it permanent, add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf and run sysctl -p.)
==============================
netstat -an | grep SYN | more

Block an offending source address (replace IP with the address found above):

iptables -A INPUT -s IP -j DROP

For example:

iptables -A INPUT -s 168.75.16.116 -j DROP

service iptables save
(Writes the running rules to /etc/sysconfig/iptables so the block survives a restart. A service iptables restart without saving first reloads the saved ruleset and discards rules added at runtime. Bear in mind that the source addresses of a real SYN flood are usually spoofed, so per-IP blocks help only against unspoofed floods and abusive clients.)

Look for these lines in your /etc/httpd/conf/httpd.conf

Code:--------------------------------------------------------------------------------
# KeepAlive: Whether or not to allow persistent connections (more than
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the
KeepAliveTimeout 15
--------------------------------------------------------------------------------
Change KeepAlive On to KeepAlive Off with your favourite text editor and restart Apache. This frees worker processes that idle persistent connections would otherwise hold open, which is what exhausts a prefork Apache under a connection flood. That should work; if the server is still unresponsive afterwards you may be the victim of a larger DoS attack.

======================================================

echo 90 > /proc/sys/net/ipv4/tcp_keepalive_time
(Lowers the idle time before TCP keepalive probes are sent from the default 7200 seconds to 90, so dead connections are detected and cleaned up sooner. As with tcp_syncookies, put net.ipv4.tcp_keepalive_time = 90 in /etc/sysctl.conf to keep the setting across reboots.)
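The netstat pipeline above gives a single count; what you usually want next is the count per remote address, so that an unspoofed flood or an abusive client stands out from normal traffic. The following is an added example, not part of the original Hivelocity post: it parses netstat -ant style output, tallies SYN_RECV entries per foreign IP, flags sources over a threshold, and prints the iptables block commands (it never executes them). The netstat lines are constructed for the example and use documentation address ranges.

```python
"""Count half-open (SYN_RECV) connections per remote address in `netstat -ant` output and
propose block rules for the worst offenders. Added example; the sample output is constructed."""
from collections import Counter

# Constructed sample of `netstat -ant` output (Proto Recv-Q Send-Q Local Foreign State).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 198.51.100.10:80        203.0.113.7:40212       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:40213       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:40214       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:40215       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:40216       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:51002        SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.44:51003        SYN_RECV
tcp        0      0 198.51.100.10:443       192.0.2.99:39110        ESTABLISHED
tcp        0      0 198.51.100.10:22        192.0.2.5:55120         ESTABLISHED
"""


def syn_recv_by_source(netstat_output):
    """Map each foreign IP to its number of SYN_RECV (half-open) entries."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner, the header and any non-TCP or fully established sockets.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "SYN_RECV":
            continue
        foreign = fields[4]
        ip = foreign.rsplit(":", 1)[0]  # strip the port; rsplit keeps IPv6 addresses intact
        counts[ip] += 1
    return counts


def suspects(netstat_output, threshold=3):
    """Return (ip, count) pairs with at least `threshold` half-open connections, worst first."""
    counts = syn_recv_by_source(netstat_output)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def block_commands(ips):
    """iptables commands that would drop the given sources. -I INPUT 1 places the DROP
    ahead of any ACCEPT already in the chain; the strings are returned, not executed."""
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    print("half-open connections:", sum(syn_recv_by_source(SAMPLE_NETSTAT).values()))
    hits = suspects(SAMPLE_NETSTAT)
    for ip, n in hits:
        print(f"{ip}: {n} SYN_RECV")
    for cmd in block_commands(ip for ip, _ in hits):
        print(cmd)
```

On a live server feed it the real output (netstat -ant, or ss -tan, whose columns differ) and pick the threshold from what your normal traffic looks like. A flood with spoofed sources shows up as hundreds of addresses with one or two entries each and no single offender; that case is what tcp_syncookies is for, and blocking addresses one by one will not help.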

The post Identify and fix SYN attack appeared first on Hivelocity Hosting.

Setting Rules for Iptables in Linux
https://www.hivelocity.net/kb/setting-rules-for-iptables-in-linux/
Sat, 13 Nov 2010 05:50:57 +0000
If you're a Linux user, then chances are your system is already using iptables to control your server's firewall. For those who are new to the term, iptables is a user-space utility that gives administrators the ability to modify the IP packet-filtering rules used by the Linux kernel firewall (netfilter). In other words, it is a set of rules that tells the kernel which traffic may reach your server and which traffic your server may send out. By editing your system's iptables rules, you can control incoming and outgoing traffic by allowing or limiting access to specific ports or IP addresses.

In this guide, we'll cover the basics of how to edit your Linux server's iptables rules from the command line. The service commands below are those of the iptables init script on RHEL/CentOS-style systems, which keeps the saved ruleset in /etc/sysconfig/iptables.

*Note: iptables requires administrative privileges. When modifying iptables rules, be sure to execute your commands as the root user.

Modifying Iptables Rules

Before you begin making changes to your iptables rules, you should know the commands that stop, start, and save iptables, and what each one actually does:

To stop iptables, use the command:
service iptables stop
This flushes every rule and sets all chain policies to ACCEPT, so the server is completely unfiltered until iptables is started again. You do not need to stop iptables to add or remove rules: an iptables command changes the running ruleset immediately.

To start iptables, use the command:
service iptables start
This loads the ruleset saved in /etc/sysconfig/iptables.

To write the running ruleset to that file, so that it survives a restart or a reboot, use the command:
service iptables save

Now that you know how to start, stop, and save iptables as needed, you can begin modifying your system's rules to your specific needs. When working on a remote server, keep a second SSH session or a console open so that a mistaken rule that cuts off your connection can still be undone.

Allowing/Denying Specific IP Addresses in Iptables

To modify which IP addresses are able to connect to your server, just follow these steps:

  1. To allow a specific IP address, use the command:

    iptables -A INPUT -s 82.18.238.16 -j ACCEPT

    *Note: you will need to replace the "82.18.238.16" listed in these examples with the specific IP address you are attempting to allow/deny access to.

    Rules are checked from the top of the chain down and the first ACCEPT, DROP, or REJECT that matches wins. "-A" appends to the end of the INPUT chain, so if an earlier rule already drops or rejects this address (or rejects everything, as a catch-all rule at the end of a chain often does), the appended ACCEPT is never reached; in that case insert it at the top by writing "-I INPUT 1" in place of "-A INPUT".

  2. If you are attempting to allow an IP address that is on the list of banned IPs, you can remove the rule banning the IP address by using the command:

    iptables -D INPUT -s 82.18.238.16 -j DROP

    By using "-D" instead of "-A", you delete the first rule that matches that exact specification, allowing access to this specific IP address again.

  3. Alternatively, if you are trying to deny a specific IP address from accessing your server, use the command:

    iptables -A INPUT -s 82.18.238.16 -j DROP

    The same ordering caveat applies: an earlier ACCEPT rule that matches the address (for example one that accepts all traffic to port 80) is hit first, so place the DROP near the top of the chain with "-I INPUT 1" when that is the case. Listing the chain with the "iptables -n -L -v --line-numbers" command from the firewall command table earlier on this page shows you the order the rules are in.

  4. Once you've added or denied all necessary IPs, save your changes so that they survive a restart, using the following command:

    service iptables save

Do not stop iptables before adding rules: "service iptables stop" flushes the running rules, and a "service iptables save" afterwards would then overwrite /etc/sysconfig/iptables with only the rules added since the stop, discarding the rest of your firewall.

 

Allowing/Denying Specific Ports within Iptables

In addition to determining which IP addresses can access or be accessed by your server, you can also use iptables rules to determine which ports your server is accessible on, and which ports it may connect out to.

*Note: remember to run "service iptables save" afterwards so that your changes persist, and check the chain order as above; a rule appended with "-A" after a catch-all REJECT or DROP never matches.

For example, if you'd like the server itself to be able to browse the web and reach websites that communicate via port 80 (to fetch package updates, for instance), you can append the following rules. They allow outbound connections to port 80 and the replies coming back; they do not open port 80 on your server:

iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

If you'd also like to reach secure websites, those served over HTTPS, you must open port 443 in addition to port 80. The command to do so looks like this:

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

The OUTPUT chain normally has an ACCEPT policy, in which case only the INPUT rules here are doing any work. Be aware that an INPUT rule keyed on "--sport 80" accepts any packet whose source port is 80, whatever port on your server it is aimed at, and an attacker can choose that source port at will. A stateful rule that accepts only packets belonging to connections the server opened (the "-m state --state RELATED,ESTABLISHED" INPUT rule used in the HSphere template on this page) covers the same need without that hole.

*Note: If you wanted to deny access to either of these ports, you can repeat this same command and change the final term from ACCEPT to DROP.

Another trick that might prove useful to you, depending on your needs, is to allow remote SSH access by adding rules for port 22. This can be done using the following rules:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

As written this opens SSH to the whole internet. On a server with a fixed management IP, add "-s" with that address to the INPUT rule so that only it can reach port 22, and use key-based authentication either way.

And there you have it! You now know several basic iptables commands and can allow or deny ports and IP addresses as needed. By keeping your iptables rules up to date and in the right order, you can strengthen your server's firewall and keep it secure from unwanted access.
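Two things on this page are easy to get wrong and hard to see by eye: whether an iptables-save file such as the HSphere template above will load at all, and which rule actually decides a given packet's fate once ordering is taken into account. The following is an added example, not Hivelocity's code, that serves both the HSphere template and the rules in this post: it parses iptables-save format, reports the structural defects that make iptables-restore reject a file (a table started before the previous one is committed, a rule missing its leading "-", a mangled chain header, a jump to a chain that does not exist), and then walks the INPUT chain in first-match order, descending into user-defined chains and falling back to the chain policy, to answer "would SSH from this address get in?" and "which TCP ports are open to everyone?". Both rulesets are constructed for the example, use documentation address ranges, and only the selectors they contain (-s, -p, --dport, --state) are decoded; a real ruleset uses many more.

```python
"""Parse an iptables-save ruleset, flag defects that make iptables-restore reject it,
and evaluate packets against INPUT in first-match order. Added example, not
Hivelocity's code; both rulesets are constructed and only -s, -p, --dport and
--state are decoded."""
import shlex

# Constructed ruleset, loosely modelled on the HSphere template and this post's rules,
# with the two ordering mistakes discussed in the text: an SSH ACCEPT appended after a
# catch-all REJECT, and a database port open to the world.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:BLOCK_NET - [0:0]
-A INPUT -s 192.0.2.5 -j ACCEPT
-A INPUT -j BLOCK_NET
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed snippet with three copy-and-paste defects of the kind the HSphere template
# on this page originally carried: a rule missing its leading "-", a new table started
# before the previous one is committed, and a mangled chain header.
BROKEN_SNIPPET = """\
*filter
:INPUT DROP [0:0]
A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
*mangle
REROUTING ACCEPT [0:0]
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SELECTORS = ("-s", "-p", "-j", "--dport", "--state")


def parse_ruleset(text):
    """Return {"chains": {table: {chain: [rule]}}, "policies": {table: {chain: policy}},
    "problems": [str]}; each rule is a dict of decoded selectors plus its line number."""
    rs, table = {"chains": {}, "policies": {}, "problems": []}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                rs["problems"].append(f"line {n}: *{table} has no COMMIT before {line}")
            table = line[1:]
            rs["chains"].setdefault(table, {})
            rs["policies"].setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif table is None:
            rs["problems"].append(f"line {n}: {line!r} outside any *table section")
        elif line.startswith(":"):  # chain header ":NAME POLICY [packets:bytes]"
            name, policy = line[1:].split()[:2]
            rs["chains"][table].setdefault(name, [])
            rs["policies"][table][name] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rule = {"chain": argv[1], "line": n}
            rule.update({t.lstrip("-"): argv[i + 1] for i, t in enumerate(argv[2:-1], 2) if t in SELECTORS})
            rs["chains"][table].setdefault(rule["chain"], []).append(rule)
        else:
            rs["problems"].append(f"line {n}: unrecognised line {line!r}")
    if table is not None:
        rs["problems"].append(f"*{table} has no COMMIT")
    for tchains in rs["chains"].values():
        for r in (r for rules in tchains.values() for r in rules):
            if "j" in r and r["j"] not in TERMINAL | {"LOG", "RETURN"} | set(tchains):
                rs["problems"].append(f"line {r['line']}: jump to undefined chain {r['j']}")
    return rs


def _matches(rule, pkt):
    lo, _, hi = rule.get("dport", "0").partition(":")  # "22" or a range "1024:65535"
    return (rule.get("s", pkt["src"]) == pkt["src"]
            and rule.get("p", pkt["proto"]) == pkt["proto"]
            and ("dport" not in rule or int(lo) <= pkt["dport"] <= int(hi or lo))
            and ("state" not in rule or pkt.get("state", "NEW") in rule["state"].split(",")))


def verdict(rs, pkt, chain="INPUT", table="filter"):
    """First terminating match wins; a user chain that runs out of rules returns to the
    caller, a built-in chain that runs out ends in its policy. Returns (target, line)."""
    tchains = rs["chains"][table]
    for rule in tchains.get(chain, []):
        if not _matches(rule, pkt) or "j" not in rule:
            continue
        if rule["j"] in TERMINAL:
            return rule["j"], rule["line"]
        if rule["j"] in tchains:
            sub = verdict(rs, pkt, rule["j"], table)
            if sub[0] in TERMINAL:
                return sub
    policy = rs["policies"][table].get(chain, "-")
    return (policy if policy != "-" else "RETURN"), None


def world_open_tcp_ports(rs):
    """TCP ports a NEW connection from an arbitrary address reaches through INPUT."""
    ports = {int(r["dport"].partition(":")[0]) for r in rs["chains"]["filter"]["INPUT"] if "dport" in r}
    pkt = {"src": "203.0.113.1", "proto": "tcp"}
    return sorted(p for p in ports if verdict(rs, dict(pkt, dport=p))[0] == "ACCEPT")


if __name__ == "__main__":
    print(*parse_ruleset(BROKEN_SNIPPET)["problems"], sep="\n")
    rs = parse_ruleset(SAMPLE_RULESET)
    print("world-open TCP ports:", world_open_tcp_ports(rs))
    print("ssh from anywhere:", verdict(rs, {"src": "203.0.113.1", "proto": "tcp", "dport": 22}))
```

Run against SAMPLE_RULESET, the SSH packet from an arbitrary address is rejected at line 9, one line before the ACCEPT that was appended for it, which is exactly the "-A after a catch-all" mistake described above; moving that rule above the REJECT (what iptables -I INPUT 1 does on a running system) makes it match. The same walk reports 80 and 3306 as reachable from anywhere, the kind of world-open database port the HSphere template notes warn about. On a real file, feed it iptables-save output or /etc/sysconfig/iptables, and keep iptables-restore --test as the final check, since this parser decodes only a handful of selectors.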

The post Setting Rules for Iptables in Linux appeared first on Hivelocity Hosting.
