Prepare Ubuntu Firewall
If you want a good reference that takes you through this step by step, check this link.
First install the package that reloads your rules at boot:
sudo apt-get update
sudo apt-get install iptables-persistent
Keep established connections allowed (replies to traffic the server itself initiated, and related traffic such as ICMP errors):
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Accept all packets destined to port 22 (SSH) or 80 (HTTP). If you are working over SSH, add the port 22 rule before any catch-all rule, otherwise you lock yourself out:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Accept all loopback communications and insert it as the first rule (-I INPUT 1), so that local services talking to 127.0.0.1 are never blocked by a later rule:
sudo iptables -I INPUT 1 -i lo -j ACCEPT
Let the MySQL server accept connections only from the private network (replace 192.168.0.0/24 with your own subnet):
iptables -A INPUT -p tcp --dport 3306 -s 192.168.0.0/24 -j ACCEPT
Drop any other packets not matching our rules:
iptables -A INPUT -j DROP
or, if you prefer that the sender gets an explicit error (an ICMP port-unreachable, or a TCP reset if you add --reject-with tcp-reset) instead of a silent timeout:
iptables -A INPUT -j REJECT
check this: Drop vs Reject
Note: this catch-all rule must be the last rule added. -A appends to the end of the chain, so any rule you append after it is never evaluated; if you later need another ACCEPT, insert it with -I above the catch-all.
iptables rules live only in the kernel and are gone after a reboot. If you ever update your firewall and want to preserve the changes, you must save your iptables rules for them to be persistent.
Save your firewall rules with this command:
sudo service netfilter-persistent save
This writes /etc/iptables/rules.v4 (and rules.v6 for ip6tables), which netfilter-persistent reloads at boot.
sudo iptables -I INPUT 1 -i lo -j ACCEPT
-I inserts the rule at the given position (here row 1) instead of appending it, so every packet arriving on interface lo is accepted before any other rule is consulted.
To list the rules with their line numbers, use this command (add -n to skip reverse DNS lookups on the addresses):
sudo iptables -L --line-numbers
To insert a new rule at a specific line, do the following:
sudo iptables -I INPUT 4 new_rule_here
To delete a rule by line number:
sudo iptables -D INPUT 3
Line numbers shift after every insert or delete, so list the chain again before the next -I or -D.
To export the firewall rules, use:
sudo iptables-save > iptables-export
To import the firewall rules, use:
sudo iptables-restore < iptables-export
iptables-restore replaces the whole table in one step, so the file must contain the complete ruleset, not just the rules you want to add.
To accept a range of ports:
sudo iptables -A INPUT -p tcp --match multiport --dports 1024:3000 -j ACCEPT
A single contiguous range also works with plain --dport 1024:3000; multiport is only needed for a comma-separated list of ports or ranges.
To block all connections on UDP port 111 (rpcbind/portmapper). The command uses -I without a position, so the rule lands at the top of the chain, ahead of any ACCEPT that could otherwise match; do not append a block rule with -A after the catch-all, where it would never be reached. rpcbind also listens on TCP 111, so add a matching -p tcp rule if you want it fully blocked:
iptables -I INPUT -p udp --dport 111 -j REJECT
To allow all communication from the private network 192.168.100.0/24 arriving on interface ens19 (matching on both -i and -s means a packet with a spoofed private source address arriving on the public interface does not match):
iptables -A INPUT -i ens19 -s 192.168.100.0/24 -j ACCEPT
So, the minimum required rules in a nutshell:
sudo iptables -I INPUT 1 -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -i ens19 -s 192.168.100.0/24 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -j REJECT
The conntrack rule may also be placed right after the loopback rule; it matches the majority of packets, so putting it early saves the kernel from walking the port rules for every reply. Remember that iptables only covers IPv4: if the host has an IPv6 address, repeat the same rules with ip6tables, otherwise every service is still reachable over IPv6.
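Building the chain with a series of -A commands leaves a window where the catch-all exists but the SSH rule does not, and makes the "catch-all must stay last" rule easy to break. The script below is an added example, not part of the original post: it generates the minimum ruleset above as an iptables-restore file (the same format as iptables-export) and checks its ordering before you load it. The port, interface and subnet values are the ones used in this post and are assumptions; override them with the environment variables shown.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): emit the INPUT chain as an
# iptables-restore file and sanity-check its ordering before loading it.
# Assumed values (from this post): SSH on 22, web on 80/443, private
# interface ens19 / 192.168.100.0/24. Override via environment variables.
set -u

SSH_PORT="${SSH_PORT:-22}"
PRIV_IF="${PRIV_IF:-ens19}"
PRIV_NET="${PRIV_NET:-192.168.100.0/24}"

# Print the ruleset in iptables-save format. iptables-restore loads it as one
# atomic replacement of the filter table, so there is never a moment where
# the catch-all is in place but the SSH ACCEPT is not.
gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talking to 127.0.0.1 must keep working
-A INPUT -i lo -j ACCEPT
# replies to traffic we initiated; early, because most packets match here
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -i ${PRIV_IF} -s ${PRIV_NET} -j ACCEPT
# catch-all stays last: anything after it is never evaluated
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Check an iptables-restore file for the ordering mistakes discussed above.
# Returns 0 if the chain is sane, 1 (with a message on stderr) otherwise.
check_rules() {
  local file="$1"
  local rules first last catchalls
  rules=$(grep -E '^-A INPUT ' "$file")
  first=$(printf '%s\n' "$rules" | head -n 1)
  last=$(printf '%s\n' "$rules" | tail -n 1)
  case "$first" in
    *'-i lo -j ACCEPT'*) ;;
    *) echo "loopback ACCEPT is not the first INPUT rule" >&2; return 1 ;;
  esac
  case "$last" in
    *'-j REJECT'*|*'-j DROP'*) ;;
    *) echo "last INPUT rule is not a catch-all REJECT/DROP" >&2; return 1 ;;
  esac
  # two catch-alls means rules were appended after the first one: dead rules
  catchalls=$(printf '%s\n' "$rules" | grep -cE -- '^-A INPUT -j (REJECT|DROP)')
  if [ "$catchalls" -ne 1 ]; then
    echo "found $catchalls catch-all rules; rules after the first never match" >&2
    return 1
  fi
  printf '%s\n' "$rules" | grep -qE -- "--dport ${SSH_PORT} -j ACCEPT" \
    || { echo "no ACCEPT for SSH port ${SSH_PORT}: you would lock yourself out" >&2; return 1; }
  return 0
}

# Usage (as root):
#   gen_rules > /etc/iptables/rules.v4
#   check_rules /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The generated file is what netfilter-persistent reloads at boot, so writing it to /etc/iptables/rules.v4 makes the rules persistent without a separate save step. Run check_rules on any hand-edited export before restoring it; a rule appended after the catch-all, or a chain without an SSH ACCEPT, is rejected before it can lock you out.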