FireWall IPTABLES

Konfigurační příklad pravidel IPTABLES aktivovaných při startu systému pomocí systemd služby. Zajímavý článek: Správa linuxového serveru: Linuxový firewall, základy iptables. Uvádím příklad pravidel generovaných podle seznamu IP segmentů stažených z https://www.ipdeny.com/ipblocks/data/countries/cz.zone pro CZ region. Seznam sice ze zkušenosti není stoprocentní, ale pro základní filtr dostačuje. Další regiony: https://www.ipdeny.com/ipblocks .

/etc/network/iptables.conf

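#!/bin/sh
###################################################################################################
#
#  RULES:  PC (IPV4)
#  =================
#
#  18.04.2022
#
#    /etc/systemd/system/iptables.service
#  > /etc/network/iptables.conf
#    /etc/network/iptables.conf.disable
#
#  Loads the host firewall at boot (run by iptables.service).  INPUT and FORWARD default to DROP;
#  only loopback, the home LAN, the administrator SSH sources and SSH from the CZ region
#  (prefixes listed in $_FILE_CZ_ZONE) get through.  Everything else is dropped, with rate-limited
#  logging of new connections.
#
#--------------------------------------------------------------------------------------------------
#
# sudo netstat -tulpn | grep LISTEN
#
# sudo wget -T 3 https://www.ipdeny.com/ipblocks/data/countries/cz.zone \
#         -O /etc/network/cz.zone  2>/dev/null && echo ok || echo ERR
#
# NOTE(review): the zone file is loaded straight into the ruleset, so fetch it with TLS
# verification on (no --no-check-certificate): a tampered list silently changes who may reach
# port 22 from the internet.
#__________________________________________________________________________________________________

# Fail on unset variables: a mistyped name would otherwise pass an empty argument to iptables.
set -u

# Plain-text list of CZ IPv4 prefixes, one "a.b.c.d/len" per line (ipdeny.com format).
readonly _FILE_CZ_ZONE="/etc/network/cz.zone"


#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# _F_L_U_S_H__P_R_E_V_I_O_U_S__R_U_L_E_S_
#__________________________________________________________________________________________________
# Flushing first keeps a re-run of the script from duplicating rules.  The DROP policies are set
# right after, before any ACCEPT rule exists, so a partially loaded ruleset fails closed.

iptables -F
iptables -X

ip6tables -F
ip6tables -X

# D E C L A R A T I O N S
# ```````````````````````

iptables -N     _IP_SSH_ADMIN           # p:22 selected administrator IPs
iptables -N     _IP_SSH_NET             # p:22 internet (reached only from the CZ region)

iptables -N     _IP_CZ_ZONE             # restrict to the CZ region

iptables -N     _LOG+ACCEPT             # ... log + ACCEPT
iptables -N     _LOG+DROP               # ... log + DROP

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# _D_E_F_A_U_L_T__P_O_L_I_C_I_E_S_
#__________________________________________________________________________________________________

iptables -P     INPUT           DROP
iptables -P     FORWARD         DROP
iptables -P     OUTPUT          ACCEPT

ip6tables -P    INPUT           DROP
ip6tables -P    FORWARD         DROP
ip6tables -P    OUTPUT          ACCEPT

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# _I_N_P_U_T__R_U_L_E_S_
#__________________________________________________________________________________________________

iptables -A     INPUT           -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Mirror for IPv6: OUTPUT is ACCEPT there too, so replies to the host's own IPv6 connections
# would otherwise hit the DROP policy.
ip6tables -A    INPUT           -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): ICMPv6 (neighbour discovery) is still dropped on IPv6 — confirm whether this host
# uses IPv6 at all; if it does, an icmpv6 ACCEPT rule belongs here.

#--------------------------------------------------------------------------------------------------

iptables -A     INPUT           -i lo                   -j ACCEPT       # loopback
ip6tables -A    INPUT           -i lo                   -j ACCEPT       # loopback ipv6

iptables -A     INPUT           -s 10.0.0.0/24          -j ACCEPT       # whole home LAN

#--------------------------------------------------------------------------------------------------

iptables -A     INPUT           -p tcp --dport 22       -j _IP_SSH_ADMIN # ssh: administrators

#--------------------------------------------------------------------------------------------------

iptables -A     INPUT           -j _IP_CZ_ZONE                          # only the CZ region gets past here

iptables -A     INPUT           -p tcp --dport 22       -j _IP_SSH_NET  # ssh from the (CZ) region

#--------------------------------------------------------------------------------------------------

iptables -A     INPUT                                   -j DROP         # drop everything else

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# _R_U_L_E__S_U_B_C_H_A_I_N_S_
#

# _IP_SSH_ADMIN  (RETURN lets non-matching sources continue through INPUT)
# `````````````
iptables -A     _IP_SSH_ADMIN   -s 111.111.111.111      -j _LOG+ACCEPT
iptables -A     _IP_SSH_ADMIN   -s 222.222.222.222      -j _LOG+ACCEPT
iptables -A     _IP_SSH_ADMIN   -j RETURN

# _IP_SSH_NET  (terminal: anything not listed is logged and dropped)
# ```````````
iptables -A     _IP_SSH_NET     -s 222.111.222.111      -j _LOG+ACCEPT
iptables -A     _IP_SSH_NET     -s 111.222.111.222      -j _LOG+ACCEPT
iptables -A     _IP_SSH_NET     -j _LOG+DROP

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# _I_P___C_Z__Z_O_N_E__R_U_L_E_S_
#

if [ -r "$_FILE_CZ_ZONE" ]; then
  # One prefix per line.  Blank and '#' lines are skipped; a line containing anything other than
  # digits, dots and slashes is rejected, so a corrupted or tampered entry can never reach
  # iptables unquoted and be parsed as an option instead of an address.
  while IFS= read -r _IP_ZONE || [ -n "$_IP_ZONE" ]; do
    case $_IP_ZONE in
      ''|'#'*)
        continue ;;
      *[!0-9./]*)
        printf 'iptables.conf: skipping invalid zone entry: %s\n' "$_IP_ZONE" >&2
        continue ;;
    esac
    iptables  -A  _IP_CZ_ZONE  -s "$_IP_ZONE"  -j RETURN
  done < "$_FILE_CZ_ZONE"
else
  # Fail closed: with an empty zone chain only the administrator IPs can reach ssh.
  printf 'iptables.conf: %s not readable, CZ zone chain left empty\n' "$_FILE_CZ_ZONE" >&2
fi

# Non-CZ sources end here.  The original target was _LOG+DROP_CZ, a chain that is never created:
# that rule failed to load and non-CZ traffic was dropped without any log line.
iptables -A  _IP_CZ_ZONE   -j _LOG+DROP
iptables -A  _IP_CZ_ZONE   -j DROP        # unreachable once _LOG+DROP drops; kept as a safety net

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# _T_E_R_M_I_N_A_L__L_O_G__C_H_A_I_N_S_
#__________________________________________________________________________________________________
# Only NEW connections are logged, at most 5 per minute, so a scan cannot flood the journal.
# Uses -m conntrack like the INPUT chain above (-m state is the older alias of the same match).

iptables -A     _LOG+ACCEPT     -m conntrack --ctstate NEW -m limit --limit 5/min \
                                -j LOG --log-prefix " _IPT_ACCEPT_ "
iptables -A     _LOG+ACCEPT     -j ACCEPT

iptables -A     _LOG+DROP       -m conntrack --ctstate NEW -m limit --limit 5/min \
                                -j LOG --log-prefix " _IPT_DROP_ "
iptables -A     _LOG+DROP       -j DROP

#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###################################################################################################
# R U L E   L I S T I N G   (ends up in the unit's journal)
# ``````````````````````````
iptables -L -n -v
###################################################################################################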

Oprávnění

sudo chown root:root /etc/network/iptables.conf
sudo chmod 640 /etc/network/iptables.conf

/etc/systemd/system/iptables.service

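###############################################################
#
#  FIREWALL IPTABLES RULES
#  =======================
#
#  18.04.2022
#
#  > /etc/systemd/system/iptables.service
#    /etc/network/iptables.conf
#    /etc/network/iptables.conf.disable
#
#  sudo systemctl daemon-reload
#  sudo systemctl start iptables.service
#  sudo systemctl enable iptables.service
#  sudo systemctl --no-pager status iptables.service
#

[Unit]
Description="FIREWALL IPTABLES PRAVIDLA"
# Load the ruleset before any network interface is configured, so there is no window at boot
# in which the host is reachable with an empty (ACCEPT) INPUT chain.
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
# The rules outlive the script; RemainAfterExit keeps the unit "active" so that
# `systemctl stop` runs ExecStop (iptables.conf.disable) instead of doing nothing.
RemainAfterExit=yes
User=root
Group=root
ExecStart=/bin/sh /etc/network/iptables.conf
ExecStop=/bin/sh /etc/network/iptables.conf.disable
TimeoutStopSec=1s

[Install]
WantedBy=multi-user.target
###############################################################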

Aktivace

sudo systemctl daemon-reload
sudo systemctl enable iptables.service
sudo systemctl start iptables.service
sudo systemctl --no-pager status iptables.service