69 lines
3.6 KiB
Markdown
69 lines
3.6 KiB
Markdown
---
|
|
title: 02 Server Iptables
|
|
description: a little bigger note on iptables
|
|
published: true
|
|
date: 2024-03-27T18:07:56.613Z
|
|
tags:
|
|
editor: markdown
|
|
dateCreated: 2024-03-21T11:45:00.336Z
|
|
---
|
|
|
|
# iptables
|
|
|
|
As you know most likeley files, commands, information etc. are being transmitted not in one go but in packets. The arrival of packets at your server and the transmission of packets from your server is regulated via the program iptables.
|
|
|
|
I use the box in a box metaphore for a mental picture. A packet is a box in a box in a box.... max 7 times. Like a babooshka doll from Russia, another metaphore describing packets. Every box has an address label with extra information.
|
|
|
|
The iptables software reads the labels of the two outer boxes. Based on this info the software desides where the packet needs to go and if it is allowed to. In order for the iptable software to work it needs instructions on how to make descisions. These instructions are written in lists (tables).
|
|
|
|
Packets are checked following a set of standard routes (a sequence of tables). Three tables are the most important for us now. Input, Forward and Output.
|
|
|
|
We are not discussing the layering of packets in all possibilities nor are we discussing the innerworks of the software called iptables. What we discuss is a basic understanding on what happens and what we can do with the iptables.
|
|
|
|
## Input, Forward tables
|
|
When a packet arrives at your server iptables checks if the destination is the local machine or somewhere else. In our case the somewhere else is docker as docker creates and runs virtual machines etc.
|
|
When the packet destination is the local machine the rules of the Input list are checked from top to bottem.
|
|
When the destination is docker, the packet is checked against the rules in the Forward table.
|
|
It is either Input or Forward not both. You can however tell iptables to do so if you want.
|
|
|
|
## Output table
|
|
The output table tells iptables what to do with packets which are being sent from your computer. I you have bo rules in that table and the standard policy is drop, nothing will be send out.
|
|
For the input and forward tables it works the same. nor rules and a standard policy of drop and nothing cmoes in.
|
|
|
|
## Warning
|
|
Do not make the mistake that I made! blocking all incomming packets before adding rules accepting my ssh connection on my local machine. ssh will drop and you can only get into your machine with an attached screen, keyboard and mouse.
|
|
|
|
check if you have iptables installed
|
|
`sudo iptables`
|
|
if not install iptables
|
|
`sudo pacman -S iptables`
|
|
check the iptables
|
|
`sudo iptables -L -v -n --line-numbers `
|
|
check the service status / start / stop and enable
|
|
`sudo systemctl status iptables `
|
|
`sudo systemctl start iptables `
|
|
`sudo systemctl stop iptables `
|
|
`sudo systemctl enable iptables `
|
|
where is the file located with all the rules?
|
|
`/etc/iptables/iptables.rules`
|
|
How to save your new rules!
|
|
`sudo iptables-save -f /etc/iptables/iptables.rules`
|
|
|
|
how to change iptables
|
|
You can use a UI interface program (not described here), the terminal (the way to go) or editing the file itself (not a fan).
|
|
|
|
add a rule
|
|
`sudo iptables -A INPUT -i lo -j ACCEPT`
|
|
`sudo iptables -A INPUT -p tcp -i eno1 -s 192.168.1.10 -d 192.168.2.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT `
|
|
`sudo iptables -P INPUT DROP`
|
|
delete a rule
|
|
update a rule
|
|
|
|
https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
|
|
|
|
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
|
|
|
|
https://wiki.archlinux.org/title/Iptables#Editing_rules
|
|
|
|
|