2015-10-16

[SOLVED] iptables-persistent-for-ubuntu-14.04-lts

15:29 19/03/2015
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04

Saving your iptables Configuration
By default, the rules that you add to iptables are ephemeral. This means that when you restart your server, your iptables rules will be gone.

This is actually a feature for some users because it gives them an avenue to get back in if they have accidentally locked themselves out of the server. However, most users will want a way to automatically save the rules they have created and to load them when the server starts.

There are a few ways to do this, but the easiest way is with the iptables-persistent package. You can download this from Ubuntu's default repositories:

#apt-get update
#apt-get install iptables-persistent

Services: iptables-persistent

During the installation, you will be asked if you would like to save your current rules to be automatically loaded. If you are happy with your current configuration (and you have tested your ability to create independent SSH connections), you can select to save your current rules.

It will also ask you if you want to save the IPv6 rules that you have configured. These are configured through a separate utility called ip6tables which controls the flow of IPv6 packets in almost the same way.

Once the installation is complete, you will have a new service called iptables-persistent that is configured to run at boot. This service will load in your rules and apply them when the server is started.


iptables-persistent_0.5.7_all.deb



##############
root@srv:/opt/script# cat fwdelete
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
/opt/script/fwsave
/opt/script/fwrestart
/opt/script/fwstatus



root@srv:/opt/script# cat fwedit
nano /etc/iptables/rules.v4



root@srv:/opt/script# cat fwrestart
service iptables-persistent restart



root@srv:/opt/script# cat fwrestore
command cp -rf /opt/script/iptables-2015.10.15-1-runningOK /etc/iptables/rules.v4
/opt/script/fwrestart
netstat -ntlup | grep LISTEN



root@srv:/opt/script# cat fwsave
service iptables-persistent save




root@srv:/opt/script# cat fwstatus
iptables -n -L -v --line-numbers | more



root@srv:/opt/script# cat fwstop
service iptables-persistent flush




root@srv:/opt/script# cat fwview
echo "------------------------------------"
cat  /etc/iptables/rules.v4 | more

echo "------------------------------------"



chmod +x fw*
##############

#/etc/iptables/rules.v4
#####################################################
# UBUNTU SERVER 14.04 LTS x64 #
#####################################################
#WAN-eth0: - RIGHT #
#LAN-eth1: - LEFT #
#Linux srv 3.13.0-32-generic #
#57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 #
#x86_64 x86_64 x86_64 GNU/Linux #
#iptables: v1.4.21 #
#LastUpdate: 9:25 09/06/2015 #
#####################################################
#_________________________________________________NAT:BEGIN
*nat
:PREROUTING ACCEPT [507:45436]
:POSTROUTING ACCEPT [1:108]
:OUTPUT ACCEPT [1:108]
COMMIT
#_________________________________________________NAT:END
#
#
#_________________________________________________FILTER:BEGIN
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [333:34327]
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
##########qwerty: FIREWALL FOR SERVICES (DAEMONS):BEGIN

#FTP SERVER:
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000:61000 -j ACCEPT

#HTTPS
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

#HTTP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

#WEBMIN:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65443 -j ACCEPT

#SSH:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65145 -j ACCEPT
##########qwerty: FIREWALL FOR SERVICES (DAEMONS):END
#
#====================================================
#IPTABLES: BLOCK ALL, ACCEPT ABOVE:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#====================================================
COMMIT
#_________________________________________________FILTER:END
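A guard against the lockout the tutorial text warns about, added here as an example (not part of this post or of the iptables-persistent package): it parses a rules file in the rules.v4 format shown above and refuses to restart the service unless the SSH port is accepted in the INPUT chain before the catch-all REJECT. The sample rule sets are constructed; `iptables-restore --test` and the `service iptables-persistent restart` command from this page are assumed to be available on the host.

```shell
#!/bin/sh
# Lockout guard for an iptables-persistent rules file such as /etc/iptables/rules.v4.
# Added example; not part of the original post or of the iptables-persistent package.
# fw_port_reachable FILE PORT: exit 0 when the *filter INPUT chain ACCEPTs
# tcp --dport PORT (single port or lo:hi range) BEFORE any catch-all
# "-A INPUT -j REJECT|DROP" line; exit 1 otherwise. Only --dport is parsed.
fw_port_reachable() {
    awk -v want="$2" '
        /^\*/ { table = substr($0, 2); next }             # *nat, *filter, ...
        table != "filter" || $0 !~ /^-A INPUT / { next }
        /-j ACCEPT/ && /-p tcp/ && match($0, /--dport [0-9:]+/) {
            spec = substr($0, RSTART + 8, RLENGTH - 8)    # "65145" or "60000:61000"
            n = split(spec, r, ":"); lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
            if (!found && want + 0 >= lo && want + 0 <= hi) found = NR
        }
        # a REJECT/DROP with no protocol or port match stops every rule after it
        /-j (REJECT|DROP)/ && $0 !~ /-p / && $0 !~ /--dport/ && !block { block = NR }
        END { exit !(found && (!block || found < block)) }
    ' "$1"
}
# fw_safe_restart FILE PORT: refuse to reload when PORT (your SSH port) would be
# cut off, then syntax-check and restart. Assumes iptables-restore --test exists
# and the service name used on this page. Not invoked by the demo below.
fw_safe_restart() {
    fw_port_reachable "$1" "$2" || { echo "refusing: tcp/$2 is not accepted before the catch-all" >&2; return 1; }
    iptables-restore --test < "$1" || return 1
    service iptables-persistent restart
}
# Constructed sample mirroring the page's rules.v4 (SSH on 65145, FTP passive range).
FW_GOOD=$(mktemp); FW_BAD=$(mktemp)
cat > "$FW_GOOD" <<'EOF'
*nat
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000:61000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 65145 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# Same rules with the SSH ACCEPT appended after the catch-all: a silent lockout.
awk '/65145/ { next } /^COMMIT$/ && f { print "-A INPUT -p tcp -m tcp --dport 65145 -j ACCEPT" } { print } /^\*filter/ { f = 1 }' "$FW_GOOD" > "$FW_BAD"
for p in 65145 60500 22; do
    fw_port_reachable "$FW_GOOD" "$p" && echo "tcp/$p reachable" || echo "tcp/$p blocked"
done
fw_port_reachable "$FW_BAD" 65145 || echo "bad file: tcp/65145 accepted only after the catch-all"
```

Run `fw_safe_restart /etc/iptables/rules.v4 65145` from the fwrestart script instead of calling the service directly, so a mis-ordered rules.v4 is caught before it is applied.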
