Differences between revisions 1 and 2
Revision 1 as of 2012-02-18 16:13:11
Size: 4340
Editor: EstebanMonge
Revision 2 as of 2012-02-18 16:18:10
Size: 4422
Editor: EstebanMonge
Line 1: Line 1:
#language en #language es
Line 5: Line 5:
~+Iptables+~ provides packet filtering, network address translation (NAT) and other packet mangling. ~+Iptables+~ permite filtrar paquetes, traducción de direcciones de red y otros destrozamientos de paquetes.
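Review bot: "destrozamientos de paquetes" mistranslates "packet mangling". In iptables, mangling means altering packet headers (the mangle table changes fields such as TOS, TTL or packet marks), not destroying packets; "modificación de paquetes" or "alteración de paquetes" conveys that.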
Line 7: Line 7:
Two of the most common uses of iptables is to provide firewall support and NAT. Dos de los mas comunes usos de iptables son proveer soporte para muros de fuego y NAT.
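Review bot: "mas" takes an accent here ("más"), and "muros de fuego" is a literal calque; "cortafuegos" is the usual Spanish term for firewall. The English source's "Two ... is" should be "are"; the translation already gets the agreement right ("son").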
Line 9: Line 9:
Configuring iptables manually is challenging for the uninitiated. Fortunately, there are many configuration tools (wizards) available to assist: e.g., DebPkg:fwbuilder, DebPkg:bastille, DebPkg:ferm ([[ferm|wiki page]]), DebPkg:ufw (Uncomplicated Firewall, from Ubuntu). Configurar iptables manualmente es un reto para los que están iniciando. Afortunadamente, existen algunas herramientas de configuración (asistentes) disponibles para ayudarse, por ejemplo, DebPkg:fwbuilder, DebPkg:bastille, DebPkg:ferm ([[ferm|wiki page]]), DebPkg:ufw (Uncomplicated Firewall, from Ubuntu).
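Review bot: the parenthetical glosses "wiki page" and "Uncomplicated Firewall, from Ubuntu" are still in English in the translated sentence; render them too (e.g. "página del wiki", "cortafuegos sencillo, de Ubuntu") while leaving the package names and link targets as they are.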
Line 11: Line 11:
== Viewing current configuration == == Ver la configuración actual ==
Line 13: Line 13:
See what rules are already configured. Issue this command: Para ver que reglas ya están configuradas, utilice este comando:
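Review bot: "que" in "Para ver que reglas" is interrogative and needs the accent ("qué reglas").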
Line 19: Line 19:
The output will be similar to this: La salida será similar a la siguiente:
Line 32: Line 32:
This allows anyone access to anything from anywhere. Esto permite a cualquier el acceso de lo que sea a donde sea.
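Review bot: "a cualquier el acceso" should be "a cualquiera el acceso" (the pronoun form, not the adjective).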
Line 34: Line 34:
== Storing iptables rules in a file == == Almacenar las reglas en un archivo ==
Line 36: Line 36:
Note: there is a package designed to help with this: DebianPkg:iptables-persistent Nota: Existe un paquete que le puedo ayudar a hacer esto: DebianPkg:iptables-persistent
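Review bot: "le puedo ayudar" should be "le puede ayudar" (the package does the helping, not the writer). The macro prefix also changes from DebPkg: in the earlier hunk to DebianPkg: here; keep one form so every package link resolves the same way.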



Iptables provides packet filtering, network address translation (NAT) and other packet mangling.

Two of the most common uses of iptables are providing firewall support and NAT.

Configuring iptables manually is challenging for the uninitiated. Fortunately, there are some configuration tools (wizards) available to help, for example fwbuilder, bastille, ferm (wiki page), ufw (Uncomplicated Firewall, from Ubuntu).

Viewing current configuration

To see which rules are already configured, issue this command:

 iptables -L

The output will be similar to this:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

This allows anyone access to anything from anywhere.

Storing iptables rules in a file

Note: there is a package that can help with this: iptables-persistent

Let's tighten that up a bit by creating a test iptables file:

 nano /etc/iptables.test.rules

In this file enter some basic rules:

 *filter
 
 # Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
 -A INPUT -i lo -j ACCEPT
 -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
 # Accepts all established inbound connections
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allows all outbound traffic
 # You could modify this to only allow certain traffic
 -A OUTPUT -j ACCEPT
 
 # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT
 
 # Allows SSH connections for script kiddies
 # THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
 -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
 
 # Now you should read up on iptables rules and consider whether ssh access
 # for everyone is really desired. Most likely you will only allow access from certain IPs.
 
 # Allow ping
 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
 # log iptables denied calls (access via 'dmesg' command)
 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 
 # Reject all other inbound - default deny unless explicitly allowed policy:
 -A INPUT -j REJECT
 -A FORWARD -j REJECT
 
 COMMIT

That may look complicated, but take it one section at a time. You will see that it simply closes all ports except the ones we have allowed, which in this case are ports 80 and 443 (the standard web ports) and the SSH port defined earlier.

Activate these new rules:

 iptables-restore < /etc/iptables.test.rules

And see the difference:

 iptables -L

Now the output tells us that only the ports defined above are open. All the others are closed.
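Checking the result by eye works for three chains and a dozen rules, but the same checks can be scripted. The following script is an added example and is not part of the wiki page: it runs offline, without root and without calling iptables, over constructed copies of the listing and the rules file shown above. The function names (open_policies, allowed_tcp_ports, lint_rules) are this example's own. It reports which chains still have an ACCEPT policy, which TCP ports INPUT accepts, and whether the rules file has the structure iptables-restore needs and the ordering the comments in the file rely on (loopback ACCEPT before the 127/8 REJECT, a catch-all REJECT last).

```shell
#!/bin/sh
# Added example, not part of the wiki page: offline checks for the two things
# the HOWTO produces, an `iptables -L` listing and an iptables-restore rules
# file. Nothing here calls iptables, so it runs unprivileged on any host.
# Function names and the samples below are constructed for this example.

# Constructed sample: the all-ACCEPT listing shown earlier on the page.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the rules from /etc/iptables.test.rules, comments dropped.
SAMPLE_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT'

# open_policies: read an `iptables -L` listing on stdin and print the names of
# chains whose default policy is ACCEPT, i.e. the wide-open state.
open_policies() {
    awk '/^Chain / && /\(policy ACCEPT\)/ { print $2 }'
}

# allowed_tcp_ports: read a rules file on stdin and print the TCP destination
# ports that INPUT accepts, one per line, in rule order.
allowed_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }'
}

# lint_rules FILE: structural checks that catch the common ways this file
# fails at boot or opens more than intended. Prints each problem; returns 1
# if any check failed, 0 otherwise.
lint_rules() {
    file=$1
    rc=0
    # iptables-restore needs the table header and a final COMMIT.
    head -n 1 "$file" | grep -q -e '^\*filter$' || { echo "missing *filter header"; rc=1; }
    tail -n 1 "$file" | grep -q -e '^COMMIT$' || { echo "missing COMMIT line"; rc=1; }
    # Without this rule, replies to outbound connections hit the catch-all REJECT.
    grep -q -e '--state ESTABLISHED,RELATED -j ACCEPT' "$file" \
        || { echo "no ESTABLISHED,RELATED accept rule"; rc=1; }
    # Rules are evaluated top-down: the loopback ACCEPT must come before the
    # 127/8 REJECT, or local services talking to themselves are blocked.
    lo_accept=$(grep -n -e '-A INPUT -i lo -j ACCEPT' "$file" | cut -d: -f1)
    lo_reject=$(grep -n -e '-d 127.0.0.0/8 -j REJECT' "$file" | cut -d: -f1)
    [ -n "$lo_accept" ] && [ -n "$lo_reject" ] && [ "$lo_accept" -lt "$lo_reject" ] \
        || { echo "loopback ACCEPT must precede the 127/8 REJECT"; rc=1; }
    # Default-deny only holds if the last INPUT rule rejects or drops everything.
    grep -e '^-A INPUT ' "$file" | tail -n 1 | grep -Eq -e '^-A INPUT -j (REJECT|DROP)$' \
        || { echo "last INPUT rule is not a catch-all REJECT/DROP"; rc=1; }
    return "$rc"
}

# Demonstration on the constructed samples.
echo "chains with ACCEPT policy:"; printf '%s\n' "$SAMPLE_LISTING" | open_policies
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$tmp"
echo "TCP ports INPUT accepts:"; allowed_tcp_ports < "$tmp"
lint_rules "$tmp" && echo "rules file passes all checks"
rm -f "$tmp"
```

On a real host, feed `iptables -L` (or `iptables-save`) into these functions instead of the samples. lint_rules is also a cheap thing to run before `iptables-restore` in the boot-time script, together with `iptables-restore --test`, so that a truncated or mis-edited file is reported instead of leaving the machine with the ACCEPT policies it started with.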

Once you are happy, save the new rules to the master iptables file:

 iptables-save > /etc/iptables.up.rules

To make sure the iptables rules are loaded again on reboot, we'll create a new file:

 nano /etc/network/if-pre-up.d/iptables

Add these lines to it:

 #!/bin/bash
 /sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

 chmod +x /etc/network/if-pre-up.d/iptables

Note: This HOWTO was contributed by user Geejay to wiki.openvz.org as part of a container installation howto.

See also


CategorySystemAdministration