Inetone: Firewall with iptables

Dies ist Version . Es handelt sich nicht um die aktuelle Version und kann folglich auch nicht geändert werden.

[Zurück zur aktuellen Version][Diese Version wiederherstellen]

Inhaltsverzeichnis

Scope
iptables
Commands
Syntax
my general ruleset
Python
subprocess

Scope#

I want to enable ipv6 access only
Access enabled only from my home computer
use phyton script to update my home computer ipv6 in the firewall

iptables#

Commands#

> ls -la /usr/sbin/ip*  # list all commands, there are many
> iptables*             # for ipv4 (in debian busters = nft)
> ip6tables*            # for ipv6 (in debian busters = nft)
> iptables-legacy       # former ones, not nft
> iptables-nft          # directly use nft

Notes:

all iptables commands (for ipv4) have an ip6tabbles* equivalent (for ipv6)
see info on nft

Syntax#

see docu

> sudo iptables -L -v 
> sudo iptables -n -v --line-numbers -L 
> sudo service iptables start		# activate firewalling
> sudo service ip6tables start
> sudo chkconfig iptables on		# enable after reboot
> sudo chkconfig ip6tables on

iptables [-t <table-name>] <command> <chain-name> <parameter-1>  <option-1> <parameter-n> <option-n>

table-name
- like [filter, nat, mangle, raw, security], if omitted we use "filter"
command
- -F : flush current chain or all if omitted
- -X : deletes a user-specified chain or all if omitted
- -Z : zeros the byte and packet counters in all chains
- -A : apppend a rule at the end
- -I : inserts at a specified position (similar to replace -R), wihtout position at the top
- -P : a policy is a fall back and is used after all rules have passede** you can enable certain special addresses earlier
- -L : list all rules
chain-name
- INPUT, FORWARD, OUTPUT (as listed with > iptables -L)
- you may invent new chain names, but this seems not to be common (command -N)
parameter-1 (filter)
- -s : source filter (address[/mask][...])
- -d : destination filter
- -p : protocoll filter like [icmp, tcp, udp, all] or those in /etc/protocols, if omitted ALL protocols are considered
  - with -p tcp you can use --dport for destination port filter, any number
  - with -p udp you can use --dport for destination port and --sport as source port filter
  - ports can be also a range like 3000:3200 (all from 3000 to 3200)
  - with -p icmp you can use --icmp-type
- -i : interface like [eth0, lo, ppp0], without name ALL interfaces are used
- -j : jump to [ACCEPT, DROP, QUEUE, RETURN] (or others added with modules)
- -m : adds a comment when listing the rules, syntax >-m comment --comment "My comments here"<
option-1 (target)
- [ACCEPT, DROP, QUEUE, RETURN] (or others added with modules)
option-n (listing options)
- -v : verbose output
- -n : displays IP addresses and port numbers in numeric format instead of hostname/network service
notes
- the first three commands are usually used to create a fresh ruleset in a script
- in the chain list and then drop all other later

my general ruleset#

#!/bin/bash

# MARKUS

SOURCE=<any ipv6 address or host>

# ipv4 ------------------------------------
# Flush all rules and delete all chains for a clean startup
iptables -F
iptables -X
iptables -Z		# Zero out all counters

# drop all ipv4 traffic, we wanmt to use ipv6 only
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# ipv6 ------------------------------------
# Flush all rules and delete all chains for a clean startup
ip6tables -F
ip6tables -X
ip6tables -Z

# drop all ipv6 traffic, except your ip ($SOURCE)
# do not limit to --dport 22, because the source has random ports (?)
# add first to enabel replacing 1. rule later
ip6tables -A INPUT  -s $SOURCE -j ACCEPT
ip6tables -A OUTPUT -d $SOURCE -j ACCEPT

# allow ipv6 local loopback
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# drop everthing else
ip6tables -P FORWARD DROP 		# as policy generally
ip6tables -A INPUT  -j DROP
ip6tables -A OUTPUT -j DROP

Python#

package "python3-iptables" manages legacy ones only, docu1, docu2
package "python3-nftables" manages nft tables, docu
alternatively you can use subprocess.run to call the original system commands

subprocess#

import socket	    # determine ipv6
import subprocess   # run system commands

#ip = get_ip()     # you have to create the code to fetch IP in this variable
ip = socket.getaddrinfo('any.host.com', 443, socket.AF_INET6)
# example result=[(<AddressFamily.AF_INET6: 23>, 0, 0, '', ('2a02:3b4:d876:f321:1234:a123:b456:ff', 443, 0, 0))]
# replace first rules
subprocess.run(["/usr/sbin/ip6tables", "-R", "INPUT", "1", "-s", ip, "-j", "ACCEPT"])
subprocess.run(["/usr/sbin/ip6tables", "-R", "OUTPUT", "1", "-d", ip, "-j", "ACCEPT"])