04-30-2013 #1 (Join Date: Apr 2013, Location: US, Posts: 4)
Import the output of iptables -L back into iptables
Fortunately, I was able to go back in my session window and get the rules as I had issued an iptables -L earlier.
Here is basically the gist of my rules:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain acctboth (2 references)
target     prot opt source               destination
           tcp  --  10.0.0.69            anywhere             tcp dpt:http
           tcp  --  anywhere             10.0.0.69            tcp spt:http
           tcp  --  10.0.0.69            anywhere             tcp dpt:smtp
           tcp  --  anywhere             10.0.0.69            tcp spt:smtp
           tcp  --  10.0.0.69            anywhere             tcp dpt:pop3
           tcp  --  anywhere             10.0.0.69            tcp spt:pop3
           icmp --  10.0.0.69            anywhere
           icmp --  anywhere             10.0.0.69
           tcp  --  10.0.0.69            anywhere
           tcp  --  anywhere             10.0.0.69
           udp  --  10.0.0.69            anywhere
           udp  --  anywhere             10.0.0.69
           all  --  10.0.0.69            anywhere
           all  --  anywhere             10.0.0.69

#The Mangle portion of the ruleset. Here is where unwanted packet types get dropped.
#This helps in making port scans against your server a bit more time consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

#The FILTER section of the ruleset is where we initially drop all packets and then selectively open certain ports.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
#Inbound
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p udp -m udp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p udp -m udp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2078 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2087 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2089 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2096 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6666 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
#Outbound
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 26 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 465 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 873 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2078 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 2078 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
#Accept and respond to ICMP requests
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
05-01-2013 #2 (Join Date: May 2011, Posts: 4,353)
hello and welcome!
i usually use the command iptables-save for this purpose, e.g.:
Code:iptables-save > /etc/sysconfig/iptables.new
05-01-2013 #3
Or, if you are using Red Hat or one of its forks:
Code:service iptables save
05-01-2013 #4 (Join Date: Apr 2013, Location: US, Posts: 4)
That's normally what I would do in order to get it exported in a format proper for importing straight in again. Then, I could just do a:
Code:/sbin/iptables-restore < /etc/sysconfig/iptables.new
Code:iptables -L
05-02-2013 #5 (Join Date: May 2011, Posts: 4,353)
oh, now i understand (i think): you can't issue an "iptables-save" (or "service iptables save") b/c your current rules are messed up. but in a terminal, you still have the output of "iptables -L" that you can copy-paste, etc., in order to create a new /etc/sysconfig/iptables file - is that right?
05-02-2013 #6
From the above, you should be able to remove all lines that do not start with '-A', place 'iptables' in front of each '-A', then save the file, make it executable and run it to add these rules to your firewall. After that you would just have to rebuild your chain rules.
I would suggest making a backup copy of your firewall config in the future.
05-06-2013 #7 (Join Date: Apr 2013, Location: US, Posts: 4)
Thanks for the help! I absolutely will be making numerous backups of the rules in different places before I try scripting out iptables again.
What do you mean exactly when you say rebuild my chain rules?
Thanks again.
05-06-2013 #8
Code:
Chain acctboth (2 references)
target     prot opt source               destination
           tcp  --  10.0.0.69            anywhere             tcp dpt:http
           tcp  --  anywhere             10.0.0.69            tcp spt:http
           tcp  --  10.0.0.69            anywhere             tcp dpt:smtp
           tcp  --  anywhere             10.0.0.69            tcp spt:smtp
           tcp  --  10.0.0.69            anywhere             tcp dpt:pop3
           tcp  --  anywhere             10.0.0.69            tcp spt:pop3
           icmp --  10.0.0.69            anywhere
           icmp --  anywhere             10.0.0.69
           tcp  --  10.0.0.69            anywhere
           tcp  --  anywhere             10.0.0.69
           udp  --  10.0.0.69            anywhere
           udp  --  anywhere             10.0.0.69
           all  --  10.0.0.69            anywhere
           all  --  anywhere             10.0.0.69
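The "rebuild your chain rules" step from post #6 and the acctboth chain quoted in post #8 are the hard part of this recovery: the `*mangle ... COMMIT` and `*filter ... COMMIT` sections in the original paste are already in iptables-save syntax and can be fed straight to iptables-restore (note that the `-A icmp_packets` lines rely on the `:icmp_packets - [0:0]` declaration, so the "prefix every -A with iptables" approach needs an `iptables -N icmp_packets` first), but the `Chain acctboth (2 references)` listing is `iptables -L` output, which has no `-A` lines at all. The script below is an added example, not code from the thread or from any poster; it turns a plain `iptables -L` listing (no `-v`, no `-n`, so names like `anywhere` and `http` appear, as in the thread) into iptables-restore input for the filter table: chain declarations first (user-defined chains get `-` as the policy), then one `-A` line per rule. The service-name table and the sample listing are constructed for the example. The reconstruction is lossy by nature, since `-L` does not show interfaces or most match options, so the converter fails loudly on anything it cannot translate rather than silently dropping it; for real backups `iptables-save`, or `iptables -S`, which prints the live rules in `-A` form, is the right tool.

```python
"""Rebuild iptables-restore input from plain `iptables -L` output (added example)."""
import re

# Constructed sample: the relevant parts of the `iptables -L` output posted in the thread.
SAMPLE_L_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  anywhere             anywhere

Chain acctboth (2 references)
target     prot opt source               destination
           tcp  --  10.0.0.69            anywhere             tcp dpt:http
           tcp  --  anywhere             10.0.0.69            tcp spt:http
           icmp --  10.0.0.69            anywhere
           all  --  anywhere             10.0.0.69
"""

# Assumed name->port table for the service names `iptables -L` prints instead of
# numbers; unknown names are passed through because iptables resolves them itself.
SERVICE_PORTS = {"http": 80, "smtp": 25, "pop3": 110, "ssh": 22, "https": 443}

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
# target may be empty (rule that only counts packets), so the line then starts with spaces
RULE_RE = re.compile(r"^(\S*)\s+(\S+)\s+(--|\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"\b(dpt|spt):(\S+)")
STATE_RE = re.compile(r"\bstate (\S+)")


def _addr_flag(flag, value):
    """Map a source/destination column to '-s X' / '-d X'; 'anywhere' needs no option."""
    negate = value.startswith("!")
    value = value.lstrip("!")
    if value in ("anywhere", "0.0.0.0/0"):
        return []
    return (["!"] if negate else []) + [flag, value]


def _match_flags(extra, prot):
    """Translate the trailing match text ('tcp dpt:http', 'state RELATED,ESTABLISHED')."""
    flags = []
    for kind, name in PORT_RE.findall(extra):
        port = SERVICE_PORTS.get(name, name)
        flags += ["--dport" if kind == "dpt" else "--sport", str(port)]
    rest = PORT_RE.sub("", extra)
    m = STATE_RE.search(rest)
    if m:
        flags += ["-m", "state", "--state", m.group(1)]
        rest = STATE_RE.sub("", rest)
    # `-L` prefixes port matches with the match module name ('tcp dpt:80'); any other
    # leftover text is a match we cannot reconstruct, so refuse rather than drop it.
    leftover = [w for w in rest.split() if w != prot]
    if leftover:
        raise ValueError("cannot translate match options: %r" % " ".join(leftover))
    return flags


def rule_to_append(chain, target, prot, src, dst, extra):
    """Build one '-A chain ...' line in iptables-save syntax."""
    parts = ["-A", chain] + _addr_flag("-s", src) + _addr_flag("-d", dst)
    if prot != "all":
        parts += ["-p", prot]
    parts += _match_flags(extra, prot)
    if target:  # an empty target is a pure accounting rule, as in the acctboth chain
        parts += ["-j", target]
    return " ".join(parts)


def parse_listing(text):
    """Parse `iptables -L` text into (chain declarations, -A rules) for one table."""
    chains, rules, chain = [], [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, policy = m.group(1), m.group(2) or "-"  # '-' marks a user-defined chain
            chains.append(":%s %s [0:0]" % (chain, policy))
            continue
        if not line.strip() or line.startswith("target") or chain is None:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule line: %r" % line)
        target, prot, _opt, src, dst, extra = m.groups()
        rules.append(rule_to_append(chain, target, prot, src, dst, extra))
    return chains, rules


def to_restore_format(text, table="filter"):
    """Return text for `iptables-restore`: table header, declarations, rules, COMMIT."""
    chains, rules = parse_listing(text)
    return "\n".join(["*" + table] + chains + rules + ["COMMIT"]) + "\n"


if __name__ == "__main__":
    print(to_restore_format(SAMPLE_L_OUTPUT), end="")
```

Run it and redirect the output to a file, inspect it, then load it with `iptables-restore < file` (or `iptables-restore --test` first on versions that support it). Because all `:chain` declarations precede the `-A` lines, references such as `-A INPUT -j acctboth` resolve even though acctboth is listed last in the `-L` output.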
05-06-2013 #9 (Join Date: Apr 2013, Location: US, Posts: 4)
Thanks, I'll give that a shot.