Iptables (Debian): Unterschied zwischen den Versionen

Aus Matts Wiki
← Zum vorherigen Versionsunterschied
VisuellWikitext
Keine Bearbeitungszusammenfassung
Keine Bearbeitungszusammenfassung
 
(11 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
== Befehle ==
Further reading: [[Nftables - nft]]
iptables-restore < iptables.rules      # Regeln aus iptables.rules in IPTables importieren
iptables-save > iptables.rules          # Regeln aus iptables.rules nach IPTables exportieren
iptables -L                            # Aktive Firewallkonfiguration anzeigen
iptables -L -v                          # Aktive Firewallkonfiguration mit mehr Details anzeigen
iptables -S                            # Aktive Firewallregeln anzeigen
iptables -F                            # Flush / Aktive Regeln löschen


== iptables 1.4.21 auf Debian 8.0 einrichten ==
== Commands ==


  # cd /etc
=== General Commands ===
  # wget <iptables rules file>
  iptables-save > iptables.rules          # Export iptables rules to iptables.rules
  # chmod 600 iptables.rules
  iptables-restore < iptables.rules      # Import iptables rules from iptables.rules
  # nano iptables.test.rules # update at least SSH port
  iptables -L                            # List active iptables rules
  # iptables-restore < iptables.rules
  iptables -L [CHAIN]                    # List active iptables rules for given chain name
iptables -L -v                          # List active iptables rules and show adapters
iptables -S                            # List active in iptables-save-format
  iptables -F                            # Flush active rules
In case of <code>iptables -L</code> being very slow try:
iptables -L -n                          # List active iptables with numeric output
Parameter <code>-n</code> leads to showing numeric values. This prevents reverse DNS lookup for IP Adresses possibly slowing the whole process.


Prüfen, ob SSH Zugriff noch funktioniert.
=== Create Blocking Rules Manually ===
Block individual IP address:
sudo iptables -A INPUT -s 1.2.3.4 -j DROP
Works with range of IP addresses as well:
sudo iptables -A INPUT -s 1.2.3.0/24 -j DROP
Make it permanent then:
netfilter-persistent save


iptables Konfiguration beim Netzwerk Startup laden:
=== Checking How Many Packets Dropped ===
sudo iptables -L INPUT -v --line-numbers


  # iptables-save > iptables.rules
=== Deleting Iptables Rules ===
  # chmod 600 iptables.rules
List the rules with line numbers:
  # cd /etc/network/if-pre-up.d/
  sudo iptables -L [CHAIN] –-line-numbers
# wget <iptables load file>
i.e.:
  # chmod +x iptables
sudo iptables -L INPUT –line-numbers
Delete a rule by its number in a specific chain:
sudo iptables -D [CHAIN] [number]
i.e.:
sudo iptables -D INPUT 4
Delete by rule specification:
sudo iptables -D [CHAIN] -p [PROTOCOL] –dport [PORT] -j [TARGET]
 
== iptables on Debian ==
 
=== Add iptables Rule File ===
 
Copy '''iptables.rules''' to '''/etc'''
 
chown root:root iptables.rules
  chmod 600 iptables.rules
  iptables-restore < iptables.rules
 
Check, if still works.
 
=== Enable Automatic Load of Rules at Startup ===
 
Copy iptables-restore script to '''/etc/network/if-pre-up.d/'''
 
Add execution permissions:
 
  chmod +x iptables
 
The package '''iptables-persistent''' which also can be used for persisting iptables:


Hierfür kann auch der Dienst iptables-persistent genutzt werden. Muss vorher installiert werden:
  # apt-get install iptables-persistent
  # apt-get install iptables-persistent
== Blacklisting with ipset with Automatic Updates ==
See: https://github.com/trick77/ipset-blacklist


[[Category:Linux]]
[[Category:Linux]]
[[Category:Debian]]
[[Category:Terminal]]
[[Category:Terminal]]

Aktuelle Version vom 8. November 2025, 00:27 Uhr

Further reading: Nftables - nft

Commands

General Commands

iptables-save > iptables.rules          # Export iptables rules to iptables.rules
iptables-restore < iptables.rules       # Import iptables rules from iptables.rules
iptables -L                             # List active iptables rules
iptables -L [CHAIN]                     # List active iptables rules for given chain name
iptables -L -v                          # List active iptables rules and show adapters
iptables -S                             # List active in iptables-save-format
iptables -F                             # Flush active rules

In case of iptables -L being very slow try: 

iptables -L -n                          # List active iptables with numeric output

Parameter -n leads to showing numeric values. This prevents reverse DNS lookup for IP Adresses possibly slowing the whole process.

Create Blocking Rules Manually

Block individual IP address: 

sudo iptables -A INPUT -s 1.2.3.4 -j DROP

Works with range of IP addresses as well: 

sudo iptables -A INPUT -s 1.2.3.0/24 -j DROP

Make it permanent then: 

netfilter-persistent save

Checking How Many Packets Dropped

sudo iptables -L INPUT -v --line-numbers

Deleting Iptables Rules

List the rules with line numbers: 

sudo iptables -L [CHAIN] –-line-numbers

i.e.: 

sudo iptables -L INPUT –line-numbers

Delete a rule by its number in a specific chain: 

sudo iptables -D [CHAIN] [number]

i.e.: 

sudo iptables -D INPUT 4

Delete by rule specification: 

sudo iptables -D [CHAIN] -p [PROTOCOL] –dport [PORT] -j [TARGET]

iptables on Debian

Add iptables Rule File

Copy iptables.rules to /etc 

chown root:root iptables.rules
chmod 600 iptables.rules
iptables-restore < iptables.rules

Check, if still works.

Enable Automatic Load of Rules at Startup

Copy iptables-restore script to /etc/network/if-pre-up.d/

Add execution permissions: 

chmod +x iptables

The package iptables-persistent which also can be used for persisting iptables: 

# apt-get install iptables-persistent

Blacklisting with ipset with Automatic Updates

See: https://github.com/trick77/ipset-blacklist

Abgerufen von „https://otremba.net/w/index.php?title=Iptables_(Debian)&oldid=3747