The notes of iptables on ubuntu 14.04

Preface

This note records how iptables was configured on an Ubuntu host. It covers the following steps:

  • How to install the shadowsocks client on Ubuntu.
  • How to configure iptables.
  • How to save the configuration so it survives a reboot.

Install shadowsocks client

Detailed docs

PPA is for Ubuntu >= 14.04.

sudo add-apt-repository ppa:hzwhuang/ss-qt5   # add the PPA that ships the Qt client
sudo apt-get update
sudo apt-get install shadowsocks-qt5

Config iptables

Basic usage:

sudo iptables -L                         # list the rules of every chain
sudo iptables -S                         # list the rules as the iptables commands that would recreate them (the format used by iptables-save)
sudo iptables -A INPUT ... -j ACCEPT     # append a rule to a chain (full examples below); -I inserts instead of appending
sudo iptables -L -n                      # list rules with numeric addresses and ports; add -v to see per-rule packet and byte counters
sudo iptables -F                         # flush all rules (the chain policies set with -P are kept)

My config

# Default policies: everything is allowed unless a rule below rejects it.
# The REJECT rule near the end of the INPUT chain is therefore what actually blocks traffic.
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

# Loopback, plus replies to connections this host started
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# multiport lets one rule cover several destination ports
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443,8067 -m state --state NEW,ESTABLISHED -j ACCEPT

sudo iptables -A INPUT -p tcp -m tcp --dport 26029 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT     # ICMP type 0 = echo-reply
# Never matched: port 80 is already accepted by the multiport rule above, so this rate limit has no effect
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT

# LOG does not stop rule processing: this logs (at most 5 lines/min, level 7 = debug) everything that
# reaches this point, including packets accepted by later rules. Read the lines with dmesg or from /var/log/kern.log.
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

sudo iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT                        # DNS queries
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT    # SSH
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT    # HTTP (already covered by the multiport rule)
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT   # HTTPS (already covered by the multiport rule)
sudo iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT                  # ICMP type 8 = echo-request
# OUTPUT policy is ACCEPT and nothing below rejects, so this logs traffic that is allowed despite the "denied" prefix
sudo iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 24800 -j ACCEPT
sudo iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2425 -j ACCEPT

# -I without a position number inserts at the top of the chain, ahead of every rule above
sudo iptables -I INPUT -p tcp --dport 2425 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 2425 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --sport 2425 -j ACCEPT
sudo iptables -I OUTPUT -p udp --sport 2425 -j ACCEPT

# Ping in both directions, then reject everything else that got this far in INPUT.
# Any rule appended with -A INPUT after this REJECT is unreachable; insert new rules above it with -I INPUT <position>.
sudo iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
sudo iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

# NetBIOS/SMB (Samba): inserted at position 5 so they land before the REJECT rule
sudo iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
sudo iptables -I INPUT 5 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
sudo iptables -I INPUT 5 -p udp -m udp --dport 137 -j ACCEPT
sudo iptables -I INPUT 5 -p udp -m udp --dport 138 -j ACCEPT
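Two things go wrong easily in a ruleset built by hand like the one above: a rule appended with `-A` after the catch-all REJECT can never match, and a chain whose policy is ACCEPT with no terminal REJECT/DROP lets through anything the rules did not name. The script below is an added audit helper, not part of these notes, that reads a ruleset in the `iptables -S` format shown in the basic-usage section and reports both conditions. The function names `unreachable_rules` and `open_chains` and the `SAMPLE_RULES` ruleset are my own; the sample is constructed for the demonstration and was not captured from a real host.

```shell
# Added audit helper (not from the original notes). POSIX sh + awk.
#   unreachable_rules CHAIN   print rules appended after an unconditional
#                             REJECT/DROP in CHAIN (they can never match)
#   open_chains               print chains whose policy is ACCEPT and that
#                             have no catch-all REJECT/DROP rule, i.e. anything
#                             not matched by an earlier rule is silently allowed
# Both read `iptables -S` output on stdin.

# A rule of the form "-A CHAIN -j DROP|REJECT ..." has no match options, so it
# ends the chain for every packet; whatever is appended after it is dead code.
unreachable_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if (blocked) { print; next }
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked = 1
        }'
}

# Chains that fall through to an ACCEPT policy with no terminal rule.
open_chains() {
    awk '
        $1 == "-P" { policy[$2] = $3 }
        $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { terminal[$2] = 1 }
        END { for (c in policy) if (policy[c] == "ACCEPT" && !(c in terminal)) print c }
    ' | sort
}

# Constructed sample in `iptables -S` format (hypothetical, not a real host):
# the port 8080 rule sits after the catch-all REJECT, so it is unreachable,
# and FORWARD/OUTPUT accept everything by policy.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT'

echo "Unreachable INPUT rules:"
printf '%s\n' "$SAMPLE_RULES" | unreachable_rules INPUT
echo "Chains that accept whatever no rule matched:"
printf '%s\n' "$SAMPLE_RULES" | open_chains
```

On a live host run `sudo iptables -S | unreachable_rules INPUT` (or pipe into `open_chains`). The helpers expect the `-S` layout with `-P` and `-A` lines; `iptables-save` output uses `:INPUT ACCEPT [0:0]` for policies and would need the `-P` matcher adjusted.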

Save the config

sudo apt-get update
sudo apt-get install iptables-persistent       # the installer asks whether to save the current rules
sudo invoke-rc.d iptables-persistent save      # save the current rules so they are restored at boot
sudo iptables-save                             # prints the current rules to stdout only; to write the file iptables-persistent loads: sudo iptables-save | sudo tee /etc/iptables/rules.v4

END
