iptables
iptables for firewall
Tips on iptables, which configures routing of IP addresses and ports.
The behaviour of router network configuration, firewalls, Docker, WireGuard and the like is decided by iptables. Learn it together with iproute2.
The roles of "ifconfig" and "netstat" have been taken over by iproute2.
"ip rule" and "ip route" are among the commands included in iproute2.
iptables itself is likewise being replaced by nftables.
netfilter.org: iptables and nftables documentation
https://www.netfilter.org/documentation/index.html
Utilities obsoleted by iproute2
| Legacy utility | Replacement command | Note |
|---|---|---|
| ifconfig | ip addr, ip link, ip -s | Address and link configuration |
| route | ip route | Routing tables |
| arp | ip neigh | Neighbors |
| iptunnel | ip tunnel | Tunnels |
| nameif, ifrename | ip link set name | Rename network interfaces |
| ipmaddr | ip maddr | Multicast |
| netstat | ip -s, ss, ip route | Show various networking statistics |
| brctl | bridge | Handle bridge addresses and devices |
iptables - ArchWiki
https://wiki.archlinux.jp/index.php/Iptables
iptables Tutorial
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES
Note: port settings made with iptables are not per-process settings, so they do not show up in netstat.
Check the manual, or run $ man iptables
https://man7.org/linux/man-pages/man8/iptables.8.html
SYNOPSIS
iptables [-t table] {-A|-C|-D} chain rule-specification
ip6tables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
TABLES
There are currently five independent tables (which tables are
present at any time depends on the kernel configuration options
and which modules are present).
-t, --table table
This option specifies the packet matching table which the
command should operate on. If the kernel is configured
with automatic module loading, an attempt will be made to
load the appropriate module for that table if it is not
already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed).
It contains the built-in chains INPUT (for packets
destined to local sockets), FORWARD (for packets being
routed through the box), and OUTPUT (for locally-
generated packets).
nat:
This table is consulted when a packet that creates a
new connection is encountered. It consists of four
built-ins: PREROUTING (for altering packets as soon as
they come in), INPUT (for altering packets destined
for local sockets), OUTPUT (for altering locally-
generated packets before routing), and POSTROUTING
(for altering packets as they are about to go out).
IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration.
Until kernel 2.4.17 it had two built-in chains:
PREROUTING (for altering incoming packets before
routing) and OUTPUT (for altering locally-generated
packets before routing). Since kernel 2.4.18, three
other built-in chains are also supported: INPUT (for
packets coming into the box itself), FORWARD (for
altering packets being routed through the box), and
POSTROUTING (for altering packets as they are about to
go out).
raw:
This table is used mainly for configuring exemptions
from connection tracking in combination with the
NOTRACK target. It registers at the netfilter hooks
with higher priority and is thus called before
ip_conntrack, or any other IP tables. It provides the
following built-in chains: PREROUTING (for packets
arriving via any network interface) and OUTPUT (for
packets generated by local processes).
security:
This table is used for Mandatory Access Control (MAC)
networking rules, such as those enabled by the SECMARK
and CONNSECMARK targets. Mandatory Access Control is
implemented by Linux Security Modules such as SELinux.
The security table is called after the filter table,
allowing any Discretionary Access Control (DAC) rules
in the filter table to take effect before MAC rules.
This table provides the following built-in chains:
INPUT (for packets coming into the box itself), OUTPUT
(for altering locally-generated packets before
routing), and FORWARD (for altering packets being
routed through the box).
OPTIONS
The options that are recognized by iptables and ip6tables can be
divided into several different groups.
COMMANDS
These options specify the desired action to perform. Only one of
them can be specified on the command line unless otherwise stated
below. For long versions of the command and option names, you
need to use only enough letters to ensure that iptables can
differentiate it from all other options.
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain.
When the source and/or destination names resolve to more
than one address, a rule will be added for each possible
address combination.
-C, --check chain rule-specification
Check whether a rule matching the specification does exist
in the selected chain. This command uses the same logic as
-D to find a matching entry, but does not alter the
existing iptables configuration and uses its exit code to
indicate success or failure.
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There
are two versions of this command: the rule can be
specified as a number in the chain (starting at 1 for the
first rule) or a rule to match.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the
given rule number. So, if the rule number is 1, the rule
or rules are inserted at the head of the chain. This is
also the default if no rule number is specified.
-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source
and/or destination names resolve to multiple addresses,
the command will fail. Rules are numbered starting at 1.
-L, --list [chain]
List all rules in the selected chain. If no chain is
selected, all chains are listed. Like every other iptables
command, it applies to the specified table (filter is the
default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in
order to avoid long reverse DNS lookups. It is legal to
specify the -Z (zero) option as well, in which case the
chain(s) will be atomically listed and zeroed. The exact
output is affected by the other arguments given. The exact
rules are suppressed until you use
iptables -L -v
or iptables-save(8).
-S, --list-rules [chain]
Print all rules in the selected chain. If no chain is
selected, all chains are printed like iptables-save. Like
every other iptables command, it applies to the specified
table (filter is the default).
Checking the rules in the nat table
$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i wg0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.8.0.3
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
Deleting a rule
$ sudo iptables -t nat -D PREROUTING -i wg0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.8.0.3
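Added example (not from the original page): parse the `iptables -t nat -S` listing above, summarise which DNAT forwardings the box exposes, and build the matching `-C` (check) and `-D` (delete) commands, since the page removes a rule by re-issuing its `-A` line with `-D`. The listing is embedded as a constructed sample; `parse_listing`, `option`, `dnat_exposures` and `delete_command` are names chosen here.

```python
import shlex

# Constructed sample: the `iptables -t nat -S` listing shown above.
NAT_LISTING = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i wg0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.8.0.3
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
"""

def parse_listing(text):
    """Split `iptables -S` output into chain policies, user chains and -A rules."""
    policies, chains, rules = {}, [], []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":                 # default policy of a built-in chain
            policies[tok[1]] = tok[2]
        elif tok[0] == "-N":               # user-defined chain (DOCKER here)
            chains.append(tok[1])
        elif tok[0] == "-A":               # rule; spec = everything after "-A "
            rules.append({"chain": tok[1], "args": tok[2:], "spec": line[3:]})
    return policies, chains, rules

def option(args, flag):
    """Value following `flag` in a rule's argument list, or None if absent."""
    return args[args.index(flag) + 1] if flag in args else None

def dnat_exposures(rules):
    """(in-iface, proto, dport, destination) per DNAT rule: what the box forwards."""
    return [(option(r["args"], "-i"), option(r["args"], "-p"),
             option(r["args"], "--dport"), option(r["args"], "--to-destination"))
            for r in rules
            if r["chain"] == "PREROUTING" and option(r["args"], "-j") == "DNAT"]

def delete_command(rule, table="nat"):
    """Check (-C) and delete (-D) commands that re-issue the rule's own spec."""
    return (f"iptables -t {table} -C {rule['spec']}",
            f"iptables -t {table} -D {rule['spec']}")
```

Run the `-C` command first: its exit code tells you whether the rule still exists before you delete it.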
25 Most Frequently Used Linux IPTables Rules Examples
Iptables Essentials: Common Firewall Rules and Commands
firewallsetup
Simple stateful firewall
https://wiki.archlinux.jp/index.php/シンプルなステートフルファイアウォール
Reference: how packets flow through Netfilter
Saving and restoring the configuration, and loading it at boot
https://www.cyberciti.biz/faq/how-to-save-iptables-firewall-rules-permanently-on-linux/
Saving rules
$ sudo /sbin/iptables-save > /etc/iptables/rules.v4
## IPv6 ##
$ sudo /sbin/ip6tables-save > /etc/iptables/rules.v6
Checking the saved rules
$ cat /etc/iptables/rules.v4
Restoring
## Debian or Ubuntu ##
$ sudo /sbin/iptables-restore < /etc/iptables/rules.v4
$ sudo /sbin/ip6tables-restore < /etc/iptables/rules.v6
## CentOS/RHEL ##
$ sudo /sbin/iptables-restore < /etc/sysconfig/iptables
$ sudo /sbin/ip6tables-restore < /etc/sysconfig/ip6tables
Loading the configuration at boot
Please note that the following command will conflict with iptables frontends such as ufw command or firewall-cmd command. Avoid using the following packages if you are using those tools.
$ sudo apt install iptables-persistent
## OR ##
$ sudo apt-get install iptables-persistent
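Added example (not from the original page or the linked article): a pre-restore sanity check for a rules.v4 file written by iptables-save, run before `iptables-restore` or before iptables-persistent loads it at boot. It parses the save format (`*table`, `:CHAIN POLICY [pkts:bytes]`, `-A` rules, `COMMIT`) and reports a table with no COMMIT, rules on undeclared chains, and filter INPUT/FORWARD policies left at ACCEPT; the sample file and the name `check_saved_rules` are constructed here.

```python
# Constructed sample of a rules.v4 file with three deliberate defects: filter INPUT
# defaults to ACCEPT, a rule targets an undeclared chain, and filter lost its COMMIT.
SAVED_RULES = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A WIREGUARD -p udp --dport 51820 -j ACCEPT
"""

def check_saved_rules(text):
    """Return {table: {"policies": {chain: policy}, "problems": [...], "committed": bool}}."""
    report, table, declared = {}, None, set()
    def finish():                          # a table without COMMIT is never applied
        if table and not report[table]["committed"]:
            report[table]["problems"].append("missing COMMIT")
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):           # start of a table block
            finish()
            table, declared = line[1:], set()
            report[table] = {"policies": {}, "problems": [], "committed": False}
        elif table is None:
            raise ValueError(f"line {n}: entry before any *table")
        elif line.startswith(":"):         # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            declared.add(chain)
            if policy != "-":              # "-" marks a user-defined chain
                report[table]["policies"][chain] = policy
        elif line == "COMMIT":
            report[table]["committed"] = True
        elif line.startswith("-A "):
            chain = line.split()[1]
            if chain not in declared:
                report[table]["problems"].append(f"line {n}: -A on undeclared chain {chain}")
    finish()
    for chain in ("INPUT", "FORWARD"):     # open-by-default filter policies
        if report.get("filter", {}).get("policies", {}).get(chain) == "ACCEPT":
            report["filter"]["problems"].append(f"{chain} default policy is ACCEPT")
    return report
```

Call `check_saved_rules(open("/etc/iptables/rules.v4").read())` and refuse to restore while any table lists problems.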