iptables: How to list and delete firewall rules

In some cases the firewall rules on your server may restrict your own access or prevent a service from working properly.

Below are some commands that help with maintaining the firewall rules on your server:

 

LIST ALL RULES

(-S prints the rules of the filter table in the same syntax used to create them, which is why its output can be fed back to iptables; other tables need -t, e.g. -t nat.)

# iptables -S

Example:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ALLOWIN
-N ALLOWOUT
-N DENYIN
-N DENYOUT
-N INVALID
-N INVDROP
-N LOCALINPUT
-N LOCALOUTPUT
-N LOGDROPIN
-N LOGDROPOUT
-N SMTPOUTPUT
-N SYNFLOOD
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT


LIST A SPECIFIC CHAIN

# iptables -S INPUT

Example:

# iptables -S INPUT
-P INPUT DROP
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 4443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 19000 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN

LIST RULES AS A TABLE

Without -n, iptables resolves addresses and ports to names (in the example below 8.8.4.4 appears as google-public-dns-b.google.com and port 8889 as ddi-tcp-2). Those lookups are slow, hang when DNS is unavailable and hide the real values, so use -n when auditing a rule set.

# iptables -L

Example:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
SYNFLOOD   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-dir
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pharos
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:igrid
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:49152:65534

LIST A SPECIFIC CHAIN AS A TABLE

# iptables -L INPUT

Example:

# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
SYNFLOOD   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-dir
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pharos
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:igrid
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:49152:65534
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPIN  all  --  anywhere             anywhere

LIST THE PACKET AND BYTE COUNTERS PER RULE

The counters are cumulative since the rule was loaded or last zeroed. Add -n to skip name resolution and -x to print exact numbers instead of the K/M/G suffixes shown below.

# iptables -L INPUT -v

Example:

# iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   124 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
  465 19628 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
    0     0 ACCEPT     tcp  --  !lo    any     google-public-dns-b.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  !lo    any     google-public-dns-b.google.com  anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  !lo    any     google-public-dns-b.google.com  anywhere             tcp spt:domain
 141K 9784K ACCEPT     udp  --  !lo    any     google-public-dns-b.google.com  anywhere             udp spt:domain
    0     0 ACCEPT     tcp  --  !lo    any     google-public-dns-a.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  !lo    any     google-public-dns-a.google.com  anywhere             udp dpt:domain
  537  342K ACCEPT     tcp  --  !lo    any     google-public-dns-a.google.com  anywhere             tcp spt:domain
4755K  491M ACCEPT     udp  --  !lo    any     google-public-dns-a.google.com  anywhere             udp spt:domain
  91M   40G LOCALINPUT  all  --  !lo    any     anywhere             anywhere
5903K 3575M ACCEPT     all  --  lo     any     anywhere             anywhere
2339K  132M SYNFLOOD   tcp  --  !lo    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
  81M   39G INVALID    tcp  --  !lo    any     anywhere             anywhere
  78M   39G ACCEPT     all  --  !lo    any     anywhere             anywhere             state RELATED,ESTABLISHED
   61  2488 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:ftp-data
 9267  513K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:ftp
 322K   18M ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:smtp
   44  1960 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:domain
1488K   86M ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:http
 104K 5496K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:pop3
 7846  462K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:imap
93399 5184K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:https
 4386  240K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:urd
 175K 9442K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:submission
15377  928K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:imaps
 5755  344K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:pop3s
    1    40 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
  100  5872 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:infowave
 2718  151K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:radsec
    2    80 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:gnunet
 1343 75584 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:eli
  151  8220 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:nbx-ser
12091  632K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:nbx-dir
24325 1391K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:mysql
  199  7972 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:pharos
   14   724 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:igrid
 4132  210K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpts:49152:65534
    0     0 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:ftp-data
    0     0 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:ftp
   44  2826 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:domain
  964 62604 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
    0     0 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
   35  3300 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp time-exceeded
  206 14999 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp destination-unreachable
25936 1519K LOGDROPIN  all  --  !lo    any     anywhere             anywhere
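Two questions a practitioner asks of the -v listing are which rules never matched (candidates for removal, or a sign that a service is not reachable) and which rules carry the most traffic (the 25936 packets that ended in LOGDROPIN above deserve a look). The script below is an added example, not part of the original page: it extracts both answers from a saved dump of iptables -L INPUT -v -n -x. The dump embedded in it is a constructed excerpt based on the listing above, assuming numeric output (-n) and exact counters (-x); on a live host pipe the real command output into the same functions.

```sh
#!/bin/sh
# Added example (not from the original page): find dead and hot rules from the
# counters of `iptables -L INPUT -v -n -x`. The dump below is constructed from
# the listing on this page, with -n (numeric) and -x (exact counters) assumed.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        124 ACCEPT     tcp  --  !lo    any     0.0.0.0/0            0.0.0.0/0            tcp dpt:8889 limit: avg 100/sec burst 150
       0          0 ACCEPT     tcp  --  !lo    any     8.8.4.4              0.0.0.0/0            tcp dpt:53
       0          0 ACCEPT     udp  --  !lo    any     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
   24325    1424384 ACCEPT     tcp  --  !lo    any     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:3306
   25936    1555456 LOGDROPIN  all  --  !lo    any     0.0.0.0/0            0.0.0.0/0'

# Rules that have never matched: prints "<rule number>\t<target and match>".
# The rule number is the position in the chain, i.e. the same value that
# `iptables -L --line-numbers` prints, so it can be used directly with -D.
dead_rules() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ && $1 == 0 {
        n = NR - 2             # two header lines precede the first rule
        $1 = ""; $2 = ""       # drop pkts/bytes, keep target and match
        sub(/^ +/, "")
        print n "\t" $0
    }'
}

# The N rules (default 5) with the most packets: "<pkts>\t<rule number>\t<target>".
top_rules() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ { print $1 "\t" (NR - 2) "\t" $3 }' \
        | sort -k1,1nr | head -n "${1:-5}"
}

echo "rules with zero hits (rule number, rule):"
printf '%s\n' "$SAMPLE_COUNTERS" | dead_rules
echo "busiest rules (packets, rule number, target):"
printf '%s\n' "$SAMPLE_COUNTERS" | top_rules 3
```

On a live host replace the sample with the real dump: iptables -L INPUT -v -n -x | dead_rules. A zero count is only meaningful after the counters have accumulated for a representative period, so check when they were last zeroed (see -Z below) before deleting anything.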

RESET THE PACKET AND BYTE COUNTERS

Zeroes the counters of every chain in the filter table (the rules themselves are kept; -L -v -Z lists the counters and zeroes them in one step):

# iptables -Z

Zeroes only the counters of the chosen chain:

# iptables -Z INPUT

SHOW IPTABLES RULES WITH LINE NUMBERS

# iptables -L --line-numbers

Example:

# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
3    ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
4    ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
5    ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
6    ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
7    ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
8    ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
9    ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
10   ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
11   LOCALINPUT  all  --  anywhere             anywhere
12   ACCEPT     all  --  anywhere             anywhere
13   SYNFLOOD   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
14   INVALID    tcp  --  anywhere             anywhere
15   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
16   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
17   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
18   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
19   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
20   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http

REMOVE A SPECIFIC RULE

Removes rule number 3 from the INPUT chain (in the numbered listing above, the rule accepting TCP port 53 from 8.8.4.4). Rule numbers are positions, not identifiers: once rule 3 is gone the old rule 4 becomes rule 3, so list the chain again before deleting another rule by number, or delete by full specification (-D INPUT followed by the rule exactly as -S prints it):

# iptables -D INPUT 3
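Deleting by index is fragile because every deletion renumbers the rules below it. The script below, added here as an example and not part of the original page, shows the two safe ways to do it: turning the -S output into exact -D commands (so the rule is deleted by its full specification), and deleting several indexes from the highest to the lowest so the remaining indexes stay valid. The embedded rule dump is a constructed excerpt of the -S INPUT listing above; IPTABLES, APPLY and the helper names are assumptions of this example, and nothing is executed unless APPLY=1.

```sh
#!/bin/sh
# Added example (not from the original page): delete iptables rules by their
# specification instead of by index, and delete several indexes safely.
# IPTABLES can be overridden, e.g. IPTABLES="echo iptables", to see the commands.
IPTABLES="${IPTABLES:-iptables}"

# Constructed excerpt of `iptables -S INPUT` output, taken from the listing above.
SAMPLE_DUMP='-P INPUT DROP
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN'

# Turn every "-A CHAIN <spec>" line of an `iptables -S` dump (stdin) that contains
# PATTERN (matched as a fixed string) into the matching "-D CHAIN <spec>" command.
# Deleting by full specification is exact and does not depend on positions.
rules_to_delete() {
    chain="$1"; pattern="$2"
    awk -v chain="$chain" -v pat="$pattern" -v ipt="$IPTABLES" '
        index($0, "-A " chain " ") == 1 && index($0, pat) > 0 {
            sub(/^-A /, "")
            print ipt " -D " $0
        }'
}

# Delete rules by index, highest first, so each deletion leaves the lower
# indexes that are still to be deleted unchanged.
delete_by_index() {
    chain="$1"; shift
    for n in $(printf '%s\n' "$@" | sort -rn); do
        echo "$IPTABLES -D $chain $n"
    done
}

# Run a plan read on stdin. Dry run unless APPLY=1.
apply_plan() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd   # word splitting intended: an iptables spec has no quoted words
        else
            echo "DRY-RUN: $cmd"
        fi
    done
}

# The trailing space in the pattern keeps "--dport 3306 " from matching 33060.
printf '%s\n' "$SAMPLE_DUMP" | rules_to_delete INPUT '--dport 3306 ' | apply_plan
delete_by_index INPUT 3 17 5 | apply_plan
```

On a live host replace the sample with iptables -S INPUT | rules_to_delete INPUT '--dport 3306 ' and review the dry-run output before rerunning with APPLY=1; -D fails with "Bad rule" if the specification no longer matches, which is the safe outcome.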

 

FLUSH A CHAIN

Flushing removes the rules but keeps the chain's policy. With the DROP policies shown above, flushing INPUT removes every ACCEPT rule and the server stops answering, including to the SSH session that ran the command. When working remotely, set the policy to ACCEPT first (see the next section).

A single chain:

# iptables -F INPUT

All chains (of the filter table only; other tables need -t):

# iptables -F

 

REMOVE ALL RULES, DELETE ALL CHAINS AND ACCEPT ALL TRAFFIC

First, set the default policies to ACCEPT. This must come before any flush: with a DROP policy, an emptied INPUT chain drops every packet, including those of the session running these commands.

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

Now flush all chains, including the nat and mangle tables.
Remember: -F flushes the rules, -X deletes the (now empty) user-defined chains. Both act on the filter table unless -t is given, so the -X below leaves user-defined chains in nat and mangle in place unless it is repeated with -t nat and -t mangle:

# iptables -t nat -F
# iptables -t mangle -F
# iptables -F
# iptables -X
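The sequence above can be generalised into a reset that is lockout-safe and complete across tables, and that can be verified afterwards. The script below is an added example, not part of the original page: it emits the commands in the right order (policies first, then -F, -X and -Z for the filter, nat, mangle and raw tables), saves the current rule set with iptables-save before running them, and counts the user-defined chains left in an -S dump, which must be zero after a full reset. IPTABLES, APPLY, BACKUP and the function names are assumptions of this example; with APPLY unset it only prints the plan.

```sh
#!/bin/sh
# Added example (not from the original page): lockout-safe, complete reset of
# iptables across all tables, with a backup first. Dry run unless APPLY=1.
IPTABLES="${IPTABLES:-iptables}"

# Print the reset commands in a safe order:
#  1. set the filter policies to ACCEPT *before* flushing, so that emptying a
#     chain under a DROP policy does not cut off the session doing the reset;
#  2. flush (-F), delete user chains (-X) and zero counters (-Z) in every table,
#     since without -t only the filter table is touched and user chains in
#     nat/mangle would survive. (raw exists on most kernels; security is omitted.)
reset_plan() {
    for chain in INPUT FORWARD OUTPUT; do
        echo "$IPTABLES -P $chain ACCEPT"
    done
    for table in filter nat mangle raw; do
        for op in -F -X -Z; do
            echo "$IPTABLES -t $table $op"
        done
    done
}

# Count user-defined chains in an `iptables -S` dump read on stdin. Every
# "-N" line is a user chain, so after a complete reset this must print 0.
count_user_chains() {
    grep -c '^-N ' || true
}

if [ "${APPLY:-0}" = 1 ]; then
    # Keep a restorable copy first: `iptables-restore < "$BACKUP"` undoes the reset.
    BACKUP="${BACKUP:-/root/iptables-$(date +%Y%m%d%H%M%S).rules}"
    iptables-save > "$BACKUP"
    echo "saved current rules to $BACKUP"
    reset_plan | sh -e
    echo "user chains left in filter: $($IPTABLES -S | count_user_chains)"
else
    echo "plan (set APPLY=1 to execute):"
    reset_plan
fi
```

Remember that this leaves the host fully open; it is a troubleshooting step, not an end state. Reload a known-good rule set (iptables-restore from the backup, or the firewall tool's own restart) as soon as the problem is found.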