In some cases the firewall rules on your server may limit your own access or stop a service from working properly.
Below are some commands that help with maintaining the firewall rules on your server:
LIST ALL RULES
# iptables -S
Example:
# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ALLOWIN
-N ALLOWOUT
-N DENYIN
-N DENYOUT
-N INVALID
-N INVDROP
-N LOCALINPUT
-N LOCALOUTPUT
-N LOGDROPIN
-N LOGDROPOUT
-N SMTPOUTPUT
-N SYNFLOOD
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
LIST A SPECIFIC CHAIN
# iptables -S INPUT
Example:
# iptables -S INPUT
-P INPUT DROP
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 4443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 19000 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
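The `-S` output above is the easiest form to audit mechanically, because it prints one rule per line with numeric ports. The script below is an added example (not part of the original page): it reads `iptables -S INPUT` style output and reports every port that accepts NEW connections but is not on a list of services the server is supposed to offer. The function names and the sample rule set are this example's own; the sample is constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original page: audit which ports the INPUT
# chain accepts for NEW connections, using "iptables -S INPUT" output.
# Function names and the sample rules below are this example's own.

# Constructed sample of "iptables -S INPUT" output (not a real server).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT -j LOGDROPIN'

# exposed_ports: read "iptables -S" style rules on stdin and print
# "proto/port" for every -A rule that ACCEPTs NEW connections to a
# destination port (matches both "-m state --state NEW" and the newer
# "-m conntrack --ctstate NEW" spelling).
exposed_ports() {
    awk '
        $1 == "-A" && $NF == "ACCEPT" && /--(ct)?state NEW/ && /--dport/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }'
}

# unexpected_ports ALLOWLIST: print every exposed port that is not in the
# space-separated allow-list of services the server is meant to offer.
unexpected_ports() {
    allow=" $1 "
    exposed_ports | while IFS= read -r entry; do
        case "$allow" in
            *" $entry "*) ;;                  # expected exposure, stay quiet
            *) printf '%s\n' "$entry" ;;      # not on the list: review it
        esac
    done
}

# audit_sample: run the audit over the constructed sample. On a live
# server the equivalent is:
#   iptables -S INPUT | unexpected_ports "tcp/22 tcp/80 udp/53"
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | unexpected_ports "tcp/22 tcp/80 udp/53"
}

audit_sample   # prints tcp/3306 and tcp/49152:65534
```

The check only looks at rules that terminate in ACCEPT directly in INPUT; traffic handed to a user chain (such as LOCALINPUT in the output above) and `-m multiport --dports` rules are not followed, so run the same audit over those chains separately. Prefer `-S` over `-L` for this kind of scripting: `-L` translates ports through /etc/services (`ddi-tcp-2`, `urd`), which is harder to compare against a list.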
LIST RULES AS A TABLE
# iptables -L
Example:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
SYNFLOOD   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-dir
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pharos
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:igrid
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:49152:65534
LIST A SPECIFIC CHAIN AS A TABLE
# iptables -L INPUT
Example:
# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
SYNFLOOD   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
INVALID    tcp  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:infowave
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:radsec
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:gnunet
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:eli
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-ser
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nbx-dir
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pharos
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:igrid
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:49152:65534
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp-data
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:domain
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
LOGDROPIN  all  --  anywhere             anywhere
LIST THE PACKET COUNT AND AGGREGATE SIZE PER RULE
# iptables -L INPUT -v
Example:
# iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   124 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
  465 19628 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
    0     0 ACCEPT     tcp  --  !lo    any     google-public-dns-b.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  !lo    any     google-public-dns-b.google.com  anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  !lo    any     google-public-dns-b.google.com  anywhere             tcp spt:domain
 141K 9784K ACCEPT     udp  --  !lo    any     google-public-dns-b.google.com  anywhere             udp spt:domain
    0     0 ACCEPT     tcp  --  !lo    any     google-public-dns-a.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  !lo    any     google-public-dns-a.google.com  anywhere             udp dpt:domain
  537  342K ACCEPT     tcp  --  !lo    any     google-public-dns-a.google.com  anywhere             tcp spt:domain
4755K  491M ACCEPT     udp  --  !lo    any     google-public-dns-a.google.com  anywhere             udp spt:domain
  91M   40G LOCALINPUT all  --  !lo    any     anywhere             anywhere
5903K 3575M ACCEPT     all  --  lo     any     anywhere             anywhere
2339K  132M SYNFLOOD   tcp  --  !lo    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
  81M   39G INVALID    tcp  --  !lo    any     anywhere             anywhere
  78M   39G ACCEPT     all  --  !lo    any     anywhere             anywhere             state RELATED,ESTABLISHED
   61  2488 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:ftp-data
 9267  513K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:ftp
 322K   18M ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:smtp
   44  1960 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:domain
1488K   86M ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:http
 104K 5496K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:pop3
 7846  462K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:imap
93399 5184K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:https
 4386  240K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:urd
 175K 9442K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:submission
15377  928K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:imaps
 5755  344K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:pop3s
    1    40 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:autodesk-nlm
  100  5872 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:infowave
 2718  151K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:radsec
    2    80 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:gnunet
 1343 75584 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:eli
  151  8220 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:nbx-ser
12091  632K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:nbx-dir
24325 1391K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:mysql
  199  7972 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:pharos
   14   724 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:igrid
 4132  210K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpts:49152:65534
    0     0 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:ftp-data
    0     0 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:ftp
   44  2826 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:domain
  964 62604 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
    0     0 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp echo-reply limit: avg 1/sec burst 5
   35  3300 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp time-exceeded
  206 14999 ACCEPT     icmp --  !lo    any     anywhere             anywhere             icmp destination-unreachable
25936 1519K LOGDROPIN  all  --  !lo    any     anywhere             anywhere
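The per-rule counters are the quickest way to see which rules actually do work: rules that have never matched are candidates for review, and the count on the final LOGDROPIN rule tells you how much traffic reached the chain without any ACCEPT rule matching it. The script below is an added example (not part of the original page) that reads `iptables -L INPUT -v` output and reports both. The function names and the sample output are this example's own; the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: read "iptables -L INPUT -v"
# output and report rules whose counters are still zero, plus how many
# packets fell through to the final LOGDROPIN rule. Function names and
# the sample output are this example's own.

# Constructed sample of "iptables -L INPUT -v" output (not a real server).
SAMPLE_COUNTERS='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
5903K 3575M ACCEPT     all  --  lo     any     anywhere             anywhere
  78M   39G ACCEPT     all  --  !lo    any     anywhere             anywhere             state RELATED,ESTABLISHED
 9267  513K ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:ssh
    0     0 ACCEPT     udp  --  !lo    any     anywhere             anywhere             state NEW udp dpt:ftp
1488K   86M ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  !lo    any     anywhere             anywhere             state NEW tcp dpt:mysql
25936 1519K LOGDROPIN  all  --  !lo    any     anywhere             anywhere'

# unused_rules: print "N: <rule>" for rows with zero packets. N is the
# row's position after the two header lines, which is the same number
# "iptables -L INPUT --line-numbers" shows and "iptables -D INPUT N" takes.
unused_rules() {
    awk 'NR > 2 && $1 == "0" {
        rule = $3
        for (i = 4; i <= NF; i++) rule = rule " " $i
        print NR - 2 ": " rule
    }'
}

# expand_count: iptables -v rounds large counters to K/M/G (powers of
# 1000); turn one back into a plain integer. "iptables -L INPUT -v -x"
# prints the exact values instead.
expand_count() {
    case "$1" in
        *K) echo $(( ${1%K} * 1000 )) ;;
        *M) echo $(( ${1%M} * 1000000 )) ;;
        *G) echo $(( ${1%G} * 1000000000 )) ;;
        *)  echo "$1" ;;
    esac
}

# dropped_packets: packet count of the LOGDROPIN row, i.e. traffic that no
# ACCEPT rule matched. A sudden rise here is the first thing to look at.
dropped_packets() {
    awk '$3 == "LOGDROPIN" { print $1; exit }'
}

# audit_counters: run both checks over the constructed sample. On a live
# server feed "iptables -L INPUT -v" into the functions instead.
audit_counters() {
    printf '%s\n' "$SAMPLE_COUNTERS" | unused_rules
    printf 'dropped: %s\n' \
        "$(expand_count "$(printf '%s\n' "$SAMPLE_COUNTERS" | dropped_packets)")"
}

audit_counters
```

A zero counter only means the rule has not matched since the counters were last cleared (a `-Z`, a reboot or a rule reload), not that the service behind it is unnecessary, so treat the list as a review queue rather than a deletion list. If you do delete several rules by number, work from the highest number down: every `-D INPUT N` renumbers the rules that follow it.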
RESET THE PACKET COUNT AND AGGREGATE SIZE
Reset the counters of all chains:
# iptables -Z
Reset only the chosen chain:
# iptables -Z INPUT
SHOW IPTABLES RULES WITH LINE NUMBERS
# iptables -L --line-numbers
Example:
# iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
3    ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
4    ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
5    ACCEPT     tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
6    ACCEPT     udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
7    ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
8    ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
9    ACCEPT     tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
10   ACCEPT     udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
11   LOCALINPUT all  --  anywhere             anywhere
12   ACCEPT     all  --  anywhere             anywhere
13   SYNFLOOD   tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
14   INVALID    tcp  --  anywhere             anywhere
15   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
16   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp-data
17   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ftp
18   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:smtp
19   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
20   ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
REMOVE A SPECIFIC RULE
Removes rule number 3 from the INPUT chain:
# iptables -D INPUT 3
FLUSH A CHAIN
A single chain:
# iptables -F INPUT
All chains:
# iptables -F
REMOVE ALL RULES, DELETE ALL CHAINS AND ACCEPT ALL TRAFFIC
First, allow all traffic on the server:
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
Now flush all chains, including the NAT and MANGLE tables.
Remember: -F (flush) and -X (delete):
# iptables -t nat -F
# iptables -t mangle -F
# iptables -F
# iptables -X
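The order above matters: setting the policies to ACCEPT before flushing is what keeps a remote session alive, because a flush with the policy still at DROP leaves nothing but DROP. The script below is an added example (not part of the original page) that runs the same sequence as a function, after first saving the live rule set with `iptables-save` so it can be put back with `iptables-restore`. The variables `IPTABLES` and `IPTABLES_SAVE`, the function name and the default backup path are this example's own; the variables exist so the commands can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not from the original page: put the firewall into an
# accept-all state in the order the page gives, taking a backup first.
# IPTABLES and IPTABLES_SAVE are this example's own variables so the
# commands can be pointed at a stub for a dry run.
set -e

IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"

# reset_firewall BACKUP_FILE: save the current rule set, open the
# policies, then flush and delete the chains.
reset_firewall() {
    backup="$1"

    # 1. Keep a copy of the live rules: "iptables-restore < BACKUP_FILE"
    #    brings them back if the reset turns out to be a mistake.
    "$IPTABLES_SAVE" > "$backup"

    # 2. Policies first. With the policy still DROP, a flush would leave
    #    only the DROP policy in place and cut every connection, including
    #    the session running this script.
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT
    done

    # 3. -F empties the chains (nat and mangle tables included); -X then
    #    deletes the user-defined chains, which must already be empty and
    #    unreferenced, so it has to come after -F.
    "$IPTABLES" -t nat -F
    "$IPTABLES" -t mangle -F
    "$IPTABLES" -F
    "$IPTABLES" -X
}

# Only act when explicitly asked; sourcing the file just defines the
# function. The default backup path is this example's own choice.
if [ "${1:-}" = "--run" ]; then
    reset_firewall "${2:-/root/iptables-before-reset.rules}"
fi
```

`-X` without `-t` only deletes user-defined chains in the filter table; if the nat or mangle tables also carry user chains, add `-t nat -X` and `-t mangle -X` after their flushes. Run the script as `sh reset.sh --run /path/to/backup.rules` with root privileges; without `--run` it only defines the function.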