26/06/13 25 rules for iptables - Taringa!
www.taringa.net/posts/linux/15735840/25-reglas-para-iptables.html

25 rules for iptables
Posted by alband in Linux y GNU, more than 8 months before this copy was taken. Tags: firewall, ping, drop, accept, seguridad, iptables, forward, input, output.

1. Delete all existing rules
iptables -F
-F only flushes the rules of the filter table: chain policies stay as they are, user-defined chains are not deleted (that is iptables -X) and the nat and mangle tables are untouched (iptables -t nat -F).

2. Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
After these three lines nothing passes until ACCEPT rules are added, including the SSH session you may be typing from. Run them from a console, or from a script that loads the rest of the rules in the same pass.

3. Block a specific IP address
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
-A appends to the end of INPUT, so an earlier ACCEPT for the same address wins; use iptables -I INPUT 1 -s "$BLOCK_THIS_IP" -j DROP to put the block first.

4. Allow incoming SSH connections
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
This pattern repeats for every service below: the INPUT rule admits new connections to the port, and the OUTPUT rule lets out only replies that belong to connections already being tracked. -m state is the older spelling of -m conntrack --ctstate; current iptables accepts both.

5. Allow incoming SSH connections only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

7. Allow incoming HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

8. Multiport (allow incoming SSH, HTTP and HTTPS in one rule)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

9. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow outgoing SSH only to a specific network
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

11. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

12. Load-balance incoming HTTPS traffic
These rules spread new HTTPS connections across three back-ends. They belong in the nat table (the post omitted -t nat, and the filter table has no PREROUTING chain), and the nth match the post used comes from the out-of-tree patch-o-matic set; the mainline equivalent is -m statistic --mode nth. Because DNAT is a terminating target and each statistic rule keeps its own counter, the first rule takes every third connection, the second takes every second connection of what is left, and the third takes the rest:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -j DNAT --to-destination 192.168.1.103:443
On a box with FORWARD policy DROP (rule 2) the forwarded traffic to those back-ends also needs ACCEPT rules in FORWARD, and net.ipv4.ip_forward must be 1.

13. Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
This answers every echo request from anywhere; add -m limit --limit 5/second to the INPUT rule if you do not want to be a ping-flood target.

15. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Put these first: with policy DROP and no loopback rule, local services that talk to each other over 127.0.0.1 (databases, mail, resolvers) stop working.

16. Allow packets from the internal network out to the external network
# if eth1 is connected to the external network (internet)
# if eth0 is connected to the internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
This covers only the outbound direction; with FORWARD policy DROP the replies need a rule too, for example iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT, and forwarding has to be switched on with sysctl -w net.ipv4.ip_forward=1. Note that the interface roles here are the reverse of the rules above, where eth0 is the outside interface.

17. Allow DNS queries
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
The INPUT rule as written accepts any UDP packet whose source port is 53, to any local port, from anyone. Add -m state --state ESTABLISHED to it so that only replies to queries this host sent are let in (the ATTENTION section at the end makes the same point for the FORWARD chain). Resolvers fall back to TCP port 53 for large answers, so add matching tcp rules if you need that.

18. Allow NIS connections
# rpcinfo -p | grep ypbind   (on the author's machine this showed ports 853 and 850)
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT
ypbind's ports are handed out by the portmapper and can change between boots, so check rpcinfo -p on your own host before copying 853 and 850.

19. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

20. Allow MySQL connections only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

21. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

22. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

23. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

24. Prevent DoS attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
This rule only has an effect if it is the rule that admits port 80. Appended after rule 6 it is never reached, because rule 6 has already accepted the packet. Use it instead of rule 6, and add -m state --state NEW so the limit counts new connections rather than every packet of established ones; packets over the limit fall through to the DROP policy.

25. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
DNAT in PREROUTING rewrites the destination port before the filter INPUT chain sees the packet, and the reply's source port is only rewritten back in POSTROUTING, after filter OUTPUT. The filter chains therefore see port 22 in both directions: the two port-422 rules above never match, and it is the SSH rules from step 4 that admit this traffic.

26. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
The jump to LOGGING has to be the last rule in INPUT, added after every ACCEPT, otherwise it drops what the rules after it were meant to allow. Level 7 is LOG_DEBUG; read the entries with dmesg or journalctl -k, and check that your syslog configuration does not discard kernel debug messages.
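The LOGGING chain only earns its keep if someone reads the kernel log it feeds. The script below is an added example, not part of the post: it parses kernel LOG lines carrying the post's prefix and answers the two questions a first triage asks, which sources are dropped most and which of them are walking through ports. SAMPLE_LOG is constructed for the demonstration (documentation addresses, plus one unrelated sshd line that must be ignored), and drops_by_source and port_scanners are names chosen here; on a real host pipe journalctl -k or /var/log/kern.log into them instead.

```shell
#!/bin/sh
# Added example (not from the post): triage what the LOGGING chain writes to
# the kernel log. SAMPLE_LOG is constructed for this demonstration with
# documentation addresses, not real traffic; on a live host replace it with
# `journalctl -k` or /var/log/kern.log. drops_by_source and port_scanners
# are names chosen for this example.

SAMPLE_LOG='Jun 26 10:15:02 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44120 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 26 10:15:03 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44121 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 26 10:15:04 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=44122 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 26 10:15:09 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=44 ID=9 PROTO=UDP SPT=5353 DPT=53 LEN=28
Jun 26 10:15:10 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=10 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 26 10:15:11 fw sshd[812]: Accepted publickey for admin from 192.168.200.4 port 50122 ssh2'

# Count dropped packets per source address; prints "count address", busiest first.
# Only lines carrying the LOG prefix are considered, so other kernel or daemon
# messages mixed into the same log are ignored.
drops_by_source() {
    awk '
        /IPTables Packet Dropped:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) cnt[substr($i, 5)]++
        }
        END { for (s in cnt) printf "%d %s\n", cnt[s], s }
    ' | sort -rn
}

# Sources that probed at least $1 distinct destination ports (default 3):
# a crude but useful port-scan signal that needs nothing but the drop log.
port_scanners() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /IPTables Packet Dropped:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however many packets it sent
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= t) printf "%s %d\n", s, ports[s] }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | drops_by_source
printf '%s\n' "$SAMPLE_LOG" | port_scanners 3
```

Because the LOG rule is rate-limited to two entries a minute, the counts are a floor, not the real packet volume; the per-port view is the more reliable of the two, since a scanner touching several ports still shows up even when most of its packets were never logged.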
ATTENTION:
This example is worth a closer look, because several of the rules above are written for servers that accept new (NEW) connections, and the same state flags decide what a forwarding firewall lets through.
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -p udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This rule forwards everything that arrives on eth0 from the 10.0.0.0/8 network over UDP to the DNS port of the remote machine, whether the packet opens the connection (NEW), belongs to one already established (ESTABLISHED) or is related to one (RELATED, as the FTP data connection is to the control connection on port 21 when the ftp conntrack helper is loaded). In other words, the inside is allowed to start the lookup.
iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
In this second rule the change we made means that traffic from port 53 is only accepted while the connection is already established or related. NEW is deliberately missing: without it, anyone outside could send a UDP packet with source port 53 to any port on any 10.0.0.0/8 host and the firewall would forward it, leaving us with a false sense of security. With the state restriction only replies to queries that the inside started get through, which makes it much harder to slip something into our network that we did not ask for.
