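#!/usr/bin/env bash
# Tutorial iptables rule set: forwarding between eth0/eth1, host INPUT/OUTPUT
# filtering, ICMP and SYN rate limits, NetBIOS drops and netfilter module loading.
#
# Requires root (iptables and modprobe need CAP_NET_ADMIN / CAP_SYS_MODULE).
# Every option below uses ASCII "--"; the published version had these mangled
# into en-dashes ("–dport"), which iptables rejects as an unknown option.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }
trap 'printf "error on line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Run as root once instead of prefixing some (but not all) rules with sudo,
# which made the un-prefixed rules fail when the script was run as a user.
[[ $EUID -eq 0 ]] || die "this script must be run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"

# Flush all chains FIRST so the rules below are the only ones present.
# (Placed after the first rules, as it originally was, it silently discarded them.)
iptables -F

# Accept TCP packets for routing from eth0 (any IP) and destined for IP 192.168.1.58
# that is reachable via eth1.
# -A : Append rule to end of a chain
# FORWARD : Filters packets to a server reachable via another NIC on the firewall
# -s : Source IP address
# 0/0 : Any IP address
# -i : Input interface name (eth0, eth1 etc)
# -d : Destination IP address
# -o : Output interface name (eth0, eth1 etc)
# -p tcp --sport : TCP source port (can be a single value or a range)
# -p tcp --dport : TCP destination port (can be a single value or a range)
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT

# Accept TCP packets coming in from eth0 (any IP) and destined for IP 192.168.1.1
# INPUT : Filters packets destined to the firewall itself.
# NOTE: this accepts every TCP port on the firewall from the outside interface;
# the per-service rules further down are redundant while this one is present.
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT

# YOUR LOCAL NETWORK FIREWALL
# Accept all connections from source 192.168.0.1-192.168.0.254 to any IP address,
# any port. -I inserts at the HEAD of FORWARD, so this is evaluated before every
# other FORWARD rule, including the NetBIOS drops below.
iptables -I FORWARD -s 192.168.0.0/24 -d 0/0 -j ACCEPT

# Accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

# COMMON ICMP (ping)
# Allow sending "PING" (echo-request) and receiving "PONG" (echo-reply).
# Allow the firewall to send ICMP echo-request (pings)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow the firewall to accept the expected ICMP echo-replies (pongs)
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Answer incoming pings at most 1 per second.
# NOTE: -m limit only bounds what THIS rule accepts; packets over the limit fall
# through to later INPUT rules and the chain policy (ACCEPT by default), so
# without a following DROP rule or a DROP policy nothing is actually limited.
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

# SYN-flood defense (--syn = new TCP connection): accept at most five SYN
# segments per second. The same caveat as the ping limit applies: the excess is
# not dropped here, and SYNs accepted by this rule bypass the per-port rules below.
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

# ALLOWING INCOMING TRAFFIC ON SPECIFIC PORTS (service names resolve via /etc/services)
# Several of these (telnet, ftp, pop3, imap, nfs, samba) are cleartext or
# historically exposed services; opening them on the external interface eth0
# should be a deliberate choice, not a default.
# HTTP (port 80)
iptables -A INPUT -p tcp -i eth0 --dport http -j ACCEPT
# HTTPS (port 443)
iptables -A INPUT -p tcp -i eth0 --dport https -j ACCEPT
# POP3 (port 110)
iptables -A INPUT -p tcp -i eth0 --dport pop3 -j ACCEPT
# SMTP (port 25)
iptables -A INPUT -p tcp -i eth0 --dport smtp -j ACCEPT
# FTP (port 21; the data port 20 is handled by the ip_conntrack_ftp helper)
iptables -A INPUT -p tcp -i eth0 --dport ftp -j ACCEPT
# IMAP (port 143)
iptables -A INPUT -p tcp -i eth0 --dport imap -j ACCEPT
# NFS (port 2049; the portmapper on 111 is not opened by this rule)
iptables -A INPUT -p tcp -i eth0 --dport nfs -j ACCEPT
# NNTP (port 119)
iptables -A INPUT -p tcp -i eth0 --dport nntp -j ACCEPT
# Telnet (port 23)
iptables -A INPUT -p tcp -i eth0 --dport telnet -j ACCEPT
# SSH (port 22)
iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
# DNS (port 53)
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
# Samba (ports 137-139)
iptables -A INPUT -p tcp -i eth0 --dport 137:139 -j ACCEPT

# ALLOWING DNS ACCESS FROM THE FIREWALL
# Used by Ubuntu to fetch updates from the repository server.
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1025:65535 -j ACCEPT

# ALLOWING WWW AND SSH ACCESS TO THE FIREWALL
# Used when you want to manage your web server remotely via secure shell (ssh).
# Allow previously established connections
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new port 80 (http) and 22 (ssh) connections to the firewall
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

# ALLOWING THE FIREWALL TO ACCESS THE INTERNET
# Enable a user on the firewall to browse the web: HTTP (port 80) and HTTPS (port 443)
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m multiport --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
# Allow all TCP traffic originating from the firewall
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# BLOCK NETBIOS/SMB WORM TRAFFIC
# Either these 4 rules:
# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 --dport 136 -j DROP
# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 --dport 137 -j DROP
# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 --dport 138 -j DROP
# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 --dport 139 -j DROP
# or this 1 rule. NOTE: the LAN ACCEPT inserted at the head of FORWARD above
# matches first, so these drops do not apply to traffic from 192.168.0.0/24.
iptables -A FORWARD -p tcp --dport 136:139 -j DROP
# Either these 4 rules:
# iptables -I FORWARD -s 0/0 -p udp -d 0/0 --dport 136 -j DROP
# iptables -I FORWARD -s 0/0 -p udp -d 0/0 --dport 137 -j DROP
# iptables -I FORWARD -s 0/0 -p udp -d 0/0 --dport 138 -j DROP
# iptables -I FORWARD -s 0/0 -p udp -d 0/0 --dport 139 -j DROP
# or this 1 rule
iptables -A FORWARD -p udp --dport 136:139 -j DROP

# ROUTING
# Allow the firewall to forward TCP packets that enter via eth0 (any IP) from
# source ports 1024-65535 and are destined to eth1 (192.168.0.2) port 80 (www/http)
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
# -m multiport --dport : several tcp/udp destination ports, comma separated
# -m multiport --sport : several tcp/udp source ports, comma separated
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp -m multiport --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT

# Loading kernel modules
# Modern kernels auto-load most of these when a rule needs them, and several
# names here are legacy (e.g. ip_conntrack became nf_conntrack; ipt_ULOG was
# removed), so a failed modprobe is reported but does not abort the script.
load_module() {
  local mod=$1
  modprobe "$mod" || printf 'warning: could not load module %s\n' "$mod" >&2
}
# Required for any kind of NAT
load_module iptable_nat
# Connection tracking for TCP (-m state)
load_module ip_conntrack
# FTP connection-tracking helper (data channel)
load_module ip_conntrack_ftp
# FTP server behind a NAT firewall
load_module ip_nat_ftp
for mod in ip_queue iptable_filter iptable_mangle ip_tables ipt_LOG \
  ipt_MASQUERADE ipt_owner ipt_REDIRECT ipt_TOS ipt_ttl ipt_ULOG ipt_ecn ipt_ECN; do
  load_module "$mod"
done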
juragan, tanya,.
gimana allow port 8081 pada ubuntu agar bisa diakses dari luar subet,.
server aye di 10.126.19.201, dan kompi aye yang akese 10.126.10.10, masih satu lan.. :(:( :((