Difference between revisions of "Firewall: iptables"
(Created page with "{{MessageBox| backgroundcolor = red| image =Warning.png| heading =WARNING| message = This is recommended only for advanced users, proceed with caution.}} = iptables tutorial = I...") |
|||
(3 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{MessageBox| | {{MessageBox| | ||
− | backgroundcolor = | + | backgroundcolor = #faa| |
image =Warning.png| | image =Warning.png| | ||
heading =WARNING| | heading =WARNING| | ||
Line 17: | Line 17: | ||
* 80 - HTTP | * 80 - HTTP | ||
* 139 - NetBIOS port for Samba | * 139 - NetBIOS port for Samba | ||
− | * 443 - HTTPS if you optionally [[ | + | * 443 - HTTPS if you optionally [[Access HDA over SSL]]. |
* 445 - Samba File Sharing (port for your network shares) | * 445 - Samba File Sharing (port for your network shares) | ||
* 1194 - VPN | * 1194 - VPN | ||
Line 23: | Line 23: | ||
Here is the minimum iptables firewall rules required for your HDA to still function as an HDA. These rules do not include any extra services you have enabled such as SSH (port 22), VNC (port 5902), MiniDLNA (port 8200), etc. For extra apps and services you'll have to look up documentation on the App you're using. | Here is the minimum iptables firewall rules required for your HDA to still function as an HDA. These rules do not include any extra services you have enabled such as SSH (port 22), VNC (port 5902), MiniDLNA (port 8200), etc. For extra apps and services you'll have to look up documentation on the App you're using. | ||
− | + | <pre style="white-space: pre-wrap; word-break: keep-all;"> <nowiki>*filter | |
− | |||
− | |||
:INPUT ACCEPT [0:0] | :INPUT ACCEPT [0:0] | ||
:FORWARD ACCEPT [0:0] | :FORWARD ACCEPT [0:0] | ||
Line 58: | Line 56: | ||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited | -A FORWARD -j REJECT --reject-with icmp-host-prohibited | ||
COMMIT</nowiki></pre> | COMMIT</nowiki></pre> | ||
− | |||
= Modify iptables state = | = Modify iptables state = | ||
Start the firewall. | Start the firewall. | ||
− | + | service iptables start | |
Stop the firewall. | Stop the firewall. | ||
− | + | service iptables stop | |
Show the current rules. | Show the current rules. | ||
− | + | service iptables status | |
Service command usage. | Service command usage. | ||
− | + | Usage: <nowiki>iptables {start|stop|restart|condrestart|status|panic|save}</nowiki> | |
= List of ports needed for current Amahi Apps = | = List of ports needed for current Amahi Apps = | ||
TO BE UPDATED! | TO BE UPDATED! |
Latest revision as of 01:55, 23 June 2020
WARNING | |
---|---|
This is recommended only for advanced users, proceed with caution. |
Contents
iptables tutorial
If you're looking for a tutorial for how to use iptables there are better ones out there such as this one. The purpose of this article is to provide Amahi users with a basic set of core rules in which they can enable the iptables firewall on their Amahi HDA without disrupting network services.
Edit the firewall to allow core services
You can edit your firewall rules by editing /etc/sysconfig/iptables or run the command system-config-firewall.
First you need to understand what ports must be open in your HDA.
- 53 - DNS
- 67,68 - DHCP
- 80 - HTTP
- 139 - NetBIOS port for Samba
- 443 - HTTPS if you optionally Access HDA over SSL.
- 445 - Samba File Sharing (port for your network shares)
- 1194 - VPN
- 5353 - Multicast DNS
Here is the minimum iptables firewall rules required for your HDA to still function as an HDA. These rules do not include any extra services you have enabled such as SSH (port 22), VNC (port 5902), MiniDLNA (port 8200), etc. For extra apps and services you'll have to look up documentation on the App you're using.
*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT #multicast dns -A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT #dns -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT #dhcp -A INPUT -m state --state NEW -m tcp -p tcp --dport 67 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 68 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT #netbios -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT #Samba Share -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT #hda web serving -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT #VPN Server -A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT -A INPUT -i tap0 -j ACCEPT -A INPUT -i br0 -j ACCEPT -A FORWARD -i br0 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
Modify iptables state
Start the firewall.
service iptables start
Stop the firewall.
service iptables stop
Show the current rules.
service iptables status
Service command usage.
Usage: iptables {start|stop|restart|condrestart|status|panic|save}
List of ports needed for current Amahi Apps
TO BE UPDATED!