The following configuration blocks all incoming packets by default, except those arriving on ports 22, 80 and 443.
# first check whether any rules are already in place
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# existing rules can be cleared with the flush option (-F)

Save the iptables rules as a script so they do not have to be retyped later if the settings are forgotten. (running as root)
# mkdir -p /root/scripts
# vim /root/scripts/iptables.sh
[--- SNIP ---]
#!/bin/bash
# Allow all traffic on the loopback interface (inserted at position 1 so it is matched first)
iptables -I INPUT 1 -i lo -j ACCEPT
# Allow web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH on port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow replies belonging to connections that are already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop all other incoming traffic (default policy)
iptables -P INPUT DROP
iptables -P FORWARD DROP
[--- SNIP ---]
# chmod +x /root/scripts/iptables.sh
# /root/scripts/iptables.sh
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Because the iptables configuration is held only in memory, it is lost on reboot. The iptables-save and iptables-restore commands are therefore used to write the rules to a file and load them again at boot.
# iptables-save > /etc/default/iptables
# vim /etc/network/if-up.d/iptables
[--SNIP--]
#!/bin/bash
# Restore the saved ruleset whenever an interface comes up
iptables-restore < /etc/default/iptables
exit 0
[--SNIP--]
# chmod +x /etc/network/if-up.d/iptables
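Since the file written by iptables-save is what iptables-restore loads at every boot, it is worth checking that it still expresses the intended policy (INPUT and FORWARD set to DROP, only the expected TCP ports accepted, a stateful rule present) before relying on it. The following audit script is an added example, not part of the original post; the iptables-save dump it parses is constructed inline to mirror the ruleset above, and the function and variable names are the author's own choices.

```python
import shlex

# Constructed iptables-save dump (not captured from a real host) mirroring the post's
# ruleset: INPUT/FORWARD policy DROP, loopback, tcp 80/443/22, stateful rule.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return ({chain: policy}, [(chain, args)]) for the *filter table only."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):                    # table header: *filter, *nat, ...
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]    # ":INPUT DROP [0:0]"
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            args = shlex.split(line)                # "-A INPUT -p tcp ... -j ACCEPT"
            rules.append((args[1], args[2:]))
    return policies, rules

def audit_input_chain(dump, allowed_tcp_ports):
    """Compare a saved ruleset with the intended policy; an empty list means it matches."""
    policies, rules = parse_filter_table(dump)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    accepted, stateful = set(), False
    for chain, a in rules:
        if chain != "INPUT" or "-j" not in a or a[a.index("-j") + 1] != "ACCEPT":
            continue
        if "--dport" in a:
            accepted.add(a[a.index("--dport") + 1])  # kept as text: "80" or a range "80:90"
        if "--state" in a or "--ctstate" in a:       # -m state or the newer -m conntrack form
            stateful = True
    allowed = {str(p) for p in allowed_tcp_ports}
    findings += [f"unexpected ACCEPT for dport {p}" for p in sorted(accepted - allowed)]
    findings += [f"expected dport {p} is not accepted" for p in sorted(allowed - accepted)]
    if not stateful:
        findings.append("no ESTABLISHED,RELATED rule: replies to outbound connections are dropped")
    return findings
```

On a real host, feed it the contents of /etc/default/iptables (or the output of iptables-save) instead of SAMPLE_DUMP; any non-empty result means the saved file no longer matches the policy the script above was meant to enforce.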