In certain situations, your server's firewall rules can block access or interfere with the proper operation of services. To help you maintain and adjust these firewall rules, here are some useful commands:
List all rules
iptables -S
Example:
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ALLOWIN
-N ALLOWOUT
-N DENYIN
-N DENYOUT
-N INVALID
-N INVDROP
-N LOCALINPUT
-N LOCALOUTPUT
-N LOGDROPIN
-N LOGDROPOUT
-N SMTPOUTPUT
-N SYNFLOOD
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
List a specific chain
iptables -S INPUT
Example:
iptables -S INPUT
-P INPUT DROP
-A INPUT ! -i lo -p tcp -m tcp --dport 8889 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --dport 8888 -m limit --limit 100/sec --limit-burst 150 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.4.4/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYNFLOOD
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2080 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2082 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2083 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2086 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2087 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2095 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 2096 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 4443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 19000 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
List rules as a table
iptables -L
Example:
iptables -L
Chain INPUT (policy DROP)
target      prot opt source                          destination
ACCEPT      tcp  --  anywhere                        anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
ACCEPT      tcp  --  anywhere                        anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
ACCEPT      tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT      udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT      tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT      udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT      tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT      udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT      tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT      udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere                        anywhere
ACCEPT      all  --  anywhere                        anywhere
SYNFLOOD    tcp  --  anywhere                        anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
INVALID     tcp  --  anywhere                        anywhere
ACCEPT      all  --  anywhere                        anywhere             state RELATED,ESTABLISHED
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:ftp-data
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:ftp
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:smtp
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:domain
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:http
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:pop3
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:imap
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:https
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:urd
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:submission
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:imaps
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:pop3s
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:infowave
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:radsec
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:gnunet
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:eli
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:nbx-ser
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:nbx-dir
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:mysql
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:pharos
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:igrid
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpts:49152:65534
List a specific chain as a table
iptables -L INPUT
Example:
iptables -L INPUT
Chain INPUT (policy DROP)
target      prot opt source                          destination
ACCEPT      tcp  --  anywhere                        anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
ACCEPT      tcp  --  anywhere                        anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
ACCEPT      tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
ACCEPT      udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
ACCEPT      tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
ACCEPT      udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
ACCEPT      tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
ACCEPT      udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
ACCEPT      tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
ACCEPT      udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
LOCALINPUT  all  --  anywhere                        anywhere
ACCEPT      all  --  anywhere                        anywhere
SYNFLOOD    tcp  --  anywhere                        anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
INVALID     tcp  --  anywhere                        anywhere
ACCEPT      all  --  anywhere                        anywhere             state RELATED,ESTABLISHED
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:ftp-data
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:ftp
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:smtp
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:domain
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:http
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:pop3
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:imap
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:https
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:urd
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:submission
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:imaps
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:pop3s
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:autodesk-nlm
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:infowave
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:radsec
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:gnunet
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:eli
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:nbx-ser
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:nbx-dir
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:mysql
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:pharos
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:igrid
ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpts:49152:65534
ACCEPT      udp  --  anywhere                        anywhere             state NEW udp dpt:ftp-data
ACCEPT      udp  --  anywhere                        anywhere             state NEW udp dpt:ftp
ACCEPT      udp  --  anywhere                        anywhere             state NEW udp dpt:domain
ACCEPT      icmp --  anywhere                        anywhere             icmp echo-request limit: avg 1/sec burst 5
ACCEPT      icmp --  anywhere                        anywhere             icmp echo-reply limit: avg 1/sec burst 5
ACCEPT      icmp --  anywhere                        anywhere             icmp time-exceeded
ACCEPT      icmp --  anywhere                        anywhere             icmp destination-unreachable
LOGDROPIN   all  --  anywhere                        anywhere
List the packet count and aggregate byte count per rule
iptables -L INPUT -v
Example:
iptables -L INPUT -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out     source                          destination
    3   124 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
  465 19628 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
    0     0 ACCEPT      tcp  --  !lo    any     google-public-dns-b.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT      udp  --  !lo    any     google-public-dns-b.google.com  anywhere             udp dpt:domain
    0     0 ACCEPT      tcp  --  !lo    any     google-public-dns-b.google.com  anywhere             tcp spt:domain
 141K 9784K ACCEPT      udp  --  !lo    any     google-public-dns-b.google.com  anywhere             udp spt:domain
    0     0 ACCEPT      tcp  --  !lo    any     google-public-dns-a.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT      udp  --  !lo    any     google-public-dns-a.google.com  anywhere             udp dpt:domain
  537  342K ACCEPT      tcp  --  !lo    any     google-public-dns-a.google.com  anywhere             tcp spt:domain
4755K  491M ACCEPT      udp  --  !lo    any     google-public-dns-a.google.com  anywhere             udp spt:domain
  91M   40G LOCALINPUT  all  --  !lo    any     anywhere                        anywhere
5903K 3575M ACCEPT      all  --  lo     any     anywhere                        anywhere
2339K  132M SYNFLOOD    tcp  --  !lo    any     anywhere                        anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
  81M   39G INVALID     tcp  --  !lo    any     anywhere                        anywhere
  78M   39G ACCEPT      all  --  !lo    any     anywhere                        anywhere             state RELATED,ESTABLISHED
   61  2488 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:ftp-data
 9267  513K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:ftp
 322K   18M ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:smtp
   44  1960 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:domain
1488K   86M ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:http
 104K 5496K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:pop3
 7846  462K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:imap
93399 5184K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:https
 4386  240K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:urd
 175K 9442K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:submission
15377  928K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:imaps
 5755  344K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:pop3s
    1    40 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:autodesk-nlm
  100  5872 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:infowave
 2718  151K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:radsec
    2    80 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:gnunet
 1343 75584 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:eli
  151  8220 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:nbx-ser
12091  632K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:nbx-dir
24325 1391K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:mysql
  199  7972 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:pharos
   14   724 ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpt:igrid
 4132  210K ACCEPT      tcp  --  !lo    any     anywhere                        anywhere             state NEW tcp dpts:49152:65534
    0     0 ACCEPT      udp  --  !lo    any     anywhere                        anywhere             state NEW udp dpt:ftp-data
    0     0 ACCEPT      udp  --  !lo    any     anywhere                        anywhere             state NEW udp dpt:ftp
   44  2826 ACCEPT      udp  --  !lo    any     anywhere                        anywhere             state NEW udp dpt:domain
  964 62604 ACCEPT      icmp --  !lo    any     anywhere                        anywhere             icmp echo-request limit: avg 1/sec burst 5
    0     0 ACCEPT      icmp --  !lo    any     anywhere                        anywhere             icmp echo-reply limit: avg 1/sec burst 5
   35  3300 ACCEPT      icmp --  !lo    any     anywhere                        anywhere             icmp time-exceeded
  206 14999 ACCEPT      icmp --  !lo    any     anywhere                        anywhere             icmp destination-unreachable
25936 1519K LOGDROPIN   all  --  !lo    any     anywhere                        anywhere
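The two listing formats above (the rule-spec form from -S and the counter table from -L -v) are what you audit before touching a rule. The script below is an added example, not part of the original page: it parses constructed samples modelled on the ruleset shown here instead of calling iptables, so it runs without root and without touching the live firewall. The function names and sample values are my own.

```shell
#!/bin/sh
# Audit helpers for iptables listing output (added example; constructed samples).

# Constructed sample of `iptables -S INPUT` output.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN'

# Constructed sample of `iptables -L INPUT -v` output (counters since the last -Z).
SAMPLE_VERBOSE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in   out  source    destination
    3   124 ACCEPT     tcp  --  !lo  any  anywhere  anywhere  tcp dpt:https
    0     0 ACCEPT     udp  --  !lo  any  anywhere  anywhere  state NEW udp dpt:ftp
25936 1519K LOGDROPIN  all  --  !lo  any  anywhere  anywhere'

# Default policy of a chain ("DROP"/"ACCEPT") from -S output.
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3 }'
}

# TCP destination ports accepted from any source: ACCEPT rules with no "-s" match.
# On the page's own ruleset this flags 3306 (MySQL) as reachable from anywhere.
world_open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && /-p tcp/ && /-j ACCEPT/ && !/-s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Rules with zero packet hits in -v output, as "<rule number> <target> <match text>".
# Review these after a representative period following `iptables -Z`; the number
# is what `iptables -D INPUT <number>` takes if you decide to remove one.
zero_hit_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == "0" {
        s = (NR - 2) " " $3
        for (i = 10; i <= NF; i++) s = s " " $i
        print s
    }'
}

# Stand-alone usage on the constructed samples.
echo "INPUT policy: $(chain_policy "$SAMPLE_RULES" INPUT)"
echo "TCP ports open to the world: $(world_open_tcp_ports "$SAMPLE_RULES" | tr '\n' ' ')"
echo "Rules never hit:"; zero_hit_rules "$SAMPLE_VERBOSE"
```

To run it against a real host, feed `iptables -S INPUT` and `iptables -L INPUT -v` output into the same functions in place of the samples.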
Reset the packet count and aggregate byte count
Reset the counters of all rules:
iptables -Z
Reset only the desired CHAIN:
iptables -Z INPUT
Show iptables rules with line numbers
iptables -L --line-numbers
Example:
iptables -L --line-numbers
Chain INPUT (policy DROP)
num  target      prot opt source                          destination
1    ACCEPT      tcp  --  anywhere                        anywhere             tcp dpt:ddi-tcp-2 limit: avg 100/sec burst 150
2    ACCEPT      tcp  --  anywhere                        anywhere             tcp dpt:ddi-tcp-1 limit: avg 100/sec burst 150
3    ACCEPT      tcp  --  google-public-dns-b.google.com  anywhere             tcp dpt:domain
4    ACCEPT      udp  --  google-public-dns-b.google.com  anywhere             udp dpt:domain
5    ACCEPT      tcp  --  google-public-dns-b.google.com  anywhere             tcp spt:domain
6    ACCEPT      udp  --  google-public-dns-b.google.com  anywhere             udp spt:domain
7    ACCEPT      tcp  --  google-public-dns-a.google.com  anywhere             tcp dpt:domain
8    ACCEPT      udp  --  google-public-dns-a.google.com  anywhere             udp dpt:domain
9    ACCEPT      tcp  --  google-public-dns-a.google.com  anywhere             tcp spt:domain
10   ACCEPT      udp  --  google-public-dns-a.google.com  anywhere             udp spt:domain
11   LOCALINPUT  all  --  anywhere                        anywhere
12   ACCEPT      all  --  anywhere                        anywhere
13   SYNFLOOD    tcp  --  anywhere                        anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
14   INVALID     tcp  --  anywhere                        anywhere
15   ACCEPT      all  --  anywhere                        anywhere             state RELATED,ESTABLISHED
16   ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:ftp-data
17   ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:ftp
18   ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:smtp
19   ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:domain
20   ACCEPT      tcp  --  anywhere                        anywhere             state NEW tcp dpt:http
Remove a specific rule
Removes rule number 3 from the INPUT CHAIN (the number comes from the --line-numbers listing above; the rules after it shift up by one once it is gone):
iptables -D INPUT 3
Flush chain
A single CHAIN:
iptables -F INPUT
All CHAINS:
iptables -F
Remove all rules, delete all CHAINS and accept all traffic
First, allow all traffic on the server (with a DROP policy, flushing the rules first would lock you out):
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Now flush all chains, including NAT and MANGLE. Remember: -F (flush) and -X (delete):
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X