firewall.txt

Stop/Disable Firewall
systemctl stop firewalld
systemctl disable firewalld
Do not install firewalld
sudo apt-get purge firewalld (if installed mistakenly)

Before doing anything with NAT tables, make sure following give output: 1
cat /proc/sys/net/ipv4/ip_forward
If output is 0, uncomment following line from /etc/sysctl.conf
net.ipv4.ip_forward=1


List all rules (S for Specifications)
sudo iptables -S 

List all rules for one chain
sudo iptables -S INPUT

List rules in a table
sudo iptables -L
-> First line has name of the chain with default policy
-> Columns are: 
->	->target(ACCEPT, DROP, REJECT, UDP, TCP, ICMP)
->	->prop(protocols: tcp, udp, icmp, all)
->	->source(anywhere)
->	->destination(anywhere)
->	->opt(state, ctsate RELATED, ESTABLISHED, INVALIC, NEW, reject-with, icmp-port-unreachable, tcp-reset, icmp-proto-unreachable, dpt:ssh)

List Packet counts and verbosity
sudo iptables -L INPUT -v

Delete a particular rule
Find following to find the rule
sudo iptables -S 
(If output:-A INPUT -i lo -j ACCEPT, use following command)
sudo iptables -D INPUT -i lo -j ACCEPT

Delete by  line number
Find line-numbers using
sudo iptables -L --line-numbers
To delete line 3 of chain INPUT
sudo iptables -D INPUT 3

Flush single chain
sudo iptables -F INPUT


Flush All Rules, Delete All Chains and Accept All
(it will disable your firewall)
If you're 'ssh'ing your server, set default policies for built-in chainns (INPUT, FORWARD, OUPUT) to ACCEPT. 
1) sudo iptables -P INPUT ACCEPT
2) sudo iptables -P FORWARD ACCEPT
3) sudo iptables -P OUTPUT ACCEPT
Flush protocols nat and mangle and all chains 
4) sudo iptables -t nat -F
5) sudo iptables -t mangle -F
6) sudo iptables -F
Delete all non-default chains
7) sudo iptables -X 


Look for iptables modules and add them
lsmod | grep ip_tables
modprobe -a ip_tables	(a: all)

Check System and Service Manager
ps --pid 1

An Example of Iptables, this will give you internet access .
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -j ACCEPT

If server has a local network at NIC 'enp0s31f6' and getting internet at NIC 'wlp1s0' and vagrant VMs are using virtual NIC 'vboxnet1'. Following needs to be done in order for local devices to get to internet or vagrant VMs.

Server: 
	(enp0s31f6)->	10.10.0.10/24
	(wlp1s0)->	192.168.0.106/24
	(vboxnet1)->	192.168.33.1/24
	iptables -t nat -A POSTROUTING -o wlp1s0 -j MASQUERADE
	iptables -A FORWARD -i wlp1s0 -o enp0s31f6 -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -i enp0s31f6 -o wlp1s0 -j ACCEPT
Local Device:
	(eno1)->	10.10.0.20/24
	(/etc/network/interfaces)
	auto eno1
	iface eno1 inet static
		address 10.10.0.20
		netmask 255.255.255.0
		gateway 10.10.0.10
	(/etc/resolv.conf)
	nameserver 8.8.8.8
Vagrant VM: 
	(eth1)->	192.168.33.10/24 


In order to connect from AWS machine using VPN to a local network through server, use following. 
Server: 
	(enp0s31f6)->	10.10.0.10/24
	(vpn0)->	146.209.231.104/22
	iptables -t nat -A POSTROUTING -o vpn0 -j MASQUERADE
        iptables -A FORWARD -i vpn0 -o enp0s31f6 -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -i enp0s31f6 -o vpn0 -j ACCEPT
	iptables -A PREROUTING -t nat -i vpn0 -p tcp --dport 2222 -j DNAT --to 10.10.0.20:22

Client: 
	(eno1)->	10.10.0.20/24
	(/etc/sshd/sshd_config)
	PermitRootLogin yes
	-> systemctl restart sshd
	(Also need to set root password)
	passwd
AWS client:
	(eth0)->	10.225.116.123/24
	ssh -p 2222 146.209.231.104

Drop ping packets (Drop refuses packets quitely and Rejects refuses and sends a message back)
	iptables -A INPUT --protocol icmp --in-interface eth0 -j DROP
	(When you use REJECT, while pinging you'll get message 'Destination Port Unreachable')

Allow/prevent NFS clients (from 192.168.0.0/24) to mount NFS4 shares
	iptables -F
	iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT
	iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 111 -j REJECT
	(Replace REJECT to ACCEPT to allow)

Display rules with line numbers and verbosity
	iptables -nL -v --line-numbers

Replace a rule with another rule. Following will replace rule 2 from INPUT
	iptables -R INPUT 2 -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT

Save the rules and restoring them manually(though at bootup they automatically restore from saved file).
	sudo apt-get install iptables-persistent
	iptables-save > /etc/iptables/rules.v4
	iptables-restore < /etc/iptables/rules.v4
	(Other method for ubuntu)
	sudo apt-get install iptables-persistent 
	sudo /etc/init.d/iptables-persistent save 
	sudo /etc/init.d/iptables-persistent reload
	sudo netfilter-persistent save
	sudo netfilter-persistent reload

#EXAMPLE: let icmp(ping), http work from client to server, just block ssh from a particular client
sudo iptables -A INPUT -s client4 -p tcp --dport ssh -j REJECT	(ssh can be replaced with 22)
sudo iptables -A INPUT -s client4 -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -s client4 --protocol icmp -j ACCEPT