Latest revision as of 06:16, 5 October 2011
Overview
iptables evaluates the rules in a chain from top to bottom, and the first rule that matches a packet and ends in a terminating target (ACCEPT, DROP or REJECT) decides that packet's fate; the rules below it are never consulted for that packet. So if you have 3 rules, 1) Open port 25, 2) Drop All Traffic, 3) Open port 110, rule 3 is useless because rule 2 drops all traffic, including port 110, before rule 3 is ever reached; port 25 traffic is permitted because its rule sits above the Drop rule. A packet that matches no rule at all is handled by the chain's default policy.
Chains
- INPUT - Rules for traffic addressed to this server itself (i.e. from the Internet to a service running on this box).
- FORWARD - Rules for traffic that this server routes on to another IP behind it (i.e. this box is a firewall for other PCs); it only sees traffic when IP forwarding is enabled.
- OUTPUT - Rules for traffic generated by this server (i.e. going out to the Internet).
- PREROUTING - Rules applied before the routing decision, to every packet arriving on an interface; this is where destination NAT (port forwarding) is done.
- POSTROUTING - Rules applied after the routing decision, just before a packet leaves; this is where source NAT/masquerading is done.
INPUT, FORWARD and OUTPUT live in the default filter table. PREROUTING and POSTROUTING belong to the nat and mangle tables (PREROUTING also to raw), not to filter, so they have to be addressed with -t nat or -t mangle.
For more detailed info on what these chains do, see the iptables(8) man page or the references at the end of this page.
Switches
Before we get started we need to know a few of the command line switches.
-A = Append (adds the rule to the bottom of the specified chain)
-I = Insert (adds the rule to the top of the specified chain; -I CHAIN N puts it at position N instead)
-D = Delete (deletes a rule from the specified chain, either by its number or by repeating its exact specification)
-F = Flush (deletes all rules from the specified chain, or from every chain in the table if no chain is given)
-L = List (lists the currently applied rules; add -n to skip reverse-DNS lookups and -v to see packet/byte counters)
-t = Table (selects the table; filter is the default, nat is needed for the PREROUTING/POSTROUTING NAT chains)
-p = Protocol (protocol being used [i.e. tcp, udp, icmp ...])
-s = Source (source address, optionally with a netmask such as 192.168.1.0/24)
--sport = Source Port (only valid together with a protocol that has ports, e.g. -p tcp or -p udp)
-d = Destination (destination address)
--dport = Destination Port (only valid together with a protocol that has ports, e.g. -p tcp or -p udp)
-j = Jump (jump to an action [i.e. ACCEPT, DROP, REJECT] or to a user-defined chain)
--line-numbers (displays line numbers for each rule; useful when deleting or inserting rules by position)
Examples
This will delete the 2nd rule from the INPUT chain.
iptables -D INPUT 2
This will delete all rules from the FORWARD chain.
iptables -F FORWARD
This appends a rule to the bottom of the INPUT chain that drops everything not accepted by a rule above it. It must stay the last rule in the chain: anything appended below it can never match.
iptables -A INPUT -j DROP
This lists all the rules with their corresponding line numbers (add -n to avoid slow reverse-DNS lookups, and -t nat to see the NAT chains instead of the filter chains).
iptables -L --line-numbers
This opens incoming port 25 (SMTP) traffic and adds the rule to the top of the chain.
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
This lets replies to connections that this server itself initiated (and related traffic such as ICMP errors) back in, without opening any port for new inbound connections. The chain must be named, and the rule normally sits near the top of INPUT so return traffic is accepted before the per-port rules run. Do not add NEW to this rule on INPUT: that would accept every new inbound connection and defeat the point of the firewall.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
On current kernels -m state still works but is a legacy alias; the equivalent modern match is -m conntrack --ctstate ESTABLISHED,RELATED.
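The two points this page keeps returning to, rule order and a catch-all DROP that has to stay last, as one added example. This is not code from the original page; it is a script written for this edit. It assumes an IPTABLES variable (point it at the included dry_run function to print the commands instead of installing them, so the script can be checked without root), a loopback rule and an SSH rule on port 22 that the page does not mention, and it uses the page's -m state match. check_shadowed reads the printed commands and reports any rule appended to a chain after that chain already ends in an unconditional ACCEPT/DROP/REJECT, which is the Overview's "rule 3 is useless" problem made mechanical:

```shell
#!/bin/sh
# Added example (not from the original page): an INPUT rule set in the order
# the Overview requires, plus a small lint for rules shadowed by a catch-all.
# IPTABLES is an assumed variable; IPTABLES=dry_run prints instead of applying.

# Stand-in for the iptables binary: print the arguments, one command per line.
dry_run() {
    printf '%s\n' "$*"
}

# Emit the INPUT rule set: replies first, then the services we offer, DROP last.
# Port 22 (SSH) and the loopback rule are assumptions; 25 and 110 are from the page.
apply_input_rules() {
    ipt="${IPTABLES:-iptables}"
    "$ipt" -F INPUT                                                 # start from an empty chain
    "$ipt" -A INPUT -i lo -j ACCEPT                                 # local services talk over loopback
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to connections we opened
    "$ipt" -A INPUT -p tcp --dport 22 -j ACCEPT                     # SSH (assumed management port)
    "$ipt" -A INPUT -p tcp --dport 25 -j ACCEPT                     # SMTP
    "$ipt" -A INPUT -p tcp --dport 110 -j ACCEPT                    # POP3
    "$ipt" -A INPUT -j DROP                                         # catch-all: nothing below it can match
}

# Read iptables commands (one per line, as dry_run prints them) on stdin and
# print every rule appended to a chain that already ends in an unconditional
# ACCEPT/DROP/REJECT. Exit status 1 if any rule is shadowed, 0 otherwise.
# Only -A is tracked: a rule added with -I lands above the catch-all.
check_shadowed() {
    awk '
        BEGIN { bad = 0 }
        $1 == "-F" { closed[$2] = 0; next }          # a flush reopens the chain
        $1 == "-A" {
            if (closed[$2]) { print "shadowed: " $0; bad = 1; next }
            # exactly "-A CHAIN -j TARGET" with no match options is unconditional
            if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT"))
                closed[$2] = 1
        }
        END { exit bad }
    '
}

case "${1:-}" in
    apply)   apply_input_rules ;;                                # as root: install the rules
    dry-run) (IPTABLES=dry_run; apply_input_rules) ;;            # just print the commands
    lint)    (IPTABLES=dry_run; apply_input_rules) | check_shadowed && echo "ok: no shadowed rules" ;;
esac
```

Saved as, say, fw.sh: `sh fw.sh dry-run` prints the commands, `sh fw.sh lint` checks them, and `sh fw.sh apply` as root installs them. To open another port once the DROP is in place, use -I with a position above the DROP (as the port 25 example above does with -I INPUT) rather than -A; the lint would flag the -A form as shadowed.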
References:
- http://www.howtoforge.com/linux_iptables_sarge (start here)
- http://iptables-tutorial.frozentux.net/iptables-tutorial.html (technical reading for those nights when you've run out of Ambien)
- http://www.frozentux.net/documents/iptables-tutorial/ (more technical reading; you really don't want to read all of this, just wing it!)
- http://www.justlinux.com/nhf/Security/IPtables_Basics.html (more iptables basics)