From LedHed's Wiki

Overview

IPTables rules are evaluated in order, so the topmost rule in a chain takes precedence over the rules below it: the first rule that matches a packet decides what happens to it, and nothing further down is consulted. So if you have 3 rules, 1) Open port 25, 2) Drop all traffic, 3) Open port 110, rule 3 is useless because rule 2 drops all traffic including port 110, but port 25 traffic is permitted because it is above the Drop rule.


Chains

  • INPUT - Rules for traffic coming into this server (i.e. from the Internet).
  • FORWARD - Rules for traffic that will be forwarded to another IP behind this server (i.e. this box is a firewall for other PCs).
  • OUTPUT - Rules for traffic that is going out of this server (i.e. to the Internet).
  • PREROUTING - Rules that happen before routing occurs (used by the nat and mangle tables, not the default filter table).
  • POSTROUTING - Rules that happen after routing occurs (also nat and mangle).

For more detailed info on what these 'Chains' do feel free to ask the Google Gods!


Switches

Before we get started we need to know a few of the command line switches.
-A = Append (adds the rule to the bottom of the specified chain)
-I = Insert (adds the rule to the top of the specified chain, or at a given rule number)
-D = Delete (deletes the rule from the specified chain, by rule number or by repeating the rule)
-F = Flush (deletes all rules from the specified chain, or from every chain if none is given)
-L = List (lists the rules currently loaded in the specified chain, or in all chains if none is given)
-p = Protocol (protocol being matched [i.e. tcp, udp, icmp ...])
-s = Source (source address)
--sport = Source port (requires -p tcp or -p udp)
-d = Destination (destination address)
--dport = Destination port (requires -p tcp or -p udp)
-j = Jump (jump to an action [i.e. ACCEPT, DROP, REJECT])
--line-numbers (displays line numbers for each rule. Useful when deleting or inserting rules by position)

Examples

This will delete the 2nd rule from the INPUT chain.

iptables -D INPUT 2


This will delete all rules from the FORWARD chain.

iptables -F FORWARD


This appends a rule to the bottom of the INPUT chain that drops all traffic. A catch-all Drop like this should be the last item in the chain, since anything appended after it is never reached.

iptables -A INPUT -j DROP


This lists all the rules with their corresponding line numbers.

iptables -L --line-numbers


This accepts incoming TCP traffic to port 25 (SMTP) and inserts the rule at the top of the INPUT chain, so it is checked before any Drop rule below it.

iptables -I INPUT -p tcp --dport 25 -j ACCEPT


This allows replies to connections that our own outgoing packets initiated (ESTABLISHED), plus traffic related to them such as ICMP errors or FTP data connections (RELATED). NEW is not needed here: on the INPUT chain it would accept every new incoming connection as well, which defeats the Drop rule.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
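The ordering point from the Overview and the commands in the Examples, worked through as an added example that is not the wiki's own: a small POSIX shell simulator of first-match evaluation over a chain, with the wiki's "port 25 / drop all / port 110" ordering beside the corrected one. The three-column rule format and the function names are assumptions of this example; nothing here runs the real iptables, so it works without root.

```shell
#!/bin/sh
# Added example, not from the wiki: a first-match simulator for the
# "top rule wins" behaviour of an iptables chain. Nothing here calls the
# real iptables; the rule format below is an assumption of this example.

# One rule per line: "<proto> <dport> <verdict>"; "any" matches everything.
WRONG_ORDER='tcp 25 ACCEPT
any any DROP
tcp 110 ACCEPT'

RIGHT_ORDER='tcp 25 ACCEPT
tcp 110 ACCEPT
any any DROP'

# verdict RULES PROTO DPORT: walks the chain top to bottom and stops at the
# first matching rule, exactly as a chain does. No match -> chain policy.
verdict() {
    rules=$1 proto=$2 port=$3
    hit=$(printf '%s\n' "$rules" | while read -r rp rd ra; do
        [ -z "$rp" ] && continue
        if { [ "$rp" = any ] || [ "$rp" = "$proto" ]; } &&
           { [ "$rd" = any ] || [ "$rd" = "$port" ]; }; then
            echo "$ra"
            break
        fi
    done)
    echo "${hit:-POLICY}"   # POLICY = fell off the end, chain policy applies
}

# as_iptables RULES: prints the -A commands that would build this chain in
# the same order (printed for inspection, not executed).
as_iptables() {
    printf '%s\n' "$1" | while read -r rp rd ra; do
        [ -z "$rp" ] && continue
        cmd="iptables -A INPUT"
        [ "$rp" != any ] && cmd="$cmd -p $rp"
        [ "$rd" != any ] && cmd="$cmd --dport $rd"
        echo "$cmd -j $ra"
    done
}

echo "wrong order, port 110: $(verdict "$WRONG_ORDER" tcp 110)"   # DROP
echo "right order, port 110: $(verdict "$RIGHT_ORDER" tcp 110)"   # ACCEPT
echo "either order, port 25: $(verdict "$WRONG_ORDER" tcp 25)"    # ACCEPT
as_iptables "$RIGHT_ORDER"
```

Rule 3 of the wrong order is dead because the "any any DROP" line above it already matched; moving the catch-all Drop to the bottom is the whole fix.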


References:
http://www.howtoforge.com/linux_iptables_sarge Start Here
http://iptables-tutorial.frozentux.net/iptables-tutorial.html Some Technical reading for those nights when you've run out of Ambien
http://www.frozentux.net/documents/iptables-tutorial/ More Technical reading (You really don't want to read all of this, just wing it!)
http://www.justlinux.com/nhf/Security/IPtables_Basics.html More IPTABLES basics.