iptables
resources
notes
basic guide to iptables
iptables -> tables -> chains -> rules
3 main files
- /etc/init.d/iptables – init script to start|stop|restart and save rulesets.
- /etc/sysconfig/iptables – where rulesets are saved.
- /sbin/iptables – binary.
3 tables
- Filter
- Default table
- INPUT - incoming to firewall
- OUTPUT - outgoing from server
- FORWARD - routed through local server
- NAT
- PREROUTING - alters packets before routing
- POSTROUTING - alters packets when they're leaving the system
- OUTPUT - for locally generated packets on the firewall
- Mangle
- INPUT : Default chain originating to system.
- OUTPUT : Default chain generating from system.
- FORWARD : Default chain packets are send through another interface.
- RH-Firewall-1-INPUT : The user-defined custom chain.
Actions
Commands
- Change default action
iptables --policy INPUT ACCEPT/DROP/REJECT iptables --policy OUTPUT ACCEPT/DROP/REJECT iptables --policy FORWARD ACCEPT/DROP/REJECT
- Delete a specific rules
[root@tecmint ~]# iptables -D INPUT 5
- Flush ruleset
iptables -F
- Insert rule
[root@tecmint ~]# iptables -I INPUT 5 -s ipaddress -j DROP
- List rules
[root@tecmint ~]# iptables -L INPUT -n --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 REJECT all -- 0.0.0.0/0 0.0.0.0/0
- Save Changes
Ubuntu: sudo /sbin/iptables-save Red Hat / CentOS: /sbin/service iptables save
- Set action based on state
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
- Set action for connection from range of IPs
iptables -A INPUT -s 10.10.10.10 -j DROP
- Set action for connection from single IP
iptables -A INPUT -s 10.10.10.0/24 -j DROP
- Set action for connection to a specific port
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
Flags
- -D
<chain> <rulenum>
Delete rule
- -I
<chain> <rulenum> <rulespec>
Insert rule
- -j
<target>
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built in targets which decide the fate of the packet immediately, or an extension. If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
- -L
List ruleset
- –line-numbers
Show line numbers to make adding/deleting easy
- -n
Display in numeric format
- -v
Verbose
- -s
<source>
Set source for rules