Using Iptables introduction


Iptables usage

Usage: iptables -[AD] chain rule-specification [options]

       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

The filter table has three built-in chains: INPUT (packets addressed to this host), FORWARD (packets routed through it) and OUTPUT (packets the host itself generates). User-defined chains, such as the fail2ban-ssh chain in the listings below, are created with -N and reached by a jump from a built-in chain.

The target column shows what happens to a packet that matches the rule: ACCEPT, DROP, REJECT (drop it and send an error back to the sender), LOG (record the packet and keep going), RETURN (go back to the calling chain) or the name of a user-defined chain to jump to. Rules are tried in order and the first terminating match decides, so the position of a rule matters; a packet that matches no rule gets the chain's policy.

What is system-config-securitylevel?

system-config-securitylevel is a Fedora/Red Hat-specific graphical utility for setting basic firewall rules and SELinux settings.

system-config-securitylevel

Run system-config-securitylevel and enable the firewall.

iptables -L --line-numbers

Run iptables -L --line-numbers: this lists your current firewall rules with a number in front of each; -I, -R and -D accept that number as a position (1 is the first rule in the chain).

List your iptables rules

sudo iptables -L -n

ubuntu@server3:~$ sudo iptables -L -n
[sudo] password for ubuntu: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Saving iptables rules

The running ruleset lives only in the kernel and is gone after a reboot. iptables-save dumps it as plain text that iptables-restore can load back, so save it before experimenting:

ubuntu@server3:~$ sudo sh -c '/sbin/iptables-save > /etc/iptables.save'

ubuntu@server3:~$ cat /etc/iptables.save
# Generated by iptables-save v1.4.10 on Wed Nov  2 19:55:32 2011
*filter
:INPUT ACCEPT [33:4514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:3703]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A fail2ban-ssh -j RETURN 
COMMIT
# Completed on Wed Nov  2 19:55:32 2011

Flushing iptables rules

-F deletes the rules in a chain (or in every chain of the table) but leaves the chain policies, the user-defined chains (removed with -X) and the counters (reset with -Z) alone. If a built-in chain has policy DROP, flushing removes the rules that let your own traffic in while the DROP policy stays, so set the policy to ACCEPT first when working over SSH.

sudo /sbin/iptables -F

Restoring iptables rules

iptables-restore replaces the whole ruleset with the saved file in one atomic operation (add -n/--noflush to load the file on top of the existing rules instead):

sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
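The save, flush and restore steps above, worked through as an added example that is not code from the original page: it reads the chain policies out of an iptables-save dump so a DROP policy can be spotted before flushing, flushes without locking a remote session out, and compares the restored ruleset with the file. /etc/iptables.save and the first dump are the page's own; the function names, the second dump and the sample comparison are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: save the live ruleset,
# inspect the saved chain policies, flush without locking yourself out, and
# compare the restored ruleset with the file. /etc/iptables.save is the path
# the page uses; the function names below are this example's own.

# Print "CHAIN POLICY" for each built-in chain of the filter table in an
# iptables-save dump read from stdin. Policy lines look like
# ":INPUT ACCEPT [33:4514]"; user-defined chains such as
# ":fail2ban-ssh - [0:0]" carry "-" in the policy column and are skipped.
filter_policies() {
    awk '
        /^\*/     { table = substr($1, 2) }
        /^COMMIT/ { table = "" }
        table == "filter" && /^:/ && $2 != "-" {
            printf "%s %s\n", substr($1, 2), $2
        }
    '
}

# Exit 0 if any built-in filter chain in the dump on stdin has policy DROP.
# Flushing such a chain with -F removes every ACCEPT rule while the DROP
# policy stays, which cuts off a remote SSH session.
has_drop_policy() {
    filter_policies | awk '$2 == "DROP" { found = 1 } END { exit !found }'
}

# Strip the timestamp comments and the [packets:bytes] counters so two dumps
# can be compared rule for rule (counters differ on every save).
rules_only() {
    grep -v '^#' | sed 's/ \[[0-9]*:[0-9]*\]$//'
}

# Save, then flush safely: if a built-in chain has a DROP policy, set it to
# ACCEPT first. Needs root and a real netfilter; not exercised offline.
save_and_flush() {
    iptables-save > /etc/iptables.save
    if has_drop_policy < /etc/iptables.save; then
        for chain in INPUT FORWARD OUTPUT; do
            iptables -P "$chain" ACCEPT
        done
    fi
    iptables -F
}

# Restore and verify that the kernel now holds exactly the saved rules.
# Returns diff's status: 0 when they match.
restore_and_verify() {
    iptables-restore < /etc/iptables.save
    tmp=$(mktemp)
    iptables-save | rules_only > "$tmp"
    rules_only < /etc/iptables.save | diff "$tmp" -
    status=$?
    rm -f "$tmp"
    return $status
}

# The page's own dump, embedded here so the parsing runs offline.
PAGE_DUMP='# Generated by iptables-save v1.4.10 on Wed Nov  2 19:55:32 2011
*filter
:INPUT ACCEPT [33:4514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:3703]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov  2 19:55:32 2011'

# Constructed variant (not from the page) with a DROP policy on INPUT.
DROP_DUMP=$(printf '%s\n' "$PAGE_DUMP" | sed 's/^:INPUT ACCEPT/:INPUT DROP/')

printf '%s\n' "$PAGE_DUMP" | filter_policies
if printf '%s\n' "$DROP_DUMP" | has_drop_policy; then
    echo "DROP policy present: set policies to ACCEPT before iptables -F"
fi
```

Run the file as-is to see the parsing on the embedded dumps; save_and_flush and restore_and_verify need root and touch the live ruleset, so call them only on a host where /etc/iptables.save is the file you mean.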

List your iptables rules with line numbers

ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
ubuntu@server3:~$

Insert a rule at position 3. The INPUT chain here already holds two rules (an ACCEPT for 192.168.1.10 that was added after the listing above, and the fail2ban-ssh jump), so the new rule becomes the third and last; -I with a position larger than the current rule count plus one fails with "Index of insertion too big".

ubuntu@server3:~$ sudo iptables -I INPUT 3 -s 192.168.1.13 -j ACCEPT

ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  192.168.1.10         0.0.0.0/0           
2    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22 
3    ACCEPT     all  --  192.168.1.13         0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

To delete a rule, use -D with the chain and the rule number shown in the listing, or with the full rule specification (sudo iptables -D INPUT -s 192.168.1.13 -j ACCEPT removes the same rule). The remaining rules are renumbered after each deletion.

ubuntu@server3:~$ sudo iptables -D INPUT 3

ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  192.168.1.10         0.0.0.0/0           
2    fail2ban-ssh  tcp  --  0.0.0.0/0         0.0.0.0/0           multiport dports 22 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain fail2ban-ssh (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
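The insert and delete steps above depend on rule positions, which shift as rules come and go. The following added example (not code from the original page) finds a rule's number in the listing so a new rule can be placed directly ahead of it, and deletes several rules by number in the only order that works; the chain name, rule numbers and listing are the page's, while the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: position a new rule
# relative to an existing one, and delete several rules by number without
# the numbers shifting under you. Chain and rule names are the page's; the
# function names and the DRY_RUN switch are this example's own.

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read `iptables -L CHAIN -n --line-numbers` output for one chain from stdin
# and print the number of the first rule whose text matches the regex $1.
# Rule lines start with the rule number; the header line starts with "num".
rule_number_of() {
    awk -v pat="$1" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }'
}

# Insert a rule immediately before the first rule matching $2 in chain $1,
# so the new rule is evaluated first (first match wins). The listing comes
# from stdin; if nothing matches, insert at position 1. The remaining
# arguments are the rule specification.
insert_before() {
    chain=$1; pat=$2; shift 2
    n=$(rule_number_of "$pat")
    run iptables -I "$chain" "${n:-1}" "$@"
}

# Delete rules by number from chain $1. iptables renumbers the remaining
# rules after each -D, so delete from the highest number down; deleting
# 2 and then 3 on a chain of three rules would hit the wrong rule or fail
# with "Index of deletion too big".
delete_rules_by_number() {
    chain=$1; shift
    for n in $(printf '%s\n' "$@" | sort -rn); do
        run iptables -D "$chain" "$n"
    done
}

# The page's INPUT listing after the -I at position 3.
LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  192.168.1.10         0.0.0.0/0
2    fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 22
3    ACCEPT     all  --  192.168.1.13         0.0.0.0/0'

# Print instead of executing unless the caller set DRY_RUN=0.
: "${DRY_RUN:=1}"

# Put the ACCEPT for 192.168.1.13 ahead of the fail2ban-ssh jump instead of
# after it. Live use: iptables -L INPUT -n --line-numbers | insert_before ...
printf '%s\n' "$LISTING" | insert_before INPUT 'fail2ban-ssh' -s 192.168.1.13 -j ACCEPT
# Remove rules 1 and 3; the higher number goes first.
delete_rules_by_number INPUT 1 3
```

With DRY_RUN left at 1 the script only prints the iptables commands it would run, which is the form to review before running it as root with DRY_RUN=0 against the live chain.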

As with any other firewall, iptables keeps traffic statistics. The -v (--verbose) option makes the list command (-L) show packet and byte counters for each rule, and -x prints them as exact numbers instead of rounded K/M values. The counters accumulate until reset with -Z. Here's an example on the INPUT chain:

sudo iptables -nvL INPUT
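Reading the counters is the quickest way to tell whether a rule does anything. The following added example (not code from the original page) parses the output of `iptables -nvxL INPUT` and reports rules with zero hits, the traffic that fell through to the chain policy, and bytes per target. The rule set mirrors the page's INPUT chain; the counter values in the sample and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: read the per-rule counters
# from `iptables -nvxL INPUT` and flag rules that have never matched, plus
# the traffic that fell through to the chain policy. -x is used because
# without it iptables abbreviates large counts (1234K), which this parser
# does not handle. The function names and sample counters are this
# example's own.

# Print "N TARGET" for every rule whose packet counter is zero. Rule lines
# start with the packet count; the header starts with "pkts". A zero here
# means the rule is shadowed by an earlier one, the traffic never arrives,
# or the counters were just reset with -Z.
unmatched_rules() {
    awk '$1 ~ /^[0-9]+$/ { n++; if ($1 == 0) print n, $3 }'
}

# Print "POLICY PACKETS BYTES" from the chain header, i.e. the traffic no
# rule handled. With policy ACCEPT this is everything that went unfiltered.
# Header: "Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)"
policy_counters() {
    awk '$1 == "Chain" { print $4, $5, $7; exit }'
}

# Sum bytes per target across all rules, one "TARGET BYTES" line each.
bytes_by_target() {
    awk '$1 ~ /^[0-9]+$/ { b[$3] += $2 } END { for (t in b) print t, b[t] }' | sort
}

# Constructed sample in the shape of `sudo iptables -nvxL INPUT` for the
# page's ruleset (counter values invented for the example).
SAMPLE='Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     812      60144 ACCEPT     all  --  *      *       192.168.1.10         0.0.0.0/0
       0          0 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22'

echo "rules with no hits:"
printf '%s\n' "$SAMPLE" | unmatched_rules
echo "handled by chain policy:"
printf '%s\n' "$SAMPLE" | policy_counters
echo "bytes per target:"
printf '%s\n' "$SAMPLE" | bytes_by_target
```

On a live host replace the sample with `sudo iptables -nvxL INPUT | unmatched_rules` and so on; run `sudo iptables -Z INPUT` first if you want to measure only from now on.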

Help

ubuntu@server3:~$ iptables --help
iptables v1.4.10

Usage: iptables -[AD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain		Append to chain
  --delete  -D chain		Delete matching rule from chain
  --delete  -D chain rulenum
				Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
				Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
				Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
				List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
				Print the rules in a chain or all chains
  --flush   -F [chain]		Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]
				Zero counters in chain or all chains
  --new     -N chain		Create a new user-defined chain
  --delete-chain
            -X [chain]		Delete a user-defined chain
  --policy  -P chain target
				Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
				Change chain name, (moving any references)
Options:
[!] --proto	-p proto	protocol: by number or name, eg. `tcp'
[!] --source	-s address[/mask][...]
				source specification
[!] --destination -d address[/mask][...]
				destination specification
[!] --in-interface -i input name[+]
				network interface name ([+] for wildcard)
  --jump	-j target
				target for rule (may load target extension)
  --goto      -g chain
                              jump to chain with no return
  --match	-m match
				extended match (may load extension)
  --numeric	-n		numeric output of addresses and ports
[!] --out-interface -o output name[+]
				network interface name ([+] for wildcard)
  --table	-t table	table to manipulate (default: `filter')
  --verbose	-v		verbose mode
  --line-numbers		print line numbers when listing
  --exact	-x		expand numbers (display exact values)
[!] --fragment	-f		match second or further fragments only
  --modprobe=<command>		try to insert modules using this command
  --set-counters PKTS BYTES	set the counter during insert/append
[!] --version	-V		print package version.
ubuntu@server3:~$ 

SEE ALSO

iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), libipq(3).

The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions that are not in the standard distribution, and the netfilter-hacking-HOWTO details the netfilter internals.

See http://www.netfilter.org/.


Page last modified on November 02, 2011, at 12:20 PM