|
Softwares          |
Main /
Using-iptables-introduction
Using Iptables introductionIptables usage
Three Chains - INPUT, FORWARD AND OUTPUT - which are all part of the Filter table. The target column lists the following actions - ACCEPT, REJECT and LOG What is system-config-securitylevel? system-config-securitylevel is a Fedora/Red Hat-specific graphics utility for easy configuration of firewall-rules end SELinux security settings. system-config-securitylevel is a graphical user interface for setting basic firewall rules.
Run system-config-securitylevel and enable the firewall.
run iptables -L --line-numbers: this will list your current firewall rules with line numbers in front of them. List your iptables rules
ubuntu@server3:~$ sudo iptables -L -n [sudo] password for ubuntu: Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain fail2ban-ssh (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0 Saving iptables.
ubuntu@server3:~$ cat /etc/iptables.save # Generated by iptables-save v1.4.10 on Wed Nov 2 19:55:32 2011 *filter :INPUT ACCEPT [33:4514] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [34:3703] :fail2ban-ssh - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A fail2ban-ssh -j RETURN COMMIT # Completed on Wed Nov 2 19:55:32 2011 Flushing iptables rules
Restoring iptables rules
List line number for your iptables rule
ubuntu@server3:~$ sudo iptables -L -n --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain fail2ban-ssh (1 references) num target prot opt source destination 1 RETURN all -- 0.0.0.0/0 0.0.0.0/0 ubuntu@server3:~$ Put the rule at line number 3.
ubuntu@server3:~$ sudo iptables -L -n --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 192.168.1.10 0.0.0.0/0 2 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 3 ACCEPT all -- 192.168.1.13 0.0.0.0/0 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain fail2ban-ssh (1 references) num target prot opt source destination 1 RETURN all -- 0.0.0.0/0 0.0.0.0/0 Drop a rule you could do it with the -D flag and a similar syntax.
ubuntu@server3:~$ sudo iptables -L -n --line-numbers Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 192.168.1.10 0.0.0.0/0 2 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain fail2ban-ssh (1 references) num target prot opt source destination 1 RETURN all -- 0.0.0.0/0 0.0.0.0/0 As any other firewall, iptables is also able to do network statistics reporting. the -v (–verbose) option makes the list command (-L) show the packet and byte counters. Network stats are available on a per rule basis. Here’s an example on the INPUT chain:
Flushing and restoring iptables
Help
ubuntu@server3:~$ iptables --help
iptables v1.4.10
Usage: iptables -[AD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
'''Commands''':
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
'''Options''':
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
ubuntu@server3:~$
SEE ALSO iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), libipq(3). The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions that are not in the standard distribution, and the netfilter-hacking-HOWTO details the netfilter internals. See http://www.netfilter.org/.
|