Using-iptables-introduction

Main.Using-iptables-introduction History


November 02, 2011, at 12:20 PM by 117.192.145.37 -
Changed lines 7-16 from:
Three Chains - INPUT, FORWARD AND OUTPUT - which are all part of the Filter table.

The target column lists the following actions - ACCEPT, REJECT and LOG

'''What is system-config-securitylevel? '''

system-config-securitylevel is a Fedora/Red Hat-specific graphics utility for easy configuration of firewall-rules end SELinux security settings.

system-config-securitylevel is a graphical user interface for setting basic firewall rules.
to:
'''Iptables usage'''
Changed lines 11-20 from:
system-config-securitylevel
to:
Usage: iptables -[AD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Changed lines 23-24 from:
Run system-config-securitylevel and enable the firewall.
to:
Three Chains - INPUT, FORWARD AND OUTPUT - which are all part of the Filter table.

The target column lists the following actions - ACCEPT, REJECT and LOG

'''What is system-config-securitylevel? '''

system-config-securitylevel is a Fedora/Red Hat-specific graphics utility for easy configuration of firewall-rules end SELinux security settings.

system-config-securitylevel is a graphical user interface for setting basic firewall rules.
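Review bot: in the replacement text, "firewall-rules end SELinux security settings" should read "firewall rules and SELinux security settings", and "graphics utility" should be "graphical utility"; the second sentence ("system-config-securitylevel is a graphical user interface for setting basic firewall rules") then repeats the first and can be dropped.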
Changed line 35 from:
iptables -L --line-numbers
to:
system-config-securitylevel
Changed lines 38-39 from:
run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.
to:
Run system-config-securitylevel and enable the firewall.
Changed line 42 from:
sudo iptables -L -n
to:
iptables -L --line-numbers
Added lines 45-53:
run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.

'''List your iptables rules'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -L -n
(:tableend:)
Added lines 284-291:

'''SEE ALSO'''

iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), libipq(3).

The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions that are not in the standard distribution, and the netfilter-hacking-HOWTO details the netfilter internals.

See http://www.netfilter.org/.
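Review bot: the SEE ALSO block is the SEE ALSO section of the iptables(8) manual page (the "(8)" and "(3)" section numbers and the HOWTO names are the man page's wording); say so and point readers to that page next to the netfilter.org link, so they know where the HOWTOs named here are found.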
November 02, 2011, at 12:01 PM by 117.192.145.37 -
Added lines 10-15:

'''What is system-config-securitylevel? '''

system-config-securitylevel is a Fedora/Red Hat-specific graphics utility for easy configuration of firewall-rules end SELinux security settings.

system-config-securitylevel is a graphical user interface for setting basic firewall rules.
November 02, 2011, at 11:56 AM by 117.192.145.37 -
Deleted lines 10-13:
Run system-config-securitylevel and enable the firewall.

run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.
Changed line 13 from:
sudo iptables -L -n
to:
system-config-securitylevel
Added lines 16-29:
Run system-config-securitylevel and enable the firewall.

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
iptables -L --line-numbers
(:tableend:)

run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -L -n
(:tableend:)
Changed lines 53-55 from:
to:
(:tableend:)

[@
Changed lines 67-68 from:
(:tableend:)
to:
@]
Added lines 89-92:
(:tableend:)

[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Changed lines 107-110 from:
(:tableend:)
to:
@]
Added lines 187-191:
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ iptables --help
(:tableend:)
November 02, 2011, at 11:50 AM by 117.192.145.37 -
Added line 8:
Changed lines 11-19 from:
run system-config-securitylevel and enable the firewall.
If you'd like to run an ssh server, check "SSH" as a trusted service, for example
run iptables -L --line-numbers: this will list your current firewall rules with
line numbers in front of them. We are interested in the ones in the RH
-Firewall-1-INPUT chain (list)

delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50):

iptables -D RH-Firewall-1-INPUT 3
to:
Run system-config-securitylevel and enable the firewall.

run
'''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -L
-n
(:tableend:)
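Review bot: in the new table cell the command is split across two lines ("sudo iptables -L" / "-n"), so it renders as two separate lines and the -n is lost when copied; join them into "sudo iptables -L -n". The revision also keeps "Run system-config-securitylevel and enable the firewall" (a Fedora/Red Hat tool) while dropping the RH-Firewall-1-INPUT steps that went with it, so that line now stands alone with no note that it does not apply to other distributions.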
November 02, 2011, at 11:48 AM by 117.192.145.37 -
Added lines 1-242:
----
!!Using Iptables introduction
----

The filter table has three built-in chains: INPUT, FORWARD and OUTPUT.
The target column lists the action applied to a matching packet: ACCEPT, REJECT or LOG.

On Fedora/Red Hat, run system-config-securitylevel and enable the firewall. If you'd like to run an SSH server, check "SSH" as a trusted service, for example.

Then run iptables -L --line-numbers: this lists your current firewall rules with line numbers in front of them. We are interested in the ones in the RH-Firewall-1-INPUT chain.

To delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50):

[@
iptables -D RH-Firewall-1-INPUT 3
@]


[@
ubuntu@server3:~$ sudo iptables -L -n
[sudo] password for ubuntu:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
@]

'''Saving iptables rules'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ sudo sh -c '/sbin/iptables-save > /etc/iptables.save'

ubuntu@server3:~$ cat /etc/iptables.save
# Generated by iptables-save v1.4.10 on Wed Nov 2 19:55:32 2011
*filter
:INPUT ACCEPT [33:4514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:3703]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov 2 19:55:32 2011
(:tableend:)

'''Flushing iptables rules'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo /sbin/iptables -F
(:tableend:)


'''Restoring iptables rules'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
(:tableend:)

'''List line numbers for your iptables rules'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
ubuntu@server3:~$
(:tableend:)



'''Insert a rule at line number 3'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ sudo iptables -I INPUT 3 -s 192.168.1.13 -j ACCEPT
(:tableend:)

[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.1.10 0.0.0.0/0
2 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 ACCEPT all -- 192.168.1.13 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
@]


'''Delete a rule with the -D flag and a similar syntax'''


(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ sudo iptables -D INPUT 3
(:tableend:)

[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 192.168.1.10 0.0.0.0/0
2 fail2ban-ssh tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-ssh (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
@]
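Both the Fedora step earlier on this page (iptables -D RH-Firewall-1-INPUT 3) and the -D INPUT 3 just shown delete a rule by its position. A position is not an identifier: every insert or delete above a rule renumbers it, so a number read from an earlier listing can delete the wrong rule. The script below is an added example, not code from the original page. It reads "iptables -L -n --line-numbers" output (here a constructed sample copied from the listing above, so it runs without root) and resolves a rule's current number only when building the delete command; it also shows the alternative of deleting by full specification, which needs no number at all. The function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original page): find a rule's current line
# number from "iptables -L -n --line-numbers" output, so deletion by number
# targets the right rule. Rule numbers shift whenever a rule is inserted or
# deleted above them, so re-read the listing before every "-D chain N".
#
# SAMPLE is constructed from the INPUT listing shown on the page (after the
# insert at position 3); in real use replace it with
#   LISTING=$(sudo iptables -L -n --line-numbers)
SAMPLE='Chain INPUT (policy ACCEPT)
num  target       prot opt source           destination
1    ACCEPT       all  --  192.168.1.10     0.0.0.0/0
2    fail2ban-ssh tcp  --  0.0.0.0/0        0.0.0.0/0        multiport dports 22
3    ACCEPT       all  --  192.168.1.13     0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target       prot opt source           destination

Chain OUTPUT (policy ACCEPT)
num  target       prot opt source           destination

Chain fail2ban-ssh (1 references)
num  target       prot opt source           destination
1    RETURN       all  --  0.0.0.0/0        0.0.0.0/0'

# rule_number LISTING CHAIN TARGET SOURCE
# Print the line number of the first rule in CHAIN whose target and source
# columns match exactly; print nothing and return 1 if there is none.
rule_number() {
    listing=$1 chain=$2 target=$3 source=$4
    n=$(printf '%s\n' "$listing" | awk -v chain="$chain" -v t="$target" -v s="$source" '
        /^Chain / { inchain = ($2 == chain); next }   # remember which chain we are in
        inchain && $1 ~ /^[0-9]+$/ && $2 == t && $5 == s { print $1; exit }
    ')
    [ -n "$n" ] && printf '%s\n' "$n"
}

# delete_cmd LISTING CHAIN TARGET SOURCE
# Build the "iptables -D chain N" command for the rule found by rule_number.
# It only prints the command; run it under sudo once you have checked it.
delete_cmd() {
    n=$(rule_number "$1" "$2" "$3" "$4") || return 1
    printf 'iptables -D %s %s\n' "$2" "$n"
}

# spec_delete_cmd CHAIN TARGET SOURCE
# Deleting by full rule specification avoids the numbering problem entirely:
# iptables matches the rule by its contents, not by its position.
spec_delete_cmd() {
    printf 'iptables -D %s -s %s -j %s\n' "$1" "$3" "$2"
}

# Stand-alone demonstration on the constructed listing.
delete_cmd "$SAMPLE" INPUT ACCEPT 192.168.1.13
spec_delete_cmd INPUT ACCEPT 192.168.1.13
```

Matching on target and source only is enough for the listing on this page; for rulesets with several rules that share those two columns, extend the awk test to the protocol and destination columns, or prefer the specification form.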


Like any other firewall, iptables can also report network statistics. The -v (--verbose) option makes the list command (-L) show packet and byte counters, which are kept per rule. Here's an example for the INPUT chain:


(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -nvL INPUT
(:tableend:)
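As an added example that is not part of the original page, the following reads the counters from "iptables -nvL INPUT" output and flags rules that have matched no packets, which is what per-rule statistics are good for when auditing a ruleset: a rule with zero hits over a representative period is either unused or shadowed by an earlier rule. The listing is a constructed sample in the shape the page's command prints, with invented counter values written as -x (exact values) would print them; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original page: report rules in a chain listing
# that have counted zero packets. Use "iptables -nvxL INPUT" on a live system
# so counters are exact numbers rather than abbreviations such as "12K".
#
# SAMPLE_STATS is constructed to match the page's INPUT chain after the
# insert at position 3; the counter values are invented.
SAMPLE_STATS='Chain INPUT (policy ACCEPT 33 packets, 4514 bytes)
 pkts bytes target       prot opt in     out     source           destination
   12   960 ACCEPT       all  --  *      *       192.168.1.10     0.0.0.0/0
  105  8812 fail2ban-ssh tcp  --  *      *       0.0.0.0/0        0.0.0.0/0        multiport dports 22
    0     0 ACCEPT       all  --  *      *       192.168.1.13     0.0.0.0/0'

# idle_rules TEXT: print "num target source" for every rule with 0 packets.
# Rules are numbered by position, the same numbers --line-numbers would show.
idle_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /     { next }                     # chain header line
        $1 == "pkts"  { next }                     # column header line
        $1 ~ /^[0-9]+$/ { n++; if ($1 == 0) print n, $3, $8 }
    '
}

# chain_bytes TEXT: total bytes counted across all rules in the listing
# (the chain policy counter on the header line is not included).
chain_bytes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { b += $2 } END { print b + 0 }'
}

# Stand-alone demonstration on the constructed listing.
idle_rules "$SAMPLE_STATS"
chain_bytes "$SAMPLE_STATS"
```

To measure over a known window, zero the counters first with iptables -Z INPUT (the -Z command in the help output further down), wait a representative period, then run the report; a rule that still shows 0 packets is worth questioning before it is kept.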


'''Flushing and restoring iptables'''

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo /sbin/iptables -F

sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
(:tableend:)
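Two properties of the save, flush and restore commands on this page matter when they are scripted: "iptables -F" deletes rules but leaves chain policies and user-defined chains in place, and iptables-restore replaces the whole table, policies included, with what the file says. A dump that still records ":INPUT ACCEPT", like the one shown above, therefore silently undoes a DROP policy set after the dump was taken. The script below is an added example, not code from the original page: it checks a dump's structure and recorded policies before restoring it. The dumps are constructed samples (one copied from the page, one with its COMMIT line missing); the function names are the example's own, and the "--test" flag of iptables-restore is assumed to be available, as it is in iptables 1.4.x.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check an iptables-save
# dump before handing it to iptables-restore.
#
# SAMPLE_SAVE is constructed from the dump shown on the page; BROKEN_SAVE is
# a constructed dump whose COMMIT line is missing.
SAMPLE_SAVE='# Generated by iptables-save v1.4.10 on Wed Nov 2 19:55:32 2011
*filter
:INPUT ACCEPT [33:4514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:3703]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov 2 19:55:32 2011'

BROKEN_SAVE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT'

# check_save_format TEXT: return 0 when every "*table" block is closed by
# COMMIT and no policy or rule line sits outside a table, 1 otherwise.
check_save_format() {
    printf '%s\n' "$1" | awk '
        /^#/ || /^[ \t]*$/ { next }                    # comments and blank lines
        /^\*/      { if (open) bad++; open = 1; next }  # table start; none may be open
        /^COMMIT$/ { if (!open) bad++; open = 0; next } # table end
        /^[:-]/    { if (!open) bad++; next }           # ":chain policy" or "-A chain" line
        { bad++ }                                       # anything else is not a save file
        END { if (bad || open) exit 1; exit 0 }
    '
}

# saved_policy TEXT TABLE CHAIN: print the default policy recorded for CHAIN
# in TABLE ("ACCEPT", "DROP", or "-" for a user-defined chain).
saved_policy() {
    printf '%s\n' "$1" | awk -v table="*$2" -v chain=":$3" '
        /^\*/ { intable = ($1 == table); next }
        intable && $1 == chain { print $2; exit }
    '
}

# rule_count TEXT TABLE CHAIN: number of "-A CHAIN" rules recorded in TABLE.
rule_count() {
    printf '%s\n' "$1" | awk -v table="*$2" -v chain="$3" '
        /^\*/ { intable = ($1 == table); next }
        intable && $1 == "-A" && $2 == chain { n++ }
        END { print n + 0 }
    '
}

# restore_checked FILE: refuse a malformed dump, refuse one whose INPUT policy
# is not DROP unless ALLOW_ACCEPT_POLICY=1 is set, let iptables-restore parse
# it without committing ("--test" is assumed to exist, as in iptables 1.4.x),
# and only then apply it. Needs root; the checks below do not run it.
restore_checked() {
    dump=$(cat "$1") || return 1
    check_save_format "$dump" || { echo "$1: not a well-formed iptables-save dump" >&2; return 1; }
    if [ "$(saved_policy "$dump" filter INPUT)" != DROP ] && [ "${ALLOW_ACCEPT_POLICY:-0}" != 1 ]; then
        echo "$1: INPUT policy in the dump is not DROP; set ALLOW_ACCEPT_POLICY=1 to load it anyway" >&2
        return 1
    fi
    iptables-restore --test < "$1" || { echo "$1: rejected by iptables-restore --test" >&2; return 1; }
    iptables-restore < "$1"
}

# Stand-alone demonstration on the constructed dumps.
check_save_format "$SAMPLE_SAVE" && echo "sample dump: well-formed"
check_save_format "$BROKEN_SAVE" || echo "broken dump: rejected"
saved_policy "$SAMPLE_SAVE" filter INPUT
```

The policy check is deliberately strict because the page's own dump records an ACCEPT policy on INPUT; loosen it only for hosts where an open default is intended.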


'''Help'''
[@

ubuntu@server3:~$ iptables --help
iptables v1.4.10

Usage: iptables -[AD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
[!] --proto -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
ubuntu@server3:~$
@]

----
Page last modified on November 02, 2011, at 12:20 PM