Main.Using-iptables-introduction History

Changed lines 7-16 from:
The target column lists the following actions - ACCEPT, REJECT and LOG

system-config-securitylevel is a Fedora/Red Hat-specific graphical utility for easy configuration of firewall rules and SELinux security settings. system-config-securitylevel is a graphical user interface for setting basic firewall rules.
to:
'''Iptables usage'''
Changed lines 11-20 from:
to:
[@
Usage: iptables -[AD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)
@]
Changed lines 23-24 from:
to:
Three chains - INPUT, FORWARD and OUTPUT - which are all part of the filter table. The target column lists the following actions - ACCEPT, REJECT and LOG

'''What is system-config-securitylevel?'''

system-config-securitylevel is a Fedora/Red Hat-specific graphical utility for easy configuration of firewall rules and SELinux security settings. system-config-securitylevel is a graphical user interface for setting basic firewall rules.
Changed line 35 from:
to:
system-config-securitylevel
Changed lines 38-39 from:
to:
Run system-config-securitylevel and enable the firewall.
Changed line 42 from:
to:
iptables -L --line-numbers
Added lines 45-53:
run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.

'''List your iptables rules'''
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -L -n
(:tableend:)
Added lines 284-291:
'''SEE ALSO'''
iptables-save(8), iptables-restore(8), ip6tables(8), ip6tables-save(8), ip6tables-restore(8), libipq(3).

The packet-filtering-HOWTO details iptables usage for packet filtering, the NAT-HOWTO details NAT, the netfilter-extensions-HOWTO details the extensions that are not in the standard distribution, and the netfilter-hacking-HOWTO details the netfilter internals.

See http://www.netfilter.org/.
Added lines 10-15:
'''What is system-config-securitylevel?'''

system-config-securitylevel is a Fedora/Red Hat-specific graphical utility for easy configuration of firewall rules and SELinux security settings. system-config-securitylevel is a graphical user interface for setting basic firewall rules.
Deleted lines 10-13:
run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.
Changed line 13 from:
to:
system-config-securitylevel
Added lines 16-29:
Run system-config-securitylevel and enable the firewall.

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
iptables -L --line-numbers
(:tableend:)

run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -L -n
(:tableend:)
Changed lines 53-55 from:
to:
(:tableend:)
[@
Changed lines 67-68 from:
to:
@]
Added lines 89-92:
(:tableend:)
[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Changed lines 107-110 from:
to:
@]
Added lines 187-191:
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ iptables --help
(:tableend:)
Added line 8:
Changed lines 11-19 from:
run iptables -L --line-numbers: this will list your current firewall rules with line numbers in front of them. We are interested in the ones in the RH
delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50): iptables -D RH-Firewall-1-INPUT 3
to:
Run system-config-securitylevel and enable the firewall.

run '''iptables -L --line-numbers''': this will list your current firewall rules with line numbers in front of them.

(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -L -n
(:tableend:)
Added lines 1-242:
----
!!Using Iptables introduction
----

There are three chains - INPUT, FORWARD and OUTPUT - which are all part of the filter table. The target column lists the following actions - ACCEPT, REJECT and LOG.

Run system-config-securitylevel and enable the firewall. If you'd like to run an ssh server, check "SSH" as a trusted service, for example.

Run iptables -L --line-numbers: this will list your current firewall rules with line numbers in front of them. We are interested in the ones in the RH-Firewall-1-INPUT chain (list).

Delete rule 3 (the one with ipv6-crypt as the protocol, also known as protocol number 50): iptables -D RH-Firewall-1-INPUT 3

[@
ubuntu@server3:~$ sudo iptables -L -n
[sudo] password for ubuntu:
Chain INPUT (policy ACCEPT)
target       prot opt source               destination
fail2ban-ssh tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Chain fail2ban-ssh (1 references)
target       prot opt source               destination
RETURN       all  --  0.0.0.0/0            0.0.0.0/0
@]

'''Saving iptables'''.
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
[@
ubuntu@server3:~$ sudo sh -c '/sbin/iptables-save > /etc/iptables.save'
ubuntu@server3:~$ cat /etc/iptables.save
# Generated by iptables-save v1.4.10 on Wed Nov 2 19:55:32 2011
*filter
:INPUT ACCEPT [33:4514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:3703]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov 2 19:55:32 2011
@]
(:tableend:)

'''Flushing iptables rules'''
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo /sbin/iptables -F
(:tableend:)

'''Restoring iptables rules'''
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
(:tableend:)

'''List line number for your iptables rule'''
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target       prot opt source               destination
1    fail2ban-ssh tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
num  target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target       prot opt source               destination

Chain fail2ban-ssh (1 references)
num  target       prot opt source               destination
1    RETURN       all  --  0.0.0.0/0            0.0.0.0/0
ubuntu@server3:~$
@]
(:tableend:)

'''Put the rule at line number 3'''.
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ sudo iptables -I INPUT 3 -s 192.168.1.13 -j ACCEPT
(:tableend:)

[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target       prot opt source               destination
1    ACCEPT       all  --  192.168.1.10         0.0.0.0/0
2    fail2ban-ssh tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
3    ACCEPT       all  --  192.168.1.13         0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target       prot opt source               destination

Chain fail2ban-ssh (1 references)
num  target       prot opt source               destination
1    RETURN       all  --  0.0.0.0/0            0.0.0.0/0
@]

'''To drop a rule, use the -D flag with a similar syntax'''.
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
ubuntu@server3:~$ sudo iptables -D INPUT 3
(:tableend:)

[@
ubuntu@server3:~$ sudo iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target       prot opt source               destination
1    ACCEPT       all  --  192.168.1.10         0.0.0.0/0
2    fail2ban-ssh tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT)
num  target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target       prot opt source               destination

Chain fail2ban-ssh (1 references)
num  target       prot opt source               destination
1    RETURN       all  --  0.0.0.0/0            0.0.0.0/0
@]

Like any other firewall, iptables can also report network statistics: the -v (--verbose) option makes the list command (-L) show the packet and byte counters. Statistics are available on a per-rule basis.
Here's an example on the INPUT chain:
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo iptables -nvL INPUT
(:tableend:)

'''Flushing and restoring iptables'''
(:table border=1 width=80% bgcolor=#cccc99 cellspacing=0 :)
(:cellnr:)
sudo /sbin/iptables -F
sudo sh -c '/sbin/iptables-restore < /etc/iptables.save'
(:tableend:)

'''Help'''
[@
ubuntu@server3:~$ iptables --help
iptables v1.4.10

Usage: iptables -[AD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain -X [chain]     Delete a user-defined chain
  --policy  -P chain target     Change policy on chain to target
  --rename-chain -E old-chain new-chain
                                Change chain name, (moving any references)

Options:
[!] --proto     -p proto        protocol: by number or name, eg. `tcp'
[!] --source    -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
    --jump      -j target       target for rule (may load target extension)
    --goto      -g chain        jump to chain with no return
    --match     -m match        extended match (may load extension)
    --numeric   -n              numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
    --table     -t table        table to manipulate (default: `filter')
    --verbose   -v              verbose mode
    --line-numbers              print line numbers when listing
    --exact     -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
    --modprobe=<command>        try to insert modules using this command
    --set-counters PKTS BYTES   set the counter during insert/append
[!] --version   -V              print package version.
ubuntu@server3:~$
@]
----
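The page saves the ruleset with iptables-save, inserts and deletes rules by line number, and reads the per-rule packet counters from iptables -nvL. The script below is an added example, not code from the original page: it audits those same artefacts offline, so it needs neither root nor a live netfilter, and the function names (chain_policy, rule_number, input_is_default_deny, unmatched_rules) are mine. It assumes one file in iptables-save format, like the /etc/iptables.save the page creates, and one captured listing from iptables -nvL INPUT; both samples are constructed to match the listings shown above.

```shell
#!/bin/sh
# Added example (not from the original page). Audits an iptables ruleset
# offline from two text artefacts: a file in iptables-save format and a
# captured "iptables -nvL INPUT" listing. Nothing here touches live tables.
# Both samples are constructed to match the listings shown on the page.

SAMPLE_SAVE=$(mktemp)
cat >"$SAMPLE_SAVE" <<'EOF'
# Generated by iptables-save v1.4.10 on Wed Nov  2 19:55:32 2011
*filter
:INPUT ACCEPT [33:4514]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:3703]
:fail2ban-ssh - [0:0]
-A INPUT -s 192.168.1.10/32 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -s 192.168.1.13/32 -j ACCEPT
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Nov  2 19:55:32 2011
EOF

SAMPLE_VERBOSE=$(mktemp)
cat >"$SAMPLE_VERBOSE" <<'EOF'
Chain INPUT (policy ACCEPT 33 packets, 4514 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.1.10         0.0.0.0/0
  412 31208 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     all  --  *      *       192.168.1.13         0.0.0.0/0
EOF

# chain_policy FILE CHAIN: default policy of CHAIN in the filter table.
# Built-in chains print ACCEPT/DROP; user-defined chains print "-".
chain_policy() {
    awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == (":" chain) { print $2; exit }
    ' "$1"
}

# rule_number FILE CHAIN TEXT: 1-based position of the first rule in CHAIN
# whose text contains TEXT. The N-th "-A CHAIN" line of iptables-save output
# is rule N in "iptables -L CHAIN --line-numbers", so this is the number you
# would pass to "iptables -D CHAIN N". Look it up again after every delete,
# because the numbers of the rules below the deleted one shift up by one.
rule_number() {
    awk -v chain="$2" -v text="$3" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain {
            n++
            if (index($0, text)) { print n; exit }
        }
    ' "$1"
}

# input_is_default_deny FILE: succeeds when INPUT ends in DROP/REJECT, either
# through its policy or through an explicit rule; fails when it is wide open.
input_is_default_deny() {
    if [ "$(chain_policy "$1" INPUT)" = DROP ]; then
        return 0
    fi
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j (DROP|REJECT)/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# unmatched_rules FILE: "number target" for every rule in an "iptables -nvL"
# listing whose packet counter is still zero, i.e. rules no traffic has hit.
unmatched_rules() {
    awk '
        /^Chain /     { n = 0; next }      # chain header resets the numbering
        $1 == "pkts"  { next }             # column header line
        NF > 0        { n++; if ($1 == "0") print n, $3 }
    ' "$1"
}

printf 'INPUT policy: %s\n' "$(chain_policy "$SAMPLE_SAVE" INPUT)"
printf 'rule for 192.168.1.13 is INPUT rule %s\n' \
    "$(rule_number "$SAMPLE_SAVE" INPUT '-s 192.168.1.13/')"
if input_is_default_deny "$SAMPLE_SAVE"; then
    echo 'INPUT is default-deny'
else
    echo 'WARNING: INPUT policy is ACCEPT and no rule drops or rejects; only fail2ban bans are enforced'
fi
echo 'rules with zero packet hits (number target):'
unmatched_rules "$SAMPLE_VERBOSE"
```

Run it as sh audit.sh; replace the constructed samples with /etc/iptables.save and the output of sudo iptables -nvL INPUT to audit a real host. The saved file, not the -L listing, is the reliable source for rule numbers because it shows the exact match (the /32 mask, the multiport module) that -L abbreviates; and where a rule can be named unambiguously, the help text on the page shows the alternative of deleting by specification (--delete -D chain, "Delete matching rule from chain"), which does not depend on a number that moves.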