# rpm -q iptables
To see if iptables is actually running
# lsmod | grep ip_tables
To inspect currently loaded rules for iptables.
# iptables -L
To save the new added rules
# /sbin/service iptables save
To enable iptables by running:
# system-config-securitylevel
To edit the rules for iptables.
# vi /etc/sysconfig/iptables
Example of the content of / etc/sysconfig/iptables file.
*nat
:PREROUTING ACCEPT [190:33819]
:POSTROUTING ACCEPT [1:60]
:OUTPUT ACCEPT [4:240]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed Nov 23 12:04:17 2011
# Generated by iptables-save v1.4.7 on Wed Nov 23 12:04:17 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1413536:615884533]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Rule Set for iptables
1. Set of rules that all all outgoing connections but block all unwanted incoming connections:# iptables -P INPUT ACCEPT # iptables -F # iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p tcp --dport 22 -j ACCEPT # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT ACCEPT # iptables -L -v
Switch Definition
-P : default policy
-F : flush all existing rules
-A : append a rule to a specific chain
-i : to specify packets matching or destinated for the localhost interface
-j : to jump to the target action for packets matching the rule.
-m : to load a module (state)
-p : connection types
-dport : connection port
-L -v: to list the rules
-s : source IP address
2. If allowed external internet interface (ppp0 dialup modem), it will have effectively like disabled our firewall.
# iptables -A INPUT -i ppp0 -j ACCEPT
3. To allow all incoming packets within internal LAN but still filter incoming packets on our external internet connection.
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
4. Add packets from trusted IP address
# iptables -A INPUT -s [ip_address] -j ACCEPT
# iptables -A INPUT -s [ip_address]/[port] -j ACCEPT
# iptables -A INPUT -s [ip_address]/[subnet_mask] -j ACCEPT
# iptables -A INPUT -s [ip_address] -m mac --mac-source [mac_address_of_source_ip_address] -j ACCEPT
5. Accept tcp packets on destination port 6881 (bittorent)
# iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
6. Accept tcp packets on destination port 6881-6890
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
7. Accept tcp packets on destination port 22 (SSH)
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
8. Accept tcp packets on destination port 22 (SSH) from private LAN
# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
No comments:
Post a Comment