Iptables

By default iptables works with an ACCEPT policy on its built-in chains. That means if no rule matches a packet, the packet is accepted, and you add rules for what to deny.

=====================================================================================================

Change the default policy to DROP => if no rule matches, the packet is dropped. Here you add rules for what to accept.
#iptables -P INPUT DROP

Caution: set the INPUT policy to DROP only after an ACCEPT rule for your own management traffic (SSH from your admin host, plus ESTABLISHED,RELATED replies) is already in the chain; otherwise a remote session is cut off the moment the policy changes.

=====================================================================================================
Syntax of an iptables rule (on the default filter table; other tables need -t)

#iptables position chain S/D_IP port_type S/D_port_no jump_action

_____________________________________________________________________________________________________

1> position [ select the chain and the position of the rule inside it ]

-I => insert the rule at the top of the chain (or at a given position: -I INPUT 3)
-D => delete a rule [ by its number, or by repeating the full rule specification ]
-A => append the rule at the bottom of the chain

Rules are checked from top to bottom and the first match decides, so a rule inserted with -I takes precedence over everything appended with -A.

chain

INPUT => packets addressed to this machine
OUTPUT => packets generated by this machine
FORWARD => packets routed through this machine (neither from nor to it); only seen when IP forwarding is enabled

_____________________________________________________________________________________________________

2> source or destination IP address [ S/D_IP ]

-s => source IP ( most useful in the INPUT chain )
-d => destination IP ( most useful in the OUTPUT chain )
Both accept a single host (192.168.0.75) or a network in CIDR form (192.168.0.0/24), and both can be used in any chain.
_____________________________________________________________________________________________________

3> select the protocol
-p => tcp OR udp ( also icmp, or all )
_____________________________________________________________________________________________________

4> specify the port number ( only valid after -p tcp or -p udp )
--dport => destination port [ in the INPUT chain: the service port on this host ]
--sport => source port [ e.g. in the OUTPUT chain, to match replies sent by a local service ]

_____________________________________________________________________________________________________

5> Action to be taken on the packet

-j => jump to a target

ACCEPT => packet is accepted
DROP => packet is silently discarded; the sender gets no reply and waits until it times out
REJECT => packet is discarded and an error is sent back ( ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST instead, which makes a TCP client fail immediately )

note => DROP sends nothing back to the source machine, so it hides the host from scans but leaves legitimate clients hanging; REJECT is the friendlier choice on internal networks
_____________________________________________________________________________________________________

Generally required rules

1> list the iptables rules
#iptables -L => note : without -n it resolves every IP to a hostname via DNS, which is slow ( and hangs if DNS is itself blocked )

#iptables -nL
#iptables -nvL => also shows packet/byte counters and interface names, useful to see which rule is actually matching

Note => rules added with the iptables command live only in the kernel; `service iptables save` writes them to /etc/sysconfig/iptables ( RHEL/CentOS ) so they survive a restart

2> show line numbers in front of the rules ( needed for -D and -I by position )
#iptables -nL --line-numbers

3> save/start/restart iptables
#service iptables save
#service iptables start/stop/restart
( on RHEL/CentOS, stop flushes all rules and resets the default policies to ACCEPT )

4> permanently enable the iptables service
#lokkit --enabled
#chkconfig iptables on
#service iptables start

5> Backup and restore iptables rules
backup => #iptables-save > myrules ie. any file name
restore => #iptables-restore < myrules ( reads from stdin; replaces the whole current ruleset unless -n/--noflush is given )

6> Flush and delete iptables rules
-back up the rules first, while they are still loaded
#iptables-save > myrule

-then flush ( on RHEL/CentOS `service iptables stop` also flushes the rules and resets the policies to ACCEPT, so never run it before the backup )
#service iptables stop

-or flush by hand; -F removes the rules but keeps the default policies, so after -P INPUT DROP set the policy back as well or the host drops everything
#iptables -P INPUT ACCEPT
#iptables -F

-save the new status
#service iptables save

7> Delete a rule
eg. delete rule number 3 from the INPUT chain ( get the number with --line-numbers )
#iptables -D INPUT 3

8> Change the default policy to DROP ( the default is ACCEPT )
#iptables -P INPUT DROP

NOTE :
-s 0.0.0.0/0 => any source ( this is the default when -s is omitted )
! -s IP => every source except the given IP ( the negation goes before the option; the older form -s ! IP is deprecated, and -s !IP without a space is rejected )

===================================================================================================
Examples

1> block ssh from a particular IP address
#iptables -I INPUT -s 213.175.199.209 -p tcp --dport 22 -j DROP

2> block ssh from a particular network
#iptables -I INPUT -s 213.175.199.0/24 -p tcp --dport 22 -j DROP

3> Deny SSH from all IPs except 192.168.0.75
#iptables -I INPUT ! -s 192.168.0.75 -p tcp --dport 22 -j REJECT

4> Deny outgoing packets to port 22
#iptables -I OUTPUT -d 192.168.122.0 -p tcp --dport 22 -j REJECT
( as written, without a mask, -d 192.168.122.0 matches only that single address; use -d 192.168.122.0/24 for the whole network )

Note : if the rule syntax is wrong, iptables prints an error and the rule is not added; verify with #iptables -nL --line-numbers afterwards
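The default-deny setup from the top of the page together with examples 2 and 3, written as one complete iptables-restore file instead of separate commands (an added example; not code from the original post). Loading a whole ruleset at once removes the window between `-P INPUT DROP` and the ACCEPT rules, and example 3 is done without negation: accept new SSH from the admin host, then reject everyone else, which only works because the ACCEPT line sits above the REJECT line. The addresses 192.168.0.75 and 213.175.199.0/24 are the page's own illustrative values; generate_ruleset and check_ssh_order are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: emit a complete default-deny
# INPUT ruleset in iptables-save format, ready for "iptables-restore < file".
# generate_ruleset and check_ssh_order are names chosen for this example.

# generate_ruleset ADMIN_HOST BLOCKED_NET
#   ADMIN_HOST  - the only address allowed to open a new SSH session
#   BLOCKED_NET - a network that must never reach SSH at all
generate_ruleset() {
    admin_host=$1
    blocked_net=$2
    cat <<EOF
*filter
# Default policies: anything not matched below is dropped on INPUT/FORWARD.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established flows come first: with policy DROP the
# replies to this host's own outgoing connections would otherwise be lost.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Most specific deny first: iptables stops at the first matching rule.
-A INPUT -s $blocked_net -p tcp --dport 22 -j DROP
# Allow new SSH only from the admin host, then reject everyone else with a
# TCP RST so their client fails immediately instead of hanging.
-A INPUT -s $admin_host -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# Keep answering ping so the host stays visible to monitoring.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# check_ssh_order FILE
#   Returns 0 when the admin ACCEPT for port 22 appears before the catch-all
#   REJECT, i.e. the file would not lock the admin out; 1 otherwise.
check_ssh_order() {
    accept_line=$(grep -n -- '--dport 22 .*-j ACCEPT' "$1" | head -n 1 | cut -d: -f1)
    reject_line=$(grep -n -- '--dport 22 -j REJECT' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}
```

Usage, as root: `generate_ruleset 192.168.0.75 213.175.199.0/24 > /tmp/rules.v4`, then `check_ssh_order /tmp/rules.v4 && iptables-restore --test < /tmp/rules.v4` (the --test flag parses the file without committing it, on iptables versions that have it), then `iptables-restore < /tmp/rules.v4 && service iptables save`. When doing this over SSH, first start a fallback such as `sleep 120 && iptables-restore < /path/to/backup` in a detached shell, and cancel it once the new rules are confirmed working.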

==================================================================================================
