1) INPUT: all incoming packets pass thru this
2) OUPUT: " outgoing "
3) FORWARD: Packets which came for routing to some other machine.
Setting behaviour : -j ACCEPT/DENY/DROP
Setting Policy: -P
Any packet for any Chain passes thru all the rules until it is Rejected/Accepted or chain ends in which case its behaviour depends on the Chain policy. If the packet doesn't match any rules it will be acted upon by default policy of the chain i.e Drop/Deny or Accept depending on values set with -P option.(eg below)
To see the current policites command is
iptables --list
to make it faster use -n (to avoid name resolutions)
iptables -n --list
Command to make default policy of droping all i/c packets.
iptables -P INPUT -j DROP
Command to make default policy of deny all i/c packets.
iptables -P INPUT -j DENY
So we disable all the packets other than what we want to allow.
Appending a Chain: -A
Source specification: -s
Deleting a Rule from a chain: -D
Command to accept ALL packets from 172.16.16.16
iptables -A INPUT -s 172.16.16.16 -j ACCEPT
Command to accept only port 22 packets from 172.16.16.20
NOTE: -p tcp/udp is required before giving --dports
iptables -A INPUT -s 172.16.16.20 -p tcp --dports 22 -j ACCEPT
so in most webservers we will have shud have these two commands
iptables -P INPUT -j DENY
iptables -A INPUT -p tcp -dports 80 -j ACCEPT
To remove/delete a rule give the exact same command as used for Appending but replace -A with -D
iptables -D INPUT -s 172.16.16.20 -p tcp -dport 22 -j ACCEPT
To remove all the current Rules/Policy and resort to defaults:
iptables --flush
No comments:
Post a Comment