Wednesday, June 01, 2005

Small description of Iptables/The Linux Firewalling system.

Iptables have three primary chains.
1) INPUT: all incoming packets pass thru this
2) OUPUT: " outgoing "
3) FORWARD: Packets which came for routing to some other machine.
Setting behaviour : -j ACCEPT/DENY/DROP
Setting Policy: -P : eg. INPUT/OUTPUT

Any packet for any Chain passes thru all the rules until it is Rejected/Accepted or chain ends in which case its behaviour depends on the Chain policy. If the packet doesn't match any rules it will be acted upon by default policy of the chain i.e Drop/Deny or Accept depending on values set with -P option.(eg below)

To see the current policites command is
iptables --list
to make it faster use -n (to avoid name resolutions)
iptables -n --list
Command to make default policy of droping all i/c packets.
iptables -P INPUT -j DROP
Command to make default policy of deny all i/c packets.
iptables -P INPUT -j DENY

So we disable all the packets other than what we want to allow.
Appending a Chain: -A : for e.g INPUT/DROP/DENY
Source specification: -s : for e.g 172.16.0.0/255.255.0.0, 172.16.0-5.0-22 and many others ways...
Deleting a Rule from a chain: -D [see e.g]

Command to accept ALL packets from 172.16.16.16
iptables -A INPUT -s 172.16.16.16 -j ACCEPT
Command to accept only port 22 packets from 172.16.16.20
NOTE: -p tcp/udp is required before giving --dports
iptables -A INPUT -s 172.16.16.20 -p tcp --dports 22 -j ACCEPT
so in most webservers we will have shud have these two commands
iptables -P INPUT -j DENY
iptables -A INPUT -p tcp -dports 80 -j ACCEPT

To remove/delete a rule give the exact same command as used for Appending but replace -A with -D
iptables -D INPUT -s 172.16.16.20 -p tcp -dport 22 -j ACCEPT

To remove all the current Rules/Policy and resort to defaults:
iptables --flush

No comments:

Post a Comment