2012-10-27

IPTables Rules

iptables chains are structured like access lists: packets are matched against the rules from top to bottom, and a default deny "any any" sits at the bottom of the configuration to drop or reject all traffic from any host to any host that no earlier rule has accepted.

The easiest way to add a new rule is to insert it at the top of the chain, ahead of the existing rules and the final deny.

That is done as follows:
iptables -I INPUT -p (tcp|udp) --dport (port#) -j (ACCEPT|REJECT|...)


Description of command-line options:
-I (chain)

  • Insert a new rule at the top (position 1) of the chain named (chain), for example INPUT. Rules are evaluated in order, so a rule inserted at the top is checked before everything already in the chain, including the final deny

-p (tcp|udp)

  • Specifies that this rule applies to the tcp OR udp protocol

--dport (port#)

  • Specifies the destination port that the remote machine is trying to reach

-j ACCEPT

  • Specifies what to do with the packet if it matches. In this case accept it. Other common targets are REJECT and DROP, or you can jump to a user-defined chain containing additional firewall rules


Example:
Allowing DNS queries to reach your DNS server

  1. Inserting the rules
    1. iptables -I INPUT -p udp --dport 53 -j ACCEPT
    2. iptables -I INPUT -p tcp --dport 53 -j ACCEPT
  2. Saving the configuration (service iptables save is provided by the Red Hat/CentOS iptables init script; other distributions persist rules differently)
    1. service iptables save
  3. Loading the new rules and ensuring the configuration sticks across a restart
    1. service iptables restart

Removing a Rule

A rule is removed by deleting it by its number, that is, its position in the chain.

You can see the rule numbers associated with your rules by running the following:
/sbin/iptables -L -v -n --line-numbers

Example Output:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      207 15336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited
3        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 reject-with icmp-host-prohibited
4        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5 reject-with icmp-host-prohibited
5        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9 reject-with icmp-host-prohibited
6        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 10 reject-with icmp-host-prohibited
7        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 reject-with icmp-host-prohibited
8        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 reject-with icmp-host-prohibited
9        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
11       0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
12       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
13       0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
14       2    96 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited
3        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 reject-with icmp-host-prohibited
4        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 5 reject-with icmp-host-prohibited
5        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9 reject-with icmp-host-prohibited
6        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 10 reject-with icmp-host-prohibited
7        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 reject-with icmp-host-prohibited
8        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 reject-with icmp-host-prohibited
9        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

If you want to delete rule 8 on the INPUT chain do the following:
iptables -D INPUT 8

Note that every rule below the deleted one moves up one position, so list the chain again before deleting by number a second time.
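As an added example (not code from the original post), the following Python parses the numbered listing format shown above, finds rule numbers by target, protocol and destination port instead of reading them off by eye, and emits the iptables -D commands highest number first, because deleting a rule renumbers every rule below it. The parser, the helper names and the abridged sample listing are this example's own assumptions.

```python
import re
from collections import namedtuple

# One row of the listing; everything after `destination` (state, dpt:, reject-with ...) is kept in `extra`.
Rule = namedtuple("Rule", "num pkts bytes target prot opt inp out src dst extra")
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_listing(text):
    """Return {chain_name: [Rule, ...]} from `iptables -L -v -n --line-numbers` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split(None, 10)  # at most 11 fields; the tail stays one string
        if current is None or len(parts) < 10 or not parts[0].isdigit():
            continue  # column header, blank line, or text outside any chain
        extra = parts[10].strip() if len(parts) > 10 else ""
        chains[current].append(Rule(int(parts[0]), *parts[1:10], extra))
    return chains

def find_rules(chains, chain, target=None, prot=None, dport=None):
    """Rule numbers in `chain` whose target, protocol and destination port match."""
    return [r.num for r in chains.get(chain, [])
            if (target is None or r.target == target)
            and (prot is None or r.prot == prot)
            and (dport is None or f"dpt:{dport}" in r.extra.split())]

def delete_commands(chain, nums):
    """`iptables -D` commands highest number first: deleting rule N renumbers
    every rule after it, so descending order keeps the remaining numbers valid."""
    return [f"iptables -D {chain} {n}" for n in sorted(set(nums), reverse=True)]

# Constructed sample in the same format as the listing above (abridged).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      207 15336 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 reject-with icmp-host-prohibited
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6        2    96 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
"""
```

On a live host, feed the real listing in with parse_listing(subprocess.check_output(["iptables", "-L", "-v", "-n", "--line-numbers"], text=True)) and review the generated commands before running them.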

Resources:
  • http://www.cyberciti.biz/faq/deleting-firewall-rules/
  • https://help.ubuntu.com/community/IptablesHowTo
  • http://www.cyberciti.biz/faq/linux-iptables-drop/
