--- Sjoerd Hooft's InFormation Technology ---
IP Tables

This is a small howto on using IP Tables. It's mostly from Internet sources like this one. I just modified and extended it to my specific knowledge and experience.

Important to Know

Since the iptables rules live inside the Linux kernel, changes to the rules take effect immediately. This could lock you out if you don't know what you're doing, so make sure you have access to the console before you start experimenting.

Chains and Rules

Iptables is made up of CHAINS, and each chain holds RULES.

The default chains are:

  • INPUT (Incoming traffic to this machine)
  • FORWARD (Traffic going to or from a machine on the other side of this firewall)
  • OUTPUT (Outgoing traffic from this machine).

Rules are then placed inside these chains in order to allow or deny specific traffic. There are three basic “ACTIONS” (targets) that a rule can take. Other targets exist, but these are the basic and most commonly used actions:

  • ACCEPT (Allows the traffic through the firewall)
  • DROP (The packet is dropped with no reply to sender)
  • REJECT (Packet is dropped and an appropriate message is sent back to the sender.)

Listing IP Tables

Listing the current IP Tables can be done with the command iptables -L:

[sjoerd@redhatbox /]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

You can add statistics to the output by adding -v:

[sjoerd@redhatbox /]$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3642 1590K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    60 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    3   697 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
13083 1218K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT 3503 packets, 480K bytes)
 pkts bytes target     prot opt in     out     source               destination
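Note what the verbose listing tells you: the INPUT chain's policy is ACCEPT, so all of the protection comes from the final REJECT rule, and the counters show how much traffic actually hits it. The following is an added example, not part of the original page: a small POSIX sh/awk script that reads the listing above (embedded here so it runs offline) and reports, per chain, the policy, the packets accepted, the packets rejected, and whether a catch-all REJECT/DROP rule is present. On a live box you would feed it `sudo iptables -L -v -n -x` instead (`-n` keeps addresses numeric so columns do not shift on DNS lookups, `-x` prints exact counters instead of K/M suffixes); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: summarise "iptables -L -v"
# output per chain. SAMPLE_LISTING is the listing shown on the page,
# embedded so the script runs without root or a live firewall.
# Verbose columns: pkts bytes target prot opt in out source destination

SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3642 1590K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    60 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    3   697 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
13083 1218K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3503 packets, 480K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# chain_policy CHAIN: the default policy word from the "Chain ..." header.
chain_policy() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v chain="$1" '
        /^Chain / && $2 == chain { print $4; exit }'
}

# target_packets CHAIN TARGET: sum of the pkts column for rules in CHAIN
# whose target is TARGET (e.g. how many packets the REJECT rule ate).
target_packets() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v chain="$1" -v target="$2" '
        /^Chain / { cur = $2; next }            # remember which chain we are in
        $1 == "pkts" { next }                   # skip the column header
        cur == chain && $3 == target { sum += $1 }
        END { print sum + 0 }'
}

# has_catch_all CHAIN: exit 0 when CHAIN contains a REJECT or DROP rule for
# all protocols from any source to any destination (the safety net an
# ACCEPT policy relies on), exit 1 otherwise.
has_catch_all() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        $1 == "pkts" { next }
        cur == chain && ($3 == "REJECT" || $3 == "DROP") && $4 == "all" &&
            ($8 == "anywhere" || $8 == "0.0.0.0/0") &&
            ($9 == "anywhere" || $9 == "0.0.0.0/0") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# One line per built-in chain.
report() {
    for c in INPUT FORWARD OUTPUT; do
        printf '%-8s policy=%-7s accepted=%-6s rejected=%-6s catch-all=%s\n' \
            "$c" "$(chain_policy "$c")" "$(target_packets "$c" ACCEPT)" \
            "$(target_packets "$c" REJECT)" "$(has_catch_all "$c" && echo yes || echo no)"
    done
}

report
```

In this listing roughly four out of five incoming packets end up in the REJECT rule; a sudden change in that ratio, or the catch-all disappearing while the policy is still ACCEPT, is exactly what you want a monitoring check to notice.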

Open a Port Using IP Tables

Adding a single port can be done like this:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

More information:

  • -I : insert: this places the rule at the top of the chain. You can also use -A for append, which places the new rule at the end of the chain.
  • INPUT : insert the rule into the chain INPUT
  • -p tcp : only match TCP packets
  • --dport 80 : only match packets headed for port 80 (destination port)
  • -j ACCEPT : jump to the ACCEPT target

You can also allow specific sources like a single host or network:

iptables -I INPUT -p tcp -s pcsjoerd.getshifting.local --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
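Why the howto uses -I rather than -A matters on a box like the one listed above: the chain ends with a rule that rejects everything, and iptables stops at the first matching rule, so a rule appended below that catch-all is never reached. The following is an added example, not part of the original page: a tiny first-match chain walker in POSIX sh that mimics how INPUT is evaluated, so the effect of -I versus -A can be seen without touching the live kernel tables. The rule format (PROTO DPORT STATE TARGET), the function names and the omission of source addresses are this example's own simplifications; nothing in it calls iptables.

```shell
#!/bin/sh
# Added example, not from the original page: a first-match chain walker
# that models how iptables evaluates a chain top to bottom. Each rule line
# is "PROTO DPORT STATE TARGET"; the word "any" matches everything.
# Source addresses are left out to keep the model short. Nothing here
# touches the real firewall.

# The INPUT chain from the listing on this page, in order. The last rule
# rejects everything that no earlier rule accepted.
BASE_RULES='any any RELATED,ESTABLISHED ACCEPT
icmp any any ACCEPT
tcp 22 NEW ACCEPT
any any any REJECT'

# match_field RULEVALUE PACKETVALUE: true when the rule field is "any" or equal.
match_field() {
    [ "$1" = "any" ] || [ "$1" = "$2" ]
}

# walk_chain RULESET POLICY PROTO DPORT STATE: print the target of the first
# rule that matches the packet, or the chain policy when no rule matches.
walk_chain() {
    ruleset=$1; policy=$2; proto=$3; dport=$4; state=$5
    verdict=$policy
    while read -r r_proto r_dport r_state r_target; do
        [ -z "$r_target" ] && continue      # skip blank lines
        if match_field "$r_proto" "$proto" &&
           match_field "$r_dport" "$dport" &&
           match_field "$r_state" "$state"; then
            verdict=$r_target
            break                           # first match wins, like iptables
        fi
    done <<EOF
$ruleset
EOF
    printf '%s\n' "$verdict"
}

# insert_rule RULESET RULE: what "iptables -I INPUT ..." does (new rule on top).
insert_rule() { printf '%s\n%s\n' "$2" "$1"; }

# append_rule RULESET RULE: what "iptables -A INPUT ..." does (new rule at the end).
append_rule() { printf '%s\n%s\n' "$1" "$2"; }

# The rule from the howto, "iptables -? INPUT -p tcp --dport 80 -j ACCEPT".
HTTP_RULE='tcp 80 NEW ACCEPT'

# Verdict for a new HTTP connection after opening port 80 each way.
http_verdict_insert() {
    walk_chain "$(insert_rule "$BASE_RULES" "$HTTP_RULE")" ACCEPT tcp 80 NEW
}
http_verdict_append() {
    walk_chain "$(append_rule "$BASE_RULES" "$HTTP_RULE")" ACCEPT tcp 80 NEW
}

printf 'new tcp/80 after -I: %s\n' "$(http_verdict_insert)"   # ACCEPT
printf 'new tcp/80 after -A: %s\n' "$(http_verdict_append)"   # REJECT, the rule sits below the catch-all
```

The same walker shows why the order of the existing rules is sensible: the RELATED,ESTABLISHED rule at the top lets replies through for any protocol, and a new connection to an unlisted port falls through to the REJECT rule rather than to the (permissive) ACCEPT policy.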

Save IP Tables Changes

After adding rules you need to save them with the command service iptables save:

[sjoerd@redhatbox /]$ sudo service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
iptables.txt · Last modified: 2021/09/24 00:24 (external edit)