7/29/2012

IPTables 3

  • Adding a new chain :

You can use this flag (-N)

Example :
iptables -N LAN

Practical example :

To manage your Intranet easily you should create a new chain and write the Intranet rules in that chain.
1- Create the new chain
iptables -N LAN
2- Send all traffic from the network (192.168.0.0/24) into the LAN chain (inserted as rule 1 of INPUT, so it is checked first).
iptables -I INPUT 1 -s 192.168.0.0/24 -j LAN
Then you can manage your Intranet rules easily in the LAN chain, such as :
iptables -A LAN -p tcp --dport 22 -j ACCEPT


  • Change Default Policy :

You can change the default policy of a chain from ACCEPT to DROP or to LOG ... etc.
For example, to change the default policy of the INPUT chain so that it DROPs all communication instead of ACCEPTing it :

Example :
iptables -P INPUT DROP

  • Matching multiple ports :

Used to match more than one port in one rule
You can use this flag (-m multiport)

Example :
Deny hosts to connect to SSH and Telnet
iptables -A INPUT -p tcp -m multiport --dports 22,23 -j DROP


  • List rules :

Use this command to list the rules of all chains

Example :
iptables -L


Chain INPUT (policy ACCEPT)
target     prot opt source               destination      
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere          
ACCEPT     all  --  anywhere             anywhere          
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination      
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


  • List rules by line number :

Use this command to list the rules with their line numbers

Example :
sudo iptables -L --line-numbers



Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

  • Deleting :

For deleting a rule by its rule number (line number)
You can use this flag (-D)

Example :
iptables -D INPUT 4

This will delete rule number 4 from the INPUT chain.

  • Replace :

For replacing one rule with another one by line number
You can use this flag (-R)

Example :
iptables -R INPUT 3 -s 192.168.0.5 -j ACCEPT

This will replace rule number 3 in the INPUT chain with ( ACCEPT 192.168.0.5 )

  • Inserting :

For inserting a rule into a chain at a given line number
You can use this flag (-I)

Example :
iptables -I INPUT 4 -p tcp --dport 22 -j ACCEPT

This will insert (ACCEPT SSH) as rule number 4; the existing rules from that position down move one line each.

  • Negation :

You can use this flag (!) in front of the option you want to negate

Example :
Deny all traffic except from 192.168.0.10

iptables -A INPUT ! -s 192.168.0.10 -j DROP


  • Logging :

For logging traffic
You can use this target (-j LOG)

Example :
Log all traffic from 192.168.0.10

iptables -A INPUT -s 192.168.0.10 -j LOG


  • Dealing with wildcard :

Such as eth , ppp ... etc.
You can use this flag (-i) and replace the number after the interface name with + , such as (eth+) instead of (eth0 or eth1 ... etc).

Example :
Deny SSH from any eth interface


iptables -A INPUT -i eth+ -p tcp --dport 22 -j DROP


Hint : You must manage your chains and rules carefully, because IPTables processes packets against the rules from top to bottom and stops at the first match; a long or badly ordered list may affect your connection speed, and a rule placed below a broader match is never reached.
