Monday, April 15, 2013

iptables

Listing Rules
# Rules are evaluated from top to bottom
# list the iptable rules
iptables -list
iptables -L

# list the rules with high verbosity 
iptables -L -v

# list the rules with high verbosity and line numbers
iptables -L -v --line-numbers

# list the rules with high verbosity and line numbers and show the raw IP addresses and ports
iptables -L -v --line-numbers -n

# list rules as a list of rules in the conf file.
iptables -S

Adding/Editing/Removing Rules 
# -I Option: Insert a rule at a specific point (to be the 4th rule). 
iptables -I INPUT 4 -p tcp  --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

# -A Option: Append a rule to the end of the rule list
iptables -A INPUT -p tcp  --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

# -D Option: Delete the INPUT rule at line 4
iptables -D INPUT 4

# -R Option: Replace a rule at 4th line
iptables -R INPUT 4 -p tcp  --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

Change the iptables policy

# Change the policy to drop all traffic if no rules matched.  
# Important: You'll want to setup an ssh rule before doing this
iptables -P INPUT DROP

# Change the policy to accept all traffic unless specific rules are matched
iptables -P INPUT ACCEPT

IPTables modules

# Modules are loaded using the -m flag
# Some common examples include: "-m tcp", "-m mac", and "-m state"
# Many are loaded by default. For example, if you specify "-p tcp --dport 22", I think it automatically loads the tcp module and assumes "-m tcp".

# List Loaded IPTables modules
cat /proc/net/ip_tables_matches

Jump option parameters (-j option) "jump to the specified target"
  ACCEPT - Accept the packet and stop processing rules
  REJECT - reject the packet and notify sender
  DROP - silently drop the packet and stop processing rules
  LOG - log the packet and continue processing

State option parameters (--cstate and --state options) 
   NEW - new connection that has not been seen
   RELATED - new connection but related to another connection
   ESTABLISHED - connection is already established
   INVALID - traffic couldn't be identified

Save the firewall rules on a RedHat system
/sbin/service iptables save

Clear rule statistics counters
iptables -Z

# good howto for Ubuntu
https://help.ubuntu.com/community/IptablesHowTo

# A good howto for Centos and DROP policy
http://wiki.centos.org/HowTos/Network/IPTables

No comments: