08 June 2009
Posted in Linux tutorials
Iptables is a user-space program that lets a system administrator configure the tables provided by the kernel's Xtables framework (which in turn sits on Netfilter), together with the chains and rules stored in those tables. Because iptables needs elevated privileges (the CAP_NET_ADMIN capability), it is normally run as root; without them it fails with a permission error.
On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened with "man iptables". The name iptables is also commonly used to refer to the kernel-level component, Xtables, that does the actual table traversal and provides an API for kernel-level extensions.
Working with iptables from the command line requires root privileges, so you will need to be root for most of what follows. To check whether the iptables kernel modules are loaded, run:
# lsmod | grep ip_tables
An empty result does not necessarily mean iptables is unavailable: on most distributions the module is loaded automatically the first time the iptables command is used.
To see the current firewall rules (which services are blocked and which are allowed):
# iptables -L
This lists the filter table only. Adding -n skips the reverse DNS lookups of the addresses in the rules (which can make the listing very slow), and -v shows the interface and the packet counters for each rule, which is the quickest way to see whether a rule is actually matching anything.
For example, to allow SSH connections into your machine, add this rule:
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
(The name ssh is looked up in /etc/services and resolves to port 22.) If your OUTPUT chain does not already accept everything, the SSH daemon's replies, which leave from source port 22, have to be allowed out as well:
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Note that this OUTPUT rule covers replies from your own SSH server, not SSH connections from this machine to other hosts; those leave with destination port 22, so they need an OUTPUT rule matching --dport 22 instead. On Red Hat-style systems, save the change so that it is reloaded at boot with:
# /sbin/service iptables save
Now, let's allow all incoming web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
ETHERNET INTERFACES: eth0 and eth1 are the first and second network cards, ppp0 is a modem (PPP) link.
To accept every packet arriving on an interface, from the Internet or the intranet, regardless of port:
# iptables -A INPUT -i eth0 -j ACCEPT (for eth0)
# iptables -A INPUT -i eth1 -j ACCEPT (for the second Ethernet card)
# iptables -A INPUT -i ppp0 -j ACCEPT (from the modem)
Use such rules only for interfaces you fully trust. Rules are evaluated in order and the first match wins, so an unconditional ACCEPT on an interface turns every DROP rule appended after it for that interface into dead code: there is effectively no firewall on that interface at all.
How to block some services or ports
# Allow loopback access. This rule must come before any rule that denies port access, otherwise local services that talk to each other over 127.0.0.1 break!
# iptables -A INPUT -i lo -p all -j ACCEPT - Rule for your computer to be able to access itself via the loopback
# iptables -A OUTPUT -o lo -p all -j ACCEPT
In the rules below, -s 0/0 -d 0/0 means "any source, any destination"; that is the default, so it can be omitted. DROP discards the packet silently, whereas REJECT would tell the client the port is closed.
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
# iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP - Block X Window System displays :0 to :9
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP - Block the X font server
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block the printer (lpd) port
# iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block the printer (lpd) port
# iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun RPC/portmapper (used by NFS)
# iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun RPC/portmapper (used by NFS)
# iptables -A INPUT -p all -s localhost -i eth0 -j DROP - Deny packets arriving on eth0 that claim to come from your loopback interface (anti-spoofing)
The name localhost is resolved to 127.0.0.1 when the rule is loaded; to cover the whole loopback block, use the network 127.0.0.0/8 as the source instead. Like every DROP rule, this one only has an effect if it is placed before any rule that accepts everything on eth0.
Another approach to firewalls is to drop everything and then grant access to each port you actually need. Start by flushing the existing rules:
# iptables -F
# iptables -A INPUT -i lo -p all -j ACCEPT - Allow self access by loopback interface
# iptables -A OUTPUT -o lo -p all -j ACCEPT
# iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT - Accept packets belonging to established connections, and related ones such as FTP data channels once the FTP connection-tracking helper is loaded
Note that this rule is limited to eth0: packets of existing connections arriving on any other interface are not matched and fall through to the DROP policy set at the end. Since the Samba rules below accept only the first SYN, the rest of those connections depends on this rule too, so if the LAN is not on eth0 they will stall. (On current kernels the state match is an alias for -m conntrack --ctstate, which is the preferred spelling.)
# iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
This rule resets TCP packets that carry no option 2 (the maximum segment size), which in practice only SYN packets carry. Established traffic on eth0 has already been accepted above, so what it actually refuses are connection attempts that do not start with a proper SYN. Current iptables versions expect the negation in front of the option (! --tcp-option 2) and warn about the old form.
# iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT - Open the FTP control port
# iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT - Open the secure shell port
# iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT - Open the HTTP port
FTP, SSH and HTTP are TCP-only services, so no UDP rules are needed for ports 21, 22 and 80.
# iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT - Accept Samba connections from the local network only
# iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
Here trancas is a hostname: iptables resolves it to an address when the rule is loaded, so the name must resolve (and the resolver must be reachable) whenever the firewall script runs, typically at boot. Modern SMB clients use port 445 as well as 139.
# iptables -P INPUT DROP - Drop all other connection attempts. Only connections matched by the rules above are allowed.
The policy is consulted only after every rule in the chain has been tried, so it is safe to set it last. If you are configuring the machine over SSH, make sure the rule accepting port 22 is in place before you change the policy, or your session will hang. The OUTPUT and FORWARD chains keep their default ACCEPT policy unless you change them as well.
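The default-deny procedure above, together with the earlier warning about unconditional per-interface ACCEPT rules, as an added example that is not part of the original page: a POSIX shell script that generates the ruleset in iptables-restore format, so it can be reviewed in a file and loaded as one atomic table instead of being typed rule by rule on a remote box, plus a check that catches the catch-all interface ACCEPT that silently disables every later DROP. The interface name eth0, the LAN prefix 192.168.10.0/24 and the open ports 22 and 80 are assumptions taken from the page's examples; the Samba port 445, the INVALID drop, the SYN check written as a state match, and the rate-limited LOG rule are additions, and the -m conntrack spelling replaces the page's -m state.

```shell
#!/bin/sh
# Added example, not from the original page: emit the "drop everything,
# then grant each port" INPUT ruleset in iptables-restore format.
# Assumptions: eth0 faces the Internet, 192.168.10.0/24 is the LAN that
# may reach Samba, and SSH/HTTP are the only public services.

gen_ruleset() {
    ext_if=${1:-eth0}               # untrusted interface
    lan_net=${2:-192.168.10.0/24}   # hosts allowed to reach Samba
    tcp_ports=${3:-"22 80"}         # services open to everyone

    echo '*filter'
    # Default policies: deny inbound and forwarded traffic, allow outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback first; a DROP placed before it breaks local services.
    echo '-A INPUT -i lo -j ACCEPT'
    # Anti-spoofing: loopback addresses never legitimately arrive on ext_if.
    echo "-A INPUT -i $ext_if -s 127.0.0.0/8 -j DROP"
    # Packets of connections this host already has, on every interface
    # (the page's version was limited to eth0).
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets conntrack cannot classify (out of window, bad flags, ...).
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # A new TCP connection must begin with SYN: this is the intent behind
    # the page's "--tcp-option ! 2" REJECT rule, written as a state match.
    echo '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'
    for port in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Samba only from the LAN; SMB uses 139 (NetBIOS) and 445 (direct).
    echo "-A INPUT -p tcp -s $lan_net -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT"
    # Log what the policy is about to drop, rate-limited to protect syslog.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# 1-based line number of the first generated line matching PATTERN, 0 if none.
rule_index() {
    idx=$(gen_ruleset | grep -n -e "$1" | head -n 1 | cut -d: -f1) || true
    echo "${idx:-0}"
}

# Read a ruleset on stdin and print every "-A INPUT -i <if> -j ACCEPT" that is
# not for lo. Such a rule matches all traffic on that interface, so every DROP
# appended after it is dead code. Returns 1 if any were found, 0 otherwise.
find_catchall_accept() {
    found=$(grep -E '^-A INPUT -i [^ ]+ -j ACCEPT$' | grep -v -e '-i lo ') || true
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone use: print the ruleset for review, then
#   iptables-restore --test < rules   # parse only, nothing is committed
#   iptables-restore < rules          # load the whole table atomically
gen_ruleset "$@"
```

Redirect the output to a file, run it through find_catchall_accept and iptables-restore --test before loading it, and keep the file under version control: unlike a sequence of iptables -A commands, iptables-restore replaces the table in one step, so there is no moment where the policy is DROP but the SSH rule is not yet in place.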
If you have any other question about iptables, read the manual page with this command:
# man iptables
Or post your question in the forum.

