Iptables 1

Iptables is a command line firewall utility that uses policy chains and rules to allow or block network traffic based on criteria like protocol, source/destination addresses and ports. It has built-in tables (filter, nat, mangle) and chains (input, output, forward) that are used to match packets and apply default or user-defined rules. Iptables comes pre-installed on Linux and provides options to list, add, delete, and flush rules for controlling network access and performing network address translation.

Uploaded by srinivas

IPTABLES

- Iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. If it doesn't find one, it resorts to the default action.
- Iptables almost always comes pre-installed on any Linux distribution.

The three most basic and commonly used responses:
- Accept – Allow the connection.
- Drop – Drop the connection, act like it never happened. This is best if you don't want the source to realize your system exists.
- Reject – Don't allow the connection, but send back an error. This is best if you don't want a particular source to connect to your system, but you want them to know that your firewall blocked them.
Types Of Tables In IPTABLES

- Filter table
  Filter is the default table for iptables. So, if you don't define your own table, you'll be using the filter table. Iptables's filter table has the following built-in chains.
  - INPUT chain – Incoming to firewall. For packets coming to the local server.
  - OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local server.
  - FORWARD chain – Packets for another NIC on the local server. For packets routed through the local server.
- NAT table
  Iptables's NAT table has the following built-in chains.
  - PREROUTING chain – Alters packets before routing, i.e. packet translation happens immediately after the packet comes to the system (and before routing). This helps to translate the destination IP address of the packets to something that matches the routing on the local server. This is used for DNAT (destination NAT).
  - POSTROUTING chain – Alters packets after routing, i.e. packet translation happens when the packets are leaving the system. This helps to translate the source IP address of the packets to something that might match the routing on the destination server. This is used for SNAT (source NAT).
  - OUTPUT chain – NAT for locally generated packets on the firewall.
- Mangle table
  Iptables's Mangle table is for specialized packet alteration. This alters QoS bits in the TCP header. The Mangle table has the following built-in chains.
  - PREROUTING chain
  - OUTPUT chain
  - FORWARD chain
  - INPUT chain
  - POSTROUTING chain
The following iptables example shows that there are some rules defined in the INPUT, FORWARD, and OUTPUT chains of the filter table.
# iptables --list

The rules in the iptables --list command output contain the following fields:
- num – Rule number within the particular chain
- target – Special target variable that we discussed above
- prot – Protocol: tcp, udp, icmp, etc.
- opt – Special options for that specific rule.
- source – Source IP address of the packet
- destination – Destination IP address of the packet
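To see how those fields are used when auditing a live firewall, here is an added shell example that is not part of the original slides. It extracts a chain's default policy and the sources of every DROP rule from the output of `iptables -L INPUT -n --line-numbers` (the `num` column only appears with `--line-numbers`; `-n` keeps addresses numeric, as the options section notes). The listing embedded in `SAMPLE_LISTING` is constructed sample output, so the script runs without iptables; on a real host replace it with the command's output.

```shell
#!/bin/sh
# Added example: parse `iptables -L INPUT -n --line-numbers` output.
# SAMPLE_LISTING is CONSTRUCTED sample output, not captured from a real host.
# On a live system use:  LISTING="$(iptables -L INPUT -n --line-numbers)"
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  203.0.113.0/24       0.0.0.0/0
3    ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
4    DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:22'

# chain_policy LISTING -> prints the default policy named on the "Chain ..." line
chain_policy() {
    printf '%s\n' "$1" | awk '/^Chain / { sub(/\)$/, "", $4); print $4; exit }'
}

# rules_by_target LISTING TARGET -> prints "num source destination" for each rule
# whose target column (field 2) equals TARGET; the two header lines are skipped.
rules_by_target() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Chain / || /^num / { next }      # skip "Chain ..." and column header
        $2 == want { print $1, $5, $6 }    # num, source, destination
    '
}

# drop_sources LISTING -> the source addresses of DROP rules, one per line
drop_sources() {
    rules_by_target "$1" DROP | awk '{ print $2 }'
}

# rule_count LISTING -> number of rules in the chain (header lines excluded)
rule_count() {
    printf '%s\n' "$1" | awk '!/^Chain / && !/^num / && NF > 0 { n++ } END { print n + 0 }'
}

# Run with --demo to print a summary of the constructed listing.
if [ "${1:-}" = "--demo" ]; then
    echo "policy: $(chain_policy "$SAMPLE_LISTING")"
    echo "rules:  $(rule_count "$SAMPLE_LISTING")"
    echo "DROP sources:"
    drop_sources "$SAMPLE_LISTING"
fi
```

The awk field numbers follow the column order described above (num, target, prot, opt, source, destination); `-v` output adds packet and byte counters in front of those columns, so the functions are written for the plain `-L -n --line-numbers` form.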
Commands To Manage IPTables

Delete Existing Rules
Before you start building a new set of rules, you might want to clean up all the default rules and existing rules.
# iptables -F

Set Default Chain Policies
The default chain policy is ACCEPT. Change this to DROP for all INPUT, FORWARD, and OUTPUT chains as shown below.
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP
Various Options To Use With IPTABLES
- -L : List rules.
- -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
- -n : Display IP addresses and ports in numeric format. Do not use DNS to resolve names. This will speed up listing.
- -F : Delete (flush) all the rules.
- -X : Delete a chain.
- -t table_name : Select a table (such as nat or mangle) and delete/flush its rules.
- -P : Set the default policy (such as DROP, REJECT, or ACCEPT).
- -D : Delete one or more rules from the selected chain.
Block a Specific IP Address
Before we proceed further with other examples, if you want to block a specific IP address, you should do that first as shown below, because -A appends and rules are matched in order. Change the "x.x.x.x" in the following example to the specific IP address that you would like to block.
# BLOCK_THIS_IP="x.x.x.x"
# iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
Allow ALL Incoming SSH
The following rules allow ALL incoming ssh connections on the eth0 interface.
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Incoming SSH only from a Specific Network
The following rules allow incoming ssh connections only from the 192.168.100.0/24 network.
# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Outgoing SSH
The following rules allow outgoing ssh connections, i.e. when you ssh from inside to an outside server.
# iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Outgoing SSH only to a Specific Network
The following rules allow outgoing ssh connections only to a specific network, i.e. you can ssh only to the 192.168.100.0/24 network from the inside.
# iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
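The steps above (flush, default DROP policies, block list first, then the explicit SSH allows) only work as intended when they run in that order, because -A appends and iptables stops at the first matching rule. The following is an added example, not part of the original slides: `emit_rules` prints the whole ruleset as plain iptables commands so it can be reviewed before anything is applied, and `apply_rules` runs those lines as root. The interface name, the SSH management network and the block list are assumptions held in variables, and the block-list addresses are constructed placeholders. Compared with the slide rules it uses one ESTABLISHED,RELATED rule per direction instead of a `--sport 22` rule per service, so return traffic for every allowed service is covered once, and it logs rate-limited SSH attempts from outside the allowed network so the drops are visible in the kernel log.

```shell
#!/bin/sh
# Added example (not from the original slides): build and apply an ordered
# filter-table ruleset. All values below are assumptions; override via env.
IFACE="${IFACE:-eth0}"
SSH_NET="${SSH_NET:-192.168.100.0/24}"
# Constructed placeholder addresses from documentation ranges, not real hosts.
BLOCK_LIST="${BLOCK_LIST:-203.0.113.45 198.51.100.0/24}"

# emit_rules -> prints one iptables command per line, in the order they must run.
emit_rules() {
    # 1. Start clean: flush rules, delete user-defined chains.
    echo "iptables -F"
    echo "iptables -X"
    # 2. Default policies: anything not explicitly accepted is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # 3. Block list first: -A appends, so these must precede any ACCEPT.
    for src in $BLOCK_LIST; do
        echo "iptables -A INPUT -s $src -j DROP"
    done
    # 4. Loopback is always allowed; many local services depend on it.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # 5. Replies to connections that were already allowed, in both directions.
    echo "iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 6. New SSH only from the management network (inbound) and to it (outbound).
    echo "iptables -A INPUT -i $IFACE -p tcp -s $SSH_NET --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -o $IFACE -p tcp -d $SSH_NET --dport 22 -m state --state NEW -j ACCEPT"
    # 7. Log what still reaches port 22 before the INPUT policy drops it.
    echo "iptables -A INPUT -i $IFACE -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix ssh-denied:"
}

# apply_rules -> runs each emitted line as a command; stops on the first failure.
apply_rules() {
    emit_rules | while IFS= read -r line; do
        # Word splitting of $line into arguments is intended here.
        set -- $line
        "$@" || { echo "failed: $line" >&2; exit 1; }
    done
}

# Usage:  sh rules.sh --print   (review)    sh rules.sh --apply   (as root)
case "${1:-}" in
    --print) emit_rules ;;
    --apply) apply_rules ;;
esac
```

Review the `--print` output before `--apply`: with OUTPUT defaulting to DROP, any service not covered by step 5 or an explicit rule (DNS, package updates) will stop working until a matching ACCEPT is added in the same ordered fashion.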
