Difference between revisions of "Iptables"
From Christoph's Personal Wiki
Revision as of 01:09, 28 February 2007
Basic command options
Chain manipulation (three default chains, INPUT, FORWARD, OUTPUT, are always present):
- Create a new chain (-N, --new-chain chain)
- Delete an empty chain (-X, --delete-chain [chain])
- Change the policy for a built-in chain (-P, --policy chain target)
- List the rules in a chain (-L, --list [chain])
- Flush the rules out of a chain (-F, --flush [chain])
- Zero the packet and byte counters in all chains (-Z, --zero) (note: it is legal to specify the -L, --list option as well, to see the counters immediately before they are cleared.)
Rule manipulation:
- Append a new rule to a chain (-A, --append chain rule-specification)
- Delete a rule at some position in a chain (-D, --delete chain rule-specification)
Help (-h)
Usage
iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands
Either long or short options are allowed.
--append -A chain
- append to chain
--delete -D chain
- delete matching rule from chain
--delete -D chain rulenum
- delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
- insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
- replace rule rulenum (1 = first) in chain
--list -L [chain]
- list the rules in a chain or all chains
--flush -F [chain]
- delete all rules in chain or all chains
--zero -Z [chain]
- zero counters in chain or all chains
--new -N chain
- create a new user-defined chain
--delete-chain -X [chain]
- delete a user-defined chain
--policy -P chain target
- change policy on chain to target
--rename-chain -E old-chain new-chain
- change chain name (moving any references)
Options
--proto -p [!] proto
- protocol: by number or name, e.g. 'tcp'
--source -s [!] address[/mask]
- source specification
--destination -d [!] address[/mask]
- destination specification
--in-interface -i [!] input name[+]
- network interface name ([+] for wildcard)
--jump -j target
- target for rule (may load target extension)
--goto -g chain
- jump to chain with no return
--match -m match
- extended match (may load extension)
--numeric -n
- numeric output of addresses and ports
--out-interface -o [!] output name[+]
- network interface name ([+] for wildcard)
--table -t table
- table to manipulate (default: 'filter')
--verbose -v
- verbose mode
--line-numbers
- print line numbers when listing
--exact -x
- expand numbers (display exact values)
[!] --fragment -f
- match second or further fragments only
--modprobe=<command>
- try to insert modules using this command
--set-counters PKTS BYTES
- set the counter during insert/append
[!] --version -V
- print package version.
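The listing options above (--list, --numeric, --verbose, --line-numbers) are what an administrator reads when checking what a ruleset actually allows. The following is an added example, not code from this wiki page: a read-only audit that parses a saved `iptables -L INPUT -n -v --line-numbers` listing, reports the chain's default policy, and flags ACCEPT rules that admit traffic from any source on a non-loopback interface without a connection-state match. The function names and the sample listing are constructed for this example; on a real host the sample would be replaced by the live command output.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a saved listing produced by
#   iptables -L INPUT -n -v --line-numbers
# without touching the live ruleset. Function names and the sample listing
# below are constructed for this example.

# Constructed sample of what `iptables -L INPUT -n -v --line-numbers` prints
# for a host configured like the example script on this page.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1234 98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     5678 4321K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       10   600 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4      200 12000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:161'

# Default policy of the chain: fourth field of the "Chain NAME (policy X ...)" header.
chain_policy() {
    printf '%s\n' "$1" | awk '/^Chain / { print $4; exit }'
}

# Rules that ACCEPT traffic from any source (0.0.0.0/0) on a non-loopback
# interface without a conntrack state match, i.e. services exposed to every
# network. With -v and --line-numbers the columns are:
#   num pkts bytes target prot opt in out source destination [match details]
# Prints one "rulenum proto port" line per exposed rule.
world_open_rules() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $7 != "lo" && $9 == "0.0.0.0/0" &&
        $0 !~ /state/ {
            port = "any"
            for (i = 11; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
            print $1, $5, port
        }'
}

# Exit status 0 when the chain defaults to DROP, 1 otherwise.
policy_is_drop() {
    [ "$(chain_policy "$1")" = "DROP" ]
}

# Human-readable report. On a real host feed the live output instead, e.g.
#   LISTING=$(iptables -L INPUT -n -v --line-numbers); audit_input_chain "$LISTING"
audit_input_chain() {
    if policy_is_drop "$1"; then
        echo "INPUT policy: DROP (ok)"
    else
        echo "INPUT policy: $(chain_policy "$1") (expected DROP)"
    fi
    echo "rules accepting from any source:"
    world_open_rules "$1" | while read -r num proto port; do
        echo "  rule $num: $proto port $port"
    done
}

audit_input_chain "$SAMPLE_LISTING"
```

For the sample listing the report shows rule 4 (tcp/80, the Apache rule the example script opens on all interfaces) and rule 5 (udp/161) as reachable from any source, while the loopback, ESTABLISHED,RELATED and 10.0.0.0/8-restricted SSH rules are not flagged. Because the parser keys on column positions, it must be fed output produced with both -v and --line-numbers; without them the column count differs.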
Example script
#!/bin/bash
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

########
# flush iptables (-F removes rules only; chain policies are set separately below)
iptables -F
iptables -t nat -F
iptables -t mangle -F

########
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########
# policies (default-deny for incoming and forwarded traffic)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

########
# allow related incoming (inserted at position 1 so it is matched before the service rules)
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

########
# programs and stuff (add a line for each service you want to allow)
# SSH on local network (only from $CLASS_A; connections from other networks are dropped)
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT
# apache server (on all interfaces/networks)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
# samba + network share
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 445 -j ACCEPT
External links
- netfilter.org
- Iptables Tutorial 1.2.2 — by Oskar Andreasson
- Linux Networking-concepts HOWTO
- Iptables - Example Firewall Rulesets — by James Stephens
- Iptables On A Linksys-Cisco WRT54GL Broadband Router HOWTO — by James Stephens
- the DD-WRT Wiki — a third party developed firmware for many 802.11g wireless routers based on a Broadcom chip reference design.
- Firewall for Single Host with Iptables
- Netfilter Log Format