Difference between revisions of "Iptables"

From Christoph's Personal Wiki

Revision as of 02:52, 27 February 2007

Basic command options

Chain manipulation (the three default chains INPUT, FORWARD and OUTPUT are always present):

  • Create a new chain (-N, --new-chain chain)
  • Delete an empty chain (-X, --delete-chain [chain])
  • Change the policy for a built-in chain (-P, --policy chain target)
  • List the rules in a chain (-L, --list [chain])
  • Flush the rules out of a chain (-F, --flush [chain])
  • Zero the packet and byte counters in all chains (-Z, --zero) (note: the -L, --list option may be given as well, to see the counters immediately before they are cleared)

Rule manipulation:

  • Append a new rule to a chain (-A, --append chain rule-specification)
  • Delete a rule at some position in a chain (-D, --delete chain rule-specification)

Help (-h)

Usage

iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands

Either long or short options are allowed.

 --append  -A chain            Append to chain
 --delete  -D chain            Delete matching rule from chain
 --delete  -D chain rulenum
                               Delete rule rulenum (1 = first) from chain
 --insert  -I chain [rulenum]
                               Insert in chain as rulenum (default 1=first)
 --replace -R chain rulenum
                               Replace rule rulenum (1 = first) in chain
 --list    -L [chain]          List the rules in a chain or all chains
 --flush   -F [chain]          Delete all rules in  chain or all chains
 --zero    -Z [chain]          Zero counters in chain or all chains
 --new     -N chain            Create a new user-defined chain
 --delete-chain
           -X [chain]          Delete a user-defined chain
 --policy  -P chain target
                               Change policy on chain to target
 --rename-chain
           -E old-chain new-chain
                               Change chain name, (moving any references)

Options

 --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
 --source      -s [!] address[/mask]
                               source specification
 --destination -d [!] address[/mask]
                               destination specification
 --in-interface -i [!] input name[+]
                               network interface name ([+] for wildcard)
 --jump        -j target
                               target for rule (may load target extension)
 --goto      -g chain
                             jump to chain with no return
 --match       -m match
                               extended match (may load extension)
 --numeric     -n              numeric output of addresses and ports
 --out-interface -o [!] output name[+]
                               network interface name ([+] for wildcard)
 --table       -t table        table to manipulate (default: `filter')
 --verbose     -v              verbose mode
 --line-numbers                print line numbers when listing
 --exact       -x              expand numbers (display exact values)
[!] --fragment  -f             match second or further fragments only
 --modprobe=<command>          try to insert modules using this command
 --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V             print package version.

Example script

#!/bin/bash

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"
CLASS_E="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

########
# flush iptables
iptables -F
iptables -t nat -F
iptables -t mangle -F

########
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########
# policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

########
# allow related incoming
iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

########
# programs and stuff (add a line for each service you want to allow)

# SSH on local network
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT

# apache server (on all interfaces/networks)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

# samba + network share
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 445 -j ACCEPT
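Added here as a defender-side check (example code, not from the wiki page): a small Python audit of `iptables -S INPUT` output that verifies the properties the script above relies on, namely a DROP policy on INPUT, the ESTABLISHED,RELATED accept placed before the per-service rules, and no service other than the public web port accepted from any source. The sample rules are constructed to mirror the script plus one deliberately over-broad rule; `public_ports` is an assumed parameter.

```python
import shlex

# Constructed sample, not captured output: roughly what `iptables -S INPUT` prints
# after the script above (--destination-port is shown as --dport), plus one
# deliberately over-broad udp/445 rule that the audit should catch.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 445 -j ACCEPT
"""

def parse_rule(line):
    """Map each option of one `iptables -S` line to its value(s); True if it has none."""
    toks = shlex.split(line)
    rule, i = {}, 0
    while i < len(toks):
        key = toks[i]
        if key == "!":                      # "! -s 10.0.0.0/8" negates the next option
            key, i = "!" + toks[i + 1], i + 1
        vals = []
        while i + 1 < len(toks) and not toks[i + 1].startswith(("-", "!")):
            vals.append(toks[i + 1])
            i += 1
        rule[key] = vals[0] if len(vals) == 1 else (tuple(vals) if vals else True)
        i += 1
    return rule

def audit_input_chain(rules_text, public_ports=frozenset({"80"})):
    """Return findings where the chain departs from the script's intent; [] means clean."""
    findings = []
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    policy = next((r["-P"] for r in rules if "-P" in r), None)
    if policy != ("INPUT", "DROP"):
        findings.append("INPUT policy is not DROP")
    appends = [r for r in rules if r.get("-A") == "INPUT"]
    # Position of the stateful accept: service rules placed before it are a smell.
    state_idx = next((n for n, r in enumerate(appends, 1)
                      if "ESTABLISHED" in str(r.get("--state", ""))), None)
    for n, r in enumerate(appends, 1):
        if r.get("-j") != "ACCEPT" or "--dport" not in r:
            continue                        # only per-service ACCEPT rules are checked
        if state_idx is None or n < state_idx:
            findings.append(f"rule {n} precedes the ESTABLISHED,RELATED accept")
        if "-s" not in r and r["--dport"] not in public_ports:
            findings.append(f"rule {n} accepts {r.get('-p', '?')}/{r['--dport']} from any source")
    return findings
```

Feed it the real chain with `iptables -S INPUT | python3 audit.py` style piping, or call `audit_input_chain()` on the captured text; the constructed sample yields exactly one finding, for the udp/445 rule.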

External links

  • the DD-WRT Wiki (http://www.dd-wrt.com/wiki/index.php/Main_Page): a third-party firmware for many 802.11g wireless routers based on a Broadcom chip reference design.
  • Firewall for Single Host with Iptables (http://myy.helia.fi/~karte/iptables_firewall.html)
  • Netfilter Log Format (http://logi.cc/linux/netfilter-log-format.php3)

Category: Linux Command Line Tools