
April 14, 2010

iptables general configuration

List iptables contents
[root@linux ~]# iptables -L -n
[root@linux ~]# iptables -L -nv
[root@linux ~]# iptables -t nat -L -n

Flush iptables contents
[root@linux ~]# iptables -F
[root@linux ~]# iptables -t nat -F
[root@linux ~]# iptables -F FORWARD
[root@linux ~]# iptables -X MYCHAIN

Set policy for chain
Example:
[root@linux ~]# iptables -P INPUT DROP
Result:
Chain INPUT (policy DROP)
target     prot opt source               destination 

Add rules to the chain
Template:
iptables [-AI Chain] [-io interface] [-p protocol] [-s source ip] [-d destination ip] -j [ACCEPT|DROP]
Example:
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
[root@linux ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
(Log all traffic from 192.168.2.200; the entries go to the kernel log, /var/log/messages on this system. LOG is a non-terminating target, so the packet continues to the next rule.)
[root@linux ~]# iptables -A INPUT -p icmp -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65534 --dport ssh -j DROP
[root@linux ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
(Accept reply packets belonging to connections that already exist; the possible states are NEW, RELATED, ESTABLISHED and INVALID)
[root@linux ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@linux ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

Insert a rule to the chain
[root@linux ~]# iptables -I INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Insert as the 2nd rule; existing rules from position 2 onward shift down)

Replace a rule
[root@linux ~]# iptables -R INPUT 2 -i eth0 -p tcp --dport 21 -j DROP
(Replace the 2nd rule)

Delete rules
[root@linux ~]# iptables -D INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@linux ~]# iptables -D INPUT 2
(Delete the 2nd rule by position; the previous form deletes by matching the rule specification)

Save and Restore
Whatever you change on the command line is lost after a reboot, so the rules need to be
saved to a file that is loaded at boot. On Red Hat distributions that file is
/etc/sysconfig/iptables.
Two commands are used to back up and restore the rules.
Example:
[root@linux ~]# iptables-save > filename
(Save iptables from running config to a file)
[root@linux ~]# iptables-save > /etc/sysconfig/iptables
(Save iptables from running config to startup config)
[root@linux ~]# iptables-restore < filename
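Putting the pieces above together, here is an added example (not from the original post) that generates a complete ruleset in the iptables-save format that iptables-restore reads, ordering the rules so the stateful ACCEPT comes first and INPUT defaults to DROP. The interface eth0, the LAN 192.168.1.0/24, SSH on tcp/22 and the loopback accept rule are assumptions; the check function only inspects the generated text and needs no root.

```shell
#!/bin/sh
# Added example: build an iptables-restore file from the cheat-sheet rules,
# with INPUT defaulting to DROP. Interface, LAN and the loopback rule are
# assumptions, not taken from the original post.

# Print the ruleset in iptables-save format. $1 = trusted LAN, $2 = interface.
gen_ruleset() {
    lan="$1"
    iface="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be accepted explicitly once the policy is DROP, or local
# services stop working (assumption added here).
-A INPUT -i lo -j ACCEPT
# Replies to connections we opened; first, so most packets match early.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify are dropped early.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# Allow new SSH connections from the trusted LAN only.
-A INPUT -i $iface -p tcp -s $lan --dport 22 -m state --state NEW -j ACCEPT
# Log everything else on the interface; the DROP policy then discards it.
-A INPUT -i $iface -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Sanity check on the generated text: INPUT policy is DROP and the
# RELATED,ESTABLISHED rule precedes the LOG rule. Returns 0 when correct.
check_ruleset() {
    rules=$(gen_ruleset "$1" "$2")
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    est=$(printf '%s\n' "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)
    log=$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$log" ] && [ "$est" -lt "$log" ]
}

# Usage as root:
#   gen_ruleset 192.168.1.0/24 eth0 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```

Because the file is applied atomically by iptables-restore, the whole table is replaced in one step instead of rule by rule with -A, which avoids a window where the policy is DROP but the ACCEPT rules are not yet loaded.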
