
IPtables - Basic concepts

The iptables program that ships with Linux distributions lets administrators configure the operating system so that wanted applications and clients can communicate over the network while unwanted ones are stopped from reaching, and potentially compromising, the system. It is really a front-end tool for managing netfilter, the packet-filtering framework integrated into the Linux kernel.

iptables works primarily at OSI layer 3 (network layer) and layer 4 (transport layer); it can also filter ICMP.

To start, stop, and restart iptables after booting:

[root@mpsoft ]# service iptables start
[root@mpsoft ]# service iptables stop
[root@mpsoft ]# service iptables restart

To have iptables start at boot time:

[root@mpsoft tmp]# chkconfig iptables on

There are three default tables, which cannot be deleted:

mangle (alter packets, e.g. the headers of TCP/UDP/ICMP packets)
nat (Network Address Translation: change or masquerade source/destination IP addresses or ports)
filter (IP packet filtering, with the INPUT, FORWARD and OUTPUT chains)

Eg 1: iptables rules to block all incoming traffic except ssh:

[root@mpsoft tmp]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@mpsoft tmp]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Note that these two rules only ACCEPT ssh; everything else is blocked only when the default policy of the INPUT and OUTPUT chains is DROP (iptables -P INPUT DROP, iptables -P OUTPUT DROP), as in the firewall script below. With the default ACCEPT policy they block nothing.

Eg 2: Block a source IP (192.168.2.10) from communicating with our system:

[root@mpsoft ]# iptables -A INPUT -s 192.168.2.10 -j DROP

We can save the current rules to a text file and restore them from that file with the following commands:

[root@mpsoft ]# iptables-save > filename.txt
[root@mpsoft ]# iptables-restore < filename.txt

Script for a simple firewall:

#!/bin/sh
# My system IP / set the IP address of the server
SERVER_IP="55.55.55.55"
# Flush all rules and delete user-defined chains
iptables -F
iptables -X
# Set the default filter policy to DROP, so only what is explicitly allowed passes
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming ssh only (new connections in, replies out, tracked by the state match)
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Make sure nothing else comes in or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
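The script above applies rules one command at a time; the same policy can be written once in the iptables-restore format that iptables-save produces, which is easier to version, review and load atomically. The following is an added example, not part of the original post: it generates such a ruleset for a given server IP and ssh port (placeholder values, with a single ESTABLISHED,RELATED rule covering return traffic instead of per-port reply rules) and includes a small check that catches the pitfall from Eg 1, ACCEPT rules sitting on top of a default ACCEPT policy. It only writes the file; loading it with iptables-restore is left as a comment.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a minimal stateful
# ruleset in iptables-restore format and checks it for default deny.
# SERVER_IP and the ssh port are placeholder values chosen for illustration.

# gen_ruleset <server_ip> <ssh_port>
# Prints an iptables-restore file for the filter table: default DROP on all
# chains, loopback allowed, tracked return traffic allowed, new ssh in.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -d $1 --dport $2 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# check_default_deny <file>
# Returns 0 only if the filter table's INPUT policy is DROP. A ruleset that
# merely ACCEPTs ssh while the policy stays ACCEPT blocks nothing (Eg 1).
check_default_deny() {
    grep -q '^:INPUT DROP' "$1"
}

# count_accept_rules <file> <chain>
# Prints how many ACCEPT rules the given chain carries, for a quick review.
count_accept_rules() {
    grep -c "^-A $2 .* -j ACCEPT" "$1"
}

RULES_FILE="${TMPDIR:-/tmp}/firewall.rules"
gen_ruleset "55.55.55.55" "22" > "$RULES_FILE"

if check_default_deny "$RULES_FILE"; then
    echo "ok: INPUT policy is DROP ($(count_accept_rules "$RULES_FILE" INPUT) ACCEPT rules in INPUT)"
else
    echo "warning: INPUT policy is not DROP, ACCEPT rules will not restrict anything"
fi
# To apply (as root, not executed here):  iptables-restore < "$RULES_FILE"
```

The generated file has the same shape as iptables-save output, so the check function also works on a dump of the live ruleset (iptables-save > current.rules; check_default_deny current.rules).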

Mirela
