Difference between revisions of "Iptables: Explanations, options & examples"

Configuration file location and command commands

Configuration file

The iptables configuration file is located at: /etc/sysconfig/iptables. The contains all the tables, chains and rules. Additional configurations can be added directly to this file or via command line tools, for example:

[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT

Common Commands

# start iptables
[root@srv1 ~]# service iptables start	

# get current status
[root@srv1 ~]# service iptables status

# stop iptables
[root@srv1 ~]# service iptables stop

# restart iptables
[root@srv1 ~]# service iptables restart

# save any newly added rules
[root@srv1 ~]# service iptables save

Structure of /etc/sysconfig/iptables

Tables

iptables includes 3 default tables:

• *filter - Default table for filtering packets
• *nat - Default table for Network Address Translation
• *mangle - Default table used for specific type of packet alteration

Chains

Each table has a group of built-in chains, corresponding to the actions to be performed on the packets. The chains for each section are as follows:

• The built-in chains for the filter table:
  • INPUT - Applies to packets targeted at the host (incoming traffic)
  • OUTPUT - Applies to locally-generated packets heading out of the system (outgoing traffic)
  • FORWARD - Applies to packets routed through the host (forwarded/routed traffic)
• The built-in chains for the nat table:
  • PREROUTING - Alters packets when they arrive
  • OUTPUT - Alters locally-general packets before they leave
  • POSTROUTING - Alters packets before they leave
• The built-in chains for the mangle table:
  • INPUT - Alters packets targeted for the host
  • OUTPUT - Alters locally-generated packets before they leave
  • FORWARD - Alters to packets routed through the host
  • PREROUTING - Alters incoming packets before they are routed
  • POSTROUTING- Alters packets before they leave