Difference between revisions of "Iptables: Explanations, options & examples"
Revision as of 14:02, 15 November 2012
Configuration file location and common commands
Configuration file
The iptables configuration file is located at /etc/sysconfig/iptables. This file contains all the tables, chains and rules. Additional configuration can be added directly to this file or via the command line tools, for example:
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPT
Common Commands
# start iptables
[root@srv1 ~]# service iptables start
# get current status
[root@srv1 ~]# service iptables status
# stop iptables
[root@srv1 ~]# service iptables stop
# restart iptables
[root@srv1 ~]# service iptables restart
# save any newly added rules
[root@srv1 ~]# service iptables save
Structure of /etc/sysconfig/iptables
Tables
iptables includes 3 default tables:
* filter - Default table for filtering packets
* nat - Default table for Network Address Translation
* mangle - Default table used for specific types of packet alteration
Chains
Each table has a group of built-in chains, corresponding to the actions to be performed on the packets. The chains for each section are as follows:
- The built-in chains for the filter table:
  * INPUT - Applies to packets targeted at the host (incoming traffic)
  * OUTPUT - Applies to locally-generated packets heading out of the system (outgoing traffic)
  * FORWARD - Applies to packets routed through the host (forwarded/routed traffic)
- The built-in chains for the nat table:
  * PREROUTING - Alters packets when they arrive
  * OUTPUT - Alters locally-generated packets before they leave
  * POSTROUTING - Alters packets before they leave
- The built-in chains for the mangle table:
  * INPUT - Alters packets targeted for the host
  * OUTPUT - Alters locally-generated packets before they leave
  * FORWARD - Alters packets routed through the host
  * PREROUTING - Alters incoming packets before they are routed
  * POSTROUTING - Alters packets before they leave
Explanation of an iptables rule
[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
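The file layout described under "Structure of /etc/sysconfig/iptables" and the rule shown in this section, as an added example that is not part of the original page: a small Python parser for the iptables-save format that /etc/sysconfig/iptables uses, run over a constructed sample ruleset, plus an audit pass that flags ACCEPT default policies and ACCEPT rules that match on an interface alone (the 192.168.122.0/24 network and the nat rule are assumptions for the sample).

```python
# Constructed sample in the iptables-save format used by /etc/sysconfig/iptables.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT
"""

def explain_rule(rule):
    """Split one '-A CHAIN ...' line into option/value pairs; bare flags map to True."""
    tokens = rule.split()
    fields = {"chain": tokens[1]}
    for i, tok in enumerate(tokens[2:], start=2):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            fields[tok.lstrip("-")] = nxt if nxt and not nxt.startswith("-") else True
    return fields

def parse_iptables_save(text):
    """Return {table: {'policies': {chain: policy}, 'rules': [fields, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # ':CHAIN POLICY [pkts:bytes]'
            chain, policy, _ = line[1:].split()
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):                  # append rule to a chain
            tables[table]["rules"].append(explain_rule(line))
    return tables

def audit(tables):
    """Flag ACCEPT default policies and interface-only ACCEPT rules in the filter table."""
    findings, flt = [], tables.get("filter", {"policies": {}, "rules": []})
    for chain, policy in flt["policies"].items():
        if policy == "ACCEPT":
            findings.append(f"filter/{chain}: default policy ACCEPT")
    for r in flt["rules"]:
        if r.get("j") == "ACCEPT" and "p" not in r and "dport" not in r:
            findings.append(f"filter/{r['chain']}: accepts everything on -i {r.get('i', 'any')}")
    return findings
```

Running `audit(parse_iptables_save(SAMPLE))` reports the ACCEPT policies on FORWARD and OUTPUT and the blanket `-i eth0 -j ACCEPT` rule, while the DNS rule on virbr0 passes because it is restricted to UDP port 53.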