Difference between revisions of "Iptables: Explanations, options & examples"
Jump to navigation
Jump to search
| Line 49: | Line 49: | ||
**<code>POSTROUTING</code>- '''Alters packets before they leave''' | **<code>POSTROUTING</code>- '''Alters packets before they leave''' | ||
| − | == Explanation of an iptables rule == | + | == Explanation of an example iptables rule == |
<syntaxhighlight> | <syntaxhighlight> | ||
[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT | [root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| + | |||
| + | * <code>-A INPUT</code> = '''Append''' the rule to the '''INPUT''' ''chain'' | ||
| + | * <code>-i virbr0</code> = '''Interface''' = '''virbr0''' | ||
| + | * <code>-p udp</code> = '''Protocol''' = '''UDP''' | ||
Revision as of 15:50, 15 November 2012
Configuration file location and command commands
Configuration file
The iptables configuration file is located at: /etc/sysconfig/iptables. The contains all the tables, chains and rules. Additional configurations can be added directly to this file or via command line tools, for example:
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPTCommon Commands
# start iptables
[root@srv1 ~]# service iptables start
# get current status
[root@srv1 ~]# service iptables status
# stop iptables
[root@srv1 ~]# service iptables stop
# restart iptables
[root@srv1 ~]# service iptables restart
# save any newly added rules
[root@srv1 ~]# service iptables saveStructure of /etc/sysconfig/iptables
Tables
iptables includes 3 default tables:
*filter- Default table for filtering packets*nat- Default table for Network Address Translation*mangle- Default table used for specific type of packet alteration
Chains
Each table has a group of built-in chains, corresponding to the actions to be performed on the packets. The chains for each section are as follows:
- The built-in chains for the filter table:
INPUT- Applies to packets targeted at the host (incoming traffic)OUTPUT- Applies to locally-generated packets heading out of the system (outgoing traffic)FORWARD- Applies to packets routed through the host (forwarded/routed traffic)
- The built-in chains for the nat table:
PREROUTING- Alters packets when they arriveOUTPUT- Alters locally-general packets before they leavePOSTROUTING- Alters packets before they leave
- The built-in chains for the mangle table:
INPUT- Alters packets targeted for the hostOUTPUT- Alters locally-generated packets before they leaveFORWARD- Alters to packets routed through the hostPREROUTING- Alters incoming packets before they are routedPOSTROUTING- Alters packets before they leave
Explanation of an example iptables rule
[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT-A INPUT= Append the rule to the INPUT chain-i virbr0= Interface = virbr0-p udp= Protocol = UDP