Difference between revisions of "Iptables: Explanations, options & examples"
| Line 54: | Line 54: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | * <code>-A INPUT</code> = '''Append''' the rule | + | * <code>-A INPUT</code> = '''Append''' the rule to the '''INPUT''' ''chain'' |
* <code>-i virbr0</code> = '''Interface''' = '''virbr0''' | * <code>-i virbr0</code> = '''Interface''' = '''virbr0''' | ||
* <code>-p udp</code> = '''Protocol''' = '''UDP''' | * <code>-p udp</code> = '''Protocol''' = '''UDP''' | ||
| Line 61: | Line 61: | ||
* <code>-j ACCEPT</code> = '''Jump''' to the target of '''ACCEPT'''. Basically, what to do if the packet matches the rule criteria. Option could be to ACCEPT, DENY or jump to another chain. | * <code>-j ACCEPT</code> = '''Jump''' to the target of '''ACCEPT'''. Basically, what to do if the packet matches the rule criteria. Option could be to ACCEPT, DENY or jump to another chain. | ||
| − | This rule will basically '''accept''' '''UDP''' traffic on '''port 53''' across '''virbr0'''. In practice, this rule will exist in the <code>*filter</code> '' | + | This rule will basically '''accept''' '''UDP''' traffic on '''port 53''' across '''virbr0'''. In practice, this rule will exist in the <code>*filter</code> ''table'' and will allow DNS operations over the KVM virtual network interface known as <code>virbr0</code>. |
== Example operations with iptables == | == Example operations with iptables == | ||
Revision as of 17:20, 15 November 2012
Configuration file location and command commands
Configuration file
The iptables configuration file is located at: /etc/sysconfig/iptables. The contains all the tables, chains and rules. Additional configurations can be added directly to this file or via command line tools, for example:
[root@srv1 ~]# iptables -A INPUT -i eth0 -j ACCEPTCommon Commands
# start iptables
[root@srv1 ~]# service iptables start
# get current status
[root@srv1 ~]# service iptables status
# stop iptables
[root@srv1 ~]# service iptables stop
# restart iptables
[root@srv1 ~]# service iptables restart
# save any newly added rules
[root@srv1 ~]# service iptables saveStructure of /etc/sysconfig/iptables
Tables
iptables includes 3 default tables:
*filter- Default table for filtering packets*nat- Default table for Network Address Translation*mangle- Default table used for specific type of packet alteration
Chains
Each table has a group of built-in chains, corresponding to the actions to be performed on the packets. The chains for each section are as follows:
- The built-in chains for the filter table:
INPUT- Applies to packets targeted at the host (incoming traffic)OUTPUT- Applies to locally-generated packets heading out of the system (outgoing traffic)FORWARD- Applies to packets routed through the host (forwarded/routed traffic)
- The built-in chains for the nat table:
PREROUTING- Alters packets when they arriveOUTPUT- Alters locally-general packets before they leavePOSTROUTING- Alters packets before they leave
- The built-in chains for the mangle table:
INPUT- Alters packets targeted for the hostOUTPUT- Alters locally-generated packets before they leaveFORWARD- Alters to packets routed through the hostPREROUTING- Alters incoming packets before they are routedPOSTROUTING- Alters packets before they leave
Explanation of an example iptables rule
[root@srv1 ~]# iptables -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT-A INPUT= Append the rule to the INPUT chain-i virbr0= Interface = virbr0-p udp= Protocol = UDP-m udp= match = UDP - not sure what this means!--dport 53= desintation port = 53-j ACCEPT= Jump to the target of ACCEPT. Basically, what to do if the packet matches the rule criteria. Option could be to ACCEPT, DENY or jump to another chain.
This rule will basically accept UDP traffic on port 53 across virbr0. In practice, this rule will exist in the *filter table and will allow DNS operations over the KVM virtual network interface known as virbr0.
Example operations with iptables
Open up specific ports (port 80 in this example)
[root@srv1 ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPTThis rule needs to be in the *filter chain.
It will allow TCP traffic over port 80.
NB - The --state NEW signifies the packet is establishing a new connection. ESTABLISHSED would mean the packet is associated with an existing connected which has seen packet transfer in both directions. RELATED would mean a packet is establishing a new connection but is associated with an existing connections (useful for FTP).