From Fedora Project Wiki

(How to edit IPtables rules.)
 
(Beginning of cli way editing iptables rules.)
Line 10: Line 10:


Let's go.
Let's go.
__TOC__
== my CLI way ==
=== Hot change in iptables rules contents ===
This method allow you to change behaviour of your iptables firewall when is running.
{{admon/caution|Caution|You can break up your connection with mistakes in rules.}}
I invite you to read the man pages about iptables for further explanation and more sophisticated rules.
You must have superuser rights to launch these commands, please use sudo or su as your convenience.
Example of iptables rules which allow any connections established or related, icmp requests, all local traffic and finally ssh communication :
<pre>[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination </pre>
First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule.
So with that in mind, we can edit iptables's rules.
==== Append a rule ====
This is add a rule at the end of the specified chain of iptables :
<pre>[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       


== my CLI way ==
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination </pre>
 
Notice the last line in chain INPUT. There are now 5 rules in that chain. Let's delete the last one for recreate on the top of the same chain.
<pre>[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
 
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
 
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination </pre>
 
Now, recreate it on the top :
<pre>[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
 
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
 
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination </pre>
Notice the number append after the name of the chain. As we say that we insert the rule at the top, we must insert it '''before''' the first. So, you want to insert this rules '''before''' the third rule you as to change this number to 3. Simple isn't it!
 
For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :
<pre>[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    tcp  --  192.168.0.0/24      anywhere            tcp dpt:http
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            state NEW tcp dpt:ssh
 
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
 
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination </pre>
 
So, summarize, we now know how to :
* append
<pre>iptables -A <chain></pre>
* insert
<pre>iptables -I <chain> <rule_position></pre>
* replace
<pre>iptables -R <chain> <rule_position></pre>
* delete
<pre>iptables -D <chain> <rule_position></pre>
 
=== Make changes persistant ===


== TUI/semi graphical ==
== TUI/semi graphical ==
== GUI ==
== GUI ==

Revision as of 21:22, 6 December 2011

How to edit IPtables rules.

In this how to we will learn three differents way to edit IPtables rules :

  • CLI : iptables command and his config file /etc/sysconfig/iptables.
  • ncurse interface : setup or system-config-firewall-tui
  • GUI : system-config-firewall

It is not an how to about making elaborates rules with iptables, we only use iptables on a basic way.

Let's go.

my CLI way

Hot change in iptables rules contents

This method allow you to change behaviour of your iptables firewall when is running.

Caution
You can break up your connection with mistakes in rules.

I invite you to read the man pages about iptables for further explanation and more sophisticated rules. You must have superuser rights to launch these commands, please use sudo or su as your convenience. Example of iptables rules which allow any connections established or related, icmp requests, all local traffic and finally ssh communication :

[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule. So with that in mind, we can edit iptables's rules.

Append a rule

This is add a rule at the end of the specified chain of iptables :

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Notice the last line in chain INPUT. There are now 5 rules in that chain. Let's delete the last one for recreate on the top of the same chain.

[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Now, recreate it on the top :

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Notice the number append after the name of the chain. As we say that we insert the rule at the top, we must insert it before the first. So, you want to insert this rules before the third rule you as to change this number to 3. Simple isn't it!

For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :

[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

So, summarize, we now know how to :

  • append
iptables -A <chain>
  • insert
iptables -I <chain> <rule_position>
  • replace
iptables -R <chain> <rule_position>
  • delete
iptables -D <chain> <rule_position>

Make changes persistant

TUI/semi graphical

GUI