(How to edit IPtables rules.) |
(Beginning of cli way editing iptables rules.) |
||
Line 10: | Line 10: | ||
Let's go. | Let's go. | ||
__TOC__ | |||
== my CLI way == | |||
=== Hot change in iptables rules contents === | |||
This method allow you to change behaviour of your iptables firewall when is running. | |||
{{admon/caution|Caution|You can break up your connection with mistakes in rules.}} | |||
I invite you to read the man pages about iptables for further explanation and more sophisticated rules. | |||
You must have superuser rights to launch these commands, please use sudo or su as your convenience. | |||
Example of iptables rules which allow any connections established or related, icmp requests, all local traffic and finally ssh communication : | |||
<pre>[root@server ~]# iptables -L | |||
Chain INPUT (policy DROP) | |||
target prot opt source destination | |||
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED | |||
ACCEPT icmp -- anywhere anywhere | |||
ACCEPT all -- anywhere anywhere | |||
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh | |||
Chain FORWARD (policy ACCEPT) | |||
target prot opt source destination | |||
Chain OUTPUT (policy ACCEPT) | |||
target prot opt source destination </pre> | |||
First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule. | |||
So with that in mind, we can edit iptables's rules. | |||
==== Append a rule ==== | |||
This is add a rule at the end of the specified chain of iptables : | |||
<pre>[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT | |||
[root@server ~]# iptables -L | |||
Chain INPUT (policy DROP) | |||
target prot opt source destination | |||
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED | |||
ACCEPT icmp -- anywhere anywhere | |||
ACCEPT all -- anywhere anywhere | |||
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh | |||
ACCEPT tcp -- anywhere anywhere tcp dpt:http | |||
Chain FORWARD (policy ACCEPT) | |||
target prot opt source destination | |||
== | Chain OUTPUT (policy ACCEPT) | ||
target prot opt source destination </pre> | |||
Notice the last line in chain INPUT. There are now 5 rules in that chain. Let's delete the last one for recreate on the top of the same chain. | |||
<pre>[root@server ~]# iptables -D INPUT 5 | |||
[root@server ~]# iptables -L | |||
Chain INPUT (policy DROP) | |||
target prot opt source destination | |||
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED | |||
ACCEPT icmp -- anywhere anywhere | |||
ACCEPT all -- anywhere anywhere | |||
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh | |||
Chain FORWARD (policy ACCEPT) | |||
target prot opt source destination | |||
Chain OUTPUT (policy ACCEPT) | |||
target prot opt source destination </pre> | |||
Now, recreate it on the top : | |||
<pre>[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT | |||
[root@server ~]# iptables -L | |||
Chain INPUT (policy DROP) | |||
target prot opt source destination | |||
ACCEPT tcp -- anywhere anywhere tcp dpt:http | |||
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED | |||
ACCEPT icmp -- anywhere anywhere | |||
ACCEPT all -- anywhere anywhere | |||
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh | |||
Chain FORWARD (policy ACCEPT) | |||
target prot opt source destination | |||
Chain OUTPUT (policy ACCEPT) | |||
target prot opt source destination </pre> | |||
Notice the number append after the name of the chain. As we say that we insert the rule at the top, we must insert it '''before''' the first. So, you want to insert this rules '''before''' the third rule you as to change this number to 3. Simple isn't it! | |||
For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 : | |||
<pre>[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT | |||
[root@server ~]# iptables -L | |||
Chain INPUT (policy DROP) | |||
target prot opt source destination | |||
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http | |||
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED | |||
ACCEPT icmp -- anywhere anywhere | |||
ACCEPT all -- anywhere anywhere | |||
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh | |||
Chain FORWARD (policy ACCEPT) | |||
target prot opt source destination | |||
Chain OUTPUT (policy ACCEPT) | |||
target prot opt source destination </pre> | |||
So, summarize, we now know how to : | |||
* append | |||
<pre>iptables -A <chain></pre> | |||
* insert | |||
<pre>iptables -I <chain> <rule_position></pre> | |||
* replace | |||
<pre>iptables -R <chain> <rule_position></pre> | |||
* delete | |||
<pre>iptables -D <chain> <rule_position></pre> | |||
=== Make changes persistant === | |||
== TUI/semi graphical == | == TUI/semi graphical == | ||
== GUI == | == GUI == |
Revision as of 21:22, 6 December 2011
How to edit IPtables rules.
In this how to we will learn three differents way to edit IPtables rules :
- CLI : iptables command and his config file /etc/sysconfig/iptables.
- ncurse interface : setup or system-config-firewall-tui
- GUI : system-config-firewall
It is not an how to about making elaborates rules with iptables, we only use iptables on a basic way.
Let's go.
my CLI way
Hot change in iptables rules contents
This method allow you to change behaviour of your iptables firewall when is running.
I invite you to read the man pages about iptables for further explanation and more sophisticated rules. You must have superuser rights to launch these commands, please use sudo or su as your convenience. Example of iptables rules which allow any connections established or related, icmp requests, all local traffic and finally ssh communication :
[root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
First thing to know, the rules apply in order of appearance and exit if there is a match. So, if we have a rule that reject ssh connections then after another rules allowing ssh then once the reject rule is reached, the packets exit and apply the reject rule but never reached the accept rule. So with that in mind, we can edit iptables's rules.
Append a rule
This is add a rule at the end of the specified chain of iptables :
[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:http Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Notice the last line in chain INPUT. There are now 5 rules in that chain. Let's delete the last one for recreate on the top of the same chain.
[root@server ~]# iptables -D INPUT 5 [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Now, recreate it on the top :
[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Notice the number append after the name of the chain. As we say that we insert the rule at the top, we must insert it before the first. So, you want to insert this rules before the third rule you as to change this number to 3. Simple isn't it!
For the next, we replace a rules already existing. The rules about the http server is pretty wide for acceptance. Restrict a little more this rule by only allow a specific network 192.168.0.0/24 :
[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
So, summarize, we now know how to :
- append
iptables -A <chain>
- insert
iptables -I <chain> <rule_position>
- replace
iptables -R <chain> <rule_position>
- delete
iptables -D <chain> <rule_position>