iptables
Good reference
Firewall configuration - iptables
Refer to this web site, which contains the following contents:
- Start iptables (register the iptables service)
- Terminology
  - tables: filter, nat, mangle, raw
  - chain: INPUT, OUTPUT, FORWARD
    - INPUT: packets coming from another host to this host.
    - OUTPUT: packets going from this host to another host.
    - FORWARD: packets that pass through this host on their way to another host.
  - match: a matching condition, for example the IP 5-tuple (source/destination address, protocol, source/destination port).
    - --source (-s): matches the source IP address
    - --destination (-d): matches the destination IP address
    - --protocol (-p): matches the protocol, such as tcp or udp
    - --in-interface (-i): input network interface
    - --out-interface (-o): output network interface
    - --state: matches the connection (conntrack) state
    - --table (-t): selects the table to operate on
    - --jump (-j): what to do with a matched packet (the target)
    - --match (-m): loads a match extension module
  - target: the action taken when a packet matches a rule
    - ACCEPT: let the packet through
    - DROP: discard the packet silently
    - REJECT: discard the packet and send an error response (e.g. connection refused) back to the sender
    - LOG: write the packet to /var/log/syslog
    - RETURN: stop traversing this chain and resume in the calling chain
  - command
    - -A (--append): add a new rule to the end of a chain
    - -D (--delete): delete an existing rule
    - -C (--check): check a rule (test whether it exists in the chain)
    - -I (--insert): insert a new rule at a given position
    - -L (--list): print the existing rules
    - -F (--flush): delete all rules of a chain
    - -N (--new): create a new chain
    - -X (--delete-chain): delete a (user-defined) chain
    - -P (--policy): set the default policy of a built-in chain
- connection tracking
- Print the rule set with its sequence numbers
$ iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 anywhere
3 ACCEPT all -- anywhere anywhere
4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc
$ iptables -L --line-numbers -v
Chain INPUT (policy ACCEPT 16M packets, 9085M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:domain
2 0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:domain
3 0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:bootps
4 0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT 1 packets, 336 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
3 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
4 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 7831K packets, 52G bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- any virbr0 anywhere anywhere udp dpt:bootpc
- iptables configuration (example)
  - Policy: accept all IP packets (so the flush that follows cannot lock you out)
    - iptables -P INPUT ACCEPT
  - Rules: delete all existing rules
    - iptables -F
  - Accept all packets on the loopback interface
    - iptables -A INPUT -i lo -j ACCEPT
  - Accept packets that match a condition (established/related connections, and SSH on TCP port 22)
    - iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    - iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  - Set the default policies: drop everything else that comes in or is forwarded, allow outgoing traffic
    - iptables -P INPUT DROP
    - iptables -P FORWARD DROP
    - iptables -P OUTPUT ACCEPT
  - Save the current iptables rules
    - service iptables save
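The same configuration as an added example (not code from the original post): a POSIX shell script that writes the rule set in iptables-restore format, so it can be checked with iptables-restore --test and applied atomically instead of one command at a time. The function names gen_rules, count_input_accepts and apply_rules, the port-list argument and the rate-limited LOG rule are assumptions made here; the rest mirrors the commands listed above.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the page's INPUT/FORWARD/OUTPUT
# configuration as an iptables-restore file. Applying the whole set in one commit
# avoids the window in which a half-applied rule set is live.

gen_rules() {
    # $1: space-separated TCP ports to accept on INPUT (default: 22, as on the page)
    ports="${1:-22}"
    printf '%s\n' '*filter'
    # Default policies, equivalent to the page's -P lines
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    # Assumed addition: log (rate-limited) what the DROP policy is about to discard,
    # so refused connections show up in syslog as described for the LOG target
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules on INPUT in the generated set (sanity check before applying)
count_input_accepts() {
    gen_rules "$1" | grep -c '^-A INPUT .*-j ACCEPT$'
}

# Validate with iptables-restore --test (parse only, no commit), then apply. Needs root.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$1" > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run gen_rules to review the file, then apply_rules "22 443" (for example) as root; the page's "service iptables save" step still persists the result across reboots.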