linux :: iptables
three important things in iptables are
1) table
2) chain
3) rule
** rules are grouped into chains, which in turn are combined into tables
** tables have chains containing rules
table : there are three tables (by default) in iptables
1) nat - on creation of new connection, for NAT (see previous post)
2) mangle - for specialized packet alteration
3) filter - normal chains (kind of firewall stuff)
chain: collection of rules
1) OUTPUT - any packet going out of the system goes through OUTPUT chain
2) INPUT - any packet coming into the system goes through INPUT chain
3) FORWARD - any packet routed through the system goes through the FORWARD chain. that is, the destination ip is not this system's ip, nor was the packet generated on this pc, but this system is the gateway for the source system.
4) PREROUTING - seen by a packet as soon as it enters the system, before it reaches INPUT. not in the filter table
5) POSTROUTING - last chain a packet goes through before it leaves, after OUTPUT. not in the filter table.
rules: the action (target) applied to a matching packet
1) ACCEPT
2) DROP
3) QUEUE
4) RETURN
other important things about iptables are -t, -A (INPUT/ OUTPUT/ FORWARD), --state (NEW/ ESTABLISHED/ RELATED/ INVALID), -p (tcp/udp/icmp/all), -m (state), -i, -o
let's see how to use all this.
iptables -t TABLE_NAME=( nat/ mangle/ filter ) -A/-D CHAIN_NAME=( INPUT/ OUTPUT/ FORWARD ) -s SRC_IP -d DEST_IP -m MODULE=( state/ tos/ tcp ) --state STATE=( NEW/ ESTABLISHED/ RELATED/ INVALID ) -p PROTOCOL=( tcp/udp/icmp/all ) --sport SRC_PORT --dport DEST_PORT -i INPUT_INTERFACE -o OUTPUT_INTERFACE -j RULE=( ACCEPT/ DROP/ QUEUE/ RETURN )/ SNAT/ DNAT/ MASQUERADE/ CHAIN
better to see example commands and try out a few
# allow icmp (ping) in
iptables -A INPUT -p icmp -j ACCEPT
# allow replies to connections this host already tracks
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# forward tcp arriving on eth0 from a given source (ANY_IP is a placeholder)
iptables -A FORWARD -s ANY_IP -i eth0 -p tcp -m tcp -j ACCEPT
# --dport takes a single port; a list needs the multiport match and --dports (pop3 is the service name in /etc/services)
iptables -A FORWARD -i eth1 -p tcp -m multiport --dports ssh,http,smtp,pop3 -j ACCEPT
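putting the pieces above together, here is an added example (not from the original post) of a small default-deny, stateful rule set using the filter and nat tables, the INPUT/FORWARD/POSTROUTING chains and the state match; eth0 as the outside interface, eth1 as the LAN, 192.168.1.0/24 as the LAN subnet and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal default-deny, stateful
# rule set built from the tables, chains and states described above.
# Assumptions: eth0 is the outside (WAN) interface, eth1 the LAN, and
# 192.168.1.0/24 the LAN subnet. IPT defaults to a dry run that only prints
# the commands; run with IPT=iptables (as root) to load them for real.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

build_firewall() {
    # filter table: flush, then default to DROP so only what we allow below passes
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT

    # INPUT: loopback, replies to tracked connections, and drop what conntrack cannot classify
    # (-m state is what the post uses; -m conntrack --ctstate is the modern equivalent)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # INPUT: ping from anywhere, new ssh sessions only from the LAN side
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

    # FORWARD: LAN hosts may open web and smtp sessions out through WAN; only replies come back in
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443,25 -m state --state NEW -j ACCEPT

    # nat table: POSTROUTING is the last chain before the packet leaves, so masquerade there
    $IPT -t nat -F
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

build_firewall
```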