iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators.
Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.
The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter.
Dependencies
iptables requires a kernel that features the ip_tables packet filter. This includes all 2.4.x and 2.6.x kernel releases.
Main Features
* listing the contents of the packet filter ruleset
* adding/removing/modifying rules in the packet filter ruleset
* listing/zeroing per-rule counters of the packet filter ruleset
Rules
* If you create a set of rules in iptables during one session and then reboot your computer, all the rules that were added will be lost.
* If you want the rules to persist, you should put the commands to add them into a startup script.
* To check what rules are already implemented:
o Type into a terminal window:
ComputerName:~# iptables -L
o A list of the present rules will appear on the screen under a variety of headings.
Rule Components
* There are three basic components to each rule:
1. Where to apply the rule during the process of sending and receiving network traffic (packets). There are three different places, or chains:
1. INPUT: Applies rules to packets being received from the network.
2. OUTPUT: Applies rules to packets being sent from your computer.
3. FORWARD: Applies rules to packets that your machine is forwarding to others on the network.
2. What type of effect the rule has, regardless of where it is applied. The 3 effects are:
1. ACCEPT: Accepts a given packet and allows it to pass either in or out.
2. DENY: Does not allow a packet to pass but sends an error message back to its sender.
3. DROP: Completely ignores a packet without sending an error message to its sender.
Each chain also has a default policy (usually ACCEPT) that is applied if a specific packet does not match any rules.
3. The location you want to block packets from or to, usually called the source, can be written as either an IP address or a DNS name (such as www.yahoo.com).
* Each of these three components is supplied as a command line argument to build a rule.
Adding a Rule
* To add a rule:
o Use the argument -A to tell iptables to add a rule to the chain Chain_Name.
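As an added example (not part of the original post), the shell script below assembles rules from the three components described above, refuses unknown chain or effect names, and prints the kind of startup script suggested earlier for making rules persist across reboots. The function names build_rule and startup_script are my own, the addresses are constructed, and REJECT is the iptables target name for the effect the post describes as DENY.

```shell
#!/bin/sh
# Added example, not from the original post: build iptables commands from the
# three rule components (chain, effect, source) and emit a startup script so
# the rules survive a reboot. Nothing here calls iptables; the printed script
# is what you would save and run as root at boot. REJECT is the iptables
# target that sends an error back to the sender (the effect the post calls DENY).

# build_rule CHAIN TARGET [SOURCE]
# Prints one iptables command. Unknown chains or targets are refused (return 1)
# so that a typo such as OUPUT is caught before anything reaches the kernel.
build_rule() {
    chain=$1; target=$2; src=$3
    case "$chain" in
        INPUT|OUTPUT|FORWARD) ;;
        *) echo "build_rule: unknown chain '$chain'" >&2; return 1 ;;
    esac
    case "$target" in
        ACCEPT|REJECT|DROP) ;;
        *) echo "build_rule: unknown target '$target'" >&2; return 1 ;;
    esac
    if [ -n "$src" ]; then
        # -s takes an IP address, a CIDR block or a DNS name
        printf 'iptables -A %s -s %s -j %s\n' "$chain" "$src" "$target"
    else
        printf 'iptables -A %s -j %s\n' "$chain" "$target"
    fi
}

# startup_script
# Prints a complete script that rebuilds a small ruleset from scratch. -F
# empties the chains first; -P sets the default policy a chain applies when no
# rule matches. The addresses below are constructed documentation ranges.
startup_script() {
    echo '#!/bin/sh'
    echo 'iptables -F'
    echo 'iptables -P FORWARD DROP'          # forward nothing by default
    build_rule INPUT  ACCEPT 127.0.0.1       # loopback
    build_rule INPUT  DROP   192.0.2.0/24    # silently ignore this range
    build_rule INPUT  REJECT 198.51.100.7    # refuse, but tell the sender
    build_rule OUTPUT DROP   203.0.113.9     # block traffic leaving for this host
}

# Print the generated startup script; redirect it to a file your init system
# runs at boot (placeholder path: /path/to/startup/firewall.sh).
startup_script
```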