iptables - How to Use iptables in Linux




How to check iptables rule

# iptables -L
# iptables -L --line-numbers

# iptables -L <Chain> --line-numbers
# iptables -L INPUT --line-numbers


Configuration

Table

filter
nat
mangle

Chain        Tables

INPUT        filter, mangle
OUTPUT       filter, nat, mangle
FORWARD      filter
PREROUTING   nat, mangle
POSTROUTING  nat

Target

ACCEPT
DROP
REJECT
RETURN
MASQUERADE
PREROUTING
LOG
SNAT
DNAT


How to delete iptable configuration

Run the same command that added the rule, but replace "-A" with "-D".

# Add
iptables -A xxxxxxxxxx

# Delete
iptables -D xxxxxxxxxx

Check the rule number with the --line-numbers option, then delete by number

# Check numbers
iptables -L <xx chain xx> --line-numbers

# Delete the rule with that number
iptables -D <xx chain xx> 2

Example

# Check numbers
iptables -L INPUT --line-numbers

Chain INPUT (policy ACCEPT) 
    num  target prot opt source destination
    1    ACCEPT     udp  --  anywhere  anywhere             udp dpt:domain 
    2    ACCEPT     tcp  --  anywhere  anywhere             tcp dpt:domain 
    3    ACCEPT     udp  --  anywhere  anywhere             udp dpt:bootps 
    4    ACCEPT     tcp  --  anywhere  anywhere             tcp dpt:bootps

#Delete the Number
iptables -D INPUT 2
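Deleting by number has one trap: as soon as rule 2 is removed, rules 3 and 4 become 2 and 3, so a second delete aimed at the old number hits the wrong rule. The script below is an added example (not from the original page) that reads the listing, finds every rule matching a pattern and deletes them highest number first, so the remaining numbers stay valid. The sample listing is constructed to mirror the page's INPUT chain, but with -n, which prints port numbers (53, 67) instead of service names and skips reverse DNS lookups; the IPTABLES variable and the delete_rules.sh file name are assumptions.

```shell
#!/bin/sh
# Added example: find iptables rule numbers by pattern and delete them
# highest-first. IPTABLES may be overridden (e.g. to a wrapper for testing).
set -eu

# Constructed sample of `iptables -L INPUT --line-numbers -n`, mirroring the
# page's listing; -n shows 53/67 rather than domain/bootps.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67'

# Print, space separated and highest first, the numbers of the rules in
# LISTING whose text matches the awk regex PATTERN. Only lines that start
# with a rule number are considered, so the two header lines are ignored.
matching_rule_numbers() {
    listing=$1
    pattern=$2
    printf '%s\n' "$listing" \
        | awk -v pat="$pattern" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' \
        | sort -rn \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Delete every rule in CHAIN matching PATTERN. The live listing is read
# immediately before deleting so the numbers reflect the current table, and
# the chain is listed again afterwards so the result can be checked.
delete_matching_rules() {
    chain=$1
    pattern=$2
    ipt=${IPTABLES:-iptables}
    listing=$("$ipt" -L "$chain" --line-numbers -n)
    nums=$(matching_rule_numbers "$listing" "$pattern")
    [ -n "$nums" ] || { echo "no rule in $chain matches '$pattern'" >&2; return 1; }
    for num in $nums; do
        echo "deleting $chain rule $num"
        "$ipt" -D "$chain" "$num"
    done
    "$ipt" -L "$chain" --line-numbers -n
}

# Usage: sh delete_rules.sh INPUT 'dpt:67'   (deletes rules 4 then 3)
if [ $# -eq 2 ]; then
    delete_matching_rules "$1" "$2"
fi
```

Run against the sample, the pattern 'dpt:67' yields "4 3": rule 4 is deleted first, so rule 3 is still rule 3 when its turn comes. Deleting by the exact rule specification (-D with the original -A arguments) avoids the renumbering problem entirely and is the safer choice when the original command is known.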


How to configure iptables

# cp -p /etc/sysconfig/iptables  /etc/sysconfig/iptables.`date -d '1day ago' +%Y%m%d`

# vi /etc/iptables.sh
# /etc/iptables.sh

# /etc/init.d/iptables save
<- saves the running rules to /etc/sysconfig/iptables; the previous configuration is kept as /etc/sysconfig/iptables.save

# diff /etc/sysconfig/iptables  /etc/sysconfig/iptables.`date -d '1day ago' +%Y%m%d`


Examples

#!/bin/sh
# Example policy: default-deny on every chain, then allow only the listed
# services and hosts. The rules are stateless (no connection tracking), so
# each direction of a flow is opened explicitly.

# flush existing rules
iptables -F

# default policy: drop everything not explicitly accepted
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# loopback
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# ping: accept echo requests (type 8) in and echo replies (type 0) out
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# snmp: answer queries to udp/161
iptables -A OUTPUT -p udp --sport 161 -j ACCEPT
iptables -A INPUT  -p udp --dport 161 -j ACCEPT
# ntp client: queries to udp/123 out, replies from udp/123 in
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT  -p udp --sport 123 -j ACCEPT
# dns client: queries to udp/53 out, replies from udp/53 in
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -j ACCEPT

#----------------------------------------------------------------------
# hosts allowed unrestricted traffic in both directions
iptables -A OUTPUT -d 192.168.10.11  -j ACCEPT  #test-server-1
iptables -A INPUT -s 192.168.10.11  -j ACCEPT   #test-server-1

iptables -A OUTPUT -d 192.168.10.12  -j ACCEPT  #test-server-2
iptables -A INPUT -s 192.168.10.12  -j ACCEPT   #test-server-2
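The script above opens reply traffic by source port: any packet arriving with source port 53 or 123 is accepted, whether or not this host sent a query. The following is an added example (not the page's script) of the same policy written with connection tracking, so replies are accepted only for flows this host started. It also matches loopback by interface rather than address, admits SSH from a management network before the DROP policies are set (so applying it over SSH does not lock the session out), drops packets conntrack classifies as INVALID, and logs what the INPUT policy is about to drop so the effect of the ruleset is visible in the kernel log. The management subnet MGMT_NET, the DRY_RUN switch, the ipt wrapper and the firewall.sh file name are assumptions.

```shell
#!/bin/sh
# Added example: stateful variant of the page's example policy.
# DRY_RUN=1 prints the iptables commands instead of executing them.
set -eu

MGMT_NET=${MGMT_NET:-192.168.10.0/24}   # assumed management subnet for SSH

# Wrapper so the ruleset can be reviewed before it touches the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    ipt -F
    ipt -X

    # loopback by interface, which also covers 127.0.0.0/8 and ::1-style aliases
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # replies to flows this host started (or accepted) are allowed by state,
    # replacing the --sport 53 / --sport 123 INPUT rules of the stateless script
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # SSH from the management network only; added before the DROP policies
    ipt -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # ping: echo requests in; the echo reply out is ESTABLISHED for conntrack
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # snmp queries in; the response is ESTABLISHED
    ipt -A INPUT -p udp --dport 161 -j ACCEPT
    # ntp and dns clients out; responses come back as ESTABLISHED
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp --dport 53 -j ACCEPT

    # hosts allowed unrestricted traffic in both directions (page's test servers)
    for host in 192.168.10.11 192.168.10.12; do
        ipt -A OUTPUT -d "$host" -j ACCEPT
        ipt -A INPUT -s "$host" -j ACCEPT
    done

    # rate-limited log of what the INPUT policy will drop (kernel log, level warning)
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4

    # default-deny last, after the accept rules are in place
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

# Usage: DRY_RUN=1 sh firewall.sh apply   (review)   /   sh firewall.sh apply
if [ "${1:-}" = apply ]; then
    build_firewall
fi
```

Reviewing the DRY_RUN output before applying fits the page's own workflow: back up /etc/sysconfig/iptables, apply, run the service's save, then diff the saved file against the backup. Dropped packets show up in the kernel log with the "iptables-drop: " prefix, which is the first thing to check when a service stops answering after the ruleset is loaded.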