
iptables

master
test2 5 years ago
parent
commit
ee5160574d
  1. 64
      sec/ex-3_iptables.adoc


@ -309,10 +309,72 @@ However, be aware that the packet will continue to traverse all other chains in
== Use iptables
=== Showing the current rules
[source,bash]
----
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
----
If the output looks like the above, then there are no rules (i.e. nothing is blocked) in the default filter table
=== Resetting rules
You can flush and reset iptables to default using these commands:
[source,bash]
----
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -t raw -F
# iptables -t raw -X
# iptables -t security -F
# iptables -t security -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
----
The -F command with no arguments flushes all the chains in its current table. Similarly, -X deletes all empty non-default chains in a table.
Individual chains may be flushed or deleted by following -F and -X with a [chain] argument.
=== Editing rules
Rules can be edited by
- appending -A a rule to a chain,
- inserting -I it at a specific position on the chain,
- replacing -R an existing rule,
- or deleting -D it.
The first three commands are exemplified in the following.
First of all, our computer is not a router (unless, of course, it is a router). We want to change the default policy on the FORWARD chain from ACCEPT to DROP.
[source,bash]
----
# iptables -P FORWARD DROP
----
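Review bot: the reset sequence in "Resetting rules" flushes every table with `-F`/`-X` before the three `-P ... ACCEPT` lines, so on a host whose INPUT policy is currently DROP the administrator's remote session is cut off the moment `iptables -F` removes the rule that allowed it, before `iptables -P INPUT ACCEPT` ever runs. Moving the three policy lines to the top of the listing makes the reset safe in either policy state. Two smaller points in the same hunk: the sentence ending "in the default filter table" is missing its full stop, and it would help to say explicitly that `iptables -nvL` without `-t` lists only the filter table, so an empty listing there says nothing about nat, mangle, raw or security rules. In "Editing rules", the sentence "The first three commands are exemplified in the following" is immediately followed by an `iptables -P FORWARD DROP` example, which is a policy change rather than `-A`, `-I` or `-R`; introducing it as a preliminary step (or wording the flags as "appending (`-A`) a rule") would avoid the mismatch.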
@ -323,7 +385,7 @@ However, be aware that the packet will continue to traverse all other chains in
[appendix]
== How to use tcpdump
== How to use iptables
This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.
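Review bot: the appendix heading changes from "How to use tcpdump" to "How to use iptables", but the paragraph beneath it still describes isolating traffic by IP, port, protocol and application layer "to make sure you find exactly what you need", which is the capture-filter task of tcpdump, not the filtering and policy task of iptables covered in the hunk above. Either keep the tcpdump appendix alongside the new one or rewrite this introductory sentence to describe what the iptables appendix actually teaches.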
