diff --git a/sec/ex-3_iptables.adoc b/sec/ex-3_iptables.adoc index 278f692..a59269d 100644 --- a/sec/ex-3_iptables.adoc +++ b/sec/ex-3_iptables.adoc @@ -309,10 +309,72 @@ However, be aware that the packet will continue to traverse all other chains in +== Use iptables +=== Showing the current rules +[source,bash] +---- +# iptables -nvL + +Chain INPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + +Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination + +Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) + pkts bytes target prot opt in out source destination +---- + +If the output looks like the above, then there are no rules (i.e. nothing is blocked) in the default filter table + + +=== Resetting rules + +You can flush and reset iptables to default using these commands: + +[source,bash] +---- +# iptables -F +# iptables -X +# iptables -t nat -F +# iptables -t nat -X +# iptables -t mangle -F +# iptables -t mangle -X +# iptables -t raw -F +# iptables -t raw -X +# iptables -t security -F +# iptables -t security -X +# iptables -P INPUT ACCEPT +# iptables -P FORWARD ACCEPT +# iptables -P OUTPUT ACCEPT +---- + +The -F command with no arguments flushes all the chains in its current table. Similarly, -X deletes all empty non-default chains in a table. + +Individual chains may be flushed or deleted by following -F and -X with a [chain] argument. + +=== Editing rules + +Rules can be edited by + +- appending -A a rule to a chain, + +- inserting -I it at a specific position on the chain, +- replacing -R an existing rule, +- or deleting -D it. + +The first three commands are exemplified in the following. + +First of all, our computer is not a router (unless, of course, it is a router). We want to change the default policy on the FORWARD chain from ACCEPT to DROP. + +[source,bash] +---- +# iptables -P FORWARD DROP +---- 
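Review bot: In the "Resetting rules" block the policies are reset to ACCEPT only after every table has been flushed; on a host whose INPUT policy is DROP, `iptables -F` removes the rules that admit the administrator's own session before `iptables -P INPUT ACCEPT` runs, so move the three `-P ... ACCEPT` lines ahead of the `-F`/`-X` lines. The "Editing rules" section says "The first three commands are exemplified in the following", but the only example that follows is `iptables -P FORWARD DROP`, a policy change rather than -A, -I or -R; either add the promised examples or reword the sentence. The bullet "appending -A a rule to a chain" reads oddly with the flag in the middle and is followed by a stray blank line that the other items do not have; "appending a rule to a chain (-A)" and consistent spacing would match the remaining bullets. Minor: the sentence ending "in the default filter table" lacks a full stop, and since `iptables -nvL` lists only the filter table it would help to note that `-t nat`, `-t mangle`, `-t raw` and `-t security` (the tables the reset block already names) must be listed separately before concluding that nothing is blocked.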
@@ -323,7 +385,7 @@ However, be aware that the packet will continue to traverse all other chains in [appendix] -== How to use tcpdump +== How to use iptables This exercise will show you how to isolate traffic in various ways—from IP, to port, to protocol, to application-layer traffic—to make sure you find exactly what you need as quickly as possible.
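Review bot: The appendix heading is renamed from "How to use tcpdump" to "How to use iptables", but the unchanged paragraph beneath it still describes isolating captured traffic by IP, port, protocol and application layer "to make sure you find exactly what you need", which is the tcpdump exercise, not iptables; either keep the tcpdump title or rewrite the introduction to match. The rename also leaves this appendix with almost the same title as the new "== Use iptables" section added earlier in this patch, which will confuse cross-references and the table of contents.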