# Intro
This is a basic guide to the Linux firewall program, iptables.

List your current firewall rules:
> iptables -L

This lists the rules of the INPUT, OUTPUT and FORWARD chains.
# Forward
I don't need any forwarding, so I'm going to drop all forwarding:
> iptables -P FORWARD DROP
# Input
Let's 'A'dd, or 'A'ppend, a rule with -A. Let's drop all input from a nearby IP:
> iptables -A INPUT -s 192.168.0.23 -j DROP

Or we can block all traffic from the whole local network to a particular port (here TCP port 25):
> iptables -A INPUT -s 192.168.0.0/24 -p tcp --destination-port 25 -j DROP

> iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This allows HTTP traffic to an Apache web server over port 80 (the --dport match only works together with a protocol match such as -p tcp).

However, rules are evaluated in order and the first match decides, so a packet dropped by an earlier rule cannot be accepted by a later one.

To delete rule 2 from the INPUT chain:
> iptables -D INPUT 2

Alternatively, you can 'I'nsert a rule at the start of the chain with -I, rather than 'A'ppending it to the end:
> iptables -I INPUT -s 192.168.0.13 -j DROP
# Catchalls
Catchall rules state that anything which is not permitted is forbidden. They must come last, so that the rules which permit something are matched first.
# -Jurice-Diction
The -j flag accepts ACCEPT/REJECT/DROP. The last two both discard the packet; the difference is that "REJECT" sends an error back to the sender, while "DROP" discards it silently.

Flush all existing rules with:
> iptables -F
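
The sections above are steps of one procedure; as an added example that is not from the original page, here they are assembled into one script that keeps the specific rules ahead of the catchall and resets the chain policies that -F leaves untouched. It assumes the page's 192.168.0.0/24 network and the hosts used there, and adds a loopback rule and a conntrack rule that the page does not mention.

```shell
#!/bin/sh
# Added example, not from the original page: the page's rules assembled as one
# script in an order that respects first-match evaluation (catchall last).
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables as root to apply them for real.
IPT="${IPT:-echo iptables}"
LAN="192.168.0.0/24"     # assumed local network, the one used on the page
BAD_HOST="192.168.0.23"  # the host the page drops outright

apply_rules() {
    # Start from a clean slate. Note that -F only empties the chains:
    # chain policies survive a flush, so reset them explicitly too.
    $IPT -F
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP                    # no forwarding needed

    # Specific permits and denies first, so they match before the catchall.
    $IPT -A INPUT -i lo -j ACCEPT           # assumption: keep loopback working
    # Replies to connections this host opened (goes beyond the page; without
    # it the catchall below would also drop the answers to our own traffic).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s "$BAD_HOST" -j DROP
    $IPT -A INPUT -s "$LAN" -p tcp --dport 25 -j DROP   # no SMTP from the LAN
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT           # --dport needs -p tcp

    # Catchall last: anything not permitted above is forbidden.
    $IPT -A INPUT -j DROP
}

# Rule numbers for -D (delete by position) come from a numbered listing.
list_numbered() {
    $IPT -L INPUT -n --line-numbers
}

# Usage: apply_rules; list_numbered
```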