RHEL6–40–
IP TABLES IN LINUX -P2
What is IPTables and its significance
Other posts in the IPTABLES series:
IP TABLES IN LINUX -P1
IP TABLES IN LINUX -P2
IP TABLES IN LINUX -P3
IP TABLES IN LINUX -P4
IP TABLES IN LINUX -P5
IP TABLES IN LINUX -P6
IP TABLES IN LINUX -P7
Great, this is the second post in the IPTables series. We already covered the basics; now it is time for implementation.
Well, are you really serious about learning? Then make mistakes with me and get frustrated.
This post is deliberately hit and trial, the way a beginner learns IPTables by reading assorted posts on the internet.
We will draw the conclusions later. Better still, conclude for yourself whether you learned something or just wasted your time.
LAB SETUP
rhel6-server (192.168.135.142) = IPTables will be configured on this system
rhel6-client1 = this system will access rhel6-server
[root@rhel6-server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The same listing with the table named explicitly; filter is the default table, so the output is identical:
[root@rhel6-server ~]# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OPTION                  MEANING
-L                      list the rules of a chain (all chains of the table if none is given)
-t <table>              table to operate on; filter is the default
-P <chain> <target>     set the default policy of a built-in chain, i.e. what happens to a packet no rule matched
-A <chain>              append the rule to the end of the chain
-I <chain> [n]          insert the rule at position n (position 1 if n is omitted)
                        Ex. -I INPUT 5 (insert the rule into the INPUT chain as its 5th rule)
-D <chain> n            delete rule number n from the chain (the full rule specification can be given instead of n)
-j <target>             jump to the specified target (ACCEPT/REJECT/DROP/LOG)
-v                      verbose output: packet and byte counters and interfaces in the listing
--line-numbers          show rule numbers in a -L listing
Options are case-sensitive: -V prints the iptables version and -S prints the rules in iptables-save format, so neither is the verbose or the source option.

MATCH                   MEANING
-p, --protocol          protocol to match (tcp, udp, icmp or any name from /etc/protocols); all matches every protocol and is the default when no protocol is given
-s, --source            source address (/mask): an IP, a hostname or a network address
-d, --destination       destination address (/mask); accepts the same forms as --source
-i, --in-interface      interface the packet arrived on (INPUT, FORWARD and PREROUTING chains only)
-o, --out-interface     interface the packet leaves on (OUTPUT, FORWARD and POSTROUTING chains only)
--dport                 destination port; needs -p tcp or -p udp before it, and takes a single port, a service name from /etc/services, or a range start:end which matches start to end
Ohhh, getting bored with reading and reading? Now I am getting angry, let's see some action.
[root@rhel6-server ~]# iptables -P OUTPUT DROP
Eeeeeeee... the very first command and PuTTY stopped working. With the OUTPUT policy set to DROP the server can no longer send anything, and that includes the replies to my SSH session.
No problem, this can't stop me.
Ping response from the client to the server:
[root@rhel6-client1 ~]# ping 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 56(84) bytes of data.
^C
--- 192.168.135.142 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5928ms
Great, now I have turned this Linux box into a real BOX. Packets can still arrive (the INPUT policy is still ACCEPT), but not a single reply can leave, so from the outside it is as good as dead.
OMG, I can't even ping the loopback address: the OUTPUT chain applies to packets sent to lo as well.
[root@rhel6-server ~]# iptables -A INPUT -i lo -j ACCEPT
[root@rhel6-server ~]# iptables -A OUTPUT -o lo -j ACCEPT
-A = append the rule to the end of the chain
INPUT = the chain of the filter table that controls incoming packets (a chain is a set of rules)
OUTPUT = the chain of the filter table that controls outgoing packets
-i = incoming interface (here the loopback, lo); used in the INPUT chain
-o = outgoing interface (here the loopback, lo); used in the OUTPUT chain
-j = jump to the specified target, which is ACCEPT here
These rules match before the DROP policy gets a say: the policy only decides the fate of packets that no rule in the chain matched.
Now, after allowing ICMP as well, let's try the ping from the other server again:
[root@rhel6-client1 ~]# ping 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 56(84) bytes of data.
64 bytes from 192.168.135.142: icmp_seq=1 ttl=64 time=2.48 ms
64 bytes from 192.168.135.142: icmp_seq=2 ttl=64 time=0.571 ms
^C
--- 192.168.135.142 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1532ms
rtt min/avg/max/mdev = 0.571/1.526/2.482/0.956 ms
Great...
Let's see how our IPTables rules look now.
Let's allow SSH too, so that we can use PuTTY again.
What should I do to allow SSH?
Previously we allowed the protocol icmp; by the same logic we should be able to allow ssh.
[root@rhel6-server ~]# iptables -A INPUT -p ssh -j ACCEPT
iptables v1.4.7: unknown protocol `ssh' specified
Try `iptables -h' or 'iptables --help' for more information.
It seems we need to provide the port as well.
[root@rhel6-server ~]# iptables -A INPUT -p ssh --dport 22 -j ACCEPT
iptables v1.4.7: unknown protocol `ssh' specified
Try `iptables -h' or 'iptables --help' for more information.
Failed again. But why? The complaint is about -p, not about the port: -p only accepts a protocol (tcp, udp, icmp, or any name listed in /etc/protocols), and ssh is not a protocol, it is a service that runs over TCP. Let's try another way.
This time the command was accepted, because iptables takes tcp as the protocol and resolves ssh to its port number through /etc/services. Let's check.
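What iptables actually resolves, as an added example that is not part of the original post: -p is looked up in /etc/protocols and --dport in /etc/services, which is why -p ssh is rejected while -p tcp --dport ssh is taken as port 22. The script below performs the same two lookups in shell against small constructed excerpts of those files, so it runs without iptables and without root; proto_number, service_port and explain_rule are names I chose for this example.

```shell
#!/bin/sh
# Added example (not from the original post). iptables resolves -p through
# /etc/protocols and --dport/--sport through /etc/services; "ssh" exists only
# in the latter, which is the whole story behind the "unknown protocol" error.
# The lookups read the files directly, so no iptables or root is needed, and
# the two sample files are constructed excerpts so the script runs anywhere.

SAMPLE_PROTOCOLS=$(mktemp)
SAMPLE_SERVICES=$(mktemp)
trap 'rm -f "$SAMPLE_PROTOCOLS" "$SAMPLE_SERVICES"' EXIT
cat > "$SAMPLE_PROTOCOLS" <<'EOF'
# constructed excerpt in /etc/protocols format: name number aliases
ip      0       IP
icmp    1       ICMP
tcp     6       TCP
udp     17      UDP
EOF
cat > "$SAMPLE_SERVICES" <<'EOF'
# constructed excerpt in /etc/services format: name port/protocol aliases
ssh     22/tcp
ssh     22/udp
domain  53/tcp
domain  53/udp
http    80/tcp  www
EOF

# proto_number NAME [FILE]: print the protocol number for NAME (what -p accepts);
# exit 1 when NAME is not a protocol, which is the case iptables rejects.
proto_number() {
    awk -v n="$1" '
        $1 !~ /^#/ && $1 == n { print $2; found = 1; exit }
        END { exit !found }' "${2:-/etc/protocols}"
}

# service_port NAME PROTO [FILE]: print the port NAME uses over PROTO (what
# --dport accepts); exit 1 when there is no such service.
service_port() {
    awk -v n="$1" -v p="$2" '
        $1 !~ /^#/ && $1 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; found = 1; exit } }
        END { exit !found }' "${3:-/etc/services}"
}

# explain_rule NAME: show how the two options interpret the same word.
explain_rule() {
    name=$1
    if num=$(proto_number "$name" "$SAMPLE_PROTOCOLS"); then
        echo "-p $name              -> protocol $num, accepted"
    else
        echo "-p $name              -> iptables: unknown protocol '$name' specified"
    fi
    if port=$(service_port "$name" tcp "$SAMPLE_SERVICES"); then
        echo "-p tcp --dport $name  -> tcp port $port, accepted"
    else
        echo "-p tcp --dport $name  -> no such service, give the port number instead"
    fi
}

explain_rule ssh
explain_rule tcp
```

The same check against the real files on a RHEL 6 box is `getent protocols ssh` (prints nothing) versus `getent services ssh` (prints ssh 22/tcp), which is the quickest way to tell whether a word belongs after -p or after --dport.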
Now trying to connect with PuTTY... still no luck. ☹☹
Again, in frustration, I allowed all TCP.
Still no luck... ☹☹
As we have seen that iptables applies the rules line by line, there might be a deny rule before the accept, so let's put the ssh rule on the first line.
I inserted the rule as rule number 1 and restarted the iptables service. (Careful: on RHEL 6, service iptables restart reloads /etc/sysconfig/iptables, so any rule added at the command line and not stored with service iptables save is thrown away by the restart.)
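The post never gets PuTTY back, and the reason is not in the INPUT chain: the OUTPUT policy is still DROP, so unless OUTPUT carries a matching ACCEPT, the server's SYN-ACK to a new SSH client is discarded on its way out whatever INPUT allows, which is why allowing all TCP in INPUT changed nothing. The following added example (mine, not the post's own commands) generates a rule set that keeps DROP policies on every chain but lets accepted connections answer, in the iptables-save format that RHEL 6 stores in /etc/sysconfig/iptables, adds a guard that refuses a rule set with the post's exact mistake, and wraps the remote apply in a timed rollback so a mistake undoes itself. The admin network 192.168.135.0/24 (the lab subnet), the temporary file names, the 120 second grace period and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: a lab rule set in the
# iptables-save format RHEL 6 keeps in /etc/sysconfig/iptables, a guard
# against the post's lockout, and a timed rollback for applying over SSH.
# Assumptions: the admin network 192.168.135.0/24 (the post's lab subnet),
# the temp file names, and the 120 second grace period.

# gen_rules ADMIN_CIDR: print a filter table with DROP policies on all three
# chains. The ESTABLISHED,RELATED rules in both directions are what the post
# was missing: with OUTPUT DROP, the server's SYN-ACK to a new SSH client and
# every echo-reply are dropped on the way out, so INPUT rules alone can never
# bring PuTTY back.
gen_rules() {
    admin=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: even ping 127.0.0.1 dies under OUTPUT DROP without this
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# traffic belonging to connections already accepted, in both directions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH sessions from the admin network only (ssh resolves to 22 via /etc/services)
-A INPUT -p tcp -s $admin --dport 22 -m state --state NEW -j ACCEPT
# answer pings; the echo-reply leaves through the OUTPUT ESTABLISHED rule
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# let the box itself ping and resolve names
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
# log (rate limited) what is about to be dropped, so the next lockout is diagnosable
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# lockout_check FILE: refuse a rule set that repeats the post's mistake, a DROP
# policy on INPUT or OUTPUT with no ESTABLISHED rule in that same chain.
# Returns 0 when the file passes, 1 otherwise.
lockout_check() {
    f=$1
    for chain in INPUT OUTPUT; do
        if grep -q "^:$chain DROP" "$f" &&
           ! grep -q "^-A $chain .*--state [A-Z,]*ESTABLISHED" "$f"; then
            echo "unsafe: $chain policy is DROP but $chain has no ESTABLISHED rule" >&2
            return 1
        fi
    done
    return 0
}

# apply_with_rollback FILE [SECONDS]: save the running rules, load FILE, and
# restore the saved rules after SECONDS unless the backup file has been removed
# in the meantime (removing it is how the admin confirms the new session works).
# Needs root; this is the dead-man switch for remote firewall changes.
apply_with_rollback() {
    rules=$1
    grace=${2:-120}
    lockout_check "$rules" || return 1
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$grace"; [ -e "$backup" ] && iptables-restore < "$backup" ) &
    iptables-restore < "$rules" || return 1
    echo "loaded $rules; run 'rm $backup' within ${grace}s to keep it, otherwise the old rules come back"
}

RULES_FILE=$(mktemp /tmp/lab-rules.XXXXXX)
gen_rules 192.168.135.0/24 > "$RULES_FILE"
if lockout_check "$RULES_FILE"; then
    echo "wrote $RULES_FILE (passes the lockout check)"
fi
# as root, on the server: sh this-script.sh apply
if [ "${1:-}" = apply ]; then
    apply_with_rollback "$RULES_FILE" 120
fi
```

Once a fresh PuTTY session works, remove the backup file inside the grace period to keep the rules, then run service iptables save so they land in /etc/sysconfig/iptables and a restart no longer wipes them. lockout_check is deliberately narrow: it only catches a DROP chain without a state match, the one mistake this post made, and is meant to be extended.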
It's frustrating now. I think I have completely messed up the rules.
Let's delete the rules one by one.
Before that, I want to allow everything again (set the chain policies back to ACCEPT).
Let's list the rules with their line numbers (iptables -L --line-numbers).
Now let's delete the rules.
Why is there an error while deleting rules 4 and 5?
Every time we delete a rule, all the rules beneath it move up one position, so the numbers in the listing change after each deletion.
We can see this in the last commands, where I deleted rule 1 twice.
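Why rules 4 and 5 failed, as an added example that is not from the original post: the chain below is a constructed iptables -L INPUT --line-numbers listing held in a shell variable, and the functions replay the kernel's renumbering without touching iptables, so the script runs unprivileged. The rule contents are invented to resemble the post's chain, and simulate_delete, delete_numbers and rule_count are names I chose.

```shell
#!/bin/sh
# Added example, not from the original post: replays what happens to rule
# numbers when rules are deleted one by one, without touching iptables.
# CHAIN is a constructed listing in the format of
# "iptables -L INPUT --line-numbers"; its rules are invented to resemble the
# post's chain and carry no real configuration.
CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    ACCEPT     tcp  --  anywhere             anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh'

# rule_count LISTING: how many rules the listing holds
rule_count() {
    printf '%s\n' "$1" | grep -c '^[0-9]'
}

# simulate_delete LISTING N: drop rule N and renumber, exactly as the kernel
# does (every rule below N moves up by one). Fails with the message iptables
# prints when N is past the end of the chain.
simulate_delete() {
    listing=$1
    n=$2
    if [ "$n" -lt 1 ] || [ "$n" -gt "$(rule_count "$listing")" ]; then
        echo "iptables: Index of deletion too big." >&2
        return 1
    fi
    printf '%s\n' "$listing" | awk -v n="$n" '
        /^[0-9]/ {
            if ($1 + 0 == n + 0) next
            if ($1 + 0 > n + 0) sub(/^[0-9]+/, $1 - 1)
        }
        { print }'
}

# delete_numbers LISTING N...: delete several rules by number in one go.
# Ascending order (4 then 5) breaks because old rule 5 has become rule 4 by
# the time we ask for 5; descending order never touches a number still to
# be deleted, so it is the only safe order for a batch of numbered deletes.
delete_numbers() {
    listing=$1
    shift
    for n in $(printf '%s\n' "$@" | sort -rn -u); do
        listing=$(simulate_delete "$listing" "$n") || return 1
    done
    printf '%s\n' "$listing"
}

echo "== the post's order: delete 4, then 5 =="
after4=$(simulate_delete "$CHAIN" 4)
simulate_delete "$after4" 5 >/dev/null || echo "   (rule 5 no longer exists: it became rule 4)"
echo "== descending order: 5, then 4 =="
delete_numbers "$CHAIN" 4 5
echo "== deleting rule 1 twice removes the first two rules =="
simulate_delete "$(simulate_delete "$CHAIN" 1)" 1
```

With the real tool the same rule holds: delete the highest number first (iptables -D INPUT 5 before iptables -D INPUT 4), or avoid numbers altogether and delete by specification (iptables -D INPUT -p tcp --dport 22 -j ACCEPT), copying the specification from the output of iptables -S INPUT.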
Great... now everything is back as it was.
[root@rhel6-server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination