iptables.org

vocabulary

chain

An ordered list of firewall rules. A packet is checked against each rule in turn; the first rule whose match criteria fit decides what happens (its target). If no rule matches, a built-in chain applies its policy and a user-defined chain hands the packet back to the chain that jumped to it. The same chains exist separately for IPv4 (iptables) and IPv6 (ip6tables).

target

One specifier that tells the kernel what to do with a matching packet.

firewall rule

Lists match criteria for a packet (protocol, port, interface, connection state, ...) and a target. If the packet matches the criteria, the target says what to do: jump to a user-defined chain, invoke one of the targets described in iptables-extensions (REJECT, LOG, ...), or one of the built-in ACCEPT, DROP or RETURN.

ACCEPT

let the packet through

DROP

Discard the packet silently. The sender gets no response and will typically wait for a timeout.

RETURN

Stop traversing this chain and continue in the calling chain at the rule after the one that jumped here. A user-defined chain does this implicitly when it runs out of rules; if a built-in chain hits RETURN or runs out of rules, its policy decides.

filter table

There are several tables (nat, mangle, raw, ...), but filter is the default when no -t option is given. It contains INPUT for packets destined to local sockets, FORWARD for packets routed through the box, and OUTPUT for locally generated packets.

Creating a simple firewall

Creating the two user-defined chains

All iptables commands below must be run as root: become root once with su (or prefix each command with sudo).


su
iptables -N TCP
iptables -N UDP

Drop all incoming packets by default, allow all outgoing traffic


iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

With the INPUT policy set to DROP, anything that is not explicitly accepted by a rule below is silently discarded. The FORWARD chain is not touched here and keeps its default ACCEPT policy; on a box that does not route between interfaces it should be set to DROP as well.

Whitelist some incoming connections

Note that the command list below is missing two rules that a working stateful firewall needs before the protocol-specific ones: one accepting packets in conntrack state RELATED,ESTABLISHED, and one accepting everything on the loopback interface (-i lo). Without the first, the reply packets of every connection, including the TCP handshake and data of the web server traffic accepted further down, fall through to the REJECT rules at the end of INPUT, because only the initial SYN is accepted there; without the second, local services cannot talk to each other over 127.0.0.1.
Drop INVALID traffic (packets conntrack cannot associate with any connection, e.g. bad TCP flag combinations or out-of-window ACKs)


iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Accept ping requests (ICMP type 8 is echo-request)


iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

Hand new connections to the per-protocol chains

New UDP datagrams jump to the UDP chain, and TCP packets that open a connection (the SYN flag set, conntrack state NEW) jump to the TCP chain. Only the ports accepted inside those chains get through; for any other port the user-defined chain runs out of rules, control returns to INPUT, and the packet continues to the REJECT rules below.


iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP

iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP


su
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

su
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

Allow certain incoming connections

Accept new TCP connections on ports 80 and 443 for a web server. These rules go into the user-defined TCP chain, which only ever sees NEW SYN packets because of the dispatch rule in INPUT.


iptables -A TCP -p tcp --dport 80  -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
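The whole procedure above as one script, added here as an example and not part of the original notes. It emits the ruleset in iptables-save format so that iptables-restore loads it in a single atomic step (the rule-by-rule commands above leave the host half-configured if one command fails part-way), validates the port list before anything reaches the kernel, and parse-checks the ruleset with iptables-restore --test before committing it. Assumptions: IPv4 only, the box does not route (FORWARD policy DROP), and the loopback and RELATED,ESTABLISHED accept rules are included because the command list above omits them.

```sh
#!/bin/sh
# Added example, not part of the original notes: the stateful firewall from
# the notes emitted in iptables-save format for atomic loading.
# Assumptions: IPv4 only, no routing (FORWARD DROP), web server on 80/443.
set -eu

# Accept only a decimal port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset. Arguments: TCP ports to open to the world.
firewall_ruleset() {
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
# replies to connections this host opened, or inbound ones already accepted
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# local services talking to each other over 127.0.0.1
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot classify (bad TCP flags, out-of-window ACKs)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo request (ping)
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# hand new UDP datagrams and new TCP SYNs to the per-protocol chains
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# nothing accepted: answer like a host with no listener instead of timing out
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
EOF
    # the TCP chain only ever sees NEW SYN packets; open the requested ports
    for port in "$@"; do
        echo "-A TCP -p tcp --dport $port -j ACCEPT"
    done
    echo COMMIT
}

# Usage:  sh firewall.sh 80 443         print the ruleset
#         sh firewall.sh apply 80 443   parse-check it, then load it (as root)
main() {
    if [ "${1:-}" = apply ]; then
        shift
        firewall_ruleset "$@" | iptables-restore --test
        firewall_ruleset "$@" | iptables-restore
    else
        firewall_ruleset "$@"
    fi
}

main "$@"
```

Running it without arguments prints the ruleset for inspection; the apply form needs root. Because iptables-restore replaces the whole filter table in one transaction, re-running it after editing the port list never leaves the previous rules half-removed, which is what happens if a long sequence of individual iptables -A commands is interrupted.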

allow