IPTables 3
- Adding a new chain :
You can use this flag (-N)
Example :
iptables -N LAN
Practical example :
To manage your intranet easily, create a new chain and keep the intranet rules in that chain instead of mixing them into INPUT.
1- Create the new chain
iptables -N LAN
2- Send all traffic from the network (192.168.0.0/24) into the LAN chain (the jump flag is lowercase -j; -J is not a valid option).
iptables -I INPUT 1 -s 192.168.0.0/24 -j LAN
Then you can manage your intranet rules easily in the LAN chain, such as :
iptables -A LAN -p tcp --dport 22 -j ACCEPT
A packet that reaches the end of the LAN chain without hitting ACCEPT, DROP or REJECT returns to INPUT and continues with the rule after the jump, so end the LAN chain with an explicit DROP (or RETURN) if that is what you mean.
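The whole procedure above as one script, added here as an example and not part of the original notes. It creates the LAN chain, fills it, hooks it into INPUT and only then closes the default policy, in an order that cannot lock you out of an SSH session on a remote host. The names LAN_NET, DRY_RUN, ipt and build_rules are our own; with the default DRY_RUN=1 the script prints the iptables commands it would run, so it can be reviewed without root, and DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example (not from the original notes): build an INPUT policy that
# hands every packet from the intranet to a user-defined LAN chain, applying
# the rules in an order that cannot cut off the session running this script.
# LAN_NET, DRY_RUN, ipt() and build_rules() are our own names; the iptables
# options used are real ones.

LAN_NET="${LAN_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Wrapper so the same script can be reviewed before it is run for real.
# -w makes iptables wait for the xtables lock instead of failing when another
# iptables process is running at the same time.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables -w %s\n' "$*"
    else
        iptables -w "$@"
    fi
}

build_rules() {
    # Open the door before rebuilding: with the policy at ACCEPT a flush
    # cannot cut off the SSH session we are running this from.
    ipt -P INPUT ACCEPT
    ipt -F INPUT

    # User-defined chain. -N fails if LAN already exists, so ignore that and
    # flush it, which makes the script safe to re-run.
    ipt -N LAN 2>/dev/null || true
    ipt -F LAN
    # What intranet hosts may do: SSH in, and nothing else. Whatever falls
    # through is logged (rate-limited, LOG does not stop the packet) and dropped.
    ipt -A LAN -p tcp --dport 22 -j ACCEPT
    ipt -A LAN -m limit --limit 1/second -j LOG --log-prefix "LAN-DROP: "
    ipt -A LAN -j DROP

    # INPUT: loopback and replies to our own connections first, then the jump
    # to LAN, so the LAN rules only ever see new connections. After a flush,
    # appending in this order is the same as the "-I INPUT 1" in the notes.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -s "$LAN_NET" -j LAN

    # Only now, with the accept rules in place, close the default policy.
    ipt -P INPUT DROP
}

build_rules
```

Run it once as written and read the output; when the command list looks right, run `DRY_RUN=0 sh` on the same file as root. Swapping the last two steps (policy DROP before the RELATED,ESTABLISHED rule) is the classic way to lose a remote session.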
- Change Default Policy :
You can change the default policy of a built-in chain from ACCEPT to DROP (or back). A policy can only be ACCEPT or DROP; LOG and REJECT are rule targets, not policies, so a chain cannot default to logging.
For example, to make the INPUT chain DROP every packet that no rule accepted, instead of ACCEPT :
Example :
iptables -P INPUT DROP
Set the DROP policy only after the ACCEPT rules (SSH, RELATED,ESTABLISHED, loopback) are in place; on a remote machine, doing it the other way round cuts off your own session.
- Matching multiple ports :
Used to match more than one port (up to 15 ports or port ranges) in one rule, instead of writing one rule per port.
You can use this match (-m multiport) with --dports / --sports. Note the plural: the singular --dport belongs to the tcp/udp match and accepts only one port.
Example :
Deny hosts to connect to SSH and Telnet
iptables -A INPUT -p tcp -m multiport --dports 22,23 -j DROP
- List rules :
Use this command to list the rules of all chains (in the filter table; add -t nat for another table)
Example :
iptables -L
Add -n to print addresses and ports numerically instead of resolving names (faster, and 22 instead of ssh), and -v to also show interfaces and packet/byte counters; without -v, a rule that is limited to an interface such as lo looks like a plain "ACCEPT all -- anywhere anywhere" in the listing below.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- List rules by line number :
Use this command to list the rules with their rule (line) numbers, which -D, -R and -I need
Example :
sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 ACCEPT icmp -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere
4 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
5 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
- Deleting :
For deleting a rule by its rule number (line number)
You can use this flag (-D)
Example :
iptables -D INPUT 4
This will delete rule number 4 from the INPUT chain. The rules below it move up one number, so list again (iptables -L --line-numbers) before deleting the next one. A rule can also be deleted by giving its exact specification instead of a number, e.g. iptables -D LAN -p tcp --dport 22 -j ACCEPT for the LAN rule added earlier.
- Replace :
For replacing one rule with another one by line number
You can use this flag (-R)
Example :
iptables -R INPUT 3 -s 192.168.0.5 -j ACCEPT
This will replace rule number 3 in the INPUT chain with ( ACCEPT everything from 192.168.0.5 ). The other rules keep their numbers.
- Inserting :
For inserting a rule into a chain at a given line number
You can use this flag (-I)
Example :
iptables -I INPUT 4 -p tcp --dport 22 -j ACCEPT
This will insert (ACCEPT SSH) as rule number 4; the old rule 4 and everything below it move down one number. Without a number, -I inserts at position 1 (the top of the chain).
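Because -D, -R and -I all work on rule numbers that change after every deletion or insertion, a number read from an earlier listing can point at the wrong rule. The following added example (not from the original notes) looks the number up from a fresh --line-numbers listing right before acting on it. The listing shown earlier is embedded as constructed sample input so the script runs without root; rule_num, del_by_pattern, listing, sample_listing and DRY_RUN are our own names.

```shell
#!/bin/sh
# Added example (not from the original notes): find a rule's current number in
# "iptables -L --line-numbers" output and delete it by that number, refusing to
# act when the description is ambiguous. rule_num(), del_by_pattern(),
# listing() and sample_listing() are our own names.

DRY_RUN="${DRY_RUN:-1}"   # 1 = use the sample listing and print commands, 0 = real iptables

# Constructed sample: the INPUT/FORWARD/OUTPUT listing from the notes above.
# On a real host this is what "iptables -L -n --line-numbers" prints
# (-n gives "22" instead of "ssh" and numeric addresses instead of "anywhere").
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
EOF
}

listing() {
    if [ "$DRY_RUN" = 1 ]; then sample_listing; else iptables -w -L -n --line-numbers; fi
}

# rule_num CHAIN REGEX: read a --line-numbers listing on stdin and print the
# number of every rule in CHAIN whose line matches REGEX (one per line).
rule_num() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { cur = $2; next }                       # remember which chain we are in
        cur == chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }
    '
}

# del_by_pattern CHAIN REGEX: re-list, require exactly one match, delete it by
# its *current* number. Same lookup works for -R and -I.
del_by_pattern() {
    nums=$(listing | rule_num "$1" "$2")
    case $(printf '%s\n' "$nums" | grep -c .) in
        0) echo "no rule in $1 matches $2" >&2; return 1 ;;
        1) ;;
        *) echo "ambiguous: more than one rule in $1 matches $2" >&2; return 1 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables -w -D %s %s\n' "$1" "$nums"
    else
        iptables -w -D "$1" "$nums"
    fi
}

# Demo on the sample: which INPUT rule accepts SSH, and what deleting it runs.
sample_listing | rule_num INPUT 'dpt:ssh'
del_by_pattern INPUT 'dpt:ssh'
```

On a live firewall the same one-liner is `iptables -L -n --line-numbers | rule_num INPUT 'dpt:22'`; the ambiguity check matters because a loose pattern such as ACCEPT matches four INPUT rules in this listing and would otherwise delete whichever number came first.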
- Negation :
You can use this flag (!) in front of a match to invert it
Example :
Deny all traffic except from 192.168.0.10
iptables -A INPUT ! -s 192.168.0.10 -j DROP
Current iptables wants the ! before the option; the older form (-s ! 192.168.0.10) is deprecated and only accepted with a warning.
- Logging :
For logging traffic to the kernel log (dmesg, journalctl -k, /var/log/kern.log or /var/log/messages)
You can use this target (-j LOG)
Example :
Log all traffic from 192.168.0.10
iptables -A INPUT -s 192.168.0.10 -j LOG
LOG is a non-terminating target: after the line is written the packet continues to the next rule, so "log and drop" is a LOG rule followed by a DROP rule. Add --log-prefix "some text: " so you can tell your rules apart in the log, and put -m limit (e.g. -m limit --limit 5/minute) in front of LOG so a flood cannot fill the disk.
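What the LOG target writes, and how to read it back, as an added example that is not part of the original notes. Each LOG line carries key=value fields (IN=, SRC=, DST=, PROTO=, SPT=, DPT=, and for ICMP TYPE=/CODE= instead of ports); the function below picks out the lines with a given --log-prefix and counts hits per source, protocol and destination port. The log lines are constructed samples in the kernel's real format; log_summary and sample_log are our own names.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise iptables LOG output.
# Reads syslog/kern.log lines on stdin, keeps those carrying the given
# --log-prefix, and prints "count SRC PROTO/DPT" sorted by count.
# log_summary() and sample_log() are our own names.

# Constructed sample of what "journalctl -k" or /var/log/kern.log shows after
# a rule like: -A LAN -j LOG --log-prefix "LAN-DROP: ". The last two lines are
# noise the summary must ignore (a different prefix, and a non-netfilter line).
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 fw kernel: [ 1201.113456] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: [ 1202.114567] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:04 fw kernel: [ 1204.115678] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:05 fw kernel: [ 1205.116789] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.20 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=2001 DF PROTO=TCP SPT=50001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:06 fw kernel: [ 1206.117890] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.168.0.20 DST=192.168.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=2002 DF PROTO=TCP SPT=50002 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:07 fw kernel: [ 1207.118901] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:44:55:66:08:00 SRC=192.168.0.30 DST=192.168.0.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3001 DF PROTO=UDP SPT=161 DPT=161 LEN=58
Mar  3 10:15:08 fw kernel: [ 1208.119012] LAN-DROP: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:77:88:99:08:00 SRC=192.168.0.40 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:15:09 fw kernel: [ 1209.120123] WAN-LOG: IN=eth1 OUT= MAC=52:54:00:aa:bb:cd:00:50:56:01:02:03:08:00 SRC=10.0.0.5 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=5001 DF PROTO=TCP SPT=3333 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:10 fw kernel: [ 1210.121234] eth0: link up, 1000Mbps, full-duplex
EOF
}

# log_summary PREFIX: count LOG lines per "SRC PROTO/DPT" for one --log-prefix.
# Protocols without ports (ICMP) get "-" instead of a port number.
log_summary() {
    awk -v pfx="$1" '
        index($0, pfx) == 0 { next }             # not our prefix: skip
        {
            src = dpt = proto = ""
            for (i = 1; i <= NF; i++) {          # fields are key=value tokens
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "") count[src " " proto "/" (dpt == "" ? "-" : dpt)]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo: top talkers that hit the LAN chain's log-and-drop rules.
sample_log | log_summary 'LAN-DROP:'
```

On a real host the same call is `journalctl -k --no-pager | log_summary 'LAN-DROP:'`; the prefix filter is why every LOG rule should carry its own --log-prefix, otherwise lines from different rules are indistinguishable.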
- Dealing with wildcards :
Such as eth , ppp ... etc
You can use the interface flag (-i for the incoming interface in INPUT/FORWARD, -o for the outgoing interface in OUTPUT/FORWARD) and replace the number after the interface name with + , such as (eth+), to mean any interface whose name starts with eth (eth0, eth1, ... etc).
Example :
Deny SSH from any eth interface
iptables -A INPUT -i eth+ -p tcp --dport 22 -j DROP
Hint : Manage your chains and rules carefully, because iptables processes the rules of a chain on every packet from top to bottom, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate. Put the rules that match most traffic (such as RELATED,ESTABLISHED) near the top; every packet that has to travel further down the chain costs more processing and this can slow your connection.