Iptables command

From DD-WRT Wiki

Revision as of 17:14, 26 May 2005 (edited by Sveasoft)

This is an infant page. Clean it up and fill it with content!

I think we should have something about firewall builder on this page, since they're kind of related....

Basic Usage

iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands

--append  -A chain            Append to chain
--delete  -D chain            Delete matching rule from chain
--delete  -D chain rulenum
                              Delete rule rulenum (1 = first) from chain
--insert  -I chain [rulenum]
                              Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
                              Replace rule rulenum (1 = first) in chain
--list    -L [chain]          List the rules in a chain or all chains
--flush   -F [chain]          Delete all rules in  chain or all chains
--zero    -Z [chain]          Zero counters in chain or all chains
--new     -N chain            Create a new user-defined chain
--delete-chain
          -X [chain]          Delete a user-defined chain
--policy  -P chain target
                              Change policy on chain to target
--rename-chain
          -E old-chain new-chain
                              Change chain name, (moving any references)

Options

--proto       -p [!] proto    protocol: by number or name, eg. `tcp'
--source      -s [!] address[/mask]
                              source specification
--destination -d [!] address[/mask]
                              destination specification
--in-interface -i [!] input name[+]
                              network interface name ([+] for wildcard)
--jump        -j target
                              target for rule (may load target extension)
--match       -m match
                              extended match (may load extension)
--numeric     -n              numeric output of addresses and ports
--out-interface -o [!] output name[+]
                              network interface name ([+] for wildcard)
--table       -t table        table to manipulate (default: `filter')
--verbose     -v              verbose mode
--line-numbers                print line numbers when listing
--exact       -x              expand numbers (display exact values)
--fragment  -f                match second or further fragments only
--modprobe=<command>          try to insert modules using this command
--set-counters PKTS BYTES     set the counter during insert/append
--version   -V                print package version.

Examples

I think examples are the best way to demonstrate the use of iptables.

First I want to view the rules on my INPUT chain; this is the first chain that traffic coming in to my router will hit.

# iptables -L INPUT

Then I might want to add a rule so that I can ssh in to my router from a specific host/address outside. So I might type the following:

# iptables -A INPUT -p tcp -s 150.100.whatever.something --dport 22 -j logaccept

So I am saying: Append to the INPUT chain a rule allowing protocol tcp, with a source of <my external IP that I want access from>, for traffic destined for port 22 on my router, and Jump to logaccept. I could have used -j ACCEPT, which simply jumps to ACCEPT, but in this case I want to log it just to keep track, so I use logaccept, which is a chain we have set up for this purpose.

But why doesn't it work?

Now if I type

# iptables -L INPUT

I see my shiny new rule Appended to the end of the INPUT chain, which is no good because in my case I have a rule blocking this traffic which occurs BEFORE the rule allowing it, and iptables acts on the first rule that matches a packet.

How do I change it? Simple.

First let's delete the rule we just made.

# iptables -L INPUT --line-numbers

will list the rules with their rule numbers. Let's say our rule is number 11.

# iptables -D INPUT 11

Clearly this Deletes rule number 11 from the INPUT chain.

Now instead of Appending I am going to Insert my rule into the number 1 position.

# iptables -I INPUT -p tcp -s 150.100.whatever.something --dport 22 -j logaccept

So now rule number 1 is my new rule and the other rules have all shifted down a position.

If I wanted to change the IP address or any other aspect of my ssh rule I could use the -R (Replace) option and simply type in the new rule, i.e.

# iptables -R INPUT 1 -p tcp -s 100.100.200.100 --dport 22 -j ACCEPT

This would replace rule number 1 on the INPUT chain with the new rule, which has a new source IP address and jumps to ACCEPT instead of logaccept.
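As an added example (not from this wiki page or from the DD-WRT project), here is a small POSIX shell script that automates the list / delete / insert steps above so that re-running it does not leave a duplicate ssh rule behind. It assumes IPT names the iptables binary (or a test double), that the source address is a placeholder you supply, and that `iptables -L INPUT -n --line-numbers` prints the usual columns (num, target, prot, opt, source, destination, match text).

```shell
#!/bin/sh
# Put the ssh-allow rule at the front of INPUT without duplicating it.
# IPT may be overridden to point at a test double (assumption, not a DD-WRT setting).
IPT="${IPT:-iptables}"

# Read `iptables -L INPUT -n --line-numbers` output on stdin and print the
# number of the first rule that accepts (directly or via logaccept) tcp from
# the address in $1 to port 22. Prints nothing when no such rule exists.
# Column layout assumed: num target prot opt source destination match...
ssh_rule_num() {
  awk -v src="$1" '
    NR > 2 && ($2 == "ACCEPT" || $2 == "logaccept") &&
    ($3 == "tcp" || $3 == "6") && $5 == src &&
    $0 ~ /dpt:22($|[^0-9])/ { print $1; exit }'
}

# front_ssh_rule SRC [TARGET]: delete any stale copy of the rule by number
# (as the page does), then insert the rule at position 1 so it is evaluated
# before any earlier DROP rule. TARGET defaults to the logaccept chain.
front_ssh_rule() {
  src="$1"; target="${2:-logaccept}"
  num=$("$IPT" -L INPUT -n --line-numbers | ssh_rule_num "$src")
  if [ -n "$num" ]; then
    "$IPT" -D INPUT "$num" || return 1
  fi
  "$IPT" -I INPUT 1 -p tcp -s "$src" --dport 22 -j "$target"
}

# Usage on the router (as root): sh thisscript.sh 100.100.200.100 [ACCEPT]
if [ "$#" -gt 0 ]; then
  front_ssh_rule "$@"
fi
```

Checking with `iptables -L INPUT -n --line-numbers` afterwards should show the ssh rule at number 1 exactly once, however many times the script has been run.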

External Resources

http://www.iptables.org/documentation/HOWTO//packet-filtering-HOWTO-7.html
http://www.iptables.org/documentation/HOWTO//netfilter-hacking-HOWTO.html
