Building Firewalls with iptables, Part 1 - Page 2

By Carla Schroder | Posted May 28, 2003
Page 2 of 3   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Starting and Stopping iptables

This depends on your individual flavor of Linux; a nice rc script does the job, or you can run it manually from the command line. Please consult the docs for your distribution. Part 2 in this series will have sample scripts.

TCP/IP

As always, the more you understand about TCP/IP, the more this stuff makes sense. iptables rules filter and match on packet headers and TCP/IP protocols -- any of them.

Installation

iptables is commonly included in Linux distributions; it would be very unusual to not have it. Run iptables --version to see what's on your system. If for some inexplicable reason you do not have it, see Resources at the end of this article.

Checking Rulesets

man iptables is a complete reference for all the commands and options, or run iptables --help for a quick reference. To view your existing iptables rules, run:

# iptables --list

This is what iptables looks like with no rules defined:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

As shown in the above example, every packet must first traverse one of three built-in chains: INPUT, OUTPUT, or FORWARD.

Filter is the most commonly used table. Here is the basic syntax for all iptables rules:

iptables [-t table] command [match] [target/jump]

Not every piece of this is required, nor does it need to be in this order; however, this is the usual method, and as always, I encourage verbosity for the sake of clarity.

The filter table is the default if none is specified. The three most common targets in the filter table are ACCEPT, DROP, and REJECT. DROP drops packets dead, with no further processing. No messages are sent at all to anyone. REJECT sends back an error message to the sending host. DROP is very useful, although at times it may have undesirable side effects, such as leaving a messy trail of dead sockets.

Page 3: Adding Rules

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter