Merge #99 Fix edit-iptables-rules article

This commit is contained in:
Petr Bokoč 2019-04-23 10:26:46 +00:00
commit fdf9741859
6 changed files with 471 additions and 514 deletions

View file

@ -51,9 +51,32 @@
* xref:upgrading.adoc[Upgrading to a new release]
** xref:dnf-system-upgrade.adoc[Upgrading Fedora using the DNF system upgrade]
* xref:using-aide.adoc[Checking integrity with AIDE]
* xref:anaconda/anaconda.adoc[Anaconda]
** xref:anaconda/anaconda_distros.adoc[Anaconda-based Distributions]
** xref:anaconda/anaconda_updates.adoc[Anaconda Updates]
** xref:anaconda/anaconda_logging.adoc[Anaconda Logging]
** xref:anaconda/anaconda_product_image.adoc[Anaconda Product Image]
* xref:getting-started-with-apache-http-server.adoc[Getting started with Apache HTTP Server]
* xref:finding-and-installing-linux-applications.adoc[Finding and installing Linux applications]
* xref:installing-chromium-or-google-chrome-browsers.adoc[Installing Chromium or Google Chrome browsers]
* xref:switching-desktop-environments.adoc[Switching desktop environments]
* xref:fedora-and-red-hat-enterprise-linux.adoc[Difference between Fedora and Red Hat Enterprise Linux]
* xref:dnf.adoc[Using the DNF software package manager]
* xref:dnf-system-upgrade.adoc[Upgrading Fedora using the DNF system upgrade]
* xref:securing-the-system-by-keeping-it-up-to-date.adoc[Securing the system by keeping it up-to-date]
* xref:upgrading.adoc[Upgrading to a new release of Fedora]
* xref:firewalld.adoc[Controlling network traffic with firewalld]
* xref:iptables/overview.adoc[How to edit iptables rules]
** xref:iptables/cli.adoc[Command Line Interface]
** xref:iptables/tui.adoc[Text-based Interface]
** xref:iptables/gui.adoc[Graphical User Interface]
* xref:using-adobe-flash.adoc[Using Adobe Flash]
* xref:adding-new-fonts-fedora.adoc[Adding new fonts in Fedora]
* xref:create-gpg-keys.adoc[Creating GPG Keys]
* xref:bootloading-with-grub2.adoc[Bootloading with GRUB2]
* xref:creating-and-using-a-live-installation-image.adoc[Creating and using a live installation image]
* xref:installing-java.adoc[Installing Java]
* xref:kernel/overview.adoc[Kernel]
** xref:kernel/troubleshooting.adoc[Troubleshooting]
** xref:kernel/build-custom-kernel.adoc[Building a Custom Kernel]
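Review bot: the resulting nav lists the same target twice under different titles: `xref:upgrading.adoc` appears as "Upgrading to a new release" and again as "Upgrading to a new release of Fedora", and `xref:dnf-system-upgrade.adoc` appears both as a sub-item of it and as a top-level entry; each page should be listed once. The bulk of this hunk also adds entries unrelated to the iptables article this merge is named for (Apache HTTP Server, Chromium, fonts, Java and others), so either split those into their own commit or mention them in the commit message. The iptables entries themselves (`iptables/overview.adoc` with the `cli`, `tui` and `gui` sub-pages) match the files added later in this diff.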
@ -72,7 +95,6 @@
//FIXME * xref:debug-systemd-problems.adoc[How to debug systemd problems]
//FIXME * xref:debug-wayland-problems.adoc[How to debug Wayland problems] - note: maintained on wiki, does not fit quick-docs IMHO
//FIXME * xref:fedora-life-cycle.adoc[Fedora Release Life Cycle] - note: maintained on wiki, does not fit quick-docs IMHO
//FIXME * xref:edit-iptables-rules.adoc[How to edit iptables rules]
//FIXME * xref:enable-touchpad-click.adoc[How to enable touchpad click]
//FIXME * xref:mirroring.adoc[Mirroring]
//FIXME * xref:openh264.adoc[OpenH264]

View file

@ -1,510 +0,0 @@
= How to edit iptables rules
'''
[IMPORTANT]
======
This page was automatically converted from https://fedoraproject.org/wiki/How_to_edit_iptables_rules
It is probably
* Badly formatted
* Missing graphics and tables that do not convert well from mediawiki
* Out-of-date
* In need of other love
Pull requests accepted at https://pagure.io/fedora-docs/quick-docs
Once you've fixed this page, remove this notice, and update
[filename]`modules/ROOT/nav.adoc`.
Once the document is live, go to the original wiki page and replace its text
with the following macro:
....
{{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}
....
======
'''
include::{partialsdir}/unreviewed-message.adoc[]
In this how-to, we will illustrate three ways to edit iptables Rules :
* *CLI :* iptables command line interface and system configuration file
/etc/sysconfig/iptables.
* *TUI (text-based) interface :* setup or system-config-firewall-tui
* *GUI :* system-config-firewall
NOTE: This how-to illustrates editing existing iptables Rules, not the
initial creation of Rules chains.
__TOC__
[[cli-command-line-interface]]
== CLI (command line interface)
[[hot-changes-to-iptables-rules]]
=== Hot changes to iptables Rules
The following procedures allow changes in the behaviour of the firewall
while it is running.
Read the man pages for iptables (man iptables) for further explanations
and more sophisticated Rules examples.
[[listing-rules]]
==== Listing Rules
Current running iptables Rules can be viewed with the command
....
iptables -L
....
.
Example of iptables Rules allowing any connections already established
or related, icmp requests, all local traffic, and ssh communication:
....
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
Note that Rules are applied in order of appearance, and the inspection
ends immediately when there is a match. Therefore, for example, if a
Rule rejecting ssh connections is created, and afterward another Rule is
specified allowing ssh, the Rule to reject is applied and the later Rule
to accept the ssh connection is not.
[[appending-rules]]
==== Appending Rules
The following adds a Rule at the end of the specified chain of iptables:
....
[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
Notice the last line in chain INPUT. There are now five Rules in that
chain.
[[deleting-rules]]
==== Deleting Rules
To delete a Rule, you must know its position in the chain. The following
example deletes an existing Rule created earlier that is currently in
the fifth position:
....
[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
[[inserting-rules]]
==== Inserting Rules
Create a Rule at the top (first) position:
....
[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
The number given after the chain name indicates the position *before* an
existing Rule. So, for example, if you want to insert a Rule *before*
the third rule you specify the number 3. Afterward, the existing Rule
will then be in the fourth position in the chain.
[[replacing-rules]]
==== Replacing Rules
Rules may be specified to replace existing Rules in the chain.
In the example shown previously, the first Rule given allows connections
to the http port (port 80) from anywhere. The following replaces this
Rule, restricting connections to the standard http port (port 80) only
from the network address range 192.168.0.0/24:
....
[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
[[flushing-rules]]
==== Flushing Rules
To flush or clear iptables Rules, use the *--flush*, *-F* option :
....
iptables -F <chain>
....
Specifying a ** is optional; without a chain specification, all chains
are flushed.
Example to flush Rules in the *OUTPUT* chain :
....
[root@server ~]# iptables -F OUTPUT
....
[[making-changes-persistent]]
=== Making changes persistent
The iptables Rules changes using CLI commands will be lost upon system
reboot. However, iptables comes with two useful utilities:
*iptables-save* and *iptables-restore*.
* *iptables-save* prints a dump of current iptables rules to *stdout*.
These may be redirected to a file:
....
[root@server ~]# iptables-save > iptables.dump
[root@server ~]# cat iptables.dump
# Generated by iptables-save v1.4.12 on Wed Dec 7 20:10:49 2011
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec 7 20:10:49 2011
....
* iptables-restore : restore a dump of rules made by iptables-save.
....
[root@server ~]# iptables-restore < iptables.dump
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
In the default configuration, stopping or restarting the iptables
service will discard the running configuration. This behavior can be
changed by setting IPTABLES_SAVE_ON_STOP="yes" or
IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If
these values are set, the affected files are:
* ....
/etc/sysconfig/iptables
....
+
for IPv4
* ....
/etc/sysconfig/ip6tables
....
+
for IPv6
If preferred, these files may be edited directly, and iptables service
restarted to commit the changes. The format is similar to that of the
iptables CLI commands:
....
# Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011
*filter <--------------------------------------------------------- Specify the table of the next rules
:INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain
:FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [<packet-counter>:<byte-counter>] numbers is for
:OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule.
-A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments
-A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table.
# Completed on Wed Dec 7 20:22:39 2011
....
If needed, to reset packet and byte counters, use *-Z*, *--zero* :
....
iptables -Z <chain> <rule_number>
....
It is possible to reset only reset a single rule counter. It can be
useful, if you want to know how many packets were captured for a
specific rule.
[[tui-text-based-user-interface]]
== TUI (text-based user interface)
There is two ways to managing iptables rules with a text-based user
interface, either using *setup* or *system-config-firewall-tui*. Using
*system-config-firewall-tui* takes you directly to editing the rules.
Using *setup* you need to select *firewall configuration* and then you
can edit rules. Starting with *setup* looks like this:
image:Firewall-tui.PNG[setup menu
utility,title="setup menu utility",width=700]
On the next screen, which is where you start with
*system-config-firewall-tui*, make sure that "Firewall" is enabled, or
you cannot edit the settings. Then select *Customize* :
image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First
screen.,title="Firewall Configuration by TUI. First screen.",width=700]
There is good chance that a service you want to modify is part of the
list of standard "Trusted" services. Select the services you want to
trust (ports to open) and press *Forward* (which means 'next', it is not
port forwarding):
image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with
firewall tui
interface.,title="Editing trusted service with firewall tui interface.",width=700]
The Other Ports menu lets you open additional ports not in the list of
standard Trusted Services, or to edit an existing list of additional
ports :
image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall
configuration by TUI
interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700]
To add other ports, specify one port or a port range, and choose between
*tcp* or *udp* for the protocol. The port range format is _beginningPort
- endingPort_.
image:Firewall_TUI_adding_other_ports.PNG[Adding other ports on firewall
configuration by TUI
interface.,title="Adding other ports on firewall configuration by TUI interface.",width=700]
The trusted interfaces menu allows you to trust all traffic on a network
interface. All traffic will be allowed and the port filtering rules will
never match. You should only select an interface that faces a private
network, never an interface that directly faces the Internet.
image:Firewall_TUI_trusted_interfaces.PNG[Trusted
interfaces.,title="Trusted interfaces.",width=700]
The Masquerading menu lets you select an interface to be masqueraded.
Masquerading is better known as
*http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network
Address Translation), and it is useful for example when your computer is
used as gateway to access the internet:
image:Firewall_TUI_masquerading.PNG[Firewall TUI interface :
masquerading.,title="Firewall TUI interface : masquerading.",width=700]
Port forwarding, also known as
*http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]*,
permits traffic from one port to be rerouted to another port.
image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface :
configuring Port
Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700]
For example:
image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port
forwarding
rules.,title="Firewall TUI : adding port forwarding rules.",width=700]
The ICMP Filter menu lets you reject various types of ICMP packets. By
default, no limitations are made, but you can define rules to reject
ICMP traffic, define the return error to an ICMP request, etc.
image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP
behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700]
Finally, you can add custom firewall rules. These must be prepared ahead
of time in files that use the same format as the iptables file.
image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom
rules.,title="Firewall TUI: create custom rules.",width=700]
For adding custom rules you have specify the protocol between *ipv4* or
*ipv6* and on what table add the custom rules *filter*, *mangle* or
*nat* then the path to the file containing rules to add :
image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom
rules.,title="Firewall TUI: adding a custom rules.",width=700]
When you have completed all menus, *Close* the interface, which brings
you back to the first screen of firewall configuration. Select *OK* and
a warning message appear :
image:Firewall_TUI_Warning.PNG[Firewall TUI
warning.,title="Firewall TUI warning.",width=700]
Select *Yes* if the configuration you made fits to you and exit
interface, or *No* to go back to the firewall configuration screen.
[[gui]]
== GUI
[[red-hat-gui-configuration-tool]]
=== Red Hat GUI configuration tool
GUI interface allow you exactly the same thing that TUI interface, but
it is more friendly usable.
First time you start GUI, you have a welcome message that warning you
that if you have existing manual rules then this rules will be
overwritten. image:Firewall_GUI_First_Time_Startup.PNG[First time
startup message,title="fig:First time startup message"]
Before all, you need to *Enable* your firewall to use Firewall
Configuration utility.
image:FireWwall_GUI_startup.PNG[Firewall Gui startup
screen,title="Firewall Gui startup screen"]
Then utility warn you that you don't have any existing configuration and
want you execute the wizard. Click on *Start wizard*:
image:No_configuration.PNG[No firewall
configuration,title="No firewall configuration"]
Click on forward :
image:Firewall_Wizard.PNG[Firewall Wizard : welcome
screen,title="Firewall Wizard : welcome screen"]
_System with network access_ enable Firewall and _System without network
access_ disable Firewall, so select _System with network access_ :
image:Firewall_Wizard_2.PNG[Firewall Wizard : network
access?,title="Firewall Wizard : network access?"]
Beginner allow you to modify only _Trusted Services_, it's fine if you
use only known services like ftp, dns, http, etc but don't allow you to
configure customs ports range, select _Expert_ to have full featured
Firewall Configuration utility, you can change this option later in the
*Options* menu Main windows, in *User Skill Level* :
image:Firewall_Wizard_3.PNG[Firewall Wizard :
skill?,title="Firewall Wizard : skill?"]
*Server* template enable only ssh port on firewall configuration
_Desktop_ template enable additional ports for _IPsec_, _Multicast DNS_,
_Network Printing Client_ and _SSH_. For convenience select Desktop, and
*OK* :
image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration
base?,title="Firewall Wizard : configuration base?"]
As described earlier _Desktop_ template enable 4 services _IPsec_,
_mDNS_, _IPP_ and _SSH_. If you have services listed in *Trusted
Services* section that you want to enabled, you just have to click on
it, that's all. It is possible to change template by using the *Options*
menu, in *Load Default Configuration*.
image:Firewall_Wizard_5.PNG[Firewall Main interface :
enabled,title="Firewall Main interface : enabled"]
*Other Ports* allow you to edit custom rules if your service port wasn't
in *Trusted service*. To begin, just click on *Add* button. Then either
you choose in services list the right service or you tick *User Defined*
and fill requested information about *Port / Port Range* and *Protocol*.
image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports
rules.,title="Firewall GUI : edit other ports rules."]
*Trusted Interfaces*, *Masquerading*, *Port Forwarding*, *ICMP Filter*
and _Custom Rules_' have exactly the same effect than in TUI interface.
When configuration fits to you, just click on the *Apply* button.
[[others-gui]]
=== Others GUI
There are others GUI available to configure iptables rules.
* http://www.fwbuilder.org/_fwbuilder[http://www.fwbuilder.org/
fwbuilder] : very complete gui tools to configure iptables.
* http://shorewall.net/_Shorewall[http://shorewall.net/ Shorewall] :
another very complete gui like fwbuilder.
* http://www.turtlefirewall.com/_Turtle_firewall_project[http://www.turtlefirewall.com/
Turtle firewall project] : web interface and integrated to webmin. Fits
to basic usage of Iptables, can not handle all iptables options like
fwbuilder
* http://users.telenet.be/stes/ipmenu.html_IPmenu[http://users.telenet.be/stes/ipmenu.html
IPmenu] : console based interface that allow you all iptables
functionalities.
'''
See a typo, something missing or out of date, or anything else which can be
improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.
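Review bot: deleting this file drops the explicit anchors it defined (`[[making-changes-persistent]]`, `[[flushing-rules]]`, `[[tui-text-based-user-interface]]` and the rest), so any link into `edit-iptables-rules.adoc#...` now breaks; consider leaving a stub that points at `iptables/overview.adoc`, or carrying the anchor ids over to the new pages. The annotated `iptables-save` dump is also worth keeping in some form: the arrows explaining that `*filter` selects the table, that `:INPUT DROP [...]` sets each chain's policy, and that `COMMIT` is required at the end of every table definition convey more than the replacement text's remark that the bracketed numbers are counters. The rest of the removal is fine: the mediawiki conversion banner, `__TOC__` and the "Specifying a ** is optional" fragment were conversion artifacts.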

View file

@ -0,0 +1,251 @@
== Command Line Interface
=== Changes to iptables Rules
The following procedures allow for changes in the behaviour of the firewall
while it is running. It is important to understand that every change
is applied immediately.
Read the man pages (`man iptables`) for further explanations
and more sophisticated examples.
==== Listing Rules
Currently running iptables rules can be viewed with the command:
....
# iptables -L
....
The following example shows four rules. These rules permit
established or related connections, any ICMP traffic, any local traffic as
well as incoming connections on port 22. Please note that the output has
no indication that the third rule applies only to local traffic. Therefore
you might want to add the `-v` option. This will reveal that the rule only
applies to traffic on the loopback interface.
....
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
Also remember that rules are applied in order of appearance and that after the
first match, no further rules are considered (there are exceptions, please refer
to the man pages for details). For example, in case there is a rule rejecting
ssh connections and subsequently a second rule permitting ssh connections, the
first rule would be applied to incoming ssh connections while the latter would
never be evaluated.
==== Appending Rules
The following adds a rule at the end of the specified chain of iptables:
....
[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
Notice the last line in the INPUT chain. There are now five rules.
==== Deleting Rules
To delete a rule you need to know its position in the chain. The following will
delete the rule from the previous example. To do so, the rule in the fifth
position has to be deleted:
....
[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
==== Inserting Rules
You can also insert rules at a specific position. To insert a rule at the top
(i.e. first) position, use:
....
[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
The number given after the chain name indicates the position of your new rule
*after* the insertion. So, for example, if you want to insert a rule at the
third position, you specify the number 3. Afterwards your new rule is at
position 3, while the old rule from position 3 is now shifted to position 4.
==== Replacing Rules
Rules may be specified to replace existing rules in the chain.
In the previous example, the first rule grants access to tcp port 80 from
any source. To restrict the access to sources within a local net, the following
command replaces the first rule:
....
[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
==== Flushing Rules
To flush or clear all iptables rules, use the `--flush`, `-F` option:
....
# iptables -F <chain>
....
Specifying a chain is optional. Without a given chain, all chains
are flushed. Remember that the new rule set is immediately active.
Depending on the default policies, you might loose access to a remote machine
by flushing the rules.
To flush all rules in the OUTPUT chain use:
....
# iptables -F OUTPUT
....
=== Making changes persistent
All changes to iptables rules using the CLI commands will be lost upon system
reboot. However, `iptables` comes with two useful utilities:
`iptables-save` and `iptables-restore`.
`iptables-save` prints a dump of current rule set to *stdout*. This may be
redirected to a file:
....
[root@server ~]# iptables-save > iptables.dump
[root@server ~]# cat iptables.dump
# Generated by iptables-save v1.4.12 on Wed Dec 7 20:10:49 2011
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec 7 20:10:49 2011
....
Use `iptables-restore` to restore a dump of rules made by `iptables-save`.
....
[root@server ~]# iptables-restore < iptables.dump
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
....
In the default configuration, stopping or restarting the iptables
service will discard the running configuration. This behavior can be
changed by setting `IPTABLES_SAVE_ON_STOP="yes"` or
`IPTABLES_SAVE_ON_RESTART="yes"` in `/etc/sysconfig/iptables-config`. If
these values are set, the configuration will be automatically dumped to
`/etc/sysconfig/iptables` and `/etc/sysconfig/ip6tables` for IPv4 and IPv6
respectively.
If you prefer, you may edit these files directly. Restart the iptables
service or restore the rules to apply your changes. The rules are in the same
format as you would specify them on the command line:
....
# Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011
*filter
:INPUT DROP [157:36334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48876:76493439]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec 7 20:22:39 2011
....
The numbers in brackets are counters and usually you don't have to mangle them.
If needed, you can reset packet and byte counters using the `-Z` or `--zero`
option:
....
# iptables -Z <chain> <rule_number>
....
It is possible to reset only a single rule counter. This might become handy
if you want to know how many packets were captured for a specific rule.
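Review bot: the flushing section names the lock-out risk but not its mechanism: with the `INPUT` policy `DROP` shown in every listing on this page, `iptables -F` removes the `RELATED,ESTABLISHED` and `dpt:ssh` ACCEPT rules while the DROP policy stays in place, so the SSH session used to run the command is cut off; suggest stating that the chain policy should be set to ACCEPT, or a dump kept ready for `iptables-restore`, before flushing on a remote host. Typos: "you might loose access" should read "lose"; "you don't have to mangle them" should avoid `mangle`, which is also the name of an iptables table, and say "modify" instead. The prompts are inconsistent within one section (`# iptables -L` versus `[root@server ~]# iptables -L`); pick one. The `-v` hint for seeing that the third rule is limited to the loopback interface is a good addition.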

View file

@ -0,0 +1,85 @@
== Graphical User Interface
There are several graphical user interfaces available to configure iptables.
* link:http://www.fwbuilder.org/_fwbuilder[fwbuilder]: Very complete GUI tools
to configure iptables.
* link:http://shorewall.net/_Shorewall[Shorewall]: Another very complete GUI
like fwbuilder.
* link:http://www.turtlefirewall.com/_Turtle_firewall_project[Turtle firewall
project]: Web interface and integrated to webmin. But it can not handle all
iptables options.
* link:http://users.telenet.be/stes/ipmenu.html_IPmenu[IPmenu] :A console based
interface that covers all iptables functionality.
The following section describes yet another frontend: `system-config-firewall`.
=== system-config-firewall
The GUI interface is similar to the text based interface just more friendly.
The first time you start the GUI you will receive a warning. The program will
*not* load your custom configuration. So any preexisting rules will be
overwritten.
image:Firewall_GUI_First_Time_Startup.PNG[First time
startup message,title="fig:First time startup message"]
Before you start, you have to enable your firewall to activate the
configuration utility.
image:FireWwall_GUI_startup.PNG[Firewall Gui startup
screen,title="Firewall Gui startup screen"]
The initial configuration is empty and will not allow any network traffic.
image:No_configuration.PNG[No firewall
configuration,title="No firewall configuration"]
You can ignore the warning and start the wizard. Click _forward_:
image:Firewall_Wizard.PNG[Firewall Wizard : welcome
screen,title="Firewall Wizard : welcome screen"]
Choose _System with network access_ to enable the firewall. The other option
_System without network access_ would disable the firewall and don't allow
access to any network.
image:Firewall_Wizard_2.PNG[Firewall Wizard : network
access?,title="Firewall Wizard : network access?"]
Next, you have to choose your skill level. The *Beginner* options only
allows the configuration of _trusted services_. This option is fine if you only
want to use services like _ftp_, _dns_, _http_, etc. It does not allow you to
configure customs port ranges. If you select *Expert*, you will have access to
firewall options. You can change the skill level later via _Options_ in the
main window.
image:Firewall_Wizard_3.PNG[Firewall Wizard :
skill?,title="Firewall Wizard : skill?"]
You can choose from a set of default configurations to start with. The *Server*
template will only enable SSH on the firewall. The _desktop template_ enables
additional ports (_IPsec_, _multicast DNS_, _Network Printing Client_ and
_SSH_). For convenience select *Desktop* and continue:
image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration
base?,title="Firewall Wizard : configuration base?"]
To enable additional _trusted services_ just choose the services from the list.
image:Firewall_Wizard_5.PNG[Firewall Main interface :
enabled,title="Firewall Main interface : enabled"]
You can add custom rules after choosing *Other ports* from the side bar. Click
the *Add* button and either choose form services list on the right or tick
*User Defined* and fill in the requested information.
image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports
rules.,title="Firewall GUI : edit other ports rules."]
The other options in the sidebar *Trusted Interfaces*, *Masquerading*, *Port
Forwarding* and so on work exactly as in the text based interface.
When you finished the configuration, click *Apply* to save and activate the
firewall.
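Review bot: the four link targets at the top of this hunk are broken; `http://www.fwbuilder.org/_fwbuilder`, `http://shorewall.net/_Shorewall`, `http://www.turtlefirewall.com/_Turtle_firewall_project` and `http://users.telenet.be/stes/ipmenu.html_IPmenu` have the link text fused onto the URL with an underscore, a leftover of the mediawiki conversion that is visible in the deleted page, where the display text still reads "http://www.fwbuilder.org/ fwbuilder"; the targets should be `http://www.fwbuilder.org/`, `http://shorewall.net/`, `http://www.turtlefirewall.com/` and `http://users.telenet.be/stes/ipmenu.html`. Wording: "Very complete GUI tools" for a single tool, "customs port ranges", "would disable the firewall and don't allow access", and "choose form services list" should read "tool", "custom port ranges", "does not allow" and "from the services list". The skill-level paragraph says Expert gives "access to firewall options", where the deleted page said "full featured"; "access to all firewall options" is clearer.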

View file

@ -0,0 +1,11 @@
= How to edit iptables rules
In this how-to, we will illustrate three ways of editing iptables rules, via:
* xref:iptables/cli.adoc[Command line interface] (CLI) `iptables` and system configuration file
`/etc/sysconfig/iptables`.
* xref:iptables/tui.adoc[Text-based interfaces] (TUI) `setup` or `system-config-firewall-tui`
* xref:iptables/gui.adoc[Graphical user interface](GUI) `system-config-firewall`
NOTE: This how-to illustrates editing existing iptables rules, not the
initial creation of rules chains.
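Review bot: the three bullets are not parallel, which makes the overview harder to scan: the first item ends with a period and its second line describes the tool rather than the interface, while the others have no terminal punctuation, and the third item is missing a space before "(GUI)". Suggest the same shape for all three, e.g. `* xref:iptables/cli.adoc[Command line interface] (CLI): the `iptables` command and the `/etc/sysconfig/iptables` configuration file` and `* xref:iptables/gui.adoc[Graphical user interface] (GUI): `system-config-firewall``. The NOTE admonition is the right place to say what the reader should do for initial creation of rule chains; if the CLI page covers that, add an xref there, otherwise say so explicitly.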

View file

@ -0,0 +1,98 @@
== Text-based User Interface
There are two ways to manage iptables rules using a text-based user
interface. These are `setup` and `system-config-firewall-tui`. If you start
`setup`, you will see something similar to the following:
image:Firewall-tui.PNG[setup menu
utility,title="setup menu utility",width=700]
If you select "Firewall configuration" you will see the screen below. You could
also invoke `system-config-firewall-tui`. This will take you directly to the
same screen. Make sure that "Firewall" is enabled, otherwise you cannot edit its
rule set. Continue by selecting "Customize":
image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First
screen.,title="Firewall Configuration by TUI. First screen.",width=700]
There is a good chance, that a service you want to modify is part of the
list of standard "trusted services". Select the services you want to
trust (i.e. open their ports) and press "Forward". (This has to be read as
"next", it has nothing to do with port forwarding):
image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with
firewall tui
interface.,title="Editing trusted service with firewall tui interface.",width=700]
The "Other ports" menu lets you open additional ports which are not in the list
of standard trusted services:
image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall
configuration by TUI
interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700]
To add other ports, specify one port or a port range. Choose between
_tcp_ and _udp_ for the protocol. The port range format is: _beginningPort
- endingPort_.
The "Trusted interfaces" menu allows you to trust all traffic on a network
interface. All traffic will be allowed and the port filtering rules will
never apply. You should only select interfaces which face private
networks. Never trust an interface that deals with traffic from networks which
are not under your full control.
image:Firewall_TUI_trusted_interfaces.PNG[Trusted
interfaces.,title="Trusted interfaces.",width=700]
The masquerading menu lets you select an interface to be masqueraded.
Masquerading is better known as
*http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network
Address Translation). It is useful, to setup your computer as a gateway
between different networks:
image:Firewall_TUI_masquerading.PNG[Firewall TUI interface :
masquerading.,title="Firewall TUI interface : masquerading.",width=700]
Port forwarding, also known as
*http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]*
(Port Address Translation), permits traffic from one port to be "rerouted" to
another port.
image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface :
configuring Port
Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700]
You have to specify source and destination, as well as the interface and protocol
accordingly:
image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port
forwarding
rules.,title="Firewall TUI : adding port forwarding rules.",width=700]
The ICMP Filter menu lets you reject various types of ICMP packets. By
default, no limitations are made. You may define rules to reject
ICMP traffic, define the return type to ICMP request, etc.
image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP
behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700]
Finally, you can add custom firewall rules. These must be prepared ahead
of time in files that use the same format for the command line interface.
image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom
rules.,title="Firewall TUI: create custom rules.",width=700]
For adding custom rules you have specify the protocol (i.e. _ipv4_ or
_ipv6_) and the table you want your rules add to (_filter_, _mangle_, _nat_,...)
and - of course - the file containing your rules:
image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom
rules.,title="Firewall TUI: adding a custom rules.",width=700]
When you have completed all menus, choose "Close" to resume to the first screen.
Select "OK" and confirm your changes by choosing "Yes". If you choose "No" you
will get back the configuration screen with no changes applied to your
firewall.
image:Firewall_TUI_Warning.PNG[Firewall TUI
warning.,title="Firewall TUI warning.",width=700]
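Review bot: the custom rules paragraph does not tell the reader what format the rule file must be in: "files that use the same format for the command line interface" is both ungrammatical and vague, and a user who feeds a file in the wrong format gets a silently unloaded rule set. Suggest "files in the same format the command line interface uses" with an xref to iptables/cli.adoc, which the overview in this commit already links. Grammar fixes for the same section: "you have specify the protocol" should be "you have to specify the protocol"; "the table you want your rules add to" should be "the table you want your rules added to"; the image title "adding a custom rules" should be "adding custom rules"; "choose "Close" to resume to the first screen" should be "return to the first screen". Earlier in the hunk, "There is a good chance, that a service" and "It is useful, to setup your computer" both carry a stray comma, and "setup" should be "set up" as a verb. The ICMP sentence "define the return type to ICMP request, etc." does not say what a return type is; either name the option as the TUI shows it or drop the clause. The trusted-interfaces warning ("Never trust an interface that deals with traffic from networks which are not under your full control") is the most important sentence in this file and would be clearer as a WARNING admonition rather than body text.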