= How to edit iptables rules ''' [IMPORTANT] ====== This page was automatically converted from https://fedoraproject.org/wiki/How_to_edit_iptables_rules It is probably * Badly formatted * Missing graphics and tables that do not convert well from mediawiki * Out-of-date * In need of other love Pull requests accepted at https://pagure.io/fedora-docs/quick-docs Once you've fixed this page, remove this notice, and update [filename]`modules/ROOT/nav.adoc`. Once the document is live, go to the original wiki page and replace its text with the following macro: .... {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}} .... ====== ''' In this how-to, we will illustrate three ways to edit iptables Rules : * *CLI :* iptables command line interface and system configuration file /etc/sysconfig/iptables. * *TUI (text-based) interface :* setup or system-config-firewall-tui * *GUI :* system-config-firewall NOTE: This how-to illustrates editing existing iptables Rules, not the initial creation of Rules chains. __TOC__ [[cli-command-line-interface]] == CLI (command line interface) [[hot-changes-to-iptables-rules]] === Hot changes to iptables Rules The following procedures allow changes in the behaviour of the firewall while it is running. Read the man pages for iptables (man iptables) for further explanations and more sophisticated Rules examples. [[listing-rules]] ==== Listing Rules Current running iptables Rules can be viewed with the command .... iptables -L .... . Example of iptables Rules allowing any connections already established or related, icmp requests, all local traffic, and ssh communication: .... [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination .... Note that Rules are applied in order of appearance, and the inspection ends immediately when there is a match. Therefore, for example, if a Rule rejecting ssh connections is created, and afterward another Rule is specified allowing ssh, the Rule to reject is applied and the later Rule to accept the ssh connection is not. [[appending-rules]] ==== Appending Rules The following adds a Rule at the end of the specified chain of iptables: .... [root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere tcp dpt:http Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination .... Notice the last line in chain INPUT. There are now five Rules in that chain. [[deleting-rules]] ==== Deleting Rules To delete a Rule, you must know its position in the chain. The following example deletes an existing Rule created earlier that is currently in the fifth position: .... [root@server ~]# iptables -D INPUT 5 [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination .... [[inserting-rules]] ==== Inserting Rules Create a Rule at the top (first) position: .... [root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination .... The number given after the chain name indicates the position *before* an existing Rule. So, for example, if you want to insert a Rule *before* the third rule you specify the number 3. Afterward, the existing Rule will then be in the fourth position in the chain. [[replacing-rules]] ==== Replacing Rules Rules may be specified to replace existing Rules in the chain. In the example shown previously, the first Rule given allows connections to the http port (port 80) from anywhere. The following replaces this Rule, restricting connections to the standard http port (port 80) only from the network address range 192.168.0.0/24: .... [root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:http ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination .... [[flushing-rules]] ==== Flushing Rules To flush or clear iptables Rules, use the *--flush*, *-F* option : .... iptables -F .... Specifying a ** is optional; without a chain specification, all chains are flushed. Example to flush Rules in the *OUTPUT* chain : .... [root@server ~]# iptables -F OUTPUT .... [[making-changes-persistent]] === Making changes persistent The iptables Rules changes using CLI commands will be lost upon system reboot. However, iptables comes with two useful utilities: *iptables-save* and *iptables-restore*. * *iptables-save* prints a dump of current iptables rules to *stdout*. These may be redirected to a file: .... [root@server ~]# iptables-save > iptables.dump [root@server ~]# cat iptables.dump # Generated by iptables-save v1.4.12 on Wed Dec 7 20:10:49 2011 *filter :INPUT DROP [45:2307] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1571:4260654] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT COMMIT # Completed on Wed Dec 7 20:10:49 2011 .... * iptables-restore : restore a dump of rules made by iptables-save. .... [root@server ~]# iptables-restore < iptables.dump [root@server ~]# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination .... In the default configuration, stopping or restarting the iptables service will discard the running configuration. This behavior can be changed by setting IPTABLES_SAVE_ON_STOP="yes" or IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If these values are set, the affected files are: * .... /etc/sysconfig/iptables .... + for IPv4 * .... /etc/sysconfig/ip6tables .... + for IPv6 If preferred, these files may be edited directly, and iptables service restarted to commit the changes. The format is similar to that of the iptables CLI commands: .... # Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011 *filter <--------------------------------------------------------- Specify the table of the next rules :INPUT DROP [157:36334] <----------------------------------------- This is the three chain belong to filter table, then the policy of the chain :FORWARD ACCEPT [0:0] <------------------------------------------- and between brackets [:] numbers is for :OUTPUT ACCEPT [48876:76493439] <--------------------------------- debug/informations purpose only. Leave them at their current value. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule. -A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all arguments -A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command. -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT COMMIT <---------------------------------------------------------- Needed at each end of table definition. Commit rules in that table. # Completed on Wed Dec 7 20:22:39 2011 .... If needed, to reset packet and byte counters, use *-Z*, *--zero* : .... iptables -Z .... It is possible to reset only reset a single rule counter. It can be useful, if you want to know how many packets were captured for a specific rule. [[tui-text-based-user-interface]] == TUI (text-based user interface) There is two ways to managing iptables rules with a text-based user interface, either using *setup* or *system-config-firewall-tui*. Using *system-config-firewall-tui* takes you directly to editing the rules. Using *setup* you need to select *firewall configuration* and then you can edit rules. Starting with *setup* looks like this: image:Firewall-tui.PNG[setup menu utility,title="setup menu utility",width=700] On the next screen, which is where you start with *system-config-firewall-tui*, make sure that "Firewall" is enabled, or you cannot edit the settings. Then select *Customize* : image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First screen.,title="Firewall Configuration by TUI. First screen.",width=700] There is good chance that a service you want to modify is part of the list of standard "Trusted" services. Select the services you want to trust (ports to open) and press *Forward* (which means 'next', it is not port forwarding): image:Firewall_TUI_Trusted_services.PNG[Editing trusted service with firewall tui interface.,title="Editing trusted service with firewall tui interface.",width=700] The Other Ports menu lets you open additional ports not in the list of standard Trusted Services, or to edit an existing list of additional ports : image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall configuration by TUI interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700] To add other ports, specify one port or a port range, and choose between *tcp* or *udp* for the protocol. The port range format is _beginningPort - endingPort_. image:Firewall_TUI_adding_other_ports.PNG[Adding other ports on firewall configuration by TUI interface.,title="Adding other ports on firewall configuration by TUI interface.",width=700] The trusted interfaces menu allows you to trust all traffic on a network interface. All traffic will be allowed and the port filtering rules will never match. You should only select an interface that faces a private network, never an interface that directly faces the Internet. image:Firewall_TUI_trusted_interfaces.PNG[Trusted interfaces.,title="Trusted interfaces.",width=700] The Masquerading menu lets you select an interface to be masqueraded. Masquerading is better known as *http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network Address Translation), and it is useful for example when your computer is used as gateway to access the internet: image:Firewall_TUI_masquerading.PNG[Firewall TUI interface : masquerading.,title="Firewall TUI interface : masquerading.",width=700] Port forwarding, also known as *http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]*, permits traffic from one port to be rerouted to another port. image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface : configuring Port Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700] For example: image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port forwarding rules.,title="Firewall TUI : adding port forwarding rules.",width=700] The ICMP Filter menu lets you reject various types of ICMP packets. By default, no limitations are made, but you can define rules to reject ICMP traffic, define the return error to an ICMP request, etc. image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700] Finally, you can add custom firewall rules. These must be prepared ahead of time in files that use the same format as the iptables file. image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom rules.,title="Firewall TUI: create custom rules.",width=700] For adding custom rules you have specify the protocol between *ipv4* or *ipv6* and on what table add the custom rules *filter*, *mangle* or *nat* then the path to the file containing rules to add : image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom rules.,title="Firewall TUI: adding a custom rules.",width=700] When you have completed all menus, *Close* the interface, which brings you back to the first screen of firewall configuration. Select *OK* and a warning message appear : image:Firewall_TUI_Warning.PNG[Firewall TUI warning.,title="Firewall TUI warning.",width=700] Select *Yes* if the configuration you made fits to you and exit interface, or *No* to go back to the firewall configuration screen. [[gui]] == GUI [[red-hat-gui-configuration-tool]] === Red Hat GUI configuration tool GUI interface allow you exactly the same thing that TUI interface, but it is more friendly usable. First time you start GUI, you have a welcome message that warning you that if you have existing manual rules then this rules will be overwritten. image:Firewall_GUI_First_Time_Startup.PNG[First time startup message,title="fig:First time startup message"] Before all, you need to *Enable* your firewall to use Firewall Configuration utility. image:FireWwall_GUI_startup.PNG[Firewall Gui startup screen,title="Firewall Gui startup screen"] Then utility warn you that you don't have any existing configuration and want you execute the wizard. Click on *Start wizard*: image:No_configuration.PNG[No firewall configuration,title="No firewall configuration"] Click on forward : image:Firewall_Wizard.PNG[Firewall Wizard : welcome screen,title="Firewall Wizard : welcome screen"] _System with network access_ enable Firewall and _System without network access_ disable Firewall, so select _System with network access_ : image:Firewall_Wizard_2.PNG[Firewall Wizard : network access?,title="Firewall Wizard : network access?"] Beginner allow you to modify only _Trusted Services_, it's fine if you use only known services like ftp, dns, http, etc but don't allow you to configure customs ports range, select _Expert_ to have full featured Firewall Configuration utility, you can change this option later in the *Options* menu Main windows, in *User Skill Level* : image:Firewall_Wizard_3.PNG[Firewall Wizard : skill?,title="Firewall Wizard : skill?"] *Server* template enable only ssh port on firewall configuration _Desktop_ template enable additional ports for _IPsec_, _Multicast DNS_, _Network Printing Client_ and _SSH_. For convenience select Desktop, and *OK* : image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration base?,title="Firewall Wizard : configuration base?"] As described earlier _Desktop_ template enable 4 services _IPsec_, _mDNS_, _IPP_ and _SSH_. If you have services listed in *Trusted Services* section that you want to enabled, you just have to click on it, that's all. It is possible to change template by using the *Options* menu, in *Load Default Configuration*. image:Firewall_Wizard_5.PNG[Firewall Main interface : enabled,title="Firewall Main interface : enabled"] *Other Ports* allow you to edit custom rules if your service port wasn't in *Trusted service*. To begin, just click on *Add* button. Then either you choose in services list the right service or you tick *User Defined* and fill requested information about *Port / Port Range* and *Protocol*. image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports rules.,title="Firewall GUI : edit other ports rules."] *Trusted Interfaces*, *Masquerading*, *Port Forwarding*, *ICMP Filter* and _Custom Rules_' have exactly the same effect than in TUI interface. When configuration fits to you, just click on the *Apply* button. [[others-gui]] === Others GUI There are others GUI available to configure iptables rules. * http://www.fwbuilder.org/_fwbuilder[http://www.fwbuilder.org/ fwbuilder] : very complete gui tools to configure iptables. * http://shorewall.net/_Shorewall[http://shorewall.net/ Shorewall] : another very complete gui like fwbuilder. * http://www.turtlefirewall.com/_Turtle_firewall_project[http://www.turtlefirewall.com/ Turtle firewall project] : web interface and integrated to webmin. Fits to basic usage of Iptables, can not handle all iptables options like fwbuilder * http://users.telenet.be/stes/ipmenu.html_IPmenu[http://users.telenet.be/stes/ipmenu.html IPmenu] : console based interface that allow you all iptables functionalities. ''' See a typo, something missing or out of date, or anything else which can be improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.