mirror of https://pagure.io/fedora-docs/quick-docs.git, synced 2024-11-28 23:06:36 +00:00

= How to edit iptables rules

'''

[IMPORTANT]
======
This page was automatically converted from https://fedoraproject.org/wiki/How_to_edit_iptables_rules

It is probably

* Badly formatted
* Missing graphics and tables that do not convert well from mediawiki
* Out-of-date
* In need of other love

Please fix it, remove this notice, and then add to `_topic_map.yml`

Pull requests accepted at https://pagure.io/fedora-docs/fedora-howto

Once that is live, go to the original wiki page and add an `{{old}}`
tag, followed by a note like

....
{{admon/note|This page has a new home!|
This wiki page is no longer maintained. Please find the up-to-date
version at: https://docs.fedoraproject.org/whatever-the-url
}}
....
======

'''

In this how-to, we will illustrate three ways to edit iptables rules:

* *CLI:* the iptables command line interface and the system configuration
file /etc/sysconfig/iptables.
* *TUI (text-based interface):* setup or system-config-firewall-tui
* *GUI:* system-config-firewall

NOTE: This how-to illustrates editing existing iptables rules, not the
initial creation of rule chains.

[[cli-command-line-interface]]
CLI (command line interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[[hot-changes-to-iptables-rules]]
Hot changes to iptables Rules
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The following procedures change the behaviour of the firewall while it
is running.

Read the iptables man page (`man iptables`) for further explanation and
more sophisticated rule examples.

[[listing-rules]]
Listing Rules
+++++++++++++

The currently running iptables rules can be viewed with the command:

....
iptables -L
....

Example of iptables rules allowing any connections already established
or related, ICMP requests, all local traffic, and SSH communication:

....
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
....

Note that rules are applied in order of appearance, and inspection ends
immediately at the first match. Therefore, for example, if a rule
rejecting SSH connections is created, and afterward another rule is
added allowing SSH, the rejecting rule is applied and the later rule
accepting the SSH connection is never reached.

[[appending-rules]]
Appending Rules
+++++++++++++++

The following adds a rule at the end of the specified iptables chain:

....
[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
....

Notice the last line in chain INPUT. There are now five rules in that
chain.

[[deleting-rules]]
Deleting Rules
++++++++++++++

To delete a rule, you must know its position in the chain. The following
example deletes the rule created above, which is currently in the fifth
position:

....
[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
....

[[inserting-rules]]
Inserting Rules
+++++++++++++++

Create a rule at the top (first) position:

....
[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
....

The number given after the chain name is the position *before* an
existing rule. So, for example, if you want to insert a rule *before*
the third rule, you specify the number 3. Afterward, the previously
third rule will be in the fourth position in the chain.

[[replacing-rules]]
Replacing Rules
+++++++++++++++

Rules may be specified to replace existing rules in the chain.

In the example shown previously, the first rule allows connections to
the http port (port 80) from anywhere. The following replaces this
rule, restricting connections to the standard http port (port 80) to
only the network address range 192.168.0.0/24:

....
[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
....

[[flushing-rules]]
Flushing Rules
++++++++++++++

To flush or clear iptables rules, use the *--flush* or *-F* option:

....
iptables -F <chain>
....

Specifying a chain is optional; without a chain specification, all
chains are flushed.

Example to flush the rules in the *OUTPUT* chain:

....
[root@server ~]# iptables -F OUTPUT
....

[[making-changes-persistent]]
Making changes persistent
^^^^^^^^^^^^^^^^^^^^^^^^^

Changes to iptables rules made with CLI commands will be lost upon
system reboot. However, iptables comes with two useful utilities:
*iptables-save* and *iptables-restore*.

* *iptables-save* prints a dump of the current iptables rules to
*stdout*. This may be redirected to a file:

....
[root@server ~]# iptables-save > iptables.dump
[root@server ~]# cat iptables.dump
# Generated by iptables-save v1.4.12 on Wed Dec 7 20:10:49 2011
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec 7 20:10:49 2011
....

* *iptables-restore* restores a dump of rules made by *iptables-save*:

....
[root@server ~]# iptables-restore < iptables.dump
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
....

In the default configuration, stopping or restarting the iptables
service discards the running configuration. This behavior can be
changed by setting IPTABLES_SAVE_ON_STOP="yes" or
IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If
these values are set, the affected files are:

* `/etc/sysconfig/iptables` for IPv4
* `/etc/sysconfig/ip6tables` for IPv6

If preferred, these files may be edited directly, and the iptables
service restarted to commit the changes. The format is similar to that
of the iptables CLI commands:

....
# Generated by iptables-save v1.4.12 on Wed Dec 7 20:22:39 2011
*filter <--------------------------------------------------------- Specifies the table the following rules belong to.
:INPUT DROP [157:36334] <----------------------------------------- These are the three chains belonging to the filter table, each followed by
:FORWARD ACCEPT [0:0] <------------------------------------------- its policy and, between brackets, [<packet-counter>:<byte-counter>]. The
:OUTPUT ACCEPT [48876:76493439] <--------------------------------- numbers are for debugging/information purposes only. Leave them at their current value.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT <--------- A rule.
-A INPUT -p icmp -j ACCEPT <-------------------------------------- You just have to take all the arguments
-A INPUT -i lo -j ACCEPT <---------------------------------------- of an iptables command.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT <---------------------------------------------------------- Needed at the end of each table definition. Commits the rules in that table.
# Completed on Wed Dec 7 20:22:39 2011
....
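
The first-match ordering described under Listing Rules and the dump format above, as an added example that is not part of the original page or of iptables itself: a small Python simulator that parses a filter-table dump and walks a chain rule by rule, stopping at the first match. Assumptions: only the options used on this page are understood, and the dump is constructed (the page's INPUT rules plus a REJECT for ssh deliberately placed before the ssh ACCEPT, so the later rule is shadowed).

```python
"""Added teaching aid, not iptables code: a first-match simulator for the
filter-table dump format shown above; only the options used on this page parse."""
import ipaddress
import shlex

# Constructed dump: the page's INPUT rules plus a REJECT for ssh placed *before*
# the ssh ACCEPT, so the later ACCEPT can never fire (the ordering pitfall).
DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# How each supported option's value is stored on a rule (KeyError otherwise).
CONVERT = {"-p": str, "-i": str, "-j": str, "--dport": int,
           "-s": lambda v: ipaddress.ip_network(v, strict=False),
           "--state": lambda v: set(v.split(","))}

def parse_dump(text):
    """Return {chain: {"policy": str, "rules": [rule dicts]}} for one table."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue                           # comment, table name, COMMIT
        if line[0] == ":":                     # ":INPUT DROP [45:2307]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
            continue
        args = shlex.split(line)
        assert args[0] == "-A", "only -A rules are supported: " + line
        rule, i = {}, 2
        while i < len(args):                   # options come in (opt, value) pairs
            opt, val = args[i], args[i + 1]
            if opt != "-m":                    # "-m state"/"-m tcp" only load extensions
                rule[opt] = CONVERT[opt](val)
            i += 2
        chains[args[1]]["rules"].append(rule)
    return chains

def matches(rule, pkt):
    """True when every criterion in the rule holds for the packet, whose
    keys use the same option names (-p, -s, -i, --dport, --state)."""
    return all(
        ipaddress.ip_address(pkt["-s"]) in want if opt == "-s"
        else pkt.get(opt) in want if opt == "--state"
        else pkt.get(opt) == want
        for opt, want in rule.items() if opt != "-j")

def verdict(chains, chain, pkt):
    """First match decides: returns (target, 1-based rule number) or (policy, 0)."""
    for n, rule in enumerate(chains[chain]["rules"], 1):
        if matches(rule, pkt):
            return rule["-j"], n
    return chains[chain]["policy"], 0
```

Running `verdict` on a new ssh packet returns the REJECT at position 4 and never the ACCEPT at position 5; removing rule 4, as `iptables -D INPUT 4` would, is what makes the later rule reachable again.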

If needed, to reset the packet and byte counters, use *-Z* or *--zero*:

....
iptables -Z <chain> <rule_number>
....

It is possible to reset only a single rule's counters. This can be
useful if you want to know how many packets were matched by a specific
rule.

[[tui-text-based-user-interface]]
TUI (text-based user interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are two ways to manage iptables rules with a text-based user
interface: either using *setup* or *system-config-firewall-tui*. Using
*system-config-firewall-tui* takes you directly to editing the rules.
Using *setup* you need to select *firewall configuration* first, and
then you can edit the rules. Starting with *setup* looks like this:

image:Firewall-tui.PNG[setup menu utility,title="setup menu utility",width=700]

On the next screen, which is where you start when using
*system-config-firewall-tui*, make sure that "Firewall" is enabled, or
you cannot edit the settings. Then select *Customize*:

image:First_menu_firewall_tui.PNG[Firewall Configuration by TUI. First screen.,title="Firewall Configuration by TUI. First screen.",width=700]

There is a good chance that a service you want to modify is part of the
list of standard "Trusted" services. Select the services you want to
trust (ports to open) and press *Forward* (which means 'next'; it is not
port forwarding):

image:Firewall_TUI_Trusted_services..PNG[Editing trusted service with firewall tui interface.,title="Editing trusted service with firewall tui interface.",width=700]

The Other Ports menu lets you open additional ports not in the list of
standard Trusted Services, or edit an existing list of additional
ports:

image:Firewall_TUI_other_ports.PNG[Editing Other ports on firewall configuration by TUI interface.,title="Editing Other ports on firewall configuration by TUI interface.",width=700]

To add other ports, specify one port or a port range, and choose between
*tcp* and *udp* for the protocol. The port range format is
_beginningPort - endingPort_.

image:Firewall_TUI_adding_other_ports[Adding other ports on firewall configuration by TUI interface.,title="Adding other ports on firewall configuration by TUI interface.",width=700]

The Trusted Interfaces menu allows you to trust all traffic on a network
interface. All traffic on that interface will be allowed and the port
filtering rules will never match. You should only select an interface
that faces a private network, never an interface that directly faces
the Internet.

image:Firewall_TUI_trusted_interfaces.PNG[Trusted interfaces.,title="Trusted interfaces.",width=700]

The Masquerading menu lets you select an interface to be masqueraded.
Masquerading is better known as
*http://en.wikipedia.org/wiki/Network_address_translation[NAT]* (Network
Address Translation), and it is useful for example when your computer is
used as a gateway to access the Internet:

image:Firewall_TUI_masquerading.PNG[Firewall TUI interface : masquerading.,title="Firewall TUI interface : masquerading.",width=700]

Port forwarding, also known as
*http://en.wikipedia.org/wiki/Network_address_translation#Port_address_translation[PAT]*,
permits traffic arriving on one port to be rerouted to another port.

image:Firewall_TUI_Port_Forwarding.PNG[Firewall TUI interface : configuring Port Forwarding.,title="Firewall TUI interface : configuring Port Forwarding.",width=700]

For example:

image:Firewall_TUI_Port_Forwarding_Adding.PNG[Firewall TUI : adding port forwarding rules.,title="Firewall TUI : adding port forwarding rules.",width=700]

The ICMP Filter menu lets you reject various types of ICMP packets. By
default, no limitations are made, but you can define rules to reject
ICMP traffic, define the error returned for an ICMP request, etc.

image:Firewall_TUI_ICMP_Filter.PNG[Firewall TUI: configuring ICMP behaviour.,title="Firewall TUI: configuring ICMP behaviour.",width=700]

Finally, you can add custom firewall rules. These must be prepared ahead
of time in files that use the same format as the iptables file.

image:Firewall_TUI_Custom_Rules.PNG[Firewall TUI: create custom rules.,title="Firewall TUI: create custom rules.",width=700]

To add custom rules you have to specify the protocol, *ipv4* or *ipv6*,
the table to which the custom rules are added, *filter*, *mangle* or
*nat*, and then the path to the file containing the rules to add:

image:Firewall_TUI_Custom_Rules_Adding.PNG[Firewall TUI: adding a custom rules.,title="Firewall TUI: adding a custom rules.",width=700]

When you have completed all menus, *Close* the interface, which brings
you back to the first screen of the firewall configuration. Select *OK*
and a warning message appears:

image:Firewall_TUI_Warning.PNG[Firewall TUI warning.,title="Firewall TUI warning.",width=700]

Select *Yes* if the configuration you made suits you, to exit the
interface, or *No* to go back to the firewall configuration screen.

[[gui]]
GUI
~~~

[[red-hat-gui-configuration-tool]]
Red Hat GUI configuration tool
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The GUI interface allows you to do exactly the same things as the TUI
interface, but it is more user-friendly.

The first time you start the GUI, a welcome message warns you that if
you have existing manually written rules, those rules will be
overwritten. image:Firewall_GUI_First_Time_Startup.PNG[First time startup message,title="fig:First time startup message"]

Before anything else, you need to *Enable* your firewall to use the
Firewall Configuration utility.

image:FireWwall_GUI_startup.PNG[Firewall Gui startup screen,title="Firewall Gui startup screen"]

Then the utility warns you that you don't have any existing
configuration and asks you to run the wizard. Click on *Start wizard*:

image:No_configuration.PNG[No firewall configuration,title="No firewall configuration"]

Click on *Forward*:

image:Firewall_Wizard.PNG[Firewall Wizard : welcome screen,title="Firewall Wizard : welcome screen"]

_System with network access_ enables the firewall and _System without
network access_ disables it, so select _System with network access_:

image:Firewall_Wizard_2.PNG[Firewall Wizard : network access?,title="Firewall Wizard : network access?"]

_Beginner_ allows you to modify only _Trusted Services_. That is fine
if you use only well-known services like ftp, dns, http, etc., but it
does not allow you to configure custom port ranges. Select _Expert_ to
get the full-featured Firewall Configuration utility; you can change
this option later from the *Options* menu of the main window, under
*User Skill Level*:

image:Firewall_Wizard_3.PNG[Firewall Wizard : skill?,title="Firewall Wizard : skill?"]

The _Server_ template enables only the SSH port in the firewall
configuration. The _Desktop_ template enables additional ports for
_IPsec_, _Multicast DNS_, _Network Printing Client_ and _SSH_. For
convenience select _Desktop_, then *OK*:

image:Firewall_Wizard_4.PNG[Firewall Wizard : configuration base?,title="Firewall Wizard : configuration base?"]

As described earlier, the _Desktop_ template enables four services:
_IPsec_, _mDNS_, _IPP_ and _SSH_. If the *Trusted Services* section
lists services that you want to enable, you just have to click on
them, that's all. It is possible to change the template using the
*Options* menu, under *Load Default Configuration*.

image:Firewall_Wizard_5.PNG[Firewall Main interface : enabled,title="Firewall Main interface : enabled"]

*Other Ports* allows you to edit custom rules if your service's port is
not in *Trusted Services*. To begin, just click on the *Add* button.
Then either choose the right service from the services list, or tick
*User Defined* and fill in the requested information about *Port / Port
Range* and *Protocol*.

image:Firewall_GUI_other_ports.PNG[Firewall GUI : edit other ports rules.,title="Firewall GUI : edit other ports rules."]

*Trusted Interfaces*, *Masquerading*, *Port Forwarding*, *ICMP Filter*
and *Custom Rules* have exactly the same effect as in the TUI interface.

When the configuration suits you, just click on the *Apply* button.

[[others-gui]]
Other GUIs
^^^^^^^^^^

There are other GUIs available to configure iptables rules.

* http://www.fwbuilder.org/[fwbuilder]: a very complete GUI tool to
configure iptables.
* http://shorewall.net/[Shorewall]: another very complete GUI, like
fwbuilder.
* http://www.turtlefirewall.com/[Turtle firewall project]: a web
interface integrated into Webmin. Fits basic usage of iptables; it
cannot handle all iptables options like fwbuilder does.
* http://users.telenet.be/stes/ipmenu.html[IPmenu]: a console-based
interface that gives you access to all iptables functionality.

'''

See a typo, something missing or out of date, or anything else which can be
improved? Edit this document at https://pagure.io/fedora-docs/fedora-howto.