Tuesday, June 13, 2006

iptables cheats

Can't remember iptables commands and what you're doing? It's easier to modify the default saved configuration than to write your own rule chains from scratch, especially if you do not do this on a daily basis.

step 1: find your iptables config file.

Use "locate iptables | more". This lists everything on the system related to iptables. Normally the config file is in the /etc/sysconfig/ directory.

step 2: change your rules using vim

centos: /etc/sysconfig/iptables
openwrt: /etc/firewall.user

and run:

centos # /etc/init.d/iptables restart
openwrt (I think) # /etc/init.d/S45firewall restart

The good news is that in most cases the default firewall configuration already contains an example rule for a tcp port and a udp port, and openwrt ships a commented example of port forwarding, e.g.:

WAN=$(nvram get wan_ifname)
### Port forwarding
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.0.2
iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.0.2 -j ACCEPT

Note that in this case the forwarded port does not also need to be opened on the WAN interface in the input rules: the forwarding_rule line already accepts the traffic arriving on $WAN for 192.168.0.2.
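As an added example (my own script, not part of the original post or of openwrt), the following shell functions audit a firewall.user-style file for the opposite mistake: a DNAT rule in prerouting_rule with no matching ACCEPT in forwarding_rule, which leaves the forward silently blocked because DNAT only rewrites the destination and the packet is still checked by the forwarding chain. The file contents are constructed here (the port 80 forward is deliberately incomplete) and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenWrt-style
# firewall.user file so that every DNAT port-forward in prerouting_rule
# has the ACCEPT in forwarding_rule that actually lets the packet through.

# Constructed sample of a firewall.user file (the port 80 forward is
# deliberately missing its forwarding_rule ACCEPT).
SAMPLE_RULES='WAN=$(nvram get wan_ifname)
### Port forwarding
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.0.2
iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.0.2 -j ACCEPT
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.0.3
'

# missing_forwards FILE: print "proto port host" for every DNAT rule in FILE
# that has no matching "-A forwarding_rule ... -j ACCEPT" line.
missing_forwards() {
    file=$1
    grep -- '-j DNAT' "$file" | while read -r line; do
        proto=$(printf '%s\n' "$line" | sed -n 's/.*-p \([a-z]*\) .*/\1/p')
        port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9]*\) .*/\1/p')
        host=$(printf '%s\n' "$line" | sed -n 's/.*--to \([0-9.]*\).*/\1/p')
        # The spaces after $port and $host stop port 2 from matching port 22.
        if ! grep -q -- "-A forwarding_rule .*-p $proto .*--dport $port .*-d $host .*-j ACCEPT" "$file"; then
            printf '%s %s %s\n' "$proto" "$port" "$host"
        fi
    done
}

# check_forwards FILE: report incomplete forwards and return 1 if any exist.
check_forwards() {
    missing=$(missing_forwards "$1")
    if [ -n "$missing" ]; then
        printf 'DNAT rules without a forwarding_rule ACCEPT (proto port host):\n%s\n' "$missing"
        return 1
    fi
    echo "every DNAT rule has a matching forwarding_rule ACCEPT"
}

# Usage: write the constructed sample to a temp file and audit it.
# On a router you would pass /etc/firewall.user instead.
sample=$(mktemp)
printf '%s' "$SAMPLE_RULES" > "$sample"
if check_forwards "$sample"; then
    echo "firewall.user is consistent"
else
    echo "add the missing forwarding_rule ACCEPT before reloading the firewall"
fi
rm -f "$sample"
```

The check is deliberately strict about the destination host: a forwarding_rule ACCEPT for the right port but the wrong internal address is reported as missing, since that is exactly the case where the DNAT target never receives the traffic.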

Alternatively, here are some iptables commands and basics to get you going. This is basically all I know, and I have managed to survive on it.

The two most commonly used tables are probably nat and filter. The default is filter, so to list the existing firewall rules you only need to do this:

# iptables -L --line

It is important to note that iptables works sequentially: it checks rule 1 before it checks rule 2, so where a rule sits in the chain matters. I've recently started using --line (short for --line-numbers), which is really vital if you want an easy way to see where to insert a rule, e.g. iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT

To view the nat (network address translation) table

# iptables -L -t nat --line

One of the more important entries in this table is probably the MASQUERADE rule used for sharing a network connection.

# iptables -A POSTROUTING -j MASQUERADE -t nat

I guess it does look intimidating, but it really isn't when it dawns upon you as in how the logic works.

If you have finished using iptables -I to create your rules, use "# iptables-save > /etc/sysconfig/iptables" to make sure your changes are saved.

More examples:

iptables -I RH-Firewall-1-INPUT 8 -p tcp --dport 80 -j ACCEPT

iptables -D RH-Firewall-1-INPUT 9
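The two examples above assume you already know that rule 8 sits just before the chain's final REJECT and that the rule to delete is number 9. As an added example (my own script, not from the post), the following shell functions read the output of iptables -L CHAIN -n --line-numbers, find the catch-all REJECT or DROP rule, and print the exact iptables -I command that inserts a new ACCEPT immediately before it, refusing to produce a duplicate if the port is already open. The listing is constructed to look like a stock CentOS RH-Firewall-1-INPUT chain; it was not captured from a real host, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: work out where a new ACCEPT
# rule has to go in a chain that ends with a catch-all REJECT, using the
# numbered listing from "iptables -L CHAIN -n --line-numbers".

# Constructed listing modelled on a stock CentOS RH-Firewall-1-INPUT chain.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
9    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# catchall_rule LISTING: number of the first REJECT or DROP rule. Because
# "iptables -I CHAIN N" inserts before the current rule N, this is the
# number to use so the new rule is still reached.
catchall_rule() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# port_open LISTING PROTO PORT: succeed if an ACCEPT for PROTO dpt:PORT exists.
port_open() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == "ACCEPT" && $3 == proto && $0 ~ ("dpt:" port "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# insert_cmd LISTING CHAIN PROTO PORT: print the iptables command to run,
# or a comment (and return 1) if the port is already accepted.
insert_cmd() {
    listing=$1; chain=$2; proto=$3; port=$4
    if port_open "$listing" "$proto" "$port"; then
        printf '# %s/%s is already accepted in %s\n' "$proto" "$port" "$chain"
        return 1
    fi
    pos=$(catchall_rule "$listing")
    if [ -z "$pos" ]; then
        # No catch-all rule in the chain, so appending is safe.
        printf 'iptables -A %s -p %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$port"
        return 0
    fi
    printf 'iptables -I %s %s -p %s --dport %s -j ACCEPT\n' "$chain" "$pos" "$proto" "$port"
}

# Usage: on a live box replace SAMPLE_LISTING with
#   listing=$(iptables -L RH-Firewall-1-INPUT -n --line-numbers)
insert_cmd "$SAMPLE_LISTING" RH-Firewall-1-INPUT tcp 80
insert_cmd "$SAMPLE_LISTING" RH-Firewall-1-INPUT tcp 22 || true
```

Printing the command instead of running it keeps the script useful as a dry run: you can read the generated line, check the position against the numbered listing, and only then paste it in and follow up with iptables-save.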
