- Linux Firewall service
How to start it?
- #service iptables start
3 important tables : filter, nat, mangle (the filter table is used unless you pick another with -t)
3 built-in chains in the filter table : INPUT (packets addressed to this host), OUTPUT (packets sent by this host), FORWARD (packets routed through this host)
Default iptables configuration in Fedora Linux, as written by iptables-save (to type a line in by hand, simply put 'iptables' in front of it) :
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The line order is very important because iptables processes the rules line by line, from the top.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
A packet is checked against each rule in turn. The first rule that matches and has a terminal target (ACCEPT, DROP, REJECT) decides the packet's fate right there, and nothing below that line is looked at. With the list above, anything that is not an established connection, ICMP, loopback traffic, or a new SSH connection falls through to the final REJECT line.
To save the current rules to a file,
#iptables-save > firewall.bak
To restore them from that file,
#iptables-restore < firewall.bak
Note that firewall.bak is only a file you chose; it is not loaded at boot. On Fedora the rules loaded by the init script live in /etc/sysconfig/iptables, which is what '#service iptables save' writes.
To make a user-defined chain,
#iptables -N [userdefinedchain-name]
To delete a user-defined chain (it must be empty and no rule may still jump to it),
#iptables -X [userdefinedchain-name]
To flush all the rules (every chain in the filter table; user-defined chains remain, but empty),
#iptables -F
To list all the chains and rules in the filter table (-n skips DNS lookups; add --line-numbers to see the positions -I uses),
#iptables -L -n
If you would like to accept http packets,
#iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Packet protocol is tcp, destination port is 80 (http); every packet matching this rule jumps to the ACCEPT target, which means 'allowed'.
-I indicates 'INSERT': with no position given, the rule goes to the beginning of the chain. If you want to put it in the middle of the list, give the position number right after the chain name (-I INPUT 3 makes it the third rule). Do not use -A for this on the default Fedora ruleset: -A appends after the final REJECT line, so the new rule would sit below the catch-all and never be reached.
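The difference between -I and -A on the default Fedora chain, as an added example that is not part of the original notes. The script works on a ruleset in iptables-save format (so it needs no root and never touches the kernel): place_rule emulates where "iptables -I INPUT N ..." and "iptables -A INPUT ..." would put the http rule, and dead_rules flags any rule that follows an unconditional REJECT/DROP in the same chain and can therefore never match. The ruleset is the Fedora default from above, constructed here as input; the function names and the "dead:" output format are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original notes). Requires POSIX sh and awk only.

# Constructed input: the Fedora default filter table shown above, in the
# format iptables-save writes and iptables-restore reads.
base_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The rule from the notes, without the "-A/-I INPUT" prefix.
HTTP_RULE='-p tcp --dport 80 -j ACCEPT'

# place_rule CHAIN POS RULE: emulate "iptables -I CHAIN POS RULE" on a
# ruleset read from stdin. POS counts CHAIN's existing rules from 1
# (POS 1 = plain "-I"). POS 0 emulates "-A": the rule goes after the
# chain's last existing rule. (Real iptables rejects POS > count+1;
# here it is treated as an append.)
place_rule() {
    awk -v chain="$1" -v pos="$2" -v rule="$3" '
    { line[NR] = $0; if ($1 == "-A" && $2 == chain) { n++; last = NR } }
    END {
        if (pos < 1 || pos > n) pos = n + 1
        k = 0
        for (i = 1; i <= NR; i++) {
            split(line[i], f, " ")
            if (f[1] == "-A" && f[2] == chain) {
                k++
                if (k == pos) print "-A " chain " " rule
            }
            if (line[i] == "COMMIT" && n == 0) print "-A " chain " " rule
            print line[i]
            if (i == last && pos == n + 1) print "-A " chain " " rule
        }
    }'
}

# dead_rules: read a ruleset on stdin and print every "-A CHAIN ..." line
# that follows an unconditional REJECT or DROP in the same chain, i.e. a
# rule with no match fields at all ("-A CHAIN -j REJECT ..."). Exit status
# is 1 if any such unreachable rule was found, 0 otherwise.
dead_rules() {
    awk '
    /^-A / {
        chain = $2
        if (closed[chain]) { print "dead: " $0; n++; next }
        if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) closed[chain] = 1
    }
    END { exit (n > 0) }'
}

# "iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT": slot 5, ahead of the REJECT.
good_ruleset() { base_ruleset | place_rule INPUT 5 "$HTTP_RULE"; }
# "iptables -A INPUT -p tcp --dport 80 -j ACCEPT": appended after the REJECT.
bad_ruleset()  { base_ruleset | place_rule INPUT 0 "$HTTP_RULE"; }

# Demo: the inserted ruleset passes, the appended one is flagged.
good_ruleset | dead_rules && echo "good ruleset: every rule is reachable"
bad_ruleset  | dead_rules || echo "bad ruleset: the http rule above is unreachable"
```

Run the checker against a live system with `iptables-save | dead_rules` before and after a change; the same first-match rule applies to rules typed in by hand, so an ACCEPT that shows up below the REJECT line in `iptables -L -n --line-numbers` is just as dead.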
Take a look at this,
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This rule uses the state match, which classifies a packet by what the connection tracker already knows about it: NEW, ESTABLISHED, or RELATED.
Once a packet gets permission to pass (the NEW packet of a connection), the connection is tracked, and all further packets of it in both directions are ESTABLISHED.
A connection that is started as a consequence of an existing one, such as an FTP data connection or an ICMP error for an existing flow, is RELATED.
Because this rule is first, return traffic for connections the host initiated and all ongoing connections are accepted without being checked against the port rules below it.
That's all about iptables. You can also configure it with a GUI front-end under X.