
Tuesday, 17 September 2019

Iptables

Iptables is the software firewall included with most Linux distributions by default.
Using iptables you can define rules that allow only selected traffic to reach your server.

The order of the rules is important: rules are processed in order.
If a packet doesn't match a rule, the next rule is examined until one matches.

When you add or delete a rule, the change takes effect immediately.

# Display iptables rules
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  servername.net  anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain LOGGING (0 references)
target     prot opt source               destination


You can display the line number of each rule with --line-numbers:

iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  servername.net  anywhere             tcp dpt:ssh


You can use iptables -S to list the active rules by specification (the same form you pass to -A):

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LOGGING
-A INPUT -s 10.4.x.x/32 -p tcp -m tcp --dport 22 -j DROP


The verbose option (-v) adds packet and byte counters to each rule, which is useful when trying to get an idea of which rules are matching packets:
iptables -L -n -v
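As an added example (not part of the original post), the two shell functions below read the counter output described above and answer the question the text raises: which rules are actually matching packets, and which have never matched. The sample output embedded in the script is constructed for the example; the listing uses -x so that packet counts are exact numbers rather than K/M-abbreviated ones. Rules with zero hits are candidates for review, since a rule that never matches is either dead or not placed where you think it is in the chain.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n -v -x --line-numbers` output (not real captured data).
SAMPLE_COUNTERS='Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        8123     512000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2          42       2520 DROP       tcp  --  *      *       10.4.64.39           0.0.0.0/0            tcp dpt:22
3           0          0 ACCEPT     tcp  --  *      *       10.26.0.0/15         0.0.0.0/0            tcp dpt:19001
4         917      55000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Read a counter listing on stdin and print "num target pkts" for every rule,
# highest packet count first. Header lines ("Chain ...", "num ...") are skipped
# because their first field is not a rule number.
rule_hits() {
  awk '$1 ~ /^[0-9]+$/ { print $1, $4, $2 }' | sort -k3,3nr
}

# Read a counter listing on stdin and print the numbers of rules that have
# matched zero packets since the counters were last reset (iptables -Z).
unused_rules() {
  awk '$1 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

# Demonstration on the constructed sample; on a real host replace the printf with
#   iptables -L INPUT -n -v -x --line-numbers | rule_hits
printf '%s\n' "$SAMPLE_COUNTERS" | rule_hits
printf 'never matched: %s\n' "$(printf '%s\n' "$SAMPLE_COUNTERS" | unused_rules)"
```

Counters are cumulative since the last reset or reboot, so a zero count only means "not matched in this window"; run the check after the service has seen representative traffic before deciding a rule is dead.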

# Make rules persistent across reboots
service iptables save
When you run that, your rules are written to the file /etc/sysconfig/iptables (this is the Red Hat / CentOS iptables service; the file is in the format produced by iptables-save).


# Insert rules
You can use the option -A, which appends the rule to the end of the chain:
iptables -A INPUT -p tcp -s 10.26.0.0/15 --dport 19001 -j ACCEPT


or you can use -I, which inserts the rule at the given rule number. If you omit the number, the rule is inserted
at the top of the chain:
iptables -I INPUT 2 -p tcp -s 10.4.64.39 --dport 1526 -j ACCEPT


# Delete rules

iptables -F deletes all the rules
iptables -F INPUT deletes all of the rules in the INPUT chain
iptables -D INPUT 3 deletes a specific rule, here rule 3 of the INPUT chain (the number shown by --line-numbers)
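The ordering rule at the top of the post, the -A / -I / -D commands, and the persistence file all come together when you stop editing the live chain one rule at a time and instead keep the whole ruleset in a file. The script below is an added example (not from the original post): it writes a complete ordered ruleset in the iptables-save format that /etc/sysconfig/iptables uses, and checks the ordering constraints that matter before the file is loaded with iptables-restore. The management subnet, the ports and the output path are assumptions for the example; the LOGGING chain is the one shown in the listing at the top of the post.

```shell
#!/bin/sh
# Assumed management subnet and output path (not the real /etc/sysconfig/iptables).
ADMIN_NET="${ADMIN_NET:-10.26.0.0/15}"
OUT="${1:-${TMPDIR:-/tmp}/iptables.rules}"

# Write the ruleset for the filter table. Lines starting with '#' are ignored by
# iptables-restore, so the ordering notes can stay in the file.
write_ruleset() {
  cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# First match wins: broad accepts (loopback, replies to our own connections) go first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the management subnet may open SSH and the application port.
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT
-A INPUT -p tcp -s $ADMIN_NET --dport 19001 -j ACCEPT
# Everything else falls through to the LOGGING chain.
-A INPUT -j LOGGING
# Rate-limited log, then drop: the DROP must come after the LOG or nothing is logged.
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# Line number of the first rule in the file containing the given fixed string (empty if none).
rule_line() { grep -n -F -- "$2" "$1" | head -n 1 | cut -d: -f1; }

# Sanity check before loading: the conntrack accept must precede the catch-all
# jump to LOGGING, and inside LOGGING the LOG rule must precede the DROP.
check_order() {
  f="$1"
  est=$(rule_line "$f" "--ctstate ESTABLISHED,RELATED")
  jmp=$(rule_line "$f" "-A INPUT -j LOGGING")
  log=$(rule_line "$f" "-j LOG ")
  drop=$(rule_line "$f" "-A LOGGING -j DROP")
  [ -n "$est" ] && [ -n "$jmp" ] && [ -n "$log" ] && [ -n "$drop" ] \
    && [ "$est" -lt "$jmp" ] && [ "$log" -lt "$drop" ]
}

write_ruleset "$OUT" && check_order "$OUT" \
  && echo "ruleset written to $OUT; load with: iptables-restore < $OUT"
```

Because the INPUT policy in this file is DROP, load it from a console session or with a scheduled rollback (for example a delayed iptables-restore of the previous save) so that a typo in ADMIN_NET cannot lock you out of SSH; once it is loaded, `service iptables save` records it as the persistent ruleset.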

# LOG
Open your /etc/syslog.conf file and append the following line, so that kernel messages of warning level and above go to their own file:
kern.warning    /var/log/iptables.log

iptables -A INPUT -p tcp -s vhali100 --dport 22 -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

-m limit: This uses the limit matching module. With it you can rate-limit the logging using the --limit option.
--limit 2/min: This is the maximum average matching rate for logging. In this example, for similar packets it will limit logging to 2 per minute. You can also specify 2/second, 2/minute, 2/hour, 2/day. This is helpful when you don't want to clutter your log with repeated messages about the same dropped packets.
-j LOG: This indicates that the target for this packet is LOG, i.e. write to the log file.
--log-prefix "IPTables-Dropped: ": You can specify any log prefix; it is prepended to the log messages written to the /var/log/messages file (or to /var/log/iptables.log with the syslog.conf line above).
--log-level 4: These are the standard syslog levels. 4 is warning. You can use a number from 0 through 7: 0 is emergency and 7 is debug.
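Once the LOG rule above is in place, the log file fills with one kernel line per logged packet, each carrying SRC=, DST=, PROTO= and DPT= fields after the "IPTables-Dropped: " prefix. As an added example (not part of the original post), the function below summarises such lines per source address and destination port, which is the first thing to look at when deciding whether the drops are noise or a host that deserves attention. The log lines embedded in the script are constructed for the example and use the TEST-NET range for the external address.

```shell
#!/bin/sh
# Constructed sample of /var/log/iptables.log content (not real captured data). The
# fields follow the kernel's LOG target format; one unrelated kernel line is included
# to show that only lines carrying the configured prefix are counted.
SAMPLE_LOG='Sep 17 10:15:32 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.4.64.39 DST=10.4.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 17 10:15:33 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.4.64.39 DST=10.4.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 17 10:15:40 host kernel: eth0: link is up at 1000 Mbps
Sep 17 10:16:01 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=10.4.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 10:16:05 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.4.64.39 DST=10.4.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 17 10:16:09 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=10.4.64.39 DST=10.4.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read log lines on stdin and print "count SRC DPT", most frequent first.
# Only lines carrying the prefix configured in the LOG rule are considered; the
# SRC= and DPT= fields are located by name rather than by position, because the
# field layout varies with protocol (UDP and ICMP lines carry different fields).
dropped_by_source() {
  awk -v prefix="${1:-IPTables-Dropped: }" '
    index($0, prefix) {
      src = ""; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample; on a real host run
#   dropped_by_source < /var/log/iptables.log
printf '%s\n' "$SAMPLE_LOG" | dropped_by_source
```

Keep the -m limit rule in mind when reading these counts: with --limit 2/min the log records at most two packets per minute per LOG rule, so the numbers are a lower bound on what was actually dropped. For exact drop counts, use the packet counters from iptables -L -n -v -x on the DROP rule itself.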
