Hi Guys,
Trying to learn iptables so have been reading and creating my own config.
I completed a basic config that drops all traffic but allows SSH. I noticed afterwards that ICMP was being dropped, so I added a rule. My issue is that it added the line after the drop command, so it still drops ICMP. How do I add a new rule above the drop rule without editing the iptables.rules config?
*Edit*
I just read http://www.thegeekstuff.com/2011/02/iptables-add-rule/ which says -A is add and mentions it will add it to the rules at the end. Other than removing the drop, adding my new rule, then adding the drop back in, is there a better way? I would imagine removing the drop command is a security hole whilst the new rule is added?
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
243 15782 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
1 52 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
26 3424 LOG all -- any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
122 14696 DROP all -- any any anywhere anywhere
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 18 packets, 1956 bytes)
pkts bytes target prot opt in out source destination
Also, can anyone tell me what the 40:5840 is? On a blank config it starts as 0:0.
:OUTPUT ACCEPT [40:5840]
Thanks.
Last edited by Swarfega (2011-09-20 17:48:42)
If you put your rules into a script and use that (clearing all rules, setting up default rules, adding your rules) then I guess it's not much of a problem since the script will take very little time to run.
As for the numbers, I believe they are the counters for packets and bytes accepted by that rule in that chain, in your case, the OUTPUT chain accepted 40 packets totaling 5840 bytes.
R00KIE
As for the numbers, I believe they are the counters for packets and bytes accepted by that rule in that chain, in your case, the OUTPUT chain accepted 40 packets totaling 5840 bytes.
Yes.
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
So you want to -I or --insert at position 4
Last edited by fukawi2 (2011-09-20 12:27:40)
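The rule-number arithmetic above, as an added Python example that is not from the thread: it parses an `iptables -L INPUT -v` listing like the one posted, reports which rules sit below the catch-all DROP (and so never match), and builds the `-I` command with the rule number to use. The sample listing is constructed from the post and the function names are my own.

```python
# Added example (not from the thread): parse an `iptables -L INPUT -v` listing and
# compute the rule number for `iptables -I INPUT <n>` that puts a new ACCEPT above
# the catch-all DROP and the LOG rule fronting it (so accepted pings are not logged as denied).
# Constructed sample: the INPUT chain from the post (rule numbers are 1..n in listing order).
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all  -- lo  any anywhere anywhere
  243 15782 ACCEPT all  -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
    1    52 ACCEPT tcp  -- any any anywhere anywhere tcp dpt:ssh
   26  3424 LOG    all  -- any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
  122 14696 DROP   all  -- any any anywhere anywhere
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
"""
TERMINATING = {"DROP", "REJECT"}

def parse_chain(listing):
    """Return [(rulenum, target, proto), ...], skipping the two header rows."""
    rules = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit():
            rules.append((len(rules) + 1, fields[2], fields[3]))
    return rules

def first_drop(rules):
    """Index of the first catch-all DROP/REJECT, or None."""
    for i, (_, target, proto) in enumerate(rules):
        if target in TERMINATING and proto == "all":
            return i
    return None

def insert_position(rules):
    """Rule number for -I: just above the DROP, stepping back over a catch-all LOG."""
    i = first_drop(rules)
    if i is None:
        return None
    while i > 0 and rules[i - 1][1:] == ("LOG", "all"):
        i -= 1
    return rules[i][0]

def shadowed_rules(rules):
    """Rules after the catch-all DROP never see a packet (the -A'd ICMP rule here)."""
    i = first_drop(rules)
    return [] if i is None else rules[i + 1:]

def insert_command(listing, rule_spec):
    """Command to run; appending is fine only while the chain has no DROP yet."""
    pos = insert_position(parse_chain(listing))
    return f"iptables -A INPUT {rule_spec}" if pos is None else f"iptables -I INPUT {pos} {rule_spec}"
```

After the insert, the appended ICMP copy is still at the bottom of the chain and still shadowed; delete it by its new rule number with `iptables -D INPUT <n>`.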
Thanks guys. Appreciate the help.