#1 2011-09-20 07:45:24

Swarfega
Member
Registered: 2011-08-19
Posts: 104

[solved]iptables Basic Configuration

Hi Guys,

Trying to learn iptables, so I have been reading and creating my own config.
I completed a basic config that drops all traffic but allows SSH. I noticed afterwards that ICMP was being dropped, so I added a rule. My issue is it's added the line after the drop command, so it still drops ICMP. How do I add a new rule above the drop rule without editing the iptables.rules config?

*Edit*

I just read http://www.thegeekstuff.com/2011/02/iptables-add-rule/ which says -A is add and mentions it will add it to the rules at the end. Other than removing the drop, adding my new rule, then adding the drop back in, is there a better way? I would imagine removing the drop command is a security hole whilst the new rule is added?

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
  243 15782 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    1    52 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
   26  3424 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
  122 14696 DROP       all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18 packets, 1956 bytes)
 pkts bytes target     prot opt in     out     source               destination

Also, can anyone tell me what the 40:5840 is? On a blank config it starts as 0:0.

:OUTPUT ACCEPT [40:5840]

Thanks.

Last edited by Swarfega (2011-09-20 17:48:42)


#2 2011-09-20 12:05:31

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [solved]iptables Basic Configuration

If you put your rules into a script and use that (clearing all rules, setting up default rules, adding your rules) then I guess it's not much of a problem since the script will take very little time to run.

As for the numbers, I believe they are the counters for packets and bytes accepted by that rule in that chain; in your case, the OUTPUT chain accepted 40 packets totalling 5840 bytes.


#3 2011-09-20 12:26:37

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: [solved]iptables Basic Configuration

R00KIE wrote:

As for the numbers, I believe they are the counters for packets and bytes accepted by that rule in that chain; in your case, the OUTPUT chain accepted 40 packets totalling 5840 bytes.

Yes.

man iptables wrote:

-I, --insert chain [rulenum] rule-specification
    Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

So you want to -I or --insert at position 4.

Last edited by fukawi2 (2011-09-20 12:27:40)


#4 2011-09-20 17:48:15

Swarfega
Member
Registered: 2011-08-19
Posts: 104

Re: [solved]iptables Basic Configuration

Thanks guys. Appreciate the help.
