Viewing Status

Is it running?

    # service iptables status
    Firewall is stopped.

What is allowed:

    $ sudo /sbin/iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain RH-Firewall-1-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:amqp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
    ACCEPT     tcp  --  1.1.1.1              anywhere            state NEW tcp dpt:epmd
    ACCEPT     udp  --  1.1.1.1              anywhere            state NEW udp dpt:epmd
    ACCEPT     udp  --  1.1.1.1              anywhere            state NEW udp dpts:newoak:pxc-roid
    ACCEPT     tcp  --  1.1.1.1              anywhere            state NEW tcp dpts:newoak:pxc-roid
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:55672
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    $

Edit the rules:

Shut down iptables before making a change:

    systemctl stop iptables

Modify the iptables ACL list:

    vim /etc/sysconfig/iptables

Add a rule allowing the traffic you need. In this example, the rule with the "Allow in-bound SSH" comment (shown in red on the original page) allows SSH inbound from a specific class C network.

    # Generated by iptables-save v1.4.21 on Tue Dec 26 14:52:29 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2098:33328884]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 10.33.32.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow in-bound SSH from a friendly network" -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Dec 26 14:52:29 2017

Save the changes and re-enable iptables:

    [root@box1 ~]# service iptables save
    iptables: Nothing to save.                                 [WARNING]
    [root@box1 ~]# vim /etc/sysconfig/iptables
    [root@box1 ~]# systemctl start iptables
    [root@box1 ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     tcp  --  10.33.32.0/24        0.0.0.0/0            state NEW tcp dpt:22 /* Allow in-bound SSH from the Juniper VPN subnet */
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    [root@box1 ~]# systemctl enable iptables
    [root@box1 ~]#

Log dropped packets

Remove the REJECT lines at the end of the current table and create a new chain called LOGGING at the end of your iptables list. Send everything that falls through the INPUT chain to the new chain, log it there, then drop it:

    -N LOGGING
    -A INPUT -j LOGGING
    -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 --log-ip-options
    -A LOGGING -j DROP
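As an added example that is not part of the original page, the POSIX shell function below summarises the kernel log lines written by the LOGGING chain above, grouped by source address, protocol and destination port, so a quick look at /var/log/messages shows which sources and ports are being dropped most. The log lines in SAMPLE_LOG are constructed in the field layout the LOG target emits; the host name, interface, MAC and addresses in them are made up.

```shell
#!/bin/sh
# Summarise "IPTables-Dropped: " log lines by source, protocol and destination port.
# Because the LOGGING chain uses "-m limit --limit 2/min", the counts are a lower
# bound on what was actually dropped; the DROP rule itself is not rate limited.

summarize_dropped() {
    # Reads log lines on stdin; prints "count SRC PROTO DPT", most frequent first.
    # Fields are KEY=VALUE tokens, so each token is split on "="; tokens without
    # "=" (timestamp, "kernel:", "DF", "SYN", OPT (...) from --log-ip-options) are ignored.
    awk '
        /IPTables-Dropped: / {
            src = ""; proto = ""; dpt = "-"          # ICMP lines carry no DPT
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")        src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample: three TCP/23 probes and one ICMP echo from one source,
# one UDP/161 probe from another (documentation addresses, made-up host/MAC).
SAMPLE_LOG="$(cat <<'EOF'
Dec 26 15:01:02 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.33.32.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 26 15:01:03 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.33.32.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 26 15:01:05 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.33.32.10 LEN=78 TOS=0x00 PREC=0x00 TTL=58 ID=4711 PROTO=UDP SPT=51000 DPT=161 LEN=58
Dec 26 15:01:09 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.33.32.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Dec 26 15:01:11 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=10.33.32.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
)"

# Run against the sample; on a live box replace the sample with, for example,
# grep 'IPTables-Dropped: ' /var/log/messages | summarize_dropped
printf '%s\n' "$SAMPLE_LOG" | summarize_dropped
```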
Note on the Log command: