

Viewing Status

Is it running?
# service iptables status
Firewall is stopped.

What is allowed (add -n to print port numbers instead of service names, and -v to see interfaces and packet counters): 
$ sudo /sbin/iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:amqp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --              anywhere            state NEW tcp dpt:epmd
ACCEPT     udp  --              anywhere            state NEW udp dpt:epmd
ACCEPT     udp  --              anywhere            state NEW udp dpts:newoak:pxc-roid
ACCEPT     tcp  --              anywhere            state NEW tcp dpts:newoak:pxc-roid
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:55672
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Edit the rules: 

Shut down iptables before making a change. Stopping the service flushes the running rules and leaves the chain policies (ACCEPT) in force, so the host is wide open until you start it again; keep that window short: 
systemctl stop iptables

Modify the iptables rules file (the saved ruleset the service loads at start): 
vim /etc/sysconfig/iptables

Add a rule for the traffic you want to allow. In this example the -A INPUT line with the comment allows SSH inbound from one specific class C network (-s takes the network in CIDR form, e.g. a /24). Rules are matched top to bottom, so the ACCEPT has to sit above the final REJECT: 
# Generated by iptables-save v1.4.21 on Tue Dec 26 14:52:29 2017
:OUTPUT ACCEPT [2098:33328884]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

-A INPUT -s -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow in-bound SSH from a friendly network" -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Completed on Tue Dec 26 14:52:29 2017

Save the changes and re-enable iptables. Note what `service iptables save` actually does: it writes the *running* ruleset to /etc/sysconfig/iptables. With the service stopped there are no running rules, hence the warning; had the old rules still been loaded it would have overwritten the edited file. So edit the file, then start the service to load it, and check the listing before enabling it at boot:
[root@box1 ~]# service iptables save
iptables: Nothing to save.                                 [WARNING]
[root@box1 ~]# vim /etc/sysconfig/iptables
[root@box1 ~]# systemctl start iptables
[root@box1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --              state RELATED,ESTABLISHED
ACCEPT     icmp --  
ACCEPT     all  --  
ACCEPT     tcp  --            state NEW tcp dpt:22 /* Allow in-bound SSH from the Juniper VPN subnet */
REJECT     all  --              reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --              reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@box1 ~]# systemctl enable iptables
[root@box1 ~]# 

Log dropped packets

Remove the REJECT lines at the end of the current table and create a new chain called LOGGING (in /etc/sysconfig/iptables a user chain is declared with a line such as `:LOGGING - [0:0]` next to the built-in chain lines), then make the last rule of INPUT (and of FORWARD, if you had a REJECT there) a jump to it. In the new chain, log and then drop everything that arrives: 

Log everything that reaches the chain, then drop it (LOG does not terminate rule traversal, so the DROP must be a separate rule right after it): 
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4 --log-ip-options
-A LOGGING -j DROP

  • -m limit: This uses the limit match module; its --limit option throttles how often the LOG rule fires.
  • --limit 2/min: This is the maximum average rate at which packets still match the rule, here two per minute (you can also write 2/second, 2/hour or 2/day). An initial burst of 5 packets is allowed before the rate applies (change it with --limit-burst). This keeps one noisy scanner from flooding your logs with identical messages; it also means that packets above the rate fall through to the DROP unlogged, so the log is a sample, not a complete record.
  • -j LOG: This makes LOG the target for the packet, i.e. write a line to the kernel log. LOG does not stop rule traversal, which is why the DROP has to be a separate rule after it.
  • --log-prefix "IPTables-Dropped: ": Any prefix of up to 29 characters, prepended to each log message so you can grep for it; on RHEL the kernel messages end up in /var/log/messages via rsyslog.
  • --log-level 4: The standard syslog level; 4 is warning. You can use numbers from 0 through 7, where 0 is emergency and 7 is debug.
  • --log-ip-options: Also log any options carried in the IP header (record route, timestamps and so on). It only adds detail to the line; the IN=/OUT= interfaces and the MAC= field are logged regardless.
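Putting the edit procedure and the logging chain together: the script below is an added example, not from the original page. It writes a complete /etc/sysconfig/iptables in iptables-save format with the rules from the edit section above and a LOGGING chain in place of the final REJECT, checks the LOG-before-DROP ordering without needing root, and (only when run as `install`, by root) validates the file with `iptables-restore --test` before moving it into place and loading it. The friendly subnet 192.0.2.0/24, the script name and the file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build, check and install
# an /etc/sysconfig/iptables that implements the policy described above.
set -u

FRIENDLY_NET="${FRIENDLY_NET:-192.0.2.0/24}"   # assumed example subnet (RFC 5737 TEST-NET-1)
LOG_PREFIX="${LOG_PREFIX:-IPTables-Dropped: }" # max 29 characters

# Print the ruleset on stdout in iptables-save format. Order matters:
# LOG is non-terminating, so it must precede DROP inside LOGGING, and the
# SSH ACCEPT must sit above the jump to LOGGING.
gen_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${FRIENDLY_NET} -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "Allow in-bound SSH from a friendly network" -j ACCEPT
-A INPUT -j LOGGING
-A FORWARD -j LOGGING
-A LOGGING -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "${LOG_PREFIX}" --log-level 4 --log-ip-options
-A LOGGING -j DROP
COMMIT
EOF
}

# Sanity checks that need no root: the LOGGING chain must be declared,
# and its LOG rule must come before its DROP rule. Returns 0 when sane.
check_rules() {
    rules_text="$1"
    log_line=$(printf '%s\n' "$rules_text" | grep -n -- '-A LOGGING .* -j LOG ' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules_text" | grep -n -- '-A LOGGING -j DROP' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ] || return 1
    printf '%s\n' "$rules_text" | grep -q '^:LOGGING - ' || return 1
    return 0
}

# Validate against the live kernel (needs root) and install atomically.
install_rules() {
    tmp=$(mktemp /etc/sysconfig/iptables.XXXXXX) || return 1
    gen_rules > "$tmp"
    if ! check_rules "$(cat "$tmp")"; then rm -f "$tmp"; return 1; fi
    # --test parses and builds the ruleset without committing it to the kernel
    if ! iptables-restore --test < "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod 600 "$tmp"
    mv -f "$tmp" /etc/sysconfig/iptables
    # same thing 'systemctl restart iptables' does with iptables-services
    iptables-restore < /etc/sysconfig/iptables
}

if [ "${1:-}" = "install" ]; then
    install_rules
else
    gen_rules   # default: print the file for review
fi
```

Run it without arguments to review the generated file; on a RHEL 7 box with iptables-services, `sh mkrules.sh install` followed by `systemctl enable iptables` gives the same end state as the manual steps above. Keep an SSH session open from the friendly subnet while loading a new ruleset so a mistake does not lock you out.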

Note on the Log command: 

       Turn on kernel logging of matching packets. When this option is
       set for a rule, the Linux kernel will print some information on
       all matching packets (like most IP header fields) via the kernel
       log (where it can be read with dmesg or syslogd(8)). This is a
       "non-terminating target", i.e. rule traversal continues at the
       next rule. So if you want to LOG the packets you refuse, use two
       separate rules with the same matching criteria, first using
       target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 29 
              letters long, and useful for distinguishing messages in 
              the logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the
              log is readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.

       --log-uid
              Log the userid of the process which generated the packet.
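Once the prefix is in place the log lines are easy to pick out. As an added example (not from the page or the iptables project), the script below summarizes dropped packets by source address, protocol and destination port from constructed sample /var/log/messages lines, which answers "which host is hammering which port" in one command. The sample lines, the hostname and the addresses (RFC 5737 documentation ranges) are made up.

```shell
#!/bin/sh
# Added example, not from the original page: summarize iptables LOG
# lines by source address, protocol and destination port.
LOG_PREFIX="IPTables-Dropped: "   # must match --log-prefix in the LOG rule

# Constructed sample of /var/log/messages. The addresses are RFC 5737
# documentation ranges, not real hosts; the last line carries no prefix
# and must be ignored.
SAMPLE_LOG='Dec 26 15:01:02 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=54 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 26 15:01:03 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=54 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 26 15:01:05 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=54 ID=12347 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 26 15:01:09 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TTL=54 ID=12348 DF PROTO=UDP SPT=40001 DPT=161 LEN=58
Dec 26 15:02:11 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=61 ID=44 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Dec 26 15:02:12 box1 kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=61 ID=45 DF PROTO=TCP SPT=60000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 26 15:02:30 box1 kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex'

# Read log lines on stdin, keep only those with our prefix, and count
# by "SRC PROTO DPT". Packets without a port (ICMP) get "-" for DPT.
# Output: "<count> <src> <proto> <dpt>", busiest first.
summarize_drops() {
    grep -F "$LOG_PREFIX" | awk '
    {
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        { src   = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/)   { dpt   = substr($i, 5) }
        }
        if (src != "") { count[src " " proto " " dpt]++ }
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Busiest source/port pair in the sample, e.g. "3 198.51.100.7 TCP 23".
top_drop() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops | head -n 1
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Against a live box, replace the sample with `summarize_drops < /var/log/messages` (or `journalctl -k | summarize_drops`). Remember that the 2/min limit on the LOG rule means these counts are a sample of what was dropped, not a total.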