Five predefined tables (operations) and chains.
Tables include:
chain: a list of rules that act on a packet flowing through the system.
Chains include:
We'll cover the filter table and the nat table. As applied:
# iptables -L -v | less
# iptables -L | grep policy
Let's change the default policy for the FORWARD chain:
# iptables --policy FORWARD DROP
# iptables -L | grep policy
$ host www.facebook.com
$ whois 157.240.2.35 | grep CIDR
$ sudo su
# iptables -A OUTPUT -p tcp -d 157.240.0.0/16 -j DROP
# iptables -A INPUT -p tcp -s 157.240.0.0/16 -j DROP
# w3m facebook.com
# ping facebook.com
# comment: first, set policy to drop all incoming
$ sudo iptables --policy INPUT DROP
# comment: second, set policy to drop all forwarding
$ sudo iptables --policy FORWARD DROP
# comment: third, set policy to drop all outgoing
$ sudo iptables --policy OUTPUT DROP
# comment: review new policies for the above chains
$ sudo iptables -L | grep policy
# comment: now accept only input, forwarding, and output from the following
# network ranges:
$ sudo iptables -A INPUT -s 10.163.34.0/24 -j ACCEPT
$ sudo iptables -A FORWARD -s 10.163.34.0/24 -j ACCEPT
$ sudo iptables -A OUTPUT -s 10.163.34.0/24 -j ACCEPT
Save changes permanently, otherwise on restart, iptables reverts to default settings:
$ sudo su
# /sbin/service iptables save
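The default-deny procedure above, collected into a script, as an added example that is not part of the original notes. The allowed range 10.163.34.0/24 is the one from the notes; the loopback ACCEPT rules and the DRY_RUN switch are my additions (DRY_RUN=1, the default, prints the iptables commands instead of running them, so the script can be read on a machine without root). The ACCEPT rules are added before the policies are flipped, because flipping INPUT to DROP first would cut off the SSH session issuing the commands. check_policies reads `iptables -L` output and fails if any built-in chain is not at DROP, which is the "review new policies" step done as a check rather than by eye; the sample output it is run on at the end is constructed.

```shell
#!/bin/sh
# Added example: default-deny iptables setup with an allow-list, plus a check
# that parses `iptables -L` output. Not code from the original notes.

DRY_RUN="${DRY_RUN:-1}"          # assumed: 1 = print commands, 0 = run them
ALLOWED_NET="10.163.34.0/24"     # the LAN range used in the notes

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_default_deny() {
    # ACCEPT rules first: once INPUT is at DROP with no ACCEPT rule,
    # the session running this script is gone.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        ipt -A "$chain" -s "$ALLOWED_NET" -j ACCEPT
    done
    # Now the defaults: anything not matched above is dropped.
    ipt --policy INPUT DROP
    ipt --policy FORWARD DROP
    ipt --policy OUTPUT DROP
}

# Read `iptables -L` (or `iptables -L -v`) output on stdin and return 1 if
# INPUT, FORWARD or OUTPUT is at a policy other than DROP.
check_policies() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "Chain INPUT (policy "*|"Chain FORWARD (policy "*|"Chain OUTPUT (policy "*)
                chain=$(printf '%s\n' "$line" | awk '{print $2}')
                policy=$(printf '%s\n' "$line" | sed 's/.*(policy \([A-Z]*\).*/\1/')
                if [ "$policy" != DROP ]; then
                    echo "$chain policy is $policy, expected DROP" >&2
                    bad=1
                fi
                ;;
        esac
    done
    return $bad
}

# Constructed sample of `iptables -L` output where the FORWARD step was
# skipped, to show the check catching it.
SAMPLE_IPTABLES_L='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.163.34.0/24       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination'

apply_default_deny
if printf '%s\n' "$SAMPLE_IPTABLES_L" | check_policies; then
    echo "all built-in chains at DROP"
else
    echo "at least one chain is not at DROP"
fi
```

With DRY_RUN=0 and root, `iptables -L | check_policies` is the check to run after the save step; a non-zero exit means a chain was missed.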
There are lots of examples on the web. Examples from:
Forward all traffic to port 25 to port 2525:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525
Disable outgoing email (multiple ports need the multiport match):
# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
firewalld is a slightly more user-friendly interface to netfilter in Red Hat-based distros.
Zones are an important concept in firewalld. Some predefined zones:
Check if running:
# firewall-cmd --state
Get active zones and interfaces attached to them:
# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
FedoraServer interfaces: enp0s3
# firewall-cmd --zone=FedoraServer --add-port=22/tcp
# firewall-cmd --zone=FedoraServer --list-ports
# firewall-cmd --zone=FedoraServer --remove-service=ssh --permanent
# firewall-cmd --zone=FedoraServer --add-service=smtp --permanent
Go into panic mode (drop all incoming/outgoing packets):
# firewall-cmd --panic-on
# firewall-cmd --panic-off
To change default zone:
# firewall-cmd --permanent --set-default-zone=public
$ host www.facebook.com
$ whois 157.240.2.35 | grep CIDR
$ sudo su
# ufw reject out to 157.240.0.0/16
# ufw reject in from 157.240.0.0/16