- Forums
- Networking
- How To Create Firewall Rules In Linux Commands
creating firewall rules is complex, but you can start with the iptables command. you can probably begin with the -l option [3507], Last Updated: Mon Jun 24, 2024
Hostman
Sun Feb 28, 2010
0 Comments
846 Visits
creating firewall rules is complex, but you can start with the iptables command. you can probably begin with the -L option. for example, you can use this command to list the current configurations in your linux server
iptables -L -t filter
you might get an output that looks like this:
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- base-address.mcast.net/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain PAROLE (10 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:ndmp
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
you can use the -P option to set the default CHAIN POLICY
SHELL COMMAND:
iptables -t filer -F FORWARD
SHELL COMMAND:
iptables -t filer -P FORWARD DROP
NOTE: the -p (--protocol) option lets you specify the low-level protocols used
-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is
equivalent to deleting all the rules one by one.
-Z, --zero [chain]
Zero the packet and byte counters in all chains. It is legal to specify the -L,
--list (list) option as well, to see the counters immediately before they are
cleared. (See above.)
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that
name already.
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the
chain. If there are, you must delete or replace the referring rules before the chain
can be deleted. The chain must be empty, i.e. not contain any rules. If no argument
is given, it will attempt to delete every non-builtin chain in the table.
-P, --policy chain target
Set the policy for the chain to the given target. See the section TARGETS for the
legal targets. Only built-in (non-user-defined) chains can have policies, and nei-
ther built-in nor user-defined chains can be policy targets.
-E, --rename-chain old-chain new-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has
no effect on the structure of the table.
-h Help. Give a (currently very brief) description of the command syntax.
for example, you can combine multiple items to filter based on several criteria. for example, in ta default/deny configuration you can open traffic to TCP port 445 from the 192.168.1.0/24 network with a single command:
SHELL COMMAND:
iptables -A INPUT -p tcp --dport 445 -s 192.168.1.0/24 -j ACCEPT