HOWTOlabs  
iptables
Configuration tips

Basic Configuration

In the saved rule file, a line beginning with * names the table; 'filter' is typically the base table. A line beginning with : names a chain belonging to that table, followed by the chain's default policy (e.g. ACCEPT) and its [in:out] packet counters. Each -A line appends a rule to the named chain, and COMMIT ends the table.

# iptables -L

  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination         

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination         

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination         


# cd /etc/sysconfig

# cat iptables

  # Firewall configuration written by system-config-securitylevel
  # Manual customization of this file is not recommended.
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :RH-Firewall-1-INPUT - [0:0]
  -A INPUT -j RH-Firewall-1-INPUT
  -A FORWARD -j RH-Firewall-1-INPUT
  -A RH-Firewall-1-INPUT -i lo -j ACCEPT
  -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
  -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
  -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
  -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
  -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
  COMMIT

# iptables --list -n -v

  Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
     80  5292 RH-Firewall-1-INPUT  all  -- * *   0.0.0.0/0            0.0.0.0/0

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 RH-Firewall-1-INPUT  all  --  * *  0.0.0.0/0            0.0.0.0/0           

  Chain OUTPUT (policy ACCEPT 58 packets, 10634 bytes)
   pkts bytes target     prot opt in     out     source               destination         

  Chain RH-Firewall-1-INPUT (2 references)
   pkts bytes target     prot opt in     out     source               destination         
      0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
      0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
      0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0           
      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353 
      0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631 
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
     80  5292 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
      0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
      0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

# iptables --list -n

  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination         
  RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination         
  RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination         

  Chain RH-Firewall-1-INPUT (2 references)
  target     prot opt source               destination         
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
  ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
  ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
  ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
  ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
  ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
  REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Adding a rule to allow incoming HTTP (port 80) traffic

# rcsdiff iptables

  diff -r1.1 iptables
  18a19
  > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

# service iptables restart

  Flushing firewall rules:
  Setting chains to policy ACCEPT: filter
  Unloading iptables modules:
  Applying iptables firewall rules:
  Loading additional iptables modules: ip_conntrack_netbios_n

# service iptables status

  Table: filter
  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination         
  1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination         
  1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

  Chain OUTPUT (policy ACCEPT)
  num  target     prot opt source               destination         

  Chain RH-Firewall-1-INPUT (2 references)
  num  target     prot opt source               destination         
  1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
  2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
  3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
  4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
  5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
  6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
  7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
  8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
  10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
  11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
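The file format described under Basic Configuration, and the placement of the port 80 rule in the rcsdiff above (inserted at line 19, ahead of the final REJECT), can both be checked mechanically. The following is an added example, not code from this page or from the iptables project: it parses iptables-save text into tables, chain policies and rule argument vectors, then walks one chain in first-match order to report which TCP ports are accepted and which rules are unreachable because they sit behind a catch-all REJECT or DROP. SAVE_OK and SAVE_BAD are constructed inputs modelled on the file above.

```python
# Added example (not the page's code): parse iptables-save text as shown above; SAVE_OK/SAVE_BAD are constructed.
HTTP = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT\n"
REJECT = "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n"
BASE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
"""
SAVE_OK = BASE + HTTP + REJECT + "COMMIT\n"   # HTTP rule inserted before the catch-all, as in the rcsdiff
SAVE_BAD = BASE + REJECT + HTTP + "COMMIT\n"  # HTTP rule appended after it (what a plain -A would do)

def parse_save(text):
    """Return {table: {'policy': {chain: policy}, 'rules': {chain: [argv, ...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):                      # *filter starts a table
            table = tables.setdefault(line[1:], {'policy': {}, 'rules': {}})
        elif line.startswith(':'):                    # :CHAIN POLICY [in:out]; '-' = user-defined chain
            chain, policy, _counters = line[1:].split()
            table['policy'][chain] = policy
            table['rules'].setdefault(chain, [])
        elif line.startswith('-A '):                  # -A CHAIN <matches> -j TARGET
            argv = line.split()
            table['rules'].setdefault(argv[1], []).append(argv[2:])
        elif line == 'COMMIT':
            table = None
    return tables

def _opt(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit_chain(text, chain, table='filter'):
    """Walk a chain in first-match order: accepted TCP ports, plus rules shadowed by a catch-all REJECT/DROP."""
    ports, shadowed, dead = [], [], False
    for argv in parse_save(text)[table]['rules'][chain]:
        if dead:                                      # nothing after a catch-all is ever reached
            shadowed.append(' '.join(argv))
            continue
        if _opt(argv, '-j') == 'ACCEPT' and _opt(argv, '-p') == 'tcp' and '--dport' in argv:
            ports.append(int(_opt(argv, '--dport')))
        matches = [a for a in argv if a.startswith('-') and a not in ('-j', '--reject-with')]
        dead = _opt(argv, '-j') in ('REJECT', 'DROP') and not matches
    return {'tcp_ports': ports, 'shadowed': shadowed}
```

Running audit_chain on SAVE_BAD reports the port 80 rule as shadowed, which is exactly the failure you get if the new rule is appended with `iptables -A` instead of being inserted ahead of the REJECT as the rcsdiff shows.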

Setting up a firewall with multiple external interfaces (*)

Challenge: AT&T's Uverse routers prevent IP-based routing.

Solution: Use a virtual machine with multiple network interfaces, each with a different MAC address, as the firewall.

zap technologies