Iptables: Difference between revisions
No edit summary |
|||
| (60 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
=Internal= | =Internal= | ||
* [[Linux | * [[Linux Security]] | ||
=Overview= | =Overview= | ||
<tt>iptables</tt> is a Linux ''command line tool'' used to query and manipulate the network packet filtering rules maintained by the Linux kernel. Network packet filtering in the kernel is implemented by the [[iptables Concepts#netfilter|netfilter framework]]. The term "iptables" is also used to refer to the iptables ''service'', which is a [[systemd]] service that uses the iptables tool to configure the packet filtering rules at boot. netfilter and iptables are used to implement network firewalls and NAT. The relationships between these concepts is explained in [[iptables Concepts#netfilter.2C_iptables_tool.2C_iptables_service_and_firewalld|iptables Concepts: netfilter, iptables tool, iptables service and firewalld]]. [[iptables Concepts#Overview|More details available here ...]] | |||
=Installation= | |||
==With yum== | |||
yum install iptables-services | |||
==With apt== | |||
apt-get update | |||
apt-get install -y iptables | |||
=Concepts= | =Concepts= | ||
| Line 22: | Line 35: | ||
</blockquote> | </blockquote> | ||
=Getting Information about iptables= | =iptables tool= | ||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[iptables Command Line Tool]] | |||
</blockquote> | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[iptables Command Line Tool Examples]] | |||
</blockquote> | |||
=iptables Service= | |||
==Getting Information about iptables Service== | |||
<pre> | |||
systemctl status iptables | |||
</pre> | |||
The following command tells whether the ip_tables modules are loaded: | |||
<pre> | |||
lsmod | grep tables | |||
ip_tables 9567 1 iptable_filter | |||
ip6_tables 10867 1 ip6table_filter | |||
</pre> | |||
==iptables Service Installation== | |||
iptables service and firewalld are incompatible. If iptables service is used, firewalld must be disabled: [[firewalld#Disable]]. | |||
<pre> | |||
yum -y install iptables iptables-services | |||
</pre> | |||
This will install both IPv4 and IPv6 support. | |||
==Lifecycle== | |||
The iptables service starts by reading the individual iptables tool commands from its configuration rule file <code>/etc/sysconfig/iptables</code> and applying those rules to [[iptables Concepts#Table|tables]] and the [[iptables Concepts#Chain|chains]] specified in the file. The rule commands are applied in order, then the commit command is issued for each table. | |||
==iptables Service Configuration== | |||
The service is configured in <code>/usr/libexec/iptables/iptables.init</code> and <code>/usr/libexec/iptables/ip6tables.init</code> (or <code>/etc/init.d/iptables</code>). | |||
This is where the file the service reads its rules from is configured: | |||
<pre> | |||
IPTABLES=iptables | |||
IPTABLES_DATA=/etc/sysconfig/$IPTABLES | |||
</pre> | |||
The rule file is read every time the service is started. These are some examples of base configuration: | |||
* [[iptables Command Line Tool Examples#Base_Configuration|IPv4 Base Configuration]] | |||
* [[iptables Command Line Tool Examples#Base_IPv6_Configuration|IPv6 Base Configuration]] | |||
Then [[#Enable_to_Start_at_Boot|enable the service to start at boot]]. | |||
Further rules will be added on a case by case basis. | |||
===Configuration Examples=== | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[iptables Command Line Tool Examples]] | |||
</blockquote> | |||
==iptables Service Operations== | |||
===Enable to Start at Boot=== | |||
After rule configuration, enable the iptables service to start at boot: | |||
<pre> | |||
systemctl enable iptables | |||
systemctl enable ip6tables | |||
</pre> | |||
===Reload the Rules=== | |||
This command restarts the service and reloads the rules from the configuration file, discarding the current memory rules: | |||
<pre> | |||
systemctl restart iptables | |||
</pre> | |||
=iptables-save/iptables-restore= | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[iptables-save/iptables-restore]] | |||
</blockquote> | |||
=iptables Troubleshooting= | |||
{{Internal|iptables Troubleshooting|iptables Troubleshooting}} | |||
Latest revision as of 23:33, 5 August 2023
External
- http://www.netfilter.org/
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables
- http://wiki.centos.org/HowTos/Network/IPTables
- http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-iptables.html
- https://help.ubuntu.com/community/IptablesHowTo
- http://www.thegeekstuff.com/2011/01/iptables-fundamentals/
- http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
- http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/
- http://www.cyberciti.biz/tips/linux-iptables-examples.html
Internal
Overview
iptables is a Linux command line tool used to query and manipulate the network packet filtering rules maintained by the Linux kernel. Network packet filtering in the kernel is implemented by the netfilter framework. The term "iptables" is also used to refer to the iptables service, which is a systemd service that uses the iptables tool to configure the packet filtering rules at boot. netfilter and iptables are used to implement network firewalls and NAT. The relationships between these concepts is explained in iptables Concepts: netfilter, iptables tool, iptables service and firewalld. More details available here ...
Installation
With yum
yum install iptables-services
With apt
apt-get update apt-get install -y iptables
Concepts
iptables tool
iptables Service
Getting Information about iptables Service
systemctl status iptables
The following command tells whether the ip_tables modules are loaded:
lsmod | grep tables ip_tables 9567 1 iptable_filter ip6_tables 10867 1 ip6table_filter
iptables Service Installation
iptables service and firewalld are incompatible. If iptables service is used, firewalld must be disabled: firewalld#Disable.
yum -y install iptables iptables-services
This will install both IPv4 and IPv6 support.
Lifecycle
The iptables service starts by reading the individual iptables tool commands from its configuration rule file /etc/sysconfig/iptables and applying those rules to tables and the chains specified in the file. The rule commands are applied in order, then the commit command is issued for each table.
iptables Service Configuration
The service is configured in /usr/libexec/iptables/iptables.init and /usr/libexec/iptables/ip6tables.init (or /etc/init.d/iptables).
This is where the file the service reads its rules from is configured:
IPTABLES=iptables IPTABLES_DATA=/etc/sysconfig/$IPTABLES
The rule file is read every time the service is started. These are some examples of base configuration:
Then enable the service to start at boot.
Further rules will be added on a case by case basis.
Configuration Examples
iptables Service Operations
Enable to Start at Boot
After rule configuration, enable the iptables service to start at boot:
systemctl enable iptables systemctl enable ip6tables
Reload the Rules
This command restarts the service and reloads the rules from the configuration file, discarding the current memory rules:
systemctl restart iptables