
Comment attached to the article "Question: A good iptables tutorial?":


Re: Question: A good iptables tutorial?
Posted by Steve (82.41.xx.xx) on Wed 24 Aug 2005 at 07:26

Whilst it's true that using iptables can be confusing, it's pretty straightforward once you get the hang of it.

To start off with there are three real "chains" which iptables uses:

  • INPUT
    • Which is used to grant or deny incoming connections to your machine.
  • OUTPUT
    • Which is used to grant or deny outgoing connections from your machine.
  • FORWARD

Each of those chains can contain rules which control what you allow, or disallow.

Usually your firewall script will start off by resetting (emptying) all the chains then adding new rules to them. Some machines will only care about what packets are coming into them, others will care about what packets are leaving the machine - so you might find INPUT, or OUTPUT, or both chains being used.

Here's a quick example which seems relevant to your question on FTP usage.

# First of all delete any existing rules.
#
# This means you're back to a known state:
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X


#
#  Block all access to port 21 (ftpd)
#
#  BUT allow host 11.22.33.44
#
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

There we've done two things:

  • Delete any prior rules to make sure when we run this again we won't have any problems.
  • Add two rules to the INPUT chain, which means they will apply to incoming connections:
    • 1. Allow incoming connections to port 21 from one IP address 11.22.33.44.
    • 2. Deny all other incoming connections to port 21.

The general form of an iptables command is:

iptables -A CHAIN -p tcp/udp [options] -j ACTION

The CHAIN we've briefly covered before, "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the input chain".

The "-p tcp" means this rule applies only to TCP connections, not UDP. (To specify UDP connections you'd use "-p udp" instead.)

"[options]" is where you specify what you wish to match against.

Finally "-j ACTION" is used to specify what to do to packets which match your rule. Usually an action will be one of "-j DROP" to drop the packet, "-j ACCEPT" to accept the packet, or "-j LOG" to log it.

We used the "-m state --state NEW --dport 21" to match against new connections to port 21. Other options allow you to match against different things.

Really, Google is your friend; and if you're not able to search and experiment, I'd suggest that using an unstable distribution like Etch is going to be .. unwise. (Not trying to pick on you! Just thought it was worth mentioning.)

Actually if you're only concerned with access to your FTP server you might be better off seeing if that allows you to limit access on its own ..? Some of them do give configuration options to only allow particular IP addresses to use their services. If yours does then that could simplify things, as you won't need to learn anything new...

Steve
-- Steve.org.uk
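As an added example (not part of Steve's comment above), here is a complete firewall script built around his two FTP rules. One thing worth knowing when copying his snippet: both rules match only NEW connections and leave the INPUT chain's default policy untouched (ACCEPT on a fresh system), so every other port on the machine stays open. This script adds a default-deny INPUT policy, the loopback and ESTABLISHED,RELATED rules that a default-deny policy needs to keep working, and logs what it refuses. The trusted client 11.22.33.44 is taken from the comment; the admin network 10.0.0.0/24 and the dry-run/apply modes are assumptions made for this example. Run it with no argument to print the rules, or as root with "apply" to load them.

```shell
#!/bin/sh
# Added example, not code from the original comment. Default-deny firewall built
# around the FTP rules discussed above. With no argument the rules are printed
# (dry run); "apply" executes them and needs root.
#
# Assumed for this example (not from the original): the host is managed over
# SSH from 10.0.0.0/24; 11.22.33.44 is the trusted FTP client from the comment.

IPTABLES=${IPTABLES:-/sbin/iptables}
TRUSTED_FTP_CLIENT=11.22.33.44
ADMIN_NET=10.0.0.0/24
MODE=${1:-dry-run}

# ipt: echo the command in dry-run mode, run it in apply mode.
ipt() {
    if [ "$MODE" = apply ]; then
        "$IPTABLES" "$@"
    else
        echo "iptables $*"
    fi
}

# ruleset: emits (or applies) the whole policy, in order.
ruleset() {
    # 1. Back to a known state: flush filter/nat/mangle and delete user chains.
    ipt -F
    ipt -t nat -F
    ipt -t mangle -F
    ipt -X

    # 2. Default policies. The original two rules leave INPUT at ACCEPT, so
    #    anything not explicitly dropped gets in; default-deny inverts that.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 3. Loopback, and replies to connections already allowed. Without this a
    #    default-deny INPUT chain breaks every connection the machine initiates.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # 4. Management SSH, admin network only (assumed address range).
    ipt -A INPUT -p tcp -m state --state NEW --dport 22 -s "$ADMIN_NET" -j ACCEPT

    # 5. FTP control channel: the trusted client only. LOG does not terminate
    #    rule processing, so refused attempts are logged and then dropped.
    ipt -A INPUT -p tcp -m state --state NEW --dport 21 -s "$TRUSTED_FTP_CLIENT" -j ACCEPT
    ipt -A INPUT -p tcp -m state --state NEW --dport 21 -j LOG --log-prefix "ftp-denied: "
    ipt -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

    # The FTP data channel (server port 20 in active mode, a high port in
    # passive mode) only matches the RELATED rule in step 3 when the conntrack
    # FTP helper is loaded: ip_conntrack_ftp on 2.6 kernels of this era,
    # nf_conntrack_ftp on current ones.
}

if [ "$MODE" = apply ] && [ "$(id -u)" -ne 0 ]; then
    echo "apply mode must run as root" >&2
    exit 1
fi
ruleset
```

After applying, check the result with "/sbin/iptables -L INPUT -n -v --line-numbers": the "-v" packet counters show whether the ACCEPT or the DROP rule is the one matching when you connect from the trusted address and from any other one, and the "ftp-denied:" prefix makes refused attempts easy to find in the kernel log.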

