OPS235 Lab 6 - Fedora17

303 bytes removed, 19:45, 13 March 2011
Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration
#* <code>iptables -L</code>
# You should see something similar to this:
<pre>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</pre>
{{Admon/note | Chain Policies | Each chain has a default policy. In the example above the default policy is ACCEPT. This means that if a data packet is checked and no rule in the chain matches it, the packet will be allowed to pass to its destination. Conversely, if the policy is set to DROP, the packet will be dropped if there is no match. See the man page for <code>iptables</code> for detailed information on switches and options.}}
# Set the default policy for the INPUT chain to DROP:
#* <code>iptables -P INPUT DROP</code>
{{Admon/note| |The <code>-P</code> switch stands for POLICY. This tells <code>iptables</code> that we are changing the policy for the INPUT chain. The policy is to be changed to DROP. Note that <code>iptables</code> commands (as well as all other Linux commands) are case sensitive. Check your syntax carefully.}}
# Now try on your own to change the default policies for the OUTPUT and FORWARD chains to DROP.
# Write the commands you executed in your lab book.
'''-j''' means jump to a particular target – Basic targets are ACCEPT, DROP, REJECT, and LOG. The available targets depend on which table contains the chain.
'''DROP''' means drop the packet – make it disappear – and do not continue processing rules. '''REJECT''' is similar, but causes an error packet to be sent back to the source host. '''ACCEPT''' causes the packet to be processed. '''LOG''' causes an entry to be made in the system logs showing that the packet was processed. Note that LOG is the only one of these targets that does not stop rule-checking in the chain – so you can log a packet with one rule, and then use a later rule in the chain to DROP, REJECT, or ACCEPT it.
}}
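The script below is an added example for this investigation; it is not part of the lab or the CDOT wiki. It ties the two points above together: it reads the <code>iptables -L</code> listing format shown in step 2 to report which built-in chains still have an ACCEPT policy, prints the <code>-P ... DROP</code> commands from steps 3 and 4, and prints a LOG rule followed by a DROP rule to show why the LOG rule must come first. The listing embedded in the script is constructed sample text (not captured from a real host), and the source network <code>192.0.2.0/24</code> is the reserved documentation range, chosen only to have something to match on. The script never touches the live firewall; to audit a real host, save the output of <code>iptables -L</code> to a file and pass the file name as the first argument.

```shell
#!/bin/sh
# Added example for OPS235 Lab 6 Investigation 8 (not from the lab itself).
# Parses the `iptables -L` listing format, reports chain policies, and builds
# the policy and LOG/DROP commands discussed in the lab.  Nothing here changes
# the running firewall: the commands are only printed.

# Constructed sample of `iptables -L` output, in the format shown in the lab.
# OUTPUT is already closed here so the audit has something to distinguish.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
'

# chain_policy LISTING CHAIN -> prints the default policy of CHAIN
# A header line looks like "Chain INPUT (policy ACCEPT)", so the policy is
# the fourth field with the closing parenthesis stripped.
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4 }'
}

# open_chains LISTING -> names of chains whose policy is still ACCEPT, i.e.
# chains where an unmatched packet passes (the state the lab starts from)
open_chains() {
    printf '%s\n' "$1" | awk '$1 == "Chain" && $4 == "ACCEPT)" { print $2 }'
}

# audit LISTING -> one report line per built-in filter chain
audit() {
    for chain in INPUT OUTPUT FORWARD; do
        policy=$(chain_policy "$1" "$chain")
        case $policy in
            ACCEPT) printf '%s %s (open: unmatched packets pass)\n' "$chain" "$policy" ;;
            DROP)   printf '%s %s (closed: unmatched packets are discarded)\n' "$chain" "$policy" ;;
            *)      printf '%s %s\n' "$chain" "${policy:-unknown}" ;;
        esac
    done
}

# policy_cmds -> the three commands from the lab that set every built-in
# filter chain's default policy to DROP
policy_cmds() {
    for chain in INPUT OUTPUT FORWARD; do
        printf 'iptables -P %s DROP\n' "$chain"
    done
}

# log_then_drop CHAIN SOURCE -> a rule pair for traffic from SOURCE.
# LOG is non-terminating, so it is appended first and the packet falls
# through to DROP; appended the other way round, nothing would be logged.
log_then_drop() {
    chain=$1
    src=$2
    printf 'iptables -A %s -s %s -j LOG --log-prefix "%s"\n' "$chain" "$src" "ops235-$chain: "
    printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$src"
}

# Use a saved `iptables -L` listing if a file name is given, else the sample.
if [ -n "${1:-}" ]; then
    LISTING=$(cat "$1")
else
    LISTING=$SAMPLE_LISTING
fi

echo '# chain policy audit:'
audit "$LISTING"
echo '# commands from the lab to close all three chains (run as root on the lab VM):'
policy_cmds
echo '# log, then drop, traffic from the constructed test network 192.0.2.0/24:'
log_then_drop INPUT 192.0.2.0/24
```

The audit reads only the <code>Chain ... (policy ...)</code> header lines, so it works on the empty listing shown in the lab as well as on a chain full of rules. The rule pair printed at the end is the practical consequence of the target descriptions: because DROP stops rule-checking, any LOG rule placed after it for the same traffic is never reached.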