1,885
edits
Changes
→Testing policies
# After you have completed the test execute the following command:
#* <code>iptables -F</code>
{{Admon/note| Interpreting iptables commands |The Here is the command "you just used: iptables -I OUTPUT -p tcp -s0/0 -d 0/0 --dport 80 -j DROP" Which can be read like this: Insert a rule into the iptables OUTPUT chain that will match any tcp packet, with any a source address, any destination address, and a deistination port of 80. Any packet that matches will be dropped.
Let's break down the command to see how it works.
The '''-s0/0''' switch specifies the source IP address. 0/0 means a source address of “anywhere.” this has been put into the lab because your ip address will change because it is dynamically assigned. You can change this value if you want to the IP address that has been specifically assigned to your PC. (Since the rule will, by default, match any source address, this switch may be left out).
The '''-d0/0''' switch specifies the destination address. It makes sense that this address is set to “anywhere” because if we want to block all requests to the WWW, we will never know the specific IP address of web server that is trying to be accessed. ('''Since the rule will, by default, match any destination address, this switch may -- and probably should -- be left out''').
The switch '''--dport 80''' tells iptables to look at the destination port in the packet and see if it is equal to 80. Alternately, you can filter based on source addresses using the <code>--sport</code> switch.