13,420
edits
Changes
no edit summary
# Issue the following Linux command: <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b>
# Issue the iptables command verify the INPUT policy has been set (look for the Policy section, NOT INPUT).<br><br>After the overall default policy is set, then you can create policy rules that are "exceptions" to the default policy rules. These iptables commands are more complex since you need to determine: <ul><li>'''Where each rules appears in the chain'''? (order can be important)</li><li>'''Which protocol(s)''' are affected (eg. tcp, udp, icmp)</li><li>'''What source or destination IP Addresses''' are affected?</li><li>'''What port numbers''' are affected?</li><li>'''What action to take''' if all of the above conditions are met? (eg. ACCEPT, REJECT, DROP, or LOG)</li></ul><br><br>'''iptables Command Structure (for setting exceptions):<br>(NOTE: If element in column is not specified in the iptables command, then rule relates to ALL elements)'''<br><table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -></td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-i CHAIN-NAME 5''' (insert before line #5 in CHAIN-NAME)</td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p tcp,udp,icmp''' (combined)<br><br>(refer to '''/etc/protocols''' for available network protocols)</td><td>'''-s IPADDR''' (originating IPADDR)<br>'''-d IPADDR''' (destination IPADDR)</td><td>'''--sport 22''' (originating port 22 - SSH)<br>'''--sport 80''' (originating port 80 - http)<br>'''--dport 22''' (originating port 22 - SSH)<br>'''--dport 80''' (destination port 80 - http)<br><br>(refer to '''/etc/services''' for available port numbers)</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG'''</td></tr></table><br><br>
# Issue the commmand <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L</span></code></b> to verify that the policies on your INPUT and OUTPUT chain are set to DROP
# Open a browser and attempt to access the Internet. Were you successful?