Difference between revisions of "Firewall"
From Linuxintro
imported>ThorstenStaerk (Created page with "In a typical network, all traffic to the outside world has to pass one router/computer/cluster. On this router, you can prevent access to specific network ports. It is called...") |
imported>ThorstenStaerk |
||
| (7 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | In a typical [[network]], all traffic to the outside world has to pass one router/computer/cluster. On this router, you can prevent access to specific network ports. It is called the firewall. | + | In a typical [[network]], all traffic to the outside world has to pass one router/computer/cluster. On this router, you can prevent access to specific [[network ports]]. It is called the firewall. |
Now every Linux kernel can play firewall by deciding which network traffic to forward and which not. Starting with Linux 2.4 the respective command is iptables. | Now every Linux kernel can play firewall by deciding which network traffic to forward and which not. Starting with Linux 2.4 the respective command is iptables. | ||
= Check if your firewall is running = | = Check if your firewall is running = | ||
| − | To check if your firewall is running, use the [[command]] <code> | + | To check if your firewall is running, use the [[command]] <code>iptables --list</code>. Here's an output that means your firewall is turned off: |
iptables --list | iptables --list | ||
Chain INPUT (policy ACCEPT) | Chain INPUT (policy ACCEPT) | ||
| Line 15: | Line 15: | ||
target prot opt source destination | target prot opt source destination | ||
If you look at it, you will find that for all incoming [http://en.wikipedia.org/wiki/Network_packet packets] ("Chain INPUT" entry above), the policy is set to ACCEPT with no exceptions. The same is true for FORWARD and OUTPUT. | If you look at it, you will find that for all incoming [http://en.wikipedia.org/wiki/Network_packet packets] ("Chain INPUT" entry above), the policy is set to ACCEPT with no exceptions. The same is true for FORWARD and OUTPUT. | ||
| + | |||
| + | = Stop your firewall = | ||
| + | To stop your firewall issue | ||
| + | iptables --flush | ||
| + | |||
| + | = Configure your firewall = | ||
| + | |||
| + | == Allow port 5901 only from localhost == | ||
| + | root@cloud-server-01:~# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT | ||
| + | root@cloud-server-01:~# iptables -A INPUT -p tcp --dport 5901 -j DROP | ||
| + | |||
| + | == Delete rules == | ||
| + | To delete a rule, issue the same command as you did with -A with -D: | ||
| + | * create the rule: | ||
| + | root@cloud-server-01:~# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT | ||
| + | * delete the rule: | ||
| + | root@cloud-server-01:~# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT | ||
| + | |||
| + | == drop some chains == | ||
| + | <pre> | ||
| + | root@cloud-server-01:~# iptables --list | ||
| + | Chain INPUT (policy ACCEPT) | ||
| + | target prot opt source destination | ||
| + | |||
| + | [...] | ||
| + | |||
| + | Chain ufw-before-forward (0 references) | ||
| + | target prot opt source destination | ||
| + | </pre> | ||
| + | |||
| + | root@cloud-server-01:~# iptables --delete-chain ufw-before-forward | ||
| + | |||
| + | = See also = | ||
| + | * [[security]] | ||
Latest revision as of 13:10, 5 June 2015
In a typical network, all traffic to the outside world has to pass one router/computer/cluster. On this router, you can prevent access to specific network ports. It is called the firewall.
Now every Linux kernel can play firewall by deciding which network traffic to forward and which not. Starting with Linux 2.4 the respective command is iptables.
Contents
Check if your firewall is running
To check if your firewall is running, use the command iptables --list. Here's an output that means your firewall is turned off:
iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
If you look at it, you will find that for all incoming packets ("Chain INPUT" entry above), the policy is set to ACCEPT with no exceptions. The same is true for FORWARD and OUTPUT.
Stop your firewall
To stop your firewall issue
iptables --flush
Configure your firewall
Allow port 5901 only from localhost
root@cloud-server-01:~# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT root@cloud-server-01:~# iptables -A INPUT -p tcp --dport 5901 -j DROP
Delete rules
To delete a rule, issue the same command as you did with -A with -D:
- create the rule:
root@cloud-server-01:~# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT
- delete the rule:
root@cloud-server-01:~# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -d 127.0.0.1 -j ACCEPT
drop some chains
root@cloud-server-01:~# iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination [...] Chain ufw-before-forward (0 references) target prot opt source destination
root@cloud-server-01:~# iptables --delete-chain ufw-before-forward
