Friday, April 30, 2010

Enhance Linux Box Security: Iptables made easy - tutorial part 2

This time we will deal with the filter rules of iptables. When writing filter rules we do not need to specify `-t filter`, because filter is the default table in iptables.
The filter table has three built-in chains: INPUT, OUTPUT and FORWARD.
The INPUT chain checks packets that originate outside and are destined for this machine.
The OUTPUT chain checks packets that originate from this machine and are destined for other systems.
The FORWARD chain checks packets that are being routed through this machine.
The best way of implementing iptables rules is to put them in a shell script and execute it, so the whole rule set can be reviewed and re-applied at once.

Some basic examples of using the filter table are as follows:
Rule 1:
#iptables -A INPUT -s 192.168.1.0/24 -j REJECT
Appends a rule to the INPUT chain so that every incoming packet from the given network is rejected (the sender receives an ICMP error).

Rule 2:
#iptables -A INPUT -s 192.168.0.20 -p icmp -j DROP
Appends a rule to the INPUT chain so that every ICMP packet (for example a ping request) from 192.168.0.20 is dropped without notifying the sender.

Rule 3:
#iptables -A INPUT -m mac --mac-source 12:23:56:89:34:ab -j ACCEPT
Accepts incoming packets from the given MAC address (a sample address; it must be written as six hexadecimal octets). The mac match only works in the INPUT, FORWARD and PREROUTING chains.

Rule 4:
#iptables -A OUTPUT -d www.yahoo.com -j REJECT
Rejects any outgoing packet destined for www.yahoo.com. Note that iptables resolves the hostname once, when the rule is added, so only the IP addresses returned at that moment are blocked.

Rule 5:
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Permits incoming SSH connections (TCP port 22).

Rule 6:
#iptables -A INPUT -s x.x.x.x -p tcp --dport telnet -j DROP
Drops telnet connection attempts (TCP port 23, looked up by name in /etc/services) from the host x.x.x.x without notifying the sender.

Deleting & Replacing rules
Rule 7:
#iptables -D INPUT 4
Deletes rule number 4 of the INPUT chain. Rules are numbered from 1; `iptables -L INPUT --line-numbers` shows the numbering.

Rule 8:
#iptables -D INPUT -p tcp --dport telnet -j DROP
Deletes the rule in the INPUT chain that exactly matches the given specification.

Rule 9:
#iptables -R INPUT 4 -p tcp --dport telnet -j ACCEPT
Replaces rule number 4 of the INPUT chain with the given specification.

Suppose, for example, that you have a router that connects the 192.168.1.0/24 network and the 10.100.100.0/24 network. Suppose further that this firewall's eth0 interface holds the Internet-addressable IP address 66.1.5.1/8. The following iptables commands issued on the router would enable both private-IP networks to communicate via the Internet. Note that the MASQUERADE target belongs to the POSTROUTING chain of the nat table (not to the filter table), and the outgoing interface is selected with `-o`:
Rule 10:
#iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -s 10.100.100.0/24 -j MASQUERADE
This particular configuration actually exposes the network: as long as the FORWARD chain accepts everything, any remote host would be able to use your masquerading firewall to reach hosts behind it. The following additions to the FORWARD chain of the filter table ensure that your masquerading router forwards only traffic to or from your internal networks:
Rule 11:
#iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
#iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
#iptables -A FORWARD -s 10.100.100.0/24 -j ACCEPT
#iptables -A FORWARD -d 10.100.100.0/24 -j ACCEPT
#iptables -A FORWARD -j DROP
Because rules are checked in order, the final DROP catches only what none of the ACCEPT rules matched, so it must be appended last.
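As an added example (not the post's own script), here is a filter-table firewall script of the kind recommended above; it collects rules 5, 6 and 11 behind default-DROP policies. The LAN range 192.168.1.0/24 and the path /sbin/iptables are assumptions, and the script prints a preview unless it is invoked with `apply`.

```shell
#!/bin/sh
# Added example, not from the original post: a filter-table firewall script of the
# kind the tutorial recommends. Assumed layout: LAN 192.168.1.0/24 behind this box.
LAN=192.168.1.0/24
# Override IPT (e.g. IPT="echo iptables") to print the rules instead of applying them.
: "${IPT:=/sbin/iptables}"

apply_filter_rules() {
    # filter is the default table, so -t filter is implied throughout.
    $IPT -F INPUT
    $IPT -F FORWARD
    # Default policies: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback traffic and replies to connections this host initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rule 5, narrowed: accept SSH only from the LAN rather than from anywhere.
    $IPT -A INPUT -s "$LAN" -p tcp --dport 22 -j ACCEPT
    # Rule 6: silently drop telnet attempts from any source.
    $IPT -A INPUT -p tcp --dport 23 -j DROP
    # Rule 11: forward only traffic to or from the LAN; the FORWARD policy drops
    # the rest, so no explicit trailing DROP rule is needed here.
    $IPT -A FORWARD -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -d "$LAN" -j ACCEPT
}

# Show the exact commands that would run, without touching the kernel (no root needed).
preview_rules() {
    ( IPT="echo iptables"; apply_filter_rules )
}

# Count how many iptables commands the script issues (a simple sanity check).
count_rules() {
    preview_rules | grep -c '^iptables '
}

# Apply for real only when invoked as root with:  sh firewall.sh apply
# Running it with no argument just prints the preview.
if [ "${1:-}" = "apply" ]; then
    apply_filter_rules
else
    preview_rules
fi
```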
Here's a cool video that shows how to write a clean shell script for applying iptables rules; it mostly deals with filter rules.
