LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 01-22-2014, 10:08 PM   #1
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Rep: Reputation: Disabled
about iptables


I use the iptables command below to apply a rule. I would like to allow only 192.168.2.2 to access my server, but after applying it, it still does not work.


#iptables -A INPUT -s 192.168.2.2 -j ACCEPT

#iptables -L

ACCEPT all -- 192.168.2.2 anywhere

I tried to use the command below; after using it, all rules are removed.
#iptables --flush

Could you advise how I can apply the rule? What is wrong in my first command? Thanks.
 
Old 01-22-2014, 10:46 PM   #2
divyashree
Senior Member
 
Registered: Apr 2007
Location: bbsr,orissa,India
Distribution: RHEL5 ,RHEL4,CENT OS5,FEDORA,UBUNTU
Posts: 1,363

Rep: Reputation: 135Reputation: 135
Be specific while creating rules in iptables. You are missing the destination server (-d), i.e. your server; the network interface (-i), i.e. eth0 or any; the port (--dport), i.e. the port number; and the protocol (-p), i.e. tcp/udp.

And after creating the rule, have you saved and restarted iptables?
 
Old 01-22-2014, 10:50 PM   #3
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 81
Another thing that is recommended by default is to drop all and then allow specific IPs explicitly. If that had been done, what happened would never have happened.
 
Old 01-26-2014, 08:23 PM   #4
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by divyashree View Post
Be specific while creating rules in iptables. You are missing the destination server (-d), i.e. your server; the network interface (-i), i.e. eth0 or any; the port (--dport), i.e. the port number; and the protocol (-p), i.e. tcp/udp.

And after creating the rule, have you saved and restarted iptables?
Thanks for the reply,

What I would like is just to allow 192.168.2.2 (any service, port, eth0, eth1, etc.) to access the server. Do I still need -d, eth0, --dport, -p?

I have run the command iptables -A INPUT -s 192.168.2.2 -j ACCEPT, but other IPs, e.g. 192.168.2.3, can still access the server. What is the possible cause of it? Thanks.
 
Old 01-27-2014, 03:31 AM   #5
yech
LQ Newbie
 
Registered: Dec 2007
Posts: 22

Rep: Reputation: 0
You should use

iptables -P INPUT DROP

to set the default rule for the INPUT chain first.
 
Old 01-28-2014, 02:50 AM   #6
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Thanks for the reply,

Do I need to apply / save the setting after running the ipchain command? Thanks.

I also checked on Google; it suggests adding "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at the end of the commands, as below. Could you advise whether it is needed? Thanks.

iptables -A INPUT -s 192.168.2.2/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Last edited by byran cheung; 01-28-2014 at 02:53 AM.
 
Old 01-28-2014, 02:53 AM   #7
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 664

Rep: Reputation: 81
Every time you make a change you need to save the changes.
 
Old 01-28-2014, 03:54 AM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,448

Rep: Reputation: Disabled
Quote:
Originally Posted by byran cheung View Post
I also checked on Google; it suggests adding "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" at the end of the commands, as below. Could you advise whether it is needed?
Yes, that is a good idea.

The second you change the policy of the INPUT chain to "DROP", all traffic not explicitly allowed is blocked. This includes responses to outbound requests (like web pages you're trying to view) and all sorts of internal communication between system services over the loopback interface.

For that reason, you should start by adding two rules allowing this traffic. The loopback interface is easy, the "-i lo" match will do. For replies and such, the iptables state mechanism can be used in the way you suggested:
Code:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Remember that the "-A" switch adds a rule at the bottom of the chain. If a rule further up the chain conflicts with the one you just added, your rule gets ignored.

To insert rules somewhere in the chain, either flush the chain and re-add everything from the top down, or use the "-I <number>" switch instead of "-A", <number> being a number indicating the position in the chain where you want to insert the new rule.

The iptables ruleset exists in kernel memory, and all rules are lost when you power off the system. Some distributions will automatically save the ruleset to a file during shutdown and reapply the saved rules at bootup. Others store the rules in a file but require the user to manually save after making changes. You need to check the documentation for your distribution to see how it handles firewall rules.

You can always save the rules to a file with iptables-save > somefile and restore them later with iptables-restore < somefile.
 
Old 01-28-2014, 08:45 PM   #9
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Thanks for the reply,

I still cannot set it; thanks for the help.

I have added "iptables -A INPUT -s 192.168.2.2 -j ACCEPT" and then tried, but found that all IPs can access the server. Then I added "iptables -P INPUT DROP" and found that all IPs cannot access the server, and I cannot use "iptables -L -v" to check the iptables setting. Would you advise what I need to do if I just would like to allow 192.168.2.2 to access the server? Thanks.
 
Old 01-28-2014, 09:15 PM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,448

Rep: Reputation: Disabled
If you want to block access to the server from any IP address except 192.168.2.2, there are two ways to do that. You could allow 192.168.2.2 and explicitly deny all other incoming traffic:
Code:
iptables -F
iptables -P INPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A INPUT -j DROP
Or you could allow 192.168.2.2 and let a DROP policy take care of everything else:
Code:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
Note that in both cases the ruleset is flushed first with iptables -F, then the relevant rules are added. Simply adding rules to an existing ruleset is not likely to work, as the traffic you want to allow or block may match an existing rule further up the chain.

Allowing ESTABLISHED and RELATED traffic means replies to outgoing traffic are still allowed. It also means existing connections won't be affected by these rules, so if you have, say, an active SSH connection from a system other than 192.168.2.2, these rules will not sever that connection. New connections will be blocked, though.

And as I mentioned earlier, make sure you always allow incoming traffic to the "lo" interface. Only processes on the system itself can send packets to this interface, and blocking it will break all sorts of internal communication.
 
Old 01-29-2014, 12:16 AM   #11
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
If you want to block access to the server from any IP address except 192.168.2.2, there are two ways to do that. You could allow 192.168.2.2 and explicitly deny all other incoming traffic:
Code:
iptables -F
iptables -P INPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A INPUT -j DROP
Or you could allow 192.168.2.2 and let a DROP policy take care of everything else:
Code:
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
Note that in both cases the ruleset is flushed first with iptables -F, then the relevant rules are added. Simply adding rules to an existing ruleset is not likely to work, as the traffic you want to allow or block may match an existing rule further up the chain.

Allowing ESTABLISHED and RELATED traffic means replies to outgoing traffic are still allowed. It also means existing connections won't be affected by these rules, so if you have, say, an active SSH connection from a system other than 192.168.2.2, these rules will not sever that connection. New connections will be blocked, though.

And as I mentioned earlier, make sure you always allow incoming traffic to the "lo" interface. Only processes on the system itself can send packets to this interface, and blocking it will break all sorts of internal communication.
Thanks for the reply,

Once I run the command "iptables -P INPUT DROP", it denies ALL server access immediately. Would you advise whether I should change the sequence of issuing the commands? Thanks.
 
Old 01-29-2014, 12:22 AM   #12
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,448

Rep: Reputation: Disabled
Quote:
Originally Posted by byran cheung View Post
Thanks for the reply,

Once I run the command "iptables -P INPUT DROP", it denies ALL server access immediately. Would you advise whether I should change the sequence of issuing the commands? Thanks.
Then set the policy last, after you've created the entire ruleset.

Why is it a problem that connections are temporarily blocked? Are you trying to do this over a remote connection of some kind? If so, you could just put all the iptables commands in a script and run it.

Last edited by Ser Olmy; 01-29-2014 at 12:23 AM.
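As an added example (not code from the thread or any of its posters), here is the DROP-policy ruleset from post #10 wrapped in a small POSIX sh script that follows post #12's advice: build every rule first and switch the INPUT policy to DROP only as the last command, so a remote session is not cut off halfway through. The allowed host, the variable names, the ordering check and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example: post #10's "DROP policy" ruleset, applied in the
# lockout-safe order from post #12. The policy is reset to ACCEPT first
# (so a DROP policy left over from an earlier attempt does not block the
# session once the chain is flushed), the lo and ESTABLISHED,RELATED rules
# go in next, then the allowed host, and the DROP policy comes last.
# ALLOWED_HOST and IPT are assumed values; adjust them for your server.
ALLOWED_HOST="${ALLOWED_HOST:-192.168.2.2}"
IPT="${IPT:-iptables}"

# Print the ruleset, one command per line, so it can be reviewed
# before anything touches the live firewall.
build_ruleset() {
    printf '%s\n' \
        "$IPT -F" \
        "$IPT -P INPUT ACCEPT" \
        "$IPT -A INPUT -i lo -j ACCEPT" \
        "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "$IPT -A INPUT -s $ALLOWED_HOST -j ACCEPT" \
        "$IPT -P INPUT DROP"
}

# Sanity check on the generated order: the DROP policy must be the last
# command, and the lo / state rules must precede the host rule.
# Returns 0 when the ordering is safe, 1 otherwise.
check_order() {
    rules=$(build_ruleset)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-i lo' | cut -d: -f1)
    state_line=$(printf '%s\n' "$rules" | grep -n -- '--state' | cut -d: -f1)
    host_line=$(printf '%s\n' "$rules" | grep -n -- "-s $ALLOWED_HOST" | cut -d: -f1)
    [ "$last" = "$IPT -P INPUT DROP" ] || return 1
    [ "$lo_line" -lt "$host_line" ] && [ "$state_line" -lt "$host_line" ]
}

# Apply the whole ruleset in one run (post #12: "put all the iptables
# commands in a script"), but only after the ordering check passes.
# DRY_RUN defaults to 1, which just prints the commands; set DRY_RUN=0
# as root to actually execute them.
apply_ruleset() {
    check_order || { echo "unsafe rule order, not applying" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_ruleset
    else
        build_ruleset | sh -e
    fi
}
```

Run it once with the default dry run, compare the printed commands with post #10, and only then run it with DRY_RUN=0; afterwards save the result with iptables-save as post #8 describes.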
 
Old 01-29-2014, 01:57 AM   #13
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Thanks for the reply,

I added "iptables -P INPUT DROP". Could you suggest, if I would like to remove this specific policy (I tried iptables -D INPUT DROP but it did not work; iptables -F will remove all policies), what I can do? Thanks.
 
Old 01-29-2014, 02:10 AM   #14
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,448

Rep: Reputation: Disabled
You don't "remove" a policy as such; it is either "ACCEPT" or "DROP". In other words, the command iptables -P INPUT ACCEPT is what you're looking for.
 
Old 01-29-2014, 02:26 AM   #15
byran cheung
Member
 
Registered: Sep 2013
Posts: 321

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
You don't "remove" a policy as such; it is either "ACCEPT" or "DROP". In other words, the command iptables -P INPUT ACCEPT is what you're looking for.
Thanks for the reply,

What I mean is I have added the policy "iptables -A INPUT -j DROP", but I would just like to remove this policy. Would you advise what I can do? Thanks.
 