Hello i wanna delete a specific chain


ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https


i have this chains ... how can i delete only the one that is used for ftp

First suppress all references to the chain :
iptables -D
Then
iptables -X

==> man iptables

man i said newb question so give a answer for a newb to understand not what u said before.. i can`t understand nothing of what u said

Chain INPUT (policy ACCEPT)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp


i wanna delete just this one:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http

how i do i delete it from iptables
don`t give me the answer "man iptables" that doesn`t help at all

iptables -D INPUT 3

This command deletes the 3rd rule (the one you want to delete) from INPUT chain.

thanks alot man now i understand

That.. 'sentence'? didn't make much sense to me either...

Man pages are a great help if you invest time in learning their conventions.

I prefer to look them up online, always seems more managable.

ripper,

This is not the type of response you want to give to someone who is trying to help you. The more correct response would have been "I don't understand, can you explain what that is doing?"

Even better, in standard linux method, and as Agrouf said, you could have manned the iptables command to figure out what the -D and -X options are and see if they fit your needs.

my bad sorry

i have another question about iptables

i want to leave default port of ssh but i wanna block all access to it
except me
how do add only the ip i enter with via ssh in iptables to let only me use it and still block the others who try

dunno if u understand me clearly ...:|
thanks in advance

Sorry but what are iptables and for what I need them?
(this is a real newb question^^)

thx Apfelbox =)

PS:I really want to know it!

There are a couple of different ways of doing that. If you know that you will only be accessing SSH from a particular range of IP addresses (like your home LAN) you could use iptables to restrict what addresses have access to port 22. However, a much better solution is to ditch password based authentication on SSH and move to key based authentication. Basically, you generate a public/private key pair and put the public key on the SSH server. Then the only client that has access is one with the private key. There is an excellent tutorial here.

Generally, iptables is used to create firewalls on Linux computers, but it is actually much more flexible than that. Iptables rules control how TCP/IP packets are handled on a Linux system, so you can use them to do things like build a router.

hangdog i wanna use the first one because i only access via ssh from particular ip addresses .. how could i restrict the rest


waiting for ur reply thanks

Currently you have the following rule:

as rule number 2 in the input chain. The rule allows SSH from everywhere, however, you want to restrict this to one specific IP. First off, you should delete the original rule:

iptables -D INPUT 3

Then you need to construct a new rule to do what you want. You can do this with:

iptables -A INPUT -p tcp -s YOUR.REMOTE.IP.ADDR --dport 22 -j ACCEPT

Here's a brief explanation (see the man page for more info):

-A INPUT is to append (-A) a rule to the INPUT chain
-p tcp says that the rule applies only to TCP packets (SSH runs over TCP)
-s YOUR.REMOTE.IP.ADDR says that the source (-s) must match your remote IP for this to apply (obviously, you need to replace YOUR.REMOTE.IP.ADDR with the actual address you want to use).
--dport 22 says that the destination TCP port must be 22 for the rule to match(this is the port SSH uses by default)
Finally -j ACCEPT specifies that if the three criteria (TCP, from YOUR.REMOTE.IP.ADDR, and going to port 22) all match then the packet should be accepted.

Note: This assumes that the chains default policy is DROP (it appears to be ACCEPT in your post) so that packets that don't match any rule are dropped. The alternative to this is setting up some rule later down the chain that actually drops the unwanted packets (if you're unsure of whether you have this right, post the full output of "iptables -L" so we can help you).

Warning 1: It's not wise to tinker with firewall settings for SSH when your shell is connected via SSH, for obvious reasons. You can easily lock yourself out if you're not careful, necessitating a trip to the machine's physical location so you can fix the rule from the console (I've done this more times than I care to admit).

Warning 2: Linux distros generally load the iptables rules from a config file on boot since the kernel has no way of preserving them between reboots (some distros have a script that does it automatically). What I like to do is make a little script with my iptables set up and then run it from /etc/rc.local so it starts at boot (it's probably better to run it slightly earlier after networking has started but before any services so there's no gap between when services start and firewall rules are applied, however running it out of rc.local should be fine for all but the truly, truly paranoid).

thanks miller i understand but i have a dillema

supose i don`t have this rule:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

but i still can login via ssh
how is that possible?

If the INPUT chain's default policy is accept then all packets not specifically dropped will be allowed. Since you don't appear to have a rule explicitly dropping new SSH connections, they will be accepted. As I said, please post the complete output of "iptables -L" if you are unsure about this.