LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-03-2007, 04:16 PM   #1
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Rep: Reputation: 0
newb question about iptables


Hello i wanna delete a specific chain


ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https


i have this chains ... how can i delete only the one that is used for ftp
 
Old 04-04-2007, 04:49 AM   #2
Agrouf
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: LFS
Posts: 1,591

Rep: Reputation: 79
First suppress all references to the chain :
iptables -D
Then
iptables -X

==> man iptables
 
Old 04-04-2007, 07:06 AM   #3
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Original Poster
Rep: Reputation: 0
man i said newb question so give a answer for a newb to understand not what u said before.. i can`t understand nothing of what u said

Chain INPUT (policy ACCEPT)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp


i wanna delete just this one:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http

how i do i delete it from iptables
don`t give me the answer "man iptables" that doesn`t help at all

Last edited by ripper; 04-04-2007 at 07:25 AM.
 
Old 04-04-2007, 08:53 AM   #4
Agrouf
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: LFS
Posts: 1,591

Rep: Reputation: 79
iptables -D INPUT 3

This command deletes the 3rd rule (the one you want to delete) from INPUT chain.
 
Old 04-05-2007, 09:33 AM   #5
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Original Poster
Rep: Reputation: 0
thanks alot man now i understand
 
Old 04-05-2007, 09:33 AM   #6
ethics
Senior Member
 
Registered: Apr 2005
Location: London
Distribution: Arch - Latest
Posts: 1,522

Rep: Reputation: 45
Quote:
Originally Posted by ripper
man i said newb question so give a answer for a newb to understand not what u said before.. i can`t understand nothing of what u said
That.. 'sentence'? didn't make much sense to me either...

Man pages are a great help if you invest time in learning their conventions.

I prefer to look them up online, always seems more managable.
 
Old 04-05-2007, 02:52 PM   #7
SlowCoder
Member
 
Registered: Oct 2004
Location: Southeast, U.S.A.
Distribution: Fedora (Desktop), CentOS (Server), Knoppix (Diags)
Posts: 934

Rep: Reputation: 38
Quote:
Originally Posted by ripper
man i said newb question so give a answer for a newb to understand not what u said before.. i can`t understand nothing of what u said
ripper,

This is not the type of response you want to give to someone who is trying to help you. The more correct response would have been "I don't understand, can you explain what that is doing?"

Even better, in standard linux method, and as Agrouf said, you could have manned the iptables command to figure out what the -D and -X options are and see if they fit your needs.
 
Old 04-06-2007, 04:41 AM   #8
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Original Poster
Rep: Reputation: 0
my bad sorry
 
Old 04-06-2007, 05:47 AM   #9
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Original Poster
Rep: Reputation: 0
i have another question about iptables

i want to leave default port of ssh but i wanna block all access to it
except me
how do add only the ip i enter with via ssh in iptables to let only me use it and still block the others who try

dunno if u understand me clearly ...:|
thanks in advance
 
Old 04-06-2007, 10:11 AM   #10
Apfelbox
Member
 
Registered: Mar 2007
Location: Vienna
Distribution: Antix
Posts: 32

Rep: Reputation: 15
Sorry but what are iptables and for what I need them?
(this is a real newb question^^)

thx Apfelbox =)

PS:I really want to know it!
 
Old 04-06-2007, 12:25 PM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
Originally Posted by ripper
i have another question about iptables

i want to leave default port of ssh but i wanna block all access to it
except me
how do add only the ip i enter with via ssh in iptables to let only me use it and still block the others who try

dunno if u understand me clearly ...:|
thanks in advance
There are a couple of different ways of doing that. If you know that you will only be accessing SSH from a particular range of IP addresses (like your home LAN) you could use iptables to restrict what addresses have access to port 22. However, a much better solution is to ditch password based authentication on SSH and move to key based authentication. Basically, you generate a public/private key pair and put the public key on the SSH server. Then the only client that has access is one with the private key. There is an excellent tutorial here.

Quote:
Originally Posted by Apfelbox
Sorry but what are iptables and for what I need them?
Generally, iptables is used to create firewalls on Linux computers, but it is actually much more flexible than that. Iptables rules control how TCP/IP packets are handled on a Linux system, so you can use them to do things like build a router.
 
Old 04-06-2007, 10:16 PM   #12
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Original Poster
Rep: Reputation: 0
hangdog i wanna use the first one because i only access via ssh from particular ip addresses .. how could i restrict the rest


waiting for ur reply thanks
 
Old 04-07-2007, 02:54 AM   #13
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
Currently you have the following rule:

Code:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
as rule number 2 in the input chain. The rule allows SSH from everywhere, however, you want to restrict this to one specific IP. First off, you should delete the original rule:

iptables -D INPUT 3

Then you need to construct a new rule to do what you want. You can do this with:

iptables -A INPUT -p tcp -s YOUR.REMOTE.IP.ADDR --dport 22 -j ACCEPT

Here's a brief explanation (see the man page for more info):

-A INPUT is to append (-A) a rule to the INPUT chain
-p tcp says that the rule applies only to TCP packets (SSH runs over TCP)
-s YOUR.REMOTE.IP.ADDR says that the source (-s) must match your remote IP for this to apply (obviously, you need to replace YOUR.REMOTE.IP.ADDR with the actual address you want to use).
--dport 22 says that the destination TCP port must be 22 for the rule to match(this is the port SSH uses by default)
Finally -j ACCEPT specifies that if the three criteria (TCP, from YOUR.REMOTE.IP.ADDR, and going to port 22) all match then the packet should be accepted.

Note: This assumes that the chains default policy is DROP (it appears to be ACCEPT in your post) so that packets that don't match any rule are dropped. The alternative to this is setting up some rule later down the chain that actually drops the unwanted packets (if you're unsure of whether you have this right, post the full output of "iptables -L" so we can help you).

Warning 1: It's not wise to tinker with firewall settings for SSH when your shell is connected via SSH, for obvious reasons. You can easily lock yourself out if you're not careful, necessitating a trip to the machine's physical location so you can fix the rule from the console (I've done this more times than I care to admit).

Warning 2: Linux distros generally load the iptables rules from a config file on boot since the kernel has no way of preserving them between reboots (some distros have a script that does it automatically). What I like to do is make a little script with my iptables set up and then run it from /etc/rc.local so it starts at boot (it's probably better to run it slightly earlier after networking has started but before any services so there's no gap between when services start and firewall rules are applied, however running it out of rc.local should be fine for all but the truly, truly paranoid).
 
Old 04-07-2007, 10:37 AM   #14
ripper
LQ Newbie
 
Registered: Apr 2007
Posts: 24

Original Poster
Rep: Reputation: 0
thanks miller i understand but i have a dillema

supose i don`t have this rule:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

but i still can login via ssh
how is that possible?

Last edited by ripper; 04-07-2007 at 10:42 AM.
 
Old 04-07-2007, 01:15 PM   #15
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
If the INPUT chain's default policy is accept then all packets not specifically dropped will be allowed. Since you don't appear to have a rule explicitly dropping new SSH connections, they will be accepted. As I said, please post the complete output of "iptables -L" if you are unsure about this.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Newb Question Tsarok Fedora 5 07-14-2005 03:05 PM
Very newb question m2azer Linux - Newbie 3 09-19-2004 07:58 PM
Newb question tombomb300 Linux - Newbie 1 01-28-2004 01:20 PM
A Newb Question pt. 2 gnr2k3 Linux - Newbie 3 08-30-2003 06:37 PM
A Newb Question gnr2k3 Linux - Newbie 1 08-30-2003 05:54 PM


All times are GMT -5. The time now is 11:47 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration