newb question about iptables
Hello, I wanna delete a specific chain.
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
I have these chains... how can I delete only the one that is used for ftp?
First suppress all references to the chain:
iptables -D
Then:
iptables -X
==> man iptables
Man, I said newb question, so give an answer a newb can understand, not what you said before... I can't understand anything of what you said.
Chain INPUT (policy ACCEPT)
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
I wanna delete just this one:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
How do I delete it from iptables? Don't give me the answer "man iptables", that doesn't help at all.
iptables -D INPUT 3
This command deletes the 3rd rule (the one you want to delete) from the INPUT chain.
Thanks a lot, man :D Now I understand.
Quote:
Man pages are a great help if you invest time in learning their conventions. I prefer to look them up online; it always seems more manageable.
Quote:
This is not the type of response you want to give to someone who is trying to help you. The more correct response would have been "I don't understand, can you explain what that is doing?" Even better, in standard Linux method, and as Agrouf said, you could have manned the iptables command to figure out what the -D and -X options are and see if they fit your needs.
My bad :( Sorry.
I have another question about iptables.
I want to leave the default port of SSH, but I wanna block all access to it except me. How do I add only the IP I enter via SSH in iptables, to let only me use it and still block the others who try? Dunno if you understand me clearly... :| Thanks in advance.
Sorry, but what are iptables and what do I need them for?
(This is a real newb question ^^) Thx, Apfelbox =) PS: I really want to know it!
hangdog, I wanna use the first one because I only access via SSH from particular IP addresses... how could I restrict the rest?
Waiting for your reply, thanks :D
Currently you have the following rule:
Code:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh

iptables -D INPUT 3

Then you need to construct a new rule to do what you want. You can do this with:

iptables -A INPUT -p tcp -s YOUR.REMOTE.IP.ADDR --dport 22 -j ACCEPT

Here's a brief explanation (see the man page for more info):
-A INPUT is to append (-A) a rule to the INPUT chain.
-p tcp says that the rule applies only to TCP packets (SSH runs over TCP).
-s YOUR.REMOTE.IP.ADDR says that the source (-s) must match your remote IP for this to apply (obviously, you need to replace YOUR.REMOTE.IP.ADDR with the actual address you want to use).
--dport 22 says that the destination TCP port must be 22 for the rule to match (this is the port SSH uses by default).
Finally, -j ACCEPT specifies that if the three criteria (TCP, from YOUR.REMOTE.IP.ADDR, and going to port 22) all match, then the packet should be accepted.

Note: This assumes that the chain's default policy is DROP (it appears to be ACCEPT in your post) so that packets that don't match any rule are dropped. The alternative to this is setting up some rule later down the chain that actually drops the unwanted packets (if you're unsure of whether you have this right, post the full output of "iptables -L" so we can help you).

Warning 1: It's not wise to tinker with firewall settings for SSH when your shell is connected via SSH, for obvious reasons. You can easily lock yourself out if you're not careful, necessitating a trip to the machine's physical location so you can fix the rule from the console (I've done this more times than I care to admit).

Warning 2: Linux distros generally load the iptables rules from a config file on boot since the kernel has no way of preserving them between reboots (some distros have a script that does it automatically).
What I like to do is make a little script with my iptables setup and then run it from /etc/rc.local so it starts at boot (it's probably better to run it slightly earlier, after networking has started but before any services, so there's no gap between when services start and firewall rules are applied; however, running it out of rc.local should be fine for all but the truly, truly paranoid).
Thanks miller, I understand, but I have a dilemma.
Suppose I don't have this rule: ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh, but I still can log in via SSH. How is that possible?
If the INPUT chain's default policy is accept then all packets not specifically dropped will be allowed. Since you don't appear to have a rule explicitly dropping new SSH connections, they will be accepted. As I said, please post the complete output of "iptables -L" if you are unsure about this.
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I deleted all rules; now how do I start from the beginning? :|
My script starts out like this:
Code:
iptables -P INPUT DROP

2nd section: allows all established connections to go through.
3rd section: allows local machine processes to talk to each other. This is very important.
4th section: is where you can specifically allow connections via port.

This is not nearly all my script, but it should get you started. Don't place your script in rc.local until you're sure it will work. You can just restart your box to regain access. Otherwise, if you make a booboo you might not be able to access your system.
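Putting miller's rule and the script outline above together, here is an added example of such a boot-time script (not code from anyone in this thread). It assumes a single admin address, 203.0.113.10, as a constructed placeholder, and prints the rule set for review before anything is applied, since a typo in the admin address is exactly how you lock yourself out.

```shell
#!/bin/sh
# Added example: default DROP on INPUT, keep established connections,
# allow loopback, allow new SSH only from one admin address.
# ADMIN_IP is a constructed placeholder (TEST-NET-3); override it per host.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
SSH_PORT="${SSH_PORT:-22}"

# Accept only a plain dotted-quad IPv4 address, so a mistyped address cannot
# turn into a rule that silently matches nothing.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the rule set instead of applying it, so it can be read (and tested)
# before it ever touches the running firewall. Order matters: the
# RELATED,ESTABLISHED rule keeps an existing console/SSH session alive.
gen_rules() {
    ip="$1"; port="$2"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s $ip --dport $port -m state --state NEW -j ACCEPT
EOF
}

# Apply the generated rules one by one; stop at the first failure.
# Run as root from the console, not over SSH, as the thread warns.
apply_rules() {
    valid_ipv4 "$ADMIN_IP" || { echo "bad ADMIN_IP: $ADMIN_IP" >&2; return 1; }
    gen_rules "$ADMIN_IP" "$SSH_PORT" | sh -e
}

# Usage:  ADMIN_IP=203.0.113.10 sh fw.sh show    (review only)
#         ADMIN_IP=203.0.113.10 sh fw.sh apply   (as root)
case "${1:-}" in
    show)  gen_rules "$ADMIN_IP" "$SSH_PORT" ;;
    apply) apply_rules ;;
esac
```

Once "show" prints what you expect, hook "apply" into rc.local (or an earlier boot hook) as described above; until then, a reboot clears the rules and gets you back in.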