iptables firewall
By PlaceOweb on Sunday, December 13 2009, 22:20 - System - Permalink
The iptables firewall
iptables
SYNOPSIS
iptables [-t table] {-A|-D} chain rule-specification [options...]
iptables [-t table] -I [rulenum] rule-specification [options...]
iptables [-t table] -R rulenum rule-specification [options...]
iptables [-t table] -D chain rulenum [options...]
iptables [-t table] -S [chain]
iptables [-t table] {-F|-L|-Z} [chain] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target [options...]
iptables [-t table] -E old-chain-name new-chain-name
List the defined rules with their number (rulenum)
serveur:~# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source                          destination
1    DROP       all  --  sh15.ruskyhost.ru               anywhere
2    DROP       tcp  --  host-41.234.161.207.tedata.net  anywhere            tcp dpt:www
Or by specifying the INPUT chain only (adding -n prints addresses and ports numerically: without it, iptables does a reverse DNS lookup for every address, which is slow, and the name shown is whatever PTR record the remote side chose to publish)
serveur:~# iptables -L INPUT --line-numbers
Delete rule no. 2
serveur:~# iptables -D INPUT 2
iptables: No chain/target/match by that name
Extract from the iptables man page
-D, --delete chain rule-specification
-D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
-X, --delete-chain [chain]
Delete the optional user-defined chain specified. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. The chain must be empty, i.e. not contain any rules. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
Managing iptables rules by id (numeric identifier: rulenum)
serveur:~# iptables --help |grep rulenum
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
--list-rules -S [chain [rulenum]]
serveur:~# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source                                     destination
DROP       all  --  sh15.ruskyhost.ru                          anywhere
DROP       udp  --  host-41.234.161.207.tedata.net             anywhere            udp dpt:28960
DROP       udp  --  ctv-79-132-179-83.vinita.lt                anywhere            udp dpt:28960
DROP       udp  --  83-156-229-36.rev.libertysurf.net          anywhere            udp dpt:28960
DROP       udp  --  lns-bzn-55-82-255-143-210.adsl.proxad.net  anywhere            udp dpt:28960
DROP       tcp  --  95.84.16.113                               anywhere            tcp dpt:www
DROP       tcp  --  server.globalcar.com                       anywhere            tcp dpt:www
DROP       tcp  --  mail.jackpine.net                          anywhere            tcp dpt:www
DROP       tcp  --  209589-app1.barnstormers.com               anywhere            tcp dpt:www
DROP       tcp  --  234868-web1.barnstormers.com               anywhere            tcp dpt:www
DROP       tcp  --  223690-web1.wcwshost.com                   anywhere            tcp dpt:www

Chain FORWARD (policy ACCEPT)
target     prot opt source                                     destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                                     destination

serveur:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
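Working by rulenum has one trap the help text above does not spell out: the number is a position, not an identifier. Deleting rule 2 renumbers every rule after it, so a list of numbers collected from one listing is only valid until the first deletion. The script below is an added example, not code from the original post: it parses a constructed listing in the format of `iptables -L INPUT -n --line-numbers` (documentation addresses, not the hosts shown above) to find the rulenum of a rule by source address and port, and emits the `iptables -D` commands in descending order so the remaining numbers stay valid. The function names `rule_number` and `plan_deletions` and the `SAMPLE_LISTING` text are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Finds the rulenum of an INPUT
# rule from a numeric listing and orders deletions so rule numbers do not
# shift under you. SAMPLE_LISTING is constructed (RFC 5737 documentation
# addresses) in the format printed by `iptables -L INPUT -n --line-numbers`.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.0.2.10           0.0.0.0/0
2    DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:80
3    DROP       udp  --  203.0.113.5          0.0.0.0/0            udp dpt:28960
4    DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:443'

# rule_number LISTING SOURCE [PROTO PORT]
# Print the number of every rule whose source column equals SOURCE and,
# when PROTO and PORT are given, whose match text contains "PROTO dpt:PORT".
# Feed it the -n listing so the source column is a plain address rather
# than a reverse-DNS name that the remote side controls.
rule_number() {
  listing=$1; src=$2; proto=${3:-}; port=${4:-}
  printf '%s\n' "$listing" | awk -v src="$src" -v proto="$proto" -v port="$port" '
    NR <= 2 { next }                       # "Chain ..." line and column header
    $5 != src { next }                     # column 5 is the source address
    proto == "" { print $1; next }         # no port filter requested
    $3 == proto && $0 ~ (proto " dpt:" port "($| )") { print $1 }
  '
}

# plan_deletions CHAIN RULENUM...
# Emit one "iptables -D CHAIN n" line per number, highest first. Deleting
# rule n renumbers every rule after it, so deleting in ascending order would
# hit the wrong rules; descending order keeps the remaining numbers valid.
plan_deletions() {
  chain=$1; shift
  for n in "$@"; do printf '%s\n' "$n"; done | sort -rn | while read -r n; do
    printf 'iptables -D %s %s\n' "$chain" "$n"
  done
}

# Stand-alone demonstration: find both rules for 198.51.100.7 and print the
# deletion commands in safe order (pipe into sh as root to actually apply them).
nums=$(rule_number "$SAMPLE_LISTING" 198.51.100.7)
plan_deletions INPUT $nums
```

On a live host, replace `$SAMPLE_LISTING` with `"$(iptables -L INPUT -n --line-numbers)"` and re-run the listing immediately before deleting; if a rule is unambiguous, the other form the man page describes, `-D INPUT` followed by the full rule specification, avoids the numbering problem altogether.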
Resources
- Iptables on Wikipedia