Difference between revisions of "Iptables"

From ArchWiki
[[Category:Security (English)]][[Category:Networking (English)]][[Category:HOWTOs (English)]]
 
{{stub}}

{{Article summary start}}

Revision as of 22:13, 27 October 2009

This article is a stub.


Introduction

iptables is the userspace tool for administering the packet-filtering framework (netfilter) built into the Linux kernel. It is a large and complex piece of software: rules are organised into tables (filter, nat, mangle), each table into chains, and a single wrong rule can silently block or expose traffic.

Installation

The installation of iptables is the only simple part of this process:

# pacman -S iptables

That's it! Now, move on to configuration.

Configuration

These instructions assume that the filter table currently holds no rules. Check with:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

If the output looks like the above (only the three built-in chains, policy ACCEPT, and no rule lines beneath the column headers), there are no rules. Note that without -t this lists only the filter table; inspect the nat and mangle tables with iptables -t nat -nvL and iptables -t mangle -nvL. If the output does not look like the above, reset the filter table with:

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X

The order matters: set the policies to ACCEPT before flushing. If a chain's policy is DROP and its rules are flushed first, every packet is dropped until the policy is changed, which locks you out of a remote session. -F flushes the rules of every chain in the table and -X deletes the (now empty) user-defined chains; repeat both with -t nat or -t mangle to clear those tables too.
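The check and the reset above, put into a POSIX sh script as an added example (this is not code from the ArchWiki page). The samples of `iptables -nvL` output embedded in it are constructed to match the format shown above; the live reset only runs when the script is invoked as root with an explicit --reset argument, so the parsing function can be exercised safely anywhere.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): verify that the filter table is
# empty before applying a configuration, and reset it in the safe order if not.

# Constructed sample: what `iptables -nvL` prints on a host with no rules.
EMPTY_SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: one rule in INPUT plus a user-defined chain, so the table
# is not empty. The DROP policy is exactly the case where flush order matters.
RULED_SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROP (0 references)
 pkts bytes target     prot opt in     out     source               destination'

# ruleset_is_empty: read `iptables -nvL` output on stdin; exit 0 only if the
# table has exactly the three built-in chains and not a single rule line.
ruleset_is_empty() {
    awk '
        /^Chain /    { chains++
                       if ($2 != "INPUT" && $2 != "FORWARD" && $2 != "OUTPUT") extra = 1
                       next }
        /^ *pkts /   { next }        # column header printed under each chain
        /^[ \t]*$/   { next }        # blank separator between chains
                     { rules++ }     # anything else is a rule
        END { if (chains == 3 && !extra && rules == 0) exit 0; exit 1 }
    '
}

# reset_filter_table: the reset sequence from the article, in the order that
# matters. Policies go to ACCEPT first so that flushing can never leave a DROP
# policy standing with no ACCEPT rules (which would cut a remote SSH session);
# then -F flushes all rules and -X removes the emptied user-defined chains.
reset_filter_table() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -X
}

# Touch the live firewall only on explicit request, as root, with iptables
# present. Without --reset the functions above are merely defined.
if [ "${1:-}" = "--reset" ] && [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    if iptables -nvL | ruleset_is_empty; then
        echo "filter table is empty; nothing to reset"
    else
        echo "filter table has rules or extra chains; resetting"
        reset_filter_table
    fi
fi
```

Run it as `sh check-reset.sh --reset` on the host; without the flag it is safe to source and to feed `iptables -nvL` output into `ruleset_is_empty` by hand.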

Iptables logging

iptables itself writes nothing to disk: log messages are emitted by the kernel when a packet hits a rule with the LOG target (-j LOG), and they reach syslog with the kern facility. Assuming you are using syslog-ng, which is the default in Arch Linux, you control where those messages go in syslog-ng.conf. Change the f_everything filter from

filter f_everything { level(debug..emerg) and not facility(auth, authpriv); };

to

filter f_everything { level(debug..emerg) and not facility(auth, authpriv) and not filter(f_iptables); };

This stops iptables output from also being written to /var/log/everything.log; it relies on the f_iptables filter that the default configuration already defines for iptables messages.

If you want iptables to log to a file other than /var/log/iptables.log, change the file value of the d_iptables destination (still in syslog-ng.conf):

destination d_iptables { file("/var/log/iptables.log"); };

An unrestricted LOG rule on a busy interface can flood the log; pair LOG with the limit match (-m limit) so that a port scan or flood cannot fill the disk.
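Producing and triaging those log lines, as an added example that is not code from the ArchWiki page. It assumes that the f_iptables filter selects kernel messages containing both "IN=" and "OUT=" (the fields every LOG-target line carries), and it uses a hypothetical LOGDROP chain with the prefix "[IPT-DROP] ", which is this example's choice. The log lines embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): a rate-limited LOG+DROP chain,
# and shell helpers that pick the LOG target's lines out of a syslog file and
# summarise who is being dropped and which ports they touched.

# add_logdrop_chain: user-defined chain that logs (rate-limited) and then drops.
# Hypothetical usage afterwards, as root:  iptables -A INPUT -j LOGDROP
add_logdrop_chain() {
    iptables -N LOGDROP
    iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "[IPT-DROP] " --log-level 4
    iptables -A LOGDROP -j DROP
}

# Constructed sample of /var/log/iptables.log content: three LOG-target lines
# (kernel facility, carrying IN= and OUT=) and one unrelated sshd line that the
# IN=/OUT= test must skip, exactly as the f_iptables filter would.
SAMPLE_LOG='Oct 27 22:13:01 arch kernel: [IPT-DROP] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 SYN
Oct 27 22:13:02 arch kernel: [IPT-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=54322 DPT=23 SYN
Oct 27 22:13:03 arch sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Oct 27 22:13:04 arch kernel: [IPT-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TTL=64 PROTO=UDP SPT=5353 DPT=5353'

# iptables_log_lines: keep only lines the LOG target produced (both IN= and OUT=).
iptables_log_lines() {
    grep 'IN=' | grep 'OUT='
}

# top_sources: dropped packets per source address, most frequent first.
top_sources() {
    iptables_log_lines | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
        END { for (s in n) print n[s], s }' | sort -rn
}

# ports_from: sorted, de-duplicated destination ports seen from one source.
ports_from() {
    iptables_log_lines | awk -v src="$1" '
        { hit = 0; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "SRC=" src) hit = 1
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (hit && dpt != "") print dpt }' | sort -n | uniq
}

# Example run on the constructed sample (on a real host: < /var/log/iptables.log).
printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '%s\n' "$SAMPLE_LOG" | ports_from 203.0.113.5
```

The IN=/OUT= test is deliberately the same criterion the syslog-ng filter is assumed to use, so a line that lands in /var/log/iptables.log is a line these helpers will count; anything else in the file is ignored rather than miscounted.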