Difference between revisions of "Talk:Iptables"

From ArchWiki

Revision as of 15:57, 17 July 2011

Is that correct?

"Chains are used to specify rulesets. A packet begins at the top of a chain and progresses downwards until it hits a rule. There are three built-in chains: INPUT, OUTPUT and FORWARD. '''All outbound traffic passes through the forward chain, and all inbound traffic passes through the FORWARD chain.''' The three built-in chains have default targets which are used if no rules are hit. User-defined chains can be added to make rulesets more efficient."

Is the bold-marked text really correct? If yes: what do the output/input chains do? --Evilandi666 11:57, 17 July 2011 (EDT)

Merge

It seems to me that Iptables and Simple stateful firewall HOWTO should be merged into a single document named iptables. Ideally, various pages could point to the iptables page for configuration options. These include router instructions, etc. Of course, I volunteer to do all the work. --Arcanazar 14:58, 30 July 2009 (EDT)

I agree on the merge; the link provided is much more in depth. In short, this page should point there or vice versa. --Prometheanfire 15:05, 30 July 2009 (EDT)

Basically, I'm suggesting that Simple stateful firewall HOWTO be moved to this page. Everything I have put on this page, so far, came from there anyway. --Arcanazar 15:10, 30 July 2009 (EDT)

I guess it just depends on whether or not we want to classify the page as a class (Stateful Firewall) or a program (IPTABLES). This is honestly the first time I have edited a wiki except for grammatical errors, so I do not know the proper procedure. --Prometheanfire 16:24, 30 July 2009 (EDT)

There really is no proper procedure. Basically, the best page is whatever is going to be the most useful. Since (IMHO), more people will search for "iptables" than "Stateful Firewall", iptables is the better name. --Arcanazar 16:31, 30 July 2009 (EDT)

NAT Firewall

This is a combination of laziness and the like; this is an old setup that I have since moved from (to a hardware firewall). This setup is of a NATting firewall with a few port forwards.

# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
*raw
:PREROUTING ACCEPT [123119306:66686923721]
:OUTPUT ACCEPT [8218577:4064226432]
COMMIT
# Completed on Tue Jun  5 19:52:40 2007
# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
*nat
:PREROUTING ACCEPT [1284892:103455725]
:POSTROUTING ACCEPT [708950:58789746]
:OUTPUT ACCEPT [81288:4974397]
:DNS - [0:0]
-A PREROUTING -p udp -m udp --dport 1337 -j DNAT --to-destination 10.0.0.42:1337 
-A PREROUTING -p udp -m udp --dport 54420 -j DNAT --to-destination 10.0.0.42:54420 
-A PREROUTING -p tcp -m tcp --dport 54420 -j DNAT --to-destination 10.0.0.42:54420 
-A PREROUTING -p tcp -m tcp --dport 54421 -j DNAT --to-destination 10.0.0.42:54421 
-A PREROUTING -p udp -m udp --dport 54421 -j DNAT --to-destination 10.0.0.42:54421 
-A PREROUTING -p udp -m udp --dport 7314 -j DNAT --to-destination 10.0.0.42:7314 
-A PREROUTING -p udp -m udp --dport 2424 -j DNAT --to-destination 10.0.0.42:2424 
-A PREROUTING -i eth3 -p tcp -m tcp --dport 3724 -j DNAT --to-destination 10.0.0.42:3724 
-A PREROUTING -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 10.0.0.42 
-A POSTROUTING -o eth3 -j MASQUERADE 
COMMIT
# Completed on Tue Jun  5 19:52:40 2007
# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
*mangle
:PREROUTING ACCEPT [123119304:66686924548]
:INPUT ACCEPT [8600443:3272731641]
:FORWARD ACCEPT [114518165:63414136121]
:OUTPUT ACCEPT [8218577:4064226432]
:POSTROUTING ACCEPT [122677262:67474602455]
COMMIT
# Completed on Tue Jun  5 19:52:40 2007
# Generated by iptables-save v1.3.5 on Tue Jun  5 19:52:40 2007
*filter
:INPUT ACCEPT [3327494:1199833518]
:FORWARD ACCEPT [1:0]
:OUTPUT ACCEPT [8211773:4063626894]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m multiport --dports 111,2049,4001,32764:32767 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 49152:65534 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 1337 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 54420 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p tcp -m tcp --dport 54420 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p tcp -m tcp --dport 54421 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 54421 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 7314 -j ACCEPT 
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 2424 -j ACCEPT 
-A FORWARD -d 10.0.2.0/255.255.255.0 -i eth2 -j DROP 
-A FORWARD -d 10.0.1.0/255.255.255.0 -i eth1 -j DROP 
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth0 -j DROP 
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth3 -j ACCEPT 
-A FORWARD -d 10.0.1.0/255.255.255.0 -i eth3 -j ACCEPT 
-A FORWARD -d 10.0.2.0/255.255.255.0 -i eth3 -j ACCEPT 
-A FORWARD -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT 
-A FORWARD -s 10.0.1.0/255.255.255.0 -i eth1 -j ACCEPT 
-A FORWARD -s 10.0.2.0/255.255.255.0 -i eth2 -j ACCEPT 
-A FORWARD -s 10.0.0.42 -p tcp -m tcp --dport 6881:6999 -j ACCEPT 
-A FORWARD -s 192.168.1.2 -p tcp -m tcp --dport 6881:6889 -j ACCEPT 
COMMIT
# Completed on Tue Jun  5 19:52:40 2007

--Prometheanfire 14:31, 30 July 2009 (EDT)
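As an added example (not code from the page or from any of the participants), this Python audit parses the iptables-save dump above and, for each DNAT port-forward in the nat PREROUTING chain, reports which filter FORWARD rule accepts the rewritten packet. FORWARD is the chain a forwarded packet reaches after the routing decision, which also answers the chain question earlier on this page: packets addressed to the router itself go to INPUT and packets the router generates go to OUTPUT. It assumes a trimmed excerpt of the dump and that every option on a rule line takes exactly one argument.

```python
import ipaddress
# Constructed excerpt of the dump on the page (comments and packet counters dropped).
DUMP = """\
*nat
-A PREROUTING -p udp -m udp --dport 1337 -j DNAT --to-destination 10.0.0.42:1337
-A PREROUTING -i eth3 -p tcp -m tcp --dport 3724 -j DNAT --to-destination 10.0.0.42:3724
-A PREROUTING -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 10.0.0.42
COMMIT
*filter
:FORWARD ACCEPT [1:0]
-A FORWARD -d 10.0.0.42 -p udp -m udp --dport 1337 -j ACCEPT
-A FORWARD -d 10.0.0.0/255.255.255.0 -i eth3 -j ACCEPT
COMMIT
"""

def port_range(spec):  # "6881:6889" -> (6881, 6889); "1337" -> (1337, 1337)
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_dump(text):  # returns (table, chain, options, line) rules plus chain policies
    rules, policies, table = [], {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tok = line.split()  # assumes every option takes exactly one argument
            rules.append((table, tok[1], dict(zip(tok[2::2], tok[3::2])), line))
    return rules, policies

def covers(opts, proto, host, lo, hi, iface):
    # Match a FORWARD rule against the post-DNAT packet; an -i restriction counts only when the DNAT rule has the same -i.
    flo, fhi = port_range(opts.get("--dport", f"{lo}:{hi}"))
    net = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
    return (opts.get("-p", proto) == proto and ipaddress.ip_address(host) in net
            and flo <= lo and hi <= fhi and opts.get("-i", iface) == iface)

def audit(text):  # DNAT forward "proto/lo:hi" -> covering FORWARD ACCEPT rules, or the chain policy
    rules, policies = parse_dump(text)
    fwd = [(o, ln) for t, c, o, ln in rules if (t, c, o.get("-j")) == ("filter", "FORWARD", "ACCEPT")]
    report = {}
    for t, _, o, _ in rules:
        if (t, o.get("-j")) == ("nat", "DNAT"):
            host, _, port = o["--to-destination"].partition(":")
            lo, hi = (int(port), int(port)) if port else port_range(o["--dport"])
            hits = [ln for fo, ln in fwd if covers(fo, o["-p"], host, lo, hi, o.get("-i"))]
            report[f"{o['-p']}/{lo}:{hi}"] = hits or [f"policy {policies['filter', 'FORWARD']}"]
    return report
```

On this excerpt the 6881:6889 forward is matched by no explicit FORWARD rule and is carried only by the chain's ACCEPT policy, which is the kind of reliance on a default the check is meant to surface.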