Set Up Firewall Using Iptables On Ubuntu Part 2

Continued from Set Up Firewall Using Iptables On Ubuntu Part 1.

-A INPUT: The -A flag appends a rule at the end of a chain. This part of the command tells iptables that we want to add a new rule, that the rule should go at the end of the chain, and that the chain we want to operate on is the INPUT chain.

-m conntrack: iptables has a set of core functionality and also a set of extensions or modules that provide extra abilities. This part of the command asks for the functionality provided by the conntrack module, which lets rules make decisions based on a packet's relationship to previous connections.

--ctstate: This option is made available by the conntrack module. It lets us match a packet according to how it relates to packets we have already seen.

-j ACCEPT: This specifies the target for matching packets. Here we tell iptables that packets matching the previous criteria should be accepted and allowed through.

We can see the change by listing the rules:

sudo iptables -L
Output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Now that you know the general syntax, let's continue by adding some more cases where we want to accept connections.

Accept Other Necessary Connections

We have told iptables to keep connections that are already open and to allow new connections related to those connections.

We also want to keep two specific ports open: the SSH port (port 22 by default; if you changed it in the SSH configuration, change it here too), and we will assume the computer is running a web server on the default port 80.

These are the two commands we will use for this:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

As you can see, this is very similar to the first rule, but perhaps simpler.

-p tcp: This option matches packets whose protocol is TCP. TCP is a connection-based protocol used by most applications because it provides reliable communication.

--dport: This option is only available when the -p tcp flag is given. It adds the further requirement that the packet's destination port must match. The first rule matches TCP packets addressed to port 22, while the second matches TCP traffic heading for port 80.

There is one more rule we need to make sure the server can function properly. Services on the same computer often communicate with each other by sending packets. They do this through a network interface called the loopback, which directs traffic back to the machine itself instead of to other hosts. So if one service wants to talk to another service listening on port 4555, it can send a packet to port 4555 of the loopback device. We want this to be allowed, because it is essential for the correct operation of many programs.

The rule we need to add:

sudo iptables -I INPUT 1 -i lo -j ACCEPT

This looks a bit different than our other commands. Let's go over what it is doing:
-I INPUT 1: The -I flag tells iptables to insert a rule. This is different from the -A flag, which appends a rule to the end of the chain; -I takes the chain and the position at which you want to insert the new rule. In this case we add this rule as the first rule of the INPUT chain. This places it above all our other rules; we want it at the top so that it is fundamental and is not affected by the rules that follow.

-i lo: This component of the rule matches packets that use the interface "lo". The "lo" interface is another name for the loopback device, so this means that all packets communicating over that interface (packets generated on our own server) will be accepted.
To see our current rules we should now use the -S flag. This is because the -L output leaves out some information, such as the interface associated with a rule, which is an important part of the rule we just added.

sudo iptables -S
Output:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
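The four rules above are the whole procedure of this post so far. As an added example (not from the original post), the script below does two things without needing root or a live firewall: build_rules prints the iptables commands in the order they should be applied (SSH and web ports are parameters, defaulting to 22 and 80), and audit_dump checks an `iptables -S` dump for the same rules and, in particular, that the loopback rule is the first rule in INPUT, which is the detail that -A instead of -I would get wrong. The two dumps embedded in the script are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the iptables commands
# from the post and audits an `iptables -S` dump for them. Runs offline.

# build_rules [SSH_PORT] [WEB_PORT]: print the commands in apply order.
build_rules() {
    ssh_port="${1:-22}"
    web_port="${2:-80}"
    # Loopback is inserted at position 1 so no later rule can block local traffic
    echo "iptables -I INPUT 1 -i lo -j ACCEPT"
    # Keep already-established sessions and their related packets flowing
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${ssh_port} -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport ${web_port} -j ACCEPT"
}

# input_rule_pos DUMP PATTERN: 1-based position of the first "-A INPUT" line in
# DUMP containing the fixed string PATTERN, or 0 if no rule matches.
input_rule_pos() {
    pos=$(printf '%s\n' "$1" | grep '^-A INPUT ' | grep -nF -- "$2" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# audit_dump DUMP [SSH_PORT] [WEB_PORT]: one line per check; returns the
# number of failed checks (0 means the dump matches the post's ruleset).
audit_dump() {
    dump="$1"; ssh_port="${2:-22}"; web_port="${3:-80}"; failed=0
    lo_pos=$(input_rule_pos "$dump" "-i lo -j ACCEPT")
    if [ "$lo_pos" -eq 1 ]; then
        echo "ok    loopback accept is the first INPUT rule"
    else
        echo "FAIL  loopback accept missing or not first (position $lo_pos)"
        failed=$((failed + 1))
    fi
    for pat in "--ctstate RELATED,ESTABLISHED -j ACCEPT" \
               "--dport ${ssh_port} -j ACCEPT" \
               "--dport ${web_port} -j ACCEPT"; do
        if [ "$(input_rule_pos "$dump" "$pat")" -gt 0 ]; then
            echo "ok    rule matching: $pat"
        else
            echo "FAIL  missing rule matching: $pat"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample: what `iptables -S` shows after following the post.
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed bad sample: loopback added with -A (so it is last) and no web rule.
BAD_DUMP='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT'

echo "# commands to apply, in order:"
build_rules
echo "# audit of the good sample dump:"
audit_dump "$SAMPLE_DUMP" || echo "# $? check(s) failed"
echo "# audit of the bad sample dump:"
audit_dump "$BAD_DUMP" || echo "# $? check(s) failed"
```

To audit a real machine, replace the sample with `audit_dump "$(sudo iptables -S)"`; a non-zero return means at least one of the post's rules is missing or the loopback rule is not at the top of INPUT.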

To be continued...
Labels: COMPUTER NETWORKING, PROXY SERVER, UBUNTU
