Editing rules on iptables

Security


Tags
edit, iptables, remove, rules

Closed    
 
Thread Tools Search this Thread Display Modes
#1  05-30-2011
garric (Registered User)
Editing rules on iptables

Hello,

I was playing around with iptables to set up an isolated system. On a SLES10 system, I ran the commands below to set up my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables.


Code:
# Accept all inbound traffic (only outbound traffic is being restricted here)
iptables -A INPUT -j ACCEPT
# Let packets belonging to already established connections out
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outbound HTTP to one host (xx.xx.xx.xx is the address from the post)
iptables -A OUTPUT -p tcp --dport 80 -d xx.xx.xx.xx -j ACCEPT

# Allow traffic on the loopback interface
iptables -A OUTPUT -o lo -j ACCEPT
# Chain policy: drop any outbound packet no rule above accepted
iptables -P OUTPUT DROP

Now, I want to add a new rule in the middle (let's say, open outbound communication on port 500 for IP yy.yy.yy.yy). But since the rules are evaluated sequentially, it will become effective after my last rule (which is iptables -P OUTPUT DROP). Since all packets match this default rule for output, I cannot add a new rule without rebooting the machine.

I wanted to know if there is a way to introduce new rules without having to reboot the machine, i.e. introduce a rule above the 'iptables -P OUTPUT DROP'. Any help or pointers to documentation would help.

Last edited by pludi; 05-30-2011 at 08:06 AM.
#2  05-30-2011
pludi (Forum Advisor, Vienna, Austria)
First, you can set the default policy anywhere you want, since it's not a rule. I myself always set the default policy right at the beginning of my firewall scripts.

Second, take a look at the man page for iptables. Using iptables -I you can insert rules at any position.
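The two points above in working form, as an added example that is not part of the original thread. The policy is not a rule, so even `-A` lands in front of it; `-I` matters when the new rule must precede another rule that would otherwise match first (a `-j DROP` or `-j REJECT` rule, say). The script reads the chain in `iptables -S` format, counts only `-A` lines (the numbering `iptables -I CHAIN N` and `iptables -L --line-numbers` use), and emits the insert command. The chain dump is constructed from the thread's rules; xx.xx.xx.xx, yy.yy.yy.yy and port 500 (assumed UDP) are the thread's placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread: compute the rule number at
# which a new rule must be inserted so it lands in front of an existing rule,
# then emit (or run) the matching `iptables -I` command.

# Constructed dump in `iptables -S OUTPUT` format matching the thread's rules.
# The `-P` line is the chain policy; it is not a rule and has no number.
SAMPLE_DUMP='-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d xx.xx.xx.xx/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# DRY_RUN=1 (the default) reads the chain from SAMPLE_DUMP and prints the
# command instead of running it; DRY_RUN=0 talks to the real iptables (as root).
DRY_RUN=${DRY_RUN:-1}

# chain_dump CHAIN: print the chain in -S format, from the sample or live.
chain_dump() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$SAMPLE_DUMP"
    else
        iptables -S "$1"
    fi
}

# rule_position CHAIN PATTERN: print the 1-based number of the first -A rule
# whose text matches PATTERN (a grep regex). Only -A lines are counted.
# Prints nothing and returns 1 if no rule matches.
rule_position() {
    chain_dump "$1" | grep '^-A ' | grep -n -- "$2" | head -n 1 | cut -d: -f1 | grep .
}

# insert_rule_before CHAIN PATTERN RULE-ARGS...: insert RULE-ARGS at the
# position of the first rule matching PATTERN; that rule and everything after
# it move down by one.
insert_rule_before() {
    chain=$1
    pattern=$2
    shift 2
    pos=$(rule_position "$chain" "$pattern") || {
        echo "no rule in $chain matches '$pattern'" >&2
        return 1
    }
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I $chain $pos $*"
    else
        iptables -I "$chain" "$pos" "$@"
    fi
}

# Put the new port-500 rule in front of the loopback rule (rule 3 in the
# sample), which then becomes rule 4.
insert_rule_before OUTPUT '-o lo' -p udp --dport 500 -d yy.yy.yy.yy -j ACCEPT
```

Run as-is to see the command that would be issued; `DRY_RUN=0 sh script.sh` as root applies it. Removing a rule works the same way with the number (`iptables -D OUTPUT N`), so re-list with `iptables -L OUTPUT -n --line-numbers` after every insert, because the numbers shift.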
#3  06-01-2011
garric (Registered User)
Thanks pludi.

>> First, you can set the default policy anywhere you want, since it's not a rule.

I want to open specific ports at the output and block the rest. Putting the default output blocking policy first would make the machine unusable. Thus, I shifted it to the bottom of the firewall script and that worked. Is there anything I am doing wrong here?

>> Second, take a look at the man page for iptables.

Thank you!
#4  06-01-2011
pludi (Forum Advisor, Vienna, Austria)
Quote:
Originally Posted by garric View Post
I want to open specific ports at the output and block the rest. Putting the default output blocking policy first would make the machine unusable. Thus, I shifted it to the bottom of the firewall script and that worked. Is there anything I am doing wrong here?
The default policy takes immediate effect when set, that's true. However, it only blocks you out if you enter the commands manually, which should be the exception, not the rule. When using a script you can set the default policy first, and then open the ports you need without interrupting any traffic.
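The "policy first, then the rules, from a script" approach above can be made airtight by loading the whole ruleset through `iptables-restore`, which builds the table in userspace and commits it to the kernel in one step, so there is no moment at which the policy is DROP but the ACCEPT rules are missing, and a syntax error leaves the running ruleset untouched. The script below is an added example, not code from the thread: it generates the thread's OUTPUT rules plus the port-500 rule (assumed UDP) in iptables-save format, sanity-checks the text, and prints it unless told to apply. xx.xx.xx.xx and yy.yy.yy.yy are the thread's placeholders and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread: build the complete filter
# ruleset as iptables-restore input and load it in a single commit.

# build_ruleset: write the ruleset in iptables-save format to stdout.
# A ':CHAIN POLICY [packets:bytes]' line sets the chain policy; nothing
# reaches the kernel until COMMIT.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 80 -d xx.xx.xx.xx -j ACCEPT
-A OUTPUT -p udp --dport 500 -d yy.yy.yy.yy -j ACCEPT
COMMIT
EOF
}

# check_ruleset: sanity-check the generated text before handing it to the
# kernel: one COMMIT per table, an explicit OUTPUT DROP policy, and no
# accept-everything rule in OUTPUT that would silently defeat that policy.
check_ruleset() {
    rules=$(build_ruleset)
    tables=$(printf '%s\n' "$rules" | grep -c '^\*')
    commits=$(printf '%s\n' "$rules" | grep -c '^COMMIT$')
    [ "$tables" -eq "$commits" ] || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP ' || return 1
    ! printf '%s\n' "$rules" | grep -q '^-A OUTPUT -j ACCEPT$' || return 1
    return 0
}

# apply_ruleset: with APPLY=1 (as root) load the ruleset atomically; by
# default only print what would be loaded. iptables-restore flushes and
# replaces the listed table, so every rule you want to keep must be in it.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed sanity check" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        build_ruleset | iptables-restore
    else
        build_ruleset
    fi
}

apply_ruleset
```

Before applying on a remote box, keep a copy of the current state with `iptables-save > some-file` so you can `iptables-restore < some-file` to back out; the same atomic load is how to add the port-500 rule later: edit the ruleset, re-run with `APPLY=1`.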
#5  09-13-2011
Randeep (Registered User)
Code:
iptables -I INPUT NUMBER_OF_LINE ** -j ACCEPT