gentoo Iptables

Reposted on 31 May 2010, 11:41:00



From Gentoo Linux Wiki




Introduction

iptables is a program for controlling the Linux Kernel's firewall. By default it allows all incoming and outgoing connections.

Installation

emerge -av iptables

Getting Started

By default iptables permits all incoming and outgoing connections; however, some rules may already exist on your system. To see the current set of rules, type:

/sbin/iptables -L

You should see three chains, all empty. If you don't, you can back up your rules by running

> ~/

which will put the file into your home directory. Should you want to reload your old configuration, you can run

< ~/

Now that any old rules have been saved for later reference, you can type:

iptables -F

to flush (delete everything in) the rule set. The most basic rule to apply is the default policy: if no other rule on a chain matches, the chain's default destination (policy) is used. For INPUT we want this to be DROP, but before setting it you must make sure that you won't cut yourself off from the internet (a bare DROP policy blocks ALL incoming traffic, including the replies to your own connections). To make this policy viable, your kernel needs to be able to keep track of active TCP connections as well as related UDP packets. Therefore, you must enable connection tracking in the kernel:

Linux Kernel Configuration: iptables configuration

Networking support --->
  Networking options --->
    [*] Network packet filtering framework (Netfilter) --->
      Core Netfilter Configuration --->
        <*> Netfilter connection tracking support
        -*- Netfilter Xtables support (required for ip_tables)
        <*> "state" match support

After configuring your kernel, you can now type:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This tells iptables to append a rule to the INPUT chain (-A INPUT) that accepts (-j ACCEPT) packets as long as they belong to, or are related to, an existing connection. The -m state option tells iptables to load the match extension (module) called state, and --state RELATED,ESTABLISHED is the argument to that module, naming which connection states to match (RELATED and ESTABLISHED). So -m state --state is not redundant: -m loads the module and --state configures it. Now you are ready to secure your system. Change the default policy for INPUT to DROP:

iptables -P INPUT DROP

You should still be able to get on the internet and do all your normal tasks; it's just that no new connections can be made from the outside in. If you have no need for incoming connections you are set; if you want to do something more advanced, move on to the next section.

And last, you need to accept packets arriving on the loopback interface (lo), so that local programs can still connect to services on the same machine:

iptables -I INPUT -i lo -j ACCEPT

Advanced

Logging

Logging messages requires syslog-ng to be installed and running:

emerge -av syslog-ng

It is a good idea to have it started at boot by adding it to the default runlevel:

rc-update add syslog-ng default

Once this is set up, you can add the LOG rule to your chains:

iptables -A INPUT -j LOG

LOG is a non-terminating target: after logging, the packet continues down the chain. So if you put the LOG rule at the beginning of the chain you will log ALL packets; if you put it at the end and the policy is DROP, it will log exactly the packets that are about to be dropped. If your default policy is ACCEPT, you should instead create a chain called LOGDROP and jump to it wherever you would otherwise drop a packet, so that the packet is logged and then dropped. To do this, run the following commands:

iptables -N LOGDROP

creates a new chain named LOGDROP,

iptables -A LOGDROP -j LOG

logs the packets that arrive in the chain, and

iptables -A LOGDROP -j DROP

drops them. Now, instead of "-j DROP", use "-j LOGDROP" whenever you want both behaviours, for instance when blocking specific ports.
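The Getting Started steps and the LOGDROP chain above, put together as one script. This is an added example, not the wiki's own code; the ipt wrapper, the DRY_RUN switch (which prints the commands instead of running them, so the ruleset can be reviewed without root), the --log-prefix value and the BLOCKED_TCP_PORTS list are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): the Getting Started and
# Logging steps as one script. DRY_RUN=1 prints the iptables commands
# instead of executing them (no root or iptables binary needed to review).

ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Ports to drop with logging; constructed for this example, not on the page.
BLOCKED_TCP_PORTS="23 445"

build_firewall() {
    # Clean slate: flush rules, delete user-defined chains, zero counters.
    ipt -F
    ipt -X
    ipt -Z

    # Keep existing sessions alive BEFORE the policy becomes DROP, otherwise
    # a remote administrator locks themselves out.
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Local services talk to each other over loopback; allow it.
    ipt -I INPUT -i lo -j ACCEPT

    # LOGDROP: LOG is non-terminating, so the packet falls through to DROP.
    ipt -N LOGDROP
    ipt -A LOGDROP -j LOG --log-prefix "LOGDROP: "
    ipt -A LOGDROP -j DROP

    # Explicitly blocked ports go through LOGDROP so each attempt is recorded.
    for port in $BLOCKED_TCP_PORTS; do
        ipt -A INPUT -p tcp --dport "$port" -j LOGDROP
    done

    # Only now is it safe to make DROP the default for unmatched input.
    ipt -P INPUT DROP
}

# Usage:  sh firewall.sh dry-run   (review)    sh firewall.sh apply   (as root)
case "${1:-}" in
    dry-run) DRY_RUN=1; build_firewall ;;
    apply)   build_firewall ;;
esac
```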

Once all this is done, any logged packets will be written to /var/log/messages, along with the rest of the kernel (dmesg) output.
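Reading those log lines back is the other half of logging. The following is an added example, not part of the wiki page: a small summariser over the kernel LOG entries in /var/log/messages, assuming the LOGDROP chain's LOG rule was given --log-prefix "LOGDROP: "; the sample log lines are constructed and abridged to the fields used.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page). Summarises kernel LOG lines
# written by a LOGDROP chain whose LOG rule used --log-prefix "LOGDROP: "
# (that prefix is an assumption of this example).

# Constructed sample of /var/log/messages, abridged to the fields used here.
SAMPLE_LOG='May 31 11:41:00 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=23 SYN
May 31 11:41:01 gentoo kernel: eth0: link is up
May 31 11:41:02 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=445 SYN
May 31 11:41:03 gentoo kernel: LOGDROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=23 SYN'

# Reads syslog lines on stdin, keeps only LOGDROP entries and prints
# "hits source dport proto", most frequent first.
summarize_logdrop() {
    awk '
        /LOGDROP: / {
            src = dpt = proto = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue        # flags like SYN carry no "="
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            hits[src " " dpt " " proto]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# The single busiest source/port pair, e.g. to feed an alert.
top_logdrop() {
    summarize_logdrop | head -n 1
}

# Live use:  summarize_logdrop < /var/log/messages
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_logdrop
```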

Routing

A very good guide to using your Linux box as a router can be found here: Many of the iptables tips in this section carry over and will help you understand and modify what you do in that guide.

Command Examples

  • Appends a rule to the INPUT chain that allows UDP packets destined for port 22 (--dport 22):
iptables -A INPUT -p udp --dport 22 -j ACCEPT
  • Inserts a rule at position 2 (between rules 1 and 2) that does the same as above, for TCP:
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
  • Deletes the rule that matches the given specification, for instance the one inserted above:
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
  • Deletes the second rule in the INPUT chain by its number:
iptables -D INPUT 2
  • Prints out all the current rules with packet and byte counters; a chain name may be appended to print just that chain:
iptables -L -v
  • Zeros the packet and byte counters; a chain name may be appended to zero only that chain:
iptables -Z
