1,234
edits
Changes
→Creating Customized Chains
'''Perform the following steps for your vm1 machine:'''
# Change the '''default policy''' on the '''INPUT''' and '''FORWARD''' chains in the filter table to '''DROP'''.
# Remove the rules from the '''INPUT''' and '''FORWARD''' chains that are rejecting all traffic (we are now better protected by the ''default policy'').<br><br>We will now create a new chain in order to create rules just relating to the '''ssh''' service:<br><br>
# Create a new chain named '''MYSSH''' in the filter table. Refer to notes or other resources to learn now to name a chain.
# Add a rule to the beginning of the '''INPUT''' chain of your filter table that sends all '''ssh''' traffic (i.e. tcp packets with destination port 22) to your '''MYSSH''' chain. Make sure this new rule follows (not preceeds) the RELATED,ESTABLISHED rule, so it doesn't apply to existing connections.
#* '''Note:''' Use '''--jump''' or '''-j''' (<u>not</u> --goto) to move to a target.
# Add a rule to your '''MYSSH''' chain to accept all traffic on your virtual interface from '''192.168.X.0/24''' (i.e. your internal network).
# Add rules to the '''end of the MYSSH chain''' to drop all remaining '''ssh''' connections, but to log these denied packets with log level 'info' and log prefix "DENIED BY MYSSH" before doing so.
# Issue '''iptables -L''' to view your firewall rules for your newly-created chain.<br><br>Let's create a new chain to create rules relating only to the '''ICMP''' protocol (ping):<br><br>
# Remove the rules in your '''INPUT''' chain that are allowing all '''icmp''' and '''ssh''' traffic.
# Make a new chain named '''MYICMP'''.
# Add a rule to the beginning of the '''INPUT''' chain to send '''ICMP''' packets to your '''MYICMP''' chain.
