OPS235 Lab 7 - CentOS7 - HD2

3,318 bytes removed, 18:19, 24 October 2016
:'''iptables Command Structure (for setting exceptions):<br>(NOTE: If a column is not specified in the iptables command, the rule matches ALL values for that field, e.g. omitting -p matches every protocol and omitting -s matches every source address)'''<br><table width="100%" cellpadding="10" cellspacing="0" border="1"><tr valign="top"><td>Place Rule in Chain</td><td>Chain Name</td><td>Specify Protocol</td><td>Source/Destination IPADDR</td><td>Port Number</td><td>Action<br> -&gt;</td><td>Target</td></tr><tr valign="top"><td>'''-A''' (add / Append to bottom of chain)<br>'''-I''' (insert at top of chain)<br>'''-I CHAIN-NAME 5''' (insert before rule #5 in CHAIN-NAME; note the capital I, since lower-case -i selects the input interface)</td><td>'''INPUT'''<br>'''OUTPUT'''<br>'''FORWARD'''<br>'''CHAIN-NAME'''</td><td>'''-p tcp''' (tcp packets)<br>'''-p udp''' (datagram packets)<br>'''-p icmp''' (icmp packets)<br>'''-p all''' (any protocol; -p takes one protocol per rule, so write separate rules to cover several)<br>(refer to '''/etc/protocols''' for available network protocols)</td><td>'''-s IPADDR''' (originating IPADDR or network, e.g. 192.168.0.0/24)<br>'''-d IPADDR''' (destination IPADDR or network)</td><td>'''--sport 22''' (originating port 22 - SSH)<br>'''--sport 80''' (originating port 80 - http)<br>'''--dport 22''' (destination port 22 - SSH)<br>'''--dport 80''' (destination port 80 - http)<br><br>(--sport and --dport are only valid after '''-p tcp''' or '''-p udp'''; refer to '''/etc/services''' for available port numbers)</td><td>'''-j''' </td><td>'''ACCEPT'''<br>'''REJECT'''<br>'''DROP'''<br>'''LOG''' (non-terminating: the packet continues to the next rule)</td>
</tr></table><br><br>
 
 
The <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-j</span></code></b> option is used to redirect (jump) packets to a target (ACCEPT, REJECT, DROP, LOG) if the packet matches that rule. ACCEPT, REJECT and DROP end processing of the packet; LOG writes a kernel log entry and processing continues with the next rule, so LOG is normally followed by a DROP or REJECT rule. The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-p</span></code></b> indicates the protocol (e.g. tcp, udp, icmp). The options <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">--dport</span></code></b> or <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">--sport</span></code></b> indicate the "destination communication port" or "source communication port" respectively, and are only accepted after <b>-p tcp</b> or <b>-p udp</b>. You can view the file '''/etc/services''' to determine the port number for the appropriate network service. The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-A</span></code></b> is used to append the rule to the <u>bottom</u> of the chain. The option <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-I</span></code></b> is used to insert a rule before an existing rule number (if used with no number, it inserts at the <u>top</u> of the chain). Rule order matters: a chain is evaluated from the top and the first matching terminating rule decides the packet's fate, so check the current numbering with '''iptables -L -n --line-numbers''' before inserting.
 
'''Examples:'''
 
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="40%">'''iptables -A INPUT -p tcp --sport 80 -j ACCEPT'''</td><td>Append rule to <u>'''bottom'''</u> of INPUT chain to accept all tcp packets whose source port is 80 (replies from web servers; note that any remote host can choose source port 80, so a stateful match on established connections is the safer way to admit replies)</td>
</tr><tr>
<td>'''iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT'''</td><td>Append rule to <u>'''bottom'''</u> of OUTPUT chain to accept all tcp packets to destination port 80</td>
</tr><tr>
<td>'''iptables -I INPUT -p tcp --sport 22 -j LOG'''</td><td>Insert rule at '''<u>top</u>''' of INPUT chain to log all tcp packets from source port 22 (LOG does not stop processing; the packet continues to the next rule)</td>
</tr><tr>
<td>'''iptables -I INPUT 3 -p tcp --dport 22 -j LOG'''</td><td>Insert rule <u>'''before rule 3'''</u> of INPUT chain to log all tcp packets to destination port 22 (SSH)</td>
</tr>
</table>
 
 
You can also set exceptions to the default policy for specific IP Addresses by using the options <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-d IPADDR</span></code></b> or <b><code><span style="pointer-events: none;cursor: default;color:#3366CC;font-size:1.5em;">-s IPADDR</span></code></b>
 
 
<table width="100%" cellpadding="10" cellspacing="0" border="1">
<tr>
<td width="45%">'''iptables -A INPUT -p tcp -s 192.168.0.0/24 --sport 22 -j ACCEPT'''</td><td>Append rule to bottom of INPUT chain to ACCEPT tcp packets from any host in the network 192.168.0.0/24 with source port 22 (note the double dash on '''--sport'''; a single dash is rejected by iptables)</td>
</tr><tr>
<td>'''iptables -A OUTPUT -p tcp -d 192.168.0.138 --dport 80 -j REJECT'''</td><td>Append rule to bottom of OUTPUT chain to REJECT tcp packets to the single IP address 192.168.0.138 on destination port 80 (adding a /24 suffix would make the rule match the whole 192.168.0.0/24 network instead)</td>
</tr>
</table>
 
 
:'''Perform the following steps:'''
 
# Remain in your '''c7host''' VM for this section.
# Set the default policy for the INPUT chain to DROP by issuing the command:<br><b><code><span style="color:#3366CC;font-size:1.2em;">iptables -P INPUT DROP</span></code></b><br>(Caution: do this from the VM console as instructed. Over an ssh session this policy cuts your connection unless a rule accepting established connections is already in the chain.)
# Now try on your own to change the default policy for the OUTPUT chain to DROP
# Issue the command <b><code><span style="color:#3366CC;font-size:1.2em;">iptables -L -n -v</span></code></b> to verify that the policies on your INPUT and OUTPUT chains are set to DROP (the policy appears in each chain's header line; '''-n''' skips reverse-DNS lookups, which can hang once OUTPUT is set to DROP)
# Open a browser and attempt to access the Internet. Were you successful?
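The command structure from the table above and the DROP policies set in these steps, combined into one complete ruleset. This is an added example and not part of the OPS235 lab page: it writes the rules in iptables-restore format (the format CentOS 7 stores in /etc/sysconfig/iptables), checks the rule order offline, and loads the set atomically only when run as root with --apply. The admin subnet 192.168.0.0/24, SSH on port 22 and the script name firewall.sh are assumptions for illustration. It also shows why the browser test in the last step fails with bare DROP policies: without loopback, established-connection and outbound DNS/HTTP exceptions, no reply can come back in.

```bash
#!/bin/bash
# Added example for this lab (not part of the original page): a complete
# default-DROP ruleset in iptables-restore(8) format, the same format CentOS 7
# keeps in /etc/sysconfig/iptables. Writing the rules as text first lets you
# review their ORDER before anything is applied, and iptables-restore loads the
# whole set atomically instead of rule by rule.
#
# Assumed values (illustrative, not from the lab): the admin subnet
# 192.168.0.0/24 and SSH on port 22. Override with ADMIN_NET=... if needed.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# Emit the ruleset on stdout. The exceptions come first: without the loopback
# and ESTABLISHED,RELATED rules a host with INPUT and OUTPUT both DROP cannot
# even receive the replies to its own requests, which is why the browser test
# in the lab fails.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: local services (DNS cache, databases, X) talk to 127.0.0.1.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets belonging to connections this host already accepted or initiated.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New SSH sessions only from the admin subnet (-s matches the whole /24).
-A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -m state --state NEW -j ACCEPT
# Everything else aimed at SSH: LOG is non-terminating, so pair it with DROP.
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH-DROP: "
-A INPUT -p tcp --dport 22 -j DROP
# Outbound exceptions a browser needs: DNS lookups, then HTTP/HTTPS.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set (quick sanity check).
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Offline structural checks (no root, no iptables needed): the table has its
# *filter/COMMIT frame, and the loopback exception precedes the first DROP rule.
check_ruleset() {
    rules="$(build_ruleset)"
    printf '%s\n' "$rules" | grep -q '^\*filter$' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    first_lo=$(printf '%s\n' "$rules" | grep -n -- '-i lo -j ACCEPT' | head -n 1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$first_lo" ] && [ -n "$first_drop" ] && [ "$first_lo" -lt "$first_drop" ]
}

# Load the ruleset atomically. Must run as root; the previous rules are
# replaced in one step, so a half-applied (half-open) firewall is never left.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    # Parse-only dry run first: iptables-restore --test rejects typos such as
    # a single-dash -sport without touching the live tables.
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

# Usage: ./firewall.sh              -> print the ruleset for review
#        sudo ./firewall.sh --apply -> load it, then verify with iptables -L -n -v
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run it without arguments first and read the output top to bottom as iptables will: the two ESTABLISHED,RELATED rules are what let the browser's replies back in once the policies are DROP, and the LOG rule is placed directly above its DROP because LOG alone would let the packet fall through to the next rule.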