CDOT Wiki
OPS235 Lab 6 - Fedora17

738 bytes added, 17:33, 4 March 2010
Investigation 8: How do I view and configure the IPTABLES firewall? -- Basic Function/Configuration
* Your IP addresses, host names and date will be different, but one thing that should be the same is the <code>DPT=80</code> value.
* When your computer tried to send OUT a request to connect to the Internet using the WWW, it used a destination port of 80, the standard port for the WWW. Because we set the default policy to DROP, these packets are dropped. The problem is that we are dropping all packets. What if we only want to drop the WWW packets?
* Using the commands we already know, change the default policies on all of your chains to ACCEPT.
* Open a browser and confirm that you can access the World Wide Web.
* Enter the command:
** <code>iptables -I OUTPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP</code>
 
{{Admon/note | | This command can be read like this: insert a line into the iptables OUTPUT chain that looks at TCP information and DROPs any packet with a source address of anywhere and a destination address of anywhere if the destination port is 80 (WWW). Let's break down the command to see how it works:
 
* The '''-I''' switch tells iptables to INSERT this line into the OUTPUT chain. This means it will be the first line in the chain. If we had used the '''-A''' switch it would have appended the line, making it the last line of the chain. If you are writing complex iptables rules where multiple matches can occur, it is important that the lines go in the right order, because the first matching rule decides the packet's fate. Most people simply write scripts to ensure this.
* The '''-p tcp''' switch tells iptables to filter data by looking at TCP information in the packets. For now, we simply want to filter data by source and destination TCP ports, so we need this switch.
* The '''-s 0/0''' switch specifies the source IP address. 0/0 means a source address of "anywhere". This has been put into the lab because your IP address is dynamically assigned and will change. If you want, you can change this value to the IP address that has been specifically assigned to your PC.
 
}}
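To show why the note says rule order matters, here is an added illustration that is not part of the OPS235 lab: a toy Python model of first-match chain evaluation (the Packet, Rule and Chain classes are hypothetical, not netfilter's code), used to compare inserting the lab's DROP rule at the head of OUTPUT (-I) against appending it (-A) when an accept-everything rule is already present.

```python
# Added illustration of the lab's point about rule order: a toy model of
# first-match chain evaluation, not netfilter's code and not lab material.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    target: str                   # -j ACCEPT / -j DROP
    proto: Optional[str] = None   # -p tcp; None = any protocol
    dport: Optional[int] = None   # --dport 80; None = any port
    src: Optional[str] = None     # -s 0/0 ("anywhere") modelled as None
    dst: Optional[str] = None     # -d 0/0 likewise
    def matches(self, pkt: Packet) -> bool:
        checks = ((self.proto, pkt.proto), (self.dport, pkt.dport),
                  (self.src, pkt.src), (self.dst, pkt.dst))
        return all(want is None or want == have for want, have in checks)

@dataclass
class Chain:
    policy: str = "ACCEPT"                    # iptables -P OUTPUT ACCEPT
    rules: List[Rule] = field(default_factory=list)
    def insert(self, rule: Rule) -> None:     # iptables -I OUTPUT ... (head)
        self.rules.insert(0, rule)
    def append(self, rule: Rule) -> None:     # iptables -A OUTPUT ... (tail)
        self.rules.append(rule)
    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:               # top to bottom, first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                    # nothing matched: default policy

# Constructed sample packets using RFC 5737 documentation addresses
WWW = Packet("tcp", "192.0.2.10", "203.0.113.5", 80)
SSH = Packet("tcp", "192.0.2.10", "192.0.2.1", 22)

def lab_rule() -> Rule:
    # iptables -I OUTPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
    return Rule("DROP", proto="tcp", dport=80)
def insert_vs_append() -> Tuple[str, str]:
    # Both chains already hold an accept-everything rule; only position differs.
    inserted, appended = Chain(), Chain()
    for chain in (inserted, appended):
        chain.append(Rule("ACCEPT"))
    inserted.insert(lab_rule())   # DROP is line 1: WWW packet dropped
    appended.append(lab_rule())   # DROP is last: ACCEPT matches first
    return inserted.verdict(WWW), appended.verdict(WWW)
```

With the rule inserted, the port-80 packet is dropped while port-22 traffic still falls through to the ACCEPT policy; with the same rule appended behind an ACCEPT-all line, it never takes effect.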