iptablesrocks.org - Maintaining, modifying and more...
DROP - As noted above, this is the state that the rule "jumps" to. In the example above, any traffic coming from 1.2.3.4 will "jump" to the "DROP" state and thus be blocked.
What if I only want to block someone from accessing a certain port, while allowing them to access all others?
This is just a more specific version of the rule above. In this case, you specify the protocol and the destination port with the "-p", "-m" and "--dport" flags. If you wanted to block anyone from 1.2.3.4 from accessing port 25 on your server, the rule would look like this:
-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 25 -j DROP
Easy enough, right?
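Because iptables walks a chain top to bottom and applies the first rule that matches, where such a DROP sits relative to your ACCEPT rules decides whether it has any effect. The following is an added example, not code from the original guide: a small POSIX shell evaluator that reads a ruleset in the same saved format and reports which target a given packet would hit in the INPUT chain. The ruleset and the packets are constructed for the example, and the evaluator understands only -s, -p, --dport and -j.

```shell
#!/bin/sh
# Constructed sample ruleset in iptables-save format (not from the guide);
# the port-25 DROP from the text is placed first so it wins over later ACCEPTs.
RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -s 5.6.7.8 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT'

# verdict SRC PROTO DPORT: walk the INPUT chain top to bottom and report the
# target of the first rule whose -s/-p/--dport all match, else the chain policy.
# Only -s, -p, --dport and -j are understood; -m is skipped.
verdict() {
  pkt_src=$1; pkt_proto=$2; pkt_dport=$3
  policy=ACCEPT
  while IFS= read -r line; do
    case $line in
      ':INPUT '*)   policy=${line#':INPUT '}; policy=${policy%% *}; continue ;;
      '-A INPUT '*) ;;
      *)            continue ;;           # *filter, COMMIT, other chains
    esac
    r_src=; r_proto=; r_dport=; r_target=
    set -- $line; shift 2                 # drop the leading "-A INPUT"
    while [ $# -gt 0 ]; do
      case $1 in
        -s)      r_src=${2%/32}; shift ;; # iptables-save writes hosts as a.b.c.d/32
        -p)      r_proto=$2;     shift ;;
        --dport) r_dport=$2;     shift ;;
        -j)      r_target=$2;    shift ;;
        -m)                      shift ;; # match-extension name, no packet test
      esac
      shift
    done
    # a match that is present must hold; an absent match fits any packet
    [ -z "$r_src" ]   || [ "$r_src"   = "$pkt_src" ]   || continue
    [ -z "$r_proto" ] || [ "$r_proto" = "$pkt_proto" ] || continue
    [ -z "$r_dport" ] || [ "$r_dport" = "$pkt_dport" ] || continue
    printf '%s\n' "$r_target"; return 0   # first match wins
  done <<EOF
$RULES
EOF
  printf '%s\n' "$policy"                 # nothing matched: chain policy
}

for pkt in "1.2.3.4 tcp 25" "1.2.3.4 tcp 22" "5.6.7.8 tcp 22" "9.9.9.9 udp 53"; do
  echo "$pkt -> $(verdict $pkt)"
done
```

Running it against your own saved ruleset (substitute the file contents for RULES) is a cheap way to confirm a new DROP is not shadowed by an earlier ACCEPT before you load it with the "safetynet" armed.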
The previous questions are only a sampling of the many, many modifications and customizations that can be made to your firewall. Check out the iptables man page (man iptables) for the whole gamut.
As I said before, always make sure you enable your iptables "safetynet" before you start playing with your firewall setup. You don't want to accidentally lock yourself out of your server!
Starting your firewall on boot
The final part of this setup guide covers integrating your firewall into the server's boot process. If you would like your firewall to start on boot and work correctly, do the following:
cp /root/primary_firewall /etc/sysconfig/iptables
This will cause your iptables config script to be loaded at boot time. The last step is to make sure that the "ip_conntrack_ftp" kernel module loads on boot as well, to ensure correct FTP functionality:
vi /etc/rc.local
add the following line:
/sbin/insmod ip_conntrack_ftp
Save and exit the file.
That's it! You're all done. Enjoy your new firewall! Please take a moment to go to the next page and provide me with some feedback and/or commentary.
Proceed to the next step
Site last modified: February 13, 2004 15:27:51
http://www.iptablesrocks.org/guide/maintain.php (3 of 3) [2/13/2004 8:04:47 PM]