Understanding IPTABLES

Found here:
http://www.debian-administration.org/articles/226

See also:
http://documentation.online.net/fr/serveur-dedie/tutoriel/iptables-netfilter-configuration-firewall

Whilst it's true that using iptables can be confusing, it's pretty straightforward once you get the hang of it.

To start off with, there are three built-in "chains" in the default (filter) table which iptables uses:

  • INPUT
    • Which is used to grant or deny incoming connections to your machine.
  • OUTPUT
    • Which is used to grant or deny outgoing connections from your machine.
  • FORWARD
    • Which is used to grant or deny packets routed through your machine (neither originating from it nor addressed to it); it only matters when the machine acts as a router.

Each of those chains can contain rules which control what you allow, or disallow.

Usually your firewall script will start off by flushing (emptying) all the chains and then adding new rules to them. Some machines will only care about what packets are coming into them, others will care about what packets are leaving the machine, so you might find INPUT, or OUTPUT, or both chains being used.

Here's a quick example which is relevant to the question about FTP access.

# First of all delete any existing rules.
#
# This means you're back to a known state. Note that -F only flushes
# the rules: the built-in chains keep whatever default policy they
# have (ACCEPT unless it was changed with -P), and -X only removes
# user-defined chains, which must already be empty.
#
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -X

#
#  Block all access to port 21 (ftpd)
#
#  BUT allow host 11.22.33.44
#
#  Order matters: rules are evaluated top to bottom and the first
#  match decides, so the ACCEPT for the one host must come before
#  the DROP that catches everybody else.
#
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

There we've done two things:

  • Deleted any prior rules, to make sure that when we run this again we won't have any problems (for instance, duplicated rules).
  • Added two rules to the INPUT chain, which means they will apply to incoming connections:
    • 1. Allow new incoming connections to port 21 from one IP address, 11.22.33.44.
    • 2. Deny all other new incoming connections to port 21.

One caveat: both rules match only the first packet of a connection (state NEW). The later packets of the accepted connection match neither rule and fall through to the INPUT chain's default policy, so this example only works as intended while that policy is ACCEPT. If you set the policy to DROP, you must also add a rule accepting ESTABLISHED (and RELATED) packets.

The general form of an iptables command is:

iptables -A CHAIN -p tcp/udp [options] -j ACTION

We briefly covered CHAIN above: "INPUT", "OUTPUT", "FORWARD", etc. Here "-A INPUT" means "append this rule to the end of the INPUT chain".

The "-p tcp" means this rule applies only to TCP packets, not UDP. (To match UDP packets you'd use "-p udp" instead.)

"[options]" is where you specify what you wish to match against.

Finally, "-j ACTION" is used to specify what to do with packets which match your rule. Usually an action will be one of "-j DROP" to silently discard the packet, "-j ACCEPT" to accept the packet, or "-j LOG" to log it. Note that LOG is non-terminating: after logging, the packet continues to the next rule in the chain, so a LOG rule is normally followed by a DROP or ACCEPT rule for the same traffic.

We used "-m state --state NEW --dport 21" to match against new connections to port 21. Strictly speaking these are two separate matches: "-m state --state NEW" asks the connection tracking system whether the packet starts a new connection (on current kernels "-m conntrack --ctstate NEW" is the preferred spelling), while "--dport 21" belongs to the "-p tcp" match and checks the destination port. Other options allow you to match against different things, such as "--source" for the source address or "-i" for the incoming interface.
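The two-rule example above relies on the INPUT chain's default policy being ACCEPT. The following script, which is an added example and not code from the debian-administration article, shows the same FTP restriction in the way a firewall script is usually written: a default-deny INPUT policy, an explicit rule for already-accepted connections, and the FTP connection tracking helper so that data connections are admitted as RELATED. The allowed client 11.22.33.44, the open SSH port and the assumption that the machine is not a router are hypothetical choices for the example. It is a dry run by default (it prints the iptables commands instead of executing them) and only applies the rules when run as root with IPT=/sbin/iptables.

```shell
#!/bin/sh
# Added example, not code from the debian-administration article: a complete
# default-deny INPUT ruleset for the FTP scenario discussed above.
# Assumptions (hypothetical): 11.22.33.44 is the only host allowed to reach
# ftpd, SSH stays open to everyone, and this machine is not a router.
#
# Dry run by default: IPT is "echo iptables", so the script only prints the
# commands it would run. To apply them for real, run as root with
#   IPT=/sbin/iptables sh firewall.sh
set -eu

IPT="${IPT:-echo iptables}"
FTP_CLIENT="11.22.33.44"

apply_rules() {
    # Back to a known state: flush rules and delete user chains in every
    # table we touch (raw included, it is used below), so that re-running
    # the script never leaves duplicated rules behind.
    for table in filter nat mangle raw; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done

    # -F does not reset the built-in chains' policies, so set them
    # explicitly: whatever is not accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # FTP data connections: the ftp conntrack helper (nf_conntrack_ftp)
    # follows PORT/PASV on the control channel and marks the data channel
    # RELATED. Since Linux 4.7 helpers are no longer assigned automatically,
    # so attach it to the control channel explicitly.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Loopback, then packets of connections we have already accepted.
    # This rule is what makes the NEW-only rules below sufficient.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New connections: SSH from anywhere, FTP control channel from one host.
    # Order matters: rules are tried top to bottom and the first match wins.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 21 -s "$FTP_CLIENT" -m conntrack --ctstate NEW -j ACCEPT

    # LOG is non-terminating, so it needs an explicit DROP after it;
    # rate-limit it so that a flood cannot fill the log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

apply_rules
```

Because the policy is DROP, an ACCEPT rule for ESTABLISHED,RELATED packets must sit before the final DROP; without it the first packet of each FTP session would be accepted and every following packet discarded. The same ordering rule is why the rate-limited LOG comes last: anything reaching it has already been refused by every ACCEPT above.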
