Setup firewalls with iptables

Learn Linux Administration Through Practical Examples
Linux Tips: First steps into becoming a successful Linux server administrator by learning different Linux distributions
04:05:35 of on-demand video • Updated June 2020
At the end of this course you will be able to perform many of the daily tasks of a Linux system administrator.
You will know how to control the boot process, deal with disk space, configure the network and troubleshoot issues.
Along with the video lectures, there are also exercises to help you practice what you learn.
What you will learn in this course applies to many distributions (Debian, Ubuntu, CentOS, RedHat, Fedora, etc.).
One of the tasks of a Linux system administrator is to set up firewalls. The firewall rules should be configured so that you allow the incoming and outgoing network traffic you need, but also keep the server secure enough that it is not vulnerable to attacks. One of the ways to secure a server is to use iptables. iptables is usually installed by default on many distributions and it is used for packet filtering. iptables has three kinds of tables: filter, nat and mangle. In this video I am going to deal mostly with the filter table, which is also the default table for iptables. Each table has a couple of chains that contain rules. For instance the filter table, which is displayed here, has the INPUT chain, which filters packets coming to the server; the FORWARD chain, which filters packets that are routed through the local server and have their destination on another network interface card of the same server; and the last one, the OUTPUT chain, for packets generated by the server. If you want to check the existing rules you can run iptables -L, or iptables -nvL, which is numeric and verbose. The difference between the two is that the verbose one displays, for each chain, the packet and byte counters: the number of packets and bytes that matched the rules within that chain. Note that by default this command only displays the filter table, which is the default one. If you want to display another one you can use the option -t and the name of the table, for instance -t nat, and you can see the chains and the rules in that table, for instance the chains PREROUTING, INPUT, OUTPUT and POSTROUTING. Now let's add some rules: iptables -A, specifying the chain INPUT, -s for the source 192.168.1.133, and -j DROP to jump to the target DROP.
So I want all the packets coming from 192.168.1.133 to be dropped. When I list the rules, the target is DROP, the source is jessie (I have this IP as an entry in /etc/hosts, which is why the source appears as jessie here) and the destination is anywhere. So all the packets coming from this IP, on all ports and on all protocols, are going to be dropped. Now, another way to block an IP is to reject the packets instead of dropping them: -j REJECT. The difference between the two is that with REJECT you let the other end know that the port is unreachable, whereas with DROP it does not get any answer at all; it is as if the server does not exist or is down. Now I am going to connect to the other server and try to ssh to this server to see what reply I get. So when I am on the jessie server and I try to connect to the other server with ssh, I do not get any answer, because all the packets are dropped: the DROP rule is the first one within the chain, it matches, and the packets are dropped. Now I am back on the Debian server and I am going to delete that rule and leave only the REJECT one, to see what happens when the packets are rejected instead of dropped. One way of deleting a rule is iptables -D, for delete, the chain INPUT, and then the whole rule specification: -s 192.168.1.133 -j DROP. Another way is to specify the rule number within the chain. For instance, when listing the rules the DROP rule is the first one within the INPUT chain, and that is the one I want to delete, so I can run iptables -D INPUT 1: delete from the INPUT chain the rule number 1. Be extra careful with this: if you have a long list of rules, make sure you do not delete another one.
Now I only have the REJECT rule, and going back to the other server and trying to connect with ssh to this one, you can see that I get "connection refused" on port 22. So this is the difference between REJECT and DROP. Now, if you need to modify an existing rule, you can replace it with -R, like this: iptables -R INPUT 1 followed by the new rule. In this case I replace rule number 1 of the INPUT chain, and what I want to modify is the target, from REJECT to ACCEPT. This is very handy when you want to block a user very fast. You can look at the list of rules; for instance you have a web service and you see an IP that keeps connecting when it should not, which might block your application or make it return errors, and you want to block it very quickly: you can run iptables -R on the rule you see in the list, for instance rule number 1 of the INPUT chain, and block it right away with DROP or REJECT. Now, the rules I added from the command line are only kept in memory, so you need to save them before the server reboots. You can save them with iptables-save to a file, for instance /etc/iptables.conf, and after the server has booted you can restore them with iptables-restore < /etc/iptables.conf. You can also put this in a script if you don't want to do it manually.
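As an added example (not the course's own code), here is a small POSIX sh wrapper around the commands used in this lecture: adding a DROP or REJECT rule for a source address, deleting it by specification, replacing a rule by number, listing a table with counters, and saving/restoring. The IPT variable and the /etc/iptables.conf path are assumptions; with IPT=echo the functions print the iptables invocation instead of running it, so the logic can be checked without root.

```shell
#!/bin/sh
# Added example, not the course's own code. IPT is an assumption: it names the
# command to run, so IPT=echo prints the iptables invocations instead of running them.
IPT="${IPT:-iptables}"

# Accept only a dotted-quad IPv4 address. A typo or an empty value must never reach
# "iptables -s", because an empty or wrong source match would block the wrong hosts.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# block_ip <ipv4> [DROP|REJECT]: the lecture's "-A INPUT -s <ip> -j DROP", but inserted at
# position 1 so the block wins even when an earlier ACCEPT rule already matches that host.
block_ip() {
    ip=$1; target=${2:-DROP}
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 2; }
    case $target in
        DROP|REJECT) ;;
        *) echo "bad target: $target" >&2; return 2 ;;
    esac
    "$IPT" -I INPUT 1 -s "$ip" -j "$target"
}

# unblock_ip <ipv4> [DROP|REJECT]: delete by full specification. Deleting by rule
# number (iptables -D INPUT 1) works too, but removes whatever sits at that position.
unblock_ip() {
    ip=$1; target=${2:-DROP}
    valid_ipv4 "$ip" || return 2
    "$IPT" -D INPUT -s "$ip" -j "$target"
}

# replace_rule <rulenum> <ipv4> <DROP|REJECT|ACCEPT>: the -R step, e.g. turn rule 1 from REJECT into DROP.
replace_rule() {
    valid_ipv4 "$2" || return 2
    "$IPT" -R INPUT "$1" -s "$2" -j "$3"
}

# list_rules [table]: -nvL shows packet/byte counters per rule; -t selects nat or mangle.
list_rules() { "$IPT" -t "${1:-filter}" -nvL; }

# Rules added this way live only in memory. Save them to a file (the path is an
# assumption) and restore that file at boot, e.g. from a startup script.
save_rules() { iptables-save > "${1:-/etc/iptables.conf}"; }
restore_rules() { iptables-restore < "${1:-/etc/iptables.conf}"; }
```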