Good URLs

  http://forums.pcper.com/showthread.php?t=432469  <- nice tutorial
  https://help.ubuntu.com/community/IptablesHowTo  <- nice tutorial
  http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
  http://blogs.techrepublic.com.com/10things/?p=539
  http://involution.com/iptables_demo/

What is an iptables table?

  A table groups rules by purpose, for example mangling packets or doing
  network address translation.

What is an iptables chain?

  An ordered set of rules. When a rule matches, the packet is processed and
  no more rules are checked. The exception is a LOG rule: after logging, the
  remaining rules are still checked. If the packet reaches the end of the
  chain, the chain's default policy applies.

What chains exist?

  INPUT         All packets coming into the system destined for the system
  FORWARD       All packets coming into the system destined for elsewhere
  OUTPUT        All packets leaving the system except forwarded packets
  user defined  You can make your own chains, which work like a subroutine.
                They do not have a default policy; instead they 'return' to
                the original chain.

Useful commands

  Find your interface with
    ifconfig

  Find troublesome IP addresses with
    dig hostname
    dig mx hostname     (sometimes there is no MX record)

  Addresses can be specified in CIDR notation, like 1.2.3.4/24

  Delete all rules with
    iptables -F   # Delete all rules in chains
    iptables -X   # Delete all chains

  Check rules with
    iptables -L   # List all rules

  Filter on strings with
    iptables -I OUTPUT -j DROP -m string --string "f*ck" --algo bm

  The following commands also exist:
    iptables-apply
    iptables-restore
    iptables-save

The State Machine

  Check current connections with
    cat /proc/net/ip_conntrack

  Table 7-1. User-land states (from
  http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES)

  NEW
    The NEW state tells us that the packet is the first packet that we see.
    This means that the first packet that the conntrack module sees, within a
    specific connection, will be matched. For example, if we see a SYN packet
    and it is the first packet in a connection that we see, it will match.
    However, the packet may as well not be a SYN packet and still be
    considered NEW. This may lead to certain problems in some instances, but
    it may also be extremely helpful when we need to pick up lost connections
    from other firewalls, or when a connection has already timed out, but in
    reality is not closed.

  ESTABLISHED
    The ESTABLISHED state has seen traffic in both directions and will then
    continuously match those packets. ESTABLISHED connections are fairly easy
    to understand. The only requirement to get into an ESTABLISHED state is
    that one host sends a packet, and that it later on gets a reply from the
    other host. The NEW state will upon receipt of the reply packet to or
    through the firewall change to the ESTABLISHED state. ICMP reply messages
    can also be considered as ESTABLISHED, if we created a packet that in
    turn generated the reply ICMP message.

  RELATED
    The RELATED state is one of the more tricky states. A connection is
    considered RELATED when it is related to another already ESTABLISHED
    connection. What this means, is that for a connection to be considered
    as RELATED, we must first have a connection that is considered
    ESTABLISHED. The ESTABLISHED connection will then spawn a connection
    outside of the main connection. The newly spawned connection will then
    be considered RELATED, if the conntrack module is able to understand
    that it is RELATED. Some good examples of connections that can be
    considered as RELATED are the FTP-data connections that are considered
    RELATED to the FTP control port, and the DCC connections issued through
    IRC. This could be used to allow ICMP error messages, FTP transfers and
    DCC's to work properly through the firewall. Do note that most TCP
    protocols and some UDP protocols that rely on this mechanism are quite
    complex and send connection information within the payload of the TCP or
    UDP data segments, and hence require special helper modules to be
    correctly understood.

  INVALID
    The INVALID state means that the packet can't be identified or that it
    does not have any state. This may be due to several reasons, such as the
    system running out of memory or ICMP error messages that do not respond
    to any known connections. Generally, it is a good idea to DROP everything
    in this state.

  UNTRACKED
    This is the UNTRACKED state. In brief, if a packet is marked within the
    raw table with the NOTRACK target, then that packet will show up as
    UNTRACKED in the state machine. This also means that all RELATED
    connections will not be seen, so some caution must be taken when dealing
    with the UNTRACKED connections since the state machine will not be able
    to see related ICMP messages et cetera.
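As an added example (not from these notes or the linked tutorials), a small ruleset that puts the pieces above together: default policies on the built-in chains, a user-defined chain used as a subroutine, the conntrack states ESTABLISHED/RELATED/INVALID/NEW, and a LOG rule that falls through to the policy. The interface name eth0 and the open port 22 are assumptions; the script only prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: a stateful ruleset built from the chains and conntrack
# states described in these notes. Dry-run by default (prints the commands);
# apply for real as root with:   IPT=iptables sh firewall.sh eth0
# The interface (eth0) and the opened TCP ports are assumptions.
IPT="${IPT:-echo iptables}"

build_ruleset() {
  iface="$1"; shift            # remaining args: TCP ports to open

  # Start clean: flush every rule, then delete user-defined chains.
  $IPT -F
  $IPT -X

  # Default policies: drop unsolicited inbound and forwarded traffic, let
  # the host itself talk out. A packet matching no rule ends up here.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # User-defined chain used like a subroutine: it has no policy, so a packet
  # that matches nothing inside it RETURNs to the calling chain.
  $IPT -N SERVICES
  for port in "$@"; do
    $IPT -A SERVICES -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done

  # Loopback is always trusted.
  $IPT -A INPUT -i lo -j ACCEPT
  # INVALID packets have no identifiable state; drop them before anything else.
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Replies to connections we started, plus helper-tracked RELATED traffic
  # (FTP data, ICMP errors), are accepted by a single rule.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Hand NEW connections arriving on the interface to the subroutine chain.
  $IPT -A INPUT -i "$iface" -j SERVICES
  # LOG is non-terminating: the packet is logged and keeps traversing the
  # chain, so anything reaching this point falls through to the DROP policy.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

build_ruleset "${1:-eth0}" 22
```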