bash-3.1# cat iptables-save1
untuk melihat isi file iptables-save1
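# Generated by iptables-save v1.4.3.2 on Fri Apr 2 15:58:07 2010
# Reviewed copy of iptables-save1, one directive per line so it can be fed
# unchanged to "iptables-restore iptables-save1". Lines starting with "#" are
# ignored by iptables-restore.
# Assumed layout, inferred from the rules (confirm for your host): eth0 is the
# Internet-facing interface, eth1 the inside interface for 192.168.0.0/24,
# and 192.168.0.80 is the address serving HTTP.
# The leading "-" the post placed in front of :PREROUTING, :POSTROUTING and
# :DEFAULT (a workaround for ":P"/":D" being rendered as emoticons) has been
# removed here; iptables-restore does not parse those lines with it present.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [16:1136]
:OUTPUT ACCEPT [50:3704]
# NAT the 192.168.0.0/24 network out of eth0. The original dump carried this
# identical rule 18 times (most likely from re-running "iptables -A" without
# flushing first); only the first copy can ever match, so the duplicates are
# dropped. Flush with "iptables -t nat -F POSTROUTING" before appending again.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 2 15:58:07 2010
# Generated by iptables-save v1.4.3.2 on Fri Apr 2 15:58:07 2010
*filter
# Default-deny for traffic to and through this host; outbound is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [26:3082]
:DEFAULT - [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing on the external interface: private (RFC 1918), loopback,
# link-local, multicast and reserved source addresses should never arrive on
# eth0. The limited-broadcast address is dropped on every interface.
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/16 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
-A INPUT -s 240.0.0.0/5 -i eth0 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
# Everything arriving on eth1 (assumed to be the inside network) is accepted.
-A INPUT -i eth1 -j ACCEPT
# Traffic accepted for 192.168.0.80: HTTP, plus the ICMP types needed for
# replies to our own pings (echo-reply, type 0), error reporting and path-MTU
# discovery (destination-unreachable, type 3) and traceroute (time-exceeded,
# type 11). There is no accept for echo-request (type 8), so a new ping
# arriving on eth0 falls through to DEFAULT below and is logged and dropped.
# Note that these four accepts are not bound to an interface or to
# connection state.
-A INPUT -d 192.168.0.80/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Everything else in INPUT and FORWARD is decided by the shared DEFAULT chain.
-A INPUT -j DEFAULT
-A FORWARD -j DEFAULT
# DEFAULT: allow packets belonging to existing connections, allow new
# connections that do not enter via eth0, log the rest (rate-limited to
# 30/min so a flood cannot fill the log) and drop it. The "Dropping: " prefix
# is what "grep Drop /var/log/syslog" keys on.
-A DEFAULT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT ! -i eth0 -m state --state NEW -j ACCEPT
-A DEFAULT -m limit --limit 30/min -j LOG --log-prefix "Dropping: "
-A DEFAULT -j DROP
COMMIT
# Completed on Fri Apr 2 15:58:07 2010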
catatan:
Hapus tanda “-” pada baris 4, 5, dan 32 sebelum file dipakai. Tanda “-” sengaja ditulis karena gabungan “:” dan “D” atau “:” dan “P” akan berubah menjadi emotikon “smile” saat ditampilkan.
Mengaktifkan aturan dengan perintah iptables-restore:
bash-3.1# iptables-restore iptables-save1
bash-3.1# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 9 1419 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- eth0 * 10.0.0.0/8 0.0.0.0/0 0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0 0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0 0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0 0 0 DROP all -- eth0 * 169.254.0.0/16 0.0.0.0/0 0 0 DROP all -- eth0 * 224.0.0.0/4 0.0.0.0/0 0 0 DROP all -- eth0 * 240.0.0.0/5 0.0.0.0/0 0 0 DROP all -- * * 255.255.255.255 0.0.0.0/0 0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.80 tcp dpt:80 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.80 icmp type 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.80 icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 192.168.0.80 icmp type 11 5 268 DEFAULT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DEFAULT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 14 packets, 5800 bytes) pkts bytes target prot opt in out source destination Chain DEFAULT (2 references) pkts bytes target prot opt in out source destination 5 268 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- !eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Dropping: ' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Hasilnya (log paket yang di-drop) ada di /var/log/syslog:
bash-3.1# cat /var/log/syslog | grep Drop
Apr 5 08:48:27 pisang kernel: Dropping: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:xx:00:13:xx:3a:a7:83:xx:xx SRC=xxx.xxx.x.xx DST=192.168.0.80 LEN=xx TOS=0x00 PREC=0x00 TTL=xx ID=0 DF PROTO=xxx SPT=xx DPT=62357 LEN=XX
sumber: http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/index.html