Utilizzo dei rulenum con iptables

Ad ogni regola Ŕ associato un numero univoco per catena (rulenum) da 1 a infinito che pu˛ essere utilizzato per semplificare la gestione delle regole in un firewall (cancellazione, aggiunta nuove regole, visualizzazione).

Per visualizzare le regole con il relativo rulenum occorre specificare l'opzione  "--line-numbers":

[[email protected] root]# iptables -L -nv --line-numbers
Chain INPUT (policy DROP 325 packets, 56856 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
2     9673  677K ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0          tcp dpt:22 state NEW,ESTABLISHED
3      329 57096 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `DENY INPUT:'

Chain FORWARD (policy DROP 299 packets, 28380 bytes)
num    pkts bytes target     prot opt in     out     source               destination        
1        6   288 ACCEPT     tcp  --  eth0   *       10.0.0.0/24          0.0.0.0/0          state NEW,ESTABLISHED
2        3   120 ACCEPT     tcp  --  eth1   *       192.168.0.0/24       10.0.0.0/24        state RELATED,ESTABLISHED
3      113 10722 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `FORWARD:'

Chain OUTPUT (policy DROP 665 packets, 98378 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1      235 38592 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/24        
2        5   348 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
3        4   240 ACCEPT     all  --  *      *       192.168.0.0/24       10.0.0.0/24        state RELATED,ESTABLISHED
4      670  238K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `OUTPUT:'


Per quanto riguarda le operazioni  di cancellazione o aggiunta di nuove regole occorre solo specificare il numero della regola preceduto dalla catena:

Visualizzazione delle rules nella catena di FORWARD e cancellazione della regola numero 3
[[email protected] root]# iptables -L FORWARD  -nv --line-numbers
Chain FORWARD (policy DROP 299 packets, 28380 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        6   288 ACCEPT     tcp  --  eth0   *       10.0.0.0/24          0.0.0.0/0          state NEW,ESTABLISHED
2        3   120 ACCEPT     tcp  --  eth1   *       192.168.0.0/24       10.0.0.0/24        state RELATED,ESTABLISHED
3     113 10722 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `FORWARD:'
[[email protected] root]# iptables -D 3
[[email protected] root]# iptables -L FORWARD  -nv --line-numbers
Chain FORWARD (policy DROP 299 packets, 28380 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        6   288 ACCEPT     tcp  --  eth0   *       10.0.0.0/24          0.0.0.0/0          state NEW,ESTABLISHED
2        3   120 ACCEPT     tcp  --  eth1   *       192.168.0.0/24       10.0.0.0/24        state RELATED,ESTABLISHED


Visualizzazione rule della catena di INPUT e aggiunta di una nuova regola tramite rulemun per assegnargli il secondo posto nella catena
[[email protected] root]# iptables -L INPUT   -nv --line-numbers
Chain INPUT (policy DROP 369 packets, 64998 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
2   11484  803K ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0          tcp dpt:22 state NEW,ESTABLISHED
3      373 65238 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `DENY INPUT:
[[email protected] root]# iptables -I INPUT 2  -p tcp -s 192.168.0.0/24
[[email protected] root]# iptables -L INPUT -nv --line-numbers
Chain INPUT (policy DROP 383 packets, 67613 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        2   120 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
2        0     0            tcp  --  *      *       192.168.0.0/24       0.0.0.0/0          
3    11635  814K ACCEPT     tcp  --  *      *       10.0.0.0/24          0.0.0.0/0          tcp dpt:22 state NEW,ESTABLISHED
4      387 67853 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `DENY INPUT:'

Privacy Policy