Cisco Certified Expert

Example 111 Configuring Net Filter with IPTables

TView full width]

# iptables -P INPUT DENY

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

# iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 22 -m state --state NEW -

1=1 j ACCEPT

# iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 25 -m state --state NEW -j

# iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 80 -m state --state NEW -j

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -A INPUT --reject-with icmp-host-prohibited -j REJECT

Example 11-2 provides a similar configuration with the PIX command set. Example 11-2. Configuring a PIX

gandaif (config) # access-list acl_test permit tcp any host 10.16.17.202 eq ssh gandaif (config) # access-list acl_test permit tcp any host 10.16.17.202 eq smtp gandaif (config) # access-list acl_test permit tcp any host 10.16.17.202 eq 80

gandaif (config) # access-list acl_test permit icmp any any gandaif (config) # access-list acl_test deny ip any any gandaif (config) # show access-list acl_test access-iist aci_test; 5 eiements access-iist aci_test iine 1 permit tcp any host 10.16.17.202 eq ssh (hitcnt=0)

access-iist aci_test iine 2 permit tcp any host 10.16.17.202 eq smtp (hitcnt=0)

access-iist aci_test iine 3 permit tcp any host 10.16.17.202 eq www (hitcnt=0)

access-iist aci_test iine 4 permit icmp any any (hitcnt=0) access-iist aci_test iine 5 deny ip any any (hitcnt=0)

Knowledge of the command set is critical to effectively configure a firewall through a CLI. Many vendors (and third parties) have worked hard to reduce the configuration of a firewall to a more simplistic method. When the initial configuration is done (supplying the firewall software with an IP address and net mask), the end user can immediately switch to a more graphical method of configuring the firewall.