Editing rules on iptables

Hello,

I was playing around with iptables to set up an isolated system. On a SLES10 system, I ran the below to set up my first draft of rules. I noticed that the rules come into effect immediately and do not require any restart of iptables.

iptables -A INPUT -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j ACCEPT -p tcp --dport 80 -d xx.xx.xx.xx

iptables -A OUTPUT -o lo -j ACCEPT
iptables -P OUTPUT DROP

Now, I want to add a new rule in the middle (let's say, open outbound communication on port 500 for IP yy.yy.yy.yy). But since the rules are evaluated sequentially, it will become effective after my last rule (which is iptables -P OUTPUT DROP). Since all packets match this default rule for output, I cannot add a new rule without rebooting the machine.

I wanted to know if there is a way to introduce new rules without having to reboot a machine, i.e. introduce a rule above the 'iptables -P OUTPUT DROP'. Any help or leads into documentation will help.

First, you can set the default policy anywhere you want, since it's not a rule. I myself always set the default policy right at the beginning of my firewall scripts.

Second, take a look at the man page for iptables (man iptables on Linux). Using iptables -I you can insert rules at any position.

Thanks pludi.

>> First, you can set the default policy anywhere you want, since it's not a rule.

I want to open specific ports at the output and block the rest. Putting the default output blocking policy first would make the machine unusable. Thus, I shifted it to the bottom of the firewall script and that worked. Anything I am doing wrong here?

>> Second, take a look at the man page for iptables.

Thank you!

The default policy takes immediate effect when set, that's true. However, it only locks you out if you enter the commands manually, which should be the exception, not the rule. When using a script you can set the default policy first, and then open the ports you need without interrupting any traffic.

iptables -I INPUT NUMBER_OF_LINE ** -j ACCEPT
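A small firewall script that puts the two points from this thread together: the default policy is set first and the ACCEPT rules follow, and a later rule is inserted at a chosen position with iptables -I rather than appended. This is an added example, not a script from the thread; it reuses the xx.xx.xx.xx and yy.yy.yy.yy placeholders, assumes port 500 means UDP (the thread does not say), and the IPT variable is an assumption so the script can be dry-run with IPT="echo iptables".

```sh
#!/bin/sh
# Firewall script in the style recommended in the thread: policy first,
# then the rules that open what is needed. When run as a script the gap
# between the policy and the first ACCEPT is milliseconds, so an open
# session is not locked out the way typing the commands by hand would.
# IPT is an assumed override hook: IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"

WEB_HOST="xx.xx.xx.xx"   # placeholder from the thread
IKE_HOST="yy.yy.yy.yy"   # placeholder from the thread (port 500, assumed UDP)

# Initial rule set. The policy is not a rule, so its position in the
# script only matters for the lock-out window discussed above.
initial_rules() {
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 80 -d "$WEB_HOST" -j ACCEPT
}

# Show OUTPUT with rule positions; N in the call below comes from here.
list_output() {
    $IPT -L OUTPUT -n --line-numbers
}

# Insert a rule at position N of OUTPUT (1 = top). The rule previously at
# N and everything below it shift down by one; the policy is untouched,
# so no reboot or flush is needed to get a rule "above" the DROP policy.
insert_output_rule() {
    pos="$1"; shift
    $IPT -I OUTPUT "$pos" "$@"
}

# Usage (run as root to apply, or with IPT="echo iptables" to preview):
#   initial_rules
#   list_output
#   insert_output_rule 3 -p udp --dport 500 -d "$IKE_HOST" -j ACCEPT
```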