  • Iptables

    There are three different chains: input, forward and output.

     

    Input: This chain is used to control the behavior for incoming connections.

     

    Forward: This chain is used for incoming connections that aren't actually being delivered locally. Think of a router -- data is always being sent to it but rarely actually destined for the router itself.

     

    There is one sure-fire way to check whether or not your system uses the forward chain: list the chains together with their packet and byte counters.

    iptables -L -v

    [Screenshot: output of iptables -L -v on the author's server. Chain INPUT (policy ACCEPT 0 packets, 0 bytes) has ACCEPT rules for udp/tcp dpt:domain and dpt:bootps on virbr0, ACCEPT for state RELATED,ESTABLISHED (181K packets, 243M bytes), icmp, lo and state NEW tcp dpt:ssh, then a REJECT with icmp-host-prohibited (129K packets, 16M bytes). Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) has three ACCEPT rules on virbr0 for 192.168.122.0/24 and three REJECT rules (reject-with icmp-port-unreachable / icmp-host-prohibited), all with 0 packets and 0 bytes. Chain OUTPUT (policy ACCEPT 128K packets, 34M bytes) has no rules.]

     

    The screenshot above is of a server that's been running for a few months and has no restrictions on incoming or outgoing connections. As you can see, the output chain has processed 34M. The forward chain, on the other hand, has processed 0GB. This means the server isn't doing any kind of forwarding or being used as a pass-through device.
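    The check above can be scripted. The following is an added example, not code from the original post: it parses iptables -L -v style output, sums the counters per chain, and reports whether the FORWARD chain has ever seen traffic. The SAMPLE text is constructed here (with the same K/M counter suffixes iptables prints) so the script runs without root; on a real host replace it with the live command output.

```shell
#!/bin/sh
# Added example: summarise `iptables -L -v` output per chain.
# SAMPLE is constructed to mimic the post's screenshot; it is not real output.
# On a real host use:  SAMPLE=$(iptables -L -v)
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 181K  243M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    7   440 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
 129K   16M REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 128K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# chain_summary CHAIN
# Prints one line: CHAIN policy=... policy_pkts=... policy_bytes=... rules=N rule_pkts=... rule_bytes=...
# policy_* are the counters of packets that hit the default policy (no rule matched);
# rule_* are the sums over the chain's rules.
chain_summary() {
    printf '%s\n' "$SAMPLE" | awk -v want="$1" '
        # iptables -L -v abbreviates counters to thousands: 181K, 243M, ...
        function num(v,   u) {
            u = substr(v, length(v), 1)
            if (u == "K") return substr(v, 1, length(v) - 1) * 1000
            if (u == "M") return substr(v, 1, length(v) - 1) * 1000000
            if (u == "G") return substr(v, 1, length(v) - 1) * 1000000000
            return v + 0
        }
        /^Chain / {
            inchain = ($2 == want)
            if (inchain) {
                pol = $4; sub(/\)$/, "", pol)      # "ACCEPT)" when no counters are shown
                ppk = num($5); pby = num($7)
            }
            next
        }
        inchain && $1 == "pkts" { next }            # column header line
        inchain && NF >= 2 && $1 ~ /^[0-9]+[KMG]?$/ {
            rules++; rp += num($1); rb += num($2)
        }
        END {
            printf "%s policy=%s policy_pkts=%d policy_bytes=%d rules=%d rule_pkts=%d rule_bytes=%d\n",
                   want, pol, ppk + 0, pby + 0, rules + 0, rp + 0, rb + 0
        }'
}

# forwarding_in_use
# Exit status 0 if any packet ever traversed FORWARD (policy or rule counters), 1 otherwise.
forwarding_in_use() {
    chain_summary FORWARD | awk '{
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "policy_pkts" || kv[1] == "rule_pkts") total += kv[2]
        }
        exit (total > 0 ? 0 : 1)
    }'
}

# Usage demonstration
for c in INPUT FORWARD OUTPUT; do chain_summary "$c"; done
if forwarding_in_use; then
    echo "FORWARD chain carries traffic: this host forwards packets"
else
    echo "FORWARD chain has never matched a packet: no forwarding here"
fi
```

    Counters are rounded by iptables when printed with -L -v, so the sums are approximate; use iptables -L -v -x for exact numbers. The policy counters matter as much as the rule counters: a FORWARD chain with no rules still shows in its header how many packets fell through to the default policy.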

     

    Output: this chain is used for outgoing connections. Iptables checks its output chain to see which rules apply before deciding whether to allow or deny the connection attempt.

     

    To see the default policy applied to unmatched traffic, look at the header line of each chain in the iptables -L output:

    Chain INPUT (policy ACCEPT)

     

    Connection-specific Responses

    Accept: Allow the connection.

    Drop: Don't allow the connection, and send nothing back; the client only sees timeouts.

    [Screenshot: ping 192.168.6.129 with 32 bytes of data from a Windows host against a DROP rule; all four requests print "Request timed out." and the ping statistics show Sent = 4.]

    Reject: Don't allow the connection, but send back an error.

    [Screenshot: the same ping against a REJECT rule; all four replies from 192.168.6.129 read "Destination port unreachable." and the ping statistics show Sent = 4, Received = 4, Lost = 0 (0% loss).]

     

     

    You can use iptables -A to append rules to the existing chain.

    iptables -A INPUT -s 10.10.10.10 -j DROP

     

    You can use a netmask or standard slash notation to specify a range of IP addresses.

    iptables -A INPUT -s 10.10.10.0/24 -j DROP

    iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP

     

    Specific port (here the ssh service name, which resolves to port 22):

    iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

     

    Connection States:

    Suppose you permit SSH connections from 10.10.10.10, but SSH connections to 10.10.10.10 are not allowed. With the state ESTABLISHED, the system is still permitted to send data back over SSH as long as the session has already been established, which makes SSH communication possible between these two hosts.

    iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT

    iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT

     

    You should save the configuration:

    [root@localhost sysconfig]# /etc/init.d/iptables save

    iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

     

    The configuration file is /etc/sysconfig/iptables:

    [root@localhost sysconfig]# more iptables

    # Firewall configuration written by system-config-firewall

    # Manual customization of this file is not recommended.

    *filter

    :INPUT ACCEPT [0:0]

    :FORWARD ACCEPT [0:0]

    :OUTPUT ACCEPT [0:0]

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    -A INPUT -p icmp -j ACCEPT

    -A INPUT -i lo -j ACCEPT

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    -A INPUT -j REJECT --reject-with icmp-host-prohibited

    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

    COMMIT
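    Putting the pieces above together (the -A rules with -s and --dport, the NEW/ESTABLISHED state pair, and the iptables-restore file format shown in /etc/sysconfig/iptables), here is an added example that is not part of the original post. It generates a ruleset in that file format for an assumed admin subnet, then audits the text before anything is loaded: the ESTABLISHED,RELATED rule must come before any NEW rule, NEW SSH must not be accepted from every source, and INPUT must not fall through to ACCEPT. The subnet, the WEAK_RULESET counter-example and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: generate and audit an iptables-restore ruleset.
# Nothing here touches the kernel; load the result with iptables-restore only after it passes.

# gen_ruleset ADMIN_CIDR
# Prints a complete *filter table in /etc/sysconfig/iptables format.
# Rule order follows the post: established traffic first, then the narrow NEW rule, then reject.
gen_ruleset() {
    admin="$1"   # assumed placeholder, e.g. 10.10.10.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# audit_ruleset < ruleset
# Exit 0 if every check passes, 1 otherwise (each failure is printed).
# Only the "-s" form of the source match is recognised; "--source" would need an extra pattern.
audit_ruleset() {
    awk '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            n++
            for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
            if ($0 ~ /--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)/ && !est) est = n
            if ($0 ~ /--state [A-Z,]*NEW/ && !newseen) newseen = n
            if ($0 ~ /--dport (22|ssh)/ && target == "ACCEPT" && $0 !~ /-s /) open_ssh = 1
            last = target
        }
        /^COMMIT$/ { commit = 1 }
        END {
            ok = 1
            if (!commit) { print "FAIL: no COMMIT line"; ok = 0 }
            if (!est || (newseen && est > newseen)) {
                print "FAIL: ESTABLISHED,RELATED accept must precede NEW rules"; ok = 0
            }
            if (open_ssh) { print "FAIL: NEW SSH accepted from any source (no -s)"; ok = 0 }
            if (policy != "DROP" && last != "REJECT" && last != "DROP") {
                print "FAIL: INPUT falls through to ACCEPT"; ok = 0
            }
            exit (ok ? 0 : 1)
        }'
}

# Constructed counter-example: SSH open to the world, NEW before ESTABLISHED, no terminating reject.
WEAK_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Usage demonstration (assumed subnet). To apply on a host:
#   gen_ruleset 10.10.10.0/24 > /tmp/rules.v4 && audit_ruleset < /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
gen_ruleset 10.10.10.0/24 | audit_ruleset && echo "generated ruleset: OK"
printf '%s\n' "$WEAK_RULESET" | audit_ruleset || echo "weak ruleset: rejected by audit"
```

    The audit deliberately reads the file rather than the live kernel state, so it can run in CI or before a change window; the same checks could be pointed at iptables-save output on a running host.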





  • Original article: https://www.cnblogs.com/roni/p/5999944.html