
Forwarding traffic to custom key chain in iptables


I need help regarding iptables. I have the following iptables rules when I use the command iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy DROP)

target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

Chain MYSSH (0 references)

target     prot opt source               destination

Now I want to add a rule to the INPUT chain of my filter table that will send all ssh traffic to the MYSSH chain. I have to make sure this new rule follows (not precedes) the RELATED,ESTABLISHED rule, so it doesn't apply to existing connections!

I tried:

iptables -I INPUT 1 -p tcp -m MYSSH --dport 22 -j ACCEPT

but this is not working. Can you please tell me how to do that?


Solution

  • This is kind of a question for Superuser, but okay. I have my admin hat on today. :P

    The main thing is that you can use your chain as a target like ACCEPT, REJECT or DROP, so you want to pass it as -j option, i.e.

    iptables -A INPUT -p tcp --dport 22 -j MYSSH
    

    would append a rule to pipe all TCP traffic to port 22 through the MYSSH chain to the INPUT chain.

    The other question is where to insert this rule. Generally, when I do this kind of stuff manually (these days I usually use shorewall because it's easier to maintain), I just work with iptables -A commands and run them in the right order. In your case, it looks as though you want to insert it as the second or third rule, before the catchall

    ACCEPT     all  --  anywhere             anywhere 
    

    rule (although that might have some additional conditions that iptables -L will not show without -v; I can't know that). Then we're looking at

    iptables -I INPUT 2 -p tcp --dport 22 -j MYSSH
    

    or

    iptables -I INPUT 3 -p tcp --dport 22 -j MYSSH
    

    depending on where you want it.

    Note, by the way, that if this catch-all rule doesn't have additional conditions that I'm not seeing, the rule below it will never be reached.
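As an added example (not code from the asker or the answerer), the following POSIX shell helper works out the insert position automatically: it reads the output of iptables -L INPUT -n --line-numbers, finds the RELATED,ESTABLISHED rule, and builds the -I command that puts the MYSSH jump directly after it. The listing below is constructed to mirror the question's INPUT chain, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` output, modelled on
# the question's INPUT chain (not captured from a real host).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22'

# insert_position LISTING  (hypothetical helper name)
# Prints the rule number at which a new rule must be inserted so that it lands
# immediately after the RELATED,ESTABLISHED rule. Prints nothing and returns 1
# when the listing has no such rule, so the caller can refuse to guess.
insert_position() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+[[:space:]]/ && /RELATED,ESTABLISHED/ { print $1 + 1; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# build_command LISTING  (hypothetical helper name)
# Prints the iptables command that sends TCP/22 traffic to the MYSSH chain at
# that position, so already-established sessions keep matching rule 1 and are
# never re-evaluated by MYSSH.
build_command() {
    pos=$(insert_position "$1") || return 1
    printf 'iptables -I INPUT %s -p tcp --dport 22 -j MYSSH\n' "$pos"
}

# Typical use on a live host (needs root); feed in the real listing instead:
#   build_command "$(iptables -L INPUT -n --line-numbers)" | sh
build_command "$SAMPLE_LISTING"
```

Because MYSSH has no rules yet, a packet that reaches the end of that chain returns to INPUT and continues with the next rule there, so the chain only changes behaviour once you add rules to it.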