
Question

Please write a short explanation of what that line is doing. Add these explanations in as comments to the script. The first few lines of the script have been done for you as an example.

#!/bin/bash
# tells the program loader to use BASH (Bourne Again Shell) for running the script

IPTABLES="/sbin/iptables"
# assigns the value /sbin/iptables to the variable IPTABLES

$IPTABLES -F
# flushes all firewall rules

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -j LOG
$IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited

Explanation / Answer

$IPTABLES -F INPUT
# Deletes all of the rules in the INPUT chain, i.e., it flushes all the rules under the INPUT chain.

$IPTABLES -F OUTPUT
# Deletes all of the rules in the OUTPUT chain, i.e., it flushes all the rules under the OUTPUT chain.

$IPTABLES -F FORWARD
# Deletes all of the rules in the FORWARD chain, i.e., it flushes all the rules under the FORWARD chain.

$IPTABLES -P INPUT DROP
# '-P' is used to set the default policy on the specified chain. In this command we are setting the default policy to DROP on the INPUT chain. With this rule all the incoming packets that don't satisfy one of the following rules will be dropped.

$IPTABLES -P OUTPUT ACCEPT
# In this command we are setting the default policy to ACCEPT on the OUTPUT chain. With this rule all the outgoing packets are accepted.

$IPTABLES -P FORWARD DROP
# In this command we are setting the default policy to DROP on the FORWARD chain. With this rule none of the packets are forwarded from the system on which this setting is enabled.

$IPTABLES -A INPUT -i lo -j ACCEPT
# In this command the '-A' switch is used to append a rule to the INPUT chain. After that '-i' is used to specify the interface to which the packets are routed. Here we used 'lo' for the localhost interface (127.0.0.1). After that '-j' is used to specify that it should jump to the target action, i.e., ACCEPT in this line. This entire command line specifies that all the incoming packets routed to the localhost interface are accepted.

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# In this command the '-A' switch is used to append a rule to the INPUT chain. After that '-m' is used to load the state module, which is used to identify the state (NEW, ESTABLISHED, RELATED) of the packet. Here we are identifying packets that are part of an already established connection or related to an established connection.

$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# In this command the '-A' switch is used to append a rule to the INPUT chain. After that we are using '-p' to specify the port. In this command we are accepting SSH connections over tcp port 22.

$IPTABLES -A INPUT -p tcp -j LOG
# In this command the '-A' switch is used to append a rule to the INPUT chain. After that we are using '-p' to specify the port. In this command we are logging all the incoming tcp packets.

$IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
# In this command the '-A' switch is used to append a rule to the INPUT chain. In this command ICMP packets are rejected with an error message and an error packet is sent to the host. The icmp-host-prohibited error message is sent.
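As an added illustration (not part of the question or of the answer above), here is a small shell function that walks the INPUT chain of the script in rule order and reports the verdict a packet would receive, which shows why the order of the rules matters. It assumes a packet is described by four constructed values (interface, protocol, destination port, conntrack state); the function name and the sample packets are my own.

```shell
#!/bin/sh
# Added example: simulate the INPUT chain of the script above, rule by rule.
# A "packet" is four constructed values: interface, protocol, dport, conntrack state.
# Prints the final target, prefixed with "LOG+" when the LOG rule matched on the way.
input_verdict() {
    local iface="$1" proto="$2" dport="$3" state="$4"
    local logged=""
    # -A INPUT -i lo -j ACCEPT : loopback traffic, ACCEPT is a terminating target
    if [ "$iface" = "lo" ]; then
        printf '%sACCEPT\n' "$logged"; return 0
    fi
    # -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT : replies to our own connections
    case "$state" in
        RELATED|ESTABLISHED) printf '%sACCEPT\n' "$logged"; return 0 ;;
    esac
    # -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT : new SSH connections
    if [ "$proto" = "tcp" ] && [ "$dport" = "22" ]; then
        printf '%sACCEPT\n' "$logged"; return 0
    fi
    # -A INPUT -p tcp -j LOG : LOG is non-terminating, so evaluation continues
    if [ "$proto" = "tcp" ]; then
        logged="LOG+"
    fi
    # -A INPUT -j REJECT --reject-with icmp-host-prohibited : no match conditions,
    # so everything that reaches this point is rejected and the chain's DROP
    # policy is never consulted.
    printf '%sREJECT\n' "$logged"
}

# Constructed sample packets, one per line: iface proto dport state
sample_packets() {
    printf '%s\n' \
        'lo tcp 80 NEW' \
        'eth0 tcp 443 ESTABLISHED' \
        'eth0 tcp 22 NEW' \
        'eth0 tcp 80 NEW' \
        'eth0 udp 53 NEW' \
        'eth0 icmp - NEW'
}

# Print a verdict table for the constructed packets when run directly.
sample_packets | while read -r iface proto dport state; do
    printf '%-5s %-4s %-4s %-11s -> %s\n' "$iface" "$proto" "$dport" "$state" \
        "$(input_verdict "$iface" "$proto" "$dport" "$state")"
done
```

Because the final REJECT rule has no match conditions, an unsolicited TCP packet to any port other than 22 is first logged and then rejected, and a UDP or ICMP packet is rejected without a log entry.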