How to configure iptables in Linux

Source: Internet
Author: User

How to configure iptables in Linux

View and clear save rules:

View the local iptables settings: iptables-L-n

Clear all rules in the filter of the preset table: iptables-F

Clear the rules in the User-Defined chain in the filter of the preset table: iptables-X

Save the current configuration:/etc/rc. d/init. d/iptables save

Restart iptables: service iptables restart

Set preset rules:

Iptables-p INPUT DROP

Iptables-p OUTPUT ACCEPT

Iptables-p FORWARD DROP

The above means that when the two chain rules (INPUT and FORWARD) in the filter table in iptables are exceeded, data packets not in the two rule packages are directly dropped, that is, they are abandoned. This configuration is still safe. We need to control inbound data packets. For the OUTPUT chain, that is, the outgoing package, we do not need to impose too many restrictions, but use ACCEPT, that is, the package that is not in this rule can also pass.

That is to say, the INPUT and FORWARD chains use the packages allowed to pass, while the OUTPUT chain uses the packages not allowed to pass. Of course, we can also use DROP for all three links, but the Rules to be written will increase. If we only want a limited number of rules, such as serving as a web server, we recommend that all three links be DROP.

INPUT chain:

The default rule of the INPUT chain is DROP. We need to write the chain of ACCEPT (:

To enable remote logon, We need to enable port 22. The operation is as follows:

Iptables-a input-p tcp -- dport 22-j ACCEPT

Iptables-a output-p tcp -- sport 22-j ACCEPT (Note: if we set OUTPUT to DROP, write it. If we forget to write it, in this case, ssh is always unavailable)

If we have a web server, we need to enable port 80. The operation is as follows:

Iptables-a input-p tcp -- dport 80-j ACCEPT

Of course, if our WEB server also sets the OUTPUT to DROP, we also need to add:

Iptables-a output-p tcp -- sport 80-j ACCEPT

If we have an email server, we usually need to enable ports 25 and 110:

Iptables-a input-p tcp -- dport 110-j ACCEPT

Iptables-a input-p tcp -- dport 25-j ACCEPT

If we have a DNS server, port 53 is usually enabled:

Iptables-a input-p tcp -- dport 53-j ACCEPT

Allow loopback. Otherwise, DNS may fail to be shut down normally:

Iptables-a input-I lo-p all-j ACCEPT (if it is INPUT DROP)

Iptables-a output-o lo-p all-j ACCEPT (if it is output drop)

OUTPUT chain:

Because the default OUTPUT chain rule is ACCEPT, we need some DORP chains.

We can reduce insecure port connections, such as 31337, as follows:

Iptables-a output-p tcp -- sport 31337-j DROP

Iptables-a output-p tcp -- dport 31337-j DROP

For example, we only allow SSH connections on machines 192.168.0.101, as shown below:

Iptables-a input-s 192.168.0.101-p tcp -- dport 22-j ACCEPT

If you want to allow or limit an IP segment, you can use 192.168.0.0/24 to represent all IP addresses between 192.168.0.1-255. Here, 24 is the number of subnet masks.

If we allow SSH connections from all IP addresses, see the following:

Iptables-a input-p tcp -- dport 22-j ACCEPT

Save Configuration:

Because the command method is effective immediately, if you want to take effect after restart, you need to write it to/etc/sysconfig/iptables.

We can use/etc/rc. d/init. d/iptables save to save the current configuration to the configuration file.

FORWARD chain:

The default FORWARD chain rule is also DROP, so we will write the chain that requires ACCEPT to monitor the ongoing forwarding chain.

First, we need to enable the forwarding function. When performing NAT, the default FORWARD rule is DROP, which must be done:

Iptables-a forward-I eth0-o eth1-m state -- state RELATED, ESTABLLISHED-j ACCEPT

Iptables-a forward-I eth1-o eth0-j ACCEPT

We discard the bad TCP packet:

Iptables-a forward-p tcp! -- Syn-m state -- state NEW-j DROP

We process the number of IP fragments to prevent attacks. 100 IP fragments are allowed per second:

Iptables-a forward-f-m limit -- limit 100/s -- limit-burst 100-j ACCEPT

Set ICMP packet filtering to allow 1 packet per second. The trigger condition is 10 packets:

Iptables-a forward-p icmp-m limit -- limit 1/s -- limit-burst 10-j ACCEPT

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.