Initial settings of the iptables firewall on a Fedora system

Source: Internet
Author: User
This is a static-firewall example tutorial for iptables on Fedora. It builds a small firewall step by step: first clearing whatever rules are already loaded, then adding rules one at a time and checking the effect of each, and finally collecting them into a script you can adapt to your own machine.
1. Introduction to Fedora iptables
iptables is the user-space tool for the packet-filtering framework built into the Linux kernel (netfilter). With it you can filter the packets that enter and leave your computer: the rules you set decide which packets are allowed through, which are not, and which are logged. The following sections show how to set up your own rules, starting from nothing.
2. Initializing iptables
At the shell prompt enter:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
Each command has a precise meaning: -F flushes all rules in every chain of the table, -X deletes any user-defined chains (which must be empty, hence the -F first), and the -t nat variants do the same for the nat table instead of the default filter table. Before setting your own rules you should clear whatever was set before; we call this initialization. In many cases it changes nothing, but be careful on a machine you reach over the network: if the INPUT policy is already DROP, flushing the rules also removes the ACCEPT rules that let you in. On Red Hat or Fedora there is a simpler way to get to a clean state: service iptables stop.
3. Start setting rules
Next, set your rules. The command iptables -P INPUT DROP builds a very "secure" firewall: it is hard to imagine any attacker getting into this machine, because it drops every packet that arrives from the network. Of course this is too secure; the machine is now as good as disconnected. If you run ping localhost you will see no output at all, because both the echo request and the echo reply pass through the INPUT chain on the loopback interface and are dropped there, so ping never receives a response.
4. Add iptables rules
Run the following command: iptables -A INPUT ! -i ppp0 -j ACCEPT. This accepts every packet that does not arrive on the interface ppp0 (the ! negates the -i match; older iptables versions also accept the form -i ! ppp0). Assume you have two network interfaces: eth0 is connected to the LAN, and lo is the loopback interface (localhost). ppp0 is the internet interface for ADSL access; if you connect some other way it may be eth1 instead.
Here I assume you use ADSL and your internet interface is ppp0. With this rule you can reach the LAN and localhost again. Enter ping localhost once more: do you get the same result as before? We still cannot reach the web or mail, though, so let's continue.
5. I want to access the web
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT allows packets arriving on ppp0 (the internet interface) with source port 80 into your computer. Port 80 is the port used by the web (www) service, so the replies from web servers can now get in and you can view web pages. Keep in mind what this rule actually trusts: the source port is chosen by the remote end, so any packet that claims source port 80 gets in, not only replies to connections you opened. This tutorial stays with the simple static form; the usual way to accept only genuine replies is a stateful match (-m conntrack --ctstate ESTABLISHED,RELATED).
But can you really see a page? Enter http://www.baidu.com/ in the browser's address bar. The result must be: the host www.baidu.com cannot be found. Yet if you enter the IP address directly (220.181.27.5 was Baidu's address when this was written), the page still loads.
Why? If you know DNS you know the reason: when you enter www.baidu.com your computer cannot obtain the IP address 220.181.27.5 that the name stands for, because the DNS replies are still blocked. If you happen to remember the address you can still browse, but only by IP address. Unless you want to test your memory, ^_^, we should open DNS.
6. Open the DNS port
Open your DNS port with the following command: iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT. It accepts packets arriving on ppp0 over the UDP protocol with source port 53, the well-known DNS port. Now test again: can you reach the web by host name? And by IP address? Yes, of course!
7. View the firewall
You can now list your rules with iptables -L (add -n to skip reverse DNS lookups and -v to see per-rule packet counters). If you only want web access, you now have exactly that and nothing more. To summarize the steps above, here they are as a script:
#!/bin/bash
# This is a script
# Edit by liwei
# Establish a static firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -A INPUT ! -i ppp0 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT
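To see what the script above actually lets through, here is an added example that is not part of the original tutorial: a toy first-match evaluator for INPUT rules of the kind used here. It models only the fields these rules look at (interface, protocol, source and destination port) plus a state column standing in for conntrack's NEW/ESTABLISHED, so the tutorial's source-port rule can be compared with a stateful one. The rule tables, the STATEFUL_RULES variant, the SSH_BLOCK rule and the packets are all constructed for this example; no real iptables is invoked.

```shell
#!/bin/bash
# Added example: a toy first-match evaluator for INPUT rules.
# Rule format, one per line: "iface proto sport dport state target"
# '*' matches anything; a leading '!' negates a field ("!ppp0" = not ppp0).
# The state column stands in for conntrack's NEW/ESTABLISHED; the
# tutorial's static rules never look at it.

# The tutorial's static firewall (section 7); policy DROP is passed separately
STATIC_RULES='
!ppp0 * * * * ACCEPT
ppp0 tcp 80 * * ACCEPT
ppp0 udp 53 * * ACCEPT
'
# Constructed stateful variant: accept replies by connection state, not by source port
STATEFUL_RULES='
!ppp0 * * * * ACCEPT
ppp0 * * * ESTABLISHED ACCEPT
'
# Constructed ordering check: an explicit block for sshd (dport 22), appended vs prepended
SSH_BLOCK='ppp0 tcp * 22 * DROP'
BLOCK_SSH_LAST=$(printf '%s\n%s\n' "$STATIC_RULES" "$SSH_BLOCK")
BLOCK_SSH_FIRST=$(printf '%s\n%s\n' "$SSH_BLOCK" "$STATIC_RULES")

# field_matches RULE_FIELD PACKET_VALUE: true if the rule field accepts the value
field_matches() {
    case "$1" in
        '*')  return 0 ;;
        '!'*) [ "${1#!}" != "$2" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# verdict RULES POLICY iface proto sport dport state
# Prints the target of the first matching rule, or POLICY if none matches.
verdict() {
    v_rules=$1 v_policy=$2 p_if=$3 p_proto=$4 p_sport=$5 p_dport=$6 p_state=$7
    hit=$(printf '%s\n' "$v_rules" | while read -r r_if r_proto r_sport r_dport r_state r_target; do
        [ -n "$r_if" ] || continue
        if field_matches "$r_if" "$p_if" && field_matches "$r_proto" "$p_proto" \
           && field_matches "$r_sport" "$p_sport" && field_matches "$r_dport" "$p_dport" \
           && field_matches "$r_state" "$p_state"; then
            echo "$r_target"   # first match wins; stop reading further rules
            break
        fi
    done)
    echo "${hit:-$v_policy}"
}

# Constructed packets, described as "iface proto sport dport state":
#   a web server's reply to a connection we opened (source port 80, ESTABLISHED)
#   an attacker probing sshd with a forged source port of 80 (NEW)
#   a LAN host reaching sshd (not on ppp0)
show() { printf '%-9s %-32s -> %s\n' "$1" "$2" "$(verdict "$3" DROP $4)"; }
show static   "web reply, sport 80"           "$STATIC_RULES"    "ppp0 tcp 80 40000 ESTABLISHED"
show static   "sshd probe, forged sport 80"   "$STATIC_RULES"    "ppp0 tcp 80 22 NEW"
show stateful "sshd probe, forged sport 80"   "$STATEFUL_RULES"  "ppp0 tcp 80 22 NEW"
show static   "LAN host to sshd"              "$STATIC_RULES"    "eth0 tcp 51000 22 NEW"
show static   "sshd block appended"           "$BLOCK_SSH_LAST"  "ppp0 tcp 80 22 NEW"
show static   "sshd block prepended"          "$BLOCK_SSH_FIRST" "ppp0 tcp 80 22 NEW"
```

The second and third lines of output are the point: with the static rules, a SYN to port 22 gets in as long as the attacker sets source port 80, while the stateful variant drops it because no connection it belongs to exists. The last two lines show why rule order matters: the same DROP rule is useless appended after the source-port ACCEPT and effective when placed before it.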
8. Is it complicated? By now iptables is filtering packets as required. You can open further ports in the same way so that your machine can use those services. As it stands you may be unable to use QQ or play online games; whether that is good or bad is up to you.
By the way, QQ is really hard to control. The connection between the client and the server seems to use port 8888, while messages between QQ friends go over UDP port 4444 (I am not sure it is 4444). QQ can also log on and send messages over port 80, the web port. There is no end to learning; do you really want to control this thing? Let's return to our topic. What if your machine is a server?
9. If your machine is a server that has to provide a web service, the script above is obviously not enough. But stick to the same rules and a small modification makes it work. Add one line at the end:
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT: port 80 on your machine is now open to the outside world, so other people on the internet can reach your web server.
Of course you still have to run the web server itself. If your machine is also an SMTP and POP3 server, add two more lines with 25 and 110 after --dport instead of 80. If you also run an FTP server you need its control port 21 as well (and port 20 for active-mode data connections), and so on......
Our work is turning into repetitions of similar statements, and you may already have thought of it yourself: a loop can do this for us. This is where shell scripting earns its keep. See below:
10. Use a script to simplify your work. Read the following script.
#!/bin/bash
# This is a script
# Edit by liwei
# Establish a static firewall
# Define constants here
Open_ports="80 25 110 10"   # ports open on your own machine (services you offer)
Allow_ports="53 80 20 21"   # internet packets with these source ports may enter your machine
# Init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP      # we can use another method instead of this; see section 11
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Define rules so that some packets can come in.
# The lists are left unquoted on purpose so the shell splits them into one port per iteration
for Port in $Allow_ports; do
    iptables -A INPUT -i ppp0 -p tcp --sport $Port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport $Port -j ACCEPT
done
for Port in $Open_ports; do
    iptables -A INPUT -i ppp0 -p tcp --dport $Port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport $Port -j ACCEPT
done
This script has three parts (the leading comment block is not counted). The first part defines the ports: packets addressed to the ports in Open_ports on your machine are allowed in, and packets coming from the ports in Allow_ports are allowed in as well.
The second part initializes iptables, and the third part applies the rules to the defined ports. If our requirements change later, for example you add an FTP server to the machine, you add the FTP ports 20 and 21 to the list. You must have noticed how easy the script is to extend, but shell scripts can do far more than that!
11. Improve your firewall
The last line of the init part of the script above, iptables -P INPUT DROP, sets the firewall's default policy. When a packet entering our computer matches none of our rules, the default policy is applied: DROP, and no response of any kind is sent to the sender.
That is, if you ping your host from another computer on the internet, the ping just hangs with no reply. If an attacker scans your computer's ports with nmap, the silent ports show up as "filtered", which tells the attacker that the computer is behind a firewall.
I don't want attackers to learn that much about my computer. What can be done? If we change DROP to another action we may be able to fool the scanner. How? Remove the earlier line (iptables -P INPUT DROP) and add the following two lines at the end of the script:
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
This is much better: the attacker can still scan and see the open ports, but it is hard to tell that the machine is behind a firewall, because a rejected port looks exactly like a port with nothing listening on it (nmap reports "closed" rather than "filtered"). If you run FTP for the intranet only, an outside scanner cannot tell that FTP is running at all.
Two caveats before you do this. These REJECT rules only match TCP and UDP on ppp0, so removing the DROP policy leaves the default at ACCEPT, and any other protocol arriving on ppp0 (ICMP, for instance) is then accepted; it is safer to keep iptables -P INPUT DROP and simply add the REJECT rules, which gives the same "closed port" appearance for TCP and UDP while everything else is still dropped. And because the rules are appended, they must come after every ACCEPT rule, or they will reject the very traffic you meant to allow.
What we do here is give packets that should not enter our machine a misleading answer, instead of dropping them silently. The trick is just as useful when designing a stateful firewall, although what we are building here is a static one. Try it yourself and compare the nmap scan results before and after the change.
12. This tutorial ends here. Many things are not covered, such as IP masquerading, port forwarding and packet logging. Another important topic is how iptables processes a packet: the rules in a chain are checked in order and the first match decides, so the order of the rules you set matters a great deal. I will not go into detail here, because then this tutorial would get bogged down in details.
iptables is complex. I have read many tutorials on linuxsir; they are often long and complete, but daunting. I hope this tutorial helps you get started. Come on! Finally, here is the complete script; you only need to change the constant definitions to adapt it, which shows how well it scales. ^_^
#!/bin/bash
# This is a script
# Edit by liwei
# Establish a static firewall
# Define constants here
Open_ports="80 25 110 10"   # ports open on your own machine (services you offer)
Allow_ports="53 80 20 21"   # internet packets with these source ports may enter your machine
# Init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# The following line is commented out to make the firewall look "unfiltered"
# to a scanner (see section 11). Note that the default policy is then ACCEPT
# for anything the REJECT rules at the end do not cover.
# iptables -P INPUT DROP
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Define rules so that some packets can come in.
# The lists are left unquoted on purpose so the shell splits them into one port per iteration
for Port in $Allow_ports; do
    iptables -A INPUT -i ppp0 -p tcp --sport $Port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport $Port -j ACCEPT
done
for Port in $Open_ports; do
    iptables -A INPUT -i ppp0 -p tcp --dport $Port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport $Port -j ACCEPT
done
# These are the last rules; they make the firewall look better to a scanner
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
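As an added example (not the tutorial author's script), here is the same firewall reworked the way I would deploy it today: the DROP policy stays in place, the spoofable --sport matches are replaced by a conntrack state match so that only replies to connections this machine opened get in, the port lists are iterated one port at a time, and the REJECT rules still give a scanner the "closed port" appearance of section 11. The variable names WAN_IF, OPEN_TCP, OPEN_UDP and FW_APPLY and the function gen_rules are this example's own. Unless FW_APPLY=1 is set it only prints the iptables commands it would run, so the rule set can be reviewed without root.

```shell
#!/bin/bash
# Added example: a stateful version of the tutorial's static firewall.
# Assumed names: WAN_IF, OPEN_TCP, OPEN_UDP, FW_APPLY, gen_rules (not from the tutorial).
set -eu

WAN_IF=${WAN_IF:-ppp0}            # internet-facing interface, as in the tutorial
OPEN_TCP=${OPEN_TCP:-"80 25 110"} # TCP services this machine offers to the internet
OPEN_UDP=${OPEN_UDP:-""}          # UDP services offered (none by default)

# Dry run unless FW_APPLY=1: "echo iptables ..." prints each command instead of running it
if [ "${FW_APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

# gen_rules WAN_IFACE "tcp ports" "udp ports": emit (or apply) the complete INPUT rule set
gen_rules() {
    wan=$1 tcp_ports=$2 udp_ports=$3
    # Init: flush rules and user chains in filter and nat, then deny by default
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -P INPUT DROP
    # Anything not arriving on the WAN (LAN, loopback) is trusted, as in the tutorial
    $IPT -A INPUT ! -i "$wan" -j ACCEPT
    # Replies to connections we opened (web, DNS, mail) and helper-tracked related
    # connections (e.g. ftp-data, when nf_conntrack_ftp is loaded). This replaces
    # the --sport 80 / --sport 53 rules, which trusted a field the sender chooses.
    $IPT -A INPUT -i "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that claim to belong to a connection the kernel does not know about
    $IPT -A INPUT -i "$wan" -m conntrack --ctstate INVALID -j DROP
    # Services offered to the internet. The lists are unquoted so the shell
    # splits them into one port per iteration (quoting them is the classic bug).
    for p in $tcp_ports; do
        $IPT -A INPUT -i "$wan" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $udp_ports; do
        $IPT -A INPUT -i "$wan" -p udp --dport "$p" -j ACCEPT
    done
    # Everything else on the WAN: answer as a host with no firewall would, so the
    # ports look closed rather than filtered. Other protocols still hit the DROP policy.
    $IPT -A INPUT -i "$wan" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$wan" -p udp -j REJECT --reject-with icmp-port-unreachable
}

gen_rules "$WAN_IF" "$OPEN_TCP" "$OPEN_UDP"
```

Run it as is to review the commands; run it as root with FW_APPLY=1 to apply them. Unlike the tutorial's script, an attacker who sets source port 80 on a SYN to some other service no longer gets through, because the packet is in state NEW and only the listed destination ports accept NEW connections.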
