Iptables instances
First, let's look at how a server and a client interact. A server that provides a given service always does so through a specific background program (daemon). In TCP/IP networks, such a service is usually bound to a specific TCP or UDP port, and the daemon continuously listens on that port. Once a client request that meets the conditions arrives, the service completes a TCP handshake, establishes a connection with the client and responds to the client's requests. At the same time, a copy of the bound socket is created to continue listening for further client requests.
For example, assume that server A (IP address 1.1.1.1) in the network provides the WWW service, and that B (2.2.2.2) and C (3.3.3.3) are clients. First, server A runs the background program that provides the WWW service (such as Apache) and binds the service to port 80, that is, it listens on port 80. When B initiates a connection request, B opens a connection port greater than 1024 (ports up to 1024 are defined ports), assumed here to be 1037. After receiving the request, A establishes a connection from port 80 to respond to B's port 1037. At the same time, a copy bound to port 80 is created to continue listening for client requests. If A then receives a connection request from C (assume the connection request port is 1071), A establishes a connection with C and again creates a copy bound to port 80 to keep listening. As shown below, because the system identifies a connection by source address, source port, destination address and destination port, each connection here is unique.
Server                     Client
Connection 1: a.b.c.1:80 <=> a.b.c.4:1037
Connection 2: a.b.c.1:80 <=> a.b.c.7:1071
Each specific service has its own specific port. Generally, ports below 1024 are reserved ports, also called defined ports; the low ports are allocated to well-known services (such as WWW and FTP), and ports from 512 to 1024 are usually reserved for special UNIX TCP/IP applications. For details, see the /etc/services file or RFC 1700.
Assume that the network environment is as follows: a DDN leased line is used to connect to the Internet, with this topology:
 +------------------+
 | Intranet segment | eth1   +----------+ eth0        DDN
 |                  +--------| Firewall |<==================> Internet
 | 198.168.80.0     |        +----------+
 +------------------+
 eth0: 198.199.37.254
 eth1: 198.168.80.254
The above IP addresses are all real IP addresses on the Internet, so no IP masquerading (NAT) is needed. In addition, we assume that the following servers exist on the intranet:
WWW server:   www.yourdomain.com  198.168.80.11
FTP server:   ftp.yourdomain.com  198.168.80.12
Email server: mail.yourdomain.com 198.168.80.13
Next we will use iptables to build our packet filtering firewall step by step. Note that in this example we mainly protect the various internal servers.
1. In the /etc/rc.d/ directory, run the touch command to create the firewall file, run chmod u+x firewall to make it executable, then edit /etc/rc.d/rc.local and add /etc/rc.d/firewall at its end so that the script is executed automatically at startup.
2. Flush all chain rules
#!/bin/sh
echo "Starting iptables rules ..."
# Flush all chains
/sbin/iptables -F
3. We first disable forwarding of any packet, and then step by step permit the packets that are allowed to pass.
Therefore, first set the policy of the firewall's FORWARD chain to DROP:
/sbin/iptables -P FORWARD DROP
4. Set the packet filtering rules for the servers:
Note that server/client interaction is always two-way. Therefore, we must set rules not only for outbound packets but also for the returned packets. First we establish the filtering rules for packets coming from the Internet.
WWW service: the service port is 80 and it uses the tcp or udp protocol. The rule is: eth0 => allow packets destined for the WWW server on the intranet.
########################### Define HTTP packets ####################################
# Allow www request packets from Internet clients to the www server
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j ACCEPT
FTP service: FTP is a bit special because it requires two ports, since FTP has a command channel and a data channel. The command port is 21 and the data port is 20, and there are two service modes, active and passive. The passive connection process is: the FTP client first initiates a connection request to the FTP server; after the three-way handshake, the command channel is created, and then a data channel is created at the FTP server's request; after that handshake succeeds, data transfer begins. Currently most FTP clients support passive mode because it improves security. The FTP service uses the tcp protocol. The rule is: eth0 => only packets destined for the intranet FTP server are allowed.
########################### Define FTP packets #####################################
# Allow ftp request packets from Internet clients to the Intranet ftp server
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.12 --dport ftp -i eth0 -j ACCEPT
EMAIL service: this includes two protocols, smtp and pop3. For security, pop3 is usually provided only internally, so here we only consider smtp. The smtp port is 21 and it uses the tcp protocol. eth0 => only allow smtp requests for the email server.
########################### Define smtp packets ####################################
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.13 --dport smtp -i eth0 -j ACCEPT
5. Set the filtering rules for Intranet clients:
In this example our firewall sits at the gateway, so we mainly guard against attacks from the Internet rather than from the Intranet. Assuming our servers run Linux, corresponding filtering rules can also be set on each server to guard against attacks from the Intranet. The following rules are defined for the response packets returned from the Internet to Intranet clients.
############ Define packets from Internet servers to Intranet #######################
/sbin/iptables -A FORWARD -p tcp -s 0/0 --sport ftp-data -d 198.168.80.0/24 -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.0/24 ! --syn -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT
Note: the first rule allows Intranet clients to access FTP servers on the Internet in passive mode; the second accepts tcp packets from the Internet that are not connection requests (no SYN flag); the last accepts all udp packets, mainly for OICQ and similar applications.
6. Accept packets from the entire Intranet. We define the following rule:
############ Define packets from Intranet to Internet ###############
/sbin/iptables -A FORWARD -s 198.168.80.0/24 -i eth1 -j ACCEPT
7. Handle IP fragments
We accept all IP fragments, but use the limit match extension to cap the number of IP fragments that may pass per unit of time, to guard against IP fragment attacks.
################################ Define fragment rule ##################################
/sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Note: wherever the IP fragments come from, 100 fragments per second are allowed to pass; the burst that triggers this limit is 100 fragments.
8. Set ICMP packet filtering
ICMP packets are usually used for network testing, so all ICMP packets are allowed to pass. However, attackers often use ICMP for attacks such as ping of death, so we use the limit match extension to restrict them as follows:
################################# Define icmp rule ##################################
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
Note: wherever the ICMP packets come from, one packet per second is allowed to pass; the burst that triggers this limit is 10 packets.
Through the above steps we have built a fairly complete firewall. Only a limited number of ports are opened to the outside world, clients still have transparent access to the Internet, and there are effective protective measures against IP fragment attacks and the ICMP ping of death. The complete script follows; I hope this example helps in understanding how iptables is used:
#!/bin/sh
echo "Starting iptables rules ..."
# Flush all chains
/sbin/iptables -F
# Default policy: drop everything not explicitly allowed below (step 3)
/sbin/iptables -P FORWARD DROP
########################### Define HTTP packets ####################################
# Allow www request packets from Internet clients to the www server
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j ACCEPT
########################### Define FTP packets #####################################
# Allow ftp request packets from Internet clients to the Intranet ftp server
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.12 --dport ftp -i eth0 -j ACCEPT
########################### Define smtp packets ####################################
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.13 --dport smtp -i eth0 -j ACCEPT
############ Define packets from Internet servers to Intranet #######################
/sbin/iptables -A FORWARD -p tcp -s 0/0 --sport ftp-data -d 198.168.80.0/24 -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 198.168.80.0/24 ! --syn -i eth0 -j ACCEPT
/sbin/iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT
############ Define packets from Intranet to Internet ###############
/sbin/iptables -A FORWARD -s 198.168.80.0/24 -i eth1 -j ACCEPT
################################ Define fragment rule ##################################
/sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
################################# Define icmp rule ##################################
/sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
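The chain above filters statelessly: the rules in step 5 accept every non-SYN TCP packet and every UDP packet arriving on eth0, whether or not an intranet host asked for it. The following is an added example, not the article's script, that expresses the same topology and policy with the iptables connection-tracking state match, so return traffic is accepted only for flows the firewall saw start; the IPT variable and the function names are this example's own, the addresses and interfaces are the article's.

```shell
#!/bin/sh
# Added example: stateful version of the article's FORWARD chain.
# IPT is a hypothetical variable so the rules can be printed (IPT=echo)
# instead of applied; as root, leave it unset to apply them for real.
IPT="${IPT:-/sbin/iptables}"
LAN=198.168.80.0/24
WWW=198.168.80.11
FTP=198.168.80.12
MAIL=198.168.80.13

build_forward_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # Return traffic for flows already seen, plus related flows such as
    # FTP data channels (the ftp conntrack helper module must be loaded).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets from the Internet that belong to no known flow and open none.
    $IPT -A FORWARD -i eth0 -m state --state INVALID -j DROP
    # New connections from the Internet only to the three published services.
    $IPT -A FORWARD -i eth0 -p tcp -d "$WWW"  --dport www  -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp -d "$FTP"  --dport ftp  -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i eth0 -p tcp -d "$MAIL" --dport smtp -m state --state NEW -j ACCEPT
    # Rate limits as in the article. Note that once connection tracking is
    # active the kernel reassembles fragments before the filter table sees
    # them, so the -f rule seldom matches; it is kept for parity.
    $IPT -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
    $IPT -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    # Intranet clients may open any outbound connection.
    $IPT -A FORWARD -i eth1 -s "$LAN" -m state --state NEW -j ACCEPT
}

# Dry run: count the rules that would be appended to FORWARD.
count_rules() {
    ( IPT=echo; build_forward_rules ) | grep -c -- '-A FORWARD'
}
```

Run `IPT=echo sh -c '. ./firewall-stateful.sh; build_forward_rules'` (or simply call `count_rules`) to review the generated rules before applying them.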