Linux add firewall, iptables installation and configuration (pro-Test)

Source: Internet
Author: User

Iptables Foundation


A rule is a condition defined in advance by the network administrator, generally of the form "if the packet header meets this condition, handle the packet this way". Rules are stored in the packet-filtering tables of the kernel and specify source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables handles it in the way the rule defines, for example accept (ACCEPT), reject (REJECT) or drop (DROP). The main work of configuring the firewall is adding, modifying and deleting these rules.

Rule chain:


1. INPUT -- incoming packets addressed to this host are matched against the rules in this chain
2. OUTPUT -- outgoing packets generated by this host are matched against the rules in this chain
3. FORWARD -- packets being forwarded through this host are matched against the rules in this chain
4. PREROUTING -- the rules in this chain are applied to packets before routing
   (every incoming packet passes through this chain first)
5. POSTROUTING -- the rules in this chain are applied to packets after routing
   (every outgoing packet passes through this chain before it leaves)

Common iptables options:

-A  append a new rule at the end of the specified chain
-D  delete a rule from the specified chain, either by rule number or by rule content
-I  insert a new rule into the specified chain; by default it goes in the first position
-R  replace a rule in the specified chain, either by rule number or by rule content
-L  list all rules in the specified chain
-E  rename a user-defined chain; the chain itself is unchanged
-F  flush (empty) a chain
-N  create a new user-defined chain (new-chain)
-X  delete a user-defined chain from the specified table (delete-chain)
-P  set the default policy for the specified chain
-Z  zero the byte and packet counters of all chains in all tables
-n  numeric output (addresses and ports are not resolved to names)
-v  verbose output, showing rule table details
-V  show the version
-h  show help


Order of precedence between rule tables:

raw -> mangle -> nat -> filter
Order of precedence between rule chains (in three cases):

First case: Inbound Data flow

Packets arriving from outside the firewall are first processed by the PREROUTING chain (for example, to decide whether to rewrite the packet's address), then routed (which decides where the packet should go). If the packet's destination is the firewall host itself (for example, an Internet user's packet to a web server running on the firewall host), the kernel hands it to the INPUT chain (which decides whether to let it through), after which it is delivered to the upper-layer application on the system (such as an Apache server) for a response.

Second case: forwarded data flow

When a packet arrives at the firewall it is first processed by the PREROUTING chain and then routed. If its destination is some other external address (for example, a LAN user's packet to the QQ site going out through the gateway), the kernel hands it to the FORWARD chain (forward or block), and then to the POSTROUTING chain (whether to rewrite the packet's address).

Third case: outbound data flow

When the firewall host itself sends packets to an external address (for example, when a public DNS server is tested from the firewall host), they are first processed by the OUTPUT chain, then routed, and then handed to the POSTROUTING chain (whether to rewrite the packet's address).

Installation and configuration of iptables

Since CentOS 7 uses firewalld as its default firewall, the following shows how to switch the system's firewall to iptables.

# stop firewalld
systemctl stop firewalld.service

# prevent firewalld from starting at boot
systemctl disable firewalld.service

# install iptables
yum install iptables-services

# edit the firewall file (configure in the file rather than with ad-hoc commands, so the rules survive a restart)
vi /etc/sysconfig/iptables

# open ports 80 and 3306 etc. (adjust to your needs); in this file each rule is one line,
# comments must be on their own line, and -I puts a rule at the top of the chain while -A appends it at the end
# open port 80
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# open port 3306
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# block the given IP from reaching port 8089
-I INPUT -s 113.106.93.110 -p tcp --dport 8089 -j DROP
# open port 8080 to the given IP only
-I INPUT -s 113.106.93.110 -p tcp --dport 8080 -j ACCEPT

# restart the firewall so the configuration file takes effect
systemctl restart iptables.service

# make the iptables firewall start at boot
systemctl enable iptables.service

# start the service
service iptables start

# stop the service
service iptables stop

# restart the service
service iptables restart
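The rules in /etc/sysconfig/iptables are evaluated top to bottom and the first matching terminating rule decides, which is why the per-IP DROP goes in with -I (head of the chain) rather than -A (tail of the chain, where the stock CentOS 7 file already ends with a catch-all REJECT). The following script is an added example, not part of the original article: it parses a constructed iptables-save style fragment made of the article's four rules plus the baseline RELATED,ESTABLISHED, loopback, ssh and final REJECT rules of a stock CentOS 7 file, walks the INPUT chain for a few constructed packets the way the kernel would, and reports rules that sit behind an unconditional REJECT and can therefore never match. The parser only understands the matches used here (-s, -i, -p, --dport, --state and -j); the packet summaries and the 203.0.113.5 address are constructed.

```python
"""Added example: first-match walk of an iptables INPUT chain (not from the article)."""
import ipaddress
import shlex

# Constructed iptables-save style fragment: the article's rules plus the baseline
# rules a stock CentOS 7 /etc/sysconfig/iptables ships with (last rule is a catch-all REJECT).
SAMPLE_CONFIG = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-I INPUT -s 113.106.93.110 -p tcp --dport 8089 -j DROP
-I INPUT -s 113.106.93.110 -p tcp --dport 8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed counter-example: the per-IP DROP appended (-A) behind the catch-all REJECT.
MISORDERED_CONFIG = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8089 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 113.106.93.110 -p tcp --dport 8089 -j DROP
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
MATCH_KEYS = ("src", "iface", "proto", "dport", "states")


def parse_config(text):
    """Return {chain: {"policy": ..., "rules": [...]}} honouring -A (append) and -I (insert)."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":INPUT ACCEPT [0:0]" declares a chain and its policy
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
            continue
        argv = shlex.split(line)
        op, chain, i = argv[0], argv[1], 2
        pos = 1  # -I without a number inserts at the head of the chain
        if op == "-I" and i < len(argv) and argv[i].isdigit():
            pos, i = int(argv[i]), i + 1
        rule = dict.fromkeys(MATCH_KEYS + ("target",), None)
        rule["text"] = line
        while i + 1 < len(argv):  # every option used here takes exactly one value
            flag, val = argv[i], argv[i + 1]
            if flag == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif flag == "-i":
                rule["iface"] = val
            elif flag == "-p":
                rule["proto"] = val
            elif flag == "--dport":
                rule["dport"] = int(val)
            elif flag == "--state":
                rule["states"] = set(val.split(","))
            elif flag == "-j":
                rule["target"] = val
            i += 2  # -m, --reject-with and anything else not listed is skipped with its value
        rules = chains[chain]["rules"]
        if op == "-A":
            rules.append(rule)
        else:
            rules.insert(pos - 1, rule)
    return chains


def matches(rule, pkt):
    """A rule matches when every match it specifies agrees with the packet."""
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def evaluate(chains, chain_name, pkt):
    """Walk the chain top to bottom; the first matching terminating rule decides.
    Returns (verdict, rule_index); index -1 means the chain policy applied."""
    chain = chains[chain_name]
    for idx, rule in enumerate(chain["rules"]):
        if rule["target"] in TERMINATING and matches(rule, pkt):
            return rule["target"], idx
    return chain["policy"], -1


def unreachable_rules(chains, chain_name):
    """Indices of rules behind the first unconditional terminating rule: they can never match."""
    rules = chains[chain_name]["rules"]
    for idx, rule in enumerate(rules):
        if rule["target"] in TERMINATING and all(rule[k] is None for k in MATCH_KEYS):
            return list(range(idx + 1, len(rules)))
    return []


def packet(src, dport, state="NEW", iface="eth0", proto="tcp"):
    """Constructed packet summary holding only the fields the matches above look at."""
    return {"src": src, "dport": dport, "state": state, "iface": iface, "proto": proto}


if __name__ == "__main__":
    chains = parse_config(SAMPLE_CONFIG)
    for pkt in (packet("113.106.93.110", 8089), packet("203.0.113.5", 8089),
                packet("113.106.93.110", 8080), packet("203.0.113.5", 80)):
        verdict, idx = evaluate(chains, "INPUT", pkt)
        print(f"{pkt['src']}:{pkt['dport']} -> {verdict} (rule {idx})")
    bad = parse_config(MISORDERED_CONFIG)
    print("unreachable in misordered chain:",
          [bad["INPUT"]["rules"][i]["text"] for i in unreachable_rules(bad, "INPUT")])
```

Run it after editing the file and before restarting the service to see where a new rule actually lands: with the two -I lines the second insert pushes the first one down to position 2, both still ahead of the catch-all REJECT, whereas in the misordered fragment the DROP is never reached and the listed IP gets through on the general port-8089 ACCEPT.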

Turn off SELinux

vi /etc/selinux/config
# comment out the following settings
SELINUX=enforcing
SELINUXTYPE=targeted

# add the following setting
SELINUX=disabled

# switch SELinux to permissive mode immediately (the SELINUX=disabled setting takes effect after a reboot)
setenforce 0
