Iptables firewall configuration
I. Firewall introduction
1. Functions:
1) Decide whether a packet may pass, based on its source port, source IP address, source MAC address, destination port, destination IP address, destination MAC address, and specific flags inside the packet (for example the TCP SYN flag).
2) Separate the intranet from the Internet [router function].
3) Place the servers that need protection in their own zone (for example a DMZ), so that rules can be applied per zone rather than per host.
A Linux server with the firewall, SELinux and similar protections enabled is commonly said to reach security level B2 (instead of C2) in the TCSEC classification; this is a rule of thumb, not the result of a formal evaluation.
2. Firewall classification
1) Packet filtering [most firewalls]
Checks the IP addresses, ports and MAC addresses of each packet against the rules; the first matching rule decides whether the packet is accepted or dropped.
2) Proxy server (application-layer gateway): terminates the client connection and opens a new one on the client's behalf, so it can also inspect the application data, at the cost of one proxy per protocol.
3. Firewall limitations
1) A firewall cannot effectively stop viruses: it filters on addresses, ports and protocols, not on file content, so malware carried inside an allowed connection passes through. It does limit Trojans somewhat, because a Trojan's inbound or outbound control connection can be blocked by port and address rules.
2) Firewalls generally have no access rules between internal hosts [the server hosts themselves], so they do nothing against attacks that originate inside the network.
[Appendix] The original claims that anti-virus software recognizes only about 30% of viruses, i.e. that most malware is not detected by anti-virus software; no source is given for the figure.
4. Firewall configuration principles [choose one as the base]
Deny everything, then allow specific traffic one rule at a time (default policy DROP; the safer choice for a server).
Allow everything, then reject specific traffic one rule at a time (default policy ACCEPT).
[Appendix:] Rule order matters: iptables evaluates the rules of a chain from top to bottom and the first matching rule decides, so a rule added earlier (or inserted above another) takes effect before the ones below it.
5. Common Linux firewalls
2.4/2.6 kernels: iptables (netfilter)   # commonly used; later kernels still ship iptables, with nftables as its successor
2.2 kernel: ipchains
II. iptables firewall
1. Structure: table ------- chain -------- rule
2. Tables: by default iptables has the following three tables (2.6 kernels also have a raw table, which is rarely needed):
filter table: packet filtering (the accept/drop decisions); the default table
nat table: network address translation between intranet and Internet (SNAT, DNAT, MASQUERADE)
mangle table: packet modification and marking (TOS, TTL, MARK)
3. Chains
filter table: INPUT, OUTPUT, FORWARD
nat table: PREROUTING, OUTPUT, POSTROUTING
mangle table: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
III. iptables basic syntax
1. Viewing and clearing rules
iptables [-t table] [option]
Options:
-L  list the rules of a chain (or of all chains in the table)
-F  flush all rules of a chain (or of every chain in the table if no chain is given); the default policy is not changed
-X  delete user-defined (custom) chains
-Z  zero the packet and byte counters of all chains
-n  numeric output: print IP addresses and ports as numbers instead of resolving names (-N, uppercase, creates a new user-defined chain)
Example:
iptables -t nat -L     # view the rules of the nat table
iptables -L            # view the rules of the filter table; if no table is named, the filter table is used by default
iptables -nvL --line-numbers   # the most useful form for auditing: numeric, with counters, interfaces and rule numbers
2. Defining the default policy
iptables [-t table] -P chain ACCEPT|DROP    # -P (uppercase) sets the default policy, which applies when no rule in the chain matches
Example:
iptables -t filter -P INPUT DROP
Note: do not lock yourself out of the server. Set the DROP policy only after the rules that accept loopback traffic, established connections and your own management access (SSH) are in place, i.e. as the last step, and preferably while you have console access in case something goes wrong.
3. Restricting by IP address and network interface
iptables [-A|-I chain] [-i|-o interface] [-p protocol] [-s source-address] [-d destination-address] -j action
Notes:
-A chain        # append: add the rule at the end of the chain
-I INPUT 2      # insert: put the rule into the INPUT chain as rule number 2 (with no number it becomes rule 1)
-D chain num    # delete the rule with the given number from the chain
Example:
iptables -D INPUT 2      # delete the second rule of the INPUT chain
-i eth0    # the interface the packet arrives on; only valid in the INPUT, FORWARD and PREROUTING chains
-o eth0    # the interface the packet leaves by; only valid in the OUTPUT, FORWARD and POSTROUTING chains
-p protocol   # [tcp/udp/icmp/all]
-j action     # [ACCEPT | DROP | REJECT | LOG ...]; chain names are case-sensitive and written in uppercase
Examples:
iptables -A INPUT -i lo -j ACCEPT
Allow loopback traffic in the INPUT chain (many local services talk to themselves over lo)
iptables -A INPUT -i eth0 -s 192.168.140.254 -j ACCEPT
Allow host 192.168.140.254 in through eth0
iptables -A INPUT -i eth0 -s 192.168.140.0/24 -j DROP
Drop everything else from the 192.168.140.0/24 network. Because rules are matched top to bottom, the ACCEPT for .254 must come before this DROP, otherwise it never takes effect.
4. Port-based access
iptables -A INPUT -i eth0 -p tcp|udp -s source-ip --sport source-port -d destination-ip --dport destination-port -j action
# --sport/--dport need a protocol that has ports: the rule must carry -p tcp or -p udp
Examples:
iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 22 -j DROP          # block SSH from the 140 network
iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 137:139 -j ACCEPT   # allow ports 137 to 139 (a port range is written first:last)
Note: the protocol cannot be "all" when a port is specified; name the exact protocol, e.g. tcp, or iptables rejects the rule.
5. Match modules
-m module [module options]    loads an iptables match extension
1) -m state --state ESTABLISHED,RELATED
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# state module (connection tracking). Common states: NEW [first packet of a connection], ESTABLISHED [packet of a connection already seen in both directions], RELATED [new connection related to an existing one, e.g. an FTP data channel or an ICMP error], INVALID [packet that cannot be associated with any known connection; usually dropped]. The state list is written without spaces after the commas. On current kernels -m conntrack --ctstate is the preferred equivalent.
2) -m mac --mac-source: restrict by source MAC address
iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP
# drop traffic from that MAC address. The mac match only works in the PREROUTING, FORWARD and INPUT chains (where the packet still has an incoming Ethernet frame) and only for hosts on the local segment, since every router rewrites the MAC address.
3) -m string --string "text to match in the packet payload" --algo kmp|bm
iptables -A FORWARD -p udp --dport 53 -m string --string "tencent" --algo kmp -j DROP
# crude block of QQ logon: drop forwarded DNS queries whose payload contains "tencent" (DNS labels are length-prefixed, not encoded, so the name appears literally in the packet)
# --algo is mandatory and selects the search algorithm: kmp (Knuth-Morris-Pratt) or bm (Boyer-Moore); either works here. String matching is easy to bypass (a different case, an IP address instead of a name, DNS over TCP, which this rule does not cover) and costs CPU on every packet, so use it sparingly.
6. A simple firewall example
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # HTTP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH
# iptables -A INPUT -p tcp --dport 22 -s <source> -j ACCEPT   # alternative: restrict SSH to one source address (the address is not given in the original)
iptables -A INPUT -p tcp --dport 873 -j ACCEPT   # rsync
iptables -A INPUT -p tcp --dport 139 -j ACCEPT   # NetBIOS session (Samba); modern SMB clients also need TCP 445
iptables -A INPUT -p tcp --dport 21 -j ACCEPT    # FTP control channel; passive-mode data connections only match RELATED if the nf_conntrack_ftp helper module is loaded
iptables -P INPUT DROP
Notes: the RELATED,ESTABLISHED rule sits near the top so that reply traffic, which is most of the packets, is accepted by the second rule and the rest of the chain is not evaluated. Running this sequence again on a host whose policy is already DROP leaves a short window after iptables -F in which only the DROP policy applies and every packet is lost; loading the whole ruleset with iptables-restore is atomic and avoids that.
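The same firewall written as an iptables-restore file, as an added example that is not part of the original page. Rather than run iptables -F and then append rules one by one, the script generates the whole filter table, including the DROP policy, and loads it in one atomic commit. It goes a little beyond the page's list: it uses the conntrack match, drops INVALID packets explicitly, limits SSH to a management network and logs drops at a bounded rate. The function names (build_ruleset, count_rules, apply_ruleset) and the ADMIN_NET and SERVICE_PORTS values are this example's own, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): generate the section-6 firewall as an
# iptables-restore file and load it atomically. Assumes iptables-restore is available
# on the host when apply_ruleset is called; build_ruleset itself needs nothing.

# Constructed parameters: the management network allowed to reach SSH, and the
# public TCP services from the page's example (80 http, 873 rsync, 139 smb, 21 ftp).
ADMIN_NET="${ADMIN_NET:-192.168.140.0/24}"
SERVICE_PORTS="${SERVICE_PORTS:-80 873 139 21}"

# Print an iptables-restore ruleset for the filter table on stdout.
# The INPUT policy DROP is declared in the header, so it takes effect in the same
# commit as the ACCEPT rules: there is no window with DROP and no rules.
build_ruleset() {
    admin_net="$1"
    service_ports="$2"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # reply and related traffic first: most packets match here and stop
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # packets conntrack cannot classify (stray ACKs, bad sequence numbers) are dropped explicitly
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SSH only from the management network, and only for new connections
    printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    for port in $service_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log what is about to be dropped, rate-limited so an attacker cannot flood the log
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of rules (lines starting with -A) a generated ruleset contains.
count_rules() {
    build_ruleset "$1" "$2" | grep -c '^-A '
}

# Write the ruleset to a file (default: the path the iptables service reads on
# RHEL/CentOS) and load it atomically. iptables-restore --test parses the file
# without applying it, so a syntax error is caught before the kernel is touched.
apply_ruleset() {
    out="${1:-/etc/sysconfig/iptables}"
    build_ruleset "$ADMIN_NET" "$SERVICE_PORTS" > "$out"
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; ruleset written to $out only" >&2
        return 1
    fi
    iptables-restore --test < "$out" && iptables-restore < "$out"
}

# When run directly, print the ruleset so it can be reviewed before loading it.
build_ruleset "$ADMIN_NET" "$SERVICE_PORTS"
```

Review the printed output, then run apply_ruleset as root; the file it writes is the same format that service iptables save produces, so the rules survive a reboot without a separate script.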
7. Starting the firewall service at boot
chkconfig iptables on      # SysV init (RHEL/CentOS 5 and 6); on systemd systems use systemctl enable iptables (from the iptables-services package)
8. Loading the firewall rules automatically at boot
1) service iptables save
Saves the current rules to /etc/sysconfig/iptables; the iptables service reads that file again after a reboot. The same file can be written by hand with iptables-save > /etc/sysconfig/iptables and loaded with iptables-restore < /etc/sysconfig/iptables.
2) a. Write the firewall script by hand, e.g. vi /root/iptables.rule
#!/bin/sh
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 873 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -P INPUT DROP
(The iptables -F at the top matters: without it every run of the script appends a second copy of each rule.)
b. Grant execute permission: chmod 755 /root/iptables.rule
c. Edit the startup file: vi /etc/rc.local
d. Add the line /root/iptables.rule (on some distributions /etc/rc.local itself must be executable for it to run at boot)
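A loader with an automatic rollback, as an added example that is not code from the original page: it addresses the lock-out warning in the default-policy section and the rule-file handling in this section. The running rules are saved with iptables-save, the new file is checked and loaded with iptables-restore, and unless confirm_rules is run before the timeout expires the saved rules are put back, so a mistake in the new file costs at most one timeout of lost access. The function and variable names (validate_ruleset, apply_with_rollback, confirm_rules, IPT_SAVE, IPT_RESTORE, ROLLBACK_FLAG, ROLLBACK_PID) are this example's own; IPT_SAVE and IPT_RESTORE default to the real tools and are variables only so the logic can be exercised on a machine without iptables.

```shell
#!/bin/sh
# Added example (not from the original page): load an iptables-save format file with
# automatic rollback. Assumes iptables-save/iptables-restore are on PATH unless the
# IPT_SAVE/IPT_RESTORE variables are pointed elsewhere.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
ROLLBACK_FLAG="${ROLLBACK_FLAG:-/run/iptables-confirmed}"
ROLLBACK_PID=""

# Pre-flight check of an iptables-save format file: every non-blank line must be a
# comment, a table header (*filter), a chain policy (:INPUT DROP [0:0]), a rule
# (-A/-I/-N ...) or COMMIT, and the last real line must be COMMIT. This catches a
# truncated or hand-edited file before iptables-restore touches the kernel.
validate_ruleset() {
    file="$1"
    [ -s "$file" ] || return 1
    if grep -vE '^(#.*|\*[a-z]+|:[A-Za-z0-9_.-]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]|-[AIN] .*|COMMIT)?$' "$file" >/dev/null; then
        return 1     # at least one line is not something iptables-restore accepts
    fi
    [ "$(grep -v '^#' "$file" | grep -v '^$' | tail -n 1)" = "COMMIT" ]
}

# Load $1 and schedule a rollback after $2 seconds (default 60). Sets ROLLBACK_PID to
# the background timer so a caller can wait for it.
apply_with_rollback() {
    file="$1"
    timeout="${2:-60}"
    validate_ruleset "$file" || { echo "refusing to load $file: malformed ruleset" >&2; return 1; }
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || { rm -f "$backup"; return 1; }
    # --test parses the whole file without committing, so an error in a later table
    # cannot leave an earlier table already applied
    "$IPT_RESTORE" --test < "$file" || { rm -f "$backup"; return 1; }
    rm -f "$ROLLBACK_FLAG"
    "$IPT_RESTORE" < "$file" || { "$IPT_RESTORE" < "$backup"; rm -f "$backup"; return 1; }
    # the timer runs in the background so the administrator's shell stays usable for
    # testing the new rules, for example by opening a second SSH session
    (
        sleep "$timeout"
        if [ -e "$ROLLBACK_FLAG" ]; then
            rm -f "$ROLLBACK_FLAG" "$backup"
        else
            "$IPT_RESTORE" < "$backup"
            rm -f "$backup"
        fi
    ) &
    ROLLBACK_PID=$!
}

# Run this before the timer expires to keep the new rules.
confirm_rules() {
    : > "$ROLLBACK_FLAG"
}
```

Typical use on a server: apply_with_rollback /root/iptables.rules 60, open a new SSH session to prove the rules still admit you, then confirm_rules in the original shell; if the second session cannot connect, wait for the timeout and the old rules return on their own. Because the file is in iptables-save format it can be copied to /etc/sysconfig/iptables once confirmed, which is all the persistence step above needs.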