Linux system iptables configuration commands

Source: Internet
Author: User
Tags iptables

Start configuration

Let's configure a Filter the firewall of the table .

(1) view this institution in IPTABLES the setup situation

[Email protected] ~]# Iptables-l–n

[Email protected] ~]/etc/sysconfig/iptables

[Email protected] ~]/etc/init.d/iptables Status|stop|start

[Email protected] ~]/sbin/chkconfig–level 2345 iptables off|on



(2) Clear Old rules .

Whether or not you start a firewall when you install Linux, if you want to configure your own firewall, clear all the rules for the filter now.

[[email protected] ~]# iptables-f clears all rule chain rules in the preset table filter
[[Email protected] ~] #iptables-X clears the preset table rules in the user-defined chain in the filter

We're having a look.

[Email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target Prot Optsource Destination

Chain FORWARD (Policy ACCEPT)
Target Prot Optsource Destination

Chain OUTPUT (Policy ACCEPT)
Target Prot Optsource Destination

Nothing at all, and we did not start the firewall when installing Linux is the same. (in advance, these configurations are like using commands to configure the IP, the restart will lose its effect), how to save.

[Email protected] ~]#/etc/rc.d/init.d/iptables Save

This will allow you to write to the/etc/sysconfig/iptables file. Remember to re-start the firewall after writing to make it work.

[Email protected] ~]# service iptables restart

Now that the Iptables configuration table does not have any configuration, let's start our configuration.

(3) Set preset rules

[Email protected] ~]# iptables-p INPUT DROP

[[email protected] ~]# iptables-p OUTPUT ACCEPT

[Email protected] ~]# iptables-p FORWARD DROP
the above means that , when beyond the IPTABLES in Filter two chain rules in a table (Input,forward) when , What about the packets that are not in these two rules? , That's Drop ( discard ). It should be said that this configuration is very safe. . we're going to control the incoming packets .

and for OUTPUT chain , which means we don't have to make too many restrictions on the outgoing packets. , but to take ACCEPT, Which means , What about a bag that's not in the rules? , that's through .

can see Input,forward two chains are used to allow what package to pass , and OUTPUT chain is not allowed what the package through .

it's pretty reasonable. , Of course you can also have three chains of DROP, but I don't think it's necessary to do this. , and the rules to be written will increase. . But if you just want a few rules that are limited , If only do WEB Server . or is it recommended that three chains are DROP.

Note: If you are a remote SSH login, you should drop it when you enter the first command. Because you didn't set any rules.

How to do, go to the machine operation Bai!

(4) Add Rule .

First Add INPUT chain , INPUT The default rule for chains is DROP, so we just write the need Accetp ( through ) the chain

in order to be able to use remote SSH Login , we're going to open A Port .

[Email protected] ~]# iptables-a input-p tcp--dport 22-j ACCEPT

[[email protected] ~]# iptables-aoutput-p TCP--sport 22-j ACCEPT ( Note : This rule , If you set the OUTPUT to drop , write this one , and a lot of people are looking at it . This rule leads , always cannot SSH. on the remote . , is it okay ? .

the other ports are the same , If you turn on Web Server , OUTPUT Set as DROP words , also add a chain :

[Email protected] ~]# iptables-a output-p tcp--sport 80-j ACCEPT, other similar.)

If you do, WEB Server , Open the Port .

[Email protected] ~]# iptables-a input-p tcp--dport 80-j ACCEPT
If you do a mail server , Open 25,110 Port .

[Email protected] ~]# iptables-a input-p tcp--dport 110-j ACCEPT
[[email protected] ~]# iptables-a input-p TCP--dport 25-j ACCEPT
If you do, FTP Server , Open + Port

[Email protected] ~]# iptables-a input-p tcp--dport 21-j ACCEPT

[Email protected] ~]# iptables-a input-p tcp--dport 20-j ACCEPT

If you do, DNS Server , Open - Port

[Email protected] ~]# iptables-a input-p tcp--dport 53-j ACCEPT

If you also do other servers, which port you need to open, just write it.

The main writing above is the input chain, usually not in the above rules, all drop

Allow ICMP Package through , Which allows Ping,

[[email protected] ~]# iptables-a output-p icmp-j ACCEPT (OUTPUT set to drop)

[[email protected] ~]# iptables-a input-p icmp-j ACCEPT (INPUT set to drop)

Allow loopback! ( This may cause problems such as DNS not shutting down properly )

Iptables-a input-i lo-p all-j ACCEPT (if INPUT DROP)
Iptables-a output-o lo-p all-j ACCEPT (if OUTPUT DROP)

Write the output chain below, the default rule for the output chain is accept, so we write a chain that needs drop (discard).

Reduce insecure port connections

[Email protected] ~]# iptables-a output-p tcp--sport 31337-j DROP

[Email protected] ~]# iptables-a output-p tcp--dport 31337-j DROP

Some Trojans scan services on ports 31337 through 31340 (that is, the elite ports in the hacker language). Since legitimate services do not use these non-standard ports to communicate, blocking these ports can effectively reduce the chance that your network may be infected by the machine and their remote primary server for independent communication

There are other ports as well, like: 31335, 27444, 27665, 20034 NetBus, 9704, 137-139 (SMB), 2049 (NFS) port should also be banned, I write in this is not all, interested friends should go to check the relevant information.

of course, it's safer to think about it. OUTPUT chain is set into DROP, then you've added more rules. , just like the top add

Allow SSH Landing the same . just write it. .

Let's write more detailed rules. , is to restrict it to a machine .

as : we only allow 192.168.0.3 the machine is SSH Connection

[[email protected] ~]# iptables-a input-s192.168.0.3-p TCP--dport 22-j ACCEPT

If you want to allow or restrict a certain IP address, you can use 192.168.0.0/24 to represent all IPs on the 192.168.0.1-255 side.

24 indicates the number of subnet masks. But remember to delete the line in the/etc/sysconfig/iptables.

-A input-p tcp-m TCP--dport 22-jaccept because it means all addresses can be landed.

or using the command mode:

[Email protected] ~]# iptables-d input-p tcp--dport 22-j ACCEPT

And then save, I say one side, the reverse is the way of the command, only at the time of entry into force, if you want to restart the role, it should be saved. Write to the/etc/sysconfig/iptables file.

[Email protected] ~]#/etc/rc.d/init.d/iptables Save

This write!192.168.0.3 indicates that the IP address except the 192.168.0.3

Other regular connections are set up as well.

in the following is FORWARD chain , FORWARD The default rule for chains is DROP, so we just write the need Accetp ( through ) the chain , monitoring of the forwarding chain .

Turn on forwarding function , ( when you do NAT , the FORWARD default rule is DROP , must be done )

[Email protected] ~]# iptables-a forward-i eth0-o eth1-m State--state related,established-j ACCEPT

[Email protected] ~]# iptables-a forward-i eth1-o eh0-j ACCEPT

Discard the Bad TCP Package

[[Email protected] ~] #iptables-A forward-ptcp! --syn-m State--state New-j DROP

processing IP Number of fragments , prevent attacks , Allow per second - a

[[Email protected] ~] #iptables-A forward-f-mlimit--limit 100/s--limit-burst 100-j ACCEPT

Set ICMP Packet filtering , Allow per second 1 a bag , the limit trigger condition is Ten a bag .

[[Email protected] ~] #iptables-A forward-p icmp-m limit--limit 1/s--limit-burst 10-j ACCEPT

I'm in front only so allow ICMP packets to pass because I have restrictions here.

two , Configure a NAT table on the fire wall

1, view this institution in NAT the setup situation

[Email protected]rc.d]# iptables-t nat-l
Chain prerouting (Policy ACCEPT)
Target Prot Optsource Destination

Chain postrouting (Policy ACCEPT)
Target Prot opt source destination
SNAT All-192.168.0.0/24 anywhere to:211.101.46.235

Chain OUTPUT (Policy ACCEPT)
Target Prot Optsource Destination

My NAT has been configured (just to provide the simplest proxy Internet access, and no firewall rules have been added). about how to configure NAT, refer to my other article

Of course you don't have to clear the rules if you haven't configured NAT, because Nat doesn't have anything by default.

If you want to clear , command is

[[email protected] ~]# iptables-f-t NAT

[[email protected] ~]# Iptables-x-t NAT

[[email protected] ~]# Iptables-z-t NAT

2, Add Rule

Add a basic NAT Address Translation , ( See my other article on how to configure NAT ),

Add Rule , We only add DROP chain . because the default chain is all ACCEPT.

Prevent extranet Use intranet IP Deception

[Email protected] sysconfig]# iptables-t nat-aprerouting-i eth0-s 10.0.0.0/8-j DROP
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 172.16.0.0/12-jdrop
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 192.168.0.0/16-jdrop
if we want to , like stopping MSN,QQ,BT wait. , need to find the port they are using or IP, ( personally think not too much necessary )

Cases:

Prohibit and 211.101.46.253 of all Connections

[Email protected] ~]# iptables-t nat-a prerouting-d 211.101.46.253-j DROP

Disabled FTP (+) Port

[[email protected] ~]# iptables-t nat-a prerouting-p tcp--dport 21-j DROP

It's too big to write. , we can define it more precisely. .

[[email protected] ~]# iptables-t nat-a prerouting-p tcp--dport 21-d211.101.46.253-j DROP

this disables only 211.101.46.253 Address of FTP Connection , Other connections can also . as Web ( Port ) Connection .

According to what I wrote. , you just have to find qq,msn and other software. IP Address , and Port , and based on what protocol , just write it down, okay? .

At last:

Drop Illegal Connection
[[Email protected] ~] #iptables-A input-m State--state invalid-j DROP
[Email protected] ~]# iptables-a output-m State--state Invalid-jdrop
[Email protected] ~]# iptables-a forward-m State--state invalid-j DROP
Allow all established and related connections
[[Email protected] ~] #iptables-A input-m State--state established,related-j ACCEPT
[Email protected] ~]# iptables-a output-m State--state established,related-j ACCEPT

[Email protected] ~]#/etc/rc.d/init.d/iptables Save

so that you can write to /etc/sysconfig/iptables It's in the file. . Remember to re-start the firewall after writing . , to work.

[[Email protected] ~] #service iptables restart


Do not forget to save, do not write a save once. You can save, experiment and see if it meets your requirements.

I've tried all the rules above, no problem.

It took me nearly 1 months to write this article. Look for information, do your own experiments, I hope to help you. If there is incomplete and imperfect place also please raise .

because this article is configured as the primary . about the IPTABLES the basic knowledge and instructions, etc. i will send it as soon as possible. , of course, you can search the Internet. , still a lot of .

Linux system iptables configuration commands

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.