Linuxiptables firewall settings FAQ

Title List Project: (generally, the firewall configuration problem on the local machine) 1. how do I query my current iptables configuration settings? 2. how do I disable the firewall configuration of LinuxDistro and disable clearing rules? 3. about RedHat9, Fedora and RHEL firewall configuration 4. how to manually clear and reset

Title List Project: (generally, the firewall configuration problem on the local machine)

1. how to query my currentIptables?
2. how do I disable the firewall configuration of Linux Distro and disable clearing rules?
3. about firewall configuration of RedHat 9, Fedora and RHEL
4. how do I manually clear and reset iptables firewall rule?
5. what is the flowchart of iptables firewall packet comparison and judgment?
6. What are the rules for iptables firewall packet comparison?
7. what is the master caused by-p input drop? C itself? Why B? No problem?
8. is the use of-p input drop limiting access to services on the local machine?
9. The network access caused by the use of-p input drop is normal, but the ftp connection fails?
10. what is the network failure caused by the use of-p output drop?
11. Is it recommended that the firewall service of the local machine be only open to external projects, and other prohibited configuration methods?

Title List Project: (NAT service configuration issues)

1. what is the configuration syntax of a single purified NAT service?
2. what is the ftp connection access error for an internal ip host that accesses the Internet through NAT?
3. how can I configure a connection to an external Port on the NAT host to be transferred to an internal host?
4. what is the difference between using-j MASQUERADE and-j SNAT for NAT?

========================================================== =

Firewall configuration problems on the local machine

=====

1. how can I query my current iptables configuration settings?

Iptables provides the iptables-save program file. after running the file, you can view the current configuration.

Iptables-save

If you use iptables, you can use the-L option to list the rules. However, because iptables filtering can be performed on different tables, input-t can be used to view the specified table. if it is not specified, the filter table Project is used by default. General usage:

Iptables-L

Iptables-t nat-L

However, iptables will reverse query and parse the host name when there is an ip address item in the rule. This also often results in time-consuming re-query, which leads to the failure to operate when listing the rule, therefore, the input-n option is usually used together to indicate that the host name result after reverse lookup is not displayed.

Iptables-L-n

Iptables-t nat-L-n

Of course, for more detailed information, you can use the-v option.
Iptables-L-n-v

Iptables-t nat-L-n-v

=====

2. how do I disable the firewall configuration of Linux Distro and disable clearing rules?

Each release version provides its own firewall script to automatically bring in the setting rules at startup, so there is no unified approach.

--

In RHEL and Fedora Linux, the boot script itself is/etc/init. d/iptables. Therefore, you can manually disable the script:

/Etc/init. d/iptables stop

You can use chkconfig to disable this service item if it is enabled each time.

Chkconfig iptables off

--
If SLES is used, modify the/etc/sysconfig/network/config configuration, which can be found in:

# With this variableyou can determine if the SuSEfirewall when enabled

# Shocould get startedwhen network interfaces are starte

FIREWALL = "yes | no"
This allows you to set whether to enable the firewall configuration each time you start the network.

=====

3. about firewall configuration of RedHat 9, Fedora and RHEL

The system itself provides the firewall configuration mode. in the text mode, you can run the setup program. after the Firewall project enters, you can choose to add relevant rules. Finally, the allowed configurations are stored in the/etc/sysconfig/iptables file.

When/etc/init. d/iptables start or service iptables start is used, firewall is enabled based on the configuration set in/etc/sysconfig/iptables.

In the format of/etc/sysconfig/iptables, you can use the iptables-restore Program to enable it after reading standard input. Simply put, the service is actually enabled:

Iptables-restore </etc/sysconfig/iptables

Run/etc/init. d/iptables save can store the rules that are currently being executed by the system to the/etc/sysconfig/iptables file. the underlying layer is actually called the iptables-save program to achieve this result. Simply put:

Iptables-save>/etc/sysconfig/iptables

Only the rules contained in/etc/sysconfig/iptables for firewall rule are described, and no iptables-related kernel module is included in the loading configuration, to load additional modules, modify/etc/sysconfig/iptables-config.

/Etc/sysconfig/iptables-config itself or read and use the script file/etc/ini. d/iptables. Based on this content, the variables can be defined to specify the necessary module project to be loaded:

# Load additionaliptables modules (nat helpers)

# Default:-none-

# Space separatedlist of nat helpers (e.g. 'IP _ nat_ftp ip_nat_irc '),

# Which are loadedafter the firewall rules are applied. Options

# The helpers arestored in/etc/modprobe. conf.

IPTABLES_MODULES = ""
=====

4. how do I manually clear and reset iptables firewall rule?

If all rule settings are cleared manually, the following methods can be used:

Iptables-F # if-t is not added to the specified table,-t filter is used by default.

Iptables-X

Iptables-F-tnat

Iptables-X-tnat

Iptables-F-tmangle

Iptables-X-tmangle

-F indicates clearing the rule list settings for all chain projects in the specified table. -X indicates that the user-defined chain project is deleted.

In addition to cleanup, we recommend that you set the pre-configured policy for filtering to ACCEPT, that is, the transmission of any packets is not blocked.

Iptables-p inputaccept # The-t specified table is not added. The-t filter is used by default.

Iptables-P OUTPUTACCEPT

Iptables-P FORWARDACCEPT

Iptables-t nat-POUTPUT ACCEPT

Iptables-t nat-PPREROUTING ACCEPT

Iptables-t nat-PPOSTROUTING ACCEPT

Iptables-t mangle-PPREROUTING ACCEPT

Iptables-t mangle-PPOSTROUTING ACCEPT

Iptables-t mangle-PINPUT ACCEPT

Iptables-t mangle-POUTPUT ACCEPT

Iptables-t mangle-PFORWARD ACCEPT

At the same time, this technique should also be used when you create iptables firewall rule manually in the future, that is, to clear the previous rules first, including changing all preset policies to ACCEPT, in this way, the configuration of firewall rules will not be messy.

=====

5. what is the flowchart of iptables firewall packet comparison and judgment?

For details, refer to this table:

Http://ebtables.sourceforge.net/br_fw_ia/bridge3b.png

=====

6. What are the rules for iptables firewall packet comparison?

This should be divided into several points to explain:

1) the general saying is that first match, that is, the rule will not go down after it complies with the rule description.

For example:

Iptables-P INPUT ACCEPT

Iptables-a input-s 192.168.1.1-j ACCEPT

Iptables-a input-s 192.168.1.0/24-j DROP

In 192.168.1.0/24, only 192.168.1.1 is allowed for access, and other ip addresses of 192.168.1.0/24 are not allowed for access.

Common incorrect ideas are as follows:

Iptables-P INPUT ACCEPT

Iptables-a input-j ACCEPT

Iptables-a input-s 192.168.1.0/24-j DROP

Why is access allowed in 1921.68.1.0/24 disabled? This means that the matching results will not proceed.

However, it must be noted that the-j LOG and-j MARK rules will continue to be compared, which is different from the-j ACCEPT and-jDROP rules.

2) when none of the matching rules are met, the final result depends on the preset policy settings.

Iptables-P INPUT ACCEPT

Iptables-a input-s 192.168.1.0/24-j DROP

......

For the above rules, it indicates that all the preset packets are allowed to be connected to access. only 192.168.1.0/24 is forbidden. that is to say, after the comparison process rules are completed, there is no matching description. Finally, access is allowed.

Iptables-P INPUT DROP

Iptables-a input-s 192.168.1.0/24-j ACCEPT

......

In terms of the above rules, it indicates that the default packets are not allowed to be connected to access. only 192.168.1.0/24 is allowed. that is to say, after the comparison process rules are completed, there is no matching description, and finally the prohibition is allowed.

To adjust the preset policy to DROP, you need to pay attention to a lot of procedures. the following sections will discuss the precautions for this section. In general, it is recommended that you do not rashly configure and use the default access unless you clearly set the default access to the result of DROP. Because? @? Customized glaze ?,? But yes? Only? Can I put 192.168.1.0/24? Access,? S ?? Zookeeper @ server? Cover? C can only ?? To 192.168.1.0/24? Segment master? C. Other purposes are forbidden.

=====

7. what is the master caused by-p input drop? C itself? Why B? No problem?

For more stringent firewall access restrictions, this configuration is generally used by beginners:

Iptables-P INPUT DROP

Iptables-a input-p tcp -- dport 22-j ACCEPT

That is, the host only wants to open the ssh service to provide external access.

At first glance, it seems to be very correct, but can it be used outside after it is set? To? Port 22 server? Blinking ??? S? Е aluminum ship ?? ? ???, That is "? Master? C if you want to master ?? ν ?? 7. B ?? S is forbidden ". For example? Servers? Cover? C? How can I log in? End master? C, too? O method? G? See other Masters? Http server of C port 80? Zhan Xu

Cause ???? Why? TCP/IP itself is bidirectional, that is, inbound and outbound. This rule is not taken into account.

When the host needs to establish external connections, the other party must also respond to packets sent to the original host, so the response packets must be allowed. However, this problem is not taken into account in this configuration. as a result, the response packet is discarded, so the connection fails to be established.

So? Fixed-p input drop? R. Generally, the correct method should be to add the allow master? C itself? Why B ?? R? Are you sure you want to transfer them? Too many? Book fading

Iptables-P INPUT DROP

Iptables-a input-m state -- state ESTABLISHED-j ACCEPT

Iptables-a input-p tcp -- dport 22-j ACCEPT

-M state -- state ESTABLISHED plays a very important role, that is, the packets that the host of the other party responds to after the connection is allowed.

=====

8. is the use of-p input drop limiting access to services on the local machine?

Iptables-P INPUT DROP

Iptables-a input-m state -- state ESTABLISHED-j ACCEPT

Iptables-a input-p tcp -- dport 22-j ACCEPT

However, the above rules should generally consider that the host itself only provides the ssh service that can be linked to access port 22, but if the host has services such as port80 and port 25, this configuration also limits access to your host services.

Based on this problem, it is generally recommended that the loopback interface be blocked because it is not restricted by the firewall configuration. it is generally recommended to change it:

Iptables-P INPUT DROP

Iptables-a input-I lo-j ACCEPT

Iptables-a input-m state -- state ESTABLISHED-j ACCEPT

Iptables-a input-p tcp -- dport 22-j ACCEPT

=====

9. The network access caused by the use of-p input drop is normal, but the ftp connection fails?

According to the method described above, only the ftp port 21 service is enabled. if other services are disabled, it is generally configured to use:

Iptables-P INPUT DROP

Iptables-a input-m state -- state ESTABLISHED-j ACCEPT

Iptables-a input-p tcp -- dport 21-j ACCEPT

In this configuration, it is confirmed that the ftp client can be connected to the ftp host and the welcome login screen is displayed. However, an error will occur when viewing the file directory list and file capturing in the future...

The ftp protocol itself can also distinguish between the active mode and passive mode in the data channnel mode. in the passive mode, finally, the protocol allows the ftp client to connect to the ftp server itself, which is specified to transfer data to a port greater than 1024 port.
In this way, the configuration may work normally during ftp transmission, but the passive mode is incorrect, the reason is that the firewall rule configuration of the host does not allow the ftp client to be connected to the port specified by the ftp server.

To solve this problem, in iptables, a helper with the name ip_conntrack_ftp can intercept the communication between the ftp protocol commands with the connection port 21 and the external destination port 21, you can configure firwewall rules for iptables. Open practices:

Modprobe ip_conntrack_ftp

Iptables-P INPUT DROP

Iptables-a input-m state -- state ESTABLISHED, RELATED-jACCEPT

Iptables-a input-I lo-j ACCEPT

Iptables-a input-p tcp -- dport 21-j ACCEPT

Among them, the-m state part has another RELATED project, which is the packet in the active state, however, it is because the connection architecture like existing ftp will lead to additional active projects.

However, if the ftp service on the host is not port 21, make the following adjustments:

Modprobe ip_conntrack_ftp ports = 21,30000

Iptables-P INPUT DROP

Iptables-a input-m state -- state ESTABLISHED, RELATED-jACCEPT

Iptables-a input-I lo-j ACCEPT

Iptables-a input-p tcp -- dport 21-j ACCEPT

Iptables-a input-p tcp -- dport 30000-j ACCEPT

That is, the ftp service provided by the host is on port 21 and port 30000 respectively, so that the ftp helper ip_conntrack_ftp can normally provide the ftp client with passive mode access without any problems.

=====

10. what is the network failure caused by the use of-p output drop?

Let's take a look at the configuration snippet description:

Iptables-P INPUT ACCEPT

Iptables-P OUTPUT DROP

In this configuration, it seems that the host is completely open to the outside world and there is no restriction on inbound connections. However, the host itself is limited to external connections, but the result is that it cannot be connected regardless of the outside.

This problem is the same as the configuration problem with-p input drop mentioned above. This also does not take into account the TCP/IP itself as a two-way communication problem.

Consider the items that the host will respond to after the packet is connected. it also needs to be included with the-m state to provide the items that allow the response to the packet. the whole part is described as follows:

Iptables-P OUTPUT DROP

Iptables-a output-m state -- state ESTABLISHED, RELATED-jACCEPT

Iptables-a output-o lo-j ACCEPT

In this way, the result is that the host itself can connect to its own host services, but access to external links will be disabled.

But do you need to configure-p output drop? To be honest, I feel that this is usually the case, because the actual application does not limit the external connection function of my host.

However, if you insist on setting-p output drop, you should consider that the subsequent open description of active external connections may be more... for example:

Iptables-P OUTPUT DROP

Iptables-a output-m state -- state ESTABLISHED, RELATED-jACCEPT

Iptables-a output-o lo-j ACCEPT

Iptables-a output-p tcp -- dport 25-j ACCEPT

Iptables-a output-p udp -- dport 53-j ACCEPT

Iptables-a output-p tcp -- dport 80-j ACCEPT

Is it a bit difficult to find yourself?

Therefore, the conclusion is that, unless you do not want your host to have active connections, you should set the preset policy of the OUTPUT chain to DROP. otherwise, do not use this configuration.

=====

11. Is it recommended that the firewall service of the local machine be only open to external projects, and other prohibited configuration methods?

Based on the process mentioned above, if the preset INPUT access is disabled, the following configuration references are provided:

Modprobe ip_conntrack_ftp

Iptables-P INPUT DROP