Linux iptables firewall configuration

Source: Internet
Author: User
Tags: ftp connection
Linux's built-in firewall is implemented by the netfilter module in the kernel, which filters incoming and outgoing packets. netfilter is organized into rule tables (this article covers the three classic ones, filter, nat and mangle; newer kernels add raw and security), each consisting of several built-in chains. The iptables command is used to operate on these tables and chains: adding, deleting and listing rules.
netfilter rule tables: filter, nat, mangle
filter is used to filter network packets, i.e. to decide whether a packet is accepted or dropped. It is the default table: if -t is not given when a rule is created, the rule is stored in filter.
INPUT: packets addressed to the server itself
OUTPUT: packets originating from the server
FORWARD: packets routed through the server
nat is the NAT (Network Address Translation) table, used to rewrite source or destination IP addresses (and ports).
PREROUTING: packets can be modified as soon as they arrive at the server (destination NAT)
OUTPUT: locally generated packets, before routing
POSTROUTING: packets can be modified just before they leave the server (source NAT)
mangle is used to modify packet headers, for example TOS (Type Of Service) and TTL (Time To Live).
INPUT: packets addressed to the server
OUTPUT: packets originating from the server
FORWARD: packets passing through the server
PREROUTING: packets as they arrive at the server
POSTROUTING: packets just before they leave the server



iptables configuration
When a packet enters the server, the kernel walks the corresponding chain in order until a rule matches the packet. If the target of that rule is ACCEPT, the remaining rules are skipped and the packet is passed on. If the target is DROP, the packet is discarded and the kernel does not consult any further rules.
Note: if no rule in the chain matches the packet and there is no "drop all" rule at the end, the packet is accepted, because the built-in chains default to a policy of ACCEPT (step 4 below changes that). Cisco ACLs behave the opposite way: they end with an implicit deny all.
1. View the current iptables rules on this machine: iptables -L -n
2. Clear the existing rules (use with caution):
# iptables -F   flush the rules of every chain in the default table (filter)
# iptables -X   delete the user-defined chains in the default table (filter)
3. Note: like IP addresses set with commands, these rules are lost on reboot. To save them:
# /etc/rc.d/init.d/iptables save
This writes the rules to /etc/sysconfig/iptables (RHEL/CentOS; on other distributions use iptables-save and iptables-restore). If you edit that file by hand, restart the firewall afterwards for the changes to take effect:
# service iptables restart
4. Set the default policies. If you are connected over SSH, take care not to lock yourself out: add the ACCEPT rule for port 22 (step 5) before setting the INPUT policy to DROP, or put both on the same command line. Note the upper-case -P, which sets the chain policy; lower-case -p is the protocol match.
[root@only ~]# iptables -P INPUT DROP
[root@only ~]# iptables -P OUTPUT ACCEPT
[root@only ~]# iptables -P FORWARD DROP
This means: when a packet reaches the end of the INPUT or FORWARD chain of the filter table without matching any rule, it is DROPped (discarded). That is the safe setting; inbound packets are what we want to control.
For the OUTPUT chain, i.e. outgoing packets, there is no need for tight restrictions, so the policy is ACCEPT: a packet that matches no rule is allowed out.
So for INPUT and FORWARD we write rules for what is allowed through, and for OUTPUT we would write rules for what is not allowed.
This setup is reasonable. You can also set all three chains to DROP, but I do not think it is necessary, and it increases the number of rules you have to write. If only a small, fixed set of rules is needed, for example on a dedicated web server, setting all three to DROP is recommended.
5. Add rules.
Start with the INPUT chain. Its policy is DROP, so we write ACCEPT rules for the traffic we want to let through.
For example, to open port 22 (SSH):
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Note: if OUTPUT is set to DROP, you must also write the rule below for the return traffic. Many people forget it and lose SSH access:
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
6. Examples:
For a web server, open port 80:
[root@only ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
For a mail server, open ports 25 and 110:
[root@only ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@only ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
For an FTP server, open port 21 (and 20 for active-mode data connections):
[root@only ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@only ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
Passive-mode FTP uses a dynamic data port that these two rules do not cover; it needs the FTP connection-tracking helper (ip_conntrack_ftp, nf_conntrack_ftp on newer kernels) loaded together with a --state RELATED accept rule.
For a DNS server, open port 53. DNS queries are mostly UDP, so add the same rule with -p udp as well:
[root@only ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
For any other service, open its port in the same way.
The above covers the INPUT chain; everything not explicitly accepted there is DROPped by the policy.
Allow ICMP packets, i.e. allow ping:
[root@only ~]# iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is set to DROP)
[root@only ~]# iptables -A INPUT -p icmp -j ACCEPT (if INPUT is set to DROP)
Allow loopback! (Otherwise services that talk to the host over 127.0.0.1, such as a local DNS resolver, stop working.)
iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)
7. Restricting which IP addresses may access a port
For example, to allow SSH connections only from 192.168.0.125:
[root@only ~]# iptables -A INPUT -s 192.168.0.125 -p tcp --dport 22 -j ACCEPT
To allow or restrict a whole range, use CIDR notation: 192.168.0.0/24 covers 192.168.0.0-192.168.0.255, where 24 is the length of the subnet mask in bits. Remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
because it allows logins from every address, and since it comes earlier in the chain it matches before the restricted rule (first match wins).
To negate a match, write ! 192.168.0.3, i.e. -s ! 192.168.0.3 (newer iptables versions want ! -s 192.168.0.3), meaning every IP address except 192.168.0.3.
8. FORWARD chain
The FORWARD policy is DROP, so we write ACCEPT rules for the traffic the host is allowed to forward.
Enable forwarding (needed when doing NAT with a DROP policy on FORWARD). Here eth0 is the external interface and eth1 the internal one:
[root@only ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@only ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
The kernel must also have IP forwarding turned on (net.ipv4.ip_forward = 1), or the FORWARD chain never sees a packet.
Drop bad TCP packets (a new connection whose first packet is not a SYN):
[root@only ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the rate of IP fragments to mitigate fragment floods; at most 100 fragments per second are let through:
[root@only ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Rate-limit ICMP to 1 packet per second, with a burst of 10:
[root@only ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
ICMP was allowed without a limit in INPUT above because the limit is applied here in FORWARD.
Note that -A appends: the two ACCEPT rules added first already match all eth1 -> eth0 traffic, so the DROP and limit rules only apply to packets those rules do not accept. Put them first (or insert them with -I FORWARD 1) if they are meant to cover everything forwarded. Packets over a limit do not match the limit rule and fall through to the chain policy, DROP.
9. Configure the NAT table
1. View the local NAT settings
[root@only rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NAT is already configured on this machine (only the simplest shared Internet access; no firewall rules have been added). For how to configure NAT, see my other article.
If you have not configured NAT there is nothing to clear, because the nat table is empty by default.
If you do want to clear it, the commands are
[root@only ~]# iptables -F -t nat
[root@only ~]# iptables -X -t nat
[root@only ~]# iptables -Z -t nat
2. Add rules
Add the basic NAT address translation (see my other article on how to configure NAT).
Since the nat chains all default to ACCEPT, the only rules we add are DROPs.
Prevent spoofing of intranet (private) source addresses from the Internet:
[root@only sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@only sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@only sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
Caveat: the nat table is consulted only for the packet that creates a new connection, not for the rest of the connection, so it is the wrong place for filtering. The same DROP rules belong in the filter table (INPUT for traffic to the host, FORWARD for traffic through it), where every packet is checked; only the table and chain names change.
If you want to block MSN, QQ, BitTorrent and the like, you need to find the ports or IP addresses they use (I do not think this is necessary).
Example:
Block all connections to 211.101.46.253
[root@only ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Block the FTP port (21)
[root@only ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
Written like this the rule is far too broad, so we make it more precise:
[root@only ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
Now only FTP connections to 211.101.46.253 are blocked; other connections to that host, such as web (port 80), still work.
Following the same pattern, for QQ, MSN and other software you only need to find the IP addresses, ports and protocols they use.
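The NAT section above, rebuilt as an added example (this is not code from the article): a complete NAT gateway ruleset in the format iptables-restore reads. The SNAT stays in the nat table as on the page, while the RFC 1918 anti-spoofing drops and the per-destination FTP block are moved to the filter table, where every packet of a connection is inspected rather than only the first. The interface names eth0/eth1 and the addresses 192.168.0.0/24, 211.101.46.235 and 211.101.46.253 are the page's own; WAN_IF, LAN_IF, LAN_NET and PUBLIC_IP are assumed parameter names, and no_filtering_in_nat is an added consistency check, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the article): a NAT gateway ruleset in the format
# iptables-restore reads. Address translation lives in the nat table; the
# anti-spoofing and per-destination DROP rules the page puts in nat/PREROUTING
# are placed in filter/FORWARD and filter/INPUT instead, where every packet of
# a connection is inspected, not just the first.
# WAN_IF, LAN_IF, LAN_NET and PUBLIC_IP are assumed names; the values are the
# ones used in the article's examples.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PUBLIC_IP="${PUBLIC_IP:-211.101.46.235}"

# Packets arriving on the Internet-facing interface must never claim an
# RFC 1918 source. Emits one FORWARD and one INPUT rule per private block.
rfc1918_drops() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s -i %s -s %s -j DROP\n' '-A FORWARD' "$WAN_IF" "$net"
        printf '%s -i %s -s %s -j DROP\n' '-A INPUT' "$WAN_IF" "$net"
    done
}

build_nat_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of LAN traffic leaving through the WAN interface.
# Use -j MASQUERADE instead if the public address is assigned dynamically.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${PUBLIC_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
$(rfc1918_drops)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Specific blocks go before the general LAN -> Internet allow (first match wins).
-A FORWARD -i ${LAN_IF} -d 211.101.46.253 -p tcp --dport 21 -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the *nat section contains no DROP or REJECT rule, i.e. all
# filtering has been kept in the filter table.
no_filtering_in_nat() {
    printf '%s\n' "$1" | awk '
        /^\*/                                { table = substr($0, 2) }
        table == "nat" && /-j (DROP|REJECT)/ { bad = 1 }
        END { exit bad }'
}

# Apply (needs root). Without ip_forward=1 the FORWARD chain never sees a packet.
apply_nat_gateway_rules() {
    rules="$(build_nat_gateway_rules)"
    no_filtering_in_nat "$rules" || { echo "filtering rules found in nat table" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 &&
        printf '%s\n' "$rules" | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_nat_gateway_rules
else
    build_nat_gateway_rules     # review the generated ruleset first
fi
```

Run the script without arguments to inspect the generated ruleset; run it with `apply` as root to enable forwarding and load it. Because the whole file is loaded by iptables-restore in one step, a mistake fails the load as a whole instead of leaving a half-applied ruleset.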
Finally:
Drop invalid packets (packets that connection tracking cannot associate with any connection)
[root@only ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@only ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@only ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections
[root@only ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Because -A appends, these rules land after the per-port ACCEPT rules. That works, but it is better to put the INVALID drop and the ESTABLISHED,RELATED accept at the top of each chain (insert them with -I, or add them first): replies are then handled by one rule, the per-port rules only have to match new connections, and a rule accidentally written too broadly is easier to spot.
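Putting steps 4 to 7 and the closing state rules together, as an added example that is not part of the article: a script that emits the whole host ruleset in the format iptables-save writes and iptables-restore reads, checks the rule ordering discussed above, and loads it atomically instead of one command at a time over SSH. The admin network 192.168.0.0/24 (ADMIN_NET) is an assumed value, and state_rule_first is an added check, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the article): the rules from steps 4 to 7 plus the
# closing state rules, assembled into one ruleset in the format iptables-save
# writes and iptables-restore reads. Loading the file atomically removes the
# lockout window of typing the rules one at a time over SSH.
# ADMIN_NET is an assumed value; the article restricts SSH to 192.168.0.125.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local resolvers, databases and monitoring depend on it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# State rules before any per-port rule: one ESTABLISHED match handles every
# reply packet, so the per-port rules only ever see new connections.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# A new TCP connection must begin with a SYN.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH only from the admin network. An unrestricted --dport 22 rule anywhere in
# this chain would make the restriction meaningless (first match wins).
-A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Ping is allowed but rate-limited; echo replies are already ESTABLISHED.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the ESTABLISHED,RELATED rule precedes every --dport rule in
# INPUT. A ruleset that violates this still loads, but every reply packet is
# tested against every port rule, and this is how a restrictive rule ends up
# shadowed by a permissive one added earlier.
state_rule_first() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT .*--state ESTABLISHED/ { state = NR }
        /^-A INPUT .*--dport/ && !port    { port = NR }
        END { exit !(state && port && state < port) }'
}

# Apply atomically (needs root): iptables-restore loads the whole file or
# nothing, so a typo cannot leave a half-built ruleset behind. The save path
# is the one the article uses on RHEL/CentOS.
apply_filter_rules() {
    rules="$(build_filter_rules)"
    state_rule_first "$rules" || { echo "state rules misordered" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore &&
        iptables-save > /etc/sysconfig/iptables
}

if [ "${1:-}" = "apply" ]; then
    apply_filter_rules
else
    build_filter_rules      # review the generated ruleset first
fi
```

Run the script without arguments to review the ruleset it would load; run it with `apply` as root to load and persist it. Keeping the ruleset in a generated file also means the "delete the unrestricted port 22 line from /etc/sysconfig/iptables" step from section 7 cannot be forgotten, because the file is rebuilt from the script every time.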