Home > Others

) Iptables Firewall

Source: Internet
Author: User
Tags ftp commands ftp protocol
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

From: http://blog.csdn.net/jixiuffff/article/details/5879547

[C-sharp] View plaincopy
  2. # Five checkpoints prerouting, forward postrouting Input Output
  4. # A data packet enters my machine from prerouting. It has two destinations. One is to access the applications on my machine through input.ProgramAfter output, postrouting
  6. # The other direction is to direct the forward postrouting to another machine. That is to say, my machine only acts as a route and data packets are routed to other machines through my machine.
  8. #
  10. # Prerouting ----------------> forward ---------------------> postrouting
  12. # | ^
  14. # |
  16. # Input Output
  18. # |
  20. # V |
  22. # ---> Application on my machine ---------->
  24. #
  26. # The structure of iptables is from top to bottom: Table, rule chain, and rule. A table is composed of Rule chains, and rule chains are composed of rules.
  28. # Iptables has three filters, Nat, and mangle by default. The-t parameter is used to specify which table to operate on. If this parameter is not specified, the filter table is operated by default.
  30. #
  32. # The filter has three built-in rule chains by default. The input forward Output
  34. # Nat ........... Postrouting, output prerouting
  36. # Mangle ...... two .......... output prerouting
  38. #
  40. # The general format of the iptables command iptables [-T table] operation [Chain] [Options]
  42. # An example of checking complete Parameters
  44. # Iptables-T filter-I input 2-I eth0-s 10.2.1.111 -- Sport 1234-D 10.2.1.123 -- dport 22-J accept
  46. # Iptables-T filter-I output 2-I eth0-D 10.2.1.123 -- dport 22-s 10.2.1.123 -- Sport 1234-J accept
  48. # This command inserts a rule at 2 in the input chain of the filter table (this rule is placed in the second position). The rule details are: connecting me from my eth0 Nic, the IP address of the host on the other side is 10.2.1.111 and the port on the other side is 1234. It is accepted only when the IP address is 10.2.1.123 and my port on port 22 is accessed.
  50. # Then, from my IP address 10.2.1.123: 22 to 10.2.1.111: 1234 through the eth0 Nic package release
  52. # Iptables-F: clears all rule chains of the filter.
  54. # Iptables-T nat-F clear all rule chains in the NAT table
  56. ######################################## ######################################## ###################
  58. # For input, output is relative to the "I" machine, that is, input: indicates that data is input to me, and output indicates "I" to output data.
  60. #-S-d -- Sport -- dport indicates the Source IP (source), destination IP (destination), Source IP port, and destination IP port respectively.
  62. # When processing input,-S refers to the opposite machine, and-D refers to my machine, because data flows from the other machine to me,
  64. # When processing the output,-S refers to me, and-D refers to the opposite machine.
  66. # Correct use of the firewall, which is usually set to deny all, and then only open to allow, rather than allow all, only refuse to reject
  68. # First start iptables service/etc/init. d/iptables start
  70. # After iptables is installed on the Gentoo system, the first time you run the kernel command, it prompts you to run/etc/init. d/iptables save first, as if you were doing some initialization or saving some files,
  72. /Etc/init. d/iptables save
  74. /Etc/init. d/iptables start
  76. # Check the default access rules after startup
  78. Iptables-l or iptables-l -- line-number: displays the row number and-V details.
  80. Chain input (Policy accept)
  82. Target prot opt source destination
  84. Chain forward (Policy accept)
  86. Target prot opt source destination
  88. Chain output (Policy accept)
  90. Target prot opt source destination
  92. # By default, the policy is accept, which means no firewall exists. Now, modify the Default policy.
  94. # Do not use a remote SSH connection for this operation, because it will also disable port 22 used by SSH,
  96. # Use SSH to connect. First open port 22 and then run the following three commands:
  98. # Sshd
  100. # Allow any machine to send requests to port 22
  102. #-T is not used here. The default value is-T filter.
  104. Iptables-A input-p tcp -- dport 22-J accept
  106. # Equivalent to iptables-T filter-A input-p tcp -- dport 22-J accept
  108. # Allow data output from port 22
  110. Iptables-A output-p tcp -- Sport 22-J accept
  112. # If only machines with certain IP addresses can access me, replace the above two
  114. Iptables-A input-p tcp -- dport 22-s 10.2.1.110-J accept
  116. Iptables-A output-p tcp -- Sport 22-D 10.2.1.110-J accept
  118. # Currently, only IP address 10.2.1.110 can access me.
  120. #
  122. Iptables-P input drop
  124. Iptables-P output drop
  126. Iptables-P forward drop
  128. # The Default policy can only be accept, drop, or reject.
  130. Chain input (Policy drop)
  132. Target prot opt source destination
  134. Chain forward (Policy drop)
  136. Target prot opt source destination
  138. Chain output (Policy drop)
  140. Target prot opt source destination
  142. # At present, no matter whether input, output, or forward are both packet loss (drop rejection) by default, rather than accept acceptance
  144. # At this time, I am extremely secure. I am not connected to the Internet. I am not allowed to access others. Others are not allowed to access me.
  146. # Now I want to access the Internet
  148. # If I want to access port 80 of the other party, there are actually two aspects. First, I have the permission to send a request to port 80 of the other party, second, you have the permission to obtain data from port 80 of the other party. Here, only port 80 of the other party is specified, but port 80 of the other party is not specified, this means that I can access the port 80 of the other party from any port, where the port is of the TCP type.
  150. # Allow me to send a request to the other party's port 80
  152. Iptables-A output-p tcp -- dport 80-J accept
  154. # Allow the other party's port 80 to return data to me
  156. Iptables-A input-p tcp -- Sport 80-J accept
  158. # Although we can access port 80 of the other party at this time, entering www.baidu.com in the browser does not display the webpage of the other party, but http: // 202.108.22.142/does. Because in this process, we need to perform DNS domain name resolution and have another permission, that is, to allow me to request to the UDP port 53 of the DNS server and to return data from it
  160. Iptables-A output-p udp -- dport 53-J accept
  162. Iptables-A input-p udp -- Sport 53-J accept
  164. # The IP address of the DNS server is not specified here. If you want to limit the IP address of the DNS server
  166. # Write like this
  168. Iptables-A output-p udp-D 211.64.208.1 -- dport 53-J accept
  170. Iptables-A input-p udp-s 211.64.208.1 -- Sport 53-J accept
  172. #
  174. # I need to open port 61440 of UPD for traffic billing using drcom on the campus network.
  176. # Drcom
  178. # Allow 211.64.208.160 to connect to the 61440 (dport) of my machine from its 61440 (sport) Port)
  180. #-S indicates the source, which machine sends data to me
  182. Iptables-A input-p udp -- Sport 61440 -- dport 61440-s 211.64.208.160-J accept
  184. # Allow my machine to send data from Port 61440 (sport) to port 61440 (dport) of 211.64.208.160
  186. #-D specify the target machine)
  188. Iptables-A output-p udp -- Sport 61440 -- dport 61440-D 211.64.208.160-J accept
  190. # So far, I have been visiting other people as a customer. What if I want to set up a server on my computer, such as setting up sshd and web servers?
  192. # Web server, open port 80
  194. Iptables-A input-p tcp -- dport 80-J accept
  196. Iptables-A output-p tcp -- Sport 80-J accept
  198.  
  200. # Open FTP service
  202. # Iptables-A input-M State-State established, related-J accept
  204. # Allow passive access maintained by connections.
  206. # The FTP protocol is a simple TCP protocol with poor confidentiality (plaintext). Its working principle is that the client first connects to port 21 on the server, A connection is established after three steps of handshake. It should be noted that this connection can only be used to transmit FTP commands. Nothing can be passed through this connection, even if you use the "ls" command to view files.
  208. # After a command connection is established, the server needs to establish a data connection. Data connections are divided into active and passive modes ). By default, FTP is in passive mode. The "pass" command is used between the active and passive modes. The active mode is connected to the client through Port 20, while the passive mode is connected to the client through the port after Port 1024. Because ports later than 1024 are randomly allocated, in passive mode, we do not know what ports the server uses to connect to the client. That is to say, we do not know what port iptables should open.
  210. #
  212. #
  214. #1 Add the following statement to the/etc/CONF. d/iptables configuration file (different distributions may have different file locations)
  216. # Iptables_modules = "ip_conntrack_ftp"
  218. #
  220. Iptables-A input-M state -- State established, related-J accept
  222. Iptables-A output-M state -- State established, related-J accept
  224. Iptables-A input-p tcp -- dport 21-J accept
  226. Iptables-A output-p tcp -- Sport 21-J accept
  228. # Use port 20 in Active Mode
  230. Iptables-A output-p tcp -- Sport 20-J accept
  232. Iptables-A input-p tcp -- dport 20-J accept
  234.  
  236. # All data packets of the LO device are allowed, that is, local data-I indicates input, and-O indicates output
  238. # Indicates all data from Lo's accept
  240. Iptables-T filter-I input l-I lo-J accept
  242. # Accept
  244. Iptables-T filter-I output 1-O lo-J accept
  246. #
  248. #
  250. #
  252. #
  262. Complete script:
  264. Sudo/etc/init. d/iptables save
  266. Sudo/etc/init. d/iptable restart
  268. # Clearing the rule chain in a table
  270. Iptables-F
  272. Iptables-x
  274. Iptables-T nat-F
  276. Iptables-T nat-x
  278. # Opening the sshd service
  280. Iptables-A input-p tcp -- dport 22-J accept
  282. Iptables-A output-p tcp -- Sport 22-J accept
  284. # Drop all packages by default
  286. Iptables-P input drop
  288. Iptables-P output drop
  290. Iptables-P forward drop
  292. # Allow local devices
  294. Iptables-T filter-I input 1-I lo-J accept
  296. Iptables-T filter-I output 1-O lo-J accept
  298. # DNS
  300. Iptables-A output-p udp -- dport 53-J accept
  302. Iptables-A input-p udp -- Sport 53-J accept
  304. # Surfing the internet
  306. Iptables-A output-p tcp -- dport 80-J accept
  308. Iptables-A input-p tcp -- Sport 80-J accept
  310. # Drcom
  312. Iptables-A input-p udp -- Sport 61440 -- dport 61440-s 211.64.208.160-J accept
  314. Iptables-A output-p udp -- Sport 61440 -- dport 61440-D 211.64.208.160-J accept
  316. # Ftp
  318. # Add iptables_modules = "ip_conntrack_ftp" to the configuration file"
  320. Iptables-I input 2-M state -- State established, related-J accept
  322. Iptables-I output 2-M state -- State established, related-J accept
  324. Iptables-A input-p tcp -- dport 21-J accept
  326. Iptables-A output-p tcp -- Sport 21-J accept
  328. Iptables-A output-p tcp -- Sport 20-J accept
  330. Iptables-A input-p tcp -- dport 20-J accept
  332. # Web Services
  334. Iptables-A input-p tcp -- dport 80-J accept
  336. Iptables-A output-p tcp -- Sport 80-J accept
  338. # DHCP: use DHCP to obtain the IP address,
  340. # DHCP
  342. Iptables-A input-p udp -- Sport 67 -- dport 68-J accept

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
firewall linux iptables server firewall iptables ubuntu firewall iptables centos firewall iptables iptables linux firewall iptables firewall example iptables linux firewall configuration

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More