20 Linux Firewall Application Skills

Source: Internet
Author: User

1. Display the firewall status

Run the following command as root:

    # iptables -L -n -v

Parameter description:
-L: list the rules.
-v: verbose output. Shows the interface name, rule options and TOS masks, together with packet and byte counters.
-n: print IP addresses and ports numerically, without DNS resolution.

To show rule line numbers in the output (needed when adding or deleting rules by number):

    # iptables -L -n -v --line-numbers

To display only the INPUT or OUTPUT chain:

    # iptables -L INPUT -n -v
    # iptables -L OUTPUT -n -v --line-numbers

2. Stop, start and restart the firewall

On RHEL/Fedora/CentOS:

    # service iptables stop
    # service iptables start
    # service iptables restart

The iptables command itself can also be used to stop the firewall by flushing every rule and resetting the default policies to ACCEPT:

    # iptables -F
    # iptables -X
    # iptables -t nat -F
    # iptables -t nat -X
    # iptables -t mangle -F
    # iptables -t mangle -X
    # iptables -P INPUT ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT

Parameter description:
-F: flush (delete) all rules.
-X: delete a chain.
-t table_name: select the table to operate on (nat or mangle; without -t the filter table is used).
-P: set the default policy of a built-in chain, such as DROP, REJECT or ACCEPT (note that the kernel only accepts ACCEPT and DROP as chain policies; REJECT is a rule target, so rejecting by default is done with a final -j REJECT rule).

3. Delete a firewall rule

First list the existing rules with their line numbers:

    # iptables -L INPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers | less
    # iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

Delete a rule by its line number, for example rule 4 of the INPUT chain:

    # iptables -D INPUT 4

Or delete it by repeating its specification, here the rule that drops the IP address 202.54.1.1:

    # iptables -D INPUT -s 202.54.1.1 -j DROP

Parameter description:
-D: delete one or more rules from the selected chain.

4. Insert a firewall rule
First list the INPUT chain with line numbers:

    # iptables -L INPUT -n --line-numbers

Sample output:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Insert a rule between rows 1 and 2:

    # iptables -I INPUT 2 -s 202.54.1.2 -j DROP

Listing the chain again shows the inserted rule in position 2:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    DROP       all  --  202.54.1.2           0.0.0.0/0
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

5. Save the firewall rules

On RHEL/Fedora/CentOS Linux:

    # service iptables save

On other distributions (such as Ubuntu) use iptables-save:

    # iptables-save > /root/my.active.firewall.rules
    # cat /root/my.active.firewall.rules

6. Reload the firewall rules

iptables-restore reloads a rule set written by iptables-save:

    # iptables-restore < /root/my.active.firewall.rules

This is also a quick way to deploy the same rule set on other hosts.

7. Set the default firewall policy

First, a policy that drops every packet by default:

    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP
    # iptables -L -v -n
    # Connections now fail, because the firewall drops all packets:
    # ping cyberciti.biz
    # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

Building on this, close only inbound connections while allowing outbound traffic and its replies:

    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT ACCEPT
    # Accept replies to connections this host opened; NEW is deliberately not accepted here
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -L -v -n
    # ping and wget work again:
    # ping cyberciti.biz
    # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

8. Drop private network addresses on the public interface
To prevent IP spoofing, drop packets that arrive on the public interface (eth1 here) with a private source address, since such addresses are never legitimately routed in from the Internet:

    # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

The following IPv4 ranges should all be blocked as source addresses on the public interface:
10.0.0.0/8 (class A private)
172.16.0.0/12 (class B private)
192.168.0.0/16 (class C private)
224.0.0.0/4 (class D multicast)
240.0.0.0/5 (class E reserved)
127.0.0.0/8 (loopback)

9. Block an IP address

To block a single address such as 1.2.3.4, or a whole network:

    # iptables -A INPUT -s 1.2.3.4 -j DROP
    # iptables -A INPUT -s 192.168.0.0/24 -j DROP

10. Block inbound port requests

To block all requests to TCP port 80, on any interface or only on eth1:

    # iptables -A INPUT -p tcp --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for a specific source address or network:

    # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

11. Block outbound IP addresses

To block outbound access to a host name, first resolve it:

    # host -t a cyberciti.biz

Sample output:

    cyberciti.biz has address 75.126.153.206

Then drop outbound packets to that address:

    # iptables -A OUTPUT -d 75.126.153.206 -j DROP

The same works with a subnet, optionally restricted to one outgoing interface:

    # iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
    # iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

To block facebook.com, first find its IP address:

    # host -t a www.facebook.com

Sample output:

    www.facebook.com has address 69.171.228.40

Look up the CIDR block that contains 69.171.228.40:

    # whois 69.171.228.40 | grep CIDR

Sample output:

    69.171.224.0/19

Now block outbound TCP to that block:

    # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
Domain names can also be given directly (iptables resolves the name once, when the rule is added, so only the addresses returned at that moment are covered):

    # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
    # iptables -A OUTPUT -p tcp -d facebook.com -j DROP

12. Log and drop packets

Log and then drop spoofed packets on the public interface:

    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

By default the entries are written to /var/log/messages:

    # tail -f /var/log/messages
    # grep --color 'IP_SPOOF' /var/log/messages

The -m limit match keeps the log file from growing without bound; here at most 5 entries per minute are written, with a burst of 7:

    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF: "
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

13. Block or allow by MAC address

Packets can be allowed or blocked in the INPUT chain based on their source MAC address:

    # iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

14. Block ICMP ping requests

    # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping can also be allowed only from a specific network or host:

    # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

The following accepts only a restricted set of ICMP types (assuming the default INPUT policy is DROP):

    # iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Answer ping requests:
    # iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

15. Open a range of ports

Allow new TCP connections to ports 7000 through 7010:

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
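As an added example (not part of the original article), the following POSIX shell script generates a complete rule set in the format that iptables-save writes and iptables-restore reads (items 5 and 6), combining the default-deny policy of item 7 with the anti-spoofing drops for all six ranges of item 8 and the rate-limited logging of item 12. The public interface eth1 and the LAN 192.168.1.0/24 are assumed values.

```shell
#!/bin/sh
# gen_ruleset PUBLIC_IF LAN_CIDR
# Prints on stdout a rule set in iptables-save format: default-deny INPUT and
# FORWARD, loopback and reply traffic allowed, and for every bogon range a
# rate-limited LOG rule followed by a DROP on the public interface.
gen_ruleset() {
    pub_if=$1
    lan=$2
    # Source ranges that must never arrive from the Internet (the six ranges of item 8).
    bogons="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8"

    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first, so the 127.0.0.0/8 drop below only affects the public interface.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (the stateful rule of item 7, without NEW).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for net in $bogons; do
        # Log at most 5 entries per minute (burst 7), then drop unconditionally.
        printf '%s\n' "-A INPUT -i $pub_if -s $net -m limit --limit 5/minute --limit-burst 7 -j LOG --log-prefix \"IP_SPOOF: \""
        printf '%s\n' "-A INPUT -i $pub_if -s $net -j DROP"
    done
    # New SSH sessions only from the LAN (item 19).
    printf '%s\n' "-A INPUT -s $lan -m state --state NEW -p tcp --dport 22 -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Usage: gen_ruleset eth1 192.168.1.0/24 > /root/my.active.firewall.rules
#        iptables-restore --test < /root/my.active.firewall.rules   # parse only, commit nothing
#        iptables-restore < /root/my.active.firewall.rules
if [ $# -ge 1 ]; then
    gen_ruleset "$1" "${2:-192.168.1.0/24}"
fi
```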
16. Allow a range of IP addresses

Allow the addresses 192.168.1.100 through 192.168.1.200 to reach port 80:

    # iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

A NAT example using a range of source addresses:

    # iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

17. Keep established connections across a firewall restart

Restarting the iptables service drops all established connections, because the iptables kernel modules (and with them the connection tracking state) are unloaded when IPTABLES_MODULES_UNLOAD is enabled. To avoid this, edit /etc/sysconfig/iptables-config and set:

    IPTABLES_MODULES_UNLOAD="no"

18. Log at the crit level

    # iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

19. Block or open common ports

Block or open common TCP and UDP ports (replace ACCEPT with DROP to block a port):

    # Open port 22 (SSH)
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    # Open TCP/UDP port 631 (print service)
    # iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
    # Open port 123 so LAN users can synchronise time with NTP
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
    # Open port 25 (SMTP)
    # iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
    # Open the DNS ports
    # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
    # Open the http/https ports
    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    # Open TCP port 110 (POP3)
    # iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
    # Open TCP port 143 (IMAP)
    # iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
    # Allow Samba access for LAN users
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
    # Allow proxy server access for LAN users
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
    # Allow MySQL access for LAN users (restricted to the LAN, as the comment says)
    # iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 3306 -j ACCEPT

20. Limit concurrent connections per client with connlimit

The connlimit module limits the number of concurrent connections a client IP address may hold.
The following allows each client at most three concurrent SSH connections:

    # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Limit HTTP to 20 concurrent connections per /24 client network:

    # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Parameter description:
--connlimit-above 3: match once the client already has more than three connections.
--connlimit-mask 24: group clients by their /24 network prefix when counting connections.

Make better use of iptables

Start with the manual page:

    $ man iptables

Built-in help is also available, including for a specific target or match:

    # iptables -h
    # iptables -j DROP -h

Test the firewall

Check which ports are listening:

    # netstat -tulpn

Check whether TCP port 80 is open:

    # netstat -tulpn | grep :80

If port 80 is not listening, make sure the Apache server is started:

    # service httpd start

Make sure the iptables firewall allows port 80:

    # iptables -L INPUT -v -n | grep 80

If it does not, add the rule and save it:

    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    # service iptables save

Use telnet to test whether port 80 accepts connections:

    $ telnet www.cyberciti.biz 80

Sample output:

    Trying 75.126.153.206...
    Connected to www.cyberciti.biz.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.

Finally, sniffers such as tcpdump and ngrep are also recommended for testing firewall settings.

The above are only basic firewall configuration policies. Building more complex policies requires a deeper understanding of TCP/IP and of the Linux kernel parameters set in /etc/sysctl.conf.
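Testing a firewall also means checking that its logging rules fire. As an added example (not from the original article), this POSIX shell function reads syslog lines and totals, per source address and inbound interface, the entries written by the "IP_SPOOF: " LOG rules of item 12; the log lines are constructed samples in the format the LOG target emits.

```shell
#!/bin/sh
# spoof_summary: summarise the kernel LOG entries produced by the "IP_SPOOF: " rules.
# Reads syslog lines on stdin and prints one line per offending source,
# "<hits> <source IP> <inbound interface>", busiest source first. Lines without
# the prefix (other kernel messages, sshd, ...) are ignored.
spoof_summary() {
    awk '
        /IP_SPOOF: / {
            src = ""; iface = ""
            # The LOG target writes space-separated KEY=VALUE fields.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^IN=/)  iface = substr($i, 4)
            }
            if (src != "") hits[src " " iface]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Constructed sample of /var/log/messages (not real traffic): four logged drops
# from two spoofed private sources plus one unrelated sshd line.
SAMPLE_LOG='Dec  5 10:01:02 gw kernel: IP_SPOOF: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:11:22:33:44:55:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  5 10:01:03 gw kernel: IP_SPOOF: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:11:22:33:44:55:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  5 10:01:04 gw kernel: IP_SPOOF: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:11:22:33:44:55:08:00 SRC=192.168.77.9 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Dec  5 10:01:05 gw sshd[2211]: Accepted publickey for admin from 192.168.1.50 port 51022 ssh2
Dec  5 10:01:06 gw kernel: IP_SPOOF: IN=eth1 OUT= MAC=00:0f:ea:91:04:08:00:11:22:33:44:55:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Runs the summary over the constructed sample; prints
#   3 10.1.2.3 eth1
#   1 192.168.77.9 eth1
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | spoof_summary
}

# Usage on a live system: spoof_summary < /var/log/messages
run_sample
```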
