20 Linux firewall [iptables] application tips

Source: Internet
Author: User
Tags: block ip address

1. Show the status of the firewall

Run the following command with root privileges:

    # iptables -L -n -v

Parameter description:

    • -L: Lists the rules.
    • -v: Displays detailed information. This option shows the interface names, rule options and TOS masks, as well as the packet and byte counters.
    • -n: Displays IP addresses and ports numerically, without DNS resolution.

If you want the output to include rule line numbers, run:

    # iptables -L -n -v --line-numbers

This lets you add and remove firewall rules by line number.

To display only the INPUT or OUTPUT chain rules, run:

    # iptables -L INPUT -n -v
    # iptables -L OUTPUT -n -v --line-numbers

2. Stop, start, and restart the firewall

On a RHEL/Fedora/CentOS system, run:

    # service iptables stop
    # service iptables start
    # service iptables restart

We can also use iptables commands directly to stop the firewall by removing all rules and resetting the default policies:

    # iptables -F
    # iptables -X
    # iptables -t nat -F
    # iptables -t nat -X
    # iptables -t mangle -F
    # iptables -t mangle -X
    # iptables -P INPUT ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -P FORWARD ACCEPT

Parameter description:

    • -F: Flush (delete) all rules
    • -X: Delete user-defined chains
    • -t table_name: Operate on the named table (such as nat or mangle)
    • -P: Set the default policy of a chain (DROP, REJECT or ACCEPT)

3. Remove firewall rules

To display the existing firewall rules with line numbers, run:

    # iptables -L INPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers
    # iptables -L OUTPUT -n --line-numbers | less
    # iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

Delete a rule by its line number:

    # iptables -D INPUT 4

Delete the rule that matches IP address 202.54.1.1:

    # iptables -D INPUT -s 202.54.1.1 -j DROP

Parameter description:

    • -D: Delete one or more rules from the selected chain

4. Inserting a firewall rule

Run the following command first:

    # iptables -L INPUT -n --line-numbers

Example output:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Insert a rule between rules 1 and 2:

    # iptables -I INPUT 2 -s 202.54.1.2 -j DROP

Listing the rules again shows that the insert succeeded:

    Chain INPUT (policy DROP)
    num  target     prot opt source               destination
    1    DROP       all  --  202.54.1.1           0.0.0.0/0
    2    DROP       all  --  202.54.1.2           0.0.0.0/0
    3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
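
As an added example (not part of the original article), the following shell functions automate the lookup that sections 1, 3 and 4 do by eye: they find a rule's number by its source address in the output of iptables -L INPUT -n --line-numbers, and build the corresponding iptables -D INPUT N command for review instead of running it. The listing is constructed to match the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): locate a rule by its source
# address in the output of `iptables -L INPUT -n --line-numbers` (without -v,
# whose extra counter columns would shift the fields), so the rule can be
# deleted or a neighbour inserted by number.

# Constructed sample listing, shaped like the output shown in section 4.
# Real use feeds the live listing instead:
#   iptables -L INPUT -n --line-numbers | rule_number_for_source 202.54.1.2
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# Print the number of every rule whose source column equals the given
# address. Header lines are skipped because their first field is not
# numeric; an exact match on the source column keeps a search for
# 202.54.1.1 from also hitting 202.54.1.10.
rule_number_for_source() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $5 == want { print $1 }'
}

# Build the delete command for a source address (first matching rule only)
# without executing it, so it can be checked before use. Arguments: the
# address and the listing text. Returns non-zero when nothing matches.
delete_command_for_source() {
    num=$(printf '%s\n' "$2" | rule_number_for_source "$1" | head -n 1)
    [ -n "$num" ] || return 1
    printf 'iptables -D INPUT %s\n' "$num"
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | rule_number_for_source 202.54.1.2
delete_command_for_source 202.54.1.2 "$SAMPLE_LISTING"
```

Because rule numbers shift after every insert or delete, re-run the listing before each delete rather than reusing a number obtained earlier.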

5. Save firewall rules

Under RHEL/Fedora/CentOS Linux, save the firewall rules with:

    # service iptables save

On other Linux distributions (such as Ubuntu), use the iptables-save command:

    # iptables-save > /root/my.active.firewall.rules
    # cat /root/my.active.firewall.rules

6. Reload firewall rules

Use the iptables-restore command to reload the rules saved with iptables-save:

    # iptables-restore < /root/my.active.firewall.rules

The same mechanism can be used to deploy a firewall ruleset quickly.

7. Set the default firewall policy

First, configure a firewall policy that drops all network packets by default:

    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP
    # iptables -L -v -n
    # Connections now fail, because the firewall drops every packet:
    # ping cyberciti.biz
    # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

On this basis, block only inbound connections:

    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT ACCEPT
    # iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -L -v -n
    # ping and wget now work again:
    # ping cyberciti.biz
    # wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

8. Disable private network addresses on the public network interface

Private IPv4 ranges should never arrive as source addresses on the public network interface, and dropping them there prevents a form of IP spoofing. With the following commands, packets entering eth1 from a private source address are discarded:

    # iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

The following IPv4 ranges should not appear as source addresses on a public interface; verify that each of them is blocked there:

    • 10.0.0.0/8 (class A private)
    • 172.16.0.0/12 (class B private)
    • 192.168.0.0/16 (class C private)
    • 224.0.0.0/4 (class D multicast)
    • 240.0.0.0/5 (class E)
    • 127.0.0.0/8 (loopback)
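
As an added example (not from the original article), here is the default-drop policy of section 7 together with the anti-spoofing rules of section 8 assembled as one iptables-restore file, the form that the save and reload commands of sections 5 and 6 work with. Unlike the NEW,ESTABLISHED rule shown in section 7, it accepts inbound NEW connections only on the TCP ports passed as arguments, and everything else falls through to the DROP policy. The interface name eth1, the function names and the port list are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): build the deny-by-default
# ruleset of sections 7 and 8 as a single iptables-restore file, so it can be
# reviewed before loading and then saved/reloaded with the commands from
# sections 5 and 6. Assumptions (mine, not the article's): eth1 is the public
# interface and only the TCP ports given as arguments need to accept new
# inbound connections.

PUBLIC_IF=${PUBLIC_IF:-eth1}

# Source ranges that must never arrive on a public interface (section 8 list).
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8"

# Print the filter table in iptables-restore format. Inbound traffic is
# accepted only on loopback, for replies to connections this host opened
# (ESTABLISHED,RELATED) and for NEW connections to the listed TCP ports;
# the chain policy drops everything else. Spoofed sources are logged
# (rate limited so a flood cannot fill the log) and dropped.
emit_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for net in $BOGONS; do
        printf '%s\n' "-A INPUT -i $PUBLIC_IF -s $net -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix \"IP_SPOOF: \""
        printf '%s\n' "-A INPUT -i $PUBLIC_IF -s $net -j DROP"
    done
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Count the rules jumping to a given target in a ruleset read from stdin:
# a quick sanity check before loading (for example, one DROP per bogon range).
count_target() {
    awk -v t="$1" '$1 == "-A" { for (i = 2; i < NF; i++) if ($i == "-j" && $(i + 1) == t) n++ } END { print n + 0 }'
}

# Demonstration: SSH and HTTP open, every other inbound connection dropped.
emit_ruleset 22 80
```

Redirect the output to a file, review it, and load it with iptables-restore from a console session rather than over SSH, since a mistake in the INPUT chain cuts off remote access; once it behaves as intended, persist it with service iptables save or iptables-save as in section 5.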

9. Block an IP address

To block an IP address such as 1.2.3.4, or a whole network, run:

    # iptables -A INPUT -s 1.2.3.4 -j DROP
    # iptables -A INPUT -s 192.168.0.0/24 -j DROP

10. Block incoming port requests

To block all incoming requests to port 80, run:

    # iptables -A INPUT -p tcp --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block only requests from IP address 1.2.3.4 (or a network) to port 80, run:

    # iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
    # iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

11. Block outgoing IP addresses

Now let's see how to block outgoing access to a host name or IP address.

First, get the IP address of the domain name:

    # host -t a cyberciti.biz

Example output:

    cyberciti.biz has address 75.126.153.206

To block packets going to the domain cyberciti.biz, run:

    # iptables -A OUTPUT -d 75.126.153.206 -j DROP

The following is an example using a subnet mask:

    # iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
    # iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

Let's take blocking facebook.com as an example. First, we need all of Facebook's IP addresses:

    # host -t a www.facebook.com

Example output:

    www.facebook.com has address 69.171.228.40

Find the CIDR block for IP address 69.171.228.40:

    # whois 69.171.228.40 | grep CIDR

Example output:

    CIDR: 69.171.224.0/19

Now block access to facebook.com:

    # iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

We can also pass the domain name directly; iptables resolves it when the rule is added, so the rule covers only the addresses returned at that moment:

    # iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
    # iptables -A OUTPUT -p tcp -d facebook.com -j DROP

12. Log and drop packets

Log and drop packets with spoofed private source addresses on the public network interface:

    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A:"
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

By default the log entries go to /var/log/messages:

    # tail -f /var/log/messages
    # grep --color 'IP_SPOOF' /var/log/messages

We can also rate-limit logging with the -m limit match to keep the log file from growing excessively:

    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A:"
    # iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
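
As an added example (not from the original article), the following shell functions summarise what the IP_SPOOF log rule above writes to /var/log/messages: hits per spoofed source address, and the destination ports a given source probed. The log lines are constructed in the netfilter LOG format, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the kernel LOG
# lines produced by the "IP_SPOOF A:" rule of section 12, counting hits per
# spoofed source address. The sample lines are constructed to follow the
# netfilter LOG format; real use is
#   grep 'IP_SPOOF' /var/log/messages | spoof_summary

SAMPLE_LOG='Mar  1 10:00:01 host kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:03 host kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.9.9.9 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=123 SEQ=1
Mar  1 10:00:04 host sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 50000 ssh2'

# Print "count source" pairs for every line carrying the IP_SPOOF prefix,
# most frequent first. Fields are located by name (SRC=, DPT=) rather than
# by position, because TCP, UDP and ICMP log lines carry different fields.
spoof_summary() {
    awk '
        /IP_SPOOF/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") hits[src]++
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' | sort -rn
}

# Print the distinct destination ports seen from one spoofed source
# (ICMP lines have no DPT field and are skipped).
ports_from_source() {
    awk -v want="$1" '
        /IP_SPOOF/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == want && dpt != "") print dpt
        }
    ' | sort -un
}

# Demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | spoof_summary
```

Because the LOG rule is rate limited (5 per minute, burst 7), the counts reflect logged packets, not every dropped packet; the DROP rule's counters from iptables -L -v -n give the full total.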

13. Allow or block incoming packets based on MAC address

We can allow or block incoming packets based on the source MAC address:

    # iptables -A INPUT -m mac --mac-source 00:0f:ea:91:04:08 -j DROP

14. Blocking ICMP ping requests

We can block ping requests with the following commands:

    # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    # iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

You can also allow ping requests only from specific network segments or hosts:

    # iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

The following commands accept only a restricted set of ICMP messages:

    # Assumes the default INPUT policy is DROP
    # iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    # Let the server respond to ping requests
    # iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

15. Open a range of ports

The following command allows TCP access to ports 7000 through 7010:

    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

16. Allow access from a range of IP addresses

The following commands allow a range of IP addresses to access a port, and show the corresponding SNAT form:

    # Allow the address range 192.168.1.100 to 192.168.1.200 to access port 80
    # iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
    # NAT example
    # iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

17. Keep established connections across a firewall restart

When the iptables service is restarted, all established connections are dropped, because the restart unloads the netfilter kernel modules (and with them the connection tracking state) when IPTABLES_MODULES_UNLOAD is enabled.

To avoid this, edit /etc/sysconfig/iptables-config and set:

    IPTABLES_MODULES_UNLOAD=no

18. Using the crit log level

    # iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

19. Block or open common ports

To block or open commonly used TCP and UDP ports:

    # Replace ACCEPT with DROP to block a port instead of opening it.
    # Open port 22 (SSH)
    # iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
    # Open TCP/UDP port 631 (print service)
    # iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
    # Open port 123, allowing LAN users to synchronize NTP time
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
    # Open port 25 (SMTP)
    # iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
    # Open DNS ports
    # iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
    # Open HTTP/HTTPS ports
    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    # iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    # Open TCP port 110 (POP3)
    # iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
    # Open TCP port 143
    # iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
    # Open Samba access for LAN users
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
    # Open proxy server access for LAN users
    # iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
    # Open MySQL access for LAN users
    # iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

20. Limit the number of concurrent connections per client IP

We can use the connlimit module to limit the number of concurrent connections per client IP. The following command allows at most 3 SSH connections per client:

    # iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Limit concurrent HTTP connections to 20 per /24 source network:

    # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Parameter description:

    • --connlimit-above 3: match once the number of existing connections exceeds 3
    • --connlimit-mask 24: group source addresses by a /24 prefix when counting connections

Better use of iptables

First, learn to read the manual page:

    $ man iptables

We can also view the built-in help:

    # iptables -h

And the help for a specific target or match:

    # iptables -j DROP -h

Test the firewall

Check which ports are listening:

    # netstat -tulpn

To test whether TCP port 80 is open:

    # netstat -tulpn | grep :80

If port 80 is not listening, make sure the Apache server is started:

    # service httpd start

And make sure the iptables firewall allows port 80:

    # iptables -L INPUT -v -n | grep 80

If there is no rule for port 80, run:

    # iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    # service iptables save

Use the telnet command to test whether you can connect to port 80:

    $ telnet www.cyberciti.biz 80

Example output:

    Trying 75.126.153.206...
    Connected to www.cyberciti.biz.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.
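
As an added example (not from the original article), this shell code performs the listening-port check above on netstat -tulpn output by matching the port part of the local address column exactly, so that :80 is not confused with :8080 or with a foreign address that happens to contain :80. The netstat output is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): decide from `netstat -tulpn`
# output whether a given TCP or UDP port is listening, and list every
# listening port. The sample output is constructed; real use is
#   netstat -tulpn | is_listening tcp 80

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1500/java
tcp6       0      0 :::80                   :::*                    LISTEN      2100/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd'

# Succeed (exit 0) when some socket of the given protocol (tcp or udp, IPv4
# or IPv6) has the given port as the port part of its local address. The
# port is the text after the last colon, which also handles IPv6 ":::80".
is_listening() {
    awk -v proto="$1" -v port="$2" '
        $1 == proto || $1 == (proto "6") {
            n = split($4, parts, ":")
            if (parts[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Print "proto/port" for every listening socket, one per line, merging the
# IPv4 and IPv6 rows of the same port.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ { proto = $1; sub(/6$/, "", proto); n = split($4, p, ":"); print proto "/" p[n] }' | sort -u
}

# Demonstration on the constructed output.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
if printf '%s\n' "$SAMPLE_NETSTAT" | is_listening tcp 80; then
    echo "tcp/80 is listening"
fi
```

A listening socket only shows that the service is up; the iptables -L INPUT -v -n check above is still needed to confirm the firewall lets the traffic through, and the telnet test confirms both together from the outside.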

Finally, we recommend testing your firewall settings with packet sniffers such as tcpdump and ngrep.

These are only basic firewall configuration policies. To build more complex firewall policies, you need to learn more about TCP/IP and the Linux kernel parameters in sysctl.conf.
