Linux Firewall startup and Shutdown
I
1.1 start command
[Root @ singledb ~] # Service iptables stop
Flushing firewall rules: [OK]
Setting chains to policy ACCEPT: filter nat [OK]
Unloading iptables modules: [OK]
[Root @ singledb ~] # Service iptables start
Applying iptables firewall rules: [OK]
Loading additional iptables modules: ip_conntrack_netbios_n [OK]
1.2 set auto-start upon startup
[Root @ singledb ~] # Chkconfig iptables off
[Root @ singledb ~] # Chkconfig -- list iptables
Iptables 0: off 1: off 2: off 3: off 4: off 5: off 6: off
[Root @ singledb ~] # Chkconfig iptables on
[Root @ singledb ~] # Chkconfig -- list iptables
Iptables 0: off 1: off 2: on 3: on 4: on 5: on 6: off
[Root @ singledb ~] #
The chkconfig -- list command lists the statuses of 0 to 6 numbers. There are 7 Linux Startup modes. The data represents the status of iptables in these modes. 3 is the command line mode, and 5 is the interface.
For more information about these modes, see my BLog:
Linux boot and Shutdown Process
Http://blog.csdn.net/tianlesoftware/archive/2010/10/24/5962460.aspx
5.1 init and Operation Level
The traditional init defines seven run levels, each of which represents some specific services that the system should supplement:
(1) level 0 is the level at which the system is completely shut down
(2) Level 1 or level S represents the single-user mode
(3) Level 2-5: multi-user level
(4) level 6 is the level of reboot
Ii. Iptables Parameters
Iptalbes is used to set, maintain, and check the IP packet filtering rules of the Linux kernel. Different tables can be defined. Each table contains several internal chains and user-defined chains. Each chain is a rule list that matches the corresponding package: each rule specifies how the matching package should be processed. This is called a 'target' (target) and can also jump to a user-defined chain in the same table.
[Root @ singledb ~] # Iptables -- help
Iptables v1.3.5
Usage: iptables-[AD] chain rule-specification [options]
Iptables-[RI] chain rulenum rule-specification [options]
Iptables-D chain rulenum [options]
Iptables-[LFZ] [chain] [options]
Iptables-[NX] chain
Iptables-E old-chain-name new-chain-name
Iptables-P chain target [options]
Iptables-h (print this help information)
Commands:
Either long or short options are allowed.
-- Append-A chain Append to chain
-- Delete-D chain Delete matching rule from chain
-- Delete-D chain rulenum
Delete rule rulenum (1 = first) from chain
-- Insert-I chain [rulenum]
Insert in chain as rulenum (default 1 = first)
-- Replace-R chain rulenum
Replace rule rulenum (1 = first) in chain
-- List-L [chain] List the rules in a chain or all chains
-- Flush-F [chain] Delete all rules inchain or all chains
-- Zero-Z [chain] Zero counters in chain or all chains
-- New-N chain Create a new user-defined chain
-- Delete-chain
-X [chain] Delete a user-defined chain
-- Policy-P chain target
Change policy on chain to target
-- Rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
-- Proto-p [!] Proto protocol: by number or name, eg. 'tcp'
-- Source-s [!] Address [/mask]
Source specification
-- Destination-d [!] Address [/mask]
Destination specification
-- In-interface-I [!] Input name [+]
Network interface name ([+] for wildcard)
-- Jump-j target
Target for rule (may load target extension)
-- Goto-g chain
Jump to chain with no return
-- Match-m match
Extended match (may load extension)
-- Numeric-n numeric output of addresses and ports
-- Out-interface-o [!] Output name [+]
Network interface name ([+] for wildcard)
-- Table-t table to manipulate (default: 'filter ')
-- Verbose-v verbose mode
-- Line-numbers print line numbers when listing
-- Exact-x expand numbers (display exact values)
[!] -- Fragment-f match second or further fragments only
-- Modprobe = <command> try to insert modules using this command
-- Set-counters pkts bytes set the counter during insert/append
[!] -- Version-V print package version.
[Root @ singledb ~] #
2.1 TARGETS
Firewall rules specify the characteristics and objectives of the checked packets. If the package does not match, it is sent to the next rule check in the chain. If yes, the next rule is determined by the target value. the target value can be a user-defined chain name or a specific value, such as ACCEPT [pass], DROP [delete], QUEUE [QUEUE], or RETURN [RETURN].
ACCEPT indicates that the package passes. DROP indicates dropping this package. QUEUE indicates to pass this package to the user space. RETURN indicates that the matching of the chain is stopped and the rule of the previous chain starts again. If a built-in chain is reached, or the rule of the built-in chain is RETURN, the fate of the package will be determined by the target specified by the chain criterion.
2.2 TABLES
There are currently three tables (which table is the current table depends on the Kernel configuration option and the current module ).
-T table: Specifies the table of matching packages to be operated by the command. If the kernel is configured to automatically load modules, if the modules are not loaded, the system will try to load the appropriate modules (for this table. These tables are as follows:
(1) filter table: This is the default table, which contains the built-in chain INPUT (the packet to be processed) and FORWORD (the packet to be processed) and OUTPUT (processing locally generated packages ).
(2) nat table: When this table is queried, it indicates that a new connection package is generated, which consists of three built-in chains: PREROUTING (modify the incoming package), OUTPUT (the local package before the route is modified), and POSTROUTING (the package to be modified ).
(3) mangle table: This table is used to modify the specified package. It has two built-in rules: PREROUTING (the package before the route is modified) and OUTPUT (the local package before the route is modified ).
2.3 OPTIONS:
These options that can be recognized by iptables can be different types.
2.4 COMMANDS
These options specify to execute a specific action: If there is no other rule under the command line, this row can only specify one option. for long-Format Commands and option names, you only need to ensure that the iptables command can be distinguished from other options.
(1)-A-append
Add one or more rules at the end of the selected chain. When the source (Address) or/and destination (Address) are converted to multiple addresses, this rule is added to all possible addresses (combinations.
(2)-D-delete
Delete one or more rules from the selected chain. This command can be used to specify the deleted rule as the serial number in the chain (the first serial number is 1) or as the rule to be matched.
(3)-R-replace
Replaces a rule from the selected chain. If the source (Address) or/and destination (Address) are converted to multiple addresses, this command fails. The rule sequence number starts from 1.
(4)-I-insert
Insert one or more rules to the selected Chain Based on the given rule sequence number. Therefore, if the rule number is 1, the rule will be inserted into the chain header. This is the default method when no rule serial number is specified.
(5)-L-list
Displays all the rules of the selected chain. If no link is selected, all links are displayed. It can also be used with the z option, and the chain will be automatically listed and zeroed. Precise output is affected by other parameters.
(6)-F-flush
Clear the selected chain. This means that all rules are deleted one by one.
(7) -- Z-zero
Clears the packets and byte counters of all links. It can be used with-L to view the counter before clearing. See the previous article.
(8)-N-new-chain
Create a new user-defined Chain Based on the given name. This must ensure that no chain with the same name exists.
(9)-X-delete-chain
Deletes a specified user-defined chain. This chain must not be referenced. If it is referenced, you must delete or replace the relevant rules before deleting it. If no parameter is provided, this command will try to delete each non-built chain.
(10)-P-policy
Set the target rule of the chain.
(11)-E-rename-chain
Rename the specified Chain Based on the name given by the user. This is only a modifier and does not affect the structure of the entire table. The TARGETS parameter provides a valid target. Rules can be used only for non-user-defined chains, and both built-in and user-defined chains cannot be the target of rules.
(12)-h Help.
Help. The syntax of the current command is very short.
2.5 PARAMETERS
The following parameters constitute detailed rules, such as the add, delete, replace, append, and check commands.
(1)-p-protocal [!] Protocol
Protocol for rule or package check (package to be checked. The specified protocol can be either one or all of tcp, udp, or icmp, or a numerical value, representing one of these protocols. You can also use the Protocol name defined in/etc/protocols. Add "! "Indicates the opposite rule. The number 0 is equivalent to all. Protocol all matches all protocols, and this is a time-saving option. When combined with the check command, all can be disabled.
(2)-s-source [!] Address [/mask]
Specifies the source address, which can be the host name, network name, and clear IP address. The mask can be a network mask or a clear number. specify the number of "1" on the left of the network mask. Therefore, the value of the mask is 24 or 255.255.255.0. Add "! "Indicates that the opposite address segment is specified. Flag -- src is short for this option.
(3)-d -- destination [!] Address [/mask]
Specify the target address. For more information, see the description of the-s flag. The flag-dst is short for this option.
(4)-j -- jump target
-J: Jump to the target, specifying the target of the Rule; that is, what to do if the package matches. The target can be a user-defined chain (not where this rule is located), a private built-in target that will immediately determine the fate of the package, or an extension (see EXTENSIONS below ). If the rule option is ignored, the matching process will not affect the package, but the rule counter will increase.
(5)-I-in-interface [!] [Name]
I-access (network) interface [!] [Name]. This is the optional entry name received by the package through this interface. The package is received through this interface (the package entered in the chain INPUT, FORWORD, and PREROUTING ). Before the Interface Name, use "! "After description, it refers to the opposite name. If the interface name is followed by "+", all interfaces starting with this interface name will be matched. If this option is ignored, it is assumed to be "+", then any interface will be matched.
(6)-o -- out-interface [!] [Name]
-O -- OUTPUT interface [name], which is the optional outlet name sent by the package through this interface. The package is OUTPUT through this port (the package sent in the chain FORWARD, OUTPUT, and POSTROUTING ). Before the Interface Name, use "! "After description, it refers to the opposite name. If the interface name is followed by "+", all interfaces starting with this interface name will be matched. If this option is ignored, it is assumed as "+", then all arbitrary interfaces will be matched.
(7) [!] -F, -- fragment
[!] -F -- fragment, which means that in the package of the fragment, the rule only queries the second and later parts. Since then, because the source port or target port (or ICMP type) of the packet cannot be determined, such packets cannot match any rules specified for matching them. If "! "The description is used before the"-f "sign to indicate the opposite.
2.6 OTHER OPTIONS
You can also specify the following additional options:
(1)-v -- verbose
-V -- Detailed, detailed output. This option allows the list command to display the interface address, rule option (if any), and TOS (Type of Service) mask. The package and byte counters will also be displayed. K, M, and G (prefix) are used to indicate 1000, 1,000,000, and 1,000,000,000 times respectively (but refer to the-x flag to change it). For addition, insert, delete, and replace commands. This prints detailed information about one or more rules.
(2)-n -- numeric
-N -- number, number output. The IP address and port are printed in numbers. By default, the program displays the host name, network name, or service (as long as it is available ).
(3)-x-exact
-X-precision, extended number. Display the exact value of the package and byte counter, instead of the approximate number expressed in K, M, G. This option can only be used for the-L command.
(4) -- line-numbers
When a rule is displayed in the list, add a row number before each rule to match the rule's position in the chain.
2.7 MATCH EXTENSIONS
Iptables can use some extension packages that match the module. The following are the extension packages included in the basic package, and most of them can be added in front! To indicate the opposite.
2.7.1 tcp
When -- protocol tcp is specified and other matching extensions are not specified, these extensions are loaded. It provides the following options:
(1) -- source-port [!] [Port [ort]
Specifies the source port or port range. This can be the service name or port number. Format port: You can specify the port range. If the first port number is ignored, the default value is "0". If the end port number is ignored, the default value is "65535". If the second port number is greater than the first port number, it is switched. You can use the -- sport alias for this option.
(2) -- destionation-port [!] [Port: [port]
Specify the target port or port range. This option can be replaced by the -- dport alias.
(3) -- tcp-flags [!] Mask comp
Matches the specified TCP tag. The first parameter is the tag we want to check, a list separated by commas, and the second parameter is a tag table separated by commas, which must be set. Mark as follows: syn ack fin rst urg psh all none. Therefore, this command: iptables-a forward-p tcp -- tcp-flags SYN, ACK, FIN, rst syn only matches the packets whose SYN flag is set but the ACK, FIN, and RST tags are not set.
(4) [!] -- Syn
Only TCP packets whose SYN bit is set and ACK and FIN bit are cleared. These packages are used to send requests during TCP connection initialization. For example, a large number of such packages will block the TCP connection when an interface is blocked, and the outgoing TCP connection will not be affected. This is equal to -- tcp-flags SYN, RST, and ack syn. If "-- syn" is preceded "! "Mark, indicating the opposite.
(5) -- tcp-option [!] Number
Match the TCP option.
2.7.2udp
When protocol udp is specified and other matching extensions are not specified, these extensions are loaded and provide the following options:
(1) -- source-port [!] [Port: [port]
Specifies the source port or port range. For details, see the description of the TCP extended -- source-port option.
(2) -- destination-port [!] [Port: [port]
Specify the target port or port range. For details, see the -- destination-port option of TCP extension.
2.7.3icmp
When protocol icmp is specified and other matching extensions are not specified, the extension is loaded. It provides the following options:
(1) -- icmp-type [!] Typename
This option allows you to specify the ICMP type, which can be a numeric ICMP type, or an icmp type name displayed by the command iptables-p ICMP-h.
2.7.4mac
-- Mac-source [!] Address
Match the physical address. The format must be XX: XX. Note that it is only valid for packets from the Ethernet device that enter the PREROUTING, FORWORD, and INPUT chains.
2.7.5 limit
This module matching flag matches with a tag bucket filter at a certain speed. It is used with LOG targets to provide a limited number of logins. when the limit value is reached, the rules that use this extension package will match. (Unless "! "Mark)
(1) -- limit rate
Maximum average matching rate: The value can be assigned to units such as '/second','/minute ','/hour', or '/Day'. The default value is 3/hour.
(2) -- limit-burst number
Maximum initial number of packages to be matched: if the limit specified earlier has not reached this value, the total number is increased by 1. The default value is 5.
2.7.6 multiport
This module matches a group of source or target ports. You can specify up to 15 ports. It can only be used with-p tcp or-p udp.
(1) -- source-port [port [, port]
If the source port is one of the given ports
(2) -- destination-port [port [, port]
If the target port is one of the given ports, it matches
(3) -- port [port [, port]
If the source port and destination port are the same and are the same as a given port, they match.
2.7.7 mark
This module matches the netfilter tag field (you can set MARK as below ).
-- Mark value [/mask]
Match those unsigned tag values (if the mask is specified, a logical tag is added to the mask before comparison ).
2.7.8 owner
This module generates a local package to match different features of the package creator. It can only be used for OUTPUT chains, and even some packets (such as ICMP ping responses) may not have owners, so they will never match.
(1) -- uid-owner userid
If a valid user id is provided, it matches the package generated by the process.
(2) -- gid-owner groupid
If a valid group id is provided, it matches the package generated by the process.
(3) -- sid-owner seessionid
Match the packets generated by the process according to the given session group.
2.7.9state
This module allows the connection trace status of the access package when used in conjunction with the connection trace.
-- State
The state is a comma-separated list of matched connection statuses. The possible status is: INVALID indicates that the package is an unknown connection, ESTABLISHED indicates a two-way transmission connection, and NEW indicates that the package is a NEW connection. Otherwise, the package is not transmitted in two directions, RELATED indicates that the package starts from a new connection, but is connected with an existing connection, such as FTP data transmission or an ICMP error.
2.7.10unclean
This module has no options, but it tries to match those strange and uncommon packages. In the lab.
2.7.11tos
This module matches the eight-bit tos (service type) field (that is, included in the priority) of the IP package header ).
-- Tos
This parameter can be a standard name (view the list with iptables-m tos-h) or a value.
2.8LOG
Enable the kernel record for the matching package. After this option is set in the rule, the Linux kernel prints some information about all matching packages (such as the IP header field) through printk ).
(1) -- log-level
Record level (numeric or see syslog. conf (5 )).
(2) -- log-prefix
Add a specific prefix before the record information: a maximum of 14 letters are used to distinguish it from other information in the record.
(3) -- log-tcp-sequence
Record the TCP serial number. If records can be read by users, this poses a security risk.
(4) -- log-tcp-options
Record the options from the TCP header.
(5) -- log-ip-options
Record the options from the IP packet header.
2.9 MARK
Set the netfilter flag value of the package. Only applicable to mangle tables.
-- Set-mark
2.10 REJECT
As a response to the matched package, an error package is returned: the package is the same as the DROP in other cases. This target applies only to INPUT, FORWARD, and OUTPUT chains, and user-defined chains that call these chains. These options control the returned error Package features:
-- Reject-with type
The Type can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-nreachable, icmp-proto-unreachable, icmp-net-prohibited, or icmp-host-prohibited, this type will return the corresponding ICMP error message (default: port-unreachable ). The echo-reply option is also allowed. It can only be used to generate a ping response in the rule that specifies the ICMP ping packet. Finally, the tcp-reset option can be used in the INPUT chain or in the Rules called by the self-INPUT chain. Only the TCP protocol is matched: a tcp rst packet will be returned.
2.11 MIRROR
This is a test demonstration target. It can be used to convert the source address and target address in the IP address header field, and then transfer the package. It is only applicable to INPUT, FORWARD, and OUTPUT chains, and user-defined chains that only call them.
2.12 SNAT
This target only applies to the POSTROUTING chain of the nat table. It specifies to modify the source address of the package (all packages will be affected after this connection) and stop checking the rule. It includes the following options:
(1) -- to-source [-] [ort-port]
You can specify a single new IP address, a range of IP addresses, or a port range (only in rules specifying-p tcp or-p udp ). If no port range is specified, ports lower than 512 in the source port will be placed as other ports lower than 512; ports between 512 and 1024 will be placed below 1024, other ports are placed as 1024 or above. If possible, the port is not modified.
(2) -- to-destiontion [-] [ort-port]
You can specify a single new IP address, a range of IP addresses, or a port range (only in rules specifying-p tcp or-p udp ). If no port range is specified, the target port is not modified.
2.13 MASQUERADE
Only used for the POSTROUTING chain of the nat table. It can only be used to dynamically obtain IP (dial-up) connections: If you have a static IP address, you must use SNAT. Disguise is equivalent to setting an image for the IP address of the interface through which the packet is sent. When the interface is closed, the connection will be terminated. This is because the current dial-up may not be the same interface address (all established connections will be closed later ). It has an option:
-- To-ports [-port>]
Specify the source port range to be used, and overwrite the default SNAT source address selection (see the above ). This option applies only to rules with-p tcp or-p udp specified.
2.14 REDIRECT
Only applicable to the PREROUTING and OUTPUT chains of nat tables, and user-defined chains that only call them. It modifies the target IP address of the package to send the package to the machine itself (the locally generated package is placed at 127.0.0.1 ). It contains an option:
-- To-ports []
Specified destination port or port range: If this parameter is not specified, the target port is not modified. Only rules with-p tcp or-p udp can be specified.
2.15 DIAGNOSTICS
Diagnosis. Different error messages are printed as standard errors: Exit code 0 to indicate correct. If the command line parameter is incorrect or the command line parameter is abused, error code 2 is returned, and other error codes are returned as 1.
2.16 COMPATIBILITY WITH IPCHAINS
Iptables is similar to Rusty Russell's ipchains. The main difference is that the INPUT chain is only used to enter the package of the local host, and the OUTPUT is only used to generate the package from the local host. Therefore, each packet passes through only one of the three chains. The previously forwarded packet passes through all three chains. The other major difference is that-I references the incoming interface;-o references the output interface, both of which are applicable to the packets that enter the FORWARD chain. When the default filter table is used with the optional extension module, iptables is a pure package filter. This can greatly reduce the previous obfuscation of IP camouflage and packet filtering, so the following options are different:
-J MASQ
-M-S
-M-L
Iii. Iptables example
1. view the settings of IPTABLES on the local machine:
[Root @ singledb ~] # Iptables-L-n
Chain FORWARD (policy ACCEPT)
Target prot opt source destination
ACCEPT all -- 0.0.0.0/0192.168.122.0/24 state RELATED, ESTABLISHED
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
The IP address and network number are displayed. The network number is/24. For details about IP addresses, refer to Blog:
IP (Internet Protocal) Address description
Http://blog.csdn.net/tianlesoftware/archive/2011/02/25/6207289.aspx
2. Save Iptables
The configuration of iptables is the same as that of other commands to configure IP addresses. You can save the IP addresses in the following two ways to restart the IP address.
# Service iptables save
Or:
# Iptables-save>/etc/sysconfig/iptables
/Etc/sysconfig/iptables is the default storage location. There is also an iptables configuration file in the/etc/sysconfig Directory: etc/sysconfig/iptables-config
Note: It is generally not recommended that you manually modify the content of this file. This file is only used to save the firewall rules that need to be automatically applied when iptables is started.
After saving, restart the firewall to make it take effect.
# Service iptables restart
3. Clear the original rules (with caution ):
# Iptables-F --> clear rules of all rule chains in the filter of the preset table
# Iptables-X --> clear the rules in the User-Defined chain in the filter of the preset table
4. Set preset rules
View the rule status:
[Root @ localhost ~] # Iptables-L
Chain INPUT (policy ACCEPT)
Target prot opt source destination
Chain FORWARD (policy ACCEPT)
Target prot opt source destination
Chain OUTPUT (policy ACCEPT)
Target prot opt source destination
Change rules:
[Root @ tp ~] # Iptables-P INPUT DROP
[Root @ tp ~] # Iptables-P OUTPUT ACCEPT
[Root @ tp ~] # Iptables-P FORWARD DROP
If it is an ssh connection, the connection will be interrupted.
The above means that when two chain rules (INPUT, FORWARD) in the filter table in IPTABLES are exceeded, the data packets not in these two rules will be dropped (abandoned ). it should be said that the configuration is safe. we need to control inbound data packets. For the OUTPUT chain, that is, the outgoing package, we do not need to impose too many restrictions, but adopt ACCEPT.
The INPUT and FORWARD chains use packages that are allowed to pass, while the OUTPUT chain uses packages that are not allowed to pass. This setting is quite reasonable. Of course you can also DROP all three links, but I don't think it is necessary to do so, and the rules to be written will increase. but if you only want a limited number of rules, for example, only WEB servers. we recommend that all three links be DROP.
5. Add Rules.
First, add the INPUT chain. For example, we want to enable port 22:
# Iptables-a input-p tcp -- dport 22-j ACCEPT
Note: If you set OUTPUT to DROP, you need to write the upper and lower rules. Many people forget to write this rule, which leads to SSH failure.
# Iptables-a output-p tcp -- sport 22-j ACCEPT
6. Example of port operations:
6.1 add Port
(1) allow hosts with the source address x. x/x to use port 22 (ssh.
Iptables-a input-p tcp-s x. x/x -- dport 22-j ACCEPT
(2) Allow inbound packets from port 80 (http)
Iptables-a input-p tcp -- dport 80-j ACCEPT
(3) allow incoming packets from port 110 (pop3). If this rule is not added, emails can only be received through web pages (OE Or Foxmail cannot be used)
Iptables-a input-p tcp -- dport 110-j ACCEPT
(4) allow incoming packets from port 25 (smtp). If this rule is not added, emails can only be sent through web pages (OE Or Foxmail cannot be used)
Iptables-a input-p tcp -- dport 25-j ACCEPT
(5) Allow inbound data packets from port 21 (ftp)
Iptables-a input-p tcp -- dport 21-j ACCEPT
(6) allow data packets on Port 20 (ftp) to enter (execute ftp commands, such as dir)
Iptables-a input-p tcp -- dport 20-j ACCEPT
(7) Allow 53 (dns) port data packets to enter (tcp)
Iptables-a input-p tcp -- dport 53-j ACCEPT
(8) Allow 53 (dns) port data packets to enter (udp)
Iptables-a input-p udp -- dport 53-j ACCEPT
(9) Allow ICMP packets to pass, that is, allow ping
Iptables-a input-p icmp-j ACCEPT
(10) Support for connection status using iptables
Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
(11) set the default rule of the INPUT chain to DROP
Iptables-P INPUT DROP
6.2 view port information
[Root @ singledb ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt: 22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt: 2222
After adding the port information to the trusted chain, you can view it, such as the previously added 22 port. It is in the INPUT chain.
6.3 delete port information
[Root @ singledb ~] # Iptables-d input-p tcp -- dport 22-j ACCEPT
[Root @ singledb ~] # Iptables-d input-p tcp -- dport 2222-j ACCEPT
[Root @ singledb ~] # Iptables-L-n
After deletion, we can view the information in the INPUT chain.
7. iptables restrict IP addresses from accessing specific ports
7.1 allow SSH connection to a machine with an IP address (192.168.6.100:
[Root @ singledb ~] # Iptables-a input-s 192.168.6.100-p tcp -- dport 22-j ACCEPT
[Root @ singledb ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
ACCEPT tcp -- 192.168.6.100 0.0.0.0/0 tcp dpt: 22
7.2 allow a certain segment of IP address to access SSH
[Root @ singledb ~] # Iptables-d input-s 192.168.6.100-p tcp -- dport 22-j ACCEPT
[Root @ singledb ~] # Iptables-a input-s 192.168.6.0/24-p tcp -- dport 22-j ACCEPT
[Root @ singledb ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
ACCEPT tcp -- 192.168.6.0/24 0.0.0.0/0 tcp dpt: 22
Because this port has been added before, the configuration of 22 is deleted first and then added. Here we use 192.168.6.0/24. It indicates that all IP addresses of 192.168.6.1-192.168.6.254 can be accessed. Here 24 represents the network number. For details, refer:
IP (Internet Protocal) Address description
Http://blog.csdn.net/tianlesoftware/archive/2011/02/25/6207289.aspx
7.3 restrict access to SSH from an IP address
[Root @ singledb ~] # Iptables-a input-p tcp-s! 192.168.6.100 -- dport 22-j ACCEPT -- note! There is a space
[Root @ singledb ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
ACCEPT tcp -- 192.168.6.0/24 0.0.0.0/0 tcp dpt: 22
8. configure a NAT table
8.1 view local NAT settings
[Root @ singledb ~] # Iptables-t nat-L
Chain PREROUTING (policy ACCEPT)
Target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
Target prot opt source destination
MASQUERADEall -- 192.168.122.0/24! 192.168.122.0/24
MASQUERADEall -- 192.168.122.0/24! 192.168.122.0/24
Chain OUTPUT (policy ACCEPT)
Target prot opt source destination
You can also view the information in the iptables configuration file (/etc/sysconfig/iptables.
8.2 clear the NET table information:
[Root @ singledb ~] # Iptables-F-t nat
[Root @ singledb ~] # Iptables-X-t nat
[Root @ singledb ~] # Iptables-Z-t nat
8.3 Add Rules
(1) prevent Internet spoofing using Intranet IP addresses
[Root @ singledb ~] # Iptables-t nat-a prerouting-I eth0-s 10.0.0.0/8-j DROP
[Root @ singledb ~] # Iptables-t nat-a prerouting-I eth0-s 172.16.0.0/12-j DROP
[Root @ singledb ~] # Iptables-t nat-a prerouting-I eth0-s 192.168.0.0/16-j DROP
(2) disallow all connections to 211.101.46.253
[Root @ singledb ~] # Iptables-t nat-a prerouting-d 211.101.46.253-j DROP
(3) disable FTP (21) Port
[Root @ singledb ~] # Iptables-t nat-a prerouting-p tcp -- dport 21-j DROP
In this way, the write range is too large, so we can define it more accurately.
[Root @ singledb ~] # Iptables-t nat-a prerouting-p tcp -- dport 21-d 211.101.46.253-j DROP
In this way, only the FTP connection of the 211.101.46.253 address is disabled. Other connections can also be. For example, web (port 80) connections.
(4) drop illegal connection
[Root @ singledb ~] # Iptables-a input-m state -- state INVALID-j DROP
[Root @ singledb ~] # Iptables-a output-m state -- state INVALID-j DROP
[Root @ singledb ~] # Iptables-a forward-m state -- state INVALID-j DROP
(5) Allow all established and related connections
[Root @ singledb ~] # Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
[Root @ singledb ~] # Iptables-a output-m state -- state ESTABLISHED, RELATED-j ACCEPT
9. Save
[Root @ singledb ~] # Service iptables save
Saving firewall rules to/etc/sysconfig/iptables: [OK]
[Root @ singledb ~] # Service iptables restart
Flushing firewall rules: [OK]
Setting chains to policy ACCEPT: filter nat [OK]
Unloading iptables modules: [OK]
Applying iptables firewall rules: [OK]
Loading additional iptables modules: ip_conntrack_netbios_n [OK]
[Root @ singledb ~] #