Iptables is hard for Linux beginners to understand and configure, but once you know the basics it is not that difficult to learn. Iptables is the Linux firewall tool: it creates rules that filter packets and drive the NAT modules. In short, iptables is the firewall for Linux network connections.
Check whether Iptables is installed
Before configuring iptables, first check whether it is installed:
# rpm -qa | grep iptables
When the command runs, a line such as iptables-<installed version> should be printed. If nothing is printed, iptables is not installed; download the latest rpm package and install it with rpm -Uvh iptables-<downloaded version>.rpm, or install it directly with yum:
# yum install iptables
Iptables-Related Files
/etc/init.d/iptables: the initialization script used to start and stop iptables, or to save the rules.
/etc/sysconfig/iptables: the file in which all saved rules are stored.
/sbin/iptables: the iptables binary.
When configuring rules, let's first look at the current configuration:
# iptables -L
By default there are only three rule chains: INPUT, OUTPUT and FORWARD. The INPUT chain holds rules for inbound packets, the OUTPUT chain holds rules for outbound packets, and the FORWARD chain holds rules for packets being forwarded to other hosts.
Most of the time iptables is used to handle packets arriving from the network at the Linux server, so the INPUT chain is the one used most often. When a packet passes through the Linux kernel and matches a rule, one of the following targets decides what happens to it:
ACCEPT: the packet is allowed to reach its destination.
REJECT: the packet is refused and a rejection notice is returned to the host that sent it.
DROP: the packet is refused and nothing is returned.
Configure Iptables rules
Before you start configuring rules, three pieces of advice:
1. The order of rules is very important. For example, if you put a rule that blocks everything at the top, none of the rules after it will ever be reached.
2. Remember that the rules you write live in memory and are not automatically written to disk, so after a reboot they no longer exist. You must run the initialization script to save them.
3. If you manage the server remotely, for example over SSH, you must add a rule that allows SSH before configuring any other rules, or iptables will lock you out:
# iptables -A INPUT -s 213.10.10.13 -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
Note:
-A: append to the INPUT chain;
-s: source IP address; in this example, the address of the computer you are currently logging in from over SSH;
-d: destination address; in this example, the server's IP address;
-p: communication protocol;
--dport: destination port; in this example, the default SSH port 22;
-j: "jump"; if all the preceding conditions match, the packet is accepted.
Next, let's set basic rules for ordinary packets. One of the features of iptables is that it can determine a packet's connection state. The states of a packet in a new connection are:
NEW: the first server sends a SYN packet to the second server to create a NEW connection.
RELATED: the second server receives the SYN packet and answers the first server with a SYN-ACK packet to confirm that the connection is working.
ESTABLISHED: the first server receives the SYN-ACK packet and sends an ACK packet to the second server as final confirmation. The connection is now ESTABLISHED and the two servers start to transmit data.
To allow your server to establish TCP connections with other servers, iptables must be configured as follows:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Custom Rules
Blocked IP address:
# iptables -A INPUT -s 213.10.10.13 -j DROP
This rule drops packets sent from IP address 213.10.10.13.
# iptables -A INPUT -d 192.168.1.15 -j REJECT
This rule rejects packets addressed to the LAN IP address 192.168.1.15 (-d matches the destination).
Allowed IP address:
# iptables -A INPUT -s 213.10.10.13 -d 192.168.1.4 -p tcp --dport 21 -j ACCEPT
This rule accepts packets from IP address 213.10.10.13 to the FTP server at destination address 192.168.1.4 (TCP port 21).
After the necessary rules have been configured, reject everything else with catch-all rules at the end:
# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT
These rules must be added last.
To delete a rule, replace "-A" with "-D".
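The procedure above (SSH rule first, then the stateful rules, then the specific blocks and allows, then the catch-all REJECTs) is easy to get out of order when typed one command at a time. As an added example that is not from the original article, the script below assembles the same rules in the prescribed order into a file that iptables-restore can load in one step, and checks that the SSH accept precedes the INPUT catch-all before anything is loaded. The addresses are the article's; BLOCKED_IP (a documentation address) and the interface eth0 are constructed placeholders. Note that netfilter's connection tracking also applies RELATED to traffic tied to an existing connection, such as the FTP data channel implied by the port 21 rule, which is another reason the stateful rule belongs near the top.

```shell
#!/bin/sh
# Added example, not from the original article: assemble the article's rules, in the
# order it prescribes (SSH first, stateful accept, specific blocks and allows, catch-all
# REJECT last), into a file that `iptables-restore` can load in one step, and check the
# order before anything is loaded. Addresses are the article's; BLOCKED_IP and the
# interface eth0 are constructed placeholders.
export LC_ALL=C

ADMIN_IP="${ADMIN_IP:-213.10.10.13}"     # host you manage the server from over SSH
SERVER_IP="${SERVER_IP:-192.168.1.1}"    # the server itself
FTP_IP="${FTP_IP:-192.168.1.4}"          # the FTP server the article allows port 21 to
BLOCKED_IP="${BLOCKED_IP:-203.0.113.9}"  # constructed placeholder for an address to drop

# build_ruleset prints the filter table in iptables-save format.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $ADMIN_IP -d $SERVER_IP -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $BLOCKED_IP -j DROP
-A INPUT -s $ADMIN_IP -d $FTP_IP -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# rule_index CHAIN PATTERN: 1-based position within CHAIN of the first rule whose
# text contains PATTERN, or 0 if no rule matches.
rule_index() {
    build_ruleset | awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if (!found && index($0, pat)) found = n }
        END { print found + 0 }'
}

# check_order succeeds only when the SSH accept sits above the INPUT catch-all REJECT,
# i.e. loading the rules cannot lock out the remote session (advice 1 and 3 above).
check_order() {
    ssh_pos=$(rule_index INPUT "--dport 22 -j ACCEPT")
    end_pos=$(rule_index INPUT "-A INPUT -j REJECT")
    [ "$ssh_pos" -gt 0 ] && [ "$end_pos" -gt 0 ] && [ "$ssh_pos" -lt "$end_pos" ]
}

# Usage: sh build_rules.sh --print > /tmp/iptables.rules
#        iptables-restore < /tmp/iptables.rules      (as root, on the server)
if [ "${1:-}" = "--print" ]; then
    check_order || { echo "refusing: SSH accept is not ahead of the catch-all REJECT" >&2; exit 1; }
    build_ruleset
fi
```

Loading the whole table with iptables-restore replaces the rule set atomically, so there is no window in which the catch-all REJECT exists but the SSH accept does not, which is exactly the failure mode advice 3 warns about.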
Save rule
To save Iptables rules, run the following command:
# /etc/init.d/iptables save
Stop iptables to flush all rules:
# /etc/init.d/iptables stop
Restart iptables to load the latest rules from /etc/sysconfig/iptables:
# /etc/init.d/iptables start
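Because rules live in memory until the save step above writes them to /etc/sysconfig/iptables, a rule added by hand and never saved silently disappears at the next stop/start. As an added example that is not part of the original article, the script below compares a dump of the live rules with the saved file and lists the rules that exist only in memory. The two inputs are constructed samples in iptables-save format (the timestamps, version string and counters are placeholders); on a real host you would feed it the output of iptables-save and /etc/sysconfig/iptables instead.

```shell
#!/bin/sh
# Added example, not from the original article: find rules that are in memory but not
# in the saved file, i.e. rules that would be lost on restart. Inputs are constructed
# samples; replace them with `iptables-save` output and /etc/sysconfig/iptables.
export LC_ALL=C

# Constructed sample of the live rules: the saved set plus one FTP rule added by hand.
write_sample_live() {
    cat > "$1" <<'EOF'
# Generated by iptables-save vX.Y.Z on Mon Jan  1 12:00:00 2024
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:7654]
-A INPUT -s 213.10.10.13/32 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 213.10.10.13/32 -d 192.168.1.4/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon Jan  1 12:00:00 2024
EOF
}

# Constructed sample of /etc/sysconfig/iptables as written by the last save.
write_sample_saved() {
    cat > "$1" <<'EOF'
# Generated by iptables-save vX.Y.Z on Sun Dec 31 09:00:00 2023
*filter
:INPUT ACCEPT [77:9012]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:400]
-A INPUT -s 213.10.10.13/32 -d 192.168.1.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Dec 31 09:00:00 2023
EOF
}

# normalize_rules FILE: drop the timestamped comments and the per-chain packet/byte
# counters, which differ on every dump, and sort so that comm can compare the sets.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1" | sort
}

# unsaved_rules LIVE SAVED: print the rule lines present in LIVE but absent from SAVED.
unsaved_rules() {
    live_tmp=$(mktemp)
    saved_tmp=$(mktemp)
    normalize_rules "$1" > "$live_tmp"
    normalize_rules "$2" > "$saved_tmp"
    comm -23 "$live_tmp" "$saved_tmp"
    rm -f "$live_tmp" "$saved_tmp"
}

# unsaved_count LIVE SAVED: number of such rules (0 means the save is up to date).
unsaved_count() {
    unsaved_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed samples.
tmpdir=$(mktemp -d)
write_sample_live "$tmpdir/live.rules"
write_sample_saved "$tmpdir/saved.rules"
if [ "$(unsaved_count "$tmpdir/live.rules" "$tmpdir/saved.rules")" -gt 0 ]; then
    echo "rules in memory that are NOT on disk (run '/etc/init.d/iptables save'):"
    unsaved_rules "$tmpdir/live.rules" "$tmpdir/saved.rules"
fi
rm -rf "$tmpdir"
```

On a real server the same check is `iptables-save > /tmp/live.rules` followed by `unsaved_rules /tmp/live.rules /etc/sysconfig/iptables`; a non-empty result means a stop/start would drop those rules.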
This is just a basic iptables tutorial, suitable for configuring simple rules. If you need to configure complex rules, you will need to study iptables in more depth.