CentOS 6 iptables Firewall Settings Learning Notes


iptables Introduction

iptables is a very powerful kernel-based firewall. It has three built-in tables: filter, nat and mangle.

The filter table is responsible for filtering packets; its rule chains are INPUT, OUTPUT and FORWARD.

The nat table handles network address translation; its rule chains are PREROUTING, POSTROUTING and OUTPUT.

The mangle table is mainly used to modify packet contents, for example for traffic shaping; its default rule chains are input, output, nat, postrouting and prerouting.

INPUT matches packets whose destination IP is the local host; FORWARD matches packets passing through this machine; PREROUTING is used to change the destination address (DNAT); POSTROUTING is used to change the source address (SNAT).

iptables main parameters

-A appends a rule to a chain; by default it is added at the end

-t specifies the table to operate on; the default is filter

-D deletes a rule from a chain, specified either by its ordinal number or by the matching rule

-R replaces a rule

-I inserts a rule; by default it is inserted at the head of the chain

-F flushes the selected chain; the rules come back after a reboot

-N creates a user-defined chain

-X deletes a user-defined chain

-p specifies the protocol: tcp, udp, icmp, or a numeric protocol number

-s specifies the source address

-d specifies the destination address

-i inbound interface

-o outbound interface

-j the target (action) to take: ACCEPT, DROP, SNAT, DNAT, MASQUERADE

--sport source port

--dport destination port; a port can only be used together with a protocol (-p)

Note: chain names must be written in uppercase, table names in lowercase, targets (actions) in uppercase, and match names in lowercase.

1. Install the iptables firewall

If iptables is not installed, install it first. On CentOS run:

yum install iptables

On Debian/Ubuntu run:

apt-get install iptables

2. Clear the existing iptables rules

iptables -F

iptables -X

iptables -Z

3. Open the specified ports

# Allow the local loopback interface (that is, the machine accessing itself)

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Allow established or related traffic

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound access from this machine

iptables -A OUTPUT -j ACCEPT

# Allow access to port 22

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow access to port 80

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow ports 21 and 20 for the FTP service

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 20 -j ACCEPT

# For other ports the rules are similar; just adjust the statements above.

# Reject everything else that has not been allowed

iptables -A INPUT -j REJECT

Note: if port 22 has not been added to the allow rules, the SSH connection will be cut off immediately.

iptables -A FORWARD -j REJECT

4. Blocking IP addresses

# If you only want to block IPs, section "3. Open the specified ports" can be skipped.

# The command to block a single IP is

iptables -I INPUT -s 123.45.6.7 -j DROP

# The command to block a whole range, from 123.0.0.1 to 123.255.255.254, is

iptables -I INPUT -s 123.0.0.0/8 -j DROP

# The command to block the range from 123.45.0.1 to 123.45.255.254 is

iptables -I INPUT -s 123.45.0.0/16 -j DROP

# The command to block the range from 123.45.6.1 to 123.45.6.254 is

iptables -I INPUT -s 123.45.6.0/24 -j DROP

4. View the added iptables rules

iptables -L -n

-v: show details, including the number of packets and bytes matched by each rule

-x: on top of -v, do not convert counters to units (K, M) automatically

-n: show only IP addresses and port numbers; do not resolve IPs to domain names

5. Delete an added iptables rule

To list all iptables rules with ordinal numbers, run:

iptables -L -n --line-numbers

For example, to delete rule number 8 in the INPUT chain, run:

iptables -D INPUT 8

6. Starting iptables at boot and saving rules

On CentOS, iptables may be installed but not started at boot. To enable it at boot, run:

chkconfig --level 345 iptables on

On CentOS, run the following to save the rules:

service iptables save

Note in addition that on Debian/Ubuntu, iptables does not save rules by itself.

Follow these steps to save the iptables rules when the network interface goes down and load them again when it comes up:

Create the file /etc/network/if-post-down.d/iptables with the following content:

#!/bin/bash

iptables-save > /etc/iptables.rules

Run chmod +x /etc/network/if-post-down.d/iptables to add execute permission.

Create the file /etc/network/if-pre-up.d/iptables with the following content:

#!/bin/bash

iptables-restore < /etc/iptables.rules

Run chmod +x /etc/network/if-pre-up.d/iptables to add execute permission.

For more iptables options, run iptables --help or search online for the iptables parameter documentation.

Forwarding rules

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

Only established connections and related traffic are allowed to be forwarded inward.

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Allow outbound forwarding.

Filter by MAC address

iptables -A FORWARD -m mac --mac-source <MAC address> -j DROP

After a packet has been routed, the MAC information in the packet is replaced, so matching on MAC in iptables after routing is meaningless.

Packet rate limiting

iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP

Multi-port matching

Used to match several ports in a single rule:

iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT

Discard invalid connections

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

Saving and restoring iptables rules

iptables-save > somefile
iptables-restore < somefile
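As an added example (not part of the original post), the following POSIX sh function emits the ruleset from section 3 directly in iptables-save format, so it can be written to a file and loaded atomically with iptables-restore as described in the save/restore steps. The function name gen_filter_rules, the port validation and the port-22 lock-out guard are this example's own conventions, not something from the post.

```shell
#!/bin/sh
# Added example: generate the "open the specified ports" ruleset in
# iptables-save format (loopback, ESTABLISHED/RELATED, INVALID drop, the
# listed TCP ports, then REJECT), ready for: iptables-restore < file
# gen_filter_rules and the port-22 guard are assumptions of this example.

gen_filter_rules() {
    has_ssh=0
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) printf 'invalid port: %s\n' "$p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            printf 'port out of range: %s\n' "$p" >&2; return 1
        fi
        if [ "$p" -eq 22 ]; then has_ssh=1; fi
    done
    # Guard against the lock-out noted in section 3: the final REJECT rule
    # cuts the SSH session unless port 22 is allowed above it.
    if [ "$has_ssh" -eq 0 ] && [ "${ALLOW_NO_SSH:-0}" != 1 ]; then
        printf 'refusing: 22 not in allow list (set ALLOW_NO_SSH=1 to override)\n' >&2
        return 1
    fi
    printf '%s\n' '*filter'
    # Chain policies stay ACCEPT as in the post; the last rule rejects.
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT' '-A FORWARD -j REJECT' 'COMMIT'
}

# When run as a script, e.g.: sh gen_rules.sh 22 80 > /etc/iptables.rules
if [ $# -gt 0 ]; then
    gen_filter_rules "$@"
fi
```

Because iptables-restore replaces the whole table in one step, loading a file produced this way avoids the window in which rules are only half applied when they are entered one by one.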
