Common iptables configuration commands in Linux

Source: Internet
Author: User

iptables -F    # flush all rules in the filter table
iptables -X    # delete all user-defined chains
iptables -Z    # zero the packet and byte counters
iptables -P INPUT DROP     # default policy of the INPUT chain: drop
iptables -P OUTPUT DROP    # default policy of the OUTPUT chain: drop
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT    # allow all traffic on the local loopback interface
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # put this rule near the top of the INPUT chain; it accepts packets that belong to a connection that is already ESTABLISHED, or that are RELATED to one (ICMP errors, FTP data connections)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT    # allow this machine to open connections to port 80 (HTTP) on other hosts
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT    # allow this machine to send DNS queries
iptables -A OUTPUT -p icmp -j ACCEPT    # allow all ICMP sent by this machine. If you only want this machine to be able to ping other hosts, the stricter form of this rule is:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

Put simply, the matching rule for the OUTPUT chain (-m state --state ESTABLISHED,RELATED, as used in the vsftpd script further down this page) allows packets that belong to an already established connection, or are related to one, to be sent to the other host. It is very important and saves writing many individual rules, especially on an FTP server, where the data connection is a separate TCP connection that the ftp connection-tracking helper marks as RELATED. Be clear about what it does not do: it only covers connections that an earlier rule has already accepted, so the rules above that permit new outbound connections (to port 80, to port 53, and outgoing echo-request) are still required; what it makes redundant are rules that merely allowed reply traffic. On current kernels -m state --state is an alias for -m conntrack --ctstate and either spelling works.
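The host policy described above, rewritten as a single iptables-restore ruleset. This is an added example and not code from the original article. Applying rules one "iptables -A" at a time leaves a window in which the DROP policy is already in force but the ACCEPT rules are not yet loaded; iptables-restore loads the whole table atomically, and a timed rollback undoes a mistake that would otherwise lock you out of SSH. The port list, the FORWARD policy and the confirmation window are assumptions made for the demonstration.

```shell
#!/bin/bash
# Added example: the host policy from the section above as one atomic
# iptables-restore ruleset, plus a load-with-rollback helper. Ports and the
# rollback window are assumptions, not values from the article.

# Emit the ruleset in iptables-save format. $1 lists TCP ports that may
# receive NEW inbound connections (e.g. "22" so remote administration survives;
# the article's policy has none).
build_host_rules() {
  local allow_in_tcp="$1" p
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  for p in $allow_in_tcp; do
    printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
  done
  cat <<'EOF'
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in a ruleset read from stdin.
rule_count() { grep -c '^-A '; }

# Load a ruleset atomically with a safety net: the previous rules come back
# after $2 seconds unless the background timer is killed, so a ruleset that
# blocks your own SSH session undoes itself. Needs root and iptables.
apply_with_rollback() {
  local file="$1" secs="${2:-60}" backup
  backup=$(mktemp) || return 1
  iptables-save > "$backup" || return 1
  # --test parses and builds the ruleset without committing it
  iptables-restore --test "$file" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
  iptables-restore "$file" || return 1
  ( sleep "$secs" && iptables-restore "$backup" ) &
  echo "applied $file; run 'kill $!' within ${secs}s to keep it, otherwise it rolls back"
}

# Usage (as root):
#   build_host_rules "22" > /tmp/host.rules && apply_with_rollback /tmp/host.rules 90
```

The NEW-state match on the inbound port rules matters: without it, a rule such as --dport 22 -j ACCEPT also accepts stray non-SYN packets to that port, which is exactly the kind of traffic a scanner uses to probe a stateless filter.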

Gateway example (blocking a website):
iptables -F
iptables -X
iptables -Z
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.10 -d www.qq.com -j DROP    # block the website for one source address (in the OUTPUT chain -s only matches if 192.168.1.10 is one of this machine's own addresses; for other hosts use FORWARD as below)
iptables -A FORWARD -p tcp -s 192.168.1.11/24 -d www.qq.com -o eth0 -j DROP    # block the website for a whole network segment (192.168.1.11/24 is the same as 192.168.1.0/24)
iptables -A FORWARD -p tcp -s 192.168.1.12 -d 192.168.1.13 -o eth0 -j DROP    # block one IP from reaching another
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT    # must come after the DROP rule for the website: rules are evaluated in order and the first match wins

Note that a hostname given to -d is resolved once, when the rule is added, and one rule is created per address it resolves to; if the site's addresses change later, the rule no longer matches.

# Restrictive rules, similar to a Windows host firewall
iptables -A INPUT -p tcp --dport :1024 -j DROP    # drop all TCP to ports 0 to 1024 (a bare ":1024" means 0:1024)
iptables -A INPUT -p udp --dport -j DROP    # the UDP port range is missing from this copy of the article; together with the rule above it makes the ports show up as "filtered" in an nmap scan rather than open or closed (it does not make the host invisible)
iptables -A INPUT -p tcp --dport ** -j ACCEPT    # port to be opened: replace ** with the port number and change the protocol as needed
# Because a chain is evaluated in order, the ACCEPT rules for ports you do want open must be inserted before the DROP rules, or the DROP matches first.
========================================================== ====

Set up a secure vsftpd server using iptables

In practice the following script locks down an FTP server for internal use. You can also use Wireshark to observe the difference between active and passive mode in vsftpd. The machine 192.168.0.10 is used as the example; the script is as follows:

#!/bin/bash

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Load the connection-tracking and NAT helper modules that FTP needs.
# These are the module names on 2.4 and early 2.6 kernels; on current kernels
# they are nf_conntrack_ftp, nf_conntrack_tftp, nf_nat_ftp and nf_nat_tftp.
modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp

# To be safer, set the default INPUT and OUTPUT policies to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT

# Open the loopback interface. Without this, local services that talk to
# themselves over lo fail in ways that are hard to diagnose.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# The key rules for a locked-down vsftpd. The first two allow the control
# connection (port 21) from the local network. The last two let the server
# send its responses and accept the data connection. In passive mode the
# server opens a second, dynamically chosen data port and the client connects
# to it, so no static port rule can describe it; the ftp conntrack helper
# watches the control channel and marks that data connection RELATED.
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Note that the script turns on ip_forward and leaves the FORWARD policy at ACCEPT, which is only appropriate if this host is also a router; on a plain FTP server leave forwarding off and set FORWARD to DROP.
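The script above relies on the kernel attaching the ftp helper to port 21 connections automatically. On kernels since 4.7 that automatic helper assignment is disabled by default (sysctl net.netfilter.nf_conntrack_helper = 0, and newer kernels have removed the switch entirely), so just loading nf_conntrack_ftp is no longer enough: without an explicit CT --helper rule in the raw table, passive data connections are never marked RELATED and the ruleset silently breaks every transfer. The following is an added example, not code from the original article; the network, the passive port range and the decision function are assumptions for the demonstration.

```shell
#!/bin/bash
# Added example: the FTP part of the ruleset with the conntrack helper
# attached explicitly, for kernels that no longer auto-assign helpers.
# LAN, PASV_MIN and PASV_MAX are assumed values; PASV_MIN/PASV_MAX must match
# pasv_min_port / pasv_max_port in vsftpd.conf.

LAN=192.168.0.0/24
PASV_MIN=30000
PASV_MAX=30100

# Modules on a current kernel (run as root before loading the rules).
load_ftp_helper_modules() {
  modprobe nf_conntrack_ftp && modprobe nf_nat_ftp
}

# Decide whether the explicit CT --helper rule is needed, given the value of
# net.netfilter.nf_conntrack_helper: only "1" (auto-assignment on) makes it
# unnecessary. "0" or an absent sysctl (passed as "") both get the rule; it is
# harmless on kernels that would have assigned the helper anyway.
needs_explicit_helper() {
  case "$1" in
    1) return 1 ;;
    *) return 0 ;;
  esac
}

# Read the sysctl on the running system; prints "" if it does not exist.
current_helper_sysctl() {
  cat /proc/sys/net/netfilter/nf_conntrack_helper 2>/dev/null
}

# Emit the ruleset in iptables-restore format. $1 is the sysctl value.
ftp_rules() {
  local helper_sysctl="$1"
  printf '*raw\n:PREROUTING ACCEPT [0:0]\n'
  if needs_explicit_helper "$helper_sysctl"; then
    # attach the ftp helper to control connections from the LAN only
    printf -- '-A PREROUTING -s %s -p tcp --dport 21 -j CT --helper ftp\n' "$LAN"
  fi
  printf 'COMMIT\n'
  cat <<EOF
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $LAN -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s $LAN -p tcp --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root):
#   load_ftp_helper_modules && ftp_rules "$(current_helper_sysctl)" | iptables-restore
```

Two deliberate differences from the script in the text: RELATED is only accepted into the configured passive range instead of everywhere on INPUT, so a helper-expected connection cannot open an arbitrary port, and the helper is bound to control connections from the LAN only, so an outside host cannot feed the helper crafted PORT/PASV commands.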



============================================
Intranet web server: suitable for small and medium-sized enterprises that run a server on their internal network.
============================================


Preventing attacks and scans

SYN flood prevention:

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Some people write it for the INPUT chain instead:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s caps the rate of new SYN packets accepted per second (it is a rate, not a limit on concurrent connections); adjust the number as needed. Note that this rule by itself drops nothing: SYNs above the limit simply fall through to the rules after it, so it only protects anything if a later rule, or the chain's default policy, drops them.

Limiting various port scans:

iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

(--tcp-flags takes two arguments, the mask of flags to examine and the flags that must be set within it; the second argument is missing from this copy of the article, and RST, as in the commonly circulated form of this rule, is assumed here.)

Ping flood:

iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

(The article calls this Ping of Death. A rate limit mitigates echo-request floods; Ping of Death is an oversized or malformed packet, which modern kernels reject regardless of this rule.)

# Null scan (a TCP packet with no flags set is never legitimate traffic)

iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
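A rate limit that actually discards the excess, plus a way to see who is tripping it. This is an added example and not code from the original article: it uses a dedicated chain so the limit rule is followed by a DROP (the rule in the text only ACCEPTs within the limit), hashlimit keyed on source address so one noisy host cannot consume a global budget for everyone, and a LOG rule before each DROP. The parser at the end counts dropped packets per source from kernel log lines; the log lines, interface name, prefixes and rates are constructed assumptions for the demonstration.

```shell
#!/bin/bash
# Added example: per-source SYN rate limit with a real DROP, null-scan
# logging, and a parser for the resulting kernel log lines. Rates, interface
# and log prefixes are assumptions; the sample log is constructed.

# Emit the filter-table rules in iptables-restore format.
syn_guard_rules() {
  cat <<'EOF'
*filter
:SYN_GUARD - [0:0]
-A INPUT -i eth0 -p tcp --syn -j SYN_GUARD
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -m limit --limit 5/min -j LOG --log-prefix "NULLSCAN: "
-A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
-A SYN_GUARD -m hashlimit --hashlimit-name synguard --hashlimit-mode srcip --hashlimit-upto 10/s --hashlimit-burst 20 -j RETURN
-A SYN_GUARD -m limit --limit 5/min -j LOG --log-prefix "SYNFLOOD: "
-A SYN_GUARD -j DROP
COMMIT
EOF
}

# Constructed sample of what the LOG target writes to the kernel log
# (documentation addresses only; the MAC field is elided).
SAMPLE_LOG='Mar 10 12:00:01 gw kernel: SYNFLOOD: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: SYNFLOOD: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN URGP=0
Mar 10 12:00:05 gw kernel: NULLSCAN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=40 PROTO=TCP SPT=55555 DPT=22 URGP=0
Mar 10 12:00:09 gw kernel: SYNFLOOD: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=55556 DPT=22 SYN URGP=0'

# Count log entries carrying the given prefix, per source address, reading
# the log from stdin. Prints "count address" lines, busiest source first.
count_by_src() {
  local prefix="$1"
  awk -v p="$prefix" '
    index($0, p ": ") {
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
    }
    END { for (s in n) print n[s], s }' | sort -rn
}

# Usage:
#   syn_guard_rules | iptables-restore --noflush      (as root)
#   journalctl -k | count_by_src SYNFLOOD
```

The LOG rules are themselves rate limited: a flood that can make the box write a log line per packet has found a second, cheaper way to exhaust it. The hashlimit burst lets a legitimate client open a page's worth of connections at once while still capping the sustained rate.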


# Saving and loading rules (Ubuntu)

iptables-save > iptables.up.rules
cp iptables.up.rules /etc/
vi /etc/network/interfaces

# Add this to the iface stanza of the interface in /etc/network/interfaces,
# so the rules are loaded before the interface comes up:
pre-up iptables-restore < /etc/iptables.up.rules

# You can also load a different ruleset when the interface goes down:
post-down iptables-restore < /etc/iptables.down.rules

# Saving on Red Hat-style systems
service iptables save
Force all clients to the web server 192.168.1.100 (transparent redirection of port 80):
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100
(DNAT belongs in PREROUTING, before the routing decision; SNAT belongs in POSTROUTING, after it.)

Publish the intranet web server 192.168.1.10:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10

Port mapping to RDP (3389) on an intranet host:
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.1.10:3389

These rules only work with ip_forward enabled, and if the FORWARD policy is DROP the translated traffic must also be accepted there. Exposing RDP to the Internet this way is a well-known way in for attackers; restrict the rule with -s to known source addresses or put the service behind a VPN.
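Publishing an internal service takes more than the single DNAT line shown above once the FORWARD policy is DROP, and it breaks for clients on the LAN that connect to the public address unless the reply is also steered back through the gateway. The following is an added example and not code from the original article; it emits the complete set (DNAT from the WAN side, hairpin DNAT plus SNAT for LAN clients, and the two FORWARD rules) and lets you restrict who may reach the mapping. Interface names, addresses and the function name are assumptions for the demonstration.

```shell
#!/bin/bash
# Added example: the full rule set for publishing one internal TCP service
# through a NAT gateway. Interface names and addresses are assumed values.

WAN_IF=eth0
WAN_IP=203.0.113.10
LAN_IF=eth1
LAN_NET=192.168.1.0/24
GW_LAN_IP=192.168.1.1

# Usage: publish_tcp_port <public port> <internal host> <internal port> [allowed source CIDR]
# Emits nat and filter rules in iptables-restore format. When a source CIDR is
# given, only that range is translated; everyone else hits the gateway itself,
# where the INPUT policy drops the packet.
publish_tcp_port() {
  local pub="$1" host="$2" port="$3" src="$4"
  cat <<EOF
*nat
-A PREROUTING -i $WAN_IF${src:+ -s $src} -p tcp --dport $pub -j DNAT --to-destination $host:$port
-A PREROUTING -i $LAN_IF -d $WAN_IP -p tcp --dport $pub -j DNAT --to-destination $host:$port
-A POSTROUTING -o $LAN_IF -s $LAN_NET -d $host -p tcp --dport $port -j SNAT --to-source $GW_LAN_IP
COMMIT
*filter
-A FORWARD -o $LAN_IF -d $host -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $host -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root):
#   publish_tcp_port 80 192.168.1.10 80 | iptables-restore --noflush
#   publish_tcp_port 3389 192.168.1.10 3389 203.0.113.0/24 | iptables-restore --noflush
```

The second PREROUTING rule and the POSTROUTING SNAT implement hairpin NAT: a LAN client that connects to the public address gets translated to the internal host, and because the packet is also source-translated to the gateway, the host's reply goes back via the gateway instead of directly to the client, which would otherwise see a reply from an address it never talked to and reset the connection. The filter rules match on the already-translated destination, because DNAT in PREROUTING happens before the FORWARD chain sees the packet.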
