Configure iptables firewall in Linux

Source: Internet
Author: User

A discussion of iptables firewall configuration in Linux.

Relationship between Iptables and the netfilter module

The firewall in Linux is not a service but a module loaded into the kernel: the netfilter module. iptables is the userspace tool used to manage that netfilter module.

Iptables mode

Enabled: rejects all

Disabled: allows all

You can change the mode in the GUI with the system-config-securitylevel command; the enabled and disabled modes can be selected there.

About netfilter table and netfilter chain

This figure clearly shows the netfilter table and netfilter chain.

The filter table contains three chains:

INPUT: packets whose destination address is the firewall itself (traffic addressed to the firewall).

OUTPUT: packets whose source address is the firewall (traffic the firewall sends out).

FORWARD: packets whose source and destination addresses are both not the firewall (traffic routed through it).

The nat table also has three chains:

OUTPUT: locally generated packets, which can be redirected (for example to a proxy server) before they are sent to the gateway.

PREROUTING: performs destination NAT (before the routing decision).

POSTROUTING: performs source NAT (after the routing decision).

The mangle table has five chains:

INPUT

OUTPUT

FORWARD

PREROUTING

POSTROUTING

Process of iptables data packets

This figure shows the packet flow of the entire iptables firewall at work.

Iptables access control rules

When a packet passes through the iptables firewall, the first rule is read first. If it matches, that rule's target is applied and no further rules are read. If it does not match, the second rule is read; if that matches, it is applied and reading stops, and so on. If the packet matches no rule, the chain's default policy applies. The default policy is either allow or deny and is defined by the user.

Iptables matching rules

-s 192.168.0.0/24
Source address in the 192.168.0.0/24 CIDR block

-d 192.168.0.10
Destination address is the host 192.168.0.10

-i eth0
Packets arriving on interface eth0

-o eth0
Packets leaving through interface eth0

! 192.168.0.10
Inverts the match (selects everything except 192.168.0.10)

-p tcp --dport 80
Protocol type TCP, destination port 80

-p udp --sport 53
Protocol type UDP, source port 53

Rules target of iptables

DROP: reject the packet by discarding it silently, sending nothing back.

ACCEPT: allow the packet.

LOG: log the packet; unlike the other targets, rule evaluation continues with the rules that follow.

REJECT: reject the packet, but send an error response (for example ICMP port unreachable) back to the sender.

Iptables basic chain operations

iptables -L
View the rules (the filter table is shown by default)

iptables -nL
Show addresses and ports numerically instead of resolving them to names

iptables -L --line-numbers
Show the rule number of each entry

iptables -vL
View the rules with more detail (packet and byte counters, interfaces)

iptables -A
Append a rule (added to the end of the chain by default)

iptables -I
Insert a rule (added at the head of the chain by default)

iptables -I INPUT 2
Insert the rule as entry 2 of the INPUT chain

iptables -D INPUT 2
Delete entry 2 of the INPUT chain

iptables -F
Flush all rules, but leave the default chain policies unchanged

iptables -Z
Zero the packet and byte counters

iptables -N
Create a user-defined chain

iptables -X
Delete user-defined chains

About the default chain policy of iptables

iptables -P INPUT DROP
Change the default policy of the INPUT chain. The default policy is applied last, after every rule in the chain has been checked. To reject by default, use DROP; REJECT is not accepted as a chain policy.

iptables -P OUTPUT DROP
Change the default policy of the OUTPUT chain

iptables -P FORWARD DROP
Change the default policy of the FORWARD chain

Next we will write and test a few simple policies.

[root@localhost ~]#
[root@localhost ~]# lftp 192.168.0.254
lftp 192.168.0.254:~> ls
drwxrwxrwx 230 0 4096 Mar 25 pub
lftp 192.168.0.254:/> cd pub/
lftp 192.168.0.254:/pub>

We can see that our host 192.168.0.10 can access the FTP service on the server without any problem. Now we write a policy to reject access from this host.

[root@server1 ~]#
[root@server1 ~]# iptables -t filter -A INPUT -s 192.168.0.10 -p tcp --dport 21 -j REJECT
[root@server1 ~]#
[root@server1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.0.10         0.0.0.0/0           tcp dpt:21 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

OK, this simple policy has been written.

Now let's test,

[root@server1 ~]#
[root@server1 ~]# ssh 192.168.0.10
root@192.168.0.10's password:
Last login: Thu Mar 25 21:52:37 2010 from ftp.example.com
[root@localhost ~]# lftp 192.168.0.254
lftp 192.168.0.254:~> ls
`ls' at 0 [Delaying before reconnect: 30]

The policy we just wrote has taken effect: 192.168.0.10 can no longer access the FTP service on the server.

That used the INPUT chain. Now we use the OUTPUT chain,

and reject ssh from the server to 192.168.0.20,

[root@server1 ~]# ssh 192.168.0.10
root@192.168.0.10's password:
Last login: Thu Mar 25 22:04:53 2010 from server1.example.com
[root@localhost ~]#

Now we can ssh to the host 192.168.0.10.

[root@server1 ~]#
[root@server1 ~]# iptables -t filter -A OUTPUT -d 192.168.0.10 -p tcp --dport 22 -j REJECT
[root@server1 ~]#
[root@server1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            192.168.0.10        tcp dpt:22 reject-with icmp-port-unreachable
[root@server1 ~]#

OK, this policy is written.

Now let's test again,

[root@localhost ~]#
[root@localhost ~]# ssh 192.168.0.10
ssh: connect to host 192.168.0.10 port 22: Connection refused
[root@localhost ~]#

OK. Now the connection is rejected, indicating that the policy has taken effect.

There is also a special policy,

# iptables -A INPUT -j DROP (or -j REJECT)

This rule is generally written last, so every packet that no earlier rule matched is rejected.

It has a side effect: the server can no longer reach its own services, because its loopback traffic is rejected as well.

Now let's test,

First, access the server's own ftp service,

[root@server1 ~]#
[root@server1 ~]# lftp localhost
lftp 192.168.0.254:~> ls
drwxrwxrwx 230 0 4096 Mar 25 pub
lftp 192.168.0.254:/> cd pub/
lftp 192.168.0.254:/pub>

OK. Now there is no problem with access.

Now let's add the policy just now.

[root@server1 ~]#
[root@server1 ~]# iptables -A INPUT -j REJECT
[root@server1 ~]#
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

The policy is added. Now let's try to access the local ftp service,

[root@server1 ~]#
[root@server1 ~]# lftp localhost
lftp 192.168.0.254:~> ls
`ls' at 0 [Connecting...]

As you can see, it cannot be accessed now.

This is because loopback traffic is not allowed through, so you must write a rule that accepts the local loopback interface.

[root@server1 ~]#
[root@server1 ~]# iptables -I INPUT -i lo -j ACCEPT
[root@server1 ~]#
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

Now that the rule is inserted, test whether the local ftp service can be accessed.

[root@server1 ~]#
[root@server1 ~]# lftp localhost
lftp localhost:~> ls
drwxrwxrwx 230 0 4096 Mar 25 pub
lftp localhost:/> cd pub/
lftp localhost:/pub>

OK. Now that local loopback access is allowed, we can access the local ftp service again.

The default chain policy (iptables -P INPUT DROP) has the same side effect.

The iptables policies written so far will not survive a reboot of the machine.

You can use this command,

# service iptables save

[root@localhost ~]#
[root@localhost ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@localhost ~]#

After running this command, the system writes the iptables policy to /etc/sysconfig/iptables.

So far we have only filtered on the source and destination addresses of packets. Next we filter on packet state; this is called connection tracking.

When using status filtering, we must first load the corresponding module,

modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp

Packet states

NEW: the packet that initiates a new connection (the first connection request).

ESTABLISHED: packets belonging to a connection that has completed the three-way handshake.

RELATED: packets that start a new connection related to an existing one, such as the FTP data connection opened alongside the command connection.

INVALID: packets that cannot be associated with any known connection.

Example of connection tracking:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -m state --state NEW -j DROP
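The rules this tutorial builds up (loopback ACCEPT, ESTABLISHED,RELATED, the permitted FTP client, the catch-all REJECT) written out in the iptables-save format that "service iptables save" stores in /etc/sysconfig/iptables, with an ordering check before the file is loaded. This is an added example, not code from the original tutorial; 192.168.0.10 is the FTP client address from the tutorial, and the lint function and its messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: emit the INPUT policy the
# tutorial ends up with in the iptables-save format that "service iptables save"
# writes to /etc/sysconfig/iptables, then lint its ordering before loading it.
# 192.168.0.10 is the permitted FTP client from the tutorial; the lint and its
# messages are this example's own.

# Print a complete filter table in iptables-restore syntax.
write_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -s 192.168.0.10 -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# The same rules with the loopback ACCEPT appended after the catch-all REJECT:
# the ordering the tutorial runs into, where local FTP stops working because
# the REJECT is matched first.
write_bad_rules() {
    write_rules | awk '/-i lo/ { lo = $0; next } { print } /-j REJECT/ { print lo }'
}

# Read a ruleset on stdin and fail unless the loopback ACCEPT precedes the
# catch-all and the catch-all is the last INPUT rule (later rules never match).
lint_rules() {
    awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -i lo -j ACCEPT$/ { lo = n }
        /^-A INPUT -j (REJECT|DROP)/ { catchall = n }
        END {
            if (!catchall) { print "lint: INPUT has no catch-all rule"; exit 1 }
            if (catchall != n) { print "lint: INPUT rules after the catch-all are unreachable"; exit 1 }
            if (!lo || lo > catchall) { print "lint: loopback is not accepted before the catch-all"; exit 1 }
        }'
}

# Typical use (not run here): write_rules > /tmp/iptables.new &&
#   lint_rules < /tmp/iptables.new && iptables-restore < /tmp/iptables.new
```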

Now we take FTP as an example to test,

Under normal circumstances, we can now access the ftp service on the server,

[root@localhost ~]#
[root@localhost ~]# lftp 192.168.0.254
lftp 192.168.0.254:~> ls
drwxrwxrwx 230 0 4096 Mar 25 pub
lftp 192.168.0.254:/>

We can see that there is no problem with access now,

Now let's write several policies,

[root@server1 ~]#
[root@server1 ~]# iptables -A INPUT -s 192.168.0.10 -p tcp --dport 21 -j ACCEPT
[root@server1 ~]#
[root@server1 ~]# iptables -A INPUT -j REJECT
[root@server1 ~]#
[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.10         anywhere            tcp dpt:ftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

Now let's test it on 192.168.0.10,

[root@localhost ~]#
[root@localhost ~]# lftp 192.168.0.254
lftp 192.168.0.254:~> ls
`ls' at 0 [Delaying before reconnect: 20]

As you can see, the ftp service on the server cannot be accessed now.

Because I only opened port 21, which FTP uses for the command channel, the separate data connection needed for the listing cannot be established: its three-way handshake never completes.

Now we can only use the stateful firewall to allow that handshake.

To use the stateful firewall, you must first load the module,

[root@server1 ~]#
[root@server1 ~]# modprobe ip_conntrack_ftp
[root@server1 ~]#
[root@server1 ~]# iptables -I INPUT 2 -m state --state
