If you are not yet familiar with the basics of iptables, we recommend reading up on it first.
Start Configuration
Let's configure a filter-table firewall.
(1) View the current iptables settings on the local machine:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmptype 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
We can see that when I installed Linux I chose to enable the firewall and opened ports 22, 80 and 25. If you did not choose to enable the firewall when installing Linux, the output looks like this:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
There are no rules at all.
(2) Clear the existing rules. Whether or not you enabled the firewall during installation, if you want to configure your own firewall, clear all the filter rules first:
[root@tp ~]# iptables -F
This clears the rules of every chain in the default table (filter).
[root@tp ~]# iptables -X
This deletes the user-defined chains in the default table (filter). Let's take a look:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Nothing, just like when the firewall was not enabled at install time. (Note in advance: these settings behave like IP addresses configured from the command line, so they are lost after a reboot.) How to save them:
[root@tp ~]# /etc/rc.d/init.d/iptables save
This writes the rules to the file /etc/sysconfig/iptables. After writing, remember to restart the firewall so the saved rules take effect:
[root@tp ~]# service iptables restart
Now the iptables configuration table contains nothing. Let's start our configuration.
(3) Set the default policies:
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP
The above sets what happens to a packet that matches none of the rules in the INPUT and FORWARD chains of the filter table: it is dropped (DROP). This should be considered a safe configuration: we need to control inbound packets, but we do not need to restrict outbound packets (the OUTPUT chain) as tightly, so OUTPUT gets ACCEPT, meaning a packet that matches no rule is let through. In other words, for the INPUT and FORWARD chains we write rules saying which packets are allowed through, and for the OUTPUT chain we write rules saying which packets are not allowed through. This arrangement is quite reasonable. Of course you can also set all three chains to DROP, but I do not think it is necessary, and the number of rules you have to write increases. If you only need a small number of rules, for example on a machine that is only a web server, we do recommend setting all three chains to DROP.
Note: if you are logged in remotely over SSH, your session will be cut off the moment you enter the first of these commands and press Enter, because no rule allowing SSH exists yet. What to do? Go to the local console and configure it from there!
(4) Add rules. First the INPUT chain. The default policy of INPUT is DROP, so we write the rules for the traffic that must be ACCEPTed (let through). To allow remote SSH login, we need to open port 22:
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: if you set OUTPUT to DROP, you must also write this second rule. Many people forget it and then find that SSH never works. Try again remotely: does it work now? The same applies to other ports. If the web server is enabled and OUTPUT is set to DROP, another rule must be added as well:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
and so on.)
If a web server is configured, open port 80:
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
If a mail server is configured, open ports 25 and 110:
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
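Steps (2) to (4) above are typed one command at a time, which is exactly how the SSH lockout the article warns about happens: the DROP policy goes in before any ACCEPT rule exists. The script below is an added example, not code from the original article, that builds the same rule set as a single ordered plan: flush, append the ACCEPT rules (including the RELATED,ESTABLISHED rule seen in the default listing), and only then switch the policies. The function names, the APPLY variable, the dry-run behaviour and the port list in the sample call are this example's own choices and are not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original article): builds the filter-table
# rule set of steps (2)-(4) as a sequence of iptables commands, ordered so
# that a live SSH session is not cut off when the policies are applied.
# The function names, the APPLY variable and the sample port list are
# assumptions made for this example.

# run CMD...: print the command unless APPLY=1, in which case execute it
# (executing needs root). Dry run is the default so the plan can be
# reviewed before anything touches the live rule set.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# build_rules OUTPUT_POLICY PORT...
# Flushes the filter table, allows the listed TCP ports inbound, then sets
# the default policies last. With OUTPUT_POLICY=DROP a matching --sport
# rule is added for every port, which the article points out is required
# for replies (SSH, web, ...) to leave the host.
build_rules() {
    out_policy="$1"
    shift
    run iptables -F                     # (2) clear all rules in filter
    run iptables -X                     # (2) delete user-defined chains
    # Replies to connections already allowed, as in the default listing.
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in "$@"; do                # (4) per-service ACCEPT rules
        run iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
        if [ "$out_policy" = "DROP" ]; then
            run iptables -A OUTPUT -p tcp --sport "$port" -j ACCEPT
        fi
    done
    run iptables -P INPUT DROP          # (3) default policies, set last
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT "$out_policy"
}

# Sample call: SSH, web and mail (22, 80, 25, 110) with OUTPUT left at
# ACCEPT, as the article recommends. This is a dry run that prints the
# plan; after a real run (APPLY=1, as root) persist the result with
# /etc/rc.d/init.d/iptables save, as described above.
build_rules ACCEPT 22 80 25 110
```

Run it once without APPLY to read the plan, and check that the `--dport 22` line appears before `-P INPUT DROP`; pass DROP as the first argument to see the extra `--sport` rules the article says are needed when the OUTPUT policy is DROP.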