Detailed description of iptables firewall configuration on CentOS/Red Hat



1. The iptables configuration file

On RHEL/CentOS/Fedora the firewall rules live in:

/etc/sysconfig/iptables

When the iptables service starts, its init script reads this file (through iptables-restore) and loads the rules it contains into the kernel.
2. Basic operation: display the current rules

At a shell prompt (as root) run:

iptables --line-numbers -n -L

--line-numbers prefixes each rule with its position in its chain; -n prints addresses and ports numerically instead of resolving host and service names (faster, and no DNS traffic from the firewall host); -L lists the rules of every chain in the filter table (add -t nat or -t mangle for the other tables, and -v to also see packet/byte counters and the input/output interfaces). iptables --help lists all options.

You will get output similar to the following (the lines starting with # are explanatory comments added here, not part of the output):

# The built-in INPUT chain
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
# Its only rule jumps to the user-defined chain RH-Firewall-1-INPUT,
# so every inbound packet is evaluated by the rules of that chain
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

# The FORWARD chain (packets routed through this host) jumps to the same chain
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

# The OUTPUT chain (packets generated by this host) has no rules
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

# Rules 1-8 are the actual policy; "2 references" means two chains jump here
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  0.0.0.0/0            1.2.3.4             udp dpt:5353
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Rule 1 looks as if it accepts everything: it is the loopback rule (-i lo -j ACCEPT), and the interface match is only shown when you add -v. Always check a rule that appears to accept "all" from "0.0.0.0/0" with -v before assuming it is a hole.
3. Basic operation: enable the firewall

The commands below are typed at a root shell on the Linux console (or an SSH session).

Enter the following two commands to enable the firewall:

chkconfig iptables on
service iptables start

The first registers the iptables service so that it starts at boot; the second starts it now, which loads the rules from /etc/sysconfig/iptables.

Restart the firewall (reload the rules file after editing it):

service iptables restart

Stop the firewall (the init script flushes all rules and resets the chain policies to ACCEPT, so the host is fully open afterwards):

service iptables stop

These are the SysV service commands of RHEL/CentOS 5 and 6. On RHEL/CentOS 7 and later the default front end is firewalld; to keep using this file-based setup there, install the iptables-services package, stop and mask firewalld, and use systemctl enable/start/restart iptables instead.
4. Basic operation: other iptables commands

For the other commonly used command-line operations (adding, inserting and deleting individual rules, and writing the running rules back to /etc/sysconfig/iptables with service iptables save), see the separate article on adding rules with iptables.

5. Understanding the firewall

The ruleset listed above has four chains:

INPUT - the built-in chain for packets addressed to this host. Use it to allow or block incoming ports (such as 80, 443, 25 and 110) and source addresses/subnets (such as 1.2.3.4/29).
OUTPUT - the built-in chain for packets generated (sent) by this host. Use it to allow or block outgoing ports and destination addresses/subnets.
FORWARD - the built-in chain for packets routed through this host from one interface to another. For example, when eth0 faces the ADSL/cable modem and eth1 faces the LAN, the FORWARD chain controls what may pass between the LAN and the Internet (routing itself must also be enabled with net.ipv4.ip_forward = 1).
RH-Firewall-1-INPUT - a user-defined chain. In the default ruleset both INPUT and FORWARD jump to it (hence "2 references" in the listing); OUTPUT does not.

Packet matching rules
A packet is compared with the rules of a chain in order, starting from the first.
The first rule whose match criteria (protocol, addresses, ports, connection state, interface and so on) all fit the packet decides what happens to it; later rules are not consulted.
That rule's target is applied: ACCEPT, DROP and REJECT end processing; a user-defined chain as target jumps into that chain (if nothing there terminates, processing returns to the next rule of the calling chain); LOG records the packet and continues with the next rule.
If a packet reaches the end of a built-in chain without matching any rule, the chain's policy (the "policy ACCEPT" in the listing) is applied.

Target description
ACCEPT lets the packet through.
REJECT discards the packet and sends an error back to the sender (by default an ICMP port-unreachable; the ruleset above uses icmp-host-prohibited).
DROP discards the packet silently; the sender gets no reply and eventually times out.
6. Configuring the /etc/sysconfig/iptables file

You can build the firewall with individual iptables commands, but entering a large number of rules one by one is tedious and error-prone. Instead, edit the rules file directly in the iptables-save format and reload the service to apply it.

To edit /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

The default rules shown earlier look like this in the file:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 1.2.3.4 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

*filter selects the table; each :CHAIN POLICY [packets:bytes] line declares a chain (built-in chains get a policy, user-defined chains get "-"); -A CHAIN appends a rule to that chain; -j (jump) names the target the packet goes to when the rule matches; COMMIT ends the table.

The rule syntax is the same as on the command line because, when the service starts, the file is fed to iptables-restore, which applies the lines one after another like a batch file. Order in the file is therefore order in the chain: a rule placed after the final REJECT is never reached.
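The "order in the file is order in the chain" rule is where most hand-edited rulesets go wrong: a rule appended after the final REJECT or DROP is silently never reached, and a typo in a chain name makes iptables-restore abort, so the old rules stay loaded while you believe the new ones are active. The following linter, added here as an example and not part of the original article, catches both. It reads a file in the format above on stdin; the sample ruleset it carries is constructed for the demonstration (the stock chain plus a misplaced port-80 rule and a misspelt chain name).

```shell
#!/bin/sh
# Linter for an iptables-save format ruleset such as /etc/sysconfig/iptables.
# It reports:
#   1. rules appended to a chain after an unconditional terminating rule
#      ("-A CHAIN -j ACCEPT|DROP|REJECT" with no match criteria) - they can
#      never match, which is the classic "added it before COMMIT instead of
#      before the REJECT" mistake;
#   2. -A lines naming a chain that no :CHAIN line in the same table declares -
#      iptables-restore aborts on these and the previous rules stay active.
# Usage: lint_ruleset < /etc/sysconfig/iptables
# Prints one finding per line; the exit status is the number of findings.
lint_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2); next }          # *filter, *nat, ...
    /^:/  { sub(/^:/, ""); declared[table, $1] = 1; next }
    /^-A / {
        chain = $2
        if (!((table, chain) in declared)) {
            printf "undeclared chain %s: %s\n", chain, $0; findings++
        }
        if ((table, chain) in dead) {
            printf "unreachable (after terminating rule in %s): %s\n", chain, $0
            findings++; next
        }
        # -j directly after the chain name means no match criteria at all;
        # with a terminating target nothing later in the chain can be reached
        if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
            dead[table, chain] = 1
    }
    END { exit findings + 0 }'
}

# Constructed sample for the demonstration (not taken from a real host): the
# default ruleset from this article with a port-80 rule placed after the
# catch-all REJECT and a misspelt chain name in the last rule.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}
```

Running sample_ruleset | lint_ruleset prints the misplaced port-80 rule as unreachable and the 443 rule as referencing an undeclared chain, and exits with status 2; run it against the real file before every service iptables restart. The check is deliberately conservative: it only treats a rule with no match at all as terminating, so a chain that ends with -m limit ... -j LOG followed by -j DROP is handled correctly (LOG does not terminate, DROP does).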

Dropping all traffic by default
Find the lines:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

They set the policy of the three built-in chains (INPUT, FORWARD and OUTPUT) to ACCEPT, which is what happens to a packet that reaches the end of the chain without matching any rule. Change the first two to DROP; OUTPUT is usually left at ACCEPT because traffic originated by the host itself is normally trusted:

:INPUT DROP [0:0]
:FORWARD DROP [0:0]

In the default ruleset the final REJECT rule already catches everything, so the policy mainly acts as a safety net in case a later edit removes or moves that catch-all. With a DROP policy the loopback rule (-i lo -j ACCEPT) and the ESTABLISHED,RELATED rule become essential: without them local services and the replies to the host's own connections are silently discarded. If you administer the host over SSH, make sure the port 22 ACCEPT rule is present before you reload with a DROP policy, or the reload will cut your session.
Logging (LOG) and dropping packets with spoofed source addresses
Packets arriving on the Internet-facing interface (eth0 here) with a private, link-local, multicast, reserved or loopback address cannot be legitimate and are a sign of spoofing. Add the rules for them before the line -A INPUT -j RH-Firewall-1-INPUT, not at the end of the file: rules are appended in file order, and because RH-Firewall-1-INPUT ends with a terminating REJECT, anything appended to INPUT after the jump is never reached. LOG is a non-terminating target that only writes to the kernel log, so each LOG rule needs a matching DROP after it:

-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINK-LOCAL "
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP RESERVED "
-A INPUT -i eth0 -s 240.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

240.0.0.0/4 already covers the 240.0.0.0/5 and 248.0.0.0/5 ranges and the limited-broadcast address 255.255.255.255, so those need no separate rules. The trailing space in each prefix keeps it separate from the rest of the log line. Only use these rules for ranges that cannot legitimately appear on that interface: if eth0 sits behind a NAT router that hands out private addresses, the 10/8, 172.16/12 or 192.168/16 rule would drop all of your legitimate traffic. The rp_filter setting in section 7 discards much of this traffic at the routing layer as well, without logging it.
Logging and dropping everything else
Find the lines:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

The REJECT rule is the catch-all: every packet that did not match an earlier rule is rejected and the sender is told why (ICMP host prohibited). That is the polite approach. Traffic that reaches this point is generally unwanted, so you can instead discard it without a reply, and log it first:

-A RH-Firewall-1-INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT DROP "
-A RH-Firewall-1-INPUT -j DROP
COMMIT

The first line logs, the second drops; together they are the default action for all traffic that no earlier rule accepted. The -m limit match matters: a LOG rule without it writes one kernel log entry per packet, so a port scan or flood fills /var/log/messages and can crowd out the logs you actually need. Note the trade-off as well: DROP gives a scanner no information back, but legitimate clients that hit a blocked port wait for a timeout instead of getting an immediate error, which makes misconfigurations harder to diagnose.

Opening ports
To open port 80 (the HTTP server port), add the following rule before the final LOG/DROP (or REJECT) lines, not merely before COMMIT; the same applies to every rule in this section, because a rule placed after the catch-all is never reached:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

-p tcp restricts the rule to TCP; --dport is the destination port (the option comes from the tcp match module, which -m tcp names explicitly and -p tcp loads implicitly).

To open port 53 (DNS server port) for both TCP and UDP:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT

To open port 443 (HTTPS):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open port 25 (SMTP mail server port):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

Rules can also be more specific, for example:

Allow SSH connections only from 192.168.1.0/24
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

Allow the print service (CUPS, port 631) from 192.168.1.0/24
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

Allow NTP clients on the LAN to query this server
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Open FTP port 21 (the control connection)
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Save and close the file (press Esc, then type :wq). FTP data connections use separate, dynamically negotiated ports; the connection-tracking FTP helper watches the control channel and marks them RELATED, so the existing ESTABLISHED,RELATED rule accepts them. Edit /etc/sysconfig/iptables-config:

# vi /etc/sysconfig/iptables-config

Make sure the FTP helper module is listed so the service loads it:

IPTABLES_MODULES="ip_conntrack_ftp"

On RHEL/CentOS 6 and later kernels the module is called nf_conntrack_ftp. On kernels from 4.7 on, automatic helper assignment is additionally disabled by default, so the helper must be attached explicitly with a -j CT --helper ftp rule for port 21 in the raw table.

Restart the firewall and verify the loaded rules:

# service iptables restart
# iptables -vnL --line-numbers
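Changing the policies to DROP and reloading with service iptables restart is exactly the step that locks administrators out of remote machines. The wrapper below, added here as an example and not part of the original article, loads a ruleset with iptables-restore and reverts to the previously saved rules unless the operator confirms within a timeout. IPT_SAVE, IPT_RESTORE and CONFIRM_FILE are the example's own variables; they default to the real binaries and to /run/iptables-confirm, and can be pointed at test doubles.

```shell
#!/bin/sh
# Apply a new iptables ruleset with automatic rollback, so that a rule mistake
# (such as a DROP policy that also blocks SSH) cannot lock you out of a remote
# host. The running rules are saved first; the new file is loaded; then the
# script waits for a confirmation file. If you can still log in you create that
# file; if you cannot, the timeout expires and the saved rules are restored.
#
# IPT_SAVE / IPT_RESTORE default to the real binaries and may be overridden
# (assumption of this example, not a feature of iptables itself).
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"
: "${CONFIRM_FILE:=/run/iptables-confirm}"

# apply_with_rollback NEWRULES TIMEOUT_SECONDS
# returns 0 if confirmed, 1 if rolled back, 2 if the new file failed to load
apply_with_rollback() {
    new=$1; timeout=$2
    backup=$(mktemp) || return 2
    rm -f "$CONFIRM_FILE"                      # never trust a stale confirmation
    "$IPT_SAVE" > "$backup" || { rm -f "$backup"; return 2; }
    # iptables-restore replaces a table atomically: a syntax error leaves the
    # old rules in place, so a failed load needs no rollback
    if ! "$IPT_RESTORE" < "$new"; then
        rm -f "$backup"; return 2
    fi
    echo "new rules loaded; touch $CONFIRM_FILE within ${timeout}s to keep them"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$CONFIRM_FILE" ]; then
            rm -f "$backup" "$CONFIRM_FILE"
            return 0
        fi
        sleep 1; elapsed=$((elapsed + 1))
    done
    echo "no confirmation after ${timeout}s, restoring previous rules" >&2
    "$IPT_RESTORE" < "$backup"
    rm -f "$backup"
    return 1
}
```

Run it detached from the session that might die, for example apply_with_rollback /root/new.rules 60 & from a screen session, then open a fresh SSH connection and touch /run/iptables-confirm. If the new connection cannot get through, the old rules come back after 60 seconds. The saved copy is a full snapshot because iptables-save dumps every table; service iptables restart loads /etc/sysconfig/iptables the same way, but without the safety net.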
7. Editing /etc/sysctl.conf to mitigate DoS and SYN flood attacks

Kernel settings in /etc/sysctl.conf help against some classes of attack. Add or change the following lines, then apply them without a reboot with sysctl -p:

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
# net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

What they do: log_martians logs packets with impossible source addresses (the spoofed packets of section 6); accept_source_route and accept_redirects/secure_redirects stop an attacker from steering the host's routing with source-routed packets and ICMP redirects; icmp_echo_ignore_broadcasts keeps the host from answering broadcast pings and so from taking part in smurf amplification; tcp_syncookies lets the host keep accepting connections during a SYN flood once the listen backlog is full; rp_filter drops packets whose source address is not reachable back through the interface they arrived on (reverse-path filtering). The "default" keys set the value new interfaces start with, while "all" is combined with each existing interface's own value (the exact rule differs per setting), so set both.
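A list of sysctl keys is only worth something if the running kernel actually has those values: a tuned profile, a package post-install script or another admin's script can reset them later. The checker below, added here as an example and not part of the original article, diffs the values from this section against sysctl -a output and reports every key that differs or is missing. The "current" output it carries is constructed for the demonstration and stands in for a host where SYN cookies were switched off and one rp_filter key was never set.

```shell
#!/bin/sh
# Compare the running kernel settings with the hardening values of this
# section. On a live host:  sysctl -a 2>/dev/null | check_sysctl
# EXPECTED uses sysctl.conf syntax; the checker accepts both "key = value"
# (sysctl -a output) and "key=value" (config files), and ignores keys that
# are not in the expected list.
EXPECTED='
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
'

# check_sysctl: reads current "key = value" lines on stdin, prints one line
# per deviation (DIFFERS or MISSING); exit status is the number of deviations.
check_sysctl() {
    { printf '%s\n' "$EXPECTED"; echo '=== current ==='; cat; } | awk '
        /^=== current ===$/ { section = "current"; next }
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, "=", line)      # normalise "k = v" to "k=v"
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "current") current[key] = val
            else { expected[key] = val; order[++count] = key }
        }
        END {
            for (i = 1; i <= count; i++) {
                key = order[i]
                if (!(key in current)) {
                    printf "MISSING  %s (expected %s)\n", key, expected[key]; bad++
                } else if (current[key] != expected[key]) {
                    printf "DIFFERS  %s = %s (expected %s)\n", key, current[key], expected[key]; bad++
                }
            }
            exit bad + 0
        }'
}

# Constructed sample of "sysctl -a" output for the demonstration: SYN cookies
# are off and net.ipv4.conf.default.rp_filter is absent; unrelated keys are
# present to show that they are ignored.
sample_sysctl_output() {
    cat <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0
EOF
}
```

sample_sysctl_output | check_sysctl prints a DIFFERS line for tcp_syncookies and a MISSING line for the default rp_filter key and exits with status 2, which makes it usable from cron or a configuration-management check. Because it compares against the live kernel rather than the file, it also catches the common case where /etc/sysctl.conf is correct but sysctl -p was never run.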
8. Flexible configuration

Another way to configure the firewall is not to edit /etc/sysconfig/iptables by hand but to set the kernel parameters and build the ruleset from a script such as the following:

#!/bin/bash
# Example of a firewall configuration script
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="blocked ip drop "
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"

# Kernel settings against some attacks
echo "Setting sysctl IPv4 settings ..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1

echo "Starting IPv4 Firewall ..."
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Load the connection tracking module
modprobe ip_conntrack

# Read the blocklist: one address or network per line, # starts a comment
[ -f "$BLOCKEDIPS" ] && BADIPS=$(grep -v -E "^#|^$" "${BLOCKEDIPS}")

# Interface connected to the Internet
PUB_IF="eth0"

# Unlimited traffic on loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Default policy: drop everything that is not explicitly allowed
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

if [ -f "${BLOCKEDIPS}" ]; then
    # Create a chain for the blocklist: log and drop every listed address
    $IPT -N $SPAMLIST
    for ipblock in $BADIPS
    do
        $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
        $IPT -A $SPAMLIST -s $ipblock -j DROP
    done
    # Insert the jump at the top of every built-in chain
    $IPT -I INPUT -j $SPAMLIST
    $IPT -I OUTPUT -j $SPAMLIST
    $IPT -I FORWARD -j $SPAMLIST
fi

# Drop new connections that do not start with a SYN packet
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync "
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments packets "
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# Drop packets with invalid TCP flag combinations (port-scan signatures)
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan "
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow all outgoing connections, but incoming packets only for known connections
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT

# Allow http/https (open port 80/443; uncomment the second line for https)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
#$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT

# Allow incoming ICMP echo requests (ping)
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 110 (pop3) / 143 (imap)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT

##### Add your own special rules here: START ######
#
#
##### END of special rules ############

# Reject smb/windows sharing packets without logging them - too noisy
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# Log everything else (rate limited) and drop it
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IPT DROP "
$IPT -A FORWARD -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IPT FWD DROP "
$IPT -A INPUT -j DROP

exit 0

Notes on the script: it must run as root. modprobe ip_conntrack and kernel.exec-shield are RHEL 5 names; later kernels call the module nf_conntrack, and exec-shield does not exist there (the sysctl call just fails). It flushes everything and sets DROP policies before re-adding the ACCEPT rules, so run it from the console or with a rollback safeguard when working over SSH. The rules it creates are not persistent: run service iptables save afterwards to write them to /etc/sysconfig/iptables, or call the script from /etc/rc.local.
