Detailed steps for configuring the firewall in linux (iptables command usage)

This article describes the detailed steps for configuring the firewall in linux, that is, how to use the iptables command. For more information, see

In this tutorial, make sure that you can use the linux host. If you are using an ssh remote connection and cannot directly operate the local machine, we recommend that you be careful, careful, and careful!

Let's configure a filter table firewall.

(1) view the settings of IPTABLES on the local machine

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination

Chain FORWARD (policy ACCEPT)
Target prot opt source destination

Chain OUTPUT (policy ACCEPT)
Target prot opt source destination

Chain RH-Firewall-1-INPUT (0 Records)
Target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPTah -- 0.0.0.0/00.0.0.0/0
ACCEPTudp -- 0.0.0.0/0224.0.0.251udpdpt: 5353
ACCEPTudp -- 0.0.0.0/00.0.0.0/0 udpdpt: 631
ACCEPTall -- 0.0.0.0/00.0.0.0/0 stateRELATED, ESTABLISHED
ACCEPTtcp -- 0.0.0.0/00.0.0.0/0 stateNEWtcpdpt: 22
ACCEPTtcp -- 0.0.0.0/00.0.0.0/0 stateNEWtcpdpt: 80
ACCEPTtcp -- 0.0.0.0/00.0.0.0/0 stateNEWtcpdpt: 25
REJECTall -- 0.0.0.0/00.0.0.0/0reject-withicmp-host-prohibited

We can see that when I installed linux, I chose to have a firewall and opened ports 22, 80, and 25.
If you do not choose to start the firewall when installing linux

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination

Chain FORWARD (policy ACCEPT)
Target prot opt source destination

Chain OUTPUT (policy ACCEPT)
Target prot opt source destination

There are no rules.

(2) clear the original rules.

Whether or not you have enabled the firewall when installing linux, if you want to configure your own firewall, clear all the filter rules.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-F clear the rules of all rule chains in the filter of the preset table
[Root @ tp ~] # Iptables-X clear the rules in the user-defined chain in the filter of the preset table

Let's take a look.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination

Chain FORWARD (policy ACCEPT)
Target prot opt source destination

Chain OUTPUT (policy ACCEPT)
Target prot opt source destination

Nothing, just like we didn't start the firewall when installing linux. (say in advance, these configurations are the same as configuring IP addresses with commands, so restarting them will lose effect.) how to save them.

Copy codeThe code is as follows:
[Root @ tp ~] #/Etc/rc. d/init. d/iptables save

In this way, you can write it to the/etc/sysconfig/iptables file. remember to repeat the firewall after writing it to make it take effect.

Copy codeThe code is as follows:
[Root @ tp ~] # Service iptables restart

 
Now there are no configurations in the IPTABLES configuration table. let's start with our configuration.
(3) set preset rules

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-P INPUT DROP
[Root @ tp ~] # Iptables-P OUTPUT ACCEPT
[Root @ tp ~] # Iptables-P FORWARD DROP

The above means that when two chain rules (INPUT and FORWARD) in the filter table in IPTABLES are exceeded, how can we process data packets not in these two rules, that is, DROP (discard ). it should be said that the configuration is safe. we want to control inbound data packets

For the OUTPUT chain, that is, the outgoing package, we do not need to impose too many restrictions, but adopt ACCEPT. that is to say, what should we do if the package is not in a rule.

We can see what packets are allowed to pass through the INPUT and FORWARD chains, and what packets are not allowed to pass through the OUTPUT chain.

This setting is quite reasonable. of course you can also DROP all three links, but I don't think it is necessary to do so, and the rules to be written will increase. but if you only want a limited number of rules, for example, only WEB servers. we recommend that all three links be DROP.

Note: If you log on remotely through SSH, you should drop it when you enter the first command and press enter because you have not set any rules.

What should I do? go to the local machine to operate it!

(4) add a rule.

First, add the INPUT chain. the default rule of the INPUT chain is DROP, so we will write the chain that requires ACCETP ().

To enable remote SSH login, we need to enable port 22.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-p tcp -- dport 22-j ACCEPT
[Root @ tp ~] # Iptables-a output-p tcp -- sport 22-j ACCEPT

(Note: If you set the OUTPUT to DROP, you need to write this rule. many people are eager to write this rule, so they will never be able to SSH. check it remotely.

The same applies to other ports. if the web server is enabled and the OUTPUT is set to DROP, a chain should also be added:

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a output-p tcp -- sport 80-j ACCEPT

. Similarly.

If the WEB server is configured, enable port 80.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-p tcp -- dport 80-j ACCEPT

If the email server is configured, enable Port 25,110.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-p tcp -- dport 110-j ACCEPT
[Root @ tp ~] # Iptables-a input-p tcp -- dport 25-j ACCEPT

If the FTP server is configured, enable port 21.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-p tcp -- dport 21-j ACCEPT
[Root @ tp ~] # Iptables-a input-p tcp -- dport 21-j ACCEPT

If the DNS server is configured, enable Port 53.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-p tcp -- dport 53-j ACCEPT

If you have another server, you just need to open the port and write it.

The above mainly writes the INPUT chain, and all the rules that are not in the above DROP

Allow icmp packets to pass, that is, allow ping,

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a output-p icmp-j ACCEPT (if OUTPUT is set to DROP)
[Root @ tp ~] # Iptables-a input-p icmp-j ACCEPT (if INPUT is set to DROP)

Allow loopback! (Otherwise, DNS may fail to be shut down normally)

Copy codeThe code is as follows:
IPTABLES-a input-I lo-p all-j ACCEPT (if it is INPUT DROP)
IPTABLES-a output-o lo-p all-j ACCEPT (if it is output drop)

The OUTPUT chain is written below. the default rule of the OUTPUT chain is ACCEPT, so we will write the chain that needs to be dropped (abandoned.

Reduce insecure port connections

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a output-p tcp -- sport 31337-j DROP
[Root @ tp ~] # Iptables-a output-p tcp -- dport 31337-j DROP

Some Trojans scan services from ports 31337 to 31340 (elite ports in hacking languages. Since legal services do not use these non-standard ports for communication, blocking these ports can effectively reduce the chances of independent communication between machines that may be infected on your network and their remote master servers.

The same applies to other ports, such as 31335, 27444, 27665, 20034, 9704, 137-139 (smb), and 2049 (NFS, I have not written all of them here. if you are interested, check the relevant information.

Of course, you can set the OUTPUT chain to DROP for more secure access, so you can add more rules, just like adding

Allow SSH login. just write it.

The more detailed rules are as follows:

For example, we only allow SSH connections to machines 192.168.0.3.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-s 192.168.0.3-p tcp -- dport 22-j ACCEPT

If you want to allow or restrict the availability of a certain IP address, 192.168.0.0/24 indicates all IP addresses of 192.168.0.1-255.

24 indicates the number of subnet masks. remember to delete this line in/etc/sysconfig/iptables.

-A input-p tcp-m tcp -- dport 22-j ACCEPT because it indicates that all addresses can log on.

Or use the following command:

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-d input-p tcp -- dport 22-j ACCEPT

Save it. I'll talk about it again. Instead, it uses the command method and only takes effect at that time. if you want to restart it, save it. write to the/etc/sysconfig/iptables file.

Copy codeThe code is as follows:
[Root @ tp ~] #/Etc/rc. d/init. d/iptables save

Write it like this! 192.168.0.3 indicates IP address other than 192.168.0.3

The same is true for other rule connections.

The following is the FORWARD chain. the default rule of the FORWARD chain is DROP, so we will write the chain that requires ACCETP (via) to monitor the ongoing forwarding chain.

Enable the forwarding function (required when the default FORWARD rule is DROP when performing NAT)

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a forward-I eth0-o eth1-m state -- state RELATED, ESTABLISHED-j ACCEPT
[Root @ tp ~] # Iptables-a forward-I eth1-o eh0-j ACCEPT

Discard bad TCP packets

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a forward-p TCP! -- Syn-m state -- state NEW-j DROP

Number of IP fragments processed to prevent attacks. up to 100 IP fragments are allowed per second.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a forward-f-m limit -- limit 100/s -- limit-burst 100-j ACCEPT

Set ICMP packet filtering to allow 1 packet per second. the trigger condition is 10 packets.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a forward-p icmp-m limit -- limit 1/s -- limit-burst 10-j ACCEPT

I only allow ICMP packets to pass in the front, because I have restrictions here.

2. configure a NAT table

1. View local NAT settings

Copy codeThe code is as follows:
[Root @ tp rc. d] # iptables-t nat-L
Chain PREROUTING (policy ACCEPT)
Target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
Target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to: 211.101.46.235
Chain OUTPUT (policy ACCEPT)
Target prot opt source destination

My NAT has been configured (only the simplest proxy Internet access function is provided, and no firewall rules have been added). for how to configure NAT, refer to my other article.

Of course, if you have not configured NAT, you do not need to clear the rules, because NAT does not have anything by default.

If you want to clear, the command is

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-F-t nat
[Root @ tp ~] # Iptables-X-t nat
[Root @ tp ~] # Iptables-Z-t nat

2. add rules

Add basic NAT address translation (see my other article on how to configure NAT ),

To add rules, we only add DROP links. because the default links are all ACCEPT.

Prevent internet spoofing using intranet IP addresses

Copy codeThe code is as follows:
[Root @ tp sysconfig] # iptables-t nat-a prerouting-I eth0-s 10.0.0.0/8-j DROP
[Root @ tp sysconfig] # iptables-t nat-a prerouting-I eth0-s 172.16.0.0/12-j DROP
[Root @ tp sysconfig] # iptables-t nat-a prerouting-I eth0-s 192.168.0.0/16-j DROP

If we want to, for example, block MSN, QQ, BT, etc., we need to find the port or IP address they use (I think it is not necessary)

Example:

Disable all connections to 211.101.46.253

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-t nat-a prerouting-d 211.101.46.253-j DROP

Disable FTP (21) Port

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-t nat-a prerouting-p tcp -- dport 21-j DROP

In this way, the write range is too large, so we can define it more accurately.

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-t nat-a prerouting-p tcp -- dport 21-d 211.101.46.253-j DROP

In this way, only the FTP connection of the 211.101.46.253 address is disabled. Other connections can also be. for example, web (port 80) connections.

According to what I wrote, you only need to find the IP addresses, ports, and protocols of other software such as QQ and MSN.

Finally:

Drop illegal connection

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-m state -- state INVALID-j DROP
[Root @ tp ~] # Iptables-a output-m state -- state INVALID-j DROP
[Root @ tp ~] # Iptables-a forward-m state -- state INVALID-j DROP

Allow all established and related connections

Copy codeThe code is as follows:
[Root @ tp ~] # Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
[Root @ tp ~] # Iptables-a output-m state -- state ESTABLISHED, RELATED-j ACCEPT
[Root @ tp ~] #/Etc/rc. d/init. d/iptables save

In this way, you can write it to the/etc/sysconfig/iptables file. remember to repeat the firewall after writing it to make it take effect.

Copy codeThe code is as follows:
[Root @ tp ~] # Service iptables restart

Don't forget to save it. if you can't save it, write it once. you can save it while doing experiments to see if it meets your requirements,

I have tried all the rules above and there is no problem