Disable ports and open specified ports through iptables

Source: Internet
Author: User
Tags: ftp, connection, domain, server, nslookup
1. Disable all INPUT, FORWARD and OUTPUT traffic and open only specific ports
The following commands implement this:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Run iptables -L -n to check that the settings are correct.
Once the policies are set, everything is dropped. The rules are not persistent at this point: simply restarting the server restores the previous, unconfigured state.
To keep them, run service iptables save.
The firewall rules are saved in /etc/sysconfig/iptables.
You can open that file to view them: vi /etc/sysconfig/iptables
2. Open only port 22
Below I open only port 22 to show how this works. It takes the following two statements:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Check with iptables -L -n that the rules were added:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22

Now the Linux server has only port 22 open. Use putty.exe to test whether a connection can be made.
The connection succeeds, so there is no problem.

Finally, do not forget to save the firewall settings.
Run the following command: service iptables save

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Let's explain these two commands.
-A appends a rule to the named chain (here INPUT).
-p specifies the protocol. We commonly use tcp, but there is also udp, for example port 53 for DNS.
When we configure DNS on port 53 later, we will see that it uses the udp protocol.

--dport is the destination port: for data entering the server from outside, it is the port the data is addressed to.
Conversely, --sport is the source port the data is sent from.

-j specifies the target: ACCEPT to accept the packet, or DROP to discard it.
3. Prohibit access from an IP address
Setup: one Linux server and two Windows XP machines.
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8

First let's check what both XP machines can access on the server.

192.168.1.2 (XP1) can access it,
and 192.168.1.8 (XP2) can access it too.

Now I want to block access from 192.168.1.2 (XP1) while XP2 keeps normal access.
Let's look at the demo.

Use the command: iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
Here -A adds a new rule. What kind of rule? Because the website is accessed over tcp,
we use -p tcp (for udp we would write udp). -s is the source:
the traffic comes from IP address 192.168.1.2. -j is DROP.

OK, check the effect. The rule was added successfully; now verify that it takes effect.

The page cannot be displayed after a waiting state. This is because access from 192.168.1.2 (XP1) is denied.

Check whether the other XP machine can still access the server: 192.168.1.8 can access it normally.
4. How to delete a rule
First we need to know the number of the rule; each rule has a number.

iptables -L -n --line-numbers displays the rules with their numbers:
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
With the num column shown, we can see that the rule we want corresponds to number 2.

Then we can delete it:
iptables -D INPUT 2
This deletes rule number 2 in the INPUT chain.

Run iptables -L -n to check that it has been removed.
5. Filter invalid data packets
Assume someone has broken into the server, or a virus or Trojan program is running on it: it can send data out of the server through a port.
This is different from normal access to ports 22 and 80. The data it sends out is not the
response packet to a request that came in through a web page visit.

We will block all outbound packets that are not responses to an incoming request.

iptables provides a parameter to check connection state. Next we configure ports 22 and 80 to block such invalid packets.

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Compare it with the earlier rule:
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

An additional state check has been added.

The same is done for port 80. Now the original two rules are deleted.
iptables -L -n --line-numbers lists the rules with their numbers, so we can see the number of
the rule to delete.

iptables -D OUTPUT 1 deletes the first rule (1 is the rule number).

When you delete the preceding rule, the numbers of the remaining rules change. Check this.

OK, we have deleted the first two rules, and port 22 can still be used normally, so there is no problem.
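Because rule numbers shift after every deletion (section 4 and the note above), it is safer to compute all the numbers first and delete from the highest down. The script below is an added example, not part of the article: it parses a constructed iptables -L -n --line-numbers listing, picks out the stateless rules for the given port matches, and emits the iptables -D commands in descending order. The function names and the sample listing are mine.

```sh
#!/bin/sh
# Added example (not from the article): find rule numbers in an
# "iptables -L <chain> -n --line-numbers" listing and emit the matching
# "iptables -D" commands highest number first, so deleting one rule does
# not renumber the ones still to be deleted.
set -eu

# Constructed sample listing in the format the article shows (not captured
# from a real host): rules 1 and 2 are the stateless OUTPUT rules that
# section 5 replaces, rules 3 and 4 are their ESTABLISHED-only versions.
SAMPLE_LISTING='Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED'

# stateless_rule_numbers LISTING PORTSPEC: print the numbers of rules whose
# port match is exactly PORTSPEC (e.g. "spt:22") and that carry no further
# match such as "state ESTABLISHED". Field 8 is the port match; a line with
# exactly 8 fields has nothing after it.
stateless_rule_numbers() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && NF == 8 && $8 == want { print $1 }'
}

# delete_commands CHAIN LISTING PORTSPEC...: one "iptables -D" per matching
# rule, sorted by rule number in descending order.
delete_commands() {
    chain=$1; listing=$2; shift 2
    for spec in "$@"; do
        stateless_rule_numbers "$listing" "$spec"
    done | sort -rn | while read -r n; do
        echo "iptables -D $chain $n"
    done
}

# Preview the deletions for the two stateless rules; pipe into sh to apply.
delete_commands OUTPUT "$SAMPLE_LISTING" spt:22 spt:80
```

On a real host, replace SAMPLE_LISTING with the output of iptables -L OUTPUT -n --line-numbers and pipe the result into sh as root.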

Save the rules as follows. Do not forget this, otherwise they will be lost after a restart.

service iptables save

Saving firewall rules to /etc/sysconfig/iptables: [OK]
In fact, the rules just set are written to the file /etc/sysconfig/iptables.
6. DNS port 53 settings
Next let's look at how to set iptables to open the DNS port, which is port 53.

As you can see, I have only opened ports 22 and 80. Now let's see whether I can resolve a domain name.

After entering host www.google.com, the command just waits, indicating that DNS is not available.

The following message is then displayed:
;; connection timed out; no servers could be reached

Ping the domain name:
[root@localhost ~]# ping www.google.com
ping: unknown host www.google.com

The reason is that iptables is blocking port 53.

Some servers, especially web servers, become slow because of this DNS problem: the packets to the DNS server cannot be sent.

The following shows how to use iptables to open DNS port 53. If you do not know the port number of the domain name service,

you can run the following command: grep domain /etc/services

[root@localhost ~]# grep domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                        # domaintime
domaintime      9909/udp                        # domaintime

As you can see, DNS generally uses udp.

OK, let's start setting it up.

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When we ping a domain name, the query is sent from the local machine, so we first set the OUTPUT rule;
we can set the rules by following the ping process.

Then the DNS server receives the packet we sent and responds to it:
iptables -A INPUT -p udp --sport 53 -j ACCEPT

You must also set:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

Now let's start the test. Use iptables -L -n to check the settings; if everything looks right, test them.

[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

Now test whether DNS can pass through iptables.

[root@localhost ~]# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99

The Google domain name is resolved normally.

Ping itself may need some additional settings.

Use nslookup:

[root@localhost ~]# nslookup
> www.google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
www.l.google.com        canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104

This indicates that local DNS resolution works and that iptables allows access to port 53.
7. iptables FTP settings
Now I start setting up the FTP ports. Add the ports to be opened as in the previous video.
An FTP connection uses two ports, 21 and 20. Now I add the corresponding rules:

[root@localhost root]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@localhost root]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

Now try to access the FTP server from a browser: the request times out.

As I just mentioned, FTP is special: besides the control port it uses separate data transfer ports,
and directory listings, uploads and downloads all go through those ports.

And these data ports are arbitrary ports. This is what makes FTP special.

If no port range is specified, iptables cannot reasonably be opened for arbitrary ports:
allowing access on any port is no different from having no firewall, so that is unrealistic.

The solution is to specify a fixed range for the data transfer ports.

Next, modify the FTP server configuration file.

Here I use vsftpd for the demo. I don't know where this is configured for other FTP servers; you can look it up.

[root@localhost root]# vi /etc/vsftpd.conf

Add at the bottom of the configuration file:

pasv_min_port=30001
pasv_max_port=31000

Save and exit.

These two lines tell vsftpd that the port range for data transfers is 30001 to 31000.

This makes the iptables side much easier: we can simply open ports 30001 to 31000.

[root@localhost root]# iptables -A INPUT -p tcp --dport 30001:31000 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 30001:31000 -j ACCEPT

[root@localhost root]# service iptables save

Save the rules, then use FTP from the browser again: access is now normal.

You can log in with an account without problems. Upload some files and check them.

You can see that uploads and downloads work normally. Check the iptables settings:

[root@localhost root]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:30001:31000

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:30001:31000

This is a simple rule set that only demonstrates the special FTP ports. You can add packet state checks to it,
for example -m state --state ESTABLISHED, as in section 5.
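The complete ruleset from sections 1 to 7, with the state checks from section 5 applied to every service port, as an added example that is not from the article itself. Without arguments the script only prints the commands it would run; with --apply (as root) it loads them. The wrapper name ipt and the function names are mine; the ports and the passive range are the article's. It covers DNS as a client only: the article's extra pair (in to dport 53, out from sport 53) is needed only if the host answers DNS queries itself, so it is left out.

```sh
#!/bin/sh
# Added example, not from the original article: the article's whole ruleset
# built in one script. With no arguments it only prints the commands
# (preview); run it as root with --apply to load them.
set -eu

ipt() {
    # Preview mode (the default) prints the command instead of running it.
    if [ "${PREVIEW:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# A TCP service on this host: new connections may come in to the port, but
# packets may only leave from it when they belong to an ESTABLISHED
# connection (section 5), so a program planted on the server cannot use
# the port to start connections of its own.
allow_tcp_service() {
    ipt -A INPUT  -p tcp --dport "$1" -j ACCEPT
    ipt -A OUTPUT -p tcp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
}

# DNS client only: queries go out to 53/udp, answers come back from it.
allow_dns_client() {
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A INPUT  -p udp --sport 53 -j ACCEPT
}

# FTP server: control port 21, active-mode data port 20, and the passive
# range set in vsftpd.conf (pasv_min_port / pasv_max_port).
allow_ftp_server() {
    allow_tcp_service 21
    # Active-mode data connections are opened by the server itself from
    # port 20, so that outbound rule must not be limited to ESTABLISHED.
    ipt -A INPUT  -p tcp --dport 20 -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 20 -j ACCEPT
    allow_tcp_service "$1:$2"
}

build_ruleset() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    allow_tcp_service 22          # SSH
    allow_tcp_service 80          # HTTP
    allow_dns_client
    allow_ftp_server 30001 31000  # matches the article's vsftpd settings
}

if [ "${1:-}" = "--apply" ]; then PREVIEW=0 build_ruleset; else build_ruleset; fi
```

After applying on a real host, run service iptables save as the article does, or the rules are gone after the next restart.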
