Enable and disable iptables firewall

Source: Internet
Author: User
1. Starting and stopping iptables
The following sections use iptables to build a firewall. How iptables is started and stopped depends on the Linux distribution in use, so consult the documentation of your distribution first. iptables is not a daemon: "stopping" it on Red Hat (service iptables stop) means flushing all rules and resetting the chain policies to ACCEPT, and "starting" it means loading a saved rule set.
iptables is included in practically every distribution. Run iptables --version to check whether it is installed; on Red Hat 9.0 the installed version is iptables v1.2.7a. On current distributions the same command also tells you whether the iptables binary is the legacy implementation or the nf_tables compatibility front-end (it prints "(legacy)" or "(nf_tables)" after the version). If iptables is not installed, it can be downloaded from the netfilter project website (netfilter.org).
2. Viewing the rule set
What follows is only a brief introduction to iptables usage; run man iptables for the complete description of all commands and options, or iptables --help for a quick reference. To view the rule set currently loaded in the system, run:
# iptables --list
(-L is the short form; add -n to suppress DNS lookups, which otherwise make listing slow, and -v to see packet counters and interface names.)
The output looks like this when no rules are defined:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As the output shows, every packet passes through one of the three built-in chains (INPUT for packets addressed to this host, OUTPUT for packets generated by it, FORWARD for packets routed through it).
filter is the most commonly used table, and the one iptables --list shows when no -t option is given (the others are nat and mangle). The three most common targets in the filter table are ACCEPT, DROP and REJECT. DROP discards the packet silently and does no further processing. REJECT also discards it, but sends an error message (by default an ICMP port-unreachable) back to the host that sent the packet, so the sender learns immediately that the port is closed instead of waiting for a timeout.
(Figure: Security setting GUI tool in Red Hat 9.0)
In Red Hat 9.0 a GUI program is provided that lets users set the system's security level conveniently. It is started from the main menu → System Settings → Security Level (shown in the figure above). Set the security level to "High", select "Use default firewall rules" and click OK. Running iptables --list afterwards shows a rule set quite different from the empty one above:
 
[root@workstation root]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
......
In practice this GUI tool is rarely used, because its functions are limited and what it does behind the scenes is not transparent (all it really does is create the RH-Lokkit-0-50-INPUT chain and send INPUT and FORWARD traffic through it). The corresponding tool in SuSE 9.0 is considerably better: the firewall module of YaST can configure the firewall in much more detail from the GUI, for example IP forwarding and masquerading. Where the GUI tool is not sufficient, you add and delete rules yourself, as described next.
(Figure: Firewall settings in the YaST configuration tool in SuSE 9.0)
3. Adding rules
In this example the rule blocks packets from a specific address range, because the administrator suspects that a large number of malicious attackers are active there:
# iptables -t filter -A INPUT -s 123.456.789.0/24 -j DROP
(123.456.789.0/24 is only a placeholder; it is not even a valid IPv4 address, since each octet must be 255 or less, and iptables rejects it with "host/network not found". Substitute the real range, or the RFC 5737 documentation range 203.0.113.0/24 when testing.)
Blocking all packets going to the attacker's address range is just as easy; the command differs only slightly:
# iptables -t filter -A OUTPUT -d 123.456.789.0/24 -j DROP
The -A option appends the rule to the end of an existing chain; -I inserts it at the top instead. Rules in a chain are evaluated in order and the first match decides, so the position matters whenever another rule in the chain could match the same packets. -t filter may be omitted, since filter is the default table.
4. Deleting a rule
Attackers on the network keep moving, so the blocked addresses have to change constantly. Suppose an attacker has moved to a new address and the old one has been assigned to innocent users; their packets can no longer pass through your network. In that case the -D option deletes an existing rule:
# iptables -t filter -D OUTPUT -d 123.456.789.0/24 -j DROP
-D with a rule specification deletes the first rule that matches the specification exactly, so the options must be repeated verbatim. It is often easier to list the chain with --line-numbers (iptables -L OUTPUT -n --line-numbers) and delete by position, for example -D OUTPUT 1; remember that the numbers of the following rules shift down by one after each deletion.
5. Default policy
Writing a rule set that is flexible and copes with every eventuality takes a long time. For those without that time, the most basic principle is "deny all packets first, then allow what is needed". The default rules for each chain are set like this:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
-P sets the chain policy, the fate of a packet that matches none of the rules in the chain; only the three built-in chains have a policy. These policies let traffic out without restriction but let nothing in. To accept traffic from outside, add explicit rules, for example for a trusted source range:
# iptables -t filter -A INPUT -s 123.456.789.0/24 -j ACCEPT
Caveat: an INPUT policy of DROP also drops the replies to connections the machine itself opened (web, DNS, package updates) unless a rule accepting ESTABLISHED,RELATED traffic is added (see section 7), and if you set it over an SSH session without such a rule, the session hangs at once. Set the policy last, after the accept rules are in place, or work from the console.
6. Using the SYN flag
You cannot close every port, and you cannot always say in advance exactly which ports must be open. Is it possible to write a rule that lets normal users through while keeping malicious attackers out?
Those starting out with iptables can make good use of the SYN flag to block unsolicited connections. iptables inspects packet headers, and in fact most other packet analysis methods are based on the header as well. Consider web surfing: your PC sends a request to a web server elsewhere, and the server answers by returning packets to a temporary (ephemeral) port on your system. Unlike the request, the reply never carries the SYN flag, because SYN is set only on the packet that opens a TCP connection. This property can be used to block all TCP connections that your system did not initiate:
# iptables -t filter -A INPUT -i eth0 -p tcp --syn -j DROP
Here -i names the network interface, -p the protocol, and --syn matches TCP packets with the SYN bit set and the ACK, RST and FIN bits clear, that is, the first packet of a connection. If no server is running on the machine, no legitimate SYN packet should ever be sent to you. If a server is running, the ACCEPT rules for its ports must come before this rule in the chain. The rule says nothing about UDP (DNS, NTP), which has no handshake and needs the state tracking of section 7 instead.
7. Stateful packet inspection
In the previous examples each packet was treated on its own, judged by its header alone, rather than in relation to other packets. With connection tracking (the state or conntrack match) iptables instead looks at the source and destination addresses and ports, the sequence numbers of inbound packets, and the header flags (SYN, ACK, FIN, RST and so on), and tracks the whole connection session, so that filtering decisions are made in the context of the connection. A packet is classified as NEW when it opens a connection, ESTABLISHED when it belongs to a connection that has already seen traffic in both directions, RELATED when it starts a connection associated with an existing one (such as an FTP data channel), and INVALID when it belongs to no known connection.
8. Sharing an Internet connection
Network address translation (NAT) and IP masquerading let several hosts share one Internet connection; the LAN can be a mixed network of Linux and Windows systems. Assume a machine with two network cards: eth0 is the "public" card, assigned a static, routable IP address, and eth1 the "private" card, assigned a non-routable private address that belongs to the LAN subnet. To set this up, rules are added to both the nat and the filter table:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
This shows the value of stateful inspection: inbound packets are forwarded only when they belong to an existing connection, while everything coming from the LAN is allowed out. The first rule makes all outgoing traffic appear to come from the firewall machine itself, so nothing reveals that a LAN sits behind it. IP forwarding must also be enabled in the kernel (net.ipv4.ip_forward, see the script in section 10), or nothing is forwarded at all.
Set the default policy of the FORWARD chain to DROP, so that anything the two forwarding rules do not cover is discarded:
# iptables -t filter -P FORWARD DROP
Do all filtering in the filter table. The nat table is consulted only for the first packet of each connection, so a DROP policy on its POSTROUTING chain is not a reliable access control, and it would also break the connections the gateway opens itself. Leave the nat chains at their default ACCEPT policy; the FORWARD policy above is what stops an outside host from using the gateway and posing as a LAN machine.
For a dial-up connection with a dynamically assigned address, the masquerading rule refers to the PPP interface instead:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
9. Servers behind the firewall
Sometimes servers are placed behind the firewall; iptables then has to know where to deliver the packets. Destination NAT rewrites the destination address of incoming packets:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.11:25
With a FORWARD policy of DROP (section 8) these rules alone are not enough: after the rewrite the packets still traverse the FORWARD chain, so an ACCEPT rule for new connections to 192.168.0.10 port 80 and to 192.168.0.11 port 25 must be added there as well, or the connections are silently dropped.
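The rules of sections 5 to 9 assembled into one file in iptables-restore format, as an added example that is not part of the original article. Written this way, instead of as a sequence of interactive iptables calls, the rule set can be reviewed as text, checked for the two mistakes noted above (a DNAT without its FORWARD rule, an INPUT DROP policy without an ESTABLISHED,RELATED accept) and loaded in one atomic step. It uses the -m conntrack --ctstate match, the successor of -m state --state (both are accepted). The interface names, the LAN range, the server addresses and the RFC 5737 range 203.0.113.0/24 standing in for the article's 123.456.789.0/24 placeholder are assumptions; the script only prints the rule set and does not touch the running firewall.

```shell
#!/bin/sh
# Added example (not from the original article): the gateway rule set of
# sections 5-9 written as one iptables-restore file. gen_ruleset only prints
# the file; nothing here changes the running firewall.
WAN_IF="eth0"                 # public interface (assumed)
LAN_IF="eth1"                 # private interface (assumed)
LAN_NET="192.168.0.0/24"      # LAN behind the gateway (assumed)
WEB_SERVER="192.168.0.10"     # internal web server of section 9
MAIL_SERVER="192.168.0.11"    # internal mail server of section 9
BLOCKED_NET="203.0.113.0/24"  # RFC 5737 documentation range standing in for the
                              # article's 123.456.789.0/24 placeholder (assumed)

gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# anti-spoofing: nothing arriving on the WAN side may claim a LAN source
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# section 3: the suspicious range is dropped in both directions
-A INPUT -s $BLOCKED_NET -j DROP
-A OUTPUT -d $BLOCKED_NET -j DROP
# section 7: replies to connections this host opened come back in; without this
# line the INPUT DROP policy cuts off the gateway's own outbound traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# administration only from the LAN side
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# section 6: any other attempt to open a TCP connection from the WAN is dropped
-A INPUT -i $WAN_IF -p tcp --syn -j DROP
# section 8: the LAN may go out, only replies come back
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# section 9: each DNAT needs a FORWARD rule admitting the new connection
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $MAIL_SERVER -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# section 9: publish the internal servers on the WAN address
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
-A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination $MAIL_SERVER:25
# section 8: everything leaving on the WAN interface appears to come from the gateway
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# count_rules CHAIN: number of -A rules the generated file holds for CHAIN
count_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

# Print the file when run as: sh thisscript.sh print
if [ "${1:-}" = "print" ]; then
    gen_ruleset
fi
```

Review the printed file, then load it as root with gen_ruleset > /etc/iptables.rules followed by iptables-restore < /etc/iptables.rules. Because the whole rule set is replaced in one step, a mistake never leaves the half-applied state that an aborted sequence of individual iptables commands can; and because the ESTABLISHED,RELATED rule is part of the same file, loading it over SSH from the LAN does not cut the session.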
10. Saving the rules
So far every example was typed at the command line. That is a good way to test new rules, but once they work as intended they should be saved. iptables-save writes the complete rule set to standard output:
# iptables-save > iptables-script
All rules of the packet filtering tables are now in the file iptables-script (both commands need root privileges). iptables-restore loads the rule set from that file back into the kernel at any time, replacing the current rules in one atomic step:
# iptables-restore < iptables-script
To have the rule set restored automatically at every boot, put this command in any initialization shell script. Most distributions also provide a mechanism of their own: on Red Hat, service iptables save writes the rules to /etc/sysconfig/iptables, from where the init script reloads them; Debian derivatives use the iptables-persistent package for the same purpose.
The following example is not a complete script; it only shows how to use variables and provides some additional rule samples.
#!/bin/sh
# Assign values to variables
IPTABLES=/sbin/iptables
LAN_NET="192.168.1.0/24"
IFACE="eth0"            # external (Internet-facing) interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Load the required kernel modules (nf_conntrack was called ip_conntrack on 2.4 kernels)
/sbin/modprobe nf_conntrack
/sbin/modprobe iptable_nat
# IP forwarding is off by default; switch it on
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable support for dynamically assigned IP addresses (dial-up)
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Clear the previous rules every time this script runs and set the default policies
# (run this from the console: with INPUT DROP and no state rule, a remote session is cut off)
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Allow loopback!
$IPTABLES -A INPUT -i $LO_IFACE -p all -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -p all -j ACCEPT
# Anti-spoofing, placed before the ACCEPT rules so that a spoofed packet never matches one:
# discard incoming packets on the external interface that claim a LAN source address
$IPTABLES -A INPUT -i $IFACE -s $LAN_NET -j DROP
# discard outgoing packets on the external interface whose source is not the LAN
# (caveat: OUTPUT only sees the firewall's own packets, so this also drops its own
# traffic unless its external address lies inside $LAN_NET; on iptables 1.2/1.3 the
# negation is written "-s ! $LAN_NET" instead of "! -s $LAN_NET")
$IPTABLES -A OUTPUT -o $IFACE ! -s $LAN_NET -j DROP
# Only allow SSH connections from the LAN
$IPTABLES -A INPUT -s $LAN_NET -p tcp --destination-port ssh -j ACCEPT
# Restrict outgoing information
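A pre-flight check for a rule set saved in iptables-save format, as an added example that is not part of the original article. It is meant to run on the file before iptables-restore loads it, especially on a machine administered remotely, and reports the three mistakes the sections above warn about: an INPUT DROP policy with no ESTABLISHED,RELATED accept, a non-ACCEPT policy on a nat chain, and a DNAT with no matching FORWARD accept while FORWARD is DROP. The check is plain awk over the save format and the sample rule set it ships with is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): a pre-flight check for a rule
# set saved in iptables-save format, to run on the file before iptables-restore
# loads it on a remote machine. It reports the three mistakes discussed above.
# The sample rule set below is constructed for this example.

# check_ruleset FILE: print one line per finding; exit 0 if clean, 1 otherwise
check_ruleset() {
    awk '
        /^\*/        { table = substr($0, 2); next }        # *filter, *nat, ...
        /^:/         { split($0, p, " "); policy[table, substr(p[1], 2)] = p[2]; next }
        /^COMMIT/ || /^#/ || /^$/ { next }
        /^-A INPUT / && /ESTABLISHED/ && /-j ACCEPT/ { input_est = 1 }
        /^-A FORWARD / && /-j ACCEPT/ { fwd_accept = fwd_accept " " $0 }
        /^-A PREROUTING / && /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") dnat[$(i + 1)] = 1
        }
        END {
            bad = 0
            # 1. INPUT DROP with no state rule: replies to this host and the SSH
            #    session used to load the rules are dropped
            if (policy["filter", "INPUT"] == "DROP" && !input_est) {
                print "INPUT policy is DROP but no ESTABLISHED,RELATED accept: remote sessions will hang"
                bad = 1
            }
            # 2. nat chains see only the first packet of a connection; a non-ACCEPT
            #    policy there is not a filter, only a way to break new connections
            for (c in policy) {
                split(c, k, SUBSEP)
                if (k[1] == "nat" && policy[c] != "ACCEPT") {
                    print "nat chain " k[2] " has policy " policy[c] ": filter in the filter table instead"
                    bad = 1
                }
            }
            # 3. a DNAT still traverses FORWARD; with FORWARD DROP it needs an ACCEPT
            if (policy["filter", "FORWARD"] == "DROP") {
                for (d in dnat) {
                    split(d, hp, ":")
                    if (index(fwd_accept, "-d " hp[1] " ") == 0) {
                        print "DNAT to " d " has no matching FORWARD accept: connections will be dropped"
                        bad = 1
                    }
                }
            }
            exit bad
        }' "$1"
}

# A constructed rule set carrying all three mistakes (sample input, not a capture)
sample_bad_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING DROP [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Run the check on the sample when invoked as: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    sample_bad_ruleset > "$f"
    check_ruleset "$f"
    rm -f "$f"
fi
```

Run it as check_ruleset iptables-script before restoring the file; a non-zero exit status with the findings printed is the signal to stay on the console. The DNAT check matches the FORWARD rule by destination host only, which is deliberate: a FORWARD rule that admits the host without a port restriction is still a match, while one for a different host is not.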
 
This concludes the introduction to enabling and disabling iptables.