Fedora system iptables firewall configuration tutorial
Source: Internet
Author: User
A firewall is a set of components placed between networks or network security domains to protect an organization's internal network. It applies an access control policy that decides which internal services may be reached from outside and which external requests may reach internal services, and it decides, from the characteristics of each IP packet, whether that packet may pass into or out of the intranet.
The firewall inspects every packet that passes through it and compares it against the filtering rules one by one, in the order in which the rules are listed, until a rule matches; the action attached to that rule is then taken and no later rule in the chain is consulted. If no rule matches, the packet is handled by the chain's default policy (ACCEPT or DROP), so a chain whose policy is DROP discards everything it has no explicit rule for.
****************************************
The iptables command line is fairly involved. Its general shape is:
**************************************
iptables [-t table] command [match criteria] -j action
****************************************
1. Table options
***********
The -t option selects the built-in table the command applies to. iptables provides the filter table (packet filtering; used whenever no table is given), the nat table (address translation) and the mangle table (packet alteration such as marking). Newer kernels also provide the raw and security tables, which this tutorial does not use.
**************************************** *****************************
2. Command options
***********
Command                        Description
-P or --policy <chain>         Set the default policy of a built-in chain
-L or --list [chain]           List the rules of a chain, or of every chain in the table
-A or --append <chain>         Append a rule at the end of the chain
-I or --insert <chain>         Insert a rule at a given position (before the first rule if no position is given)
-D or --delete <chain>         Delete a rule from the chain
-R or --replace <chain>        Replace the rule at a given position
-F or --flush [chain]          Delete all rules of a chain, or of every chain in the table if no chain is given
-Z or --zero [chain]           Reset the packet and byte counters of a chain, or of the whole table
**************************************** *****************************
3. Match options
**********
Match                                       Description
-i or --in-interface <interface>            Interface the packet arrived on, e.g. ppp0, eth0 or eth1 (INPUT, FORWARD and PREROUTING chains only)
-o or --out-interface <interface>           Interface the packet leaves on, e.g. ppp0, eth0 or eth1 (OUTPUT, FORWARD and POSTROUTING chains only)
-p or --protocol <protocol>                 Protocol to match, e.g. tcp, udp or icmp
-s or --source <address or subnet>          Source address of the packet
--sport <port>                              Source port; a range may be written as "first:last" (requires -p tcp or -p udp)
-d or --destination <address or subnet>     Destination address of the packet
--dport <port>                              Destination port; a range may be written as "first:last" (requires -p tcp or -p udp)
****************************************
4. Action (target) options
**********
Action          Description
ACCEPT          Let the packet through.
DROP            Discard the packet silently; the sender receives no reply.
REJECT          Discard the packet but send an error back (by default an ICMP port-unreachable; --reject-with selects another ICMP type or a TCP reset).
REDIRECT        Rewrite the destination to a port on the local machine (nat table, PREROUTING and OUTPUT chains). Commonly used for transparent proxies; sending traffic on to another host requires DNAT.
SNAT            Source NAT: change the source address of the packet (nat table, POSTROUTING chain).
DNAT            Destination NAT: change the destination address, and optionally the port, of the packet (nat table, PREROUTING and OUTPUT chains), e.g. to publish an internal service.
MASQUERADE      IP masquerading, the form of source NAT usually meant by "NAT". It uses whatever address the outgoing interface currently has, so it is meant for links whose address is assigned dynamically by the ISP, such as ADSL dial-up; when the public address is static, use SNAT with --to-source instead.
LOG             Write information about matching packets to the kernel log for analysis and troubleshooting. LOG is non-terminating: the packet continues to the following rules, so a LOG rule is normally placed immediately before the DROP or REJECT it documents.
I. Installation
Check whether the iptables package is installed:
[root@localhost ~]# rpm -qa iptables
iptables-1.3.8-5.fc8
II. Define default policies
*************
Define default policy
**************
When a packet matches no rule in a chain, iptables applies the chain's predefined default policy. The default policy is set with:
iptables [-t table] -P <chain> <action>
The parameters are as follows.
- [-t table]: the table whose chain is affected; filter, nat or mangle. Without -t, the filter table is used.
- -P: set the default policy.
- <chain>: the built-in chain whose policy is set: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING, as present in the chosen table (filter has INPUT, FORWARD and OUTPUT; nat has PREROUTING, OUTPUT and POSTROUTING; mangle has all five). User-defined chains have no policy.
- <action>: ACCEPT (let the packet through) or DROP (discard it). REJECT cannot be used as a policy.
**************************************** *********
Example 1. Set the default policy of the INPUT chain of the filter table to accept packets.
[root@localhost ~]# iptables -P INPUT ACCEPT
Example 2. Set the default policy of the OUTPUT chain of the nat table to drop packets.
[root@localhost ~]# iptables -t nat -P OUTPUT DROP
The second command is syntactically valid but not something to do on a real host: the nat table sees only the first packet of each connection and exists for address translation, so filtering decisions belong in the filter table. Likewise, before setting the INPUT policy to DROP on a machine you administer over SSH, add rules accepting established connections and SSH first; otherwise the session you are typing in is cut off.
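The order in which a default-deny policy is built is the practical point of this section, so here is an added example written for this edit, not code from the tutorial: a POSIX shell script that loads a deny-by-default INPUT chain without cutting off the SSH session it is run from. The management network 192.168.1.0/24 and the interface name eth0 are assumptions for illustration; the original page specifies neither.

```shell
#!/bin/sh
# Added example (not from the original tutorial): load a default-deny INPUT
# policy in an order that cannot cut off the administrator's own SSH session.
# "sh firewall.sh dry-run" prints the commands; "sh firewall.sh apply" runs
# them (needs root and the iptables binary).
#
# Assumptions, not taken from the page: administrators sit on 192.168.1.0/24
# and the public interface is eth0. Both can be overridden via the environment.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-}"

# Wrapper so the same function can either preview or execute the commands.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_ruleset() {
    # 1. Open the policies before flushing: a flush under a DROP policy would
    #    remove the rule that keeps this SSH session alive.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT
    ipt -F FORWARD

    # 2. Loopback and replies to connections already accepted go first:
    #    the first matching rule wins, so anything placed after a DROP is dead.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. New SSH connections from the management network only.
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT

    # 4. Services reachable from the public interface.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 5. LOG is non-terminating, so the packet still falls through to the
    #    policy; rate-limit it so a flood cannot fill the kernel log.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "

    # 6. Only now is it safe to make "deny by default" the policy.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
}

# Self-check helpers (dry-run only): number of rules, and the line on which a
# given command appears, for verifying the order before applying.
rule_count() {
    ( DRY_RUN=1; apply_ruleset ) | grep -c -- ' -A INPUT '
}
line_of() {
    ( DRY_RUN=1; apply_ruleset ) | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    dry-run) DRY_RUN=1; apply_ruleset ;;
    apply)   apply_ruleset ;;
esac
```

Run it in dry-run mode first and read the output top to bottom: every ACCEPT rule the host depends on must appear above the line that sets the INPUT policy to DROP, and the policy lines that open the chains must appear above the flush.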
**************************************** *****************************
III. View iptables rules
*****************
View iptables rules
*****************
The command for listing rules is:
iptables [-t table] -L [chain]
The parameters are as follows.
- [-t table]: the table to list; filter, nat or mangle. Without -t, the filter table is listed.
- -L: list the rules of the given table and chain.
- [chain]: the chain to list: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING, or a user-defined chain such as RH-Firewall-1-INPUT. Without a chain, every chain in the table is listed.
In practice add -n (numeric output, no DNS or /etc/services lookups, so the listing is faster and shows 0.0.0.0/0 and port numbers instead of "anywhere" and "http"), -v (packet and byte counters plus the interfaces a rule matches on) and --line-numbers (the rule numbers that -I, -D and -R refer to).
**************************************** ********
Example 3. View the rules of all chains in the filter table (the stock Fedora ruleset, which sends everything arriving on INPUT through the user-defined chain RH-Firewall-1-INPUT).
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Example 4. View the rules of all chains in the nat table.
[root@localhost ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Example 5. View the rules of all chains in the mangle table.
[root@localhost ~]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
**************************************** *****************************
IV. Add, insert, delete and replace rules
***********************
Rules are defined in the following format:
***********************
iptables [-t table] <-A | -I | -D | -R> <chain> [rule number] [-i | -o interface] [-p protocol] [-s source address | source subnet] [--sport source port] [-d destination address | destination subnet] [--dport destination port] -j <action>
The parameters are as follows.
- [-t table]: the table the rule belongs to; filter, nat or mangle. Without -t, the filter table is used.
- -A: append the new rule as the last rule of the chain. No rule number is used.
- -I: insert a rule at the given position; the rule previously at that position and those after it move down one place. Without a rule number the rule is inserted before the first rule (position 1).
- -D: delete a rule, given either its full specification or its rule number.
- -R: replace the rule at the given position with a new one; the rest of the chain keeps its order. The rule number is mandatory.
- <chain>: the chain the rule belongs to: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING, or a user-defined chain.
- [rule number]: position of the rule for -I, -D and -R, counted from 1 at the top of the chain; iptables -L --line-numbers shows the numbers.
- [-i | -o interface]: -i matches the interface the packet arrived on, -o the interface it leaves on, e.g. ppp0, eth0 or eth1.
- [-p protocol]: protocol the rule applies to, e.g. tcp, udp or icmp.
- [-s source address | source subnet]: IP address or subnet (CIDR notation such as 192.168.2.0/24) of the source host.
- [--sport source port]: source port of the packet; needs -p tcp or -p udp.
- [-d destination address | destination subnet]: IP address or subnet of the destination host.
- [--dport destination port]: destination port of the packet; needs -p tcp or -p udp.
- -j <action>: target applied to matching packets (ACCEPT, DROP, REJECT, LOG and so on).
Because the first matching rule decides, the position of a rule matters: a rule appended with -A after a broader rule that already matches the same packets is never reached.
**************************************** *************
Example 6. Add a rule to the INPUT chain of the filter table that drops all packets from the host 192.168.1.200, then view the INPUT chain of the filter table.
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.1.200 -j DROP
[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
DROP       all  --  192.168.1.200        anywhere
On the stock Fedora ruleset of Example 3 this new rule is never consulted: rule 1 sends every packet into RH-Firewall-1-INPUT, whose last rule rejects everything that was not accepted earlier, so nothing returns to rule 2. To have an effect on such a ruleset the rule must be inserted before the jump, as Example 8 does.
Example 7. Add a rule to the INPUT chain of the filter table that accepts packets from the host 192.168.1.200, then view the INPUT chain of the filter table.
[root@localhost ~]# iptables -t filter -A INPUT -s 192.168.1.200 -j ACCEPT
[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
DROP       all  --  192.168.1.200        anywhere
ACCEPT     all  --  192.168.1.200        anywhere
The ACCEPT rule sits below a DROP rule that matches exactly the same packets, so it can never match; the first matching rule wins. This illustrates the mechanics of -A, not a sensible ruleset.
Example 8. Insert a rule before the first rule of the INPUT chain of the filter table that forbids every host in the 192.168.2.0/24 subnet from reaching TCP port 80, then view the INPUT chain of the filter table.
[root@localhost ~]# iptables -t filter -I INPUT -s 192.168.2.0/24 -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.2.0/24       anywhere            tcp dpt:http
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
DROP       all  --  192.168.1.200        anywhere
ACCEPT     all  --  192.168.1.200        anywhere
Example 9. Delete the third rule of the INPUT chain of the filter table, then view the INPUT chain of the filter table.
[root@localhost ~]# iptables -t filter -D INPUT 3
[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.2.0/24       anywhere            tcp dpt:http
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.200        anywhere
Example 10. Replace the second rule of the INPUT chain of the filter table with one that forbids every host in the 192.168.3.0/24 subnet from reaching TCP port 80, then view the INPUT chain of the filter table.
[root@localhost ~]# iptables -t filter -R INPUT 2 -s 192.168.3.0/24 -p tcp --dport 80 -j DROP
[root@localhost ~]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.2.0/24       anywhere            tcp dpt:http
DROP       tcp  --  192.168.3.0/24       anywhere            tcp dpt:http
ACCEPT     all  --  192.168.1.200        anywhere
Note what the replacement removed: rule 2 was the jump into RH-Firewall-1-INPUT, which carried the distribution's whole INPUT policy, including its final REJECT. With the policy of INPUT still ACCEPT, the host now accepts every incoming packet that the two DROP rules do not match. Before replacing or deleting by number, run iptables -L INPUT --line-numbers and confirm which rule the number refers to.
**************************************** *****************************
V. Clear rules and counters
****************
Clear rules and counters
****************
When building a new ruleset you usually remove the old rules first so that they do not interfere with the new ones. Deleting them one by one is tedious when there are many, so iptables provides options that remove all rules of a table at once. The format is:
iptables [-t table] <-F | -Z> [chain]
The parameters are as follows.
- [-t table]: the table to clear; filter, nat or mangle. Without -t, the filter table is used.
- -F: delete all rules of the given chain, or of every chain in the table if no chain is named.
- -Z: reset the packet and byte counters of the given chain, or of the whole table.
Two things -F does not do: it does not reset the default policies, and it does not remove user-defined chains (iptables -X deletes those once they are empty). Flushing a chain whose policy is DROP therefore leaves the policy in force with no rule accepting anything, which on a remote machine cuts off the administrator's own SSH session; set the policies to ACCEPT before flushing. Rules also exist only in the running kernel and are gone after a reboot unless saved: on Fedora, service iptables save writes them to /etc/sysconfig/iptables, which the iptables init script loads at boot.
**************************************** *****
Example 11. Delete all rules in the filter table.
[root@localhost ~]# iptables -F
Example 12. Reset the packet and byte counters in the filter table to zero.
[root@localhost ~]# iptables -Z
Example 13. Delete all rules in the nat table.
[root@localhost ~]# iptables -t nat -F
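As an added example that is not part of the original tutorial, the following POSIX shell script places the lockout-prone one-line reset beside a safe reset of all three tables and then saves the result to the file Fedora's iptables init script loads at boot. The path /etc/sysconfig/iptables is Fedora's standard location; the dry-run mode is an addition of this example for previewing the commands.

```shell
#!/bin/sh
# Added example (not from the original tutorial): reset every table without
# locking yourself out, then persist the result the way Fedora of this era
# expects. "sh reset.sh dry-run" prints the commands; "sh reset.sh apply"
# runs them (needs root and the iptables binary).
DRY_RUN="${DRY_RUN:-}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"   # loaded by Fedora's iptables init script

# Wrapper so the same functions can either preview or execute the commands.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Unsafe version: -F removes the rules but leaves the policies as they were.
# With the INPUT policy at DROP, the rule accepting SSH disappears and the host
# stops answering, including to the administrator who ran the command.
reset_unsafe() {
    ipt -F
}

# Safe version: open every built-in chain's policy first, then per table flush
# the rules (-F), delete the now-empty user-defined chains (-X) and zero the
# counters (-Z). -F alone leaves policies and user-defined chains in place.
reset_safe() {
    for chain in INPUT FORWARD OUTPUT; do
        ipt -P "$chain" ACCEPT
    done
    for chain in PREROUTING OUTPUT POSTROUTING; do
        ipt -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        ipt -t mangle -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        ipt -t "$table" -F
        ipt -t "$table" -X
        ipt -t "$table" -Z
    done
}

# Rules live only in the running kernel; write them out so the init script can
# restore them at boot (on Fedora "service iptables save" does the same).
save_rules() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables-save > $SAVE_FILE"
    else
        iptables-save > "$SAVE_FILE"
    fi
}

case "${1:-}" in
    dry-run) DRY_RUN=1; reset_safe; save_rules ;;
    apply)   reset_safe; save_rules ;;
esac
```

In the dry-run output all eleven policy lines come before the first flush, which is the property that makes the reset safe to run over SSH; saving afterwards records the empty, all-ACCEPT state, so load the intended ruleset and save again before rebooting.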
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.