View the current SELinux status
# getenforce
Temporarily disable SELinux (until the next reboot)
# setenforce 0
Permanently disable SELinux
# vim /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled, then reboot the system. This removes a mandatory access control layer from the host; if the aim is only to keep SELinux from interfering while firewall rules are tested, SELINUX=permissive (or setenforce 0) logs denials without blocking anything and is easy to revert.
Turn off firewalld, turn on iptables
# systemctl stop firewalld.service
# systemctl disable firewalld.service
# yum install -y iptables-services
# systemctl enable iptables.service
# systemctl start iptables.service
iptables options
-A  append (--append) a new rule at the end of the specified chain
-D  delete (--delete) a rule from the specified chain; the rule is identified by its sequence number or by its content
-I  insert (--insert) a new rule into the specified chain; if no position is given, the rule is inserted at the head of the chain
-R  replace (--replace) a rule in the specified chain; the rule is identified by its sequence number or by its content
-L  list (--list) all rules in the specified chain; if no chain name is given, list the contents of every chain in the table
-F  flush (--flush) the rules in the specified chain; if no chain name is given, flush every chain in the table
-N  create (--new-chain) a user-defined chain
-X  delete (--delete-chain) a user-defined chain in the specified table
-P  set the default policy (--policy) of the specified chain
-n  numeric (--numeric) output, for example IP addresses instead of host names
-v  verbose (--verbose) output when listing rules
-V  show the version (--version) of the iptables command
-h  show command help (--help)
--line-numbers  when listing rules, also show each rule's sequence number in the chain
-Z  zero (--zero) the packet and byte counters
Rule tables
The filter table contains three chains: INPUT, FORWARD, OUTPUT. It is used to filter packets and, according to the rules, to decide whether a packet is let through.
The nat table contains three chains: PREROUTING, POSTROUTING, OUTPUT. It is used to rewrite the IP address, port number and similar fields of a packet.
The mangle table contains five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD. It is used to modify a packet's TOS (type of service) and TTL (time to live) values and to set a mark on the packet for QoS (quality of service) applications such as traffic shaping and policy routing.
The raw table contains two chains: OUTPUT, PREROUTING. It is used to decide whether a packet is processed by the connection (state) tracking mechanism.
The security table is used for mandatory access control networking rules (SELinux security marks).
Five chains of netfilter
PREROUTING: before the packet enters the routing decision
INPUT: after routing, for packets whose destination is the local host
FORWARD: after routing, for packets whose destination is not the local host
OUTPUT: for packets generated by the local host and sent outward
POSTROUTING: before the packet is sent out of the NIC interface
View the rules in each chain of the filter table
# iptables -t filter -nvL    (-t filter can be omitted; filter is the default table)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  369 27373 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5  1145 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 294 packets, 48378 bytes)
 pkts bytes target     prot opt in     out     source               destination
Flush the rules in every chain of the filter table, then save the (now empty) ruleset
# iptables -t filter -F; service iptables save
Firewall rules are saved in /etc/sysconfig/iptables. Flushing removes the rules but leaves the chain policies in place: with the ACCEPT policies shown above this is safe over SSH, but if INPUT has policy DROP the same command cuts off the session.
Adding and inserting rules
Append a rule at the end of the INPUT chain of the filter table
# iptables -t filter -A INPUT -p tcp -j ACCEPT
Insert a rule at the head of the INPUT chain of the filter table
# iptables -I INPUT -p udp -j ACCEPT
Insert a rule into the INPUT chain of the filter table as the second rule of the chain
# iptables -t filter -I INPUT 2 -p icmp -j ACCEPT
View the rule list
View all rules in the INPUT chain of the filter table, showing each rule's sequence number
# iptables -t filter -nvL INPUT --line-numbers
A rule number may follow the chain name (for example -nvL INPUT 2) to show only that rule.
Delete and flush rules
Delete the 2nd rule in the INPUT chain of the filter table
# iptables -D INPUT 2
Flush all rules in the filter, nat and mangle tables
# iptables -F; iptables -t nat -F; iptables -t mangle -F
Set the default policy of a chain
Set the default policy of the FORWARD chain in the filter table to DROP
# iptables -t filter -P FORWARD DROP
Set the default policy of the OUTPUT chain in the filter table to ACCEPT
# iptables -t filter -P OUTPUT ACCEPT
When working over SSH, add the ACCEPT rule for the management connection before setting the INPUT policy to DROP: the policy applies to every packet that matches no rule, including the packets of the current session.
Create and delete user-defined chains
Add a user-defined chain named tcp_packets to the raw table
# iptables -t raw -N tcp_packets
Delete all user-defined chains in the raw table (a chain must be empty and not referenced by any rule before it can be deleted)
# iptables -t raw -X
General condition matching
Protocol matching
# iptables -I INPUT -p icmp -j REJECT        (reject all ICMP packets sent to the firewall)
# iptables -I FORWARD ! -p icmp -j ACCEPT    (allow the firewall to forward all packets except ICMP)
Address matching
Refuse to forward data from host 192.168.1.11, but allow forwarding of data from the 192.168.0.0/24 segment
# iptables -A FORWARD -s 192.168.1.11 -j DROP
# iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Network interface matching
Drop packets arriving on the external interface ens33 whose source address is a private (RFC 1918) address; such packets cannot legitimately come from the Internet and are usually spoofed
# iptables -A INPUT -i ens33 -s 192.168.0.0/16 -j DROP
# iptables -A INPUT -i ens33 -s 172.16.0.0/12 -j DROP
# iptables -A INPUT -i ens33 -s 10.0.0.0/8 -j DROP
The administrator has detected frequent scanning from the 192.168.2.0/24 segment on the gateway server and wants an iptables rule that blocks the segment and is lifted again after two hours
# iptables -I INPUT -s 192.168.2.0/24 -j DROP
# iptables -I FORWARD -s 192.168.2.0/24 -j DROP
# at now +2 hours
at> iptables -D INPUT 1
at> iptables -D FORWARD 1
at> <EOT>
job 4 at Thu 16:43:00 2018
# atq
4       Thu Feb 16:43:00 2018 a root
Deleting by rule number assumes the blocking rules are still the first rule of each chain two hours later; if anything else is inserted at the head of a chain in the meantime, the wrong rule is removed. Deleting by specification (iptables -D INPUT -s 192.168.2.0/24 -j DROP, and the same for FORWARD) removes exactly the rule that was added.
Implicit condition matching
Port matching
Allow only administrators on the 192.168.221.0/24 segment to log in to the firewall host over SSH
# iptables -A INPUT -p tcp --dport 22 -s 192.168.221.0/24 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
Allow the local host to offer application services on TCP ports 20-1024
# iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
When acting as a gateway, allow forwarding of DNS resolution requests from the 192.168.0.0/24 LAN segment and of the replies to them
# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
# iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT
TCP flag matching
Reject packets from the external interface that try to open new connections directly to the firewall host
# iptables -P INPUT DROP
# iptables -I INPUT -i ens33 -p tcp --tcp-flags SYN,RST,ACK SYN -j REJECT
--tcp-flags takes two lists: the flags to examine (SYN,RST,ACK) and those that must be set among them (SYN), so the rule matches the initial SYN of a TCP handshake and nothing else.
ICMP type matching
Prevent other hosts from pinging the firewall host, while still allowing the firewall to ping other hosts (the echo replies and error messages it needs are accepted)
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Explicit condition matching
MAC address matching
Prohibit forwarding of packets from the host with MAC address 00:50:56:c0:00:08
# iptables -A FORWARD -m mac --mac-source 00:50:56:c0:00:08 -j DROP
The source MAC is that of the last hop on the local link, so this only identifies hosts on the same Ethernet segment as the firewall, and a sender can forge it.
Multi-port matching
Allow the firewall host to open TCP ports 20, 21, 25, 110 and the passive-mode FTP port range 1250-1280
# iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT
Multiple IP address matching
Prohibit forwarding of TCP packets whose source IP address is in the range 192.168.1.20-192.168.1.99
# iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
State matching
Drop forwarded TCP packets that do not belong to an existing connection and are not SYN requests (for example crafted packets used by scanners)
# iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
Deny new connections to the firewall, but allow replies and packets related to connections that already exist
# iptables -A INPUT -p tcp -m state --state NEW -j DROP
# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Set the firewall policy on a server: open only the local web service (port 80) and FTP service (ports 21, 20 and the passive range 20450-20480), let in reply packets that external hosts send to other ports of the server, and drop every other inbound packet
# iptables -I INPUT -p tcp -m multiport --dports 20,21,80,20450:20480 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
# iptables -P INPUT DROP
Because the ESTABLISHED rule is limited to TCP, replies to the server's own UDP traffic (DNS lookups, NTP) are dropped by the INPUT policy; remove -p tcp from that rule, or add a matching UDP rule, if the server needs them.
Requirement: for the filter table only, set the default policy of the INPUT chain to DROP and of the other two chains to ACCEPT, then open port 22 to 192.168.221.0/24 and ports 80 and 21 to all segments (write it as a script)
# cat /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/usr/sbin/iptables"
$ipt -F                                  # start from an empty filter table
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -s 192.168.221.0/24 -p tcp --dport 22 -j ACCEPT    # SSH from the admin segment only
$ipt -A INPUT -p tcp -m multiport --dports 80,21 -j ACCEPT        # HTTP and FTP control from anywhere
# sh /usr/local/sbin/iptables.sh
As written, the script has no rule for the loopback interface and none for ESTABLISHED,RELATED traffic, so with INPUT at DROP the host's own outgoing connections (DNS, yum) get no replies; add those two rules before the service rules on any host that must initiate connections.
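The same policy, written as an added example that is not part of the original page: instead of issuing iptables commands one by one (which, over SSH, leaves a window between "-P INPUT DROP" and the SSH ACCEPT rule in which the host answers nothing), the script generates the ruleset in iptables-restore format so the whole table is loaded atomically. It serves both the server policy above (FTP passive range 20450-20480) and the script requirement (SSH only from 192.168.221.0/24, ports 80 and 21 open to all). It goes beyond the page's script by adding the loopback, ESTABLISHED,RELATED and "NEW but not SYN" rules from the earlier sections. The administrator network, the passive range, the file name gen_rules.sh and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: emit the server ruleset in
# iptables-restore format so the policy is applied in one atomic step.
# Assumed values: administrator network 192.168.221.0/24 (overridable as the
# first argument), FTP passive range 20450-20480.
# Usage as root:  sh gen_rules.sh | iptables-restore
#                 sh gen_rules.sh > /etc/sysconfig/iptables   (persist for iptables-services)

gen_rules() {
    admin_net="${1:-192.168.221.0/24}"
    ftp_pasv="20450:20480"
    # Lines starting with '#' are ignored by iptables-restore.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the host itself opened (DNS, yum, FTP data)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# TCP packets that claim to start a connection but carry no SYN (scanner/crafted packets)
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH only from the administrator network
-A INPUT -s $admin_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
# public services: HTTP, FTP control and data, FTP passive range
-A INPUT -p tcp -m multiport --dports 20,21,80,$ftp_pasv -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Shape check before handing the file to iptables-restore: exactly one table
# header, a COMMIT, the three built-in chain policies, and nothing outside
# the *filter ... COMMIT block.  Returns 0 when the ruleset looks right.
check_rules() {
    rules="$(gen_rules "$@")"
    [ "$(printf '%s\n' "$rules" | grep -c '^\*filter$')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -qx 'COMMIT' || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP \[' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT \[' || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT ACCEPT \[' || return 1
    first="$(printf '%s\n' "$rules" | grep -v '^#' | head -n 1)"
    last="$(printf '%s\n' "$rules" | grep -v '^#' | tail -n 1)"
    [ "$first" = '*filter' ] && [ "$last" = 'COMMIT' ]
}

# Number of rules appended to INPUT, so a change to the requirements can be
# checked against the expected rule count.
rule_count() {
    gen_rules "$@" | grep -c '^-A INPUT'
}

# When run as a script, validate and print the ruleset for iptables-restore.
case "$0" in
    *gen_rules.sh)
        check_rules "$@" || { echo "generated ruleset is malformed" >&2; exit 1; }
        gen_rules "$@"
        ;;
esac
```

After loading, verify with iptables -nvL INPUT --line-numbers from a second session before closing the first one; if the first session stays alive, the ESTABLISHED,RELATED rule is doing its job.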
Initialize the firewall rules at boot
# echo '/bin/sh /usr/local/sbin/iptables.sh' >> /etc/rc.d/rc.local
# chmod +x /etc/rc.d/rc.local
# init 6
With iptables-services installed, the alternative is to run service iptables save after the script; the service then restores /etc/sysconfig/iptables at boot without rc.local.