Linux (10): the iptables firewall
I. Functions of the firewall
II. Classification of firewalls
III. Basic iptables Syntax:
Tables:
The filter table is the one used most often; the nat table is used for address translation (NAT).
Configuration file:
/etc/sysconfig/iptables
Filter table information
View iptables status
service iptables status
Commands (note that option letters are case-sensitive: -L, -P, -A, -D, -R, -F are uppercase, while -s, -p, -i, -o, -j are lowercase):
-L: list rules
iptables -L: list the rules and the policy of each chain
iptables -L -n: show addresses and ports numerically, without name lookups
iptables -L -n --line-numbers: also show the number of each rule
-P: set the default policy of a chain
iptables -P INPUT DROP sets the default target (policy) of the chain (ACCEPT allows, DROP denies). The policy is applied only when no rule in the chain matched, so it behaves as the last rule.
iptables -L now shows the INPUT policy as DROP.
However, this setting is only temporary: it lives in the running kernel and is not written to the configuration file.
About chains
INPUT: traffic coming from outside to this host
FORWARD: traffic routed through this host to other devices
OUTPUT: traffic leaving this host
-A: append a rule to the end of a chain
-F: flush (clear) all rules of a chain
Not recommended, especially on a host you administer remotely.
-D: delete a rule
-R: replace a rule (by rule number, as shown by --line-numbers)
Matching conditions:
1. Match by network interface
First we restrict outbound traffic so that this host may not reach any external machine through the interface. Because replies can no longer leave the host either, external machines cannot reach it in practice:
iptables -A OUTPUT -o eno16777736 -j DROP
After this, the putty remote login is cut off and ping fails.
Delete it again:
2. Match by address
3. Match by protocol type
4. Match by port
First, check whether the telnet client is installed:
rpm -qa | grep telnet (telnet is generally not installed by default)
yum install telnet
yum install telnet-server
After installation you can test the port from the client.
In putty:
telnet 192.168.8.129 22
Port 22 is reachable normally.
iptables -A INPUT -s 192.168.8.1 -p tcp --dport 22 -j DROP
Now the specified remote host can no longer reach port 22.
Port 80 restriction:
First install the web server httpd:
yum install httpd
After installation, check the httpd process and the listening state of port 80:
ps -ef | grep httpd
netstat -apn | grep 80
Open the server's IP address in a browser to see the test page.
Now block access to port 80 from the specified IP address:
iptables -A INPUT -s 172.******** -p tcp --dport 80 -j DROP
Targets (what to do with a matching packet):
ACCEPT
DROP
Rule matching method
Rules in a chain are checked from top to bottom; the first matching rule decides, and the chain's default policy applies only when no rule matched.
To apply the rules permanently:
1. Edit /etc/sysconfig/iptables directly
2. Run service iptables save to write the rules currently loaded in the kernel to that file.