Linux iptables firewall Settings Learning notes

Source: Internet
Author: User

The following is summarised from Bird Brother's Linux Private Kitchen: Server Edition (third edition); students who like Linux are encouraged to read it.

For Linux Kernel 2.6+

I. Firewall schematic

[Figure: firewall packet-flow diagram]

The diagram above looks complicated, but it shows that iptables controls three kinds of packet flow:

Packets that use resources on the Linux host itself (path A): once the routing decision has determined that the packet is destined for this host, it is filtered mainly by the INPUT chain of the filter table.

Packets forwarded through the Linux host, which use no host resources but are passed on to a back-end host (path B): after the header has been rewritten before routing and the routing decision finds that the packet is headed for a machine behind the firewall, the packet takes path B. In other words, the packet is not meant for the Linux host itself. The chains it passes through are mainly FORWARD in the filter table and PREROUTING and POSTROUTING in the nat table. This is the path used for NAT, which section 9.5 of that chapter introduces briefly.

Packets sent by the Linux host itself (path C): for example replies to client requests, or packets the host originates on its own, take path C. The routing decision first determines the outgoing path, then the packet passes through the OUTPUT chain of the filter table, and finally, of course, through the POSTROUTING chain of the nat table.

II. Firewall diagram (with the rarely used mangle table hidden)

III. Firewall Operations

IV. Firewall example 1

[root@www ~]# vim bin/firewall.sh
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH

# 1. Clear the existing rules
iptables -F
iptables -X
iptables -Z

# 2. Set the default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# 3~5. Define the rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

# 6. Write the rules to the firewall configuration file
/etc/init.d/iptables save

[root@www ~]# sh bin/firewall.sh
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
V. Firewall example 2


[root@www ~]# mkdir -p /usr/local/virus/iptables
[root@www ~]# cd /usr/local/virus/iptables
[root@www iptables]# vim iptables.rule
#!/bin/bash

# Please fill in your own parameters here, and do not get them wrong!
EXTIF="eth0"                # the network interface connected to the public IP
INIF="eth1"                 # the interface connected to the internal LAN; if there is none, set INIF=""
INNET="192.168.100.0/24"    # the internal network; if there is no internal interface, set INNET=""
export EXTIF INIF INNET

# Part one: firewall settings for this host itself ##########################################
# 1. Set the kernel network parameters first:
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,\
send_redirects}; do
    echo "0" > $i
done

Practical VPS security firewall settings

iptables is the kernel-based firewall and is very powerful. It has three built-in tables: filter, nat and mangle.

The filter table is responsible for filtering packets; its rule chains are INPUT, OUTPUT and FORWARD.

The nat table handles network address translation; its rule chains are PREROUTING, POSTROUTING and OUTPUT.

The mangle table is mainly used to modify the contents of packets, for example for traffic shaping; its default rule chains are INPUT, OUTPUT, nat, POSTROUTING and PREROUTING.

INPUT matches packets whose destination IP is the local host;
FORWARD matches packets passing through the host;
PREROUTING is used to modify the destination address (DNAT);
POSTROUTING is used to modify the source address (SNAT).

I. iptables syntax

iptables -A INPUT -j ACCEPT
-A, --append # append a rule to a chain; it is added at the end by default
iptables -D INPUT -j ACCEPT
-D, --delete # delete a rule from a chain

-A appends a rule to a chain; the rule is added at the end by default
-t specifies the table to operate on; the default is filter
-D deletes a rule from a chain, given either its number or a matching rule specification
-R replaces a rule
-I inserts a rule; it is inserted at the head of the chain by default
-F flushes the selected chain; the flush is not persistent, and the saved rules are back after a reboot
-N creates a user-defined chain
-X deletes user-defined chains
-p specifies the protocol: tcp, udp, icmp, or a protocol number
-s specifies the source address
-d specifies the destination address
-i the incoming interface
-o the outgoing interface
-j the action to take: ACCEPT, DROP, SNAT, DNAT, MASQUERADE
--sport source port
--dport destination port; a port must be used together with a protocol (-p)

-P defines the default policy of a chain

Syntax: iptables -P [INPUT|OUTPUT|FORWARD] [ACCEPT|DROP]

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

II. Common iptables operations

iptables -L # list the iptables rules
iptables -F # flush the built-in rule chains
iptables -X # delete the user-defined chains
# add -n to -L to show addresses and ports numerically

/etc/rc.d/init.d/iptables save # save the rules; only saved rules survive a reboot
/etc/init.d/iptables status # show the rules
/etc/init.d/iptables stop # disable the firewall
chkconfig iptables off # stop the firewall service from starting at boot
III. Checking whether iptables is in effect

# check whether port 22 is open
telnet www.phpgao.com 22
# returns: telnet: connect to address 104.224.144.xxx: Connection refused

IV. Exporting and restoring iptables rules

iptables-save > somefile
iptables-restore < somefile

V. Recommended rules

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# DNS (this rule is not needed, as we only accept inbound traffic that is ESTABLISHED,RELATED)
#-A INPUT -p udp --dport 53 -j ACCEPT
# DNS
#-A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow ports for testing
#-A INPUT -p tcp --dport 8080:8090 -j ACCEPT

# Allow ports for MOSH (mobile shell)
#-A INPUT -p udp --dport 60000:61000 -j ACCEPT

# Allow SSH connections
# The --dport number should be the same as the port number set in your sshd_config
-A INPUT -p tcp -m state --state NEW --dport xxx -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# DDoS
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7

# Log iptables denied calls
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7

# Allow Shadowsocks connections
# The --dport number should be the same as the port number set in your config.json
-A INPUT -p tcp --dport xxx -j ACCEPT

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
#-A OUTPUT -j DROP

# iptables-restore requires COMMIT to close the table
COMMIT
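As an added example (not from the original post or the book it summarises), the following Python script parses a constructed subset of the INPUT rules above in iptables-save syntax and walks the chain the way iptables does: top-down, the first ACCEPT/DROP/REJECT decides, and a LOG rule fires without ending traversal. Running it shows why rule order matters, for instance that the rate-limited port-80 rule under "# DDoS" is shadowed by the unconditional port-80 ACCEPT placed above it and never decides anything. It assumes packets are plain dicts and treats "-m limit" as still within its burst.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save syntax: a subset of the recommended INPUT rules above
RULES_TEXT = """
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
-A INPUT -j REJECT
"""
def parse_rule(line):
    # One '-A CHAIN ...' line -> {option: value}; a '!' marks the option after it as negated
    toks, i = shlex.split(line), 2
    rule = {"chain": toks[1], "target": None, "neg": set()}
    while i < len(toks):
        if toks[i] == "!":
            rule["neg"].add(toks[i + 1]); i += 1; continue
        if toks[i] == "-j":
            rule["target"] = toks[i + 1]
        elif toks[i] != "-m":          # '-m module' by itself matches nothing
            rule[toks[i]] = toks[i + 1]
        i += 2
    return rule
def matches(rule, pkt):
    # Every option present must match (a negated one must not); limit/log options impose nothing
    checks = {
        "-i": lambda v: pkt["iface"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--state": lambda v: pkt["state"] in v.split(","),
        "--icmp-type": lambda v: pkt.get("icmp_type") == int(v),
    }
    return all(ok(rule[o]) != (o in rule["neg"]) for o, ok in checks.items() if o in rule)
def evaluate(rules, chain, pkt, policy="DROP"):
    # Top-down; LOG fires and continues. Returns (target, deciding rule index or -1, log prefixes)
    logged = []
    for idx, r in enumerate(rules):
        if r["chain"] != chain or not matches(r, pkt):
            continue
        if r["target"] == "LOG":
            logged.append(r.get("--log-prefix", "")); continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], idx, logged
    return policy, -1, logged
RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]
```

Call `evaluate(RULES, "INPUT", pkt)` with a dict holding iface, proto, dst, state and, where relevant, dport or icmp_type; the returned index tells you which rule actually decided the packet.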
