CentOS firewall iptables usage details

1. Introduction: CentOS? What is the shortest margin of the dual ship ?? Powerful Fire Prevention ??, It is collectively referred to as iptables, but the more correct name is iptables/netfilter. Iptables is a usage? Which region accounts? ?? Why? Too many? The Pu core fades u ??? Why ?? Put the rule into the default table ?. Netfilter is a core module? Rong Miao? Group crisp school ??

1. Introduction

CentOS? What is the shortest margin of the dual ship ?? Powerful Fire Prevention ??, Collectively referred toIptablesBut the more correct name isIptables/Netfilter. Iptables is a usage? Which region accounts? ?? Why? Too many? The Pu core fades u ??? Why ?? Put the rule into the default table ?. Netfilter is a core module? Rong Miao? Group crisp school ?? ? Shu? Does ptables have many prefix Image interfaces for use? Why ??? Why are our elders suffering from Alimama? Pu Xie Xin Yi Pu Yu ?? Ant easy? ? Are you sure you want? Why? Command line interface of iptables.

Before we officially deal with iptables, we must have a basic understanding of its operation. Iptables uses the concepts of IP addresses, protocols (tcp, udp, and icmp), and ports. We don't need to be experts in these areas (because we can find the information we need), but a general understanding of them will help.

Iptables puts rules into the default rule chain (INPUT, OUTPUT, and FORWARD), and all traffic (IP compression) will be checked by the relevant rule chain, determine how to deal with each compression according to the rules, such as accept OR? G ?? It. These actions are called targets, and the two most common default targets are DROP? G ?? Compression; or ACCEPT to ACCEPT compression.

Rule chain

Can we filter the three default rule chains in the table? How is it? Create? U? Why? Owe? E is:

* INPUT-compression of all host-based data.
* OUTPUT-compression of all source hosts.
* FORWARD-the destination or source of the compression is not the host, but the path is routed to the host (it is chosen ). If your host is a vro, this rule chain will be applied.

We will spend the most time processing the INPUT rule chain to filter the compression into our machine-that is, to reject the bad guys.

A rule is added to each rule chain in the form of a list. Each compression will be checked by the first rule before the last one. If the compression matches one of the rules, the corresponding action will be executed, for example, ACCEPT or? G ?? (DROP) compression. Once there is a matching rule, this compression will be handled according to the rule, instead of being linked by the rule? Magpie sodium? Too many? Why ?? Why? Ring? Hello, Wei? Que Na Wei, I am confused and confused? 《? Why? Are you sure you want to recover the green onion? ? Why? Treasure pomelo dream? Yousang? CCEPT) or? G ?? (DROP) compression.

The concept of rule chain having default policies brings about two basic possibilities, and we must consider them before we can? Q. How should we organize fire prevention ??.

1. can we use a default policy? G ?? (DROP) all compression, and then deliberately add rules to ACCEPT (ACCEPT) compression from trusted IP addresses, or open the ports that provide services, such: bittorrent, FTP server, web server, Samba file server, etc.

Or,

2. we can use a policy by default to ACCEPT (ACCEPT) all compression, and then deliberately add rules to intercept (DROP) compression from problematic IP addresses or series, or, it can prevent the compression from entering or leaving the port for private purposes only or for the port that does not provide services.

Is it common ?, The first method is mostly used in the INPUT rule chain, because we want to control what can access our machine. The second method is mostly used in the OUTPUT rule chain, because most of us trust the compression that leaves (from) our machines.

2 .? Hour binding?

Using iptables on the command line requires the root permission. Therefore, you must use iptables as the root user? Taobaoyu

[Attachment: ArtWork/WikiDesign/icon-admonition-attention.png]

Note: we will disable iptables and reset your fire ?? Rules, so if you rely on your Linux firewall ?? As the first defense ?, Please? E. pay attention to this.

Iptables should be installed on all CentOS 3.x, 4.x, and 5.x by default. You can do this? Whether yongalcohol iptables has been installed on your system:

$ Rpm-q iptables
Iptables-1.3.5-1.2.1

Do you want to know if iptables is in operation? can we check whether the iptables module has been loaded ,? K uses the-L option to view the activity rules:

# Lsmod | grep ip_tables
Ip_tables 29288 1 iptable_filter
X_tables 29192 6ip6t_REJECT, ip6_tables, ipt_REJECT, xt_state, xt_tcpudp, ip_tables

# Iptables-L
Chain INPUT (policy ACCEPT)
Target prot optsource destination
RH-Firewall-1-INPUT all -- anywhere
Chain FORWARD (policy ACCEPT)
Target prot optsource destination
RH-Firewall-1-INPUT all -- anywhere
Chain OUTPUT (policy ACCEPT)
Target prot optsource destination
Chain RH-Firewall-1-INPUT (2 references)
Target prot optsource destination
ACCEPT all -- anywhere
ACCEPT icmp -- anywhere icmp any
ACCEPT esp -- anywhere
ACCEPT ah -- anywhere
ACCEPT udp -- anywhere 224.0.0.20.udpdpt: mdns
ACCEPT udp -- anywhere udp dpt: ipp
ACCEPT tcp -- anywhere tcp dpt: ipp
ACCEPT all -- anywhere state RELATED, ESTABLISHED
ACCEPT tcp -- anywhere state NEW tcp dpt: ssh
REJECT all -- anywhere reject-with icmp-host-prohibited

From the above we can see the default rules and the rules used to access the SSH service.

If iptables? K is not executed. can you do this ?? Why?

# System-config-securitylevel

3. create a simple set of rules

[Attachment: ArtWork/WikiDesign/icon-admonition-attention.png]

Note: At this moment, we will clear the default rule set. If you remotely connect to a server through SSH for learning, you may reject yourself from this server. You must change the default input policy to accept before clearing the existing rules. then, you must add a rule that allows you to access the machine by yourself, prevent yourself from being blocked.

Will we? Why ??? Different instructions for the pompeon bed iptables. In the first example, we will create a simple set of rules to set a "status compression test" (SPI) for fire prevention ??, Allow external connections but block all useless? Bustling? Sakura

# Iptables-P INPUT ACCEPT
# Iptables-F
# Iptables-a input-I lo-j ACCEPT
# Iptables-a input-m state -- state ESTABLISHED, RELATED-jACCEPT
# Iptables-a input-p tcp -- dport 22-j ACCEPT
# Iptables-P INPUT DROP
# Iptables-P FORWARD DROP
# Iptables-P OUTPUT ACCEPT
# Iptables-L-v

Should you get this? Neon running

Chain INPUT (policy DROP 0 packets, 0 bytes)
Pkts bytes target prot optin out source destination
0 0 ACCEPT all -- lo any anywhere
0 0 ACCEPT all -- any anywhere state RELATED, ESTABLISHED
0 0 ACCEPT tcp -- any anywhere tcp dpt: ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
Pkts bytes target prot optin out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
Pkts bytes target prot optin out source destination

Now let's look at the above eight commands one by one ,? K understands what we actually do? :

1.

Iptables-p input accept if the remote connection is used, we must temporarily change the default policy of the INPUT chain to ACCEPT. otherwise, when we clear the existing rule set, we will block ourselves out of the server.
2.

Iptables-F we use the-F option to clear all existing rules so that we can? Why are you feeling bored? ? Br/> 3.

Iptables-a input-I lo-j ACCEPT now it is time to add some rules. We use the-A option to attach (add) rules to A chain? It refers to the INPUT chain. Then we use the-I option (interface "interface") to specify the compression that matches or from the lo (localhost, 127.0.0.1) interface. Finally, we-j (jump "jump to") target action that complies with this rule: here? Is ACCEPT. So this rule will cause all the pairs that go to the localhost interface? Gu Fan's R talk about the media's umbrella. this is necessary because many software products are expected? Localhost adapter communication.
4.

Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT: this is the rule that handles most of the work, and we add it again (-A) to the INPUT chain? We use the-m option to mount a module (state ). Can the state module? Why? K determines whether the status is NEW, ESTABLISHED, or RELATED. NEW refers? Ran? Difficult to care about? Why? ? What does STABLISHED and RELATED mean? Ran? Gu Wei 'belongs to an existing connection or is related to the existing connection.
5.

Iptables-a input-p tcp -- dport22-j ACCEPT Now we add A rule to allow SSH to connect through tcp port 22. This? Young and? How about Yake Yade? All of them are frozen, and SSH connections to low-speed vehicles are accidentally closed. We will explain this rule in more detail later.
6.

Iptables-p input drop this-P option sets the default policy on a rule chain. Now we can change the default policy of the INPUT chain to DROP. Which means that the rule does not comply with any rules? Gu Yu? Why? G ??. What if we connect remotely through SSH?] After adding a rule, we will be blocked from the system.
7.

Iptables-p forward drop is the same? Yong Wu? When else e, we set the default policy of the FORWARD chain to DROP, because we? K does not use a computer as a router, so why?] There is any compression path through it.
8.

Iptables-p output accept. Finally, we set the default policy of the OUTPUT chain to ACCEPT, because we want to allow all external traffic (because we trust our use? Why ?? Br/> 9.

At the end of iptables-L-v, we can list the rules just added (-L ,? K. check whether they are correctly loaded.

The last thing we need to do is to store our rules so that they will be automatically reloaded at next boot:

#/Sbin/service iptables save

This? The init of the ipiptables? , It will execute/sbin/iptables-ave? K. write the existing iptables settings into/etc/sysconfig/iptables. Iptables init? We will re-run the command "/sbin/iptables-restore" to store data in/etc/sysconfig/iptables? Magpie tomb

Obviously, in the command ?? How long is it? Which of the following methods does zookeeper iptables do? . Can you input the preceding command to your favorite text editor ?? K is stored as myfirewall, for example:

#! /Bin/bash
#
# Iptables sample settings? Ben
#
# Clear iptables? Taobaoshi holding the tomb? Br/> #
Iptables-F
#
# Connect SSH to tcp port 22
# Do you need to connect to the server remotely through SSH? Are you sure you want to take a nap? Low disconnection? Br/> #
Iptables-a input-p tcp -- dport 22-j ACCEPT
#
# Set default policies for INPUT, FORWARD, and OUTPUT chains
#
Iptables-P INPUT DROP
Iptables-P FORWARD DROP
Iptables-P OUTPUT ACCEPT
#
# Setting access permissions for localhost
#
Iptables-a input-I lo-j ACCEPT
#
# Accept compression for existing and related connections
#
Iptables-a input-m state -- state ESTABLISHED, RELATED-jACCEPT
#
# Storage Settings
#
/Sbin/service iptables save
#
# List rules
#
Iptables-L-v

? : We can? Ben? Burning Youyu] let's remind you what you are doing ?.

Now order? This can be executed:

# Chmod + x myfirewall

Can we edit this now? Ben ,? K is in the instruction ?? Are you sure you want to get rid of the yundun wheel?

#./Myfirewall

4. Interface

In the previous template, we can see how to accept all the compression from a specific interface, that is, the localhost interface:

Iptables-a input-I lo-j ACCEPT

Suppose we have two independent interfaces? E is connecting us? Bustling ?? Eth0 and the ppp0 dial-up modem (or eth1 adapter) connected to the external Internet ). We may want to accept all? Bustling ?? Mu? Guyl ?? Corridor? Four-slice, vinegar, and Yao ?? Why N? Youxiao

Iptables-a input-I lo-j ACCEPT
Iptables-a input-I eth0-j ACCEPT

Let's? E note-if you accept all the compression requests from the internet interface (for example, ppp0 dial-up modem:

Iptables-a input-I ppp0-j ACCEPT

You are equivalent to disabling our fire prevention ??!

5. IP address

Open the entire interface? Magpie is difficult to care about the problem? What does a Shard have ?? Are you sure you want to continue? Why is it difficult? Q Is it acceptable? And reject? What ?. Now suppose we have a group? Hosts 192.168.0.x private network computers. Can we enable fire prevention ?? To a trusted IP address (for example, 192.168.0.4? Guyl

# Accept compression from trusted IP addresses
Iptables-a input-s 192.168.0.4-j ACCEPT # change the IP addressas appropriate

To break down this command, we first attach A rule (-A) to the INPUT chain, specifying that compression of the source (-s) IP address is 192.168.0.4 should be accepted (ACCEPT) (Please also pay attention to how we use the # symbol to explain us? Because # all subsequent texts are considered? Release ).

However, if we want to accept the compression from a series of IP addresses, we can add a rule for each IP address that is bitwise? What about youshanna? ? Gou ne? Why? Hi Huai? It is relatively simple to use the IP address of uguanqiang. Want this? Young man? Yi qiexiao? What is the oil? Too many tasks? Real male? The description specifies the IP address range. For example ?, If we want to fire ?? Open to the compression from the whole range of 192.168.0.x (where x = 1 to 254), we can use one of the following methods to achieve the goal:

# Accept compression from trusted IP addresses
Iptables-a input-s 192.168.0.0/24-j ACCEPT # usingstandard slash notation
Iptables-a input-s 192.168.0.0/255.255.255.0-j ACCEPT # using asubnet mask

In addition to filtering a single IP address, we can also pair the MAC address of the device. To do this, we need to mount an allowed filter MAC