Iptables configuration application example

Source: Internet
Author: User
Tags: ssh, port
Commands in iptables are case sensitive.
The main syntax differences between ipchains and iptables are as follows:
1. In ipchains the chain names are lower-case (for example input); in iptables use the upper-case INPUT instead.
2. In iptables you must specify which table a rule belongs to (with -t, for example -t nat). If -t is omitted, the default filter table is used.
3. In ipchains -i means "interface" in either direction, but in iptables -i is only the inbound interface and a separate -o gives the outbound interface.
4. In iptables the source port is given with --sport or --source-port.
5. In iptables the destination port is given with --dport or --destination-port.
6. In iptables the "discard" action no longer uses the target DENY; use DROP instead.
7. The ipchains logging flag -l has become the target -j LOG, and a prefix for the log entries can be specified.
8. The ipchains flag -y becomes --syn or --tcp-flags SYN,ACK,FIN SYN in iptables.
9. In iptables the ICMP message type is given with the keyword --icmp-type, for example:
iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d 0.0.0.0/0 -j ACCEPT
iptables usage examples
Writing iptables packet-filtering rules follows a few standard steps; once you are familiar with them you can combine them freely in your own configurations.
Observe the current settings
The procedure is as follows:
iptables -L -n
iptables -t nat -L -n
Define variables
FW_IP="163.26.197.8"
Enable the kernel forwarding function
The procedure is as follows:
###-----------------------------------------------------###
# Enable the forward function
###-----------------------------------------------------###
echo "1" > /proc/sys/net/ipv4/ip_forward
Clear all rules
First, clear all rules and start from scratch so that old rules do not interfere with the new settings. The procedure is as follows:
###-----------------------------------------------------###
# Clear previous settings
###-----------------------------------------------------###
# Clear all rules in the chains of the default (filter) table
iptables -F
# Delete the user-defined chains in the default (filter) table
iptables -X
# Clear all rules in the chains of the mangle table
iptables -F -t mangle
# Delete the user-defined chains in the mangle table
iptables -t mangle -X
# Clear all rules in the chains of the nat table
iptables -F -t nat
# Delete the user-defined chains in the nat table
iptables -t nat -X
Select the default policies
Next, choose the default policy for each chain. The procedure is as follows:
Drop everything by default:
###-----------------------------------------------------###
# Set the filter table default policy
###-----------------------------------------------------###
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Or accept everything by default:
###-----------------------------------------------------###
# Set the filter table default policy
###-----------------------------------------------------###
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
The default policy of each chain is set independently and is not affected by the other chains.
In the examples below, if a rule's target is DROP, set the policy to ACCEPT; if the target is ACCEPT, set the policy to DROP, so that the effect of the rule can be seen.
Open an interface
The procedure is as follows:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Note: packets on the loopback interface never pass through the FORWARD chain (in Netfilter as in IPFW),
so lo only needs rules in the INPUT and OUTPUT chains.
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
IP masquerading
After masquerading, packets from the internal network leave through the external NIC eth0 and use its address as their source for the outside connection. The procedure is as follows:
###-----------------------------------------------------###
# Start internal-to-external address translation
###-----------------------------------------------------###
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/16 -j SNAT --to-source $FW_IP
The preceding command masquerades the network segment 172.16.0.0/16 as $FW_IP.
Virtual host
By address and port forwarding, packets from the external network can be sent on to a server host in the internal network; this is also known as a virtual host. The method shields most of the server host's ports from external access and opens only the public service ports (such as Web server port 80), so the security is high.
The procedure is as follows:
###-----------------------------------------------------###
# Start external address translation
###-----------------------------------------------------###
# Anyone connecting to $FW_IP:80 is redirected to 172.16.255.2:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $FW_IP --dport 80 -j DNAT --to-destination 172.16.255.2:80
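The SNAT and DNAT rules above as a small script, added here as an illustration and not taken from the article. It assumes the article's FW_IP and eth0 values as defaults and introduces its own helper names (run, valid_ipv4, valid_port, masquerade_lan, publish_service). Besides the DNAT rule it also adds the two FORWARD rules that a published service needs when the FORWARD policy is DROP, which the article's single rule does not cover: the translated packet still traverses FORWARD, so it is dropped there unless accepted. By default the script only prints the commands so they can be reviewed; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the article): NAT helpers generalising the SNAT/DNAT rules.
FW_IP="${FW_IP:-163.26.197.8}"   # public address of the firewall (value from the article)
EXT_IF="${EXT_IF:-eth0}"          # external interface (from the article)
APPLY="${APPLY:-0}"               # 0 = print the commands, 1 = run iptables

# Print or execute one iptables invocation.
run() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Accept only dotted-quad IPv4 addresses with four octets of 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1.
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Accept a single decimal TCP port 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# masquerade_lan CIDR: hide the internal network behind $FW_IP (the article's SNAT rule).
masquerade_lan() {
    run -t nat -A POSTROUTING -o "$EXT_IF" -s "$1" -j SNAT --to-source "$FW_IP"
}

# publish_service EXT_PORT INT_IP INT_PORT: expose INT_IP:INT_PORT as $FW_IP:EXT_PORT.
# The DNAT rule rewrites the destination; the two FORWARD rules let the rewritten
# packets and their replies through when FORWARD's policy is DROP.  Replies from the
# internal server are accepted only when they are not connection openers (! --syn).
publish_service() {
    ext_port=$1; int_ip=$2; int_port=$3
    valid_port "$ext_port" && valid_ipv4 "$int_ip" && valid_port "$int_port" || return 1
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$FW_IP" --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"
    run -A FORWARD -i "$EXT_IF" -p tcp -d "$int_ip" --dport "$int_port" -j ACCEPT
    run -A FORWARD -o "$EXT_IF" -p tcp ! --syn -s "$int_ip" --sport "$int_port" -j ACCEPT
}

# "sh nat.sh demo" prints the article's two NAT cases; "APPLY=1 sh nat.sh demo" applies them.
if [ "${1:-}" = demo ]; then
    masquerade_lan 172.16.0.0/16
    publish_service 80 172.16.255.2 80
fi
```

The validation matters because the values usually come from a configuration file or a script argument; a malformed address or port makes iptables abort the script half-way, leaving the chains in a partially loaded state.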
Enable internal hosts to telnet to external hosts
Allow the internal network to telnet to external hosts.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open telnet port 23 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 23 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT
Mail transfer channel
Allow any mail host to deliver to your mail server, and allow your mail server to send mail out.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open SMTP port 25
###-----------------------------------------------------###
# Others can send mail to you:
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 25 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
# You can send mail to others:
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT
Open the channel for offline mail download
Allow the internal network to fetch mail from a POP3 server on the external network.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open POP3 port 110 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT
Open the web browsing channel
Allow the internal network to browse websites on the external network.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open HTTP port 80 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT
Enable DNS queries to external hosts
Allow the internal network to query any DNS host on the external network.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open DNS port 53
###-----------------------------------------------------###
# The first query is sent over UDP
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# If the UDP query fails, the query is retried over TCP
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Allow the DNS server on this host to talk to external DNS hosts: UDP
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 53 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
# Allow the DNS server on this host to talk to external DNS hosts: TCP
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 53 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
Enable internal hosts to ssh to external hosts
Allow the internal network to connect to external hosts with ssh.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open ssh port 22 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Some ssh protocol variants connect from the privileged source ports 1020-1023 instead:
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1020:1023 -d 0.0.0.0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 22 -d $FW_IP --dport 1020:1023 -j ACCEPT
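The telnet, SMTP, POP3, HTTP and ssh sections above all follow one pattern: an OUTPUT rule for the outgoing connection and an INPUT rule for the replies, restricted with ! --syn (or the mirror image for a service this host offers, as in the inbound SMTP case). The following script, added here as an example and not part of the article, turns that pattern into two functions. It assumes the article's FW_IP and eth0 as defaults and uses its own helper names (run, valid_port, allow_client_tcp, allow_server_tcp, allow_client_services); by default it prints the commands and APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the article): the client/server rule pairs as functions.
FW_IP="${FW_IP:-163.26.197.8}"   # firewall address used in the article
EXT_IF="${EXT_IF:-eth0}"          # external interface used in the article
APPLY="${APPLY:-0}"               # 0 = print the commands, 1 = run iptables

# Print or execute one iptables invocation.
run() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Accept a single decimal TCP port 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_client_tcp PORT [SPORT_RANGE]
# This host may open TCP connections to PORT on any remote host.  Replies are
# accepted only when they are not connection openers (! --syn matches SYN-ACK
# and data packets but not a lone SYN), so a remote host cannot use source port
# PORT to open new connections to our high ports.
allow_client_tcp() {
    port=$1; sports=${2:-1024:65535}
    valid_port "$port" || return 1
    run -A OUTPUT -o "$EXT_IF" -p tcp -s "$FW_IP" --sport "$sports" -d 0.0.0.0/0 --dport "$port" -j ACCEPT
    run -A INPUT -i "$EXT_IF" -p tcp ! --syn -s 0.0.0.0/0 --sport "$port" -d "$FW_IP" --dport "$sports" -j ACCEPT
}

# allow_server_tcp PORT
# Remote hosts may open connections to PORT on this host (the article's inbound
# SMTP case); our replies from PORT must not be SYN packets.
allow_server_tcp() {
    port=$1
    valid_port "$port" || return 1
    run -A INPUT -i "$EXT_IF" -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d "$FW_IP" --dport "$port" -j ACCEPT
    run -A OUTPUT -o "$EXT_IF" -p tcp ! --syn -s "$FW_IP" --sport "$port" -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
}

# allow_client_services PORT...: the article's whole client set in one call.
allow_client_services() {
    for p in "$@"; do
        allow_client_tcp "$p" || return 1
    done
}

# "sh pairs.sh demo" prints the article's client rules plus inbound SMTP.
if [ "${1:-}" = demo ]; then
    allow_client_services 23 25 110 80 22
    allow_client_tcp 22 1020:1023
    allow_server_tcp 25
fi
```

allow_client_tcp 22 1020:1023 reproduces the privileged-port ssh variant. Note that the ! --syn test is stateless: any packet without a lone SYN flag arriving from the named source port is accepted whether or not a connection exists, so on kernels with connection tracking the tighter form for the reply direction is -m state --state ESTABLISHED,RELATED, which the second configuration further below begins to use.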
Enable internal hosts to ftp to external hosts
Allow the internal network to ftp to external hosts.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open ftp port 21 on external hosts
###-----------------------------------------------------###
# Open the command channel (port 21)
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Open the active-mode data channel (the server connects from port 20)
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 20 -j ACCEPT
# Open the passive-mode FTP data channel
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s 0.0.0.0/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT
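The FTP rules above are the widest in the article: the passive-mode pair accepts any high port to any high port in both directions, which also admits unrelated traffic between high ports. This script, added as an example and not taken from the article, puts the article's rule set (mode wide) beside a version that relies on the FTP connection-tracking helper (mode stateful), the module the second configuration further below loads as ip_conntrack_ftp (nf_conntrack_ftp on current kernels). The helper names (run, ftp_client_rules) and the MODE argument are the example's own; FW_IP and eth0 are the article's defaults, and APPLY=1 executes instead of printing.

```shell
#!/bin/sh
# Added example (not from the article): FTP client rules, stateless vs. connection-tracked.
FW_IP="${FW_IP:-163.26.197.8}"   # firewall address used in the article
EXT_IF="${EXT_IF:-eth0}"          # external interface used in the article
APPLY="${APPLY:-0}"               # 0 = print the commands, 1 = run iptables

# Print or execute one iptables invocation.
run() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# ftp_client_rules MODE
#   wide     : the article's six rules.  Passive data channels need every high
#              port open to every high port in both directions.
#   stateful : only the control channel is opened explicitly; with the FTP
#              conntrack helper loaded, the data connection the server announces
#              (passive: we connect out; active: it connects in from port 20) is
#              accepted as RELATED to the control connection and nothing else is.
ftp_client_rules() {
    case $1 in
    wide)
        # control channel 21
        run -A OUTPUT -o "$EXT_IF" -p tcp -s "$FW_IP" --sport 1024:65535 -d 0.0.0.0/0 --dport 21 -j ACCEPT
        run -A INPUT -i "$EXT_IF" -p tcp ! --syn -s 0.0.0.0/0 --sport 21 -d "$FW_IP" --dport 1024:65535 -j ACCEPT
        # active data channel: the server connects from port 20 to our high port
        run -A INPUT -i "$EXT_IF" -p tcp -s 0.0.0.0/0 --sport 20 -d "$FW_IP" --dport 1024:65535 -j ACCEPT
        run -A OUTPUT -o "$EXT_IF" -p tcp ! --syn -s "$FW_IP" --sport 1024:65535 -d 0.0.0.0/0 --dport 20 -j ACCEPT
        # passive data channel: high port to high port, both directions
        run -A OUTPUT -o "$EXT_IF" -p tcp -s "$FW_IP" --sport 1024:65535 -d 0.0.0.0/0 --dport 1024:65535 -j ACCEPT
        run -A INPUT -i "$EXT_IF" -p tcp ! --syn -s 0.0.0.0/0 --sport 1024:65535 -d "$FW_IP" --dport 1024:65535 -j ACCEPT
        ;;
    stateful)
        run -A OUTPUT -o "$EXT_IF" -p tcp -s "$FW_IP" --sport 1024:65535 -d 0.0.0.0/0 --dport 21 -j ACCEPT
        run -A INPUT -i "$EXT_IF" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
        run -A OUTPUT -o "$EXT_IF" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
        ;;
    *)
        return 1
        ;;
    esac
}

# "sh ftp.sh wide" or "sh ftp.sh stateful" prints the chosen set.
if [ -n "${1:-}" ]; then
    ftp_client_rules "$1"
fi
```

The stateful set depends on the helper module being loaded before the rules are used; without it the data connection is neither RELATED nor ESTABLISHED and transfers hang after the control channel is opened.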
Open ping
Allow pinging any external host.
The procedure is as follows: (the default policy is DROP)
iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -s 0.0.0.0/0 --icmp-type 0 -d $FW_IP -j ACCEPT
Before configuring iptables, make sure that local DNS and routing are configured and that the local machine can reach the Internet normally; otherwise do not start iptables.
iptables configuration
The purpose of this iptables configuration is to block intrusions from the Internet while letting the hosts on the internal network reach the Internet. Until it is configured, only the local machine can access the Internet.
Red Hat 8.0 has a "Security Level" item under "System Settings"; it applies only to the local machine and cannot be used to configure iptables for a gateway. Open "Security Level" and set it to the "No firewall" level.
For ease of configuration and testing, write the script in "KWrite" and copy and paste all the statements into a "terminal" for execution. This makes it easy to modify and retest.
Open "KWrite" (under "Other" / "Accessories") and type or paste the following sample into it (eth0 is the external NIC and eth1 the internal NIC):
echo "Enable IP Forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Starting iptables rules ..."
/sbin/modprobe iptable_filter
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp        # supports passive FTP
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_h323 # support for NetMeeting
/sbin/modprobe ip_nat_h323
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -m state   # the script is cut off here in the source