Iptables firewall rule settings

Source: Internet
Author: User
The method for starting and stopping iptables depends on the Linux release version in use. you can view the documentation of the Linux version in use. In RedHat, start iptables with: # serviceiptablesstart. generally, iptables is already included in the Linux release. you can run iptables -- version to check whether iptabl is installed in the system.

Start and stopIptablesThe method depends on the Linux release version used. you can view the documentation of the Linux version used. In RedHat, startIptablesUsage:

# Service iptables start

Generally, iptables is included in the Linux release. you can run iptables -- version to check whether iptables is installed in the system. In my Ora Core 1, the installed version is iptablesv1.2.8. If your system does not have iptables installed, you can download it from the following address:


View rule sets

Although the usage of iptables is briefly described above, we may need to know more complete information in reality. in this case, we can run maniptables to view the complete introduction of all commands and options, you can also run iptableshelp to view a quick help. To view the existing iptables planning set in the system, run the following command:

Iptables list

The following figure shows the iptables when no planning is defined:

Chain INPUT (policy ACCEPT)

Target prot opt source destination

Chain FORWARD (policy ACCEPT)

Target prot opt source destination

Chain OUTPUT (policy ACCEPT)

Target prot opt source destination

As shown in the preceding example, each data packet must pass one of the three built-in chains (INPUT, OUTPUT, and FORWARD. Filter is the most commonly used table. the basic syntax for setting all the table rules is as follows: iptables [-t table] command [match] [target].

In reality, it is not necessary to use all the options listed here, nor necessarily in this order. Of course, this is a convention, because the rules are generally relatively long. for clarity, it is best to follow this order.

If no rule table is specified, a time-saving filter table is missing. The three most common targets in the filter table are ACCEPT, DROP, and REJECT. DROP discards the data packet and does not process it any more. The REJECT will send the error message to the host that sends the data packet. Although there are sometimes unexpected effects, it is still very useful in many cases.

Add rules

In this example, the rules will block data packets from a specific IP address range, because the IP address range is suspected by administrators that a large number of malicious attackers are active:

# Iptables-t filter-a input-s123.456.789.0/24-j DROP

To learn more about iptables parameters and command formats, use maniptables. It can be said that we have already hated malicious attackers on the Internet, but in any case, we cannot simply retaliate against them in the same way because we hate them, at least this kind of thing cannot happen on your network. Therefore, we can easily block all data packets that flow to the attacker's IP address. This command is slightly different:

# Iptables-t filter-a output-d123.456.789.0/24-j DROP

Note that option A here is used to add rules for existing chains, as described earlier.

Delete rule

Malicious attackers on the network are always changing, so we need to constantly change the IP address. Assume that an online attacker is transferred to a new IP address, and the old IP address is assigned to some innocent users, in this case, the user data packets cannot pass through your network. In this case, we can use the command with the-D option to delete the existing rule:

# Iptables-t filter-d output-d123.456.789.0/24-j DROP

Default policy

It takes a lot of time to create a rule that is flexible and can withstand various unexpected events. For those who do not want to do this, the most basic principle is "deny all the packets first and then allow the required packets ". Next we will set the default rules for each chain:

# Iptables-P INPUT DROP



Here, option-P is used to set the Chain Policy. only three built-in chains have a policy. These policies allow information to flow out without restrictions, but do not allow information to flow in. However, in many cases, we still need to receive external information. Use the following command:

# Iptables-t filter-a input-s123.456.789.0/24-j ACCEPT

SYN usage

We cannot close all ports, so we will be completely isolated from each other ". We cannot specify only some ports in the open state, because we cannot predict which port will be used. In fact, simply allowing data streams destined for a specific port to pass will be meaningless in preventing malicious attacks. So how can we set an effective rule that allows normal users to pass normally and prevents malicious attackers from accessing our network?

For those who are using iptables at the beginning, we can fully use the syn mark to block unauthorized access. Because iptables only detects the packet header, it does not increase the load. In fact, many other useful packet analysis methods except iptables are based on headers.

For example, when a Web surfing request is sent from your PC to a Web server in another place, the server then responds to the request and sends you a packet, and get a temporary port on your system. Different from the response request, the server does not care about the content you send. You can use this feature to set a rule to prevent all TCP connections that are not authorized by your system:

# Iptables-t filter-a input-I eth0-p tcp -- syn-j DROP

Here-I refers to the NIC,-p refers to the protocol, and -- syn indicates the TCP packet with the syn flag. We can see that the understanding of TCP/IP is very helpful for maintaining network security. SYN is used to initialize a TCP connection. if you do not run any server on your machine, others will naturally not send SYN packets to you.

In this regard, some people will say: why is it so troublesome? Indeed, we have a simpler way to create a firewall, and there are a lot of good software that can help us build our own rule set, but we should be clear, the simplest way, it is often not the best method. Since we have a better method, why not use it?

Share an Internet connection

Both network address translation and IP disguise allow multiple hosts to share an Internet connection, which can be a multi-system Lan consisting of Linux and Windows systems. Assume that one machine has two NICs, eth0 is a public Nic and eth1 is a private Nic.

In other words, eth0 is assigned a static and routable IP address, while eth1 is assigned a private IP address that cannot be routed, that is to say, the IP belongs to the LAN subnet. To implement the above functions, we need to add some links to the nat and filter tables:

# Iptables-t nat-a postrouting-oeth0-j MASQUERADE

# Iptables-t filter-a forward-ieth0-o eth1-m state -- state


# Iptables-t filter-a forward-ieth1-o eth0-j ACCEPT

This shows the value of stateful packet detection. Please note that the inbound data packets are allowed only when they belong to an existing connection, and all data packets from the inbound data packets from the Lan are allowed to pass (note: here, the filter is the default table, but it is not required ). The first rule makes all outgoing information appear from the firewall machine, and does not show that there is a LAN behind the firewall.

The following example Sets a default policy for the FORWARD and POSTROUTING chains. when using camouflage, a default POSTROUTINGDROP policy is very important. otherwise, there may be malicious users who break through the gateway and disguise their identities.

# Iptables-t filter-P FORWARDDROP

# Iptables-t nat-P POSTROUTINGDROP

The following example is set for a dial-up connection. it can dynamically allocate IP addresses:

# Iptables-t nat-a postrouting-oppp0-j MASQUERADE

Save rule

The problem with changing rules using scripts is that the command iptables must be called to change each rule, and iptables must be extracted from the entire rule set in the netfilter kernel space for each call, insert or append the rule set, or make other changes. at last, it takes a lot of time to insert the new rule set from its memory space to the kernel space.

To solve this problem, you can use the command iptables-save and restore. Iptables-save is used to save the rule set to a text file in a special format, while iptables-restore is used to reload the file into the kernel space.

The best thing about these two commands is that you can load and save the rule set after one call, instead of calling iptables once for every rule in the script.

Iptables-save can extract the entire rule set from the kernel and save it to the file once it runs, while iptables-restore loads a rule table each time. In other words, for a large rule set, if you set it with a script, these rules will be uninstalled and installed multiple times repeatedly, now we can save the entire rule set once and install it as a table, which saves a lot of time. Therefore, once the test results are satisfactory, you can save them as scripts:

# Iptables-save> iptables-script

Now, all the rules in the information packet filtering table are saved in the file iptables-script. You can use the iptables-restore command to restore the rule set from the script file to the information packet filtering table at any time. the recovery command is as follows:

# Iptables-restore iptables-script

If you are willing to automatically restore the rule set every time you boot the system, you can put the command specified above in any initialization shell script.

In fact, most releases provide users with a file that can be automatically loaded, allowing users to edit rule sets, and most releases have a pre-configured firewall. The configuration files of different releases vary in different locations. you can use the locateiptables command to find the configuration file. For Red Hat or FedoraCore, this configuration file is located in/etc/sysconfig/iptables. The initial content of this file is as follows:

1 # Firewall configuration

2 * filter

3: INPUT [0: 0]

4: FORWARD [0: 0]

5: OUTPUT [0: 0]


7 # your rules here



We recommend that you change the basic framework to the following:

1 * filter

2: input drop [0: 0]

3: forward drop [0: 0]

4: output accept [0: 0]


6 # allow local loopback connections

7-a input-I lo-j ACCEPT


9 # drop INVALID connections

10-a input-m state -- state INVALID-jDROP

11-a output-m state -- state INVALID-jDROP

12-a forward-m state -- state INVALID-j DROP


14 # allow all established andrelated

15-a input-m state -- stateESTABLISHED, RELATED-j ACCEPT


17 # add anymore rules here



**************************************** ***************************

Firewall basics (iptable)


Author: linux (http://www.linuxmine.com)

From: linux inventory (http://www.linuxmine.com)

Existing: http://www.linuxmine.com/1613.html

Contact: linuxmine # gmail.com

Do not understand? Welcome

Linux Forum for http://bbs.linuxmine.com)

Join the discussion!

We know that access from the Internet enters the host system through TCP/IP packets. In linux, the ip filter mechanism is used to implement the first layer of protection. if the layer of protection is passed, the next layer of protection is used to check the TCP_Wrappers function.

IP Filter ):

Packet filtering is the first firewall provided by linux! But different core versions have different packet filtering mechanisms! Linux with 2.2.xx as the core mainly uses ipchains as the filter mechanism. for the latest version of 2.4.xx, iptables is used as the filter mechanism! OK! Since our Red Hat 7.1, 7.2, and 7.3 are kernel 2.4.xx, iptables is used to defend against IP attacks! Because the TCP packet contains IP addresses and ports, it is easy to defend against source IP addresses or their own ports! Currently, you only need to know that iptables can be analyzed through the TCP package table investment materials. for example, if it is included with the rules, otherwise, discard it to prevent non-compliant people from entering your computer.

For Packet protection, TCP_Wrappers can be used.

You should always go to the/var/log/messages and/var/log/secure files! All are logon records.

To protect the host, the first step is to establish sound password rules! This is often the first step for cracker to try to intrude! You must set up the host password rules. you can try to use chattr to make the/etc/passwd and/etc/shadow files unchangeable! Safer!

Do a good job in security

1. upgrade and Fix Kit vulnerabilities and remove dangerous kits:

2. security settings for each system service

3. basic fire prevention setting of TCP_Wrappers

4. set iptables fire prevention rules

5. host resource detection system (MRTG)

6. log on to the file analysis system:


Iptables is the main IP address filtering mechanism for linux Kernel 2.4.xx and later versions! Its biggest function is to filter out unwanted TCP packets! Of course, there are more functions than that. It can also be used for IP camouflage to achieve NAT host functions! The operation direction of iptables must be analyzed in the order of rules. let's briefly talk about several concepts of iptables:

There are several tables:

Unlike the previous version of ipchains, iptables can define new tables rules! It makes firewall rules easier to manage! Basically, the original iptable has at least two tables. one is filter (the default table is filter when tables is not entered), and the other is a very important nat table. Among them, filter can be used to manage the security of the host, as for nat, it is used to process NAT!

Clear rules:

The iptables setting method is actually very simple, that is, using the command column method. its basic syntax is as follows when clearing rules:

[Root @ test/root] #/sbin/iptables [-FXZ]

Parameter description:

-F: clear all predefined rules;

-X: Kill the chain created by all users (tables should be said );

-Z: returns the count and traffic statistics of all chains to zero.


[Root @ test/root] #/sbin/iptables-F

[Root @ test/root] #/sbin/iptables-X

[Root @ test/root] #/sbin/iptables-Z

Please note that if you are remotely connected, "these three commands must be executed consecutively using scripts." otherwise, you will surely be blocked by the host !』

Define Policy ):

After the rules are cleared, the next step is to set the rule policy! This so-called Policy refers to "when your package is not in your rules, the pass of the package will be subject to the Policy setting", for example: you have set ten rules, but when there is a packet, these ten rules are not applicable. at this time, this package will be subject to Policy rules to determine whether the firewall can be used. Generally, this policy can be defined more strictly in terms of INPUT, while FORWARD and OUTPUT can be set more loosely!

[Root @ test/root] #/sbin/iptables [-ttables] [-P] [INPUT, OUTPUT, FORWARD | PREROUTING, OUTPUT, POSTROUTING] [ACCEPT, DROP]

Parameter description:

-T: define table!

Tables: table name, such as nat!

-P: defines the Policy ).

INPUT: the packet is the direction of the INPUT host;

OUTPUT: the direction of the OUTPUT host;

FORWARD: The direction in which packets are transmitted outside the host;

PREROUTING: work performed before the route entry;

OUTPUT: the direction of the OUTPUT host;

POSTROUTING: work performed after entering the route.


[Root @ test/root] #/sbin/iptables-PINPUT ACCEPT

[Root @ test/root] #/sbin/iptables-POUTPUT ACCEPT

[Root @ test/root] #/sbin/iptables-PFORWARD ACCEPT

[Root @ test/root] #/sbin/iptables-tnat-P PREROUTING ACCEPT

[Root @ test/root] #/sbin/iptables-tnat-P OUTPUT ACCEPT

[Root @ test/root] #/sbin/iptables-tnat-P POSTROUTING ACCEPT

Define all preset policies as acceptable!

Add and insert rules:

Next, we need to define rules! We should observe it from the host perspective first! You can set it like this!

[Root @ test/root] #/sbin/iptables [-AI] [INPUT, OUTPUT, FORWARD] [-io interface] [-p TCP, UDP] [-s IP/network] [-- sport ports] [-d IP/network] [-- dport ports]-j [ACCEPT, DROP]

Parameter description:

-A: Adds A rule to the last row;

-I: add the first rule;

INPUT: the packet is the direction of the INPUT host;

OUTPUT: the direction of the OUTPUT host;

FORWARD: The direction in which packets are transmitted outside the host;

-I: inbound Nic interface

-O: outbound Nic interface

Interface: network card interface, such as ppp0, eth0, eth1 ....

-P: Please note that this is in lower case! Packet protocol!

TCP: a TCP packet;

UDP: UDP packets;

-S: the IP address or Network (domain) of the source packet );

-- Sport: port number of the source packet;

-D: IP address or Network (domain) of the target host );

-- Dport: the port number of the target host;

-J: action. you can perform the following actions;

ACCEPT: ACCEPT this packet

DROP: discard packets


[Root @ test/root] #/sbin/iptables-AINPUT-I lo-j ACCEPT

All packets from the lo interface are accepted.

[Root @ test/root] #/sbin/iptables-AINPUT-I eth0-p TCP-s ACCEPT

Packets from the IP address are accepted.

[Root @ test/root] #/sbin/iptables-AINPUT-I eth0-p TCP-s ACCEPT

Any computer from the domain of the C Class will accept it!

[Root @ test/root] #/sbin/iptables-AINPUT-I eth0-p TCP-s DROP

Packets from are discarded directly!

[Root @ test/root] #/sbin/iptables-AINPUT-I eth0-p TCP -- dport 21-j DROP

If you want to enter the port 21 package, discard it!

[Root @ test/root] #/sbin/iptables-AINPUT-I eth0-p TCP-s -- dport 22-j ACCEPT

Host from if you want to reach port 22, accept it!

Note: The firewall rules are checked in sequence in one row. if any rule is met, the firewall will act (accept or discard). Otherwise, the firewall will continue to check to the last one.


This TCP_Wrappers is really a simple setup job, because it only needs to set/etc/hosts. allow and/etc/hosts. deny! Basically, it checks TCP through the/usr/sbin/tcpd program! The test method is set by/etc/hosts. allow and/etc/hosts. deny! The inspection process is to first use the/etc/hosts. allow file. after the inspection, search for/etc/hosts. deny! Okay. how can I set hosts. allow?


Note that the network can use, but not!

[Root @ test/root] # vi/etc/hosts. allow

In. telnetd: allow

In. ftpd: allow

Telnet and ftp enabled for on the local machine!

[Root @ test/root] # vi/etc/hosts. deny

In. telnetd: deny

Disable the telnet service of!

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.