Iptables command parameters

Source: Internet
Author: User

I. Getting started with iptables

Today, hackers intrude into computers in many ways, among which port-based intrusions are common. Shutting down the ports a server does not need is the simplest and most commonly used way to defend against such intrusions. This article uses Linux as the server operating system and the iptables provided by Linux to implement it.

1. Check the structure of the iptables policy.

[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The iptables policy consists of three parts (chains): INPUT, FORWARD, and OUTPUT.

A. INPUT: network packets flowing into the server

B. OUTPUT: network packets flowing out of the server

C. FORWARD: network packets routed through the server

2. Close the policy

Set all three of INPUT, FORWARD and OUTPUT to DROP so that everything is blocked and only selected ports are opened later.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

Run iptables -L -n to view the result:

[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

This setting is only temporary: after the server restarts, the policy goes back to ACCEPT as if it had never been set. To keep it across restarts, run service iptables save. A message is displayed indicating that the rules have been saved to /etc/sysconfig/iptables, so you can open that file to view them with vi /etc/sysconfig/iptables.

DROP can be understood as follows:

When INPUT = DROP, the firewall does not accept incoming data and does not allow it to enter the server.

When OUTPUT = DROP, the firewall blocks data flowing out of the server.

When FORWARD = DROP, the server does not forward (route) packets for other hosts.

3. Re-enable the policies (set them back to ACCEPT)

# iptables -P INPUT ACCEPT

# iptables -P FORWARD ACCEPT

# iptables -P OUTPUT ACCEPT

II. Open only a single port

When configuring a server, you usually open only the specific port the service requires and close the unnecessary ports, which improves the security of the server.

The following uses port 22 as an example to show how to allow access to port 22 only, so that no other port can be reached (port 22 is the port used to access Linux through ssh).

A. Check which ports are currently open on the server:

Use netstat -tnl to see which TCP ports the server is listening on.

[root@localhost ~]# netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:673             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 ::1:631                 :::*                    LISTEN

Many ports are open, and port 22 (ssh) is among them.

B. View the firewall settings

Run iptables -L -n to check that all three parts of the firewall (INPUT, FORWARD, OUTPUT) have the policy ACCEPT, that is, no restrictions are imposed.

At this point you can connect to the server successfully with an SSH client.

C. Close all ports

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

Wait a moment and you will find that the SSH connection is cut off, which shows that the port has been closed.

D. Open port 22 only

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Run iptables -L -n to check that the rules have been added:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22

Now the Linux server has only port 22 open; test the connection with SSH.
Run service iptables save to save the rules.

Note:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

-A: append a rule to the named chain (here INPUT or OUTPUT).

-p: specifies the protocol; tcp is the common case, but udp is also used, for example by DNS on port 53.

--dport: the destination port, used when data enters the server from outside.
Conversely, when data leaves the server, its source port is matched with --sport.

-j: the target: ACCEPT to accept the packet or DROP to discard it.
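The procedure in section II (close all policies, open one port, save) and the parameters explained in the note above, as one added example that is not code from the original article: a POSIX shell script that generates an iptables-restore ruleset for any list of TCP ports instead of the single port 22. It goes beyond the article in two ways, both assumptions of this example rather than anything the article states: it keeps loopback traffic open (the 127.0.0.1 listeners in the netstat output above still need it), and it lets reply traffic through with the conntrack ESTABLISHED,RELATED match rather than the article's OUTPUT --sport 22 rule, which also matches any locally originated packet that happens to use source port 22. The function names and the file path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Generates an iptables-restore
# ruleset that sets INPUT/FORWARD/OUTPUT to DROP and opens only the given TCP
# ports. Assumptions: loopback stays open; conntrack state matching replaces
# the article's --sport rule; apply_ruleset and the paths below are hypothetical.

# build_ruleset PORT [PORT...] : print a ruleset in iptables-restore format
build_ruleset() {
    # Default policies, equivalent to "iptables -P <chain> DROP"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Local services (the 127.0.0.1 listeners in netstat) talk over loopback
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections already accepted, in both directions
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        # Reject anything that is not a number in 1..65535
        case "$port" in
            ''|*[!0-9]*) echo "build_ruleset: invalid port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "build_ruleset: port out of range '$port'" >&2
            return 1
        fi
        # Same as "iptables -A INPUT -p tcp --dport PORT -j ACCEPT", restricted to new connections
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_accept_rules FILE : number of "-A ... -j ACCEPT" lines in a saved ruleset
count_accept_rules() {
    grep -c -- '-j ACCEPT' "$1"
}

# apply_ruleset FILE : syntax-check with --test, then load (needs root)
apply_ruleset() {
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Demonstration: the article's single-port case, printed rather than applied
build_ruleset 22
```

Generate the file with `build_ruleset 22 > /tmp/rules.v4`, then `apply_ruleset /tmp/rules.v4` from a console session rather than over SSH, since a mistake in the port list cuts the SSH session exactly as step C above does; the `--test` pass only checks syntax, not whether the rules lock you out.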
