Iptables getting started

Source: Internet
Author: User

0x00 iptables Introduction

On Linux, packet filtering (the Linux firewall) is implemented by two components: netfilter and iptables.

netfilter is the kernel-space component: a set of hooks in the network stack together with the packet filtering tables that hold the rule sets the kernel consults when deciding what to do with each packet.

iptables is the user-space component: a command-line tool for inserting, modifying and removing rules in those packet filtering tables.

 

0x01 iptables Structure

Structure of iptables:

iptables -> Tables -> Chains -> Rules

In short, a table is made up of chains, and each chain is an ordered list of rules. By default iptables has four tables: filter, nat, mangle and raw.

0x02 iptables Workflow

A packet arriving at the host first passes through the PREROUTING chains (raw, mangle, nat). The routing decision then sends it either to the INPUT chains (mangle, filter) and on to a local process, or, if it is addressed to another host and forwarding is enabled, to the FORWARD chains (mangle, filter) and then the POSTROUTING chains (mangle, nat) before it leaves. Locally generated packets go through the OUTPUT chains (raw, mangle, nat, filter), a routing decision, and POSTROUTING. Within a chain the rules are evaluated in order: the first matching rule with a terminating target decides the packet's fate, and a packet that no rule matches gets the chain's default policy.

0x03 filter table description

1. In iptables, the filter table is the one that filters packets. It has three built-in chains:

INPUT chain: packets addressed to the local host.
OUTPUT chain: packets generated by the local host.
FORWARD chain: packets routed through the local host to another interface or host.
2. Data Flow scenarios

Remote hosts accessing the local host: filtered on the INPUT chain

The local host accessing remote hosts: filtered on the OUTPUT chain

Traffic passing through the local host to other hosts: filtered on the FORWARD chain

3. Basic Iptables operations

Start iptables: service iptables start

Stop iptables: service iptables stop

Restart iptables: service iptables restart

View iptables status: service iptables status

Save the running rules: service iptables save

iptables service configuration file: /etc/sysconfig/iptables-config

File the rules are saved to and loaded from: /etc/sysconfig/iptables

Enable IP forwarding (required for the FORWARD chain to see any traffic): echo 1 > /proc/sys/net/ipv4/ip_forward

Three caveats. The service commands above are the SysV init scripts of RHEL/CentOS 6; on systemd-based releases the same files come from the iptables-services package and the unit is managed through systemctl, while iptables-save and iptables-restore write and load the same rules file on any distribution. "stop" flushes all rules and sets every chain's policy to ACCEPT, so it opens the host rather than closing it. And the echo into /proc takes effect immediately but does not survive a reboot; make it permanent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

0x04 iptables command reference

Command:

iptables [-t table] command [chain] [match conditions] [-j target]

1. Table name

Table name: filter, nat, mangle, raw

Packet filtering is done in the filter table. The -t option may be omitted; when no table is given, filter is used.

2. Command options

Option               Function
-A (--append)        Append a new rule at the end of the specified chain
-D (--delete)        Delete a rule from the specified chain, selected by rule number or by its full specification
-I (--insert)        Insert a new rule into the specified chain; without a rule number it goes at the beginning of the chain
-R (--replace)       Replace a rule in the specified chain, selected by rule number
-L (--list)          List the rules of the specified chain; with no chain, all chains in the table are listed
-F (--flush)         Delete all rules in the specified chain; with no chain, all chains in the table are flushed
-N (--new-chain)     Create a user-defined chain
-X (--delete-chain)  Delete a user-defined chain (it must be empty and not referenced by any rule)
-P (--policy)        Set the default policy of the specified built-in chain
-n (--numeric)       Numeric output: show IP addresses and port numbers instead of host and service names
-v (--verbose)       Verbose rule listing (packet and byte counters, interfaces)
-V (--version)       Show the version of the iptables tool
-h (--help)          Show command help
--line-numbers       When listing rules, show each rule's number within the chain

Options are case-sensitive: -N, -P and -V are commands, while -n, -p and -v are unrelated flags.
3. Chain name

Which chain to use follows from the direction of the traffic. For the filter table:

INPUT chain: packets addressed to the local host.
OUTPUT chain: packets generated by the local host.
FORWARD chain: packets routed through the local host to another interface or host.
4. Condition matching

Match conditions come in two kinds, basic matches and extended matches; extended matches are further divided into implicit extensions and explicit extensions.

A) Basic matches:

Parameter   Description
-p          Protocol: tcp, udp, icmp, or all for every protocol
-s          Source address: an IP address, a network in CIDR notation, or a host name
-d          Destination address, in the same forms as -s
-i          Input interface (valid in the INPUT, FORWARD and PREROUTING chains)
-o          Output interface (valid in the OUTPUT, FORWARD and POSTROUTING chains)

B) Implicit extensions: match options that become available automatically once -p names a protocol, without any -m. The ones used in this article are --sport and --dport for tcp and udp, --syn for tcp, and --icmp-type for icmp.

C) Common explicit extensions: matches loaded explicitly with -m module. The ones used in this article are state (--state NEW, ESTABLISHED, RELATED, INVALID; on current kernels an alias of -m conntrack --ctstate), limit (--limit, --limit-burst), connlimit (--connlimit-above) and recent (--set, --update, --seconds, --hitcount, --name).

5. Target

The actions that can be taken on a packet include:

ACCEPT: let the packet through.
DROP: silently discard the packet; nothing is sent back to the sender.
REJECT: discard the packet and send an error back to the sender (an ICMP port-unreachable message by default; --reject-with tcp-reset sends a TCP RST instead).
LOG: write the packet's details to the kernel log (typically /var/log/messages or the journal), then continue with the next rule; LOG is a non-terminating target.
QUEUE: hand the packet to a user-space program.
RETURN: stop evaluating the current chain and continue in the calling chain; in a built-in chain the default policy applies.
0x05 common Iptables commands

A) 1. Flush the existing rules

iptables -F

This deletes every rule in every chain of the filter table; it does not change the chain policies. Use -t to flush another table.

B) 2. View the rules

iptables -L (or iptables -L -v -n for packet counters and numeric addresses and ports)

Add --line-numbers to see the rule numbers that -I, -D and -R refer to.

C) 3. Add a rule to the end

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 

D) 4. Add a rule to the specified location

iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 

E) 5. Delete a rule (here, the second rule of the INPUT chain)

iptables -D INPUT 2

F) 6. modify a rule

iptables -R INPUT 3 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT 

G) 7. Set the default policy

iptables -P INPUT DROP

The policy is what happens to a packet that no rule in the chain matches. Set it to DROP only after the rules that keep your own management session alive are in place, or do it from the console.

H) 8. Allow inbound SSH (remote hosts connecting to this host)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

I) 9. Allow outbound SSH (this host connecting to remote hosts)

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

J) 10. Allow inbound HTTP requests

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

K) 11. Rate-limit ICMP echo requests (ping) to the host 192.168.146.3: on average 2 per second, with a burst of at most 3

iptables -A INPUT -i eth0 -d 192.168.146.3 -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT

This rule only accepts the packets that fall within the limit; everything above it falls through to the following rules and finally to the chain policy. It therefore limits ping only if the INPUT policy is DROP or a later rule drops echo requests.

L) 12. Rate-limit new SSH connections (the default policy is DROP)

iptables -I INPUT 1 -p tcp --dport 22 -d 192.168.146.3 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -d 192.168.146.3 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT

The first rule keeps already-established sessions working; the second admits at most two new connections per minute (after an initial burst of two) and, because the policy is DROP, every further SYN in that minute is discarded. The limit is shared by all sources, not counted per source address, so one noisy client exhausts it for everybody.
0x06 How to correctly configure iptables

A) 1. Flush the existing rules

iptables -F

B) 2. Set the default policy of each chain

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

If you are doing this over SSH, run step 3 before step 2, or put the whole sequence in one script: the moment all three policies are DROP with no rules in place, every packet, including your current session, is discarded. Also add a rule accepting traffic on the loopback interface (lo) before anything else; with INPUT and OUTPUT at DROP, local services that talk over 127.0.0.1 stop working.

C) 3. Allow inbound SSH (remote hosts connecting to this host)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

D) 4. Allow outbound SSH (this host connecting to remote hosts)

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

E) 5. Allow inbound HTTP requests

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Each service here carries its own ESTABLISHED rule in both directions. A single rule at the top of INPUT and of OUTPUT that accepts the ESTABLISHED and RELATED states does that job once, and the per-service rules then only need to match NEW connections.
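The five steps above, written as one ruleset that iptables-restore loads atomically, so there is no window between setting the DROP policies and adding the allow rules. This is an added example, not part of the original article: the interface name eth0, the admin network 192.168.146.0/24 and the choice of outbound ports are assumptions, and it uses the conntrack match (the successor of -m state) plus the loopback and INVALID handling that the article's steps omit.

```sh
#!/bin/sh
# Added example, not from the original article: the 0x06 baseline as one
# iptables-restore ruleset. Interface, admin network and ports are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"                       # assumed external interface
ADMIN_NET="${ADMIN_NET:-192.168.146.0/24}"     # assumed network allowed to SSH in
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-80}"

# baseline_ruleset: print the filter table in the format iptables-save writes
# and iptables-restore reads. Policies are DROP, so every rule below is an
# explicit allow; lines starting with "#" are comments to iptables-restore.
baseline_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: local services that talk over 127.0.0.1 break without it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one conntrack rule per direction replaces every per-service ESTABLISHED rule
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify never reach the service rules
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound: SSH only from the admin network, HTTP from anywhere
-A INPUT -i ${WAN_IF} -s ${ADMIN_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport ${HTTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
# outbound: only what the host needs (DNS and SSH here); extend as required
-A OUTPUT -o ${WAN_IF} -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# count_accepts: number of ACCEPT rules in the generated ruleset (sanity check)
count_accepts() {
    baseline_ruleset | grep -c -- '-j ACCEPT'
}

# apply_ruleset: parse with --test first, then load. Root only; iptables-restore
# replaces the whole table in one step, so there is no lock-out window.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    baseline_ruleset | iptables-restore --test
    baseline_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       baseline_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to print the ruleset and review it; --apply loads it as root after iptables-restore --test has parsed it. The result persists through service iptables save, or by writing the same output to /etc/sysconfig/iptables.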
0x07 Using iptables to defend against common attacks

1. Mitigating SYN floods

Approach 1: rate-limit incoming SYNs (the rate must be chosen carefully, otherwise legitimate connection attempts are affected as well)

iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

Every SYN is sent to the user-defined chain syn-flood; SYNs within the limit RETURN to INPUT and continue through the normal rules, and everything above the limit is dropped. As in example 12 above, the limit is shared by all sources.

Approach 2: cap the number of connections a single IP address may hold

iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

connlimit counts the connections tracked by conntrack per source address (a /32 by default; --connlimit-mask widens it to a network). It does not help against a spoofed-source SYN flood, where every SYN comes from a different address.

2. Mitigating DoS attacks on a service

Combine connlimit with the recent module:

iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP

A single IP address may hold at most three SSH sessions.

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

Every new connection attempt records the source address in the list named SSH.

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

A source that already has three recorded attempts within the last 300 seconds is dropped. Because all three commands use -I, each lands at the top of the chain, so the final order is: the --update check, then --set, then connlimit. With the check ahead of the recording rule, the first three attempts are recorded and the fourth attempt within 300 seconds is dropped; swapping the two recent rules would drop the third. Note that --update refreshes the timestamp on every dropped attempt, so access is restored only once the source has been quiet for 5 minutes, not 5 minutes after the first block. On current kernels the list can be inspected in /proc/net/xt_recent/SSH.

3. Limit excessive connections from a single IP address to the web server

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j DROP

4. Block reverse-shell ("rebound") trojans from calling out

iptables -A OUTPUT -m state --state NEW -j DROP

This drops every new outbound connection the host initiates, which is exactly what a reverse shell needs. It also blocks every legitimate outbound connection (DNS lookups, package updates, outbound SSH), so the OUTPUT rules allowing the traffic the host really needs must come before it.

5. Rate-limit ping

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT

Like example 11 above, this accepts one echo request per minute and lets the rest fall through to the chain policy; with a default policy of ACCEPT it changes nothing, so it needs either INPUT at DROP or a following rule that drops echo requests.
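A small check for the pitfall behind the two ping rules (examples 11 and 5 above): a limit match whose action is ACCEPT restrains nothing unless the excess is dropped afterwards. This is an added example, not from the original article. It reads iptables-save output and warns about every limit-ACCEPT rule that is not followed by a DROP or REJECT in a chain whose policy is not DROP. The ruleset it runs on is constructed for the example and mixes the article's rules with a corrected variant in the OUTPUT chain.

```sh
#!/bin/sh
# Added example, not from the original article: lint iptables-save output for
# "-m limit ... -j ACCEPT" rules that nothing below them in the chain drops.
set -eu

# Constructed sample in iptables-save format. The INPUT ping rule is the one
# from the article with nothing after it; OUTPUT shows the corrected form.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -p tcp --syn -j syn-flood
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 3 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 3 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j DROP
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
COMMIT
EOF
}

# lint_ruleset: iptables-save text on stdin -> one WARNING line per limit-ACCEPT
# rule that no later DROP/REJECT covers, in a chain whose policy is not DROP.
# The "covered" test is deliberately coarse: any later unlimited DROP/REJECT in
# the same chain counts, even if it matches different traffic.
lint_ruleset() {
    awk '
    /^:/ {                          # ":INPUT ACCEPT [0:0]" -> remember the policy
        sub(/^:/, "", $1); policy[$1] = $2; next
    }
    /^-A / {                        # "-A CHAIN ..." -> store rules in chain order
        chain = $2; n[chain]++; rule[chain, n[chain]] = $0; next
    }
    END {
        for (c in n) {
            if (policy[c] == "DROP") continue
            for (i = 1; i <= n[c]; i++) {
                r = rule[c, i]
                if (r !~ /-m limit/ || r !~ /-j ACCEPT/) continue
                covered = 0
                for (j = i + 1; j <= n[c]; j++)
                    if (rule[c, j] ~ /-j (DROP|REJECT)/ && rule[c, j] !~ /-m limit/)
                        covered = 1
                if (!covered)
                    printf "WARNING %s rule %d: limit-ACCEPT with nothing dropping the excess (policy %s): %s\n", c, i, policy[c], r
            }
        }
    }'
}

lint_sample() { sample_rules | lint_ruleset; }

# Number of findings on the sample (expected 1, for INPUT rule 2)
lint_findings_count() { lint_sample | grep -c '^WARNING' || true; }

# To check a live host instead:  iptables-save | lint_ruleset
lint_sample
```

On the sample it reports exactly one finding, the article's ping rule in INPUT; the FORWARD copy is fine because that chain's policy is DROP, and the OUTPUT copy is fine because an unconditional DROP follows it.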

The above is the author's personal view; corrections of any shortcomings are welcome.
