Home > Cloud Computing > Cloud Security

Iptables getting started

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

0x00 iptables Introduction

The package filtering function of linux is the linux firewall, which consists of netfilter and iptables.

The netfilter component, also known as the kernel space, is a part of the kernel. It consists of information packet filtering tables that contain the rule set used by the kernel to control information packet filtering.

The iptables component is a tool, also known as a user space, which makes it easy to insert, modify, and remove rules from the information packet filtering table.

 

0x01 iptables Structure

Structure of iptables:

iptables -> Tables -> Chains -> Rules

In short, tables is composed of chains, which are also composed of rules. By default, iptables has four tables: Filter, NAT, Mangle, and Raw.

0x02 iptables Workflow

0x03 filter table description 1. In iptables, the filter table filters data packets. It has the following three built-in links: 
INPUT chain-process external data. OUTPUT chain-process data that is sent out. FORWARD chain-FORWARD data to other Nic devices on the local machine.
2. Data Flow scenarios

Access the local machine: filter the INPUT chain

Local external access: filtering on the OUTPUT chain

Access other hosts through the Local Machine: filter on the FORWARD chain

3. Basic Iptables operations

Start iptables: service iptables start

Disable iptables: service iptables stop

Restart iptables: service iptables restart

View iptables status: service iptables status

Save iptables configuration: service iptables save

Iptables service configuration file:/etc/sysconfig/iptables-config

Iptables rule SAVING file:/etc/sysconfig/iptables

Enable iptables forwarding: echo "1">/proc/sys/net/ipv4/ip_forward

0x04 iptables command reference

Command:

Iptables [-t table name] Command Option [Chain name] [condition match] [-j target action or jump]
1. Table Name

Table Name: Filter, NAT, Mangle, Raw

The filtering function of the starting package is the table Filter, which can be left blank. If not specified, the default value is Filter.

2. Command Options
Option name Functions and features
- Add (-- append) a new rule at the end of the specified chain
-D Delete a rule in a specified chain, and determine the rule to be deleted according to the rule sequence number or content
-I Insert (-- insert) a new rule in the specified chain. It is inserted at the beginning of the chain by default.
-R Modify or replace a rule in a chain, which is determined by the rule sequence number or content.
-L Lists all the rules in a specified chain. By default, all links in the table are listed.
-F Clear (-- flush) All rules in the specified chain. By default, all links in the table are cleared.
-N Create (-- new-chain) a custom rule chain
-X Delete a custom rule chain (-- delete-chain) in a specified table)
-P Set the Default policy of the specified chain (-- policy)
-N Display the output result in numeric format (-- numeric). If the IP address of the host is displayed instead of the Host Name
-P Set the Default policy of the specified chain (-- policy)
-V View detailed information (-- verbose) in the rule list
-V View the Version of the iptables command tool
-H View Command help information (-- help)
-- Line-number When you view the rule list, the sequence number of the rule in the chain is displayed.
3. Chain name

You can determine which chain to use based on the data stream. The usage of Filter is as follows:

INPUT chain-process external data. OUTPUT chain-process data that is sent out. FORWARD chain-FORWARD data to other Nic devices on the local machine.
4. Condition matching

Conditional matching includes basic matching and extended matching, and extended matching includes implicit extension and display extension.

A) Basic matching includes:

Matching Parameters Description
-P Specify the rule protocol, such as tcp, udp, and icmp. You can use all to specify all protocols.
-S Specify the source address parameter of the data packet to enable the IP address, network address, and host name
-D Destination Address
-I Input Interface
-O Output interface

B) Implicit extensions include:

C) Common explicit Scaling

5. Target value

Data Packet control methods include:

ACCEPT: Allow data packets to pass. DROP: directly discards data packets without any response information. REJECT: REJECT data packet passing. If necessary, a response message is sent to the data sender. LOG: record the log information in the/var/LOG/messages file, and then pass the data packet to the next rule. QUEUE: the firewall transfers data packets to the user space. RETURN: the Firewall stops executing the subsequent Rules in the current chain and returns to the call chain)
0x05 common Iptables commands

A) 1. delete an existing iptables rule

iptables –F

B) 2. View iptables rules

iptables –L(iptables –L –v -n)

C) 3. Add a rule to the end

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

D) 4. Add a rule to the specified location

iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

E) 5. delete a rule

iptabels -D INPUT 2

F) 6. modify a rule

iptables -R INPUT 3 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

G) 7. Set the Default policy

iptables -P INPUT DROP

H) 8. Allow SSH connection to the remote host

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

I) 9. Allow SSH connection to the local host

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INTPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

J) 10. allow HTTP requests

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

K) 11. restrict the number of packets sent to the ping 192.168.146.3 host. The average number is 2/s, and the maximum number is 3.

iptables -A INPUT -i eth0 -d 192.168.146.3 -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT

L) 12. Restrict the SSH connection rate (the Default policy is DROP)

iptables -I INPUT 1 -p tcp --dport 22 -d 192.168.146.3 -m state --state ESTABLISHED -j ACCEPT  iptables -I INPUT 2 -p tcp --dport 22 -d 192.168.146.3 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
0x06 How to correctly configure iptables

A) 1. delete an existing rule

Iptables-F

B) 2. Configure the default link policy

iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP

C) 3. Allow SSH connections to remote hosts

iptables -A INPUT -i eth0 -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT

D) 4. Allow SSH connection to the local host

iptables -A OUTPUT -o eth0 -p tcp –dport 22 -m state –state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp –sport 22 -m state –state ESTABLISHED -j ACCEPT

E) 5. allow HTTP requests

iptables -A INPUT -i eth0 -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp –sport 80 -m state –state ESTABLISHED -j ACCEPT
0x07 use iptables to defend against common attacks 1. Prevent syn Attacks

Train of Thought 1: Limit the request speed of syn (This method requires a reasonable speed value, otherwise it will affect normal user requests)

iptables -N syn-flood iptables -A INPUT -p tcp --syn -j syn-flood iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN iptables -A syn-flood -j DROP

Train of Thought 2: Limit the maximum number of syn connections of a single ip Address

iptables –A INPUT –i eth0 –p tcp --syn -m connlimit --connlimit-above 15 -j DROP
2. Prevent DOS Attacks

Use the recent module to defend against DOS Attacks

iptables -I INPUT -p tcp -dport 22 -m connlimit --connlimit-above 3 -j DROP

A single IP can connect up to three sessions.

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH 

Add a new connection request to the SSH list.

Iptables -I INPUT -p tcp --dport 22 -m state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP 

If you try three times in five minutes, the IP address service in the SSH list is denied. The access can be restored after 5 minutes.

3. prevent excessive access to a single ip Address 
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j DROP
4. Trojan Rebound 
iptables –A OUTPUT –m state --state NEW –j DROP
5. Prevent ping attacks 
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT

Personal Opinion, correction of deficiencies

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
getting started with firebase chrome getting started wildfly getting started getting started manual mongodb windows getting started bbb getting started cakephp getting started
Related Article
How does personal cloud security guarantee data security?
Cloud security to achieve effective prevention of the future ...
Focus on three major cloud security areas, you know?
Decrypting Cisco type 5 password hashes
Using redis to write webshell

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More