Iptables Basic Commands
Before we introduce complex firewall rules, let's start with the basics so that we have a simple understanding of iptables' most basic commands.
The first thing to note is that the iptables command must run as root, which means you need to log in as root or have permission to use su or sudo -i to get a root shell. We use sudo below, which is also the preferred method on Ubuntu systems.
The best starting point is to see all the iptables rules for the current system through the "-L" parameter:
sudo iptables -L
We can see the 3 common default chains in Linux (INPUT, OUTPUT, and FORWARD), along with the default policy of each chain (ACCEPT for all three), and we can see that Ubuntu ships with no rules added.
If you want to see the rules of each chain printed as commands, use the "-S" parameter:
sudo iptables -S
If you see that there are already rules in iptables and you want to reconfigure them from scratch, you can use the "-F" parameter to flush the existing rule set:
sudo iptables -F
Although the "-F" parameter flushes all existing rules in the chains, it does not change the default policy of the chains. Therefore, if you are changing the firewall policy of a remote VPS, you must restore the default policy of the INPUT and OUTPUT chains to ACCEPT before "-F" clears all rules, so that your SSH connection is not blocked once the rules are gone. To do this, execute the following commands:
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F
Only after you have configured the rule allowing SSH connections (described below) should you change the default policy of the INPUT and OUTPUT chains to DROP.
Create your own iptables rule
Now it's time to create custom firewall rules for our VPS. As mentioned in the previous article, the INPUT chain handles all inbound packets arriving at the server, so all of our work concerns the INPUT chain. Let's begin by configuring the server to allow SSH connections.
The complete command should look like this:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
That may look complicated at first, so let's break it down.
- -A INPUT : indicates that we want to append this rule to the end of a chain; since we want to operate on the INPUT chain, we write INPUT.
- -m conntrack : besides its core functions, iptables has a number of useful extensions and modules; this parameter loads the conntrack module. (The conntrack module can determine a packet's relationship to previous connections.)
- --ctstate ESTABLISHED,RELATED : this parameter is provided by the conntrack module and determines how the current packet is matched against previously seen packets. The ESTABLISHED value allows packets belonging to an existing connection, and the RELATED value allows packets related to an established connection. (This matches the behaviour of an SSH session.)
- -j ACCEPT : this parameter specifies the target for matching packets; here it accepts packets that meet the above criteria and lets them through.
Once that is configured, let's take a look:
sudo iptables -L
Now you know the basic syntax of iptables. Below we continue adding rules, levelling up step by step until you master it.
Accept other necessary connections
Everyone's VPS generally needs the SSH service on port 22, the web server on port 80 and MySQL on port 3306 open; otherwise how would it provide services to the outside? So we also need to open these ports in iptables with the following commands:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
To ensure that our VPS functions properly, we also need one more allow rule. Services on a machine typically send network packets to each other to communicate, and this communication goes through a pseudo network interface called loopback, which directs traffic back to the host itself. So we also need an allow rule for the loopback interface.
sudo iptables -I INPUT 1 -i lo -j ACCEPT
- -I INPUT 1 : unlike "-A", it lets you specify the position in the chain at which the rule is inserted; here it becomes rule 1 at the top of the INPUT chain.
Implementing the Drop Rule
All of the above rests on a premise, which first requires explaining the two common firewall patterns. One is to explicitly define the rules that are allowed through the firewall and discard everything that does not match. The other is to explicitly define the rules that are denied and allow everything else. Our premise assumes the first approach, which is simpler to configure, needs fewer rules, and is more secure.
We have already defined some allow rules for the INPUT chain, but the default policy of the INPUT chain still allows all packets, so we now need to change the default policy of the INPUT chain to DROP, discarding unmatched packets. Make the change with the following command:
sudo iptables -P INPUT DROP
Viewing and Saving the Configuration
iptables configuration takes effect immediately. As introduced earlier, after configuring we can view it directly with the "-L" parameter; here we add the "--line-numbers" parameter, which displays each rule's number and is very convenient when there are many rules.
sudo iptables -L --line-numbers
Although iptables commands take effect immediately, the effect is only temporary, and the rules are lost after a reboot. Therefore we also need to save this configuration to a configuration file so that the system automatically loads our iptables firewall rules on the next boot.
sudo apt-get update
sudo apt-get install iptables-persistent
During installation of the package you will be asked whether to save the current iptables configuration; answer yes. After saving, the configuration will no longer be lost on the next reboot.
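As an added example (not code from the original article), here is a small POSIX shell script that writes the complete ruleset built above in iptables-save format, which is the format iptables-persistent stores and reloads at boot (on Ubuntu it lives in /etc/iptables/rules.v4), and checks that an SSH accept rule is present before INPUT is set to DROP so you do not lock yourself out of a remote VPS. The port list, the build_rules and lockout_check function names, and the check itself are this example's own assumptions.

```shell
#!/bin/sh
# Added example: emit the article's ruleset in iptables-save format.
# Nothing here touches the live firewall; it only prints text, so the result
# can be reviewed and diffed before applying with `sudo iptables-restore`.

# Ports to open (the article's set); pass other port numbers as arguments.
build_rules() {
    ports="${*:-22 80 3306}"
    echo '*filter'
    # Default policies: INPUT drops anything not matched below; the article
    # leaves OUTPUT and FORWARD at ACCEPT.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback first (the article inserts it at position 1 with -I INPUT 1).
    echo '-A INPUT -i lo -j ACCEPT'
    # Packets belonging to, or related to, an already established connection.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New inbound TCP connections only on the listed ports.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Sanity check before applying: a DROP policy on INPUT with no SSH accept rule
# locks you out of a remote VPS. Returns 0 when the ruleset is safe to load.
lockout_check() {
    rules="$1"
    echo "$rules" | grep -q '^:INPUT DROP' || return 0   # not dropping: fine
    echo "$rules" | grep -q -- '--dport 22 -j ACCEPT'
}

rules=$(build_rules)
echo "$rules"
if lockout_check "$rules"; then
    echo "ok: SSH (port 22) is allowed before INPUT drops by default"
else
    echo "WARNING: INPUT defaults to DROP but no rule allows SSH" >&2
fi
```

Save the printed text as rules.v4 and load it with iptables-restore to apply the whole set atomically instead of one command at a time.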
Iptables Series: How to configure the Iptables firewall in Ubuntu 14.04