Iptables static firewall example tutorial

Source: Internet
Author: User
1. Iptables Introduction

iptables is a complex packet-filtering framework built into the Linux kernel. With it you can filter the packets that enter and leave your computer. You use the iptables command to set the rules that keep your host secure: which packets are allowed to pass, which are not, and which are logged. Next I will show you how to set your own rules, starting from scratch.

2. Initialization

Enter

iptables -F          # flush all rules in the default (filter) table
iptables -X          # delete all user-defined chains in the filter table
iptables -t nat -F   # flush all rules in the nat table
iptables -t nat -X   # delete all user-defined chains in the nat table

Each of these commands has a precise meaning (see the comments). Before setting up your iptables rules, we need to clear everything that was set before; we call this initialization. In many cases it changes nothing, but it is a safeguard just in case. If you are using RedHat or Fedora, there is a simpler method:

service iptables stop

3. Start setting rules:

Next, set your rules.

iptables -P INPUT DROP

This command builds a very "secure" firewall for you. It is hard to imagine any hacker breaking into such a machine, because it drops every packet arriving from the network. Of course, this is too secure: your machine is now effectively without a network. If you ping localhost, the screen just sits there, because ping never receives a reply.

4. Add Rules

Run the following command:

iptables -A INPUT ! -i ppp0 -j ACCEPT

This rule accepts all packets that do not arrive on the network interface ppp0.

Assume that your machine has these network interfaces: eth0 is connected to the LAN, lo is the loopback interface (localhost), and ppp0 is the Internet interface used for ADSL access. If you connect some other way it may be eth1 instead. For this tutorial, assume you use ADSL and your Internet interface is ppp0.

With this rule you can reach the LAN, and you can also reach localhost.

Now enter the command ping localhost. Is the result the same as in the previous step?

At this point we still cannot access WWW or mail. Let's look at that next.

5. I want to access www

iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT

This allows packets arriving on the network interface ppp0 (the Internet interface) with source port 80 to enter your computer.
Port 80 is the port used by the WWW service.

Now you can view web pages. But can you really?

If you enter www.baidu.com in the browser's address bar, can you see the page?

The result is: the host www.baidu.com cannot be found.

However, if you enter 220.181.27.5, you can still reach the Baidu web page.

Why? If you know DNS, you know the reason.

When you enter www.baidu.com, your computer cannot obtain the IP address 220.181.27.5 that the name www.baidu.com maps to. If you happen to remember that IP address you can still browse the web, but only by IP address. Unless you want to challenge your memory ^_^, we of course want to open DNS.

6. Open the DNS port

Open your DNS port and enter the following command:

iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT

This command accepts all UDP packets arriving on the network interface ppp0 with source port 53. Port 53 is the well-known DNS port.

Now test: can you access WWW by host name? Can you access WWW by IP address?

Yes, of course!

7. View the Firewall

Now you can view your firewall rules:

iptables -L

If you only want to access WWW, you can only access WWW. But don't worry: just summarize the content above and write it as a script.

#!/bin/bash
# This is a script
# Edit by Liwei
# Establish a static firewall

# init: flush all rules and delete user-defined chains in the filter and nat tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# default policy: drop everything that no rule accepts
iptables -P INPUT DROP

# trust everything that does not arrive on the Internet interface (LAN, loopback)
iptables -A INPUT ! -i ppp0 -j ACCEPT

# accept replies from web servers (source port 80) and DNS servers (source port 53)
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT

8. Is it complicated? By now iptables can filter packets according to your requirements. You can open some ports so that your machine can reach those services. This way you may not be able to use QQ or play online games. Whether that is good or bad is up to you. By the way, QQ is really hard to control. The connection between the client and the server seems to use port 8888, while messages sent directly between QQ friends use UDP port 4444 (it is not clear whether it is really 4444). QQ can also log on and send messages over the WWW port 80. There seems to be no end to learning. Do you really want to control this guy? Let's get back to our topic.

What if your machine is a server?

9. If your machine is a server and needs to provide a WWW service, the script above obviously cannot meet our requirements. But as long as you stick to the rules and make some modifications, it works well too. Add one line at the end:

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

This opens port 80 on your machine to the outside, so that other people on the Internet can reach your WWW service. Of course, your machine has to be running a WWW server. If your machine is also an SMTP or POP3 server, add two more lines, changing the 80 after --dport to 25 and 110. And if you also have an FTP server and want to open port 100 ......

Our work seems to be repeating similar statements, and you may already have thought of it yourself: we can use a loop to do this. Right, shell scripting is put to good use here, and it lets you experience the power of shell scripts. See the following:

10. Use a script to simplify your work. Read the following script.

#!/bin/bash
# This is a script
# Edit by Liwei
# Establish a static firewall

# Define constants here
open_ports="80 25 110 10"   # ports that are open on your own machine
allow_ports="53 80 20 21"   # Internet data from these source ports may enter your machine

# Init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP   # We can use another method instead of this
iptables -A INPUT ! -i ppp0 -j ACCEPT

# Define rules so that some data can come in.
for port in $allow_ports; do
    iptables -A INPUT -i ppp0 -p tcp --sport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport $port -j ACCEPT
done

for port in $open_ports; do
    iptables -A INPUT -i ppp0 -p tcp --dport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport $port -j ACCEPT
done

This script has three parts (the leading comments do not count as one of them).

The first part defines some ports: packets destined for a port in "open_ports" on your machine are allowed in, and packets whose source port is in "allow_ports" are allowed in.

The second part is the initialization of iptables, and the third part is the actual operation on the defined ports.

If our requirements change later, for example you add an FTP server to your machine, just add ports 20 and 21 for FTP. You have surely realized how scalable the script is, but the power of scripting is far more than that!

11. Improve Your Firewall

Look at the last line of the init part of the script above:

iptables -P INPUT DROP

This sets the default policy of the firewall. When a packet entering our computer matches none of our rules, the default policy is applied: DROP, and no response is sent to the sender.

That is to say, if you ping your host from another computer on the Internet, the ping just hangs there with no response.

If a hacker uses the nmap tool to scan your computer's ports, it tells the hacker that your computer is protected by a firewall. I don't want hackers to know too much about my computer. What should I do? If we change DROP to another action, we may be able to fool this hacker.

How to change it? Remove the line above (iptables -P INPUT DROP) and add the following to the end of the script:

iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable

This is much better. Hackers can still scan for open ports, but it is hard for them to tell that our machine is protected by a firewall. If you run FTP only for the intranet, from outside it is hard to know whether FTP is running at all. Here we give packets that should not enter our machine a fake answer, instead of dropping them and ignoring them. This technique is particularly useful when designing stateful firewalls (what I am describing here is a static firewall).

Try this yourself and see how the results of an nmap scan differ after the modification.

12. This tutorial is over. Many things are not covered here, such as IP masquerading, port forwarding, and packet logging. Another important topic is how iptables processes packets. Here I only want to tell you that the order of the filtering rules you set is very important; it is not described in detail here, because then this tutorial would get bogged down in details.

iptables is complex. I have read many tutorials on linuxsir. They are often numerous and complete, but daunting. I hope this tutorial helps you get started. Come on!

Finally, here is the complete script. You only need to modify the constant definitions to see its great scalability. ^_^

#!/bin/bash
# This is a script
# Edit by Liwei
# Establish a static firewall

# Define constants here
open_ports="80 25 110 10"   # ports that are open on your own machine
allow_ports="53 80 20 21"   # Internet data from these source ports may enter your machine

# Init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# The following is commented out to make the firewall better (see section 11).
# Note: with the policy left at ACCEPT, only TCP and UDP arriving on ppp0 are
# rejected by the last two rules below.
# iptables -P INPUT DROP

iptables -A INPUT ! -i ppp0 -j ACCEPT

# Define rules so that some data can come in.
for port in $allow_ports; do
    iptables -A INPUT -i ppp0 -p tcp --sport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport $port -j ACCEPT
done

for port in $open_ports; do
    iptables -A INPUT -i ppp0 -p tcp --dport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport $port -j ACCEPT
done

# These are the last rules; they make your firewall better
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
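As an added example (not the author's script), the same port-list approach rewritten so that the rule set is generated by a function and can be reviewed, counted and tested without root before it is applied; the interface name ppp0, the port lists, and the function names gen_rules, rule_count and apply_rules are assumptions of this example.

```shell
#!/bin/sh
# Static firewall generator: the tutorial's idea, but the rules are produced by a
# function so they can be inspected (or tested) before anything touches the kernel.

WAN_IF="${WAN_IF:-ppp0}"                   # Internet-facing interface (assumed)
OPEN_PORTS="${OPEN_PORTS:-80 25 110}"      # services this host offers to the Internet
ALLOW_PORTS="${ALLOW_PORTS:-53 80 20 21}"  # remote service ports whose replies may come in

# gen_rules prints one iptables command per line and never executes anything.
gen_rules() {
    # init: flush rules and delete user chains in the filter and nat tables
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -t nat -F"
    echo "iptables -t nat -X"
    # everything not arriving on the WAN interface (LAN, loopback) is trusted
    echo "iptables -A INPUT ! -i $WAN_IF -j ACCEPT"
    # replies from allowed remote services, matched by source port (static firewall)
    for port in $ALLOW_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --sport $port -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p udp --sport $port -j ACCEPT"
    done
    # services this host exposes, matched by destination port
    for port in $OPEN_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $port -j ACCEPT"
        echo "iptables -A INPUT -i $WAN_IF -p udp --dport $port -j ACCEPT"
    done
    # final rules: answer everything else with a reset / port-unreachable instead of DROP
    echo "iptables -A INPUT -i $WAN_IF -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A INPUT -i $WAN_IF -p udp -j REJECT --reject-with icmp-port-unreachable"
}

# rule_count returns how many commands the current port lists produce (a sanity check:
# 5 fixed init/trust lines + 2 per allowed port + 2 per open port + 2 reject lines).
rule_count() {
    gen_rules | wc -l | tr -d ' '
}

# apply_rules runs the generated commands (needs root). Dry run (print only) unless APPLY=1.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        gen_rules | sh -e
    else
        gen_rules
    fi
}

apply_rules
```

Run it once without APPLY=1 and read the printed rule list; only when it matches what you intend, run APPLY=1 as root.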
