Iptables summary and application experiences

Source: Internet
Author: User

I have been using iptables all along. I have some iptables experience and small summaries to share with you!

The Linux kernel has a powerful networking subsystem called netfilter. The netfilter subsystem provides stateful and stateless packet filtering as well as NAT and IP masquerading services. Netfilter can also mangle IP header information for advanced routing and connection state management. Netfilter is controlled through IPTables.

IPTables Overview

The power and flexibility of netfilter are exposed through the IPTables interface. This command line tool is similar in syntax to its predecessor, IPChains; however, IPTables uses the netfilter subsystem to enhance network connection tracking, inspection, and processing. Where IPChains used complex sets of rules for filtering source and destination paths and connection ports, IPTables includes advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

7.2. Use IPTables

The first step in using IPTables is to start the IPTables service. Run the following command:

service iptables start

The IP6Tables service must be stopped before the IPTables service is used:

service ip6tables stop

chkconfig ip6tables off

To have IPTables started by default at system boot, use chkconfig to change the run level status of the service:

chkconfig --level 345 iptables on

The syntax of IPTables is divided into several layers. The main level is the chain. A chain specifies the state at which a packet is manipulated. Its usage is:

iptables -A chain -j target

-A appends a rule to the existing rule set. chain is the name of the chain the rule belongs to. IPTables has three built-in chains, which affect every packet traversing the network stack: INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot be deleted.


When creating an IPTables rule set, it is crucial to remember that rules are evaluated in order. For example, if a chain already holds a rule that drops all packets from the local subnet, and a rule allowing packets from one host within that subnet is then appended (-A) after it, the appended rule is never reached. The allow rule for that host must come first, followed by the drop rule for the subnet.

To insert a rule at a specific position in an existing chain, use -I, followed by the name of the chain to insert into and the position number (1, 2, 3, ..., n). For example:

iptables -I INPUT 1 -i lo -p all -j ACCEPT

This rule is inserted as the first rule in the INPUT chain and allows traffic on the local loopback device.

7.2.1. basic firewall policies

Establishing a few basic policies at the beginning lays the foundation for more detailed, user-defined rules. IPTables uses policies (-P) to create default rules. Security-minded administrators usually prefer to drop all packets and then allow specific packets one by one. The following rules block all inbound and outbound packets on the network.

In addition, we recommend that you reject all forwarded packets (network traffic that is routed from the firewall to its destination node) to limit the exposure of internal clients to the Internet. To achieve this, use the following rules:

When adding rules, note that the REJECT target and the DROP target behave differently. REJECT refuses the incoming packet and returns a "connection refused" error to the user attempting to connect to the service. DROP discards the packet and gives no warning to the telnet user. However, we recommend the REJECT target to avoid the confusion and repeated connection attempts that a silent drop can cause.

Once a policy chain is set, you need to create new rules for your particular network and security requirements. The following sections describe rules you may implement when constructing an IPTables firewall.

After a policy chain is set, you need to create new rules for your specific network and security. The following sections describe the rules that you may implement when constructing an IPTables firewall.

7.2.2. Save and restore IPTables rules

Firewall rules are only in effect while the computer is running. If the system is rebooted, the rules are automatically flushed and reset. To save the rules so they can be loaded later, run the following command:

/sbin/service iptables save

The rules are saved in the /etc/sysconfig/iptables file and are applied whenever the service is started or restarted (including when the machine is rebooted).

Common iptables Filtering

Keeping remote attackers out of the LAN is an important aspect of network security. The integrity of the LAN should be protected from malicious remote users through strict firewall rules. However, if the default policy is set to block all inbound, outbound, and forwarded packets, the firewall/gateway and internal LAN users cannot communicate with each other. To allow users to perform network-related functions and use networked applications, the administrator must open some ports for communication.

For example, to allow communication for port 80 on the firewall, add the following rules:

iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

This allows browsing of websites that communicate over port 80. To allow access to secure websites such as https://www.example.com/, you must also open port 443.

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT

iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

Note that these INPUT rules match only on the source port, so any packet whose source port happens to be 80 or 443 is accepted regardless of connection state. Matching replies with -m state --state ESTABLISHED,RELATED instead is tighter.

Sometimes you may need to access the LAN remotely from outside it. Secure services such as SSH and CIPE can be used for encrypted remote connections to LAN services. For administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up access can be used to get past the firewall securely, because modem connections are direct and usually sit behind the firewall/gateway. For remote users with broadband connections, however, special rules are needed. You can configure IPTables to accept connections from remote SSH and CIPE clients. For example, to allow remote SSH access, use the following rules:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT   # SSH runs over TCP; the original line used udp, which would never match the replies

To accept incoming CIPE connection requests, use the following command (replace x with your device number):

iptables -A INPUT -p udp -i cipcbx -j ACCEPT

7.4. FORWARD and NAT rules

Most organizations obtain a limited number of public IP addresses from their ISP. Given this limit, administrators must find creative ways to share Internet access without assigning a scarce public IP address to every machine on the LAN. Using private IP addresses is a common method that lets all machines on the LAN use internal and external network services correctly. Edge routers (such as firewalls) can receive incoming traffic from the Internet and route the packets to their intended LAN nodes. At the same time, the firewall/gateway can route outgoing requests from LAN nodes to remote Internet services. This kind of traffic forwarding can be dangerous, especially with modern attack tools that can spoof internal IP addresses and present a remote attacker's machine as a node on your LAN. To prevent this, iptables provides routing and forwarding policies that you can implement to prevent spoofed exploitation of network resources.

The FORWARD policy allows administrators to control where packets can be routed within the LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway has an internal IP address on eth1), set the following rules:

iptables -A FORWARD -i eth1 -j ACCEPT

iptables -A FORWARD -o eth1 -j ACCEPT


By default, the IPv4 policy in the Red Hat Enterprise Linux kernel disables IP forwarding, which prevents machines running Red Hat Enterprise Linux from functioning as dedicated edge routers. To enable IP forwarding, run the following command:

sysctl -w net.ipv4.ip_forward=1

If this command is run from a shell prompt, the setting is not preserved across a reboot. You can set forwarding permanently by editing the /etc/sysctl.conf file. Find the following line and change 0 to 1:

net.ipv4.ip_forward = 0

Run the following command to activate the changes in the sysctl.conf file:

sysctl -p /etc/sysctl.conf

This allows LAN nodes to communicate with each other; however, it does not allow them to communicate with the outside world (such as the Internet). To allow LAN nodes with private IP addresses to communicate with external public networks, configure IP masquerading on the firewall. This rewrites requests from LAN nodes so that they appear to come from the IP address of the firewall's external device (eth0 in this example):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

7.5. DMZ and iptables

You can also set up rules to route traffic to certain machines, such as dedicated HTTP or FTP servers, preferably in a de-militarized zone (DMZ) separated from the internal network. To set a rule that sends all incoming HTTP requests to a dedicated HTTP server listening on port 80 (at an address outside the LAN range), use the PREROUTING chain of the nat table to forward these packets to the proper destination:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
    --to-destination <DMZ HTTP server IP>:80

Replace <DMZ HTTP server IP> with the address of the HTTP server.

With this command, all HTTP connections from outside the LAN to port 80 are routed to an HTTP server on a network separated from the internal network. This network segmentation is safer than allowing HTTP connections to machines on the internal network. If the HTTP server is configured to accept secure connections, port 443 must also be forwarded.

Viruses and spoofed IP addresses

You can design more elaborate rules to control access to specific subnets, or even specific machines, within the LAN. You can also restrict suspicious services such as Trojan horses, worms, and other client/server viruses from contacting their servers. For example, some Trojans scan for services on ports 31337 through 31340 (called elite ports in cracker terminology). Since legitimate services do not communicate over these non-standard ports, blocking them effectively reduces the chance that potentially infected nodes on your network communicate independently with their remote master servers.

iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP

You can also block connections that attempt to spoof the private IP range of your LAN. For example, if your LAN uses a given private range, you can set a rule that tells the Internet-facing device (such as eth0) to drop any packet arriving on that device with a source address in your LAN range. Because the default policy is to reject forwarded packets, any other spoofed source address arriving on the external device (eth0) is rejected automatically.

iptables -A FORWARD -s <your LAN range> -i eth0 -j DROP

Replace <your LAN range> with your LAN's private address range in CIDR form.
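Pulling the rules from sections 7.2.1 through 7.5 together, here is an added example (not the article's own code) that generates the whole policy as an iptables-restore file, the same format that service iptables save writes to /etc/sysconfig/iptables. It goes a little beyond the article: it uses stateful matching instead of bare --sport rules, adds an INPUT anti-spoofing rule alongside the FORWARD one, and uses a DROP policy with an explicit final REJECT rule, because a built-in chain's policy can only be ACCEPT or DROP. All interface names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: emit the firewall described in
# sections 7.2.1 to 7.5 as an iptables-restore ruleset, the format that
# "service iptables save" writes to /etc/sysconfig/iptables.
# Interface names and addresses are constructed placeholders.
WAN_IF=eth0                # Internet-facing device
LAN_IF=eth1                # internal device
LAN_NET=192.168.1.0/24     # private LAN range (constructed)
DMZ_HTTP=10.0.4.2          # dedicated HTTP server in the DMZ (constructed)
MGMT_IP=203.0.113.10       # only remote host allowed to SSH in (constructed)
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
# loopback first: rules match in order, so allows must precede drops
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the firewall opened (tighter than a bare --sport match)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# remote SSH administration, limited to one source address
-A INPUT -i $WAN_IF -p tcp -s $MGMT_IP --dport 22 -m state --state NEW -j ACCEPT
# anti-spoofing: a LAN source address must never arrive on the WAN device
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# known trojan control ports, blocked both from the firewall and when forwarded
-A OUTPUT -o $WAN_IF -p tcp --dport 31337:31340 -j DROP
-A FORWARD -o $WAN_IF -p tcp --dport 31337:31340 -j DROP
# LAN clients out to the Internet, and only replies back in
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# forwarded HTTP/HTTPS to the DMZ web server (pairs with the DNAT below)
-A FORWARD -i $WAN_IF -d $DMZ_HTTP -p tcp -m multiport --dports 80,443 -j ACCEPT
# a chain policy can only be ACCEPT or DROP, so REJECT is done by a final rule
-A FORWARD -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $DMZ_HTTP
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
gen_ruleset
```

After enabling net.ipv4.ip_forward as described above, the output can be loaded with sh fw.sh | iptables-restore, or written to /etc/sysconfig/iptables so the iptables service applies it at boot.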


The emergence of the next-generation Internet Protocol, IPv6, moves beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses, so an IPv6-capable network can address far more nodes than IPv4.

Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the IP6Tables command. The first step in using IP6Tables is to start the IP6Tables service with the following command:

service ip6tables start

The IPTables service must be stopped before the IP6Tables service is used:

service iptables stop

chkconfig iptables off

To have IP6Tables started by default at system boot, use chkconfig to change the run level status of the service:

chkconfig --level 345 ip6tables on

Its syntax is identical to IPTables in every respect, except that IP6Tables supports 128-bit addresses. For example, the following rule allows SSH connections to a server on an IPv6 network from one specific host:

ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT

For more information about IPv6 networking, see the IPv6 information page at http://www.ipv6.org/.

iptables -A OUTPUT -p udp -o cipcbx -j ACCEPT

CIPE uses its own virtual device, which transmits datagram (UDP) packets. Therefore, the CIPE rules allow connections on the cipcb interface rather than specifying source or destination ports (although those could be used in place of the device option). For more information on using CIPE, see Chapter 6.

You may also want to define rules for other services. For complete information about IPTables and its many options, see the Red Hat Enterprise Linux Reference Guide.

These rules allow access to regular and secure services on the firewall itself; however, they do not allow machines behind the firewall to use those services. To let the LAN use these services, combine NAT with the IPTables filtering rules.

I hope you have found this article useful!
