Linux Configuration Firewall detailed steps (Iptables command use method)

With this tutorial, make sure you can use Linux native. If you are using SSH remote, and can not directly operate the machine, then we recommend you cautious, cautious, and then cautious!

With Iptables We can configure a dynamic firewall for our Linux servers that can specify and remember the status of the connections established for sending or receiving packets, a set of command packages to set up, maintain, and check the IP packet filtering rules of the Linux kernel. Iptables the way to define rules is more complicated, this article introduces the iptables rules of Linux firewall:

The basic format for ⑴ and iptables rules is:

Iptables [-ttable] COMMAND chain Cretiria-j ACTION

⑵, iptables rules related parameters Description:

-T Table:3 a filter NAT mangle

: Defines how rules are managed

Chain: Specify which chain your next rule is to operate on, and when defining the strategy, it can be omitted;

Cretiria: Specify matching Criteria;

-j ACTION: Specifies how the process should be handled;

⑶ and Iptables rules other wording and explanation:

Iptables-l-n-v #查看定义规则的详细信息

Iptables is the firewall configuration prerequisites on the Linux Server Setup tool, is our server security and deployment of large networks, often used in the important tools, very good grasp of iptables, can let us to the Linux server structure of the entire network a more thorough understanding, Better to master the Linux server Security configuration skills.

Let's configure a firewall for the filter table.

(1) Check the setting of this institution in Iptables

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target prot opt source destination</p> <p>chain FORWARD (Policy ACCEPT)
Target prot opt source destination</p> <p>chain OUTPUT (Policy ACCEPT)
Target prot opt source destination</p> <p>chain rh-firewall-1-input (0 references)
Target Prot opt source destination
ACCEPT All--0.0.0.0/0 0.0.0.0/0
ACCEPT ICMP--0.0.0.0/0 0.0.0.0/0 ICMP type 255
ACCEPT ESP--0.0.0.0/0 0.0.0.0/0
acceptah--0.0.0.0/00.0.0.0/0
acceptudp--0.0.0.0/0224.0.0.251udpdpt:5353
acceptudp--0.0.0.0/00.0.0.0/0udpdpt:631
Acceptall--0.0.0.0/00.0.0.0/0staterelated,established
Accepttcp--0.0.0.0/00.0.0.0/0statenewtcpdpt:22
Accepttcp--0.0.0.0/00.0.0.0/0statenewtcpdpt:80
Accepttcp--0.0.0.0/00.0.0.0/0statenewtcpdpt:25
rejectall--0.0.0.0/00.0.0.0/0reject-withicmp-host-prohibited

As you can see, when I installed Linux, I chose a firewall and opened the 22,80,25 port.
If you did not choose to boot the firewall when installing Linux, this is the case

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target prot opt source destination </p> <p>chain FORWARD (Policy ACCEPT)
Target prot opt source destination </p> <p>chain OUTPUT (Policy ACCEPT)
Target Prot opt source destination

There are no rules.

(2) Clear the original rules.

Whether or not you start a firewall when you install Linux, if you want to configure your own firewall, clear all the rules for the filter now.

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-f clears all rule chain rules in the preset table filter
[[email protected] ~]# iptables-x clear Preset table rules in user-defined chains in filter

We're having a look.

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target prot opt source destination </p> <p>chain FORWARD (Policy ACCEPT)
Target prot opt source destination </p> <p>chain OUTPUT (Policy ACCEPT)
Target Prot opt source destination

Nothing at all, and we did not start the firewall when installing Linux is the same. (in advance, these configurations are like using commands to configure the IP, the restart will lose its effect), how to save.

Copy CodeThe code is as follows:
[Email protected] ~]#/etc/rc.d/init.d/iptables Save

This will allow you to write to the/etc/sysconfig/iptables file. Remember to re-start the firewall after writing to make it work.

Copy CodeThe code is as follows:
[Email protected] ~]# service iptables restart

Now that the Iptables configuration table does not have any configuration, let's start our configuration.
(3) Set preset rules

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-p INPUT DROP
[[email protected] ~]# iptables-p OUTPUT ACCEPT
[Email protected] ~]# iptables-p FORWARD DROP

The above means that when the two chain rules (Input,forward) in the Iptables filter table are exceeded, the packets that are not in the two rules are handled, and that is the drop (abort). It should be said that this configuration is very safe. We want to control the incoming packets.

And for the output chain, that is, out of the package we do not have to do too much restriction, but to take the accept, that is, not in the rules of the package how to do it, that is through.

It can be seen that the Input,forward two chain uses what packets are allowed to pass through, and the output chain is not allowed by what packets pass.

This setting is quite reasonable, of course, you can also drop three chains, but I think it is not necessary, and to write the rules will increase. But if you only want a few rules that are limited, such as just Web servers. It is recommended that all three chains are drop.

Note: If you are a remote SSH login, you should drop it when you enter the first command. Because you didn't set any rules.

How to do, go to the machine operation Bai!

(4) Add a rule.

First add the input chain, the default rule of the input chain is drop, so we write the need to ACCETP (through) the chain

In order to be able to use remote SSH login, we have to turn on port 22.

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a input-p TCP--dport 22-j ACCEPT
[[email protected] ~]# iptables-a output-p TCP--sport 22-j ACCEPT

(Note: This rule, if you set the output to drop it is necessary to write this part, many people are looking at the writing of this rule resulted in, always unable to ssh. In the remote, is not good.

The other port is the same, if the Web server is turned on, output is set to drop, you also add a chain:

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a output-p TCP--sport 80-j ACCEPT

, the other same.

If you made a Web server, turn on port 80.

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a input-p TCP--dport 80-j ACCEPT

If you do a mail server, turn on port 25,110.

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a input-p TCP--dport 110-j ACCEPT
[[email protected] ~]# iptables-a input-p TCP--dport 25-j ACCEPT

If you do an FTP server, turn on port 21

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a input-p TCP--dport 21-j ACCEPT
[[email protected] ~]# iptables-a input-p TCP--dport 21-j ACCEPT

If you do a DNS server, turn on port 53

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a input-p TCP--dport 53-j ACCEPT

If you also do other servers, which port you need to open, just write it.

The main writing above is the input chain, usually not in the above rules, all drop

Allow ICMP packets to pass, that is, to allow pings,

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a output-p icmp-j ACCEPT (OUTPUT set to drop)
[[email protected] ~]# iptables-a input-p icmp-j ACCEPT (INPUT set to drop)

Allow loopback! (This may cause problems such as DNS not shutting down properly)

Copy CodeThe code is as follows:
Iptables-a input-i lo-p all-j ACCEPT (if INPUT DROP)
Iptables-a output-o lo-p all-j ACCEPT (if OUTPUT DROP)

Write the output chain below, the default rule for the output chain is accept, so we write a chain that needs drop (discard).

Reduce insecure port connections

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a output-p TCP--sport 31337-j DROP
[[email protected] ~]# iptables-a output-p TCP--dport 31337-j DROP

Some Trojans scan services on ports 31337 through 31340 (that is, the elite ports in the hacker language). Since legitimate services do not use these non-standard ports to communicate, blocking these ports can effectively reduce the chance that your network may be infected by the machine and their remote primary server for independent communication

There are other ports as well, like: 31335, 27444, 27665, 20034 NetBus, 9704, 137-139 (SMB), 2049 (NFS) port should also be banned, I write in this is not all, interested friends should go to check the relevant information.

Of course, it's safer to go in and out. You can also set the output chain to drop, then you add more rules, like the above added

Allow SSH to log in as well. Just write it.

The following is a more detailed rule, that is, to restrict to a machine

For example: We only allow SSH connection for 192.168.0.3 machines.

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-a input-s 192.168.0.3-p tcp--dport 22-j ACCEPT

If you want to allow or restrict a certain IP address, you can use 192.168.0.0/24 to represent all IPs on the 192.168.0.1-255 side.

24 indicates the number of subnet masks. But remember to delete the line in the/etc/sysconfig/iptables.

-A input-p tcp-m TCP--dport 22-j ACCEPT because it means all addresses can be logged in.

or using the command mode:

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-d input-p TCP--dport 22-j ACCEPT

And then save, I say one side, the reverse is the way of the command, only at the time of entry into force, if you want to restart the role, it should be saved. Write to the/etc/sysconfig/iptables file.

Copy CodeThe code is as follows:
[Email protected] ~]#/etc/rc.d/init.d/iptables Save

This write!192.168.0.3 indicates that the IP address except the 192.168.0.3

Other regular connections are set up as well.

In the following is the forward chain, the default rule of the forward chain is drop, so we write the need to ACCETP (through) the chain, the monitoring of the forwarding chain.

Turn on forwarding, (when doing NAT, forward default rule is drop, must be done)

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-a forward-i eth0-o eth1-m State--state related,established-j ACCEPT
[Email protected] ~]# iptables-a forward-i eth1-o eh0-j ACCEPT

Discard Bad TCP packets

Copy CodeThe code is as follows:
[[Email protected] ~] #iptables-A forward-p TCP! --syn-m State--state New-j DROP

Handle the number of IP fragments, prevent attacks, allow 100 per second

Copy CodeThe code is as follows:
[[Email protected] ~] #iptables-A forward-f-M limit--limit 100/s--limit-burst 100-j ACCEPT

Set ICMP packet filtering to allow 1 packets per second, limiting the trigger condition to 10 packets.

Copy CodeThe code is as follows:
[[Email protected] ~] #iptables-A forward-p icmp-m limit--limit 1/s--limit-burst 10-j ACCEPT

I'm in front only so allow ICMP packets to pass because I have restrictions here.

Two, configure a NAT table to fire the wall

1. View the settings of this agency on NAT

Copy CodeThe code is as follows:
[Email protected] rc.d]# iptables-t nat-l
Chain prerouting (Policy ACCEPT)
Target Prot opt source destination
Chain postrouting (Policy ACCEPT)
Target Prot opt source destination
SNAT All-192.168.0.0/24 anywhere to:211.101.46.235
Chain OUTPUT (Policy ACCEPT)
Target Prot opt source destination

My NAT has been configured (just to provide the simplest proxy Internet access, and no firewall rules have been added). about how to configure NAT, refer to my other article

Of course you don't have to clear the rules if you haven't configured NAT, because Nat doesn't have anything by default.

If you want to clear, the command is

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-f-t NAT
[[email protected] ~]# Iptables-x-t NAT
[[email protected] ~]# Iptables-z-t NAT

2, adding rules

Add basic NAT Address translation (see my other article on how to configure NAT),

To add a rule, we only add the drop chain. Because the default chain is all accept.

Prevention of intranet IP spoofing for external network

Copy CodeThe code is as follows:
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 10.0.0.0/8-j DROP
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 172.16.0.0/12-j DROP
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 192.168.0.0/16-j DROP

If we want to, for example, stop MSN,QQ,BT and so on, need to find the port or IP they use, (personally think not too much necessary)

Cases:

Prohibit all connections to the 211.101.46.253

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-t nat-a prerouting-d 211.101.46.253-j DROP

Disabling the FTP (21) port

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-t nat-a prerouting-p tcp--dport 21-j DROP

The scope of the writing is so large that we can define it more precisely.

Copy CodeThe code is as follows:
[[email protected] ~]# iptables-t nat-a prerouting-p tcp--dport 21-d 211.101.46.253-j DROP

This disables only FTP connections for 211.101.46.253 addresses, and other connections are available. such as Web (80 port) connections.

As I wrote, you just have to find the IP address of other software such as QQ,MSN, and the port, and based on what protocol, just write it.

At last:

Drop Illegal Connection

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-a input-m State--state invalid-j DROP
[Email protected] ~]# iptables-a output-m State--state invalid-j DROP
[Email protected] ~]# iptables-a forward-m State--state invalid-j DROP

Allow all established and related connections

Copy CodeThe code is as follows:
[Email protected] ~]# iptables-a input-m State--state established,related-j ACCEPT
[Email protected] ~]# iptables-a output-m State--state established,related-j ACCEPT
[Email protected] ~]#/etc/rc.d/init.d/iptables Save

This will allow you to write to the/etc/sysconfig/iptables file. Remember to re-start the firewall after writing to make it work.

Copy CodeThe code is as follows:
[Email protected] ~]# service iptables restart

Do not forget to save, do not write a save once. You can save, experiment and see if it meets your requirements.

I've tried all the rules above, no problem.

Linux Configuration Firewall detailed steps (Iptables command use method)