I. About iptables
iptables is a command-line firewall tool that uses chains of rules to allow or block network traffic. When a connection attempts to reach your system, iptables looks for a rule that matches it; if none matches, iptables applies the chain's default action (its policy).
Almost all Linux distributions ship with iptables. The command to install or update it on Ubuntu/Debian is:
sudo apt-get install iptables
Graphical front ends such as Firestarter can manage the rules for you, but iptables itself is not difficult to use. Be particularly careful when configuring iptables rules while you are logged on to the server remotely: a mistake at that point can cut your connection to the server for good, and you will have to go to the machine physically before you can fix it.
II. Types of iptables rule chains
iptables organizes its rules into three chains: INPUT, FORWARD and OUTPUT.
1. INPUT: this chain filters connections whose destination is the local machine. For example, if a user attempts to log on to your PC or server over SSH, iptables first matches the source IP address and port against the rules in the INPUT chain.
2. FORWARD: this chain filters connections whose source and destination are both other machines, for example the large volume of traffic a router receives and must pass on to other hosts. If your system does not perform router-like functions such as NAT, you do not need this chain.
There is a safe and reliable way to check whether your system needs the FORWARD chain:
The screenshot shows a server that had been running for several weeks with no restrictions on input or output. The INPUT and OUTPUT chains had handled 11GB and 17GB of data respectively, while the FORWARD chain had processed nothing at all, because the server does not perform any router-like forwarding.
3. OUTPUT: this chain filters connections whose source is the local machine. For example, when you try to ping howtogeek.com, iptables checks the OUTPUT chain for rules concerning ping and howtogeek.com and then decides whether to allow or reject the request.
Note: when you ping an external host, it looks as if only the OUTPUT chain is involved. Keep in mind, however, that the replies from the external host are filtered through the INPUT chain. When configuring iptables rules, remember that many protocols need two-way communication, so you have to configure both the INPUT and the OUTPUT chain. SSH is the classic case where people forget to configure both.
III. Default chain behavior
Before you configure specific rules, you may want to set the default behavior of each chain, in other words what iptables should do when a connection matches none of the existing rules.
You can run the following command to display the default action iptables currently takes on connections that match no rule:
As shown above, grep makes the output more concise. In the screenshot, every chain accepts all connections by default. Usually you will want your system to accept all network traffic by default, and this is also iptables' default configuration. The commands that set the chains to accept connections are:
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
On top of this default you can then add rules that filter specific IP addresses or port numbers; those commands are introduced later in this article. If you would rather deny all connections by default and then allow specific IP addresses or port numbers on top of that, change ACCEPT to DROP in the policy commands, as shown below. This is very useful for servers that hold sensitive data, which typically allow access only from specific IP addresses.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
IV. Configuring specific connections
Let's look at how to set rules for a specific IP address or port. This article covers the three most basic and common targets:
1. ACCEPT: accept the traffic.
2. DROP: discard the traffic. Use this when you do not want the source of the traffic to learn that your system exists at all (the best way to handle it).
3. REJECT: refuse the connection, but return an error response. Use this when you do not want an IP address to access your system but do want it to know that your firewall is blocking it.
To see the difference between the three, we ping a Linux machine configured each way from a PC:
ACCEPT: access allowed
DROP: access discarded
REJECT: access refused
V. Allowing or blocking specific connections
Once the default chain policies are configured, you can configure iptables to allow or block specific IP addresses or ports. Note: in these examples we use iptables -A to append rules to the end of an existing chain. When iptables looks for a match it searches from the top of the chain down. You can use iptables -I [chain] [number] to insert a new rule at a specific position in the chain.
Connections from a single IP address
The following example shows how to block all connections from the IP address 10.10.10.10:
iptables -A INPUT -s 10.10.10.10 -j DROP
Connections from a range of IP addresses
The following example shows how to block connections from any IP address in the subnet 10.10.10.0/24. You can write the subnet with a netmask or with the standard slash notation:
iptables -A INPUT -s 10.10.10.0/24 -j DROP
Or
iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP
Connections to a specific port
This example shows how to block SSH connections from 10.10.10.10:
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
You can replace "ssh" with any other service name or port number. The -p tcp in the command tells iptables which protocol the connection uses. The following example shows how to block SSH connections from any IP address:
iptables -A INPUT -p tcp --dport ssh -j DROP
VI. Connection state
As mentioned earlier, many protocols require two-way communication. For example, to allow SSH connections you must configure both the INPUT and the OUTPUT chain. But what if you only want to allow SSH sessions that are initiated from outside? The following example accepts SSH connections coming in from 10.10.10.10 and lets the server answer that address, without allowing the server to open new SSH connections to 10.10.10.10:
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
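The two stateful rules above only do their job together with the default-DROP policies from section III and the loopback and ESTABLISHED rules that a locked-down host needs, and the order in which they are loaded matters: 10.10.10.10 lies inside the 10.10.10.0/24 subnet blocked in section V, and entering rules one command at a time over SSH is exactly how the lockout described at the top of the article happens. As an added example (not code from the original article), the shell script below writes the whole ruleset in iptables-restore format so that everything is loaded in one atomic step, and checks the rule order before it is applied. The 10.10.10.10 host and the 10.10.10.0/24 subnet come from the article; the outbound DNS/HTTPS rules, the backup path and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: build a default-DROP ruleset in
# iptables-restore format and load it in one step instead of one iptables call at a time.
# 10.10.10.10 and 10.10.10.0/24 come from the article; everything else is assumed.

ADMIN_HOST="${ADMIN_HOST:-10.10.10.10}"          # host allowed to open SSH sessions to us
BLOCKED_NET="${BLOCKED_NET:-10.10.10.0/24}"      # the rest of that subnet is dropped
BACKUP="${BACKUP:-/root/iptables.before-change}" # assumed location for the saved live rules

# Print the filter table. iptables checks rules top to bottom, so:
#  - loopback and replies to ESTABLISHED connections are accepted first,
#  - the SSH allow for ADMIN_HOST comes before the DROP for BLOCKED_NET, which
#    contains it (swap the two lines and the admin host is locked out),
#  - the chain policies (the :CHAIN lines) catch everything that matches nothing.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s ${ADMIN_HOST} -m state --state NEW -j ACCEPT
-A INPUT -s ${BLOCKED_NET} -j DROP
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in a chain (the policy line is not counted).
count_chain_rules() {
    build_ruleset | grep -c "^-A $1 " || true
}

# 1-based position of the first rule in a chain whose text contains PATTERN, 0 if none.
# Used to confirm that the SSH allow precedes the subnet DROP before anything is loaded.
rule_position() {
    build_ruleset | awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if (!found && index($0, pat)) found = n }
        END { print found + 0 }'
}

# Parse-check the ruleset, save the live rules, then load the new set atomically.
# Keep the SSH session you are working in open; if a second test session cannot
# connect afterwards, "iptables-restore < $BACKUP" in the first one undoes the change.
apply_ruleset() {
    build_ruleset | iptables-restore --test || { echo "ruleset rejected" >&2; return 1; }
    iptables-save > "$BACKUP"
    build_ruleset | iptables-restore
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

Run the script without arguments to review the generated ruleset, and with `apply` (as root) to load it. Because the whole table is committed at once, there is no window in which the policy is already DROP but the SSH allow has not yet been entered, which is what makes single `iptables` commands risky on a remote box.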
VII. Saving changes
The changes made with the commands above are temporary. To keep them permanently you have to run an additional command, which differs between Linux distributions:
Ubuntu:
Red Hat/CentOS:
/sbin/service iptables save
Or
/etc/init.d/iptables save
VIII. Other commands
List the current iptables configuration:
Use the -v option to show packet and byte counters, and the -n option to list everything in numeric form, that is, without resolving IP addresses to host names: host names, protocols and networks are all shown as numbers.
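Reading those counters is how the two checks earlier in the article are done in practice: section II decides whether the FORWARD chain is ever used by looking at its traffic, and section III greps the listing for the chains whose policy is still ACCEPT. As an added example (not code from the original article), the shell functions below parse a constructed `iptables -L -v -n -x` listing (-x prints exact byte counts instead of the abbreviated 11G shown in the screenshot) and report each chain's policy, how many packets it has handled, and whether the FORWARD chain sees any traffic at all. The sample listing, the LIVE switch and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: read the chain counters that
# "iptables -L -v -n -x" prints and answer the two questions the article raises:
# which chains still have an ACCEPT policy, and does the FORWARD chain see traffic.
# SAMPLE is constructed output modelled on the article's screenshot (11G in, ~17G out).
SAMPLE=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 1542233 packets, 11811160064 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       10.10.10.10          0.0.0.0/0
      12        720 DROP       tcp  --  *      *       10.10.10.0/24        0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1823901 packets, 18253611008 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
)

# Source of the listing: the constructed sample, or the live firewall when LIVE=1
# (reading the live table needs root).
rules_listing() {
    if [ "${LIVE:-0}" = "1" ]; then
        iptables -L -v -n -x
    else
        printf '%s\n' "$SAMPLE"
    fi
}

# Default policy of one chain, taken from its "Chain NAME (policy ...)" header line.
chain_policy() {
    rules_listing | awk -v c="$1" '$1 == "Chain" && $2 == c { print $4 }'
}

# Packets handled by a chain: those that matched a rule (first column of each rule
# line) plus those that fell through to the policy (the count in the header line).
chain_packets() {
    rules_listing | awk -v c="$1" '
        $1 == "Chain" { cur = $2; if (cur == c) total += $5; next }
        cur == c && $1 ~ /^[0-9]+$/ { total += $1 }
        END { print total + 0 }'
}

# Chains whose policy is still ACCEPT, the same thing "iptables -L | grep policy" shows.
open_chains() {
    rules_listing | awk '$1 == "Chain" && $4 == "ACCEPT" { printf "%s%s", sep, $2; sep = " " }
                         END { print "" }'
}

# The article's test: a host that never forwards has a FORWARD chain with zero traffic,
# so it can safely be given a DROP policy.
forward_needed() {
    if [ "$(chain_packets FORWARD)" -gt 0 ]; then echo yes; else echo no; fi
}

for chain in INPUT FORWARD OUTPUT; do
    echo "$chain: policy $(chain_policy "$chain"), $(chain_packets "$chain") packets"
done
echo "chains with ACCEPT policy: $(open_chains)"
echo "FORWARD chain needed: $(forward_needed)"
```

On a real host run it as `LIVE=1 sh counters.sh` (as root); the per-rule packet column is also the quickest way to confirm that a DROP rule you just added is actually being hit.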
Clear all current rules: