Linux iptables firewall basic application tutorial, linuxiptables

Source: Internet
Author: User

Linux iptables firewall basic application tutorial, linuxiptables

Iptables is a common firewall software in Linux, the following describes how to install and clear iptables rules. iptables only supports the specified port. iptables shields basic applications of iptables, such as specified ip addresses, ip segments, unblocking, and deleting added iptables rules..

1. Install iptables Firewall

If iptables is not installed, install it first,CentOS execution:

Yum install iptables

Run Debian/Ubuntu:

Apt-get install iptables2, clear existing iptables rules iptables-F
Iptables-X
Iptables-Z3: Open the specified port # Allow the local loopback interface (that is, run the local machine to access the local machine)
Iptables-a input-s 127.0.0.1-d 127.0.0.1-j ACCEPT
# Allow established or related connections
Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
# Allow external access from all hosts
Iptables-a output-j ACCEPT
# Allow access to port 22
Iptables-a input-p tcp -- dport 22-j ACCEPT
# Allow access to port 80
Iptables-a input-p tcp -- dport 80-j ACCEPT
# Allow port 21 and Port 20 of the FTP service
Iptables-a input-p tcp -- dport 21-j ACCEPT
Iptables-a input-p tcp -- dport 20-j ACCEPT
# If there are other ports, the rule is similar. Just modify the preceding statement slightly.
# Prohibit access by other unpermitted rules
Iptables-a input-j REJECT (Note: if port 22 is not added with the permit rule, the SSH link will be disconnected directly .)
Iptables-a forward-j REJECT4, blocked IP # If you only want to shield the IP, you can skip "3. Open the specified port.
# The command to shield a single IP address is
Iptables-I INPUT-s 123.45.6.7-j DROP
# The command for sealing the entire segment from 123.0.0.1 to 123.20.255.254
Iptables-I INPUT-s 123.0.0.0/8-j DROP
# An IP address segment is a command from 123.45.0.1 to 123.45.255.254.
Iptables-I INPUT-s 124.45.0.0/16-j DROP
# The command from 123.45.6.1 to 123.45.6.254 is
Iptables-I INPUT-s 123.45.6.0/24-j DROP4, view the added iptables rules iptables-L-n

V: displays details, including the number of matching packages and the number of matching bytes for each rule.
X: Disable Automatic unit conversion (K, M) vps Detection Based on v.
N: only the ip address and port number are displayed, and the ip address is not resolved as a domain name.

5. Delete the added iptables rule

Display All iptables with serial numbers. Run the following command:

Iptables-L-n -- line-numbers

For example, to delete the rule with serial number 8 in INPUT, execute:

Iptables-d input 86, iptables startup and rule saving

After iptables is installed on CentOS, iptables does not start automatically after it is started. You can execute the following command:

Chkconfig -- level 345 iptables on

Add it to startup.

On CentOS, you can run the: service iptables save rule.

In addition, iptables On Debian/Ubuntu does not save rules.

To disable the NIC, follow these steps: Save iptables rules and load iptables rules at startup:

Create the/etc/network/if-post-down.d/iptables file and add the following:

#! /Bin/bash
Iptables-save>/etc/iptables. rules

Run: chmod + x/etc/network/if-post-down.d/iptables to add execution permissions.

Create the/etc/network/if-pre-up.d/iptables file and add the following:

#! /Bin/bash
Iptables-restore </etc/iptables. rules

Run: chmod + x/etc/network/if-pre-up.d/iptables to add execution permissions.

For more instructions on iptables, run iptables -- help or search for iptables parameters online.


Urgent !!! Issues related to implementing the linux firewall using iptables

View by yourself:
What is Iptables?

Iptables is a packet filtering management tool based on the netfilter architecture. It is mainly used for firewall or transparent proxy. Iptables has evolved from ipchains and is more powerful. Iptables provides three functions: packet filtering, NAT (Network Address Translation), and general pre-route packet mangling. Package filtering: used to filter packets without modifying the content of the package. Compared with ipchians, Iptables provides faster and more convenient packet filtering. NAT: NAT can be divided into source address NAT and destination address NAT.

Iptables can append, insert, or delete packet filtering rules. In fact, netfilter and its related modules (such as the iptables module and nat module) actually execute these excessive rules ). Netfilter is a general architecture at the core of Linux. It provides a series of "tables". Each table is composed of several "chains, each chain can contain one or more "rules.

The default table is "filter", which contains three links: INPUT, FORWARD, and OUTPUT.

There can be one or several rules in each chain, and each rule is defined as follows: if the data packet header meets this condition, it will process the data packet. When a packet arrives at a chain, the system checks from the first rule to see if it meets the conditions defined by the rule: if yes, the system processes the data packet according to the method defined by the rule. If the data packet does not meet the requirements, the system checks the next rule. Finally, if the packet does not comply with any rule in the chain, the system will process the packet according to the pre-defined policy of the chain.

? Table, chain, rule

Iptables can manipulate three tables: filter table, nat table, and mangle table.

NAT and general mangle use the-t parameter to specify which table to operate. Filter is the default table. If the-t parameter is not set, the filter table is operated by default.

Rule rules: filter rules and port forwarding rules. For example, if any machine is prohibited from pinging our server, you can set a Rule on the server:

Iptables-a input-s! 127.0.0.1-p icmp-j DROP

Starting from-s, it is a rule. Before-j, It is the condition of the rule, and-j is the behavior (Purpose) of the rule ). The entire command is interpreted as inserting a rule in the INPUT rule chain of the filter table. All icmp packets whose source address is not 127.0.0.1 are discarded.

Chain rule chain: It is composed of a series of rules, each of which passes through each rule in the Chain sequentially. Chain is divided into system chain and user-created chain. The following describes the system chain.

System chain of the filter table: INPUT, FORWAD, OUTPUT

System chain of the nat table: PREROUTING, POSTROUTING, OUTPUT

System chain of the mangle table: PREROUTING, OUTPUT

Each system chain is checked at a specific position. For example, in packet filtering, If the destination address is a local package, it will enter the INPUT rule chain, and the package going out from the local will enter the OUTPUT rule chain.

All tables and chains are empty when they are started. The iptables setting method is to add corresponding rules to the appropriate table and system chain.

---------------------------------------------- ...... The remaining full text>

How to Set iptables firewall in linux

Iptable-A Input-p Tcp-d IP address B -- dPort port-J Reject

RedHat Machine
Cat/etc/sysconfig/iptables
* Filter
: Input accept [10276: 1578052]
: Forward accept [0: 0]
: Output accept [13784: 16761487]
-A input-s 10.0.0.0/255.0.0.0-I eth1-j DROP
-A input-s 172.16.0.0/255.240.0.0-j DROP
-A input-s 192.168.0.0/255.255.0.0-I eth1-j DROP # eth1 is interface to internet
# Anti Sync Flood
-A forward-p tcp-m tcp -- tcp-flags SYN, RST, ack syn-m limit -- limit 1/sec-j ACCEPT
# Anti some port scan
-A forward-p tcp-m tcp -- tcp-flags FIN, SYN, RST, ack rst-m limit -- limit 1/sec-j ACCEPT
# Anti ping of death
-A forward-p icmp-m icmp -- icmp-type 8-m limit -- limit 1/sec-j ACCEPT
COMMIT

Chkconfig iptables on
After iptables is started, the configuration file (/etc/sysconfig/iptables) will be automatically read)
Auto Start
Or manually start/etc/rc. d/init. d/iptables start
/Etc/rc. d/init. d/iptables stop manual stop

Set up a firewall in LINUX

Linuxbird
With the popularity of the Internet, people's daily work is also closely related, so more and more organizations have opened Internet proxy services for employees. However, when an enterprise's internal network is connected to the Internet, its internal resources are like the lambs to be sold, therefore, in addition to computer viruses and System Robustness among other internal reasons, system security mainly prevents illegal user intrusion through the Internet. At present, the prevention measures mainly rely on the firewall technology.

1. What is firewall?
Firewall (firewall) refers to a combination of software or hardware devices. It is located between an enterprise or a network group computer and an external channel (Internet, restrict external users from accessing the internal network and managing the permissions of internal users to access the external network. It mainly controls the round-trip access to the protected network (that is, the outlets), so that the connection points can be checked and evaluated.

From its birth to the present, the firewall has gone through four stages of development: a router-based firewall, a user-based firewall tool set, a firewall built on a general operating system, and a firewall with a secure operating system. At present, most of the Firewall vendors provide a combination of software and hardware for secure operating systems, such as NETEYE, NETSCREEN, and TALENTIT. There are also a lot of Firewall software on the LINUX operating system. Apart from the IPCHAINS which we will introduce below, there are also many, such as: Sinus Firewall, Jfwadm... the rest of the full text>

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.