Linux iptables firewall setting FAQ

========================================================== =
========================================================== =

Common iptables firewall configuration problems:

Author: kenduest)

Last Updated: 8/18/2006

========================================================== =
========================================================== =

Title List project: (generally, the firewall configuration problem on the local machine)

1. How can I query my current iptables configuration settings?
2. How do I disable the firewall configuration of Linux distro and disable clearing rules?
3. About firewall configuration of RedHat 9, fedora and RHEL
4. How do I manually clear and reset iptables firewall rule?
5. What is the flowchart of iptables firewall packet comparison and judgment?
6. What are the rules for iptables firewall packet comparison?
7. Why is the host itself unable to access external hosts due to the use of-P input drop?
8. is the use of-P input drop limiting access to services on the local machine?
9. The network access caused by the use of-P input drop is normal, but the FTP connection fails?
10. What is the network failure caused by the use of-P output drop?
11. Is it recommended that the Firewall Service of the local machine be only open to external projects, and other prohibited configuration methods?

Title List project: (NAT service configuration issues)

1. What is the configuration Syntax of a single purified NAT service?
2. What is the ftp connection Access Error for an internal ip host that accesses the Internet through NAT?
3. How can I configure a connection to an external Port on the NAT host to be transferred to an internal host?
4. What is the difference between using-j MASQUERADE and-j SNAT for NAT?

========================================================== =

Firewall configuration problems on the local machine

=====

1. How can I query my current iptables configuration settings?

Iptables provides the iptables-save program file. After running the file, you can view the current configuration.

[Copy to clipboard] [-]

CODE:

Iptables-save

If you use iptables, you can use the-L option to list the rules. However, because iptables filtering can be performed on different tables, input-t can be used to view the specified table. If it is not specified, the filter table project is used by default. General Usage:

[Copy to clipboard] [-]

CODE:

Iptables-l
Iptables-T nat-l

However, iptables will reverse query and parse the host name when there is an ip address item in the rule. This also often results in time-consuming re-query, which leads to the failure to operate when listing the rule, therefore, the input-n option is usually used together to indicate that the host name result after reverse lookup is not displayed.

[Copy to clipboard] [-]

CODE:

Iptables-l-N
Iptables-T nat-l-N

Of course, for more detailed information, you can use the-v option.

[Copy to clipboard] [-]

CODE:

Iptables-l-N-V
Iptables-T nat-l-N-V

=====

2. How do I disable the firewall configuration of Linux Distro and disable clearing rules?

Each release version provides its own firewall script to automatically bring in the setting rules at startup, so there is no unified approach.

--

In RHEL and Fedora Linux, the boot script itself is/etc/init. d/iptables. Therefore, you can manually disable the script:

[Copy to clipboard] [-]

CODE:

/Etc/init. d/iptables stop

You can use chkconfig to disable this service item if it is enabled each time.

[Copy to clipboard] [-]

CODE:

Chkconfig iptables off

--
If SLES is used, modify the/etc/sysconfig/network/config configuration, which can be found in:

[Copy to clipboard] [-]

CODE:

# With this variable you can determine if the susefirewall when enabled
# Shocould get started when network interfaces are starte
Firewall = "Yes | no"

This allows you to set whether to enable the firewall configuration each time you start the network.

=====

3. About firewall configuration of RedHat 9, Fedora and RHEL

The system itself provides the firewall configuration mode. In the text mode, you can run the setup program. After the Firewall project enters, you can choose to add relevant rules. Finally, the allowed configurations are stored in the/etc/sysconfig/iptables file.

When/etc/init. d/iptables start or service iptables start is used, firewall is enabled Based on the configuration set in/etc/sysconfig/iptables.

In the format of/etc/sysconfig/iptables, you can use the iptables-restore program to enable it after reading standard input. Simply put, the service is actually enabled:

[Copy to clipboard] [-]

CODE:

Iptables-Restore </etc/sysconfig/iptables

Run/etc/init. d/iptables save can store the rules that are currently being executed by the system to the/etc/sysconfig/iptables file. The underlying layer is actually called the iptables-save program to achieve this result. Simply put:

[Copy to clipboard] [-]

CODE:

Iptables-save>/etc/sysconfig/iptables

Only the rules contained in/etc/sysconfig/iptables for firewall rule are described, and no iptables-related kernel module is included in the loading configuration, to load additional modules, modify/etc/sysconfig/iptables-config.

/Etc/sysconfig/iptables-config itself or read and use the script file/etc/ini. d/iptables. Based on this content, the variables can be defined to specify the necessary module project to be loaded:

[Copy to clipboard] [-]

CODE:

# Load additional iptables modules (NAT helpers)
# Default:-None-
# Space separated list of NAT helpers (e.g. 'IP _ nat_ftp ip_nat_irc '),
# Which are loaded after the firewall rules are applied. Options
# The helpers are stored in/etc/modprobe. conf.
Iptables_modules = ""

=====

4. How do I manually clear and reset iptables firewall rule?

If all rule settings are cleared manually, the following methods can be used:

[Copy to clipboard] [-]

CODE:

Iptables-F # If-t is not added to the specified table,-t filter is used by default.
Iptables-X

Iptables-F-t nat
Iptables-X-t nat

Iptables-F-t mangle
Iptables-X-t mangle

-F indicates clearing the rule list settings for all chain projects in the specified table. -X indicates that the user-defined chain project is deleted.

In addition to cleanup, we recommend that you set the pre-configured policy for filtering to accept, that is, the transmission of any packets is not blocked.

[Copy to clipboard] [-]

Code:

Iptables-p input accept #-t is not added to specify the table.-t filter is used by default.
Iptables-P OUTPUT ACCEPT
Iptables-P FORWARD ACCEPT

Iptables-T nat-P output accept
Iptables-T nat-P prerouting accept
Iptables-T nat-P postrouting accept

Iptables-T mangle-P prerouting accept
Iptables-T mangle-P postrouting accept
Iptables-T mangle-P input accept
Iptables-T mangle-P output accept
Iptables-T mangle-P forward accept

At the same time, this technique should also be used when you create iptables firewall rule manually in the future, that is, to clear the previous rules first, including changing all preset policies to accept, in this way, the configuration of firewall rules will not be messy.

=====

5. What is the flowchart of iptables firewall packet comparison and judgment?

For details, refer to this table:

[Copy to clipboard] [-]

Code:

Http://ebtables.sourceforge.net/br_fw_ia/bridge3b.png

CTRL + mouse wheel to zoom in/out "src =" http://ebtables.sourceforge.net/br_fw_ia/bridge3b.png "width =" 716 "onLoad =" If (this. width> screen. width * 0.7) {This. resized = true; this. width = screen. width * 0.7; this. alt = 'click here to open new window/nctrl + mouse wheel to zoom in/out';} "border =" 0 "resized =" true ">

=====

6. What are the rules for iptables firewall packet comparison?

This should be divided into several points to explain:

1) The general saying is that first match, that is, the rule will not go down after it complies with the rule description.

For example:

[Copy to clipboard] [-]

Code:

Iptables-P INPUT ACCEPT
Iptables-a input-s 192.168.1.1-j ACCEPT
Iptables-a input-s 192.168.1.0/24-j DROP

In 192.168.1.0/24, only 192.168.1.1 is allowed for access, and other IP addresses of 192.168.1.0/24 are not allowed for access.

Common incorrect ideas are as follows:

[Copy to clipboard] [-]

Code:

Iptables-P INPUT ACCEPT
Iptables-a input-j ACCEPT
Iptables-A input-s 192.168.1.0/24-J Drop

Why is access allowed in 1921.68.1.0/24 disabled? This means that the matching results will not proceed.

However, it must be noted that the-J log and-J mark rules will continue to be compared, which is different from the-J accept and-J Drop rules.

2) when none of the matching rules are met, the final result depends on the preset policy settings.

[Copy to clipboard] [-]

Code:

Iptables-P input accept
Iptables-A input-s 192.168.1.0/24-J Drop
......

For the above rules, it indicates that all the preset packets are allowed to be connected to access. Only 192.168.1.0/24 is forbidden. That is to say, after the comparison process rules are completed, there is no matching description. Finally, access is allowed.

[Copy to clipboard] [-]

Code:

Iptables-P input drop
Iptables-A input-s 192.168.1.0/24-J accept
......

In terms of the above rules, it indicates that the default packets are not allowed to be connected to access. Only 192.168.1.0/24 is allowed. That is to say, after the comparison process rules are completed, there is no matching description, and finally the prohibition is allowed.

To adjust the preset policy to drop, you need to pay attention to a lot of procedures. The following sections will discuss the precautions for this section. In general, it is recommended that you do not rashly configure and use the default access unless you clearly set the default access to the result of drop. For this reason, it is said that only 192.168.1.0/24 can be opened for access, however, this server can only access the host of the network segment 192.168.1.0/24, and other purposes are prohibited.

=====

7. Why is the host itself unable to access external hosts due to the use of-P input drop?

For more stringent firewall access restrictions, this configuration is generally used by beginners:

[Copy to clipboard] [-]

Code:

Iptables-P input drop
Iptables-A input-p tcp -- dport 22-J accept

That is, the host only wants to open the SSH service to provide external access.

At first glance, it seems to be very correct, but after the configuration, the port 22 service can be rolled out, but the problem may be caused by a problem in the future, that is to say, "If the host needs to be set up outside of the host, it will be disabled ". For example, this server cannot use SSH to log on to the terminal master, or use the browser to view the HTTP server of port 80 of other hosts.

Why? TCP/IP itself is bidirectional, that is, inbound and outbound. This rule is not taken into account.

When the host needs to establish external connections, the other party must also respond to packets sent to the original host, so the response packets must be allowed. However, this problem is not taken into account in this configuration. As a result, the response packet is discarded, so the connection fails to be established.

Therefore, when setting-P input drop, the correct method should be to allow the host itself to respond to the package project when it is out of service, that is:

[Copy to clipboard] [-]

Code:

Iptables-P input drop
Iptables-A input-M state -- State established-J accept
Iptables-A input-p tcp -- dport 22-J accept

-M state -- State established plays a very important role, that is, the packets that the host of the other Party responds to after the connection is allowed.

=====

8. is the use of-P input drop limiting access to services on the local machine?

[Copy to clipboard] [-]

Code:

Iptables-P input drop
Iptables-A input-M state -- State established-J accept
Iptables-A input-p tcp -- dport 22-J accept

However, the above rules should generally consider that the host itself only provides the SSH service that can be linked to access port 22, but if the host has services such as port 80 and port 25, this configuration also limits access to your host services.

Based on this problem, it is generally recommended that the loopback interface be blocked because it is not restricted by the firewall configuration. It is generally recommended to change it:

[Copy to clipboard] [-]

Code:

Iptables-P INPUT DROP
Iptables-a input-I lo-j ACCEPT
Iptables-a input-m state -- state ESTABLISHED-j ACCEPT
Iptables-a input-p tcp -- dport 22-j ACCEPT

=====

9. The network access caused by the use of-P input drop is normal, but the FTP connection fails?

According to the method described above, only the ftp port 21 service is enabled. If other services are disabled, it is generally configured to use:

[Copy to clipboard] [-]

Code:

Iptables-P INPUT DROP
Iptables-a input-m state -- state ESTABLISHED-j ACCEPT
Iptables-a input-p tcp -- dport 21-j ACCEPT

In this configuration, it is confirmed that the FTP client can be connected to the FTP host and the welcome login screen is displayed. However, an error will occur when viewing the file directory list and file capturing in the future...

The ftp protocol itself can also distinguish between the active mode and passive mode in the data channnel mode. In the passive mode, finally, the Protocol allows the ftp client to connect to the ftp server itself, which is specified to transfer data to a port greater than 1024 port.

In this way, the configuration may work normally during ftp transmission, but the passive mode is incorrect, the reason is that the firewall rule configuration of the host does not allow the ftp client to be connected to the port specified by the ftp server.

To solve this problem, in iptables, a helper with the name ip_conntrack_ftp can intercept the communication between the ftp protocol commands with the connection port 21 and the external destination port 21, you can configure firwewall rules for iptables. Open practices:

[Copy to clipboard] [-]

CODE:

Modprobe ip_conntrack_ftp

Iptables-P INPUT DROP
Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
Iptables-a input-I lo-j ACCEPT
Iptables-a input-p tcp -- dport 21-j ACCEPT

Among them, the-m state part has another RELATED project, which is the packet in the active state, however, it is because the connection architecture like existing ftp will lead to additional active projects.

However, if the ftp service on the host is not port 21, make the following adjustments:

[Copy to clipboard] [-]

CODE:

Modprobe ip_conntrack_ftp ports = 21,30000

Iptables-P INPUT DROP
Iptables-A input-M state -- State established, related-J accept
Iptables-A input-I lo-J accept
Iptables-A input-p tcp -- dport 21-J accept
Iptables-A input-p tcp -- dport 30000-J accept

That is, the FTP service provided by the host is on port 21 and port 30000 respectively, so that the FTP helper ip_conntrack_ftp can normally provide the FTP client with passive mode access without any problems.

=====

10. What is the network failure caused by the use of-P output drop?

Let's take a look at the configuration snippet description:

[Copy to clipboard] [-]

Code:

Iptables-P INPUT ACCEPT
Iptables-P OUTPUT DROP

In this configuration, it seems that the host is completely open to the outside world and there is no restriction on inbound connections. However, the host itself is limited to external connections, but the result is that it cannot be connected regardless of the outside.

This problem is the same as the configuration problem with-P input drop mentioned above. This also does not take into account the TCP/IP itself as a two-way communication problem.

Consider the items that the host will respond to after the packet is connected. It also needs to be included with the-M State to provide the items that allow the response to the packet. The whole part is described as follows:

[Copy to clipboard] [-]

Code:

Iptables-P OUTPUT DROP
Iptables-A output-M state -- State established, related-J accept
Iptables-A output-O lo-J accept

In this way, the result is that the host itself can connect to its own host services, but access to external links will be disabled.

But do you need to configure-P output drop? To be honest, I feel that this is usually the case, because the actual application does not limit the external connection function of my host.

However, if you insist on setting-p output drop, you should consider that the subsequent open description of active external connections may be more... for example:

[Copy to clipboard] [-]

CODE:

Iptables-P output drop
Iptables-A output-M state -- State established, related-J accept
Iptables-A output-O lo-J accept
Iptables-A output-p tcp -- dport 25-J accept
Iptables-A output-p udp -- dport 53-J accept
Iptables-A output-p tcp -- dport 80-J accept

Is it a bit difficult to find yourself?

Therefore, the conclusion is that, unless you do not want your host to have active connections, you should set the preset policy of the OUTPUT chain to DROP. Otherwise, do not use this configuration.

=====

11. Is it recommended that the firewall Service of the local machine be only open to external projects, and other prohibited configuration methods?

Based on the process mentioned above, if the preset INPUT access is disabled, the following configuration references are provided:

[Copy to clipboard] [-]

CODE:

Modprobe ip_conntrack_ftp

Iptables-P INPUT DROP
Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
Iptables-a input-I lo-j ACCEPT
Iptables-a input-p tcp -- dport 21-j ACCEPT
Iptables-a input-p tcp -- dport 22-j ACCEPT

If the preset INPUT access is allowed, provide the following configuration reference:

[Copy to clipboard] [-]

CODE:

Modprobe ip_conntrack_ftp

Iptables-P INPUT ACCEPT
Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
Iptables-a input-I lo-j ACCEPT
Iptables-A input-p tcp -- dport 21-J accept
Iptables-A input-p tcp -- dport 22-J accept
Iptables-A input-M state -- state new, invalid-J Drop

If you want to allow the host to receive a Ping program to test whether the host can be accessed, use the following command:

[Copy to clipboard] [-]

Code:

Iptables-A input-p icmp -- ICMP-type echo-request-J accept

Of course, please note that use-F and-X to clear the pre-existing rule first to avoid
Rule is mixed together to affect each other.

=====

NAT service configuration problems

=====

1. What is the configuration Syntax of a single purified NAT service?

Assume that the external interface is eth0 and the internal interface is eth1. The IP address range of the internal network segment is 192.168.1.0/24.

If the preset forward chain itself is accept, the configuration syntax is as follows:

[Copy to clipboard] [-]

Code:

Iptables-A postrouting-T nat-s 192.168.1.0/24-O eth0-J Masquerade

Echo 1>/proc/sys/NET/IPv4/ip_forward

If the preset forward chain is drop, the configuration syntax is as follows:

[Copy to clipboard] [-]

Code:

Iptables-A postrouting-T nat-s 192.168.1.0/24-O eth0-J Masquerade
Iptables-a forward-M state -- State established, related-J accept
Iptables-a forward-s 192.168.1.0/24-J accept

Echo 1>/proc/sys/NET/IPv4/ip_forward

Of course, do not forget the topics mentioned above, that is, use the-F and-x projects first. If the preset forward chain is drop, consider whether ICMP protocol packets such as ECHO-request can be transmitted from the Intranet segment.

=====

2. What is the FTP connection Access Error for an internal IP host that accesses the Internet through Nat?

This issue is related to the FTP issue and the use of-M state -- state related configuration. Because the tracing function of FTP connections under Nat is required, the module must be mounted with ip_nat_ftp to provide the Tracing Mechanism correctly.

Therefore, if the preset forward chain itself is accept, the configuration syntax is as follows:

[Copy to clipboard] [-]

Code:

Modprobe ip_nat_ftp

Iptables-A postrouting-T nat-O eth0-s 192.168.1.0/24-J Masquerade
Iptables-a forward-M state -- State established, related-J accept

Echo 1>/proc/sys/NET/IPv4/ip_forward

After ip_nat_ftp module is used together, the related parameter used in the forward chain will be useful.

=====

3. How can I configure a connection to an external port on the NAT host to be transferred to an internal host?

General syntax Configuration:

[Copy to clipboard] [-]

Code:

Iptables-A prerouting-T nat-D 210.1.1.1-p tcp 80-j dnat -- to-destination 192.168.1.1: 80

Assume that the NAT host's external IP address is 210.1.1.1. When the external link is set to access port 80 of the IP address, the packet is forwarded to port 80 of 192.168.1.1.

However, when someone connects port 80 of port 210.1.1.1 on the Intranet segment of 192.168.1.0/24, they cannot browse the actual service project 192.168.1.1: 80.

This issue involves icmp re-import, and does not occur in the Development of netfilter iptables. If there are still problems, consider the following Configuration:

[Copy to clipboard] [-]

CODE:

Iptables-T Nat-A postrouting-D 192.168.1.1 -- dport 80-s 192.168.1.0/24-j snat -- To 192.168.1.254

192.168.1.254 is the internal ip address of the NAT host, so that the access source of 192.168.1.1 is 192.168.1.254.

=====

4. What is the difference between using-j MASQUERADE and-j SNAT for NAT?

Assume that the external interface of the NAT host is eth0, the odd ip address is 210.1.1.1, and the internal interface is eth1. The ip address range of the internal network segment is 192.168.1.0/24.

Generally, you can choose to provide the NAT service so that the internal privae ip Address can access the internet. The configuration methods include:

[Copy to clipboard] [-]

CODE:

Iptables-A postrouting-T nat-s 192.168.1.0/24-J Masquerade

Echo 1>/proc/sys/net/ipv4/ip_forward

Another method:

[Copy to clipboard] [-]

CODE:

Iptables-A postrouting-T nat-s 192.168.1.0/24-j snat -- To 210.1.1.1

Echo 1>/proc/sys/net/ipv4/ip_forward

Basically, the final result can fulfill the requirement, but the general difference is:

1) using-j SNAT is generally better than using-j MASQUERADE, because it involves the comparison problem when packets are transmitted through the relevant interface.

2) If the external ip address is not fixed, that is, the dial-to-get interface will be non-fixed, and the use of-j MASQUERADE will be easier to use.

=====