Linux iptable firewall block and open ports
Source: http://hi.baidu.com/zplllm/item/f910cb26b621db57c38d5983
1. Close INPUT, FORWARD and OUTPUT completely, then open only the ports you need.
The commands are:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Then run iptables -L -n to check that the policies took effect; all three chains should show policy DROP.
This setting is only temporary: after a reboot the server returns to the unconfigured state.
To keep it you also have to run service iptables save.
The saved firewall rules are in fact stored in /etc/sysconfig/iptables.
You can open that file to look at them: vi /etc/sysconfig/iptables
2. Open only port 22
I will open only port 22 to show how it is done; these are the two rules:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Now that the Linux server has only port 22 open, test with putty.exe to see whether you can still connect.
It connects, so the rules are working.
Finally, don't forget to save the firewall settings with the command service iptables save.
Save and restart iptables:
service iptables save && service iptables restart
Shut the firewall down:
chkconfig iptables off && service iptables stop
Some explanation of the two rules:
-A appends a rule to a chain, here INPUT.
-p specifies the protocol. We mostly use tcp, but there is also udp, for example DNS on port 53; when we configure DNS on port 53 later you will see that it uses UDP.
--dport is the destination port: when data enters the server from outside, the server's port is the destination port.
Conversely, for data leaving the server, the server's port is the source port, --sport.
-j specifies the target: ACCEPT to let the packet through, or DROP to discard it.
3. Blocking access from one IP address
There is one Linux server and two Windows XP machines that access it.
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8
First let's check that both XP machines can access the server:
192.168.1.2 (XP1) can access it,
and 192.168.1.8 (XP2) can also access it normally.
Now I will block access from 192.168.1.2 (XP1) while XP2 keeps normal access.
Here is the demonstration, with the command:
iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
Here -A adds a new rule. Because we visit the site over TCP we use -p tcp (if it were UDP we would write udp);
-s is the source, meaning the packet's source IP is 192.168.1.2; and -j says how to handle it, which here should be DROP, to reject it.
Okay, let's look at the effect. The rule was added successfully; now check whether it takes effect.
The browser keeps waiting and finally shows "the page cannot be displayed": access from 192.168.1.2 (XP1) has been denied.
Checking the other XP machine, 192.168.1.8 still has normal access.
4. How to delete rules
First we need the number of the rule; every rule has a number.
The rules with their numbers can be displayed with iptables -L -n --line-numbers
num  target  prot opt source     destination
1    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:3306
2    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:21
3    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:80
Look at the num column: the rule we want to delete is number 2.
Then we can delete it:
iptables -D INPUT 2
This deletes rule number 2 in the INPUT chain.
Then run iptables -L -n to check that it is gone.
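As an added example (not from the original post), here is a small script that puts sections 3 and 4 together: it blocks one source address, then finds a rule by its line number in the listing and deletes it. It assumes a RHEL/CentOS-style iptables; the IPTABLES variable defaults to echo so the commands are printed rather than applied, and the listing it parses is a constructed copy of the output shown above. One difference from the post: the DROP rule is inserted with -I at position 1 instead of appended with -A, because iptables stops at the first matching rule, and a DROP appended after an ACCEPT for port 80 would never see that host's web traffic.

```sh
#!/bin/sh
# Added example, not from the original post: block one source address, then
# locate and delete a rule by its line number. IPTABLES=echo (the default)
# prints the commands; run as root with IPTABLES=iptables to apply them.
IPTABLES=${IPTABLES:-echo}
ipt() { "$IPTABLES" "$@"; }

# Insert at position 1 (-I) rather than append (-A): iptables stops at the
# first matching rule, so a DROP appended after "ACCEPT --dport 80" would never
# be reached by that host's web traffic. Drops all protocols from the source
# (the post limits its rule to tcp).
block_source() {
    ipt -I INPUT 1 -s "$1" -j DROP
}

# Remove it again by specification, which does not depend on rule numbers.
unblock_source() {
    ipt -D INPUT -s "$1" -j DROP
}

# Read "iptables -L CHAIN -n --line-numbers" output on stdin and print the
# number of the first rule whose text contains the pattern (e.g. "dpt:21").
# Header lines do not start with a digit, so only rule lines are considered.
find_rule_num() {
    pattern=$1
    while IFS= read -r line; do
        case "$line" in
            [0-9]*"$pattern"*) set -- $line; printf '%s\n' "$1"; return 0 ;;
        esac
    done
    return 1
}

# Delete the first rule in a chain matching the pattern, reading a live
# listing; fails cleanly when nothing matches instead of deleting rule "".
delete_rule_matching() {
    chain=$1
    num=$("$IPTABLES" -L "$chain" -n --line-numbers | find_rule_num "$2") || {
        echo "no rule matching '$2' in $chain" >&2
        return 1
    }
    ipt -D "$chain" "$num"
}

# Constructed listing copying the post's section 4 output (not live data).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target  prot opt source     destination
1    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:3306
2    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:21
3    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:80'

block_source 192.168.1.2
num=$(printf '%s\n' "$SAMPLE_LISTING" | find_rule_num 'dpt:21')
echo "port 21 rule is number $num, removed with:"
ipt -D INPUT "$num"
unblock_source 192.168.1.2
```

Run it as is to see the commands; with IPTABLES=iptables and root it applies them, and delete_rule_matching INPUT 'dpt:21' then works against the live listing instead of the sample. Deleting by specification (unblock_source) is the safer habit, since every delete by number renumbers the rules below it, as section 5 warns.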
5. Filtering invalid packets
Suppose someone has got into the server, or there is a virus or trojan on it: it can use ports such as 22 and 80 to send data out of the server.
That traffic is different from our normal access to ports 22 and 80. The data it sends out is not the response to a request for a web page.
Now we want to block these packets that are not responses to a request, and drop them all.
iptables provides a state check. Below we configure ports 22 and 80 to stop such invalid packets.
You can see that, compared with the rule we used before,
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
there is one more condition, the connection state: only packets belonging to an already ESTABLISHED connection are accepted.
The same for port 80. Now delete the original two rules:
iptables -L -n --line-numbers shows the rules with their numbers. Once we know the numbers we can
delete the corresponding rules.
iptables -D OUTPUT 1   (here 1 is the first rule)
When you delete a rule the numbers of the following rules change as well, so look at the listing again.
OK, we have removed the previous two rules, and port 22 still works normally, which means there is no problem.
Save the settings, don't forget, otherwise a reboot reverts to the original state:
service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
The rules just set are in fact written to the file /etc/sysconfig/iptables.
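As an added example that is not part of the post, the following script builds the rule set of sections 1, 2 and 5 in one place: default DROP policies, SSH and HTTP in, and replies out only for connections that already exist in the connection-tracking table, which is what stops a process that merely binds source port 22 or 80 from sending traffic out. It assumes iptables with the state match on a RHEL/CentOS 5/6 style system, where service iptables save persists the rules; IPTABLES defaults to echo so it prints the commands instead of applying them, and the loopback rules are my addition, not the post's.

```sh
#!/bin/sh
# Added example, not the post's own script: default-deny rule set with
# stateful replies (sections 1, 2 and 5 of the post).
# IPTABLES=echo (the default) prints the commands; run as root with
# IPTABLES=iptables to apply them.
IPTABLES=${IPTABLES:-echo}
ipt() { "$IPTABLES" "$@"; }

# Section 1: drop everything by default on all three built-in chains.
set_default_deny() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

# Not in the post: local services (and a resolver on 127.0.0.1) need loopback.
allow_loopback() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

# Sections 2 and 5: new connections in to the service port, replies out only
# for connections that connection tracking has already seen.
open_tcp_service() {
    ipt -A INPUT -p tcp --dport "$1" -j ACCEPT
    ipt -A OUTPUT -p tcp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
}

# Section 5: remove the stateless OUTPUT rule from section 2 by giving its
# full specification, so no other rule is renumbered.
drop_stateless_output_rule() {
    ipt -D OUTPUT -p tcp --sport "$1" -j ACCEPT
}

# Section 1: on RHEL/CentOS the saved rules live in /etc/sysconfig/iptables.
persist_rules() {
    if [ "$IPTABLES" = echo ]; then
        echo service iptables save
    else
        service iptables save
    fi
}

apply_ruleset() {
    set_default_deny
    allow_loopback
    for port in 22 80; do
        open_tcp_service "$port"
    done
    persist_rules
}

apply_ruleset
```

Apply it from a console session, not over SSH, or keep the old rules until you have confirmed the new ones: with OUTPUT at DROP, a missing ESTABLISHED rule cuts off the session you are typing in.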
6. DNS port 53 settings
Let's look at how to set up iptables to open the DNS port, which is port 53.
In my current situation only ports 22 and 80 are open; let me check whether I can resolve a domain name.
host www.google.com   After entering this command it just keeps waiting, which shows that DNS is not getting through.
The following prompt appears:
;; connection timed out; no servers could be reached
Pinging the domain name also fails:
[root@localhost ~]# ping www.google.com
ping: unknown host www.google.com
The reason is that iptables is blocking port 53.
Some servers, especially web servers, become slow, and DNS is in fact the cause: they cannot send packets to the DNS server.
The following shows how to use iptables to open the DNS port 53. If you do not know the port number of the domain name service, you
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When we ping a domain name the data goes out from this machine, so we set OUTPUT first;
we set up the rules following the sequence of the ping process.
Then the DNS server receives the packet we sent out and responds with a reply:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
You also have to set
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
OK, let's test. You can use iptables -L -n to view the settings and make sure they are right before testing.
Chain OUTPUT (policy DROP)
target     prot opt source     destination
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0   tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0   tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0   udp dpt:53
ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0   udp spt:53
Now test whether DNS gets through iptables:
[root@localhost ~]# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99
nslookup gives the same answer:
Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
www.l.google.com  canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104
This shows that DNS on this machine is working normally and iptables allows access to port 53.
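As an added example (not the post's commands), here is the DNS setup for a server that only uses DNS as a client, written with the state check from section 5. The difference from the post's four rules: replies from port 53 are accepted only when connection tracking can pair them with a query this host sent, whereas a plain --sport 53 ACCEPT on INPUT admits any UDP packet whose sender chose source port 53. TCP 53 is included because answers too large for UDP are retried over TCP. The rules for a host that runs its own name server are kept in a separate function. IPTABLES defaults to echo (preview), and check_dns assumes the host command used in the post is installed.

```sh
#!/bin/sh
# Added example, not the post's own commands: DNS through a default-deny
# iptables with connection tracking. IPTABLES=echo (the default) prints the
# rules; run as root with IPTABLES=iptables to apply them.
IPTABLES=${IPTABLES:-echo}
ipt() { "$IPTABLES" "$@"; }

# Resolver client: queries out to port 53, and back in only the replies that
# connection tracking can pair with a query this host sent. A plain
# "--sport 53 -j ACCEPT" on INPUT would admit any packet whose sender chose
# source port 53, reply or not.
allow_dns_client() {
    for proto in udp tcp; do   # tcp: answers too big for UDP are retried over TCP
        ipt -A OUTPUT -p "$proto" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        ipt -A INPUT -p "$proto" --sport 53 -m state --state ESTABLISHED -j ACCEPT
    done
}

# Name server on this host: the post's remaining two rules, only needed when
# something is actually listening on port 53 here.
allow_dns_server() {
    ipt -A INPUT -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# The post's test, with a 3 second wait so a blocked port 53 fails fast
# instead of hanging; returns host's exit status (0 when the name resolved).
check_dns() {
    host -W 3 "${1:-www.google.com}"
}

allow_dns_client
```

If check_dns still times out after the rules are loaded, look at /etc/resolv.conf next: a resolver on 127.0.0.1 needs the loopback rules, not port 53 rules on the external interface.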
7. iptables settings for FTP
Now I start on the FTP port settings. As in our previous video, we add the ports that need to be opened.
FTP uses two connection ports, 21 and 20; I now add the corresponding rules.
OK, that is done. We use a browser to access the FTP site, and there is a timeout.
That is because, as I said, FTP is special: besides the control port there are data transfer ports,
used for things such as directory listings, uploads and downloads.
And these data ports can be any port ... This "any port" is what makes FTP special.
If you do not specify a port range, it is hard for iptables to open "any port".
If iptables allowed access to any port, that would be no different from having no firewall, so that is not realistic.
So our solution is to restrict the data transfer ports to a specified range.
Let's modify the FTP configuration file.
I use vsftpd for the demonstration; for other FTP servers I do not know where the setting is, you can look it up.
[root@localhost root]# vi /etc/vsftpd.conf
Add at the bottom of the configuration file:
pasv_min_port=30001
pasv_max_port=31000
Then save and exit.
These two lines tell vsftpd to transfer data only on ports within the range 30001 to 31000.
So all we need to do in iptables is open ports 30001 to 31000.
These are my simple rules for the FTP data ports; you can add further checks on the packets,
such as -m state --state ESTABLISHED,RELATED, for more demanding validation.
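As an added example (not the post's own rules), the script below does both halves of the FTP section: it writes the passive port range into the vsftpd configuration idempotently (replacing any existing pasv_min_port/pasv_max_port lines) and opens port 21 plus exactly that range in iptables, with replies out restricted to established connections as in section 5. The configuration path defaults to /etc/vsftpd.conf as in the post; on distributions that keep it at /etc/vsftpd/vsftpd.conf pass that path instead. IPTABLES defaults to echo so the rules are printed, and the demonstration at the bottom works on a temporary file rather than the real configuration.

```sh
#!/bin/sh
# Added example, not the post's own rules: vsftpd passive range plus the
# matching iptables rules. IPTABLES=echo (the default) prints the rules; run
# as root with IPTABLES=iptables to apply them.
IPTABLES=${IPTABLES:-echo}
ipt() { "$IPTABLES" "$@"; }

PASV_MIN=30001
PASV_MAX=31000

# Write pasv_min_port/pasv_max_port into a vsftpd config (default path as in
# the post; assumption: some distributions use /etc/vsftpd/vsftpd.conf).
# Existing pasv_* lines are dropped first so re-running never duplicates them.
# The "|| [ -n "$line" ]" keeps a last line that has no trailing newline.
set_vsftpd_passive_range() {
    conf=${1:-/etc/vsftpd.conf}
    tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            pasv_min_port=*|pasv_max_port=*) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp"
    printf 'pasv_min_port=%s\npasv_max_port=%s\n' "$PASV_MIN" "$PASV_MAX" >> "$tmp"
    mv "$tmp" "$conf"
}

# Read the range back as "min max" (used to verify the edit).
passive_range_of() {
    min=; max=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            pasv_min_port=*) min=${line#pasv_min_port=} ;;
            pasv_max_port=*) max=${line#pasv_max_port=} ;;
        esac
    done < "$1"
    printf '%s %s\n' "$min" "$max"
}

# Control connection on 21 and the passive data range in; replies out only
# for established connections (section 5). Nothing else is opened, so
# "any port" shrinks to exactly these 1000 ports.
allow_ftp() {
    ipt -A INPUT -p tcp --dport 21 -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT -p tcp --dport "$PASV_MIN:$PASV_MAX" -j ACCEPT
    ipt -A OUTPUT -p tcp --sport "$PASV_MIN:$PASV_MAX" -m state --state ESTABLISHED -j ACCEPT
}

# Demonstration on a scratch file; for the real server call
# set_vsftpd_passive_range /etc/vsftpd.conf as root instead.
demo="${TMPDIR:-/tmp}/vsftpd.conf.example.$$"
printf 'listen=YES\npasv_min_port=10000\n' > "$demo"
set_vsftpd_passive_range "$demo"
echo "passive range in $demo: $(passive_range_of "$demo")"
rm -f "$demo"
allow_ftp
```

Restart vsftpd after changing the range, then confirm with iptables -L INPUT -n that the listing shows dpts:30001:31000 and nothing wider.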