Ubuntu under Iptables usage record
References: the Baidu Encyclopedia entry and the Ubuntu forum page http://wiki.ubuntu.org.cn/UbuntuHelp:IptablesHowTo/zh
and the article by the blogger Just_young at http://blog.csdn.net/just_young
1. View the iptables rules
sudo iptables -L -v
By default, iptables on Ubuntu lets all traffic in, so the first time you run this you will see the following rule listing.
About the target column: a firewall rule specifies the characteristics of the packet being checked and a target. If the packet does not match, it is passed on to the next rule in the chain; if it matches, what happens next is decided by the target value. The target can be the name of a user-defined chain or one of the special values ACCEPT (accept), DROP (discard), QUEUE (queue) or RETURN (return). Chain means a chain of rules; the INPUT chain is for traffic entering the host.
2. Allow SSH into the server through the eth0 network card on the SSH port (22 by default)
sudo iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
Explanation of the command, according to my understanding:
(1) -A means append: the rule is added at the end of the INPUT chain of the iptables filter table;
(2) INPUT is the chain for traffic entering the server;
(3) -p specifies the protocol;
(4) -i specifies the network card (interface) the rule applies to;
(5) --dport specifies the destination port the rule applies to;
(6) -j specifies the target to jump to.
ACCEPT lets the packet through. DROP discards the packet. QUEUE hands the packet to user space. RETURN stops traversing the current chain and continues with the next rule of the chain that called it. If the end of a built-in chain is reached, or a rule in a built-in chain has RETURN as its target, the fate of the packet is decided by the policy of that chain.
3. Allow TCP into the server through port 80 of the eth0 NIC
sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
4. Allow loopback traffic on the lo interface
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp -i eth1 --dport 2181 -j DROP (block port 2181, here on the eth1 NIC)
5. Block all other traffic
6. iptables can conveniently be configured with several ports at once. Depending on whether the ports are consecutive, there are two forms:
1. Consecutive ports
For example:
sudo iptables -A INPUT -p tcp --dport 21:25 -j DROP
Note: the colon here must be the ASCII (half-width) colon.
2. Non-consecutive ports, using the multiport match (whose options are --dports and --sports)
For example:
sudo iptables -A INPUT -p tcp -m multiport --dports 21:25,135:139 -j DROP
sudo iptables -A INPUT -p tcp -m multiport -i eth1 --dports 2181:2183,18087,56370:56480 -j DROP
sudo iptables -A INPUT -i eth0 -j DROP
Every IP packet that enters through eth0 and was not accepted by one of the rules above is discarded here.
You can now list the rules again, as in the screenshot below: pkts is the number of IP packets that matched each rule and bytes is the number of bytes.
6. Inserting rules into iptables
iptables matches rules from the first one downward, and once a rule matches, the rules after it are not checked. So once the DROP rule from section 5 is in place, a new ACCEPT rule must be inserted before it rather than appended at the end.
The rule allowing HTTPS is inserted as follows; it lets IP packets arriving through the eth0 NIC for port 443 enter the server:
sudo iptables -I INPUT 3 -p tcp -i eth0 --dport 443 -j ACCEPT
7. Insert a rule allowing ICMP, so that the host can be pinged
sudo iptables -I INPUT 3 -p icmp -i eth0 -j ACCEPT
8. Save the iptables configuration with the following command
The configured iptables rules are emptied when the machine restarts, so to keep them (and to be able to restore them later) save them with:
sudo iptables-save > ~/iptables.up.rules
View the file with vi; it looks like this:
Then edit the /etc/network/interfaces file and add the last of the following lines:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < ~/iptables.up.rules
Note: pre-up commands are run by ifup as root, so ~ here refers to root's home directory, not your own; an absolute path to the saved rules file avoids the ambiguity.
9. Delete an iptables rule
The following command lists the current rules with a number (num) on each line; in a moment you can specify the rule to delete by that number.
sudo iptables -L -v --line-numbers
Then delete the rule you want with the following command; here I delete the first rule:
sudo iptables -D INPUT 1
10. Allow DNS requests
Use the following commands to let DNS queries and their replies pass the iptables filtering rules.
sudo iptables -I INPUT 1 -p udp -i eth0 --sport 53 -j ACCEPT
sudo iptables -I INPUT 1 -p udp -i eth0 --dport 53 -j ACCEPT
DNS sometimes uses TCP as well, so also add the following two commands:
sudo iptables -I INPUT 1 -p tcp -i eth0 --sport 53 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp -i eth0 --dport 53 -j ACCEPT
11. Allow this host to access HTTP/HTTPS/SSH servers
sudo iptables -I INPUT 7 -i eth0 -p tcp -m multiport --sports 22,80,443 -j ACCEPT
This rule lets packets coming from remote hosts' ports 22, 80 and 443 (the replies to this host's own SSH, HTTP and HTTPS requests) pass the filtering rules.
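As an added example (my own Python, not code from this post or from the iptables project), the following simulates how the INPUT chain evaluates packets against the rules built in sections 2 to 11: the rules are parsed from the same command lines, -A appends and -I N inserts as rule number N, -D removes a rule by number, the first matching rule decides, and an unmatched packet falls through to the chain policy (ACCEPT by default on Ubuntu, as section 1 notes). It also flags rules that can never fire because an earlier rule already covers them, which is exactly what happens when an ACCEPT is appended after the catch-all DROP of section 5 instead of being inserted before it. The rule numbers assume the commands are run in the order the post gives them with no deletions in between; the sample packets and the ssh/http/https name table are constructed here, and the simulator understands only the options this post uses.

```python
"""Added example, not iptables code: simulate INPUT-chain traversal for the rules built in this post."""
import shlex

SIMPLE = {"-p": "proto", "-i": "iface", "-j": "target"}
PORT_OPTS = {"--dport": "dport", "--sport": "sport", "--dports": "dport", "--sports": "sport"}
SERVICES = {"ssh": "22", "http": "80", "https": "443"}  # names iptables resolves via /etc/services

def parse_ports(spec):
    """'21:25,135:139,ssh' -> [(21, 25), (135, 139), (22, 22)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((SERVICES.get(lo, lo), SERVICES.get(hi or lo, hi or lo)))
    return [(int(lo), int(hi)) for lo, hi in ranges]

def parse_rule(cmd):
    """One `sudo iptables ...` line (only the options this post uses) -> match/target dict."""
    argv = shlex.split(cmd)
    argv = argv[2:] if argv[:2] == ["sudo", "iptables"] else argv
    rule = dict.fromkeys(("chain", "pos", "iface", "proto", "dport", "sport", "target"))
    i = 0
    while i < len(argv):
        opt, arg = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-A":                                   # append at the end of the chain
            rule["chain"] = arg
        elif opt == "-I":                                 # insert as rule number N (default 1)
            rule["chain"], rule["pos"] = arg, 1
            if i + 2 < len(argv) and argv[i + 2].isdigit():
                rule["pos"] = int(argv[i + 2])
                i += 1
        elif opt in SIMPLE:
            rule[SIMPLE[opt]] = arg
        elif opt in PORT_OPTS:
            rule[PORT_OPTS[opt]] = parse_ports(arg)
        elif opt != "-m":                                 # -m tcp / -m multiport only change syntax here
            raise ValueError(f"option not supported by this simulator: {opt}")
        i += 2
    return rule

class Chain:  # a built-in chain: an ordered rule list plus its default policy
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def run(self, cmd):
        rule = parse_rule(cmd)
        pos = len(self.rules) if rule["pos"] is None else rule["pos"] - 1  # -A appends, -I N -> number N
        self.rules.insert(pos, rule)

    def delete(self, num):                                # `-D INPUT num`: later rules move up one number
        del self.rules[num - 1]

def matches(rule, pkt):
    if any(rule[k] is not None and pkt.get(k) != rule[k] for k in ("iface", "proto")):
        return False
    return all(rule[k] is None or any(lo <= pkt.get(k, -1) <= hi for lo, hi in rule[k])
               for k in ("dport", "sport"))

def verdict(chain, pkt):
    """(target, rule number) of the first matching rule; RETURN or no match -> the chain policy."""
    for num, rule in enumerate(chain.rules, 1):
        if matches(rule, pkt):
            if rule["target"] == "RETURN":
                break
            return rule["target"], num
    return chain.policy, None

def covers(a, b):  # True when every packet matched by rule b is also matched by the earlier rule a
    if any(a[k] is not None and a[k] != b[k] for k in ("iface", "proto")):
        return False
    for k in ("dport", "sport"):
        if a[k] is not None and (b[k] is None or not all(
                any(alo <= lo and hi <= ahi for alo, ahi in a[k]) for lo, hi in b[k])):
            return False
    return True

def shadowed(chain):
    """Rule numbers that can never fire because an earlier rule already covers them."""
    return [n for n, r in enumerate(chain.rules, 1) if any(covers(e, r) for e in chain.rules[:n - 1])]

POST_COMMANDS = [  # sections 2 to 11 of the post, in the order the post runs them
    "sudo iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT",
    "sudo iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT",
    "sudo iptables -A INPUT -i lo -j ACCEPT",
    "sudo iptables -A INPUT -p tcp -i eth1 --dport 2181 -j DROP",
    "sudo iptables -A INPUT -p tcp -m multiport -i eth1 --dports 2181:2183,18087,56370:56480 -j DROP",
    "sudo iptables -A INPUT -i eth0 -j DROP",
    "sudo iptables -I INPUT 3 -p tcp -i eth0 --dport 443 -j ACCEPT",
    "sudo iptables -I INPUT 3 -p icmp -i eth0 -j ACCEPT",
    "sudo iptables -I INPUT 1 -p udp -i eth0 --sport 53 -j ACCEPT",
    "sudo iptables -I INPUT 1 -p udp -i eth0 --dport 53 -j ACCEPT",
    "sudo iptables -I INPUT 1 -p tcp -i eth0 --sport 53 -j ACCEPT",
    "sudo iptables -I INPUT 1 -p tcp -i eth0 --dport 53 -j ACCEPT",
    "sudo iptables -I INPUT 7 -i eth0 -p tcp -m multiport --sports 22,80,443 -j ACCEPT",
]

def build_chain(commands=POST_COMMANDS, policy="ACCEPT"):  # ACCEPT is Ubuntu's default policy (section 1)
    chain = Chain(policy)
    for cmd in commands:
        chain.run(cmd)
    return chain
```

Calling verdict(build_chain(), pkt) on constructed packets shows three things worth knowing about this ruleset: a TCP packet to port 8080 on eth0 ends at the catch-all DROP (the last rule); a TCP packet to an unlisted port on eth1 matches nothing and is accepted by the policy, because section 5 only drops eth0; and any UDP packet whose source port is 53 is accepted by the --sport 53 rule of section 10 whatever its destination port, since that rule sits ahead of the DROP. A stateful rule (-m conntrack --ctstate ESTABLISHED,RELATED) is the usual tighter way to admit DNS replies. Building a chain from the first six commands plus a 443 ACCEPT appended with -A reproduces the mistake section 6 warns about: shadowed() reports that appended rule as unreachable, and an HTTPS packet is dropped.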
This article is from the "Faint Tears" blog, please be sure to keep this source http://lijuntao.blog.51cto.com/11691147/1949731