How to configure iptables firewall in CentOS

Source: Internet
Author: User
I. Basic iptables configuration
1. View the iptables settings on the local machine.
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
We can see that when I installed Linux I chose to enable the firewall and opened ports 22, 80 and 25.
If you did not enable the firewall when installing Linux:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
There are no rules at all.
2. Clear the existing rules.
Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all rules from the filter table:
[root@tp ~]# iptables -F    (flush the rules of every chain in the default filter table)
[root@tp ~]# iptables -X    (delete the user-defined chains in the default filter table)
Let's take a look:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Nothing is left, just as if the firewall had not been enabled at install time. (Note in advance: like IP addresses configured with commands, these settings live only in memory and are lost on restart.) To keep them, write the changes to /etc/sysconfig/iptables:
[root@tp ~]# /etc/rc.d/init.d/iptables save
Restart iptables:
[root@tp ~]# service iptables restart
3. Set the default policies.
** Note: the INPUT DROP policy below (highlighted in red in the original) can disconnect your SSH session. Open port 22 first; otherwise you may be left able to operate the machine only from the console in the data center (IDC).
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP    ** Note: the policy flag is an uppercase -P **
The commands above mean that the INPUT and FORWARD chains DROP packets by default, while the OUTPUT chain ACCEPTs packets by default.
In other words, we control inbound packets strictly but place few restrictions on outbound traffic, hence ACCEPT for OUTPUT. Consequently, the rules we add to the INPUT and FORWARD chains are the ones that permit packets, and the rules we add to the OUTPUT chain are the ones that block them.
4. Add rules.
First the INPUT chain. Its default policy is DROP, so here we write the rules for traffic that must be ACCEPTed.
To allow remote SSH logins, open port 22:
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
** Note: if you set OUTPUT to DROP, the second rule is required. Many people forget it and then cannot get SSH to work.
The same applies to other ports. If you run a web server and OUTPUT is set to DROP, you also need to add:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
Web server, opening port 80:
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Mail server, opening ports 25 and 110:
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
FTP server, opening ports 21 and 20:
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
DNS server, opening port 53:
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
For other services, simply open the ports you need.
The rules above are mainly for the INPUT chain; anything not matched by them is dropped. Allow ICMP packets through, that is, allow ping:
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (if INPUT is set to DROP)
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if OUTPUT is set to DROP)
Allow the loopback interface! (Otherwise local services such as DNS may not work or shut down normally.)
[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT     (if INPUT is set to DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    (if OUTPUT is set to DROP)
Next the OUTPUT chain. Its default policy is ACCEPT, so here we write the rules for traffic that should be DROPped (discarded).

II. Reduce insecure port connections
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojans scan for services on ports 31337 through 31340 ("elite" ports in hacker jargon). Since legitimate services do not communicate on these non-standard ports, blocking them can effectively reduce the chance that an infected machine on your network communicates on its own with its remote master server. The same applies to other ports, such as 31335, 27444, 27665, 20034, 9704, 137-139 (SMB) and 2049 (NFS); I have not listed all of them here. If you are interested, look up the relevant information.
Of course, for tighter security you can set the OUTPUT chain's policy to DROP and then add ACCEPT rules for what you need, just as the SSH rule was added above.
More detailed rules look like this:
For example, to allow SSH connections only from the machine 192.168.0.3:
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a whole address range, use CIDR notation: 192.168.0.0/24 means all addresses from 192.168.0.1 to 192.168.0.255, and the 24 is the number of bits in the subnet mask.
Remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
because it allows logins from every address.
Or use the following command:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save the settings. Rules entered on the command line take effect only for the current session; to survive a restart they must be saved, that is, written to /etc/sysconfig/iptables:
[root@tp ~]# /etc/rc.d/init.d/iptables save
Writing the source as ! 192.168.0.3 means every IP address other than 192.168.0.3.
The same applies to rules for other connections.
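Checking a saved rule file for exactly that mistake, as an added example that is not part of the original article: the script below parses the iptables-save format used by /etc/sysconfig/iptables and lists INPUT rules that accept a TCP port from every source, which is how the `--dport 22` line the text says to delete shows up. The rule file inside it is constructed for the example, and `open_to_world`, `audit_file` and `SAMPLE_RULES` are names of my own.

```shell
#!/bin/sh
# Added example, not from the original article: audits a rule file in the
# iptables-save format used by /etc/sysconfig/iptables for INPUT rules that accept
# a TCP port from every source, i.e. the "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
# line the article says to delete once SSH is restricted to 192.168.0.3.
# SAMPLE_RULES is constructed for this example; audit_file takes a real file path.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.3 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT ! -s 192.168.0.3 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# Reads rules on stdin and prints the INPUT ACCEPT rules for TCP port $1 whose
# source is unrestricted: no -s at all, -s 0.0.0.0/0, or a negated "! -s host"
# (which still admits every other address).
open_to_world() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            limited = 0; port_ok = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if (($i == "-s" || $i == "--source") && $(i+1) != "0.0.0.0/0" && $(i-1) != "!")
                    limited = 1
                if (($i == "--dport" || $i == "--destination-port") && $(i+1) == port) port_ok = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") accept = 1
            }
            if (accept && port_ok && !limited) print
        }'
}

# Default policy of the INPUT chain, from its ":INPUT POLICY [pkts:bytes]" header line.
input_policy() { awk '$1 == ":INPUT" { print $2; exit }'; }

# Number of world-open INPUT ACCEPT rules for TCP port $1 (0 when there are none).
count_open_to_world() { open_to_world "$1" | grep -c '' || true; }

audit_file() {
    echo "INPUT policy: $(input_policy < "$1")"
    open_to_world 22 < "$1" | sed 's/^/world-open SSH rule: /'
}

if [ -n "${1:-}" ]; then audit_file "$1"; fi
```

Run as `sh audit.sh /etc/sysconfig/iptables` on a saved rule set; an empty list for port 22 means only the host-restricted SSH rule remains.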
The FORWARD chain: its default policy is DROP, so here we write the rules for traffic that must be ACCEPTed through; the FORWARD chain controls packets that are being forwarded.
Enable forwarding (required when doing NAT with the FORWARD default policy set to DROP):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets (new connections that do not start with SYN):
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the number of IP fragments processed, to mitigate fragment attacks; at most 100 fragments per second are allowed:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Rate-limit ICMP packets to 1 per second, with a burst threshold of 10 packets:
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
I allowed ICMP packets through earlier only because I have this restriction here.

III. Configure a NAT table firewall
1. View the local NAT settings
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
My NAT is already configured (only the simplest shared Internet access; no firewall rules have been added).
Of course, if you have not configured NAT you do not need to clear anything, because the nat table is empty by default. If you do want to clear it, the commands are:
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
2. Add rules
Add the basic NAT address translation (see my other article on how to configure NAT).
Here we add only DROP rules, because the default policies are all ACCEPT. These rules block spoofed packets that arrive from the Internet with intranet (private) source addresses:

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
If we want to block, for example, MSN, QQ or BT, we need to find the ports or IP addresses they use (personally I do not think this is necessary). For example:
Block all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Block FTP (port 21):
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
Written this way the rule is too broad, so we can make it more precise:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
Now only FTP connections to 211.101.46.253 are blocked. Other connections, such as web (port 80), can be handled the same way.
Following this pattern, you only need to find the IP addresses, ports and protocols used by other software such as QQ and MSN.
Finally:
Drop invalid connections:
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections:
[root@tp ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
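The rule set from sections I to III assembled as a single iptables-restore file, as an added example rather than the article's own code: loading one file replaces the tables atomically, so the INPUT DROP policy and the SSH ACCEPT rule take effect together and the ordering problem the article warns about in step 3 cannot cut off the session. `ADMIN_HOST`, `WAN_IF`, `LAN_IF` and `SERVICE_PORTS` are assumed names for the article's 192.168.0.3, eth0, eth1 and the TCP ports it opens; the UDP 53 rule is my addition, since DNS lookups are mostly UDP.

```shell
#!/bin/sh
# Added example, not from the original article: emits the article's filter-table
# rules (sections I and II) plus the anti-spoofing DROPs of section III as one
# iptables-restore file, which loads atomically: the DROP policy and the SSH ACCEPT
# rule take effect together, so an open SSH session is not cut off. Assumed names:
# ADMIN_HOST (article's 192.168.0.3), WAN_IF/LAN_IF (eth0/eth1), SERVICE_PORTS.
ADMIN_HOST=${ADMIN_HOST:-192.168.0.3}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
SERVICE_PORTS=${SERVICE_PORTS:-"80 25 110 21 20 53"}
TROJAN_PORTS="31337 31338 31339 31340"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and connection tracking come first so they match before anything else.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    for c in INPUT OUTPUT FORWARD; do printf '%s\n' "-A $c -m state --state INVALID -j DROP"; done
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT'
    # SSH only from the admin host, never from 0.0.0.0/0.
    printf '%s\n' "-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -j ACCEPT"
    for p in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # DNS also answers over UDP 53; the article's TCP-only rule would break normal lookups.
    case " $SERVICE_PORTS " in *" 53 "*) printf '%s\n' '-A INPUT -p udp --dport 53 -j ACCEPT' ;; esac
    for p in $TROJAN_PORTS; do
        printf '%s\n' "-A OUTPUT -p tcp --sport $p -j DROP" "-A OUTPUT -p tcp --dport $p -j DROP"
    done
    printf '%s\n' '-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP'
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT" 'COMMIT'
    # nat table: drop packets arriving on the WAN interface with private source addresses.
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for n in $PRIVATE_NETS; do printf '%s\n' "-A PREROUTING -i $WAN_IF -s $n -j DROP"; done
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules that accept a TCP port from any source (the SSH rule is not one).
count_any_source_tcp_accepts() {
    gen_rules | grep -c '^-A INPUT -p tcp --dport [0-9]* -m state --state NEW -j ACCEPT$'
}
case "${1:-}" in
    show)  gen_rules ;;                                               # review before loading
    apply) gen_rules | iptables-restore && service iptables save ;;   # needs root
esac
```

Run it with `show` to review the generated file and with `apply` (as root) to load it and persist it with the article's `service iptables save`.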
