How to set up iptables firewall in Linux

Source: Internet
Author: User
Tags: iptables, firewall

When a new Linux server is set up and iptables needs to be configured, the following commands are typically used:

  First, install and start the firewall

[root@linux ~]# /etc/init.d/iptables start

When rules are added with iptables and then saved, they are written to a file on disk. Taking CentOS as an example, that file is /etc/sysconfig/iptables. Rules can be added, modified and deleted with iptables commands, or the file /etc/sysconfig/iptables can simply be edited directly.

1. Loading module

/sbin/modprobe ip_tables

2. View Rules

iptables -L -n -v

3. Set rules

# Clear the existing rules, delete user-defined chains and reset the counters
iptables -F
iptables -X
iptables -Z

# Default deny policy (try not to set it this way: although this is a high-security configuration, it also rejects
# traffic on every network interface, including the lo loopback, which causes other problems. It is recommended
# that you apply such a configuration on the external-facing interface only.)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# ssh rules
iptables -t filter -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT

# Local loopback and TCP handshake handling
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# www and dns rules
# Note: matching only on source port 53 accepts any packet that claims that source port; and with the
# OUTPUT policy set to DROP above, outgoing DNS queries also need a matching OUTPUT rule.
iptables -I INPUT -p tcp --sport 53 -j ACCEPT
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT

# ICMP rules
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

  Second, add firewall rules

1. Add a rule to the filter table

[root@linux ~]# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT    # open port 21

I have set the OUTPUT policy to ACCEPT (iptables -P OUTPUT ACCEPT), so there is no need to open the port in the outbound direction.

2. Add a rule to the NAT table

[root@linux ~]# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE

Masquerade (source NAT) packets whose source address is in 192.168.10.0/24.

3. -A appends the rule to the end of the chain by default; -I inserts it at a specified position

[root@linux ~]# iptables -I INPUT 3 -p tcp -m tcp --dport 20 -j ACCEPT
[root@linux ~]# iptables -L -n --line-number
Chain INPUT (policy DROP)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
2    DROP    icmp --  0.0.0.0/0  0.0.0.0/0  icmp type 8
3    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:20    # -I inserted at the specified position
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
6    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
7    DROP    all  --  0.0.0.0/0  0.0.0.0/0  state INVALID,NEW
8    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:21    # -A appended at the end by default
Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
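The listing above also shows why the difference between -A and -I matters: rule 8 (tcp dpt:21) was appended after rule 7, which drops all INVALID,NEW traffic, so a new connection to port 21 never reaches it. The following Python script is added here and is not part of the original page: it parses `iptables -vnL --line-number` output (a constructed sample modelled on that listing, with the -v interface columns so the loopback rule is recognisable as such) and reports rules that an earlier catch-all rule makes unreachable.

```python
# Constructed sample in `iptables -vnL INPUT --line-number` format (-v adds the interface columns)
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source    destination
1   0    0     ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
2   0    0     DROP   icmp --  *  *   0.0.0.0/0 0.0.0.0/0  icmptype 8
3   0    0     ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:20
4   0    0     ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22
5   0    0     ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:80
6   0    0     ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0  state RELATED,ESTABLISHED
7   0    0     DROP   all  --  *  *   0.0.0.0/0 0.0.0.0/0  state INVALID,NEW
8   0    0     ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0  tcp dpt:21
"""
FIELDS = ("num", "pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse_listing(text):
    """Parse -vnL output into {chain: [rule dict, ...]}; header lines are skipped."""
    chains, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, len(FIELDS))
        if parts and parts[0] == "Chain":
            current, chains[parts[1]] = parts[1], []
        elif parts and parts[0].isdigit() and current is not None:
            rule = dict(zip(FIELDS, parts), extra=" ".join(parts[len(FIELDS):]))
            rule["num"] = int(rule["num"])
            chains[current].append(rule)
    return chains

def covers(earlier, later):
    """True if every packet `later` could see has already been decided by `earlier`."""
    if (earlier["target"] not in ("ACCEPT", "DROP", "REJECT") or earlier["prot"] != "all"
            or (earlier["in"], earlier["out"]) != ("*", "*")
            or {earlier["src"], earlier["dst"]} != {"0.0.0.0/0"}):
        return False  # not a catch-all, so it cannot take all of later's packets
    if earlier["extra"] == "":
        return True  # unconditional terminal rule: nothing after it is reachable
    # a catch-all on NEW connections shadows every later rule not limited to RELATED/ESTABLISHED
    if earlier["extra"].startswith("state ") and "NEW" in earlier["extra"]:
        return "ESTABLISHED" not in later["extra"]
    return False

def shadowed_rules(chains):
    """Return [(chain, shadowed rule number, shadowing rule number), ...]."""
    found = []
    for chain, rules in chains.items():
        for i, later in enumerate(rules):
            hit = next((e["num"] for e in rules[:i] if covers(e, later)), None)
            if hit is not None:
                found.append((chain, later["num"], hit))
    return found
```

Run against the sample it reports INPUT rule 8 as shadowed by rule 7; the fix is to insert the port 21 rule with -I before the DROP, exactly as rule 3 was.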

  Third, check the iptables rules

1. View the filter table

[root@linux ~]# iptables -L -n --line-number | grep PATTERN    # replace PATTERN with the text to filter on; --line-number shows rule numbers, which makes deleting easier
5    ACCEPT  tcp  --  192.168.1.0/24  0.0.0.0/0  tcp dpt:21

If -t is not given, the filter table is assumed; this applies to viewing, adding and deleting alike.

2. View the NAT table

[root@linux ~]# iptables -t nat -vnL POSTROUTING --line-number
Chain POSTROUTING (policy ACCEPT packets, 2297 bytes)
num  pkts bytes target      prot opt in  out  source           destination
1    0    0     MASQUERADE  all  --  *   *    192.168.10.0/24  0.0.0.0/0

  Fourth, modify the rules

[root@linux ~]# iptables -R INPUT 3 -j DROP    # replace rule 3 with DROP (no match is given here, so the new rule 3 drops every packet that reaches it)

  Fifth, delete iptables rules

[root@linux ~]# iptables -D INPUT 3    # delete the 3rd rule of INPUT
[root@linux ~]# iptables -t nat -D POSTROUTING 1    # delete the first rule of POSTROUTING in the NAT table
[root@linux ~]# iptables -F INPUT    # empty all rules of the filter table's INPUT chain
[root@linux ~]# iptables -F    # clear all rules
[root@linux ~]# iptables -t nat -F POSTROUTING    # empty all rules of the NAT table's POSTROUTING chain

  Set the default policy

[root@linux ~]# iptables -P INPUT DROP    # set the default policy of the filter table's INPUT chain to DROP

All additions, deletions and modifications must be saved with /etc/init.d/iptables save. The above covers only the most basic operations; using them flexibly also takes a certain amount of practice in real operation.

iptables configuration: NAT port mapping and soft routing

Purpose: the virtualization cloud platform server segment 192.168.1.0/24 reaches the 10.0.0.5 network via a Linux server (eth0: 192.168.1.1, eth1: 10.0.0.5) acting as a soft router, and services on it are exposed through iptables NAT mapping.

NAT port mapping:

Effect: 10.0.0.5:2222 -> 192.168.1.2:22

Command:
iptables -t nat -A PREROUTING -d 10.0.0.5 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22
service iptables save
service iptables restart

Note: 1. The host 192.168.1.2 must be configured to use the NAT host's internal IP, 192.168.1.1, as its default gateway; if 10.0.0.5 has public network access, set its DNS to the DNS servers of that public network.

2. IP forwarding must be enabled on the NAT host for this to take effect: echo 1 > /proc/sys/net/ipv4/ip_forward

Soft routing: 192.168.1.0/24 reaches the external network via 10.0.0.5:

Command:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.0.0.5
service iptables save
service iptables restart
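To make the order of the two NAT steps concrete, the following Python model (added here, not part of the original page) pushes a packet through the PREROUTING DNAT rule, the forwarding decision that depends on ip_forward, and the POSTROUTING SNAT rule of this section. The `route` function, the packet dictionaries and the sample hosts are constructed for illustration; conntrack's reverse translation of the replies is not modelled.

```python
from ipaddress import ip_address, ip_network

# The two NAT rules of this section, as data: PREROUTING DNAT and POSTROUTING SNAT
DNAT_RULES = [({"dst": "10.0.0.5", "proto": "tcp", "dport": 2222}, ("192.168.1.2", 22))]
SNAT_RULES = [(ip_network("192.168.1.0/24"), "10.0.0.5")]
LOCAL_ADDRS = {"192.168.1.1", "10.0.0.5"}  # the NAT host's own addresses (eth0, eth1)


def route(pkt, ip_forward=1):
    """Push one packet {src, dst, proto, dport} through PREROUTING -> routing -> POSTROUTING.

    Returns ("local", pkt) for traffic to the NAT host itself, ("forward", pkt) with
    the translated addresses, or ("drop", reason) when the kernel cannot forward.
    """
    pkt = dict(pkt)
    # nat PREROUTING: DNAT runs before the routing decision, so the rewritten
    # destination decides whether the packet is delivered locally or forwarded
    for match, (new_dst, new_port) in DNAT_RULES:
        if all(pkt[k] == v for k, v in match.items()):
            pkt["dst"], pkt["dport"] = new_dst, new_port
            break
    if pkt["dst"] in LOCAL_ADDRS:
        return "local", pkt
    if not ip_forward:  # note 2 of the section: /proc/sys/net/ipv4/ip_forward must be 1
        return "drop", "ip_forward is 0, the kernel will not forward this packet"
    # nat POSTROUTING: SNAT rewrites the internal source address as the packet leaves
    for net, new_src in SNAT_RULES:
        if ip_address(pkt["src"]) in net:
            pkt["src"] = new_src
            break
    return "forward", pkt
```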
