The purpose of this article is to give readers a quick introduction to iptables, not a deep dive, so that after reading it you can run an iptables firewall on your own Linux host. Installation is easy: use RPM on Red Hat-style systems or apt-get install iptables on Debian. Compiling from source is not hard either: download the latest release, then ./configure --prefix=/some/path && make && make install. This article focuses on building your own iptables firewall step by step.
First, before using iptables, type two commands:
> iptables -F    # this empties every chain of the filter table (all rules are deleted)
> iptables -X    # this deletes every user-defined chain
You can simply think of these two as the iptables initialization commands; there is no need to go deeper. One caveat: -F removes rules but does not reset the default policies, so if the policies are already DROP when you flush (for example when re-running this procedure over SSH), nothing is left that lets your session through.
Now we are going to start building an iptables firewall. Our approach is that all traffic is dropped by default unless it meets a condition I consider acceptable; opening only the ports we actually need is without doubt the safe way round. The following two commands set the default policy to drop every packet:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
The -P parameter means policy, and with that in mind the two commands are easy to understand.
The first means:
the default policy (-P) for incoming (INPUT) packets is to discard them (DROP).
The second means:
the default policy (-P) for outgoing (OUTPUT) packets is DROP.
In fact, at this point you already have a working firewall, but it is pointless: it is no different from unplugging the network cable. (If you are doing this over SSH, note that the moment the INPUT policy becomes DROP with no rules in place, your session's packets are dropped too; add the allow rules below first and set the DROP policies last.)
First write down these six commands:
> iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
Allow ICMP packets in
> iptables -A INPUT -s localhost -d localhost -j ACCEPT
Allow local packets (localhost resolves to 127.0.0.1; the more usual and more complete form is -i lo, which also covers locally routed packets addressed to the host's other interfaces)
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow packets that belong to an already established connection, or are related to one
> iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
Allow ICMP packets out
> iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
Allow local packets (again, -o lo is the usual form)
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow packets of already established or related connections out
These six rules are the baseline that practically every host wants. The state match is what makes the rest of this article work: once a connection has been accepted in one direction, its reply packets are matched by ESTABLISHED and need no rule of their own.
If my computer is a web server, there is no way for others to reach it yet; how do I let others access my web site? Quite simply, open port 80:
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Why is this enough, when OUTPUT is closed and no packet can leave on its own? Because the reply packets of the connection are matched by the rule we already added to OUTPUT:
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Had you left that rule out, the client's SYN would be accepted but the server's SYN-ACK would be dropped and nobody could access your site. With it in place, people can access your web server.
But what if you want to visit someone else's web site? Open port 80 in the other direction:
> iptables -A OUTPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
On its own this still does not work: the server's replies have to be let back in, and that is the job of the INPUT state rule from the six above:
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Does it work now? Try it. No? Why not? You may have already guessed: the DNS port is not open, so how could the domain name be resolved? Let's open the DNS port now:
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
(DNS falls back to TCP port 53 for answers that do not fit in a UDP datagram, so a matching rule for -p tcp --dport 53 is usually wanted as well.)
OK, now you can reach other people's web sites. If you want to visit an HTTPS site, open port 443 the same way; I will not write it out here, you can try it yourself. Hint: it goes in OUTPUT.
For convenient management we will also often SSH into this server, so open port 22:
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Or we might need to SSH from this computer to another one:
> iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
But what if I want only one fixed IP to be able to SSH to my server? Change the INPUT rule to:
> iptables -A INPUT -p tcp --dport 22 -s 192.168.1.10 -j ACCEPT
This means only 192.168.1.10 is allowed to enter the server via SSH. (Rules are evaluated in order and the first match wins, so this restricted rule is useless if the unrestricted --dport 22 rule above is still present before it; delete that one.) But this is still not safe enough, since a source IP is easy to spoof, so we can also bind the visitor's MAC address:
> iptables -A INPUT -p tcp --dport 22 -m mac --mac-source 00:18:de:a5:83:c7 -s 192.168.1.10 -j ACCEPT
Two caveats before relying on this: the mac match sees only the MAC of the last hop, so it identifies the client only when it is on the same network segment as the server (behind a router you would see the router's MAC, and the match is only available in the INPUT, FORWARD and PREROUTING chains); and a MAC address can be changed with a single command, so this is an extra hurdle for an attacker on your LAN, not authentication. Use SSH keys for that.
Finally, as a script:
#!/bin/bash
# DEFINE VARIABLES
HTTP_PORT=80
SECURE_HTTP_PORT=443
ALLOWED_MAC=00:18:de:a5:83:c7
SSH_PORT=22
DNS_PORT=53
ALLOWED_IP=192.168.1.10
# RESET: open the policies before flushing so a re-run over SSH cannot lock you out
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
# DEFINE INPUT CHAIN
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the allowed host, matched by IP and MAC. Do not put an
# unrestricted "--dport $SSH_PORT -j ACCEPT" before this line: it would
# match first and make the restriction useless.
iptables -A INPUT -p tcp --dport $SSH_PORT -m mac --mac-source $ALLOWED_MAC -s $ALLOWED_IP -j ACCEPT
# web server (remove if this host does not serve HTTP)
iptables -A INPUT -p tcp --dport $HTTP_PORT -j ACCEPT
# DEFINE OUTPUT CHAIN
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW --dport $HTTP_PORT -j ACCEPT
iptables -A OUTPUT -p tcp --dport $SECURE_HTTP_PORT -j ACCEPT
iptables -A OUTPUT -p udp --dport $DNS_PORT -j ACCEPT
iptables -A OUTPUT -p tcp --dport $DNS_PORT -j ACCEPT
iptables -A OUTPUT -p tcp --dport $SSH_PORT -j ACCEPT
# DEFINE DEFAULT ACTION (last, now that the allow rules are in place)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
That is a simple, usable iptables configuration. It is written very plainly, but from it we can understand the basic idea of iptables: writing rules means knowing what you need. Which program is involved does not matter; what matters is which port it uses, and you write the corresponding INPUT and OUTPUT rules for that port. After running the script, check the result with iptables -L -n -v --line-numbers (or iptables-save), and remember that these rules live only in kernel memory: they are gone after a reboot unless you save them with your distribution's mechanism or re-run the script at boot.
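The same policy as the script above, as an added example that is not part of the original article: it emits the rule set in iptables-restore format, so the DROP policies and the allow rules are loaded in one atomic step instead of one command at a time (no window in which an SSH session is cut off), and it includes a check for the first-match problem described in the SSH section. It uses the newer -m conntrack --ctstate match in place of -m state, adds a rule that drops INVALID packets, and sets the FORWARD policy to DROP, which the original script leaves untouched. The port, IP and MAC values are the article's placeholders; the function names and the apply/print arguments are this example's own.

```shell
#!/bin/sh
# Added example, not the article's script: generate the tutorial's rule set in
# iptables-restore format and load it atomically. Values below are the
# article's placeholders; change them for your host.
HTTP_PORT=80
SECURE_HTTP_PORT=443
SSH_PORT=22
DNS_PORT=53
ALLOWED_IP=192.168.1.10
ALLOWED_MAC=00:18:de:a5:83:c7

# Print the complete ruleset. iptables-restore replaces the filter table in
# one step, so the DROP policies and the ESTABLISHED rule arrive together and
# an existing SSH session is never caught in between.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and traffic belonging to connections we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# services this host offers; SSH only from the allowed host, by IP and MAC
-A INPUT -p tcp --dport $HTTP_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -s $ALLOWED_IP -m mac --mac-source $ALLOWED_MAC -m conntrack --ctstate NEW -j ACCEPT
# outbound: replies, ICMP, DNS over UDP and TCP, web, SSH
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp --dport $DNS_PORT -j ACCEPT
-A OUTPUT -p tcp --dport $DNS_PORT -j ACCEPT
-A OUTPUT -p tcp --dport $HTTP_PORT -j ACCEPT
-A OUTPUT -p tcp --dport $SECURE_HTTP_PORT -j ACCEPT
-A OUTPUT -p tcp --dport $SSH_PORT -j ACCEPT
COMMIT
EOF
}

# Sanity check: no INPUT rule may accept the SSH port without the source
# restriction. Rules are matched first-match-wins, so an unrestricted
# "--dport 22 -j ACCEPT" placed before the restricted one would defeat it.
# Returns 0 when the ruleset passes.
check_ssh_restricted() {
    n=$(gen_rules | grep '^-A INPUT' | grep -- "--dport $SSH_PORT" \
        | grep -c -v -- "-s $ALLOWED_IP") || true
    [ "${n:-0}" -eq 0 ]
}

# Parse with --test first (nothing is changed), then load for real. Needs root.
apply_rules() {
    check_ssh_restricted || { echo "refusing: unrestricted SSH accept rule" >&2; return 1; }
    gen_rules | iptables-restore --test && gen_rules | iptables-restore
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;    # default: just show the ruleset
esac
```

Run it without arguments to review the generated ruleset, and with apply (as root) to load it; iptables-restore --test parses the whole file first, so a typo is rejected before any rule changes. The INVALID drop and the FORWARD DROP policy are additions beyond the article's script; leave them out if you want exactly the original behaviour.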
If you have any questions, please leave me a message or email me; I hope we can make progress together!