The iptables command configures the Linux packet filtering rules and is commonly used to implement firewalls and NAT. Its configuration looks complex, but once the rules are understood it is not difficult to make iptables do a specified task. Below we look at the detailed usage of iptables through concrete examples.

1. Clearing old rules

Before deleting existing rules and setting new ones, make sure the old rules are really gone. The following command clears them:

    iptables -F    (or: iptables --flush)

Note that -F without -t only flushes the filter table; the nat and mangle tables keep their rules until flushed with -t nat -F and -t mangle -F, and user-defined chains are only removed by -X. Flushing does not reset chain policies: if a chain policy is already DROP, flushing leaves the host unreachable until new ACCEPT rules are added, so on a remote machine do this from a console, or load the whole ruleset in one step with iptables-restore.

2. Setting the chain policies of the filter table

The default policy of every chain is ACCEPT. The policy is changed with -P:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

This discards received, forwarded and sent packets that match no rule, and so enforces strict packet management. Because both received and sent packets are dropped, every later rule has to be configured for INPUT and OUTPUT separately. If you trust this machine to send packets out, the third command can be omitted.

3. Blocking a specified IP address

Sometimes a particular IP address keeps sending packets to the server. The following commands discard the TCP packets it sends:

    BLOCK_THIS_IP="x.x.x.x"
    iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

The rule drops TCP packets arriving on eth0 from x.x.x.x; leave out -p tcp to drop every protocol from that address. Rules are matched in order, so a DROP appended with -A only takes effect if no earlier rule has already accepted the packet; use -I INPUT 1 to put it at the top of the chain.

4. Configuring rules per service

With iptables we can manage the security of commonly used services. For example, to allow SSH to the local machine only from one network segment and only through a specified interface:

    iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

If the local machine itself opens SSH connections to hosts in that segment, the mirror-image rules are also needed; here the outgoing packet is the one that is NEW, so the port selectors are swapped:

    iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --sport 22 -m state --state ESTABLISHED -j ACCEPT

Other TCP-based services such as HTTP/HTTPS (80/443), POP3 (110), rsync (873) and MySQL (3306) are configured the same way with their own ports. The state match is the older name; on current kernels -m conntrack --ctstate NEW,ESTABLISHED does the same and also understands RELATED.

For the UDP-based DNS service the following commands allow queries out and answers back:

    iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

The second rule accepts any UDP packet whose source port is 53, whether or not a query was sent; adding -m state --state ESTABLISHED restricts it to answers to our own queries. Resolvers fall back to TCP port 53 for large responses, so a matching TCP pair is needed if those must work.

5. Forwarding on a firewall or gateway

For a server used as a firewall or gateway, one network interface is connected to the public network and packets arriving on the other interfaces are forwarded through it so the intranet can reach the public network. Assuming eth0 is connected to the intranet and eth1 to the public network, the rule is:

    iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

On its own this only passes the outgoing direction. Forwarding also needs net.ipv4.ip_forward=1, a return-path rule for established connections and, when the intranet uses private addresses, source NAT on the public interface:

    iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

6. Port forwarding

Forwarding of a port can also be done with iptables:

    iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22

The command rewrites packets arriving for port 422 to port 22, so SSH can be reached through port 422. Because DNAT in PREROUTING runs before the filter table, the INPUT chain then sees the packet with destination port 22: it is the port 22 rules from the service section that must admit the connection, and no INPUT rule for port 422 is required.

7. DoS prevention with the limit extension module

We can also configure iptables rules that bound the rate of traffic to a service:

    iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

--limit 25/minute is the sustained rate at which the rule keeps matching; --limit-burst 100 is the number of matches allowed in a burst before the 25/minute average takes over (a token bucket that refills at 25 per minute up to 100 tokens). The rule only accepts: packets over the limit are left to later rules or the chain policy, so a DROP policy or an explicit DROP rule after it is required for it to protect anything. As written it counts every packet, including those of connections already established; add --syn (or -m state --state NEW) to limit connection attempts rather than all traffic.

8. Web traffic balancing

A server can be placed in front as a front end that distributes traffic with iptables, using the nth extension module:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:80
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:80
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:80

The three rules share counter 0 and take the first, second and third of every three new connections, spreading port 80 across three servers (DNAT is only valid in the nat table, so -t nat is required). nth is a patch-o-matic extension that was never merged into the mainline kernel; the equivalent on current kernels is the statistic match (-m statistic --mode nth --every 3 --packet 0). Its counter is per rule rather than shared, so the usual form is --every 3 --packet 0 for the first server, --every 2 --packet 0 for the second, and an unconditional DNAT for the third. The back-end servers must route their replies back through the front end (for example by using it as their default gateway), otherwise the DNAT is never undone on the return path.

9. Logging dropped packets

Dropped packets can be written to syslog with the LOG target, recording the packets sent to or from a given port and protocol. For example, to record dropped packets, first define a chain:

    iptables -N LOGGING

Then send packets to the LOGGING chain. This rule must be appended after all ACCEPT rules in INPUT, so that only packets no earlier rule accepted reach it:

    iptables -A INPUT -j LOGGING

Then set the log prefix and level, rate-limited so that a flood cannot fill the log:

    iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7

Finally, drop the packet:

    iptables -A LOGGING -j DROP

Only the LOG rule is rate-limited; every packet reaching the chain is still dropped. Level 7 is debug, and the messages arrive through the kern facility, so syslog.conf (or rsyslog.conf) can direct them to their own file, for example with the rsyslog filter :msg, contains, "IPTables Packet Dropped:" /var/log/iptables.log.
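The sections above are typed in one command at a time, which on a remote host leaves a window between iptables -F and the last ACCEPT in which the machine is either wide open or, with a DROP policy, unreachable. The following script is an added example, not code from the original page: it renders the host rules from sections 2, 3, 4, 7 and 9 as one iptables-restore file and loads it atomically. The interface name, the management subnet and the blocked address (a documentation address standing in for x.x.x.x) are assumptions, and the conntrack match is used where the page uses state.

```shell
#!/bin/sh
# Added example (not from the original page): build the host firewall from the
# sections above as one iptables-restore file and load it atomically. Interface,
# admin subnet and blocked address are assumed values for illustration.
set -eu

WAN_IF="eth0"                 # assumed: interface facing the network
ADMIN_NET="192.168.100.0/24"  # assumed: segment allowed to reach SSH
BLOCK_THIS_IP="203.0.113.7"   # assumed: documentation address standing in for x.x.x.x
WEB_RATE="25/minute"          # sustained rate of new web connections (section 7)
WEB_BURST="100"               # burst allowed before the sustained rate applies

# Print the complete ruleset in iptables-restore format. Lines starting with '#'
# are comments to iptables-restore, so the file documents itself.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# section 3: blocked address comes before the conntrack ACCEPT, so even an
# already established session from it is cut
-A INPUT -i $WAN_IF -s $BLOCK_THIS_IP -j DROP
# existing connections next, so nothing below can cut a live session
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# section 4: SSH only from the admin segment; replies use the ESTABLISHED rule
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# section 7: only SYNs are counted, and excess falls through to LOGGING, not ACCEPT
-A INPUT -i $WAN_IF -p tcp --syn -m multiport --dports 80,443 -m limit --limit $WEB_RATE --limit-burst $WEB_BURST -j ACCEPT
# section 4: DNS queries out over UDP and TCP; answers come back as ESTABLISHED
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
# section 9: everything else is logged (rate-limited) and dropped
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
EOF
}

# Number of rules the generator emits for one chain (sanity check before loading).
count_rules() {
    gen_ruleset | grep -c "^-A $1 "
}

# Line number of the first rule containing the given text, to check ordering.
rule_index() {
    gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Load atomically: iptables-restore parses the whole file first (--test parses
# without loading) and replaces the live filter table in one step.
apply_ruleset() {
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

# Run as root with "apply" to load the rules; with no argument just print them.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    gen_ruleset
fi
```

Because iptables-restore replaces the table only after the whole file has parsed, a typo in one line aborts the load and the previous rules stay in place, which is the behaviour you want when editing a firewall over SSH.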
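Once the LOGGING chain of section 9 is in place, the useful question is what the dropped traffic looks like. The script below is an added example, not code from the original page: it summarises LOG target messages by source address and by protocol/destination port. The log lines embedded in it are constructed samples in the format the kernel LOG target writes (only the "IPTables Packet Dropped: " prefix comes from the rule on the page; hostnames, addresses and ports are made up), and the threshold function is a hypothetical helper for alerting.

```shell
#!/bin/sh
# Added example (not from the original page): summarise syslog lines produced by
# the LOG target of the LOGGING chain. The sample below is constructed test data;
# the ICMP line has no DPT field and the sshd line has no prefix, on purpose.
set -eu

SAMPLE_LOG='Mar  3 10:15:01 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4011 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:31 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4012 DF PROTO=TCP SPT=51023 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:02 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4013 DF PROTO=TCP SPT=51040 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:16:40 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=58
Mar  3 10:17:05 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:17:30 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:18:00 gw sshd[2211]: Accepted publickey for ops from 192.168.100.5 port 50122 ssh2'

# Read syslog on stdin; print "count source" pairs, busiest source first.
top_dropped_sources() {
    grep 'IPTables Packet Dropped:' |
        sed -n 's/.* SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Read syslog on stdin; print "count PROTO/dport" pairs so probed services
# stand out. Lines without a DPT field (ICMP) are skipped rather than miscounted.
top_dropped_ports() {
    grep 'IPTables Packet Dropped:' |
        awk '{
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (proto != "" && dpt != "") print proto "/" dpt
        }' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Hypothetical alert check: succeed (exit 0) if the source has at least LIMIT
# dropped packets in the sample. The LOG rule is limited to 2/min, so these
# counts understate the real volume; treat them as a lower bound.
source_over_threshold() {
    _src="$1"; _limit="$2"
    _n=$(printf '%s\n' "$SAMPLE_LOG" | top_dropped_sources |
         awk -v s="$_src" '$2 == s { print $1 }')
    [ "${_n:-0}" -ge "$_limit" ]
}

printf '%s\n' "$SAMPLE_LOG" | top_dropped_sources
printf '%s\n' "$SAMPLE_LOG" | top_dropped_ports
```

On a real host replace the sample with /var/log/kern.log or the file the syslog filter from section 9 writes to, for example: top_dropped_sources < /var/log/iptables.log.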