Iptables configuration details

Last Update:2014-09-25 Source: Internet

Author: User

Tags ftp connection

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

CAT/etc/sysconfig/iptables

* Filter
: Input accept [0: 0]
: Forward accept [0: 0]
: Output accept [28: 4192]
-A input-p tcp-m tcp -- dport 22-M state -- state new, established-J accept
-A input-p tcp-m tcp -- dport 21-M state -- state new, established-J accept
-A input-p tcp-m tcp -- dport 20-M state -- state new, established-J accept
-A input-J reject -- reject-with ICMP-host-prohibited
-A forward-J reject -- reject-with ICMP-host-prohibited
Commit

Iptables-l-N -- line displays the row number

Iptables-T filter-D input 1 Delete the rule with the row number 1

Forward requests from port 80 of the Local Machine to port 8080:

Iptables-T Nat-A prerouting-p tcp -- dport 80-J redirect -- to-ports 8080

Iptables Parameters
-M state -- state <status>:
? Invalid: Invalid Packets, such as the status of damaged packets;

? Established: the online status that has been successfully online;

? New: You want to create a new package status;

? Related: This is the most common one! This indicates that the packet is related to the packet sent from our host. It may be a response packet or a transfer packet after the connection is successful! This status is often set, because after it is set, as long as the packets sent from the local machine in the future, even if we do not set the input rules of the packets, the related packets can still enter our host, which can simplify a lot of setting rules.

Bytes ---------------------------------------------------------------------------------------- Let's configure a filter table firewall. (1) view the settings of iptables on the local machine[Root [email protected] ~] # Iptables-l-N
Chain input (Policy accept)
Target prot opt source destination chain forward (Policy accept)
Target prot opt source destination chain output (Policy accept)
Target prot opt source destination chain RH-Firewall-1-INPUT (0 references)
Target prot opt source destination
Accept all -- 0.0.0.0/0 0.0.0.0/0
Accept ICMP -- 0.0.0.0/0 0.0.0.0/0 ICMP Type 255
Accept Esp -- 0.0.0.0/0 0.0.0.0/0
Accept ah -- 0.0.0.0/0 0.0.0.0/0
Accept UDP -- 0.0.0.0/0 224.0.0.20.udp DPT: 5353
Accept UDP -- 0.0.0.0/0 0.0.0.0/0 uddpt: 631
Accept all -- 0.0.0.0/0 0.0.0.0/0 state related, established
Accept TCP -- 0.0.0.0/0 0.0.0.0/0 state New tcp dpt: 22
Accept TCP -- 0.0.0.0/0 0.0.0.0/0 state New tcp dpt: 80
Accept TCP -- 0.0.0.0/0 0.0.0.0/0 state New tcp dpt: 25
Reject all -- 0.0.0.0/0 0.0.0.0/0 reject-with ICMP-host-prohibited
We can see that when I installed Linux, I chose to have a firewall and opened ports 22, 80, and 25. if you do not choose to start the firewall when installing Linux, [[email protected] ~] # Iptables-l-N
Chain input (Policy accept)
Target prot opt source destination chain forward (Policy accept)
Target prot opt source destination chain output (Policy accept)
Target prot opt source destination has no rules. (2) Clear the original rules.Whether or not you have enabled the firewall when installing Linux, if you want to configure your own firewall, clear all the filter rules. [[email protected] ~] # Iptables-F clear the rules of all rule chains in the filter of the preset table
[[Email protected] ~] # Iptables-x clear the rules in the User-Defined chain in the filter of the preset table. Let's take a look at [email protected] ~]. # Iptables-l-N
Chain input (Policy accept)
Target prot opt source destination chain forward (Policy accept)
Target prot opt source destination chain output (Policy accept)
Target prot opt source destination has nothing to do with. It is the same as we didn't start the firewall when installing Linux. (say in advance, these configurations are the same as configuring IP addresses with commands, so restarting them will lose effect.) How to save them. [[email protected] ~] #/Etc/rc. d/init. d/iptables save to write it to the/etc/sysconfig/iptables file. after writing, remember to repeat the firewall to make it work. [[email protected] ~] # Service iptables restart: No configuration is available in the iptables configuration table. Let's start our configuration. (3) set preset rules[[Email protected] ~] # Iptables-P input drop [[email protected] ~] # Iptables-P output accept [[email protected] ~] # Iptables-P forward dropp
The above means that when two chain rules (input and forward) in the filter table in iptables are exceeded, how can we process data packets not in these two rules, that is, drop (discard ). it should be said that the configuration is safe. we want to control inbound data packets For the output chain, that is, the outgoing package, we do not need to impose too many restrictions, but adopt accept. That is to say, what should we do if the package is not in a rule. We can see what packets are allowed to pass through the input and forward chains, and what packets are not allowed to pass through the output chain. This setting is quite reasonable. Of course you can also drop all three links, but I don't think it is necessary to do so, and the rules to be written will increase. but if you only want a limited number of rules, for example, only web servers. we recommend that all three links be drop.Note: If you log on remotely through SSH, you should drop it when you enter the first command and press enter, because you have not set any rules. What should I do? Go to the local machine and operate it! (4) Add a rule. First, add the input chain. The default rule of the input chain is drop, so we will write the chain that requires accetp (). To enable remote SSH Login, We need to enable port 22.[[Email protected] ~] # Iptables-A input-p tcp -- dport 22-J accept [[email protected] ~] # Iptables-A output-p tcp -- Sport 22-J accept (Note: If you set the output to drop, you need to write this rule. Many people are eager to write this rule, so they will never be able to ssh. Check it remotely. The same applies to other ports. If the Web server is enabled and the output is set to drop, a chain should also be added:[[Email protected] ~] # Iptables-A output-p tcp -- Sport 80-J accept .) If the Web server is configured, enable port 80.[[Email protected] ~] # Iptables-A input-p tcp -- dport 80-J accept
If the email server is configured, enable port 25,110.[[Email protected] ~] # Iptables-A input-p tcp -- dport 110-J accept
[[Email protected] ~] # Iptables-A input-p tcp -- dport 25-J accept
If the FTP server is configured, enable port 21.[[Email protected] ~] # Iptables-A input-p tcp -- dport 21-J accept [[email protected] ~] # Iptables-A input-p tcp -- dport 20-J accept If the DNS server is configured, enable port 53.[[Email protected] ~] # Iptables-A input-p tcp -- dport 53-J accept. the above mainly writes the input chain, and all the rules that are not in the above drop Allow ICMP packets to pass, that is, allow Ping,[[Email protected] ~] # Iptables-A output-p icmp-J accept (if output is set to drop) [email protected] ~] # Iptables-A input-p icmp-J accept (if input is set to drop) Allow loopback! (Otherwise, DNS may fail to be shut down normally)Iptables-A input-I lo-P all-J accept (if it is input drop)
Iptables-A output-O lo-P all-J accept (if it is output drop)
The output chain is written below. The default rule of the output chain is accept, so we will write the chain that needs to be dropped (abandoned. Reduce insecure port connections[[Email protected] ~] # Iptables-A output-p tcp -- Sport 31337-J Drop [[email protected] ~] # Iptables-A output-p tcp -- dport 31337-J Drop some Trojans scan services on ports 31337 to 31340 (elite ports in hacking languages. Since legal services do not use these non-standard ports for communication, blocking these ports can effectively reduce the chances of independent communication between infected machines on your network and their remote master servers. There are also other ports, such: ports 31335, 27444, 27665, 20034 NetBus, 9704, 137-139 (SMB), and 2049 (NFS) should also be disabled. I have not written all of them here, if you are interested, check related information. Of course, you can set the output chain to drop for more secure access, so you can add more rules, just like adding Allow SSH Login. Just write it. The more detailed rules are as follows: For example, we only allow SSH connections to machines 192.168.0.3.[[Email protected] ~] # Iptables-A input-s 192.168.0.3-p tcp -- dport 22-J accept if you want to allow, you can also restrict the number of subnet masks for a certain IP address. The value 192.168.0.0/24 indicates all IP addresses in the range of 192.168.0.1-255. but remember to delete this line in/etc/sysconfig/iptables. -A input-p tcp-m tcp -- dport 22-J accept because it indicates that all addresses can log on. or use the command: [[email protected] ~] # Iptables-D input-p tcp -- dport 22-J accept and save it. I'll talk about it again. Instead, it uses the command method and takes effect only at the time. If you want to restart it, it will also take effect, save it. write to the/etc/sysconfig/iptables file. [[email protected] ~] #/Etc/rc. d/init. d/iptables save! 192.168.0.3 indicates that other rule connections except the IP address 192.168.0.3 are also set. The following is the forward chain. The default rule of the forward chain is drop, so we will write the chain that requires accetp (VIA) to monitor the ongoing forwarding chain. Enable the forwarding function (required when the default forward rule is drop when performing Nat)[[Email protected] ~] # Iptables-a forward-I eth0-O eth1-M state -- state related, established-J accept [[email protected] ~] # Iptables-a forward-I eth1-O eh0-J accept Discard bad TCP Packets[[Email protected] ~] # Iptables-a forward-p tcp! -- Syn-M state -- state new-J Drop Number of IP fragments processed to prevent attacks. Up to 100 IP fragments are allowed per second.[[Email protected] ~] # Iptables-a forward-F-m limit -- limit 100/s -- limit-burst 100-J accept Set ICMP packet filtering to allow 1 packet per second. The trigger condition is 10 packets.[[Email protected] ~] # Iptables-a forward-p icmp-m limit -- limit 1/s -- limit-burst 10-J accept, this is because I have restrictions here. 2. configure a NAT table 1. View local Nat settings [[Email protected] rc. d] # iptables-T nat-l
Chain prerouting (Policy accept)
Target prot opt source destination chain postrouting (Policy accept)
Target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to: 211.101.46.235 chain output (Policy accept)
Target prot opt source destination my Nat has been configured (only the simplest proxy Internet access function is provided, and no firewall rules have been added ). for more information about how to configure Nat, see my other article. Of course, if you have not configured Nat, you do not need to clear the rules because Nat does not have anything by default. If you want to clear, the command is[[Email protected] ~] # Iptables-F-T Nat [[email protected] ~] # Iptables-X-T Nat [[email protected] ~] # Iptables-z-T Nat 2. Add Rules Add basic Nat address translation (see my other article on how to configure Nat ), To add rules, we only add drop links. Because the default links are all accept. Prevent Internet spoofing using Intranet IP addresses[[Email protected] sysconfig] # iptables-T Nat-A prerouting-I eth0-s 10.0.0.0/8-J Drop
[[Email protected] sysconfig] # iptables-T Nat-A prerouting-I eth0-s 172.16.0.0/12-J Drop
[[Email protected] sysconfig] # iptables-T Nat-A prerouting-I eth0-s 192.168.0.0/16-J Drop
If we want to, for example, block MSN, QQ, BT, etc., we need to find the port or IP address they use (I think it is not necessary) Example: Disable all connections to 211.101.46.253[[Email protected] ~] # Iptables-T Nat-A prerouting-D 211.101.46.253-J Drop Disable ftp (21) Port[[Email protected] ~] # Iptables-T Nat-A prerouting-p tcp -- dport 21-J Drop In this way, the write range is too large, so we can define it more accurately.[[Email protected] ~] # Iptables-T Nat-A prerouting-p tcp -- dport 21-D 211.101.46.253-J Drop In this way, only the FTP connection of the 211.101.46.253 address is disabled. Other connections can also be. For example, Web (port 80) connections. According to what I wrote, you only need to find the IP addresses, ports, and protocols of other software such as QQ and MSN. Finally: Drop illegal connection
[[Email protected] ~] # Iptables-A input-M state -- State invalid-J Drop
[[Email protected] ~] # Iptables-A output-M state -- State invalid-J Drop
[[Email protected] ~] # Iptables-a forward-M state -- State invalid-J Drop
Allow all established and related connections
[[Email protected] ~] # Iptables-A input-M state -- State established, related-J accept
[[Email protected] ~] # Iptables-A output-M state -- State established, related-J accept

[[Email protected] ~] #/Etc/rc. d/init. d/iptables save

In this way, you can write it to the/etc/sysconfig/iptables file. Remember to repeat the firewall after writing it to make it take effect.

[[Email protected] ~] # Service iptables restart

Iptables configuration details

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More