Iptables enhances System Security

Source: Internet
Author: User

My goal is to close all externally reachable service ports and allow only port 22 (the SSH service) to accept external requests.

First, obtain root on my test server, then use the following command to view the current iptables rules:

root@host2:~# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 105 packets, 10480 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
4        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
3        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
4        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 25 packets, 3380 bytes)
num   pkts bytes target     prot opt in     out     source               destination

-v prints verbose output (the packet and byte counters).

-n shows addresses and port numbers numerically instead of resolving them.

-L lists the rules in the chains.

--line-numbers prefixes each rule with its position in the chain, which is useful when deleting a rule.

From the above results we can see that the INPUT policy is ACCEPT, so every incoming connection is allowed.

First delete all existing rules, so that none of them interferes with the policy that follows:

iptables -F

Then set the default policy to drop every incoming request:

iptables -P INPUT DROP

Add a rule that accepts connections to the SSH port:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Try connecting from another machine. SSH login works, apart from a short wait.

Note: with this configuration the machine itself can no longer reach the Internet, because the replies to its own outgoing connections arrive on INPUT and are dropped. There are two solutions:

1. For the strictest setup, temporarily switch the policy back to ACCEPT by hand and set it to DROP again as soon as you are done:

iptables -P INPUT ACCEPT

# do something

iptables -P INPUT DROP

2. Add a rule that accepts packets belonging to connections that are already established (and related ones, such as ICMP errors or FTP data channels):

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Connections initiated from the local machine are not restricted by our rules (the OUTPUT policy is still ACCEPT). Once such a connection is established, the data coming back matches this rule, so content can be pulled from the external network.

Add other ports as needed.

If you want to allow only a limited set of machines to initiate requests to the server, use the -s parameter, for example:

iptables -A INPUT -p tcp -s 10.112.18.0/24 --dport 27017 -j ACCEPT

Only machines in the 10.112.18.0/24 network segment can connect to port 27017 of the local machine. Take care with the mask: a /0 mask matches every source address and restricts nothing, while /24 covers exactly the 10.112.18.x hosts.
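The whole procedure above (flush, accept ESTABLISHED/RELATED, accept SSH, accept the source-restricted port, then the DROP policy) as one added script; this is example code written for this page, not from the original article. It emits the commands in an order that cannot cut off the SSH session you are working in, refuses a source CIDR with a /0 mask, and adds a loopback ACCEPT rule the article does not mention; the port and network values are the article's, used here as assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate the INPUT ruleset
# in lock-out-safe order and sanity-check the -s network before emitting it.
# Assumed values: SSH on 22/tcp, MongoDB on 27017/tcp from 10.112.18.0/24.

# Return 0 only for a CIDR whose prefix length is 1..32. A /0 mask matches
# every source address, so a "restricted" rule built from it restricts nothing.
check_cidr() {
    cidr=$1
    case $cidr in
        */*) prefix=${cidr##*/} ;;
        *)   return 1 ;;            # no mask at all
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric prefix
    esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ]
}

# Print the iptables commands. The ACCEPT rules for established traffic and
# SSH come first and the DROP policy last, so an interactive SSH session used
# to apply them keeps working at every step.
build_rules() {
    ssh_port=$1; app_port=$2; app_src=$3
    check_cidr "$app_src" || {
        echo "refusing invalid or /0 source network: $app_src" >&2
        return 1
    }
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT
iptables -A INPUT -p tcp -s $app_src --dport $app_port -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Post-check (needs root): the INPUT policy must really read DROP afterwards.
policy_is_drop() {
    iptables -S INPUT | grep -q '^-P INPUT DROP$'
}

# Usage, as root:  build_rules 22 27017 10.112.18.0/24 | sh && policy_is_drop
```

Review the printed commands before piping them into sh; the generator only builds the INPUT chain and leaves FORWARD and OUTPUT untouched.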

For detailed iptables operations under Ubuntu, refer to:

https://help.ubuntu.com/community/IptablesHowTo

How to save the rules so they survive a reboot? Two steps:

1. Install the package

apt-get install iptables-persistent

2. Save the current rules to the rule file

service iptables-persistent save

Restart to confirm the rules are restored at boot.

iptables-persistent is a boot script; if you are interested, you can read it in the /etc/init.d/ directory.
