Iptables entry: simple email server protection

Source: Internet
Author: User

This document is intended for iptables beginners: readers who have learned the principles and basic syntax of iptables but do not yet know how to use the tool on a production server.

Two main work modes of iptables

A packet handled by iptables can take one of the following paths:

PREROUTING → FORWARD → POSTROUTING

PREROUTING → INPUT → local → OUTPUT → POSTROUTING

These two paths correspond to the two main roles iptables plays: the first is a NAT router (packets forwarded between two networks), the second is a host firewall (packets to and from the local machine itself).

For details about how packets enter and leave iptables, see the flowchart below:

Figure: iptables flowchart of inbound and outbound data packets

Iptables uses different rule tables for different packet-processing functions. There are three tables: filter, nat, and mangle.

  • filter is the default table and holds the actual firewall filtering rules. Its built-in chains are INPUT, OUTPUT, and FORWARD.
  • nat holds the rules for source and destination address and port translation. Its built-in chains are PREROUTING, OUTPUT, and POSTROUTING.
  • mangle holds rules that mark packets for special routing treatment; the marks are later checked by rules in the filter table. Its built-in chains are PREROUTING, INPUT, FORWARD, POSTROUTING, and OUTPUT.

The chains in these tables serve the following functions:

  • INPUT chain: packets that the kernel's routing decision determines are destined for the local Linux system pass through the INPUT chain.
  • OUTPUT chain: packets generated by the local system.
  • FORWARD chain: packets routed through the Linux system. That is, when the iptables firewall connects two networks, packets travelling between those networks pass through the FORWARD chain.
  • PREROUTING chain: used to rewrite the destination address (DNAT).
  • POSTROUTING chain: used to rewrite the source address (SNAT).

The detailed syntax of iptables is as follows:

iptables [-t table name] <-A | -I | -D | -R> chain name [rule number] [-i | -o NIC name] [-p protocol type] [-s source IP address | source subnet] [--sport source port number] [-d destination IP address | destination subnet] [--dport destination port number] <-j action>

Note: this syntax template is complete and its logic is clear, so we recommend using it as a formula to remember the command. When you start writing iptables rules, get into the habit of following the formula so that your scripts stay uniform; this will pay off in later work.

In this section we write a simple iptables rule set to protect a mail host. The network topology is very simple: the iptables machine has the IP address 192.168.1.101/24 and the other machine has the IP address 192.168.1.102.

Common email host protection script

A basic mail host protection script is easy to write. The mail host exposes only two ports, 80 and 25, and all other ports are closed. Because little functionality is involved, module loading is minimal: only the filter table is used, so the script's initialization is also very simple.

We write the script in the order that iptables rules are normally written. The script content is as follows.

Note: the server sits in our own data center, so port 22 is not opened; the server is debugged directly on site. For remote operation, open port 22 as well.

#!/bin/bash
# flush all rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z

# load the required kernel modules by hand
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack

# default policies: drop everything inbound, allow forwarded and outbound traffic
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# allow the loopback interface in both directions
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# open the two service ports and allow return traffic of existing connections
iptables -A INPUT -p tcp -m multiport --dports 25,80 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Note:

The first three iptables commands initialize iptables (flush all rules, delete user-defined chains, and reset the counters).

modprobe loads kernel modules manually. If you start iptables with `service iptables start`, many unnecessary modules are loaded, so here we load them by hand. The ip_conntrack module can be enabled in a test or learning environment to track the flow of packets; in a production environment, however, I do not recommend enabling it, because it increases the server load.

The two rules after the default policies open the system loopback interface to avoid unnecessary trouble. What trouble exactly? Think about it first; the answer is given at the end of this article.

The last rule allows connections in the RELATED and ESTABLISHED states to pass through iptables. The reason for this setting is also answered at the end of the article.

After the script has been run, view the result with the following command:

iptables -nv -L

The command displays the following results:

Chain INPUT (policy DROP 13539 packets, 763K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  480 32744 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,80
   13  1411 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 472 packets, 52779 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
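As an added check that is not part of the original article, the following Python script parses a listing like the one above and verifies that the loaded rules really implement the policy the protection script intends: INPUT defaults to DROP, loopback and RELATED,ESTABLISHED traffic are accepted, and the only service ports accepted from outside are 25 and 80. The embedded sample is the INPUT and OUTPUT chains of the listing shown above; `parse_listing` and `check_mail_host_policy` are names chosen here.

```python
import re

# Constructed sample: the INPUT and OUTPUT chains of the `iptables -nv -L` listing the article shows.
SAMPLE = """\
Chain INPUT (policy DROP 13539 packets, 763K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  480 32744 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,80
   13  1411 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 472 packets, 52779 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
COLS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")

def parse_listing(text):
    # Returns {chain: {"policy": str, "rules": [dict]}}; text after the nine
    # fixed columns (e.g. "multiport dports 25,80") is kept in rule["match"].
    chains, current = {}, None
    for line in text.splitlines():
        m, cols = CHAIN_RE.match(line), line.split()
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif cols and cols[0] != "pkts" and current is not None:  # skip blank/header rows
            rule = dict(zip(COLS, cols))
            rule["match"] = " ".join(cols[len(COLS):])
            current["rules"].append(rule)
    return chains

def check_mail_host_policy(chains, allowed_ports=("25", "80")):
    # Returns the deviations from the intended mail-host policy; empty means it matches.
    inp = chains.get("INPUT")
    if inp is None or inp["policy"] != "DROP":
        return ["INPUT default policy is not DROP"]
    problems, seen = [], set()
    for r in (x for x in inp["rules"] if x["target"] == "ACCEPT"):  # only ACCEPTs widen exposure
        ports = re.fullmatch(r"multiport dports (\S+)", r["match"])
        if r["in"] == "lo":
            seen.add("lo")
        elif r["match"] == "state RELATED,ESTABLISHED":
            seen.add("state RELATED,ESTABLISHED")
        elif not (r["prot"] == "tcp" and ports and set(ports.group(1).split(",")) <= set(allowed_ports)):
            problems.append("unexpected INPUT ACCEPT: " + " ".join(r[c] for c in COLS) + " " + r["match"])
    for need in ("lo", "state RELATED,ESTABLISHED"):
        if need not in seen:
            problems.append("missing ACCEPT rule for " + need)
    return problems
```

Feed it the real output of `iptables -nv -L` after every change to the script; any extra ACCEPT rule or a changed default policy is reported instead of silently widening what the host exposes.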

All ports other than 80 and 25 are hidden by iptables. For example, we scan this server with nmap from the other machine:

nmap -sT 192.168.1.101

The command displays the following results:

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-05-25 00:46 CST
Interesting ports on 192.168.1.101:
Not shown: 1678 filtered ports
PORT   STATE SERVICE
25/tcp open  ssh
80/tcp open  http
MAC Address: 00:E0:62:12:7B:65 (Host Engineering)

Nmap finished: 1 IP address (1 host up) scanned in 37.721 seconds

This result shows that iptables is in effect.

In addition, a suggestion for friends who have just started with iptables: a common mistake when you begin experimenting is to lock yourself out of the server. To guard against this, add a crontab entry that stops the firewall every five minutes, and remove the entry once debugging is complete:

vim /etc/crontab
*/5 * * * * root /etc/init.d/iptables stop

(Entries in the system-wide /etc/crontab carry a user field, here root, between the schedule and the command.)

The above is only a preliminary protection script. Defenses against SYN floods, ping floods and other attacks can be added on top of it once you are familiar with the principles.

The following are the answers to the two questions mentioned above:

1. Why do I need to enable the loopback interface?

By default, a Linux system has a loopback network interface named lo, while physical NICs are generally recognized by Linux as interfaces such as eth0 and eth1.

The lo interface generally has the IP address 127.0.0.1.

When a Linux host sends packets to itself, they are actually sent and received through the virtual lo interface rather than through the physical NIC eth0/eth1.

If the lo interface is blocked, ping, telnet or ssh to the local host name, localhost, or 127.0.0.1 may fail, which causes trouble during debugging.

2. Why set RELATED and ESTABLISHED state matching?

Compared with pure IP address filtering, a stateful firewall is smarter and more efficient; this matters in particular for FTP servers. For the state mechanism of iptables, see this article: http://os.51cto.com/art/201108/285209.htm
