iptables has three tables: nat, mangle and filter.
filter is the default table; it holds three built-in chains: INPUT, FORWARD and OUTPUT.
INPUT: packets addressed to the local host
FORWARD: packets routed through the host to another destination
OUTPUT: packets generated by the local host
ACCEPT lets the packet through
REJECT blocks the packet and sends an error reply back to the sender
DROP silently discards the packet; it is not processed further and no reply is sent
-A append one or more rules to the end of the selected chain (INPUT, etc.)
-D delete a rule
-E rename a user-defined chain
-p protocol: tcp, udp or icmp; 0 is equivalent to all; ! inverts the match
-P set the default policy of a chain (applied to every packet that matches no rule in the chain)
-s source address: IP/mask (e.g. IP/24), host name or network name; ! inverts the match
-j jump to a target; a built-in target decides the fate of the packet immediately
-i input (network) interface [name], e.g. eth0
-o output interface [name]
-m load a match module
--sport source port
--dport destination port
# Configuration file
vi /etc/sysconfig/iptables
# Flush all rules in the firewall
iptables -F
# Note: set the policy to ACCEPT before flushing, otherwise a DROP policy locks you out: iptables -P INPUT ACCEPT
# Import firewall rules from a file
iptables-restore < rule-file
# Save the firewall settings
/etc/init.d/iptables save
# Restart the firewall service
/etc/init.d/iptables restart
# View rules
iptables -L -n
iptables -L -n --line-numbers
# Delete a rule from a chain (by specification or by rule number)
iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 8
# Replace an existing rule (rule number 8 in INPUT)
iptables -R INPUT 8 -s 192.168.0.1 -j DROP
# Insert a rule at position 8
iptables -I INPUT 8 -p tcp --dport 80 -j ACCEPT
# View the NAT (forwarding) table
iptables -t nat -nL
# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
##################################
# Allow local loopback
iptables -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
iptables -P OUTPUT ACCEPT
# Open a port to a specific IP address only
iptables -A INPUT -s 192.168.10.37 -p tcp --dport 22 -j ACCEPT
# Allow access from an IP address or address range
iptables -A INPUT -s 192.168.10.37 -p tcp -j ACCEPT
# Open a port to the outside
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Drop all other inbound packets by default
iptables -P INPUT DROP
# Disable forwarding
iptables -P FORWARD DROP
##################################
iptables rule file
# Generated by iptables-save v1.2.11 on Fri Feb 9 12:10:37 2007
*filter
:INPUT DROP [637:58967]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5091:1301533]
# Allow access from an IP address or address range
-A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.0.0 -p tcp -j ACCEPT
# Open a port to the outside
-A INPUT -p tcp --dport 80 -j ACCEPT
# Open a port to a specific IP address only
-A INPUT -s 192.168.10.37 -p tcp --dport 22 -j ACCEPT
# Drop TCP packets carrying only the RST flag (rule left commented out; the INPUT policy already drops unmatched packets)
#-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,URG RST -j DROP
# Allow established or related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject all other TCP packets with an ICMP port-unreachable reply
-A INPUT -p tcp -m tcp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Feb 9 12:10:37 2007
Common instances
# Allow access to a specified port from an IP address
iptables -A INPUT -s 192.168.62.1 -p tcp --dport 22 -j ACCEPT
# Disable a port
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 31 -j REJECT
# Block the QQ port
iptables -A FORWARD -p udp --dport 8000 -j REJECT
# Block ICMP
# Prohibit anyone except 192.168.62.1 from pinging this host
iptables -A INPUT -i eth0 -s 192.168.62.1/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
# Drop everything else
iptables -A INPUT -i eth0 -j DROP
# Block access from a specified IP address
iptables -A INPUT -p tcp -s IP -j DROP
# Block a specified IP address from reaching a port
iptables -A INPUT -p tcp -s IP --dport PORT -j DROP
# Drop all new TCP connections that the host has not explicitly allowed
iptables -t filter -A INPUT -i eth0 -p tcp --syn -j DROP
# Masquerade a CIDR block for forwarding
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# Limit the IP packet rate
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j DROP
# Port redirection
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.62.0/24 --dport 80 -j REDIRECT --to-ports 3128
# List all rules in a chain
iptables -L INPUT
# Delete a user-defined chain; with no chain name, delete all empty non-built-in chains
iptables -X allowed
# Reset the packet counters to zero
iptables -Z INPUT
# Define a new chain
iptables -N allowed
# Define a filter policy
iptables -P INPUT DROP
# Rename a user-defined chain
iptables -E allowed disallowed
# Match the protocol type
# -p ! tcp matches udp and icmp (everything except tcp); -p all matches all types
iptables -A INPUT -p tcp
# Match the source IP address of the packet
# 192.168.0.0/24 matches a network; ! inverts the comparison
iptables -A INPUT -s 192.168.1.1
# Match the destination IP address of the packet
iptables -A INPUT -d 192.168.1.1
# Match the network interface the packet arrived on
# eth+ matches all eth interfaces
iptables -A INPUT -i eth0
# Match the network interface the packet leaves through
iptables -A FORWARD -o eth0
# Match the average packet rate over a period of time
# The example checks whether the average rate exceeds three packets per hour. Besides per hour, the average
# can be taken per second, per minute or per day; the default is per hour, and the units are written
# "/second", "/minute" and "/day". Besides counting packets, this match stops matching once the limit
# is reached, which helps keep flood attacks from blocking the service.
iptables -A INPUT -m limit --limit 3/hour
# Match the number of packets arriving in a burst
# The example checks whether more than five packets arrive at once (five is the default); packets over
# this limit are dropped directly. It is used in the same way as --limit above.
iptables -A INPUT -m limit --limit-burst 5
# Match packets generated on the local host by a specific user
# This keeps the server from sending sensitive data under root or another identity and can limit the
# damage to the system. Unfortunately, this match cannot be applied to packets from other hosts.
iptables -A OUTPUT -m owner --uid-owner 500
# Match packets generated on the local host by group, process or session
iptables -A OUTPUT -m owner --gid-owner 0
iptables -A OUTPUT -m owner --pid-owner 78
iptables -A OUTPUT -m owner --sid-owner 100
# Match the connection state
iptables -A INPUT -m state --state RELATED,ESTABLISHED
There are four connection states: INVALID, ESTABLISHED, NEW and RELATED.
# The -j parameter specifies the target action: ACCEPT, REJECT, DROP, REDIRECT and the targets described below.
Description:
REJECT blocks the packet and returns an error reply
iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
# --reject-with can be icmp-port-unreachable, icmp-echo-reply or tcp-reset.
REDIRECT redirects the packet to another port (PNAT)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
MASQUERADE rewrites the packet's source IP address to the IP address of the firewall's network interface
iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
LOG records information about the packet in /var/log
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
SNAT rewrites the packet's source IP address to a specific IP address or address range
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
DNAT rewrites the packet's destination IP address to a specific IP address or address range
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100
MIRROR mirrors the packet (sends it back with source and destination addresses swapped)
QUEUE hands the packet to a userspace program, interrupting filtering
RETURN ends filtering in the current chain and returns to the chain that called it
MARK attaches a mark value to the packet
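The LOG target above only writes kernel log lines; the defender still has to read them. The following shell script is an added example, not part of the original page: it summarises netfilter log lines by source address and destination port, keyed on the prefix given to --log-prefix. The log lines are constructed samples using documentation addresses; on a real host the same lines come from /var/log/messages or dmesg.

```shell
#!/bin/sh
# Added example (not from the original page): summarise LOG-target output.
# Constructed sample of kernel log lines, as written by the LOG target with
# --log-prefix "INPUT packets"; the last line is noise that must be ignored.
SAMPLE_LOG='Feb  9 12:10:37 gw kernel: INPUT packets IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=50311 DPT=22 WINDOW=65535 SYN URGP=0
Feb  9 12:10:38 gw kernel: INPUT packets IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=50312 DPT=22 WINDOW=65535 SYN URGP=0
Feb  9 12:10:39 gw kernel: INPUT packets IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=50313 DPT=22 WINDOW=65535 SYN URGP=0
Feb  9 12:10:40 gw kernel: INPUT packets IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 SYN URGP=0
Feb  9 12:10:41 gw kernel: INPUT packets IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TTL=49 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb  9 12:10:42 gw kernel: unrelated message without netfilter fields'

# summarize_log PREFIX: read log lines on stdin and print "count src dpt",
# most frequent first. Lines without the prefix or without SRC= are skipped;
# ICMP lines carry no DPT and are shown with "-".
summarize_log() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# noisy_sources PREFIX N: source addresses with more than N entries for one
# destination port, one per line (a cheap first pass before blocking anything).
noisy_sources() {
    summarize_log "$1" | awk -v n="$2" '$1 > n { print $2 }' | sort -u
}

# Example run on the constructed sample:
#   3 203.0.113.7 22  -> repeated SYNs to the SSH port from one host
printf '%s\n' "$SAMPLE_LOG" | summarize_log "INPUT packets"
```

Pipe real logs through the same function, for example `grep 'INPUT packets' /var/log/messages | summarize_log 'INPUT packets'`; the prefix argument is what keeps lines from other LOG rules (or unrelated kernel messages) out of the count.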
##################################
iptables configuration instance
Allow a certain IP address to access any port
iptables -A INPUT -s 192.168.0.3/24 -p tcp -j ACCEPT
Set the default policies (deny all packets first, then allow only what is needed; for example, if the host is used only as a web server, it is recommended that all three chains be set to DROP)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
(Note: the recommendation is to set all three chains to DROP)
Open port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If OUTPUT is set to DROP, also write the following
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: if OUTPUT is set to DROP without this rule, SSH sessions cannot be established because the replies are blocked; whenever OUTPUT is DROP, a matching OUTPUT rule must be added)
If a web server is enabled and OUTPUT is set to DROP, an OUTPUT rule must be added as well
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
Open port 80 for a web server
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
For a mail server, open ports 25 and 110
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
Allow ICMP packets through so that ping works
iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is set to DROP)
iptables -A INPUT -p icmp -j ACCEPT (if INPUT is set to DROP)
Allow loopback! (Otherwise local services such as DNS may not work normally)
iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)
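The instance above is typed as a sequence of commands; the order in which they are entered decides whether the administrator locks themselves out (a DROP policy before the loopback and ESTABLISHED,RELATED rules cuts the session). The script below is an added example, not from the original page: it generates the same deny-by-default ruleset in the iptables-save format shown earlier, combines it with the -m limit and -m state matches and the LOG target discussed above, and checks the ordering before anything is loaded. The admin network, interface name and ports are constructed assumptions; generating the file needs no privileges, so the checks can run anywhere, and loading it is a separate, explicit step.

```shell
#!/bin/sh
# Added example (not from the original page): build and sanity-check a
# deny-by-default ruleset as an iptables-restore file.
ADMIN_NET="${ADMIN_NET:-192.168.10.0/24}"   # assumed network allowed to reach SSH
WAN_IF="${WAN_IF:-eth0}"                    # assumed external interface

# Emit the ruleset to stdout. Order matters: loopback and ESTABLISHED,RELATED
# first, the per-service NEW rules next, the rate-limited LOG last; packets
# that match nothing fall to the INPUT DROP policy.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second --limit-burst 5 -j ACCEPT
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Checks a reviewer would run before loading: exactly one COMMIT, the default
# policies are DROP/DROP/ACCEPT, and the loopback and state rules come before
# the first port rule (so an existing SSH session survives the load).
check_ruleset() {
    rules=$(build_ruleset)
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT ACCEPT' || return 1
    first_port=$(printf '%s\n' "$rules" | grep -n -- '--dport' | head -1 | cut -d: -f1)
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-i lo ' | head -1 | cut -d: -f1)
    state_line=$(printf '%s\n' "$rules" | grep -n -- 'ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    [ "$lo_line" -lt "$first_port" ] && [ "$state_line" -lt "$first_port" ]
}

# count_chain_rules CHAIN: number of rules appended to CHAIN in the file.
count_chain_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Usage: ./fw.sh > rules.v4 ; ./fw.sh --check
# Then, as root: iptables-restore --test < rules.v4 (parse only, nothing
# committed) followed by iptables-restore < rules.v4 to load atomically.
if [ "${1:-}" = "--check" ]; then
    check_ruleset && echo "ruleset ok" || { echo "ruleset invalid" >&2; exit 1; }
else
    build_ruleset
fi
```

Generating a file and loading it with iptables-restore replaces the whole table in one step, so there is no window in which half the rules are present; the page's `/etc/init.d/iptables save` then persists the result.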
========================================================== ======================================