Iptables firewall
1. Introduction
Iptables is an open-source packet-filtering firewall tool that ships with Linux. The filtering itself is done inside the kernel (by Netfilter), which makes it flexible to use and undemanding on hardware; it mainly works at Layer 2, Layer 3, and Layer 4 of the OSI model.
Terms:
Netfilter: the container of tables
table: the container of chains
chain: the container of rules
rules: the series of criteria and actions iptables uses to filter packets
Workflow:
client request ---- iptables filter ---- host service (or dropped directly)
packet ---- rule 1 ---- rule 2 ---- DROP (once a rule with the DROP action matches, the rules after it are never consulted)
packet ---- rule 1 (no match) ---- rule 2 (no match) ---- ... ---- handled by the default policy
The firewall filters packets layer by layer: the rules are tried against each packet sequentially from top to bottom, the first matching rule explicitly accepts or blocks it, and a packet that matches no rule is finally handed to the chain's default policy.
2. Introduction to common tables
Common tables include filter, nat, and mangle.
Complete process:
1. Packet destined for the host: packet arrives ---- nat PREROUTING ---- filter INPUT ---- local process ---- nat OUTPUT ---- filter OUTPUT ---- nat POSTROUTING
2. Packet forwarded through the host: packet arrives ---- nat PREROUTING ---- filter FORWARD ---- nat POSTROUTING
The nat table is mainly used for NAT and port mapping; the filter table is mainly used for filtering.
3. Help Information
[root@VM_0_7_centos ~]# iptables -h
iptables v1.4.7

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain                Append to chain                                  # add rules to the end of the chain
  --check   -C chain                Check for the existence of a rule
  --delete  -D chain                Delete matching rule from chain                  # delete matching rules from the chain
  --delete  -D chain rulenum        Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]      Insert in chain as rulenum (default 1=first)     # add the rule at the start of the chain
  --replace -R chain rulenum        Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]    List the rules in a chain or all chains          # view in list form
  --list-rules -S [chain [rulenum]] Print the rules in a chain or all chains
  --flush   -F [chain]              Delete all rules in chain or all chains          # clear all rules
  --zero    -Z [chain [rulenum]]    Zero counters in chain or all chains             # clear the counters
  --new     -N chain                Create a new user-defined chain
  --delete-chain -X [chain]         Delete a user-defined chain                      # delete a user-defined chain
  --policy  -P chain target         Change policy on chain to target                 # change the chain policy to the target
  --rename-chain -E old-chain new-chain  Change chain name, (moving any references)

Options:
[!] --proto         -p proto                 protocol: by number or name, eg. 'tcp'       # protocol type, such as tcp or udp
[!] --source        -s address[/mask][...]   source specification                         # source address (-s followed by an IP address)
[!] --destination   -d address[/mask][...]   destination specification
[!] --in-interface  -i input name[+]         network interface name ([+] for wildcard)    # input interface, such as eth0
    --jump          -j target                target for rule (may load target extension)  # action to take on a match
    --goto          -g chain                 jump to chain with no return
    --match         -m match                 extended match (may load extension)
    --numeric       -n                       numeric output of addresses and ports        # show ports and addresses as numbers
[!] --out-interface -o output name[+]        network interface name ([+] for wildcard)    # output interface, as opposed to -i
    --table         -t table                 table to manipulate (default: 'filter')      # specify the table
    --verbose       -v                       verbose mode
    --line-numbers                           print line numbers when listing
    --exact         -x                       expand numbers (display exact values)
[!] --fragment      -f                       match second or further fragments only
    --modprobe=<command>                     try to insert modules using this command
    --set-counters PKTS BYTES                set the counter during insert/append
[!] --version       -V                       print package version.
[root@VM_0_7_centos ~]# /etc/init.d/iptables status     # view the running status of iptables
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[root@VM_0_7_centos ~]# iptables -L -n     # list the rules with numeric addresses and ports
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Clear rules
[root@VM_0_7_centos ~]# iptables -F     # clear all iptables rules
[root@VM_0_7_centos ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Clear a specified table: iptables -F -t <table name>
Because filter is the default table, iptables -F -t filter is the same as iptables -F.
[root@VM_0_7_centos ~]# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
A rule like the one above drops inbound TCP port 22 (SSH), so remote logins to the host would fail. Before configuring the firewall, it is best to set up a scheduled task that stops the firewall at regular intervals, so that a mistaken rule cannot lock you out of remote login.
-A: append the rule to the end of the chain.
-I: insert the rule at the beginning of the chain.
[root@VM_0_7_centos ~]# iptables -t filter -A INPUT -p tcp --dport 9001 -j DROP
[root@VM_0_7_centos ~]# iptables -t filter -A INPUT -p tcp --dport 9002 -j DROP
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9001
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9002

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[root@VM_0_7_centos ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9001
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9002

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
In real enterprise use, when the default policy is ACCEPT but a particular application or service has to be blocked, the -I option is used to put the rule at the beginning of the chain so it is matched first; for example, if you find one IP address hammering a website, you can block it this way.
[root@VM_0_7_centos ~]# iptables -t filter -I INPUT -p tcp -s 10.0.100.1 --dport 9003 -j ACCEPT
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.0.100.1           0.0.0.0/0           tcp dpt:9003
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9001
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9002

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Delete a rule by its row number
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.0.100.1           0.0.0.0/0           tcp dpt:9003
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9001
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9002

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[root@VM_0_7_centos ~]# iptables -D INPUT 3
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.0.100.1           0.0.0.0/0           tcp dpt:9003
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9001

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Block traffic from a network segment
[root@VM_0_7_centos ~]# iptables -A INPUT -i eth0 -s 10.0.0.0/24 -j DROP
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.0.100.1           0.0.0.0/0           tcp dpt:9003
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9001
3    DROP       all  --  10.0.0.0/24          0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
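As an added example (not from the original page), a small POSIX sh simulation of how the INPUT chain shown above is walked: rules are tried top to bottom, the first match decides, and a packet matching no rule falls through to the chain policy. It also shows why -I and -A differ: the same ACCEPT for one host in the blocked segment is never reached when appended after the 10.0.0.0/24 DROP, but wins when inserted at the top. Only -s and --dport are modelled, and the packets are constructed.

```shell
#!/bin/sh
# Constructed simulation of how the filter INPUT chain is walked: rules are
# tried top to bottom, the first match decides, else the chain policy applies.
# Only -s (CIDR) and --dport are modelled; this is not iptables itself.

ip2int() {                      # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

cidr_match() {                  # cidr_match <net/bits> <ip>: true if ip is inside
    net=${1%/*}; bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32               # bare address means /32
    if [ "$bits" -eq 0 ]; then mask=0           # 0.0.0.0/0 matches anything
    else mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff )); fi
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Chain state after the commands above, one rule per line: <src> <dport|any> <target>
RULES='10.0.100.1 9003 ACCEPT
0.0.0.0/0 9001 DROP
10.0.0.0/24 any DROP'

# eval_chain <policy> <rules> <src ip> <dport>  -> prints "<verdict> <rule#|policy>"
eval_chain() {
    policy=$1; rules=$2; src=$3; dport=$4; n=0
    while read -r rsrc rport target; do
        n=$((n + 1))
        cidr_match "$rsrc" "$src" || continue
        [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
        echo "$target rule$n"; return 0        # first match wins
    done <<EOF
$rules
EOF
    echo "$policy policy"                      # nothing matched: default policy
}

# The same ACCEPT for one host in the blocked segment, appended (-A) vs inserted (-I)
RULES_APPEND="$RULES
10.0.0.9 9003 ACCEPT"
RULES_INSERT="10.0.0.9 9003 ACCEPT
$RULES"

eval_chain ACCEPT "$RULES" 10.0.100.1 9003          # ACCEPT rule1
eval_chain ACCEPT "$RULES" 10.0.0.5 9003            # DROP rule3
eval_chain ACCEPT "$RULES" 203.0.113.7 22           # ACCEPT policy
eval_chain ACCEPT "$RULES_APPEND" 10.0.0.9 9003     # DROP rule3 (rule 4 is never reached)
eval_chain ACCEPT "$RULES_INSERT" 10.0.0.9 9003     # ACCEPT rule1
```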
Iptables enterprise-level application configuration
Clear rules
[root@VM_0_7_centos ~]# iptables -F
[root@VM_0_7_centos ~]# iptables -X
[root@VM_0_7_centos ~]# iptables -Z
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Configure rules so that intranet users can still reach the host
[root@VM_0_7_centos ~]# iptables -A INPUT -s 100.1.3.9/24 -j ACCEPT
[root@VM_0_7_centos ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@VM_0_7_centos ~]# iptables -A INPUT -i lo -j ACCEPT
[root@VM_0_7_centos ~]# iptables -A OUTPUT -o lo -j ACCEPT
Set the default policies
[root@VM_0_7_centos ~]# iptables -P INPUT DROP
[root@VM_0_7_centos ~]# iptables -P FORWARD DROP
[root@VM_0_7_centos ~]# iptables -P OUTPUT DROP
Allow users to access the web page (this cannot be blocked, because the website is open to users worldwide)
[root@VM_0_7_centos ~]# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
[root@VM_0_7_centos ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Because rules added with iptables commands live only in kernel memory, they are lost when the machine reboots unless they are saved.
[root@VM_0_7_centos ~]# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak     # back up the existing rule file first
[root@VM_0_7_centos ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
The iptables rules are now saved.
Maintain iptables Firewall
[root@VM_0_7_centos ~]# vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Mar 23 11:13:52 2018
*filter
:INPUT ACCEPT [938:61166]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [872:82030]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Fri Mar 23 11:13:52 2018
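As an added example rather than the page's own commands, the enterprise ruleset from the previous section written as an iptables-restore file (the same format /etc/init.d/iptables save writes to /etc/sysconfig/iptables) so that policies and rules are loaded in one step instead of one iptables command at a time. It adds a check for the lockout situation described earlier (INPUT policy DROP with no ACCEPT for SSH) and, going beyond the page's rules, state rules so that replies to accepted connections are not dropped by the OUTPUT policy. INTRANET, SSH_PORT and the backup path are assumed values.

```shell
#!/bin/sh
# Constructed example: the enterprise ruleset as an iptables-restore file.
# INTRANET and SSH_PORT are assumed values; adjust them for your network.
INTRANET=${INTRANET:-100.1.3.0/24}
SSH_PORT=${SSH_PORT:-22}

# Prints the ruleset. Policies go in the :CHAIN lines; rules are matched in
# the order written, so every ACCEPT is listed before the DROP policy applies.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $INTRANET -j ACCEPT
-A INPUT -p tcp -m tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Lockout check: a DROP policy on INPUT without an SSH ACCEPT cuts off remote
# administration. Returns 0 when the ruleset is safe to load.
check_ruleset() {
    ruleset=$1
    if printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$ruleset" | grep -q -- "--dport $SSH_PORT -j ACCEPT"; then
        echo "refusing: INPUT policy DROP but no ACCEPT for tcp/$SSH_PORT" >&2
        return 1
    fi
    return 0
}

# Loads the ruleset atomically after a syntax-only test run, keeping a backup
# (assumed path) that iptables-restore can reload if something goes wrong.
apply_ruleset() {
    ruleset=$(gen_ruleset)
    check_ruleset "$ruleset" || return 1
    iptables-save > /root/iptables.bak
    printf '%s\n' "$ruleset" | iptables-restore --test || return 1
    printf '%s\n' "$ruleset" | iptables-restore
}
```

Run apply_ruleset as root only after check_ruleset passes; gen_ruleset and check_ruleset need no privileges and can be used to review the file before it is installed.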