In the previous article we learned how to write some simple firewall rules, but those rules only take effect temporarily: iptables rules live in kernel memory, so when the iptables service is stopped or the server reboots they are all gone. To avoid writing them again every time, the rules have to be saved so that they can be reloaded after the firewall or the system restarts.
Exporting and importing iptables rules
Batch backup and restore of firewall rules uses two commands, iptables-save and iptables-restore, for saving and restoring respectively.
1. Back up iptables rules
The iptables-save command exports the firewall rules in bulk. Run without arguments, it prints every rule currently loaded to standard output, table by table (raw, mangle, nat, filter); each table block starts with a "*tablename" line and ends with "COMMIT". To print a single table, add "-t tablename" to the command. To actually back the rules up, redirect the output to a file with ">".
For example, to back up the rules of all tables:
[root@localhost /]# iptables-save > /opt/iprules_all.txt
or
[root@localhost /]# service iptables save
The latter saves all current rules to the file /etc/sysconfig/iptables, which is the file the iptables init script on RHEL/CentOS reads at startup.
2. Restore iptables rules
The iptables-restore command imports firewall rules in bulk. If you already have a backup file exported with iptables-save, restoring the rules is instantaneous. Unlike iptables-save, iptables-restore reads the rules from standard input, so the backup file is supplied with the input redirection "<". Two things to know before running it on a remote host: by default it flushes the existing rules of every table named in the file before loading the new ones (use -n/--noflush to keep them), and it accepts --test, which parses the file without committing anything, so a syntax error is found before the live rules are touched.
For example, to restore the rules that were backed up above:
[root@localhost /]# iptables-restore < /opt/iprules_all.txt
or
[root@localhost /]# service iptables start
The latter loads the contents of /etc/sysconfig/iptables into iptables by default, so a backup made with "service iptables save" is restored with "service iptables start" (or "service iptables restart" if the service is already running).
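A pre-flight check and a self-reverting restore, as an added example that is not part of the original article. It covers both steps above: check_dump inspects an iptables-save dump before it is loaded (every *table block must be closed by COMMIT, and a DROP policy on INPUT must come with an explicit ACCEPT for the admin port), and apply_with_rollback saves the live rules, loads the new file, and puts the old rules back after a grace period unless confirm_rules is run, which is the usual guard against locking yourself out of a remote host. ADMIN_PORT (default 22), the /tmp paths and the two sample dumps are assumptions of this example; the sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): check an iptables-save dump
# before loading it, then load it with a rollback timer. Assumes the admin
# reaches the host on tcp/ADMIN_PORT (default 22); the /tmp paths are
# arbitrary choices of this example.

ADMIN_PORT="${ADMIN_PORT:-22}"
ROLLBACK_PID="/tmp/iptables.rollback.pid"

# check_dump FILE: return 0 if the dump looks safe to load, 1 otherwise.
check_dump() {
    dump="$1"
    [ -s "$dump" ] || { echo "check_dump: $dump is empty or missing" >&2; return 1; }

    # Every "*table" header needs a closing COMMIT, otherwise iptables-restore
    # rejects the file.
    tables=$(grep -c '^\*' "$dump" || :)
    commits=$(grep -c '^COMMIT$' "$dump" || :)
    if [ "$tables" -ne "$commits" ]; then
        echo "check_dump: $tables table headers but $commits COMMIT lines" >&2
        return 1
    fi

    # A DROP policy on INPUT with no explicit ACCEPT for the admin port would
    # cut off the session that loads it. Only a single --dport is recognised;
    # a multiport rule that includes the port does not satisfy this check.
    if grep -q '^:INPUT DROP' "$dump" &&
       ! grep -E "^-A INPUT .*--dport ${ADMIN_PORT} .*-j ACCEPT" "$dump" >/dev/null; then
        echo "check_dump: INPUT policy DROP but no ACCEPT for tcp/${ADMIN_PORT}" >&2
        return 1
    fi
    return 0
}

# apply_with_rollback FILE [SECONDS]: save the live rules, load FILE, and
# start a timer that puts the saved rules back unless confirm_rules is run.
apply_with_rollback() {
    new="$1"; grace="${2:-60}"; backup="/tmp/iptables.rollback.$$"
    check_dump "$new" || return 1
    iptables-restore --test < "$new" || return 1   # parse only, commit nothing
    iptables-save > "$backup" || return 1
    iptables-restore < "$new" || return 1          # flushes and loads atomically
    ( sleep "$grace"; iptables-restore < "$backup" ) &
    echo $! > "$ROLLBACK_PID"
    echo "loaded $new; run confirm_rules within ${grace}s or the old rules return" >&2
}

# confirm_rules: cancel the pending rollback once the new rules are verified.
confirm_rules() {
    pid=$(cat "$ROLLBACK_PID" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null && rm -f "$ROLLBACK_PID"
}

# Constructed sample dumps (not captured from a real host). The first keeps
# tcp/22 reachable; the second has no COMMIT and no admin rule.
sample_good_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 218.29.30.31
COMMIT
EOF
}
sample_bad_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# With no argument, exercise check_dump on the samples; with a file argument,
# check and load it with a 60-second rollback window.
if [ "$#" -eq 0 ]; then
    sample_good_dump > "/tmp/good.$$"; sample_bad_dump > "/tmp/bad.$$"
    check_dump "/tmp/good.$$" && echo "good sample: accepted"
    check_dump "/tmp/bad.$$" || echo "bad sample: rejected, as intended"
    rm -f "/tmp/good.$$" "/tmp/bad.$$"
else
    apply_with_rollback "$@"
fi
```

Typical use over SSH is `sh restore.sh /opt/iprules_all.txt`, then, from a fresh second session that proves the admin port still answers, `confirm_rules`. If the new rules cut the session off, the timer restores the previous rules by itself.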
Using the iptables service
Start or stop the iptables service with the following commands:
[root@localhost /]# service iptables start    # start the iptables service
[root@localhost /]# service iptables stop     # stop the iptables service
The former starts the service and loads the rules from /etc/sysconfig/iptables. The latter stops it, which flushes all rules and resets the built-in chains to the ACCEPT policy. In other words, "stopping the firewall" does not block traffic, it lets everything through, so stop it only for troubleshooting and only while something else (a network firewall, a management ACL) still protects the host.
Writing firewall scripts
In a production environment iptables rules are rarely typed in one at a time; the usual approach is to put them in a shell script that sets everything up in one pass. A typical firewall script has sections for variable definitions, kernel module loading, /proc (sysctl) tuning and the rules themselves; a simple script may consist of the rule section alone. The script below is for a gateway ("network") firewall with an external and an internal interface, and is used here to show how such a script is put together.
[root@localhost /]# vim /opt/myipfw.sh
#!/bin/bash
# 1. Define basic variables
INET_IF="eth0"                 # external (Internet-facing) interface
INET_IP="218.29.30.31"         # address of the external interface
LAN_IF="eth1"                  # internal interface
LAN_IP="192.168.1.1"           # address of the internal interface
LAN_NET="192.168.1.0/24"       # internal network segment
LAN_WWW_IP="192.168.1.7"       # internal address of the web server
IPT="/sbin/iptables"           # path of the iptables command
MOD="/sbin/modprobe"           # path of the modprobe command
CTL="/sbin/sysctl"             # path of the sysctl command
# 2. Load kernel modules
$MOD ip_tables                 # iptables core module
$MOD ip_conntrack              # connection tracking (nf_conntrack on newer kernels)
$MOD ipt_REJECT                # REJECT target
$MOD ipt_LOG                   # LOG target
$MOD ipt_iprange               # IP range matching
$MOD xt_tcpudp                 # TCP and UDP matching
$MOD xt_state                  # connection state matching
$MOD xt_multiport              # multiport matching
$MOD xt_mac                    # MAC address matching
$MOD ip_nat_ftp                # FTP address translation helper
$MOD ip_conntrack_ftp          # FTP connection tracking helper
# 3. Adjust /proc parameters
$CTL -w net.ipv4.ip_forward=1                    # enable IP forwarding (routing)
$CTL -w net.ipv4.ip_default_ttl=128              # default TTL of outgoing packets
$CTL -w net.ipv4.icmp_echo_ignore_all=1          # do not answer ICMP echo requests
$CTL -w net.ipv4.icmp_echo_ignore_broadcasts=1   # do not answer broadcast echo requests
$CTL -w net.ipv4.tcp_syncookies=1                # enable SYN cookies
$CTL -w net.ipv4.tcp_syn_retries=3               # max SYN retransmissions
$CTL -w net.ipv4.tcp_synack_retries=3            # max SYN-ACK retransmissions
$CTL -w net.ipv4.tcp_fin_timeout=60              # FIN-WAIT-2 timeout in seconds
$CTL -w net.ipv4.tcp_max_syn_backlog=3200        # SYN backlog queue length
# 4. Set the firewall rules
# 4.1 Flush existing rules, then delete user-defined chains
#     (-X only removes empty, unreferenced chains, so -F has to come first)
$IPT -t filter -F              # flush the rules in each table
$IPT -t nat -F
$IPT -t mangle -F
$IPT -t raw -F
$IPT -t filter -X              # delete user-defined chains in each table
$IPT -t nat -X
$IPT -t mangle -X
$IPT -t raw -X
# 4.2 Default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# 4.3 nat table: hide the LAN behind the public address, publish the web server
$IPT -t nat -A POSTROUTING -s $LAN_NET -o $INET_IF -j SNAT --to-source $INET_IP
$IPT -t nat -A PREROUTING -i $INET_IF -d $INET_IP -p tcp --dport 80 -j DNAT --to-destination $LAN_WWW_IP
# 4.4 filter table
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $LAN_NET -o $INET_IF -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -s $LAN_NET -o $INET_IF -p tcp -m multiport --dports 20,21,25,80,110,143,443 -j ACCEPT
$IPT -A FORWARD -d $LAN_NET -i $INET_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -d $LAN_WWW_IP -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -s $LAN_WWW_IP -p tcp --sport 80 -j ACCEPT   # replies from the web server
The script above lists only the most basic rules; the exact rule set depends on the application, and the finer points come with experience in a production environment. One property of the script as written deserves attention: the INPUT policy is DROP and only ESTABLISHED,RELATED traffic is accepted, so the firewall host itself takes no new connections at all, not even on the loopback interface or for SSH from the LAN. Add those ACCEPT rules before the policy is switched to DROP, otherwise running the script over a remote session ends that session.
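The same gateway policy written as an iptables-restore file rather than as one iptables call per rule, as an added example that is not the article's script. Loading the whole ruleset with iptables-restore is atomic, so there is no window in which the policy is already DROP but the ACCEPT rules are not yet in place, and a syntax error rejects the entire file instead of leaving a half-applied ruleset. The interface names, addresses and web server address are the article's; the ADMIN_NET variable, the loopback and SSH ACCEPT rules on INPUT, and the single state rule on FORWARD (which makes the separate --sport 80 reply rule unnecessary) are additions of this example. Running the script only writes the file; load_ruleset applies it.

```shell
#!/bin/sh
# Added example, not the article's script: the same gateway policy as an
# iptables-restore file, loaded in one atomic step. Interface names and
# addresses are the article's; ADMIN_NET and the loopback/SSH rules on
# INPUT are assumptions of this example.
INET_IF="eth0"; INET_IP="218.29.30.31"
LAN_IF="eth1";  LAN_NET="192.168.1.0/24"; LAN_WWW_IP="192.168.1.7"
ADMIN_NET="192.168.1.0/24"   # assumed: where the firewall is managed from

# gen_ruleset FILE: write the complete ruleset in iptables-save format.
# Lines starting with "#" are ignored by iptables-restore.
gen_ruleset() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide the LAN behind the public address
-A POSTROUTING -s $LAN_NET -o $INET_IF -j SNAT --to-source $INET_IP
# publish the internal web server on the public address, port 80
-A PREROUTING -i $INET_IF -d $INET_IP -p tcp --dport 80 -j DNAT --to-destination $LAN_WWW_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management access to the firewall itself, from the LAN only
-A INPUT -i $LAN_IF -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
# one state rule covers replies in both directions, so no --sport 80 rule is needed
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $INET_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $INET_IF -p tcp -m multiport --dports 20,21,25,80,110,143,443 -j ACCEPT
-A FORWARD -i $INET_IF -d $LAN_WWW_IP -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# rule_count FILE TABLE: number of -A lines inside one table block.
rule_count() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on && /^-A/ { n++ } END { print n + 0 }' "$1"
}

# load_ruleset FILE: parse-only check first, then replace the live ruleset.
# iptables-restore flushes each table named in the file and loads the new
# rules in a single operation, unlike a script that runs iptables per rule.
load_ruleset() {
    iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Running the script only writes the file; apply it with load_ruleset.
RULES="${RULES:-/tmp/myipfw.rules}"
gen_ruleset "$RULES"
echo "wrote $RULES: $(rule_count "$RULES" nat) nat rules, $(rule_count "$RULES" filter) filter rules"
```

Because the generated file is in iptables-save format, it can also be copied to /etc/sysconfig/iptables so that "service iptables start" loads it at boot, and diffed against the output of iptables-save to confirm that what is running matches what was intended. When applying it over SSH, pair load_ruleset with a rollback timer.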