iptables firewall usage notes
I. Background
Whenever a web project goes live, the environment has to be set up and the firewall configured so that the site can be reached from outside. In the past I would search for a tutorial, copy the command that opens port 80, run it and never think about what it did. In the spirit of learning, I decided to study the iptables configuration properly and take notes for later reference. Once you understand the principle, the rest follows.
Note: the default firewall on CentOS 7 is firewalld, not iptables.
II. Quick solution
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
If you don't want to read any further, just remember this command: it opens port 80. To open another port, replace 80 with that port number (for example 3306). If the port still appears closed after running it, you need to take a careful look at how rules are defined.
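The quick command above inserts a new rule every time it is run, so running it from a deploy script stacks duplicate rules at the top of INPUT. The following is an added example (not part of the original post) that opens a port only when an identical rule is not already present, using iptables's check option (-C), which exits 0 when the rule exists and 1 when it does not. The IPTABLES variable is an assumption of this example, added so the script can be dry-run through a wrapper; it is not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original post): open a TCP port idempotently.
# `iptables -C CHAIN RULE` exits 0 if RULE is already in CHAIN, 1 otherwise,
# so repeated runs never stack duplicate rules.
set -eu

# Assumption of this example: IPTABLES lets you point at a wrapper or a stub
# (for a dry run) instead of the real binary.
IPTABLES="${IPTABLES:-iptables}"

# open_tcp_port PORT: insert an ACCEPT for new connections to PORT at the top
# of INPUT (-I), unless it is already there. Returns 0 when a rule was added
# and 1 when the rule was already present.
open_tcp_port() {
    port="$1"
    # Positional parameters are local to the function, so reuse them to hold
    # the rule specification exactly as it is passed to both -C and -I.
    set -- -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    if "$IPTABLES" -C INPUT "$@" 2>/dev/null; then
        echo "tcp/$port is already open, nothing to do" >&2
        return 1
    fi
    "$IPTABLES" -I INPUT "$@"
    echo "opened tcp/$port" >&2
}

# Usage: sh open_port.sh 80   (run as root; no argument only defines the function)
if [ -n "${1:-}" ]; then
    open_tcp_port "$1" || true
fi
```

Rules added this way live only in kernel memory and are lost on reboot; persist them with iptables-save once you are satisfied with the rule set.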
III. What is iptables?
iptables implements network access control as a list of rules. Strictly speaking, iptables and "the firewall" are two different things: iptables is the tool used to manage those rules, and calling it "the firewall" is simply the common usage online.
IV. Viewing iptables rules
iptables -L
Useful options
-n: display addresses and ports as numbers. Without -n, iptables resolves each IP address to a host name, which is slow and can hang when DNS is unavailable.
-v: display details (packet and byte counters, interfaces).
Example of a rule list
[root@sstest ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
1. iptables has three rule chains here: INPUT (packets arriving for this host), FORWARD (packets routed through this host) and OUTPUT (packets leaving this host). Every rule you define must name the chain it belongs to.
2. A chain has one of two policies. The "pass" policy is an open door: everyone gets in unless a rule says otherwise. The "block" policy is a closed door: nobody gets in unless a rule explicitly lets them. In the example above, (policy ACCEPT) means everything passes by default; the opposite is DROP.
The policy is changed with
iptables -P CHAIN ACCEPT|DROP
3. The order of rules is critical. Rules are checked from top to bottom and the first match wins, so the stricter and more specific a rule is, the earlier it should be placed. Pay attention to the order in which rules are added: when a rule seems to have no effect, wrong ordering is usually the reason.
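The most common form of the ordering problem is a rule appended (-A) below a catch-all REJECT or DROP, where it can never be reached. The following is an added example (not part of the original post) that scans a rule listing in `iptables -S` format (one rule per line, in the syntax used to add it) and reports rules shadowed by an earlier catch-all in the same chain. The sample listing is constructed for the example; on a real box the function is fed from `iptables -S`.

```shell
#!/bin/sh
# Added example (not from the original post): report rules that can never
# match because a catch-all REJECT/DROP sits above them in the same chain.
set -eu

# Constructed sample in `iptables -S` format. Rule 3 of INPUT is a catch-all,
# so rule 4 (the SSH ACCEPT appended afterwards) is dead: "I opened the port
# but it does not work".
SAMPLE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# shadowed_rules: reads `iptables -S` output on stdin and prints one line per
# unreachable rule. A catch-all is an "-A CHAIN -j DROP|REJECT ..." line with
# no match criteria between the chain name and -j; every -A line after it in
# that chain is unreachable.
shadowed_rules() {
    awk '
        $1 == "-A" {
            chain = $2
            n[chain]++
            if (dead[chain]) {
                print chain " rule " n[chain] " is unreachable: " $0
                next
            }
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
                dead[chain] = 1
        }'
}

# Stand-alone run: check the constructed sample.
# Live usage (as root):  iptables -S | sh shadowed.sh   (replace the sample with stdin)
printf '%s\n' "$SAMPLE" | shadowed_rules
```

Only rules in the filter table's INPUT/FORWARD/OUTPUT chains are considered here; rules that jump to a user-defined chain are not followed, so a catch-all inside such a chain is not detected.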
V. Adding and deleting iptables rules
First, the commands that add, delete and modify rules. Two of them take a position argument so you control where in the chain the rule lands.
-A: append. Adds the rule at the end of the chain.
-I num: insert. The new rule becomes rule number num of the chain; with no number, -I inserts at the top.
-I 3: insert as the third rule
-R num: replace. Replaces (modifies) rule number num.
Format: iptables -R CHAIN 3 ...
-D num: delete. Deletes rule number num.
Next come the match criteria.
-s: match on source address. A host name cannot be used here; give an IP address, IP/MASK, or 0.0.0.0/0.0.0.0 (any address). Prefix with "!" to negate: ! -s IP matches every source except that IP.
-d: match on destination address (same forms as -s).
-p: match on protocol (tcp, udp or icmp).
-i eth0: packets arriving on this network interface.
Inbound matching is generally used in INPUT and PREROUTING.
-o eth0: packets leaving through this network interface.
Outbound matching is generally used in OUTPUT and POSTROUTING.
The protocol match (-p) enables some implicit, protocol-specific options.
-p tcp:
--dport PORT or --dport LOW:HIGH: destination port, either a single port or a contiguous range; a list of non-contiguous ports cannot be given in one rule.
--sport: source port, same syntax.
--tcp-flags: TCP flags (SYN, ACK, FIN, PSH, RST, URG).
-p udp:
--dport
--sport
-p icmp:
--icmp-type:
echo-request (a ping request) is type 8,
so --icmp-type 8 matches ping requests;
echo-reply (the ping response) is type 0.
When all match criteria are met, the action is executed.
-j ACTION: common actions are DROP (discard silently), REJECT (discard and tell the sender) and ACCEPT (let the packet through).
With these parameters known, the port-80 command from section II reads naturally: insert (-I) at the top of INPUT a rule that matches TCP (-p tcp) with destination port 80 (--dport 80) and accepts it (-j ACCEPT).
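Putting the whole of section V together, the following is an added example (not part of the original post) that builds a complete, ordered rule set for a web server from the options explained above: chain policy (-P), append (-A), source match (-s), protocol and port matches (-p, --dport, --icmp-type) and the actions (-j ACCEPT/REJECT). The interface name lo, the management subnet 192.0.2.0/24 and the port list are assumptions of this example; the IPTABLES variable is also an assumption, added so the script can be dry-run through a wrapper.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful rule set for
# a web server, built only from the flags explained in this section.
set -eu

IPTABLES="${IPTABLES:-iptables}"          # assumption: override to dry-run through a wrapper
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # assumed management subnet (documentation range)
TCP_PORTS="${TCP_PORTS:-80 443}"          # assumed public services

# Flush the filter table so the script can be re-run from a clean state.
# Policies are set to ACCEPT first so an SSH session survives the rebuild.
reset_filter() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
}

# Order matters: the first matching rule wins, so the rules hit by most
# packets and the most specific ones go first, the catch-all REJECT last.
apply_rules() {
    reset_filter
    # 1. loopback and packets belonging to existing connections: most traffic.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. SSH, new connections only, and only from the management subnet (-s).
    "$IPTABLES" -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
    # 3. the public TCP services.
    for port in $TCP_PORTS; do
        "$IPTABLES" -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # 4. ICMP echo-request (type 8) so the host stays pingable.
    "$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    # 5. everything else is explicitly rejected, and the chain policy is then
    #    switched to the "block" policy so nothing slips through if the
    #    REJECT rule is ever removed. This host does not route, so FORWARD
    #    is blocked too; OUTPUT stays open.
    "$IPTABLES" -A INPUT -j REJECT --reject-with icmp-host-prohibited
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
}

# Usage (as root):  sh webfw.sh apply      sh webfw.sh show
case "${1:-}" in
    apply) apply_rules ;;
    show)  "$IPTABLES" -L -n -v --line-numbers ;;
    *)     : ;;   # no argument: only define the functions
esac
```

The SSH rule is deliberately placed before the public ports and before the REJECT, and the RELATED,ESTABLISHED rule before everything else: a rule appended after the catch-all REJECT would never match, which is exactly the ordering mistake described in section IV.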
VI. Summary
iptables is an important tool found on almost every server. Its capabilities go far beyond what is covered here; this article is only a starting reference.