Iptables getting started

Source: Internet
Author: User
1. Getting started with iptables

There are many ways for attackers to intrude into computers today, and port-based intrusions are among the most common. Closing the ports a server does not need is the simplest and most commonly used defence against them. This article uses Linux as the server operating system and the iptables tool provided by Linux to implement it.

1) Check the composition of the iptables policy

[root@localhost ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The iptables policy consists of three parts: INPUT, FORWARD and OUTPUT.
a. INPUT: network packets flowing into the server.
b. OUTPUT: network packets flowing out of the server.
c. FORWARD: network packets routed through the server.

2) Disable the policy: close all INPUT, FORWARD and OUTPUT traffic, then open only some ports.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

Use the command iptables -L -n to view the result:

[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

This setting is temporary: restarting the server restores the policy ACCEPT. To keep the settings across a restart you need to run service iptables save; it reports that the settings are saved to /etc/sysconfig/iptables, so we can open that file with vi /etc/sysconfig/iptables and see the DROP policies there.

This can be understood as follows: when INPUT = DROP, the firewall does not accept data sent to the server; when OUTPUT = DROP, the firewall blocks data flowing out from the server; when FORWARD = DROP, nothing is allowed to be routed through the server.

3) Enable the policy again

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

2. Opening only one port on the server

Generally only the specific ports required by the services are opened, and unnecessary ports are closed to improve server security. The following uses port 22 as an example to show how to allow access to port 22 only, with all other ports unreachable (port 22 is the port used to access Linux through SSH).

A. Check which ports are currently open on the server with netstat -tnl:

[root@localhost ~]# netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:673             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 ::1:631                 :::*                    LISTEN

Port 22 (ssh) is among the open ports.

B. Run iptables -L -n to view the firewall settings. The three parts of the firewall, INPUT, FORWARD and OUTPUT, are all ACCEPT, so there is no restriction on connecting to the server with SSH software and the connection succeeds.

C. Close all ports:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

Wait a moment and you will find that the SSH connection is disconnected, which shows that the port has been closed.

D. Open port 22 only:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Run iptables -L -n to view the added rules:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22

Now the Linux server opens only port 22, and you can test the connection with SSH. Finally run the command service iptables save.

Note on the two rules:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

-A: append a rule to the named chain (INPUT or OUTPUT here).
-p: the protocol. We commonly use tcp; udp also exists, for example port 53 for DNS.
--dport: the destination port. When data enters the server from outside, the destination port is matched.
--sport: the source port. When data leaves the server, the source port is matched.
-j: the target: ACCEPT (receive) or DROP (do not receive).
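The following is an added example and is not code from the original article. It is a POSIX shell script that writes the policy described above (default DROP on INPUT, FORWARD and OUTPUT, plus ACCEPT for TCP port 22 inbound on --dport and outbound on --sport) in iptables-restore format, which is the same format that service iptables save writes to /etc/sysconfig/iptables. It goes slightly beyond the article by taking a list of TCP ports instead of only port 22, and it checks the generated rule set for the lock-out the article describes (DROP policies with no rule for port 22 cut the SSH session) before anything is loaded. The function names are mine; loading the output with iptables-restore as root is assumed to be done separately.

```shell
#!/bin/sh
# Added example, not from the original article: build and sanity-check an
# iptables-restore rule set for the "drop everything, open only some ports"
# policy. Produces text only, so it runs without root and without iptables.

# is_port NUM: exit 0 if NUM is a valid TCP port number (1-65535).
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ruleset PORT [PORT...]: print a filter-table rule set with default
# DROP policies on INPUT, FORWARD and OUTPUT, and for each port the two rules
# from the article: ACCEPT inbound by --dport and the replies by --sport.
gen_ruleset() {
    for port in "$@"; do
        is_port "$port" || { echo "gen_ruleset: bad port '$port'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p tcp --sport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# has_ssh_rule RULESET: exit 0 if the rule set still admits TCP port 22 on
# INPUT. Loading a DROP policy without this rule drops the SSH session, as the
# article shows in step C.
has_ssh_rule() {
    printf '%s\n' "$1" | grep -q -- '-A INPUT -p tcp --dport 22 -j ACCEPT'
}

# count_accept RULESET: number of ACCEPT rules (two per port).
count_accept() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# safe_to_load RULESET: exit 0 only if every policy is DROP and port 22 is
# still reachable; use as a gate before iptables-restore.
safe_to_load() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$1" | grep -q '^:OUTPUT DROP' || return 1
    has_ssh_rule "$1"
}

# Typical use (as root, on the server): write the file, gate it, then load it.
#   rules=$(gen_ruleset 22)
#   safe_to_load "$rules" && printf '%s\n' "$rules" | iptables-restore
```

On newer iptables the generated text can also be syntax-checked without committing it via iptables-restore --test. Keep in mind that with OUTPUT set to DROP and only --sport rules, the server itself cannot open new outbound connections (for example to a DNS resolver or a package mirror); that is exactly the strictness the article describes, and any further service the server needs has to be added the same way.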