iptables command options

| Option | Meaning |
|---|---|
| -t | Specify the table name (filter is the default) |
| -n | Numeric output, do not resolve names |
| -L | List the policies of the specified table |
| -A | Append a policy |
| -I | Insert a policy |
| -D | Delete the specified policy |
| -R | Modify (replace) a policy |
| -P (uppercase) | Modify the default policy of a chain |
| -N | Add a chain |
| -E | Rename a chain |
| -X | Delete a chain |
| -s | Source address |
| -p (lowercase) | Protocol |
| --dport | Destination port |
| -j | Action (target) |
| ACCEPT | Allow |
| REJECT | Refuse (the sender gets a reply) |
| DROP | Discard silently |
For example, the following basic operation commands:
```bash
iptables -t filter -nL                           # view the policies in the filter table
iptables -F                                      # flush all policies in the filter table; when no table is given with -t, filter is the default
service iptables save                            # save the current policy
iptables -A INPUT -i lo -j ACCEPT                # allow lo
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # allow access to port 22
iptables -A INPUT -s 172.25.254.231 -j ACCEPT    # allow host 172.25.254.231 to reach all ports on this machine
iptables -A INPUT -j REJECT                      # reject data from all other hosts
iptables -N redhat                               # add chain redhat
iptables -E redhat westos                        # rename the chain
iptables -X westos                               # delete chain westos
iptables -D INPUT 2                              # delete the second policy in the INPUT chain
iptables -I INPUT -p tcp --dport 80 -j REJECT    # insert a policy as the first entry of INPUT
iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT  # modify the first policy
iptables -P INPUT DROP                           # change the default policy of the INPUT chain to DROP
```
2. iptables Firewall Strategy
2.1 Speed up data transfer (connection-state matching)
That is, once the server has accepted the first packet of a connection, the later packets of that connection are matched by the RELATED and ESTABLISHED states instead of being checked against every rule again. Below is a simple example of this firewall strategy.
RELATED: a follow-up connection related to an existing one
ESTABLISHED: a connection that has already been established
```bash
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j REJECT
```
2.2 SNAT Firewall strategy
SNAT works like a forwarding (leak) function, with the server acting as a bridge: the intranet (the clients) and the external network are separate, and only the server can reach the external network (the 172.25.254 segment below), so the clients reach it through the server.
Make the following configuration on the server:
```bash
# The server has two NICs, one on each segment:
#   eth0: 172.25.254.231   (external segment)
#   eth1: 172.25.31.231    (private segment)
[root@host ~]# sysctl -a | grep forward
net.ipv4.ip_forward = 0
# ip_forward is the host's forwarding (leak) function; write the line below to /etc/sysctl.conf to enable it
[root@host ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@host ~]# sysctl -p
# Rewrite the source address of packets leaving through the external NIC (eth0) to the server's external IP
[root@host ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.231
```
Make the following configuration on the client:
Give the client's NIC an address on the private segment and use the server's private address as its gateway: IP 172.25.31.131, gateway 172.25.31.231.
Test: before this firewall strategy is in place, the client cannot ping the 172.25.254 segment, apart from the server's own IP.
After the SNAT strategy is applied, the client can ping addresses on the 172.25.254 segment, and the traffic can be seen leaving with the source address 172.25.254.231.
When you connect to 172.25.254.31 from the client, the remote side shows the connection coming from 172.25.254.231, not from the client.
2.3 DNAT Firewall Strategy
DNAT is used when someone connects to your host and you want the connection to go to another host instead: the destination address of the request is rewritten to the other destination address.
```bash
# When someone connects to the server on eth0, send them to my client instead
[root@host ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 172.25.31.131
```
Connect to your server from 172.25.254.31, and the connection ends up at 172.25.31.131, which is your client.
2. firewalld Firewall Strategy
2.1 Classification of firewalld zones

| Zone | Behaviour |
|---|---|
| drop | Discard all incoming packets without giving any response |
| block | Deny all externally initiated connections; allow internally initiated connections |
| public | Allow only the specified incoming connections |
| external | Outgoing IPv4 connections are masqueraded (NAT) through this zone; only SSH connections are accepted |
| dmz | Accept SSH connections only |
| work | For work areas; only ssh, ipp-client, samba-client and dhcpv6-client are accepted |
| home | Same as above, for home networks |
| internal | Same as above, for internal networks |
| trusted | Trust all connections |
2.2 Adding a basic firewall strategy through files
The file /etc/firewalld/zones/public.xml lists the services you have opened in the firewall, as in the following example:
```bash
[root@host ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# Now look at the contents of /etc/firewalld/zones/public.xml
[root@host ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
```
Here only the ssh service is allowed (besides dhcpv6-client). To add a service such as http, write `<service name="http"/>` directly into this file.
When the http service is enabled this way, firewalld loads that service's definition file from the directory below.
The directory /usr/lib/firewalld/services/ holds many service configuration files; they are not all listed here, and http serves as the example:
```bash
[root@host ~]# ll /usr/lib/firewalld/services/ | grep http
-rw-r-----. 1 root root 448 Feb 28 2014 https.xml
-rw-r-----. 1 root root 353 Feb 28 2014 http.xml
-rw-r-----. 1 root root 310 Feb 28 2014 wbem-https.xml
[root@host ~]# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
```
This file specifies the port used by http and the transport protocol it uses.
The zones and the policy can also be managed with firewall-cmd:
```bash
[root@host ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# View firewalld's zones
[root@host ~]# firewall-cmd --set-default-zone=trusted
success
# Modify the default zone
[root@host ~]# firewall-cmd --list-all
trusted (default, active)
  interfaces: eth0
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# View the firewall policy of the default zone
[root@host ~]# firewall-cmd --reload
success
# Reload the firewall policy
[root@host ~]# firewall-cmd --complete-reload
success
# Also reloads the firewall policy; a complete reload, in effect immediately
[root@host ~]# firewall-cmd --permanent --add-port=8080/tcp
success
# Permanently add TCP port 8080 to the firewall policy; --permanent means the change is written
# to the configuration and survives reloads, and it takes effect after the next firewall-cmd --reload
[root@host ~]# firewall-cmd --permanent --add-source=172.25.254.231 --zone=trusted
success
# Accept all requests from 172.25.254.231
[root@host ~]# firewall-cmd --permanent --add-interface=eth0 --zone=public
success
# Permanently put the eth0 NIC in the public zone
[root@host ~]# firewall-cmd --permanent --remove-rich-rule="rule family=ipv4 source address=172.25.254.31 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.254.131"
# Permanently delete a rich rule
```
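To see how the zone file and the service files combine into the ports that are actually open, here is an added Python example (not part of the original post or of firewalld itself). It resolves a constructed public.xml, with http added by hand as described above and tcp/8080 added the way `--add-port=8080/tcp` records it, against constructed stand-ins for the files under /usr/lib/firewalld/services/; `resolve_zone`, `service_ports` and the inline XML are the example's own.

```python
"""Resolve a firewalld zone file into the ports it opens, the way section 2.2 describes it:
the zone names services, and each service file supplies the protocol and port.
The XML below is constructed after the files shown on the page, not read from a live system."""
import xml.etree.ElementTree as ET

# Constructed zone: the page's public.xml plus http (written in by hand)
# and tcp/8080 (as `firewall-cmd --permanent --add-port=8080/tcp` would store it).
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
  <port protocol="tcp" port="8080"/>
</zone>"""

# Constructed stand-ins for /usr/lib/firewalld/services/<name>.xml, same layout as http.xml above.
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "dhcpv6-client": '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>',
}

def service_ports(service_xml):
    """(protocol, port) pairs declared by one service definition."""
    root = ET.fromstring(service_xml)
    return [(p.get("protocol"), int(p.get("port"))) for p in root.findall("port")]

def resolve_zone(zone_xml, services):
    """Map every open (protocol, port) of the zone to what opened it.
    A service name with no definition file is a configuration error in firewalld,
    so it is reported under "missing_services" instead of being skipped silently."""
    root = ET.fromstring(zone_xml)
    opened, missing = {}, []
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in services:
            missing.append(name)
            continue
        for proto_port in service_ports(services[name]):
            opened.setdefault(proto_port, []).append("service:" + name)
    for p in root.findall("port"):  # ports opened directly on the zone
        opened.setdefault((p.get("protocol"), int(p.get("port"))), []).append("port")
    return {"open": dict(sorted(opened.items())), "missing_services": missing}
```

Point it at the real /etc/firewalld/zones/public.xml and the real service files to get the effective exposure of a host after `--reload`.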
2.3 Adding a firewall policy with direct rules
```bash
[root@host ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.231 -p tcp --dport 22 -j ACCEPT
success
# Accepts TCP requests to port 22 from every host except 172.25.254.231. That host is not rejected;
# this rule simply does not apply to it, so the other rules decide.
```
2.4 firewalld rich rules (these cover the SNAT and DNAT of iptables, which are therefore not discussed again here)
```bash
# Masquerade (SNAT) traffic from 172.25.254.231 so that it leaves with this host's outgoing address
[root@host ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.231 masquerade'
success
# Forward TCP requests to port 22 coming from 172.25.254.31 to port 22 of 172.25.254.131 (DNAT)
[root@host ~]# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=172.25.254.31 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.254.131"
success
```
This article is from the "13122323" blog, please be sure to keep this source http://13132323.blog.51cto.com/13122323/1957669
Linux firewall strategy