Linux Firewall iptables and linuxiptables

Source: Internet
Author: User
Tags: inif, network, function, wrappers

Introduction to Linux firewalls: a network packet reaching your host passes, in order, through the firewall, the server program (which verifies the account), SELinux, and finally the file system (rwx permissions and so on). The main firewall categories are: 1. Netfilter (packet filtering mechanism); 2. TCP Wrappers (program-level control); 3. Proxy (proxy server). What Netfilter can do: 1. refuse packets from the Internet to certain ports on the host; 2. reject packets from certain source IP addresses; 3. reject packets carrying certain special flags; 4. inspect the hardware (MAC) address to decide whether a packet may connect.
TCP Wrappers: /etc/hosts.allow and /etc/hosts.deny form a firewall-like mechanism managed through those two files, but not every piece of software can be controlled by them; only the following can have their access rules managed through these two files: 1. services managed by the super daemon (xinetd); 2. services that support the libwrap.so module.

Netfilter: iptables Mechanism
Because iptables is the most widely used, only the Netfilter/iptables firewall is covered in detail here. For the other two, please refer to Baidu for more information.
Introduction to iptables: before a network packet enters the host, it is first checked by Netfilter, that is, against the iptables rules. If the check passes, the packet is accepted (ACCEPT) and enters the local machine to obtain the resource; if it fails, it may be dropped (DROP). The key point is that the rules are ordered: when a packet is compared against rule 1 and matches, action 1 is applied and the packet is never compared against rule 2, rule 3, and the rules after them.

Linux iptables has at least three tables: filter, for traffic to and from the local host; nat, for managing back-end hosts (the other computers behind the firewall); and mangle, for special packet marking (rarely used). Only filter is introduced here. It has three chains: 1. INPUT: packets that want to enter our Linux host; 2. OUTPUT: packets sent out from our Linux host; 3. FORWARD: packets that are not for the Linux host itself but are relayed to the back-end computers; this chain is closely related to the nat table.
Iptables syntax. Viewing and clearing rules:

[root@www ~]# iptables [-t tables] [-L] [-nv]
Options and parameters:
-t: followed by a table name, such as nat or filter; if omitted, the default filter table is used
-L: list the rules of the current table
-n: do not resolve IP addresses to hostnames, which makes the listing much faster
-v: list more information, including packet counts and the network interfaces involved

Example: iptables -L -n. The iptables-save command can also be used to view the firewall rules.

[root@www ~]# iptables [-t tables] [-FXZ]
Options and parameters:
-F: flush all rules
-X: delete all user-defined chains
-Z: reset the packet and byte counters of all chains to zero

Define the default policy:
[root@www ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
Options and parameters:
-P: define the policy; note that P is uppercase
ACCEPT: the packet is accepted
DROP: the packet is silently discarded, so the client does not know why it was dropped
For the local default policy, if you trust internal users, the INPUT chain of the filter table can be defined strictly while FORWARD and OUTPUT can be set loosely.
Example: set the local INPUT policy to DROP and the others to ACCEPT:
[root@www ~]# iptables -P INPUT DROP
[root@www ~]# iptables -P OUTPUT ACCEPT
[root@www ~]# iptables -P FORWARD ACCEPT

Basic packet matching: IP address, network, and interface:
[root@www ~]# iptables [-AI chain] [-io interface] [-p protocol] [-s source IP/network] [-d destination IP/network] -j [ACCEPT|DROP|REJECT|LOG]
Options and parameters:
-AI chain: "append" or "insert" a rule
-A: append a rule after the existing rules. For example, if there are already four rules, -A adds a fifth.
-I: insert a rule; if no position is given, it becomes the first rule. For example, with four rules, -I makes the new rule number one and the original four become numbers two through five.
chain: INPUT, OUTPUT, FORWARD, etc. The chain is related to -i/-o, see below.
-io interface: the interface the packet enters or leaves by
-i: the interface the packet enters, such as eth0 or lo
-o: the interface the packet leaves by; must be used with the OUTPUT chain
-p protocol: the packet type this rule applies to: tcp, udp, icmp, or all
-s source IP/network: the source of the packet for this rule, either a single IP address or a network in CIDR notation. To express "not from", add ! before the address: -s ! <address> means packets from that source do not match.
-d destination IP/network: the same as -s, but for the destination IP address or network
-j: the action to take: ACCEPT, DROP, REJECT, or LOG

TCP and UDP rule matching: port settings:
[root@www ~]# iptables [-AI chain] [-io interface] [-p tcp,udp] [-s source IP/network] [--sport port range] [-d destination IP/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
Options and parameters:
--sport port range: the source port. A continuous range can be given, for example 1024:65535
--dport port range: the destination port, in the same form
Note: only tcp and udp packets have ports, so -p tcp or -p udp must be given whenever --dport or --sport is used.

Iptables plug-in modules: mac and state:
[root@www ~]# iptables -A INPUT [-m state] [--state ...]
Options and parameters:
-m: loads an iptables plug-in module, for example:
state: the connection state module
mac: the hardware (MAC) address of the network card
--state: the connection state of the packet, mainly:
INVALID: an invalid packet, for example a damaged one
ESTABLISHED: a connection that has already been established successfully
NEW: a packet that wants to establish a new connection
RELATED: the most commonly used; the packet is related to a connection our host sent out
--mac-source: the MAC address of the source host
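The ordering rule above ("the first matching rule decides"), the -i/-p/-s/--dport matching options, and the state module are easier to reason about with a small evaluator. The script below is an added example written for this page, not code from the tutorial or from iptables itself. It parses a constructed rule listing in iptables-save format (the same format /etc/sysconfig/iptables uses), then walks the INPUT chain top to bottom the way Netfilter does, so the effect of swapping two rules can be observed on sample packets. Only the options introduced in the text are understood; negation with ! and other modules are not, and the sample addresses, interface names and chain contents are all made up.

```python
"""First-match evaluation of filter-table rules (added example, not from the tutorial)."""
import ipaddress
import shlex

# Constructed rule set in iptables-save format (not any real host's configuration).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

# Rule option -> packet field name used by the evaluator.
FIELD = {"-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
         "--sport": "sport", "--dport": "dport", "--icmp-type": "icmp_type",
         "--state": "state"}


def parse_save_format(text):
    """Return ({chain: policy}, {chain: [rule, ...]}); each rule is option -> value plus "target".
    A table not closed by COMMIT raises ValueError (iptables-restore rejects such files too)."""
    policies, chains, open_table = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # "*filter" opens a table
            open_table = line[1:]
        elif line == "COMMIT":
            open_table = None
        elif line.startswith(":"):                # ":INPUT DROP [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {}, 2
            while i < len(toks):
                if toks[i] == "-m":               # module name; its own options follow
                    i += 2
                    continue
                rule[toks[i]] = toks[i + 1]
                i += 2
            rule["target"] = rule.pop("-j")
            chains.setdefault(toks[1], []).append(rule)
    if open_table is not None:
        raise ValueError(f"table {open_table} is not terminated by COMMIT")
    return policies, chains


def matches(rule, pkt):
    """True when every option on the rule agrees with the packet fields."""
    for opt, want in rule.items():
        if opt == "target":
            continue
        have = pkt.get(FIELD[opt])
        if opt in ("-s", "-d"):                   # address or CIDR network
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif opt in ("--sport", "--dport"):       # single port or low:high range
            lo, _, hi = want.partition(":")
            if have is None or not int(lo) <= have <= int(hi or lo):
                return False
        elif opt == "--state":                    # comma-separated list of states
            if have not in want.split(","):
                return False
        elif have != want:
            return False
    return True


def verdict(chain, pkt, policies, chains):
    """The first matching rule decides; with no match the chain policy applies."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def demo():
    """Evaluate constructed packets against SAMPLE_RULES; returns {label: verdict}."""
    policies, chains = parse_save_format(SAMPLE_RULES)
    base = {"in": "eth0", "dst": "203.0.113.1", "state": "NEW"}
    packets = {
        "ssh from admin net": {**base, "proto": "tcp", "src": "192.0.2.10", "dport": 22},
        "ssh from elsewhere": {**base, "proto": "tcp", "src": "198.51.100.5", "dport": 22},
        "http from elsewhere": {**base, "proto": "tcp", "src": "198.51.100.5", "dport": 80},
        "ping from outside": {**base, "proto": "icmp", "src": "198.51.100.5", "icmp_type": "8"},
        "reply on our own connection": {**base, "proto": "tcp", "src": "198.51.100.5",
                                        "sport": 443, "state": "ESTABLISHED"},
    }
    out = {k: verdict("INPUT", p, policies, chains) for k, p in packets.items()}
    # Order matters: swap the two ICMP rules and the broad ACCEPT is reached first.
    chains["INPUT"][4], chains["INPUT"][5] = chains["INPUT"][5], chains["INPUT"][4]
    out["ping after swapping the icmp rules"] = verdict("INPUT", packets["ping from outside"], policies, chains)
    return out


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:38} -> {action}")
```

Run it directly to see one verdict per sample packet. The last entry shows why the tutorial stresses ordering: with the specific "drop echo request" rule placed after the general "accept icmp" rule, the drop is never reached.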

ICMP packet matching: designed for ping responses:
TIPS: there are many ICMP types, and many ICMP packets are used for network diagnostics, so it is best not to discard all ICMP packets. If the host is not acting as a router, ICMP type 8 (echo request) is usually dropped, so that remote hosts cannot tell whether we exist and receive no ping response.
[root@www ~]# iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT
Options and parameters:
--icmp-type: must follow -p icmp; the ICMP type, which may also be given as a number. For example, 8 means echo request.

Core IPv4 management functions: /proc/sys/net/ipv4/*
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
One method of denial of service (DoS) attack exploits the TCP three-way handshake with SYN packets; it is called SYN flooding. The command above enables the kernel's SYN cookie module to guard against it.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
This makes the kernel stop answering certain pings automatically. In /proc/sys/net/ipv4 there are icmp_echo_ignore_broadcasts (only pings to the broadcast address are ignored) and icmp_echo_ignore_all (all ping requests are ignored).

/proc/sys/net/ipv4/conf/<network interface>/*
rp_filter: reverse path filtering. By comparing the routing information of the network interface with the source address of the packet, the kernel can judge whether the packet is plausible. For example, you have two NICs, eth0 on the private network and eth1 with the public IP; if a packet claims to have arrived on eth1 but its source IP belongs to the private network, the packet is not plausible and should be discarded. Enabling this setting is recommended.
log_martians: when enabled, packets with impossible source addresses are logged, for example sources such as 127.x.x.x and Class E addresses, which should never appear on the Internet. By default the records are written to the kernel's log file /var/log/messages.
accept_redirects: suppose a router sits on a single physical segment that carries two IP networks, for example 192.168.1.0/24 and a second subnet on the same wire. When a host in one network sends to a host in the other, the router may send an ICMP redirect packet telling the sender to deliver directly instead of going through the router, because the two hosts share the same physical wire (and could talk directly); the router is pointing the source to the shortest path. In reality, however, two hosts in different IP networks cannot exchange messages directly. This setting also carries some security risk, so disabling it is recommended.
send_redirects: similar to the previous one, but this value controls whether the host sends ICMP redirect packets. Disabling it is recommended.
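A practitioner usually wants to verify that these kernel settings are actually in the recommended state rather than trusting a script that was run once. The audit below is an added example written for this page, not code from the tutorial. It encodes the values recommended above (tcp_syncookies and icmp_echo_ignore_broadcasts on; per interface rp_filter and log_martians on, accept_source_route, accept_redirects and send_redirects off), compares a mapping of setting path to current value against them, and renders the echo commands that would correct each deviation. The read_live() helper, which gathers that mapping from /proc on a Linux host, and the SAMPLE_SNAPSHOT it falls back to are both assumptions made for the example; the snapshot is constructed, not real data. One generalisation beyond the text: rp_filter value 2 (loose mode) is accepted as well as 1.

```python
"""Audit of the /proc/sys/net/ipv4 hardening settings (added example, not from the tutorial)."""
import glob
import os

PROC_ROOT = "/proc/sys/net/ipv4"

# Global settings: "1" = on, "0" = off.
RECOMMENDED_GLOBAL = {
    "tcp_syncookies": {"1"},                # SYN cookies against SYN flooding
    "icmp_echo_ignore_broadcasts": {"1"},   # ignore pings to the broadcast address
}
# Per-interface settings under conf/<iface>/ (conf/all and conf/default included).
RECOMMENDED_PER_IFACE = {
    "rp_filter": {"1", "2"},        # reverse-path filtering (1 = strict, 2 = loose)
    "log_martians": {"1"},          # log packets with impossible source addresses
    "accept_source_route": {"0"},   # refuse source-routed packets
    "accept_redirects": {"0"},      # ignore ICMP redirects
    "send_redirects": {"0"},        # never emit ICMP redirects
}


def accepted_values(path):
    """Accepted values for a path relative to PROC_ROOT, or None if it is not audited."""
    parts = path.split("/")
    if len(parts) == 1:
        return RECOMMENDED_GLOBAL.get(parts[0])
    if len(parts) == 3 and parts[0] == "conf":
        return RECOMMENDED_PER_IFACE.get(parts[2])
    return None


def audit(current):
    """Return a sorted list of (path, current_value, preferred_value) deviations.
    `current` maps relative paths such as "conf/eth0/rp_filter" to their string values."""
    findings = []
    for path, raw in current.items():
        ok = accepted_values(path)
        value = raw.strip()
        if ok is not None and value not in ok:
            findings.append((path, value, min(ok)))   # min() prefers the strict value
    return sorted(findings)


def fix_commands(findings, root=PROC_ROOT):
    """The echo commands, in the form the text uses, that would correct each finding."""
    return [f'echo "{want}" > {root}/{path}' for path, _, want in findings]


def read_live(root=PROC_ROOT):
    """Collect the audited settings from a live Linux host (assumed helper; needs /proc)."""
    paths = list(RECOMMENDED_GLOBAL)
    for iface_dir in glob.glob(f"{root}/conf/*"):
        iface = os.path.basename(iface_dir)
        paths += [f"conf/{iface}/{name}" for name in RECOMMENDED_PER_IFACE]
    current = {}
    for path in paths:
        try:
            with open(f"{root}/{path}") as fh:
                current[path] = fh.read()
        except OSError:
            pass   # setting not present on this kernel
    return current


# Constructed snapshot of a partially hardened host (not real data).
SAMPLE_SNAPSHOT = {
    "tcp_syncookies": "1\n",
    "icmp_echo_ignore_broadcasts": "0\n",
    "conf/all/rp_filter": "2\n",
    "conf/all/accept_redirects": "1\n",
    "conf/eth0/rp_filter": "0\n",
    "conf/eth0/log_martians": "1\n",
    "conf/eth0/send_redirects": "0\n",
    "conf/eth0/accept_source_route": "0\n",
    "ip_forward": "1\n",          # not on the checklist, so ignored
}

if __name__ == "__main__":
    snapshot = read_live() if os.path.isdir(PROC_ROOT) else SAMPLE_SNAPSHOT
    for cmd in fix_commands(audit(snapshot)):
        print(cmd)
```

Run as root on the host after the firewall script to confirm nothing was silently skipped (for example an interface that appeared after the script ran and so never received the per-interface settings); an empty output means every audited setting is in the recommended state.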

The following example is for a server running CentOS 7:
#!/bin/bash
# NIC information, environment variables
EXTIF="eno1"                  # public network interface
INIF="eno16777736"            # internal LAN interface
INNET=""                      # intranet network range (fill in)
FILEDIR="/usr/local/erdangjiade/iptables/"   # storage path of the allow and deny files
export EXTIF INIF INNET FILEDIR

# Set the core network functions
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
    echo "0" > $i
done

# Set the rules
PATH=/sbin:/usr/sbin:/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -i $INIF -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow intranet ping
iptables -A INPUT -i $INIF -p icmp -j ACCEPT

# Individually set deny and allow rules
if [ -f ${FILEDIR}iptables.deny ]; then
    sh ${FILEDIR}iptables.deny
fi
if [ -f ${FILEDIR}iptables.allow ]; then
    sh ${FILEDIR}iptables.allow
fi

# Prevent large volumes of ping (left disabled)
# AICMP="0 3 3/4 4 11 12 14 16 18"
# for tyicmp in $AICMP
# do
#     iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
# done

# Open ports for certain services
# SSH
iptables -A INPUT -p tcp -i $EXTIF --dport 22 --sport 1024:65534 -j ACCEPT
# WWW
iptables -A INPUT -p tcp -i $EXTIF --dport 80 --sport 1024:65534 -j ACCEPT

# Save the preceding modifications
service iptables save
To have the firewall script above run at boot, write its path into /etc/rc.d/rc.local (only the path is needed; do not prefix it with bash). Note that rc.local is not executable by default and must be enabled first: chmod +x /etc/rc.d/rc.local

Reference: laruence's private kitchen, Server
When reprinting, please indicate the original source:

How to Set iptables firewall in linux

iptables -A INPUT -p tcp -d <IP address B> --dport <port> -j REJECT

RedHat machine (/etc/sysconfig/iptables):
*filter
:INPUT ACCEPT [10276:1578052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13784:16761487]
# eth1 is the interface to the Internet
-A INPUT -s <blocked source 1> -i eth1 -j DROP
-A INPUT -s <blocked source 2> -j DROP
-A INPUT -s <blocked source 3> -i eth1 -j DROP
# Anti SYN flood
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
# Anti some port scans
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
# Anti ping of death
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
COMMIT

Auto start: chkconfig iptables on
After iptables is started, the configuration file /etc/sysconfig/iptables is read automatically.
Or start manually: /etc/rc.d/init.d/iptables start
Manual stop: /etc/rc.d/init.d/iptables stop

Set up a firewall in LINUX

With the popularity of the Internet, people's daily work has become closely tied to it, so more and more organizations provide Internet proxy services for their employees. However, once an enterprise's internal network is connected to the Internet, its internal resources are like lambs to the slaughter. Apart from internal causes such as computer viruses and system robustness, system security therefore mainly means preventing intrusion by illegitimate users through the Internet, and at present the main prevention measure is firewall technology.

1. What is a firewall?
A firewall is a combination of software or hardware devices located between an enterprise's or network group's computers and the external channel (the Internet). It restricts external users from accessing the internal network and manages the permissions of internal users accessing the external network. Mainly it controls the traffic passing the boundary of the protected network (its entry and exit points), so that connections can be checked and evaluated there.

From its birth to the present, the firewall has gone through four stages of development: router-based firewalls, user-space firewall tool sets, firewalls built on a general-purpose operating system, and firewalls with a secure operating system. At present most firewall vendors provide a combination of hardware and a secure operating system, such as NETEYE, NETSCREEN, and TALENTIT. There is also a lot of firewall software for the LINUX operating system; apart from the IPCHAINS introduced below there are many others, such as Sinus Firewall, Jfwadm...

For LINUX Firewall iptables Problems

Using the setup tool affects this. If the firewall was disabled in your previous setup run, and you have since created many policies and saved them to /etc/sysconfig/iptables, then enabling the firewall through setup makes all your defined policies disappear and the firewall generates some default policies during initialization. It is therefore recommended not to change the firewall status through setup after the policies have been configured.
Other operations basically do not affect the policy configuration you saved.

An overview of how iptables stores policies:
The rules created by the iptables command are kept only in memory. If the system restarts before they are saved permanently, all the rules are lost. For the rules set with iptables to take effect after the next restart, they must be saved permanently by running, as root:
/sbin/service iptables save
This runs the iptables initialization script, which calls the /sbin/iptables-save program and updates the current iptables configuration file /etc/sysconfig/iptables.
The previous configuration file is kept as iptables.save. The next time the system starts, the iptables initialization script uses the /sbin/iptables-restore command to reload the contents of /etc/sysconfig/iptables.
