Linux firewall iptables establish rules and chains

Install the boot iptables in Rhel 7.0:

yum install iptables-services                      #安装iptablessystemctl  mask firewalld.service                #屏蔽firewalld服务systemctl  enable iptables.service            # Set Boot systemctl enable ip6tables.service           #设置开机启动systemctl  stop firewalld.service                 #停止firewalld服务systemctl  start iptables.service                  #开启iptables服务systemctl  start  ip6tables.service              # Open Ip6tables Service

In general, Iptables is already included in the Linux distribution, and you can run the iptables--version command to see if the system has iptables installed. In Rhel 7.0, the iptables version is iptables-1.4.21-13. If the system does not have Iptables installed, you can download it from address: http://www.netfilter.org/.

1. View the rule set

Although the use of iptables is briefly described, it may be necessary to know more complete information in the real world. Can run:

Iptables--help

To see quick help. To view the existing iptables planning set in the system, you can execute the following command:

sudo iptables--list

2. Add rules

As an example, the rules in the example will block packets from a specific IP address range because the IP address range is suspected by the administrator to have a large number of malicious attackers active.

Iptables-t filter-a input-s xxx.xxx.xxx.0/24-j DROP

It is also easy to block all packets that flow to an attacker's IP address, and the command is only slightly different:

Iptables-t filter-a output-d xxx.xxx.xxx.0/24-j DROP

3. Delete a rule

Malicious attackers on the network are constantly changing, so they also have to continually change the IP address. If a network attacker moves to a new IP address, and its old IP address is assigned to a few innocent users, then these users ' packets will not pass through the network. In this case, you can use the command with the-d option to delete the existing rule:

Iptables-t filter-d output-d xxx.xxx.xxx.0/24-j DROP

4. Default Policy

It takes a lot of time to create a rule that is flexible and can withstand a variety of unexpected events. The following sets the default rules for each chain. Example:

Iptables-p INPUT dropiptables-p FORWARD dropiptables-p OUTPUT ACCEPT

Option-P is used to set the policy for the chain, only 3 built-in chains have policy. example, these policies can cause information to flow without restriction, but not allow information to flow in. If you need to receive external information, you can use the following command, example:

Iptables-t filter-a input-s 123.456.789.0/24-j ACCEPT

Here is just a simple to say, difficult I have not done, as a developer, to understand a bit better!

Linux firewall iptables establish rules and chains