Linux iptables firewall: blocking and opening ports

Source: http://hi.baidu.com/zplllm/item/f910cb26b621db57c38d5983


1. Set the default policy of INPUT, FORWARD and OUTPUT to DROP, then open only the ports you need.
Here are the commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Then run iptables -L -n to check that the policies took effect: every chain should show policy DROP.
Rules set this way live only in memory; after a reboot the firewall is back in its previous state,
so save them with: service iptables save
The saved rules are kept in /etc/sysconfig/iptables; you can inspect that file with: vi /etc/sysconfig/iptables
On a remote server, add the rule that accepts your SSH port (section 2) before setting the INPUT and OUTPUT policies to DROP, otherwise the session you are working in is cut off.
2. Open a single port
Below I open only port 22 (SSH). It takes the following two commands:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Run iptables -L -n again to check that the rules were added:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22

The Linux server now has only port 22 open; test with putty.exe whether you can still connect.
If the connection succeeds, the rules are working.

Finally, don't forget to save the firewall settings.
Save: service iptables save
Save and restart iptables: service iptables save && service iptables restart
Disable the firewall (stop it now and at boot): chkconfig iptables off && service iptables stop


iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
A little explanation of these two commands.
-A appends a rule to the named chain (here INPUT or OUTPUT).
-p selects the protocol. We most often use tcp, but there is also udp, which for example DNS on port 53 uses;
when we configure DNS on port 53 later, you will see that it is udp.

--dport is the destination port: it matches traffic coming from outside to the server, where the server's port is the destination.
Conversely, for traffic leaving the server we match the server's port as the source port with --sport.

-j sets the target: ACCEPT to allow the packet, DROP to discard it.
3. Block a single IP address
One Linux server and two Windows XP clients:
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8

First, confirm that both XP machines can reach the server.

192.168.1.2 (XP1) can access it,
and 192.168.1.8 (XP2) can access it normally as well.

Now I block XP1 (192.168.1.2) while XP2 keeps normal access.
Here is the demonstration:

iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
Meaning: -A appends a new rule. Which rule? Since we visit the website over TCP,
we use -p tcp (for UDP write udp); -s gives the source address, so traffic from 192.168.1.2 is matched;
-j is how we reject it, which here should be DROP.
Keep rule order in mind: iptables evaluates a chain from the top and stops at the first match, so if an ACCEPT rule for that port already sits above this DROP, use iptables -I INPUT ... to insert the block at the top of the chain instead of appending it with -A.

Now look at the effect. The rule was added; verify that it is in effect.

The browser on XP1 (192.168.1.2) keeps waiting and finally shows "the page cannot be displayed": its access has been denied.

Then check the other XP: 192.168.1.8 still has normal access.
4. How to delete a rule
First we need the number of the rule; every rule in a chain has one.

Rules with their numbers are shown by: iptables -L -n --line-numbers
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
The extra num column shows that the rule we want corresponds to number 2.

Then we can delete it:
iptables -D INPUT 2
This deletes rule number 2 of the INPUT chain.

Run iptables -L -n again and the rule is gone.
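The two points above, a DROP-by-source rule that only works if nothing above it accepts the traffic (section 3) and rule numbers that shift after a delete (section 4), can both be checked from the output of iptables -L INPUT -n --line-numbers. The following shell script is an added example and not part of the original post: it runs on a constructed listing (SAMPLE_LISTING, whose rules are made up apart from the post's 192.168.1.2), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output of
#   iptables -L INPUT -n --line-numbers
# to (a) warn about a DROP rule for a specific source that sits below a
# catch-all ACCEPT for the same protocol, and (b) emit delete commands in
# descending rule-number order so earlier deletes do not renumber later ones.

# Constructed sample listing; only the 192.168.1.2 address comes from the post.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5    DROP       tcp  --  192.168.1.2          0.0.0.0/0
6    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Print the numbers of all rules whose last match is "dpt:<port>" (listing on stdin).
rules_for_dport() {
    awk -v want="dpt:$1" '$1 ~ /^[0-9]+$/ && $NF == want { print $1 }'
}

# Emit "iptables -D <chain> <num>" lines, highest number first (listing on stdin).
# Deleting rule 4 first would turn rule 6 into rule 5 and the second delete
# would hit the wrong rule; descending order avoids that.
delete_cmds() {
    chain=$1
    port=$2
    rules_for_dport "$port" | sort -rn | while read -r num; do
        printf 'iptables -D %s %s\n' "$chain" "$num"
    done
}

# Report DROP rules with a specific source that come after an ACCEPT rule
# with source 0.0.0.0/0 for the same protocol (listing on stdin). Packets from
# that source which match the earlier ACCEPT are let through before the DROP
# is ever consulted; "iptables -I INPUT ..." would place the DROP first.
shadowed_drops() {
    awk '
        $1 !~ /^[0-9]+$/ { next }
        $2 == "ACCEPT" && $5 == "0.0.0.0/0" && !($3 in first) { first[$3] = $1 + 0 }
        $2 == "DROP" && $5 != "0.0.0.0/0" && ($3 in first) && first[$3] < $1 + 0 {
            printf "rule %s (DROP from %s) sits below ACCEPT rule %s: %s packets from %s matching that ACCEPT are still accepted\n",
                   $1, $5, first[$3], $3, $5
        }'
}

# Usage on the sample. On a real host (as root):
#   iptables -L INPUT -n --line-numbers | shadowed_drops
#   iptables -L INPUT -n --line-numbers | delete_cmds INPUT 80 | sh
printf '%s\n' "$SAMPLE_LISTING" | shadowed_drops
printf '%s\n' "$SAMPLE_LISTING" | delete_cmds INPUT 80
```

On the sample the script reports that rule 5 is shadowed by rule 1 (SSH from 192.168.1.2 would still be accepted), and prints the deletes for port 80 as rule 6 first, then rule 4.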
5. Filter invalid packets
Suppose someone has broken into the server, or a virus or trojan is running on it, and it sends data out through port 22 or 80 just like the server's normal services do.
How is that different from our normal use of ports 22 and 80? That data is sent out on its own initiative; it is not the reply to a request we made, such as a web page we asked for.

Now we will block outgoing packets that are not replies to a request.

iptables provides a match on connection state. Let's configure ports 22 and 80 so that only packets belonging to an established connection can leave.

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Compare with what we used before:
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
The new rule adds a state check.

Do the same for port 80, then delete the original two rules.
iptables -L -n --line-numbers shows the rules with their numbers, so we can read off the number
and delete the corresponding rule:

iptables -D OUTPUT 1 (here 1 means the first rule)

When you delete a rule, the rules below it are renumbered, so list the chain again before deleting the next one.

OK, the previous two rules are removed and port 22 still works normally, so there is no problem.

Now save; don't forget, otherwise a reboot reverts to the old configuration.

service iptables save

Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
The rules you just set are in fact written to /etc/sysconfig/iptables.
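Deleting the plain --sport rules and appending stateful ones, as described above, runs into the renumbering problem twice. iptables also has -R, which replaces the rule at a given number with a new rule specification, so the rest of the chain keeps its numbers. The script below is an added example, not from the original post: it reads a constructed OUTPUT listing (SAMPLE_OUTPUT, mirroring the post's chain) and prints the -R command for every tcp ACCEPT rule that matches only a source port and carries no state match. The function name is mine.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite each plain
# "--sport N -j ACCEPT" rule in place with "iptables -R <chain> <num> <spec>"
# so the stateful version takes the same slot and nothing gets renumbered.

# Constructed listing in the format of "iptables -L OUTPUT -n --line-numbers".
SAMPLE_OUTPUT='Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21 state ESTABLISHED'

# For every tcp ACCEPT rule matched only by source port and carrying no state
# match, print the iptables -R command that adds "-m state --state ESTABLISHED".
# Listing on stdin; chain name as $1.
stateful_replacements() {
    awk -v chain="$1" '
        $1 !~ /^[0-9]+$/ { next }             # skip the two header lines
        $2 != "ACCEPT" || $3 != "tcp" { next } # only tcp ACCEPT rules
        /state/ { next }                      # already has a state match
        $NF ~ /^spt:[0-9]+$/ {
            split($NF, p, ":")
            printf "iptables -R %s %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n",
                   chain, $1, p[2]
        }'
}

# Usage on the sample. On a real host (as root):
#   iptables -L OUTPUT -n --line-numbers | stateful_replacements OUTPUT | sh
printf '%s\n' "$SAMPLE_OUTPUT" | stateful_replacements OUTPUT
```

On the sample only rules 1 and 2 are rewritten; the udp rule and the rule that already carries a state match are left alone.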
6. DNS port 53 settings
Let's look at how to set iptables to open the DNS port, which is 53.

In my current situation only ports 22 and 80 are open; let's see whether a domain name can be resolved.

host www.google.com
After entering this command it just waits, which shows that DNS traffic is not getting through.

The following message appears:
;; connection timed out; no servers could be reached

Pinging the domain does not work either:
ping www.google.com
ping: unknown host www.google.com

The reason is that iptables is blocking port 53.

Some servers, web servers in particular, become slow for exactly this reason: DNS is involved, and the server cannot send packets to the DNS server.

Below is a demonstration of how to open port 53 for DNS with iptables. If you do not know the port number of the domain name service,
you can look it up with: grep domain /etc/services

grep domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                        # domaintime
domaintime      9909/udp                        # domaintime

As you can see, DNS generally uses UDP.

OK, start setting ...

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When we ping a domain name the query leaves this machine, so we set OUTPUT first,
following the order in which ping proceeds.

Then the DNS server receives our query and sends back a reply:
iptables -A INPUT -p udp --sport 53 -j ACCEPT

Also set
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
(This second pair is only needed if this machine also answers DNS queries itself; a machine that merely resolves names needs only the first pair.)

OK, now test. First use iptables -L -n to check the settings; once they look right, run the test.

iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

Now test whether DNS gets through iptables.

host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99

The Google domain name resolves normally.

ping itself may need further rules of its own (it uses ICMP, which the port 53 rules do not cover).

Take a look at nslookup.

nslookup
> www.google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
www.l.google.com        canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104

So DNS from this machine is OK: iptables now allows port 53.
7. iptables settings for FTP
Now I set up the FTP ports. As in the earlier parts, add the ports that need to be open.
An FTP connection uses two ports, 21 and 20, so I add the corresponding rules:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

OK, that is done. Now access the FTP server from a browser: it times out.

As I said, FTP is a special case: besides the control port it also uses data-transfer ports,
for example for directory listings, uploads and downloads.

And those data ports can be any port ... this is what makes FTP special.

If no port range is specified, iptables can hardly open "any port":
allowing access on any port would be the same as having no firewall at all, which is unrealistic.

So the solution is to confine the data ports to a fixed range.

Let's modify the FTP server configuration.

I use vsftpd for this demonstration; for other FTP servers I don't know where the setting is, so look it up.

vi /etc/vsftpd.conf

At the bottom of the configuration file add:

pasv_min_port=30001
pasv_max_port=31000

Then save and exit.

These two lines tell vsftpd to use ports within the range 30001 to 31000 for passive-mode data transfers.

Now iptables has something it can work with: we open ports 30001 to 31000.

iptables -A INPUT -p tcp --dport 30001:31000 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 30001:31000 -j ACCEPT

service iptables save

After saving, access the FTP server from the browser again: it works normally.

Log in with an account, no problem; upload some files to check.

Upload and download both work. Now look at the iptables settings:

iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:30001:31000

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:30001:31000

These are my simple rules to demonstrate FTP's special ports; you can add packet validation on top,
such as -m state --state ESTABLISHED,RELATED, for stricter checking.
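Everything from sections 1 to 7 fits in one file in iptables-restore format, which is the format service iptables save writes to /etc/sysconfig/iptables; loading the file atomically with iptables-restore also avoids the lockout risk of setting the policies to DROP before the SSH rule exists. The script below is an added example, not the original post's rules: it reads pasv_min_port and pasv_max_port from a vsftpd.conf (a constructed fragment, SAMPLE_VSFTPD, is used for the dry run), refuses an invalid range, and prints the complete ruleset. The port numbers and the banned 192.168.1.2 are the post's demo values; the function names and the NEW/ESTABLISHED,RELATED layout are my choices. Unlike the post, OUTPUT gets only ESTABLISHED,RELATED and the DNS query, which is the section 5 idea applied to every port at once.

```shell
#!/bin/sh
# Added example (not from the original post): build the whole firewall as one
# file in iptables-restore format instead of adding rules one at a time.
# Assumptions: the post's demo ports and banned address; function names are mine.

SSH_PORT=22
HTTP_PORT=80
BANNED_HOST=192.168.1.2          # XP1 from section 3 of the post

# Read pasv_min_port/pasv_max_port from a vsftpd.conf given on stdin and print
# them as "min:max", the form --dport accepts. Fails if either is missing,
# non-numeric, below 1024 or reversed, so a bad config never becomes a rule.
pasv_range() {
    conf=$(cat)
    min=$(printf '%s\n' "$conf" | sed -n 's/^pasv_min_port=//p' | tail -n 1)
    max=$(printf '%s\n' "$conf" | sed -n 's/^pasv_max_port=//p' | tail -n 1)
    for v in "$min" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "pasv_range: pasv_min_port/pasv_max_port missing or not numeric" >&2; return 1 ;;
        esac
    done
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "pasv_range: invalid range $min:$max" >&2
        return 1
    fi
    printf '%s:%s\n' "$min" "$max"
}

# Print a complete ruleset. Argument: passive FTP range as "min:max".
# Lines starting with # are ignored by iptables-restore.
build_ruleset() {
    range=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and replies first: with the policies at DROP this is what keeps an
# existing SSH session alive while the file loads (section 1 lockout problem).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Banned host before any service ACCEPT, so it cannot be shadowed (section 3).
-A INPUT -s $BANNED_HOST -j DROP
# Services: only NEW connections need a rule; replies are ESTABLISHED (section 5).
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $HTTP_PORT -m state --state NEW -j ACCEPT
# DNS client (section 6): the query goes out, the reply comes back as ESTABLISHED.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# FTP (section 7): control port plus the passive data range from vsftpd.conf.
# Active-mode data from port 20 is matched as RELATED once nf_conntrack_ftp is loaded.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $range -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root, on the post's system):
#   build_ruleset "$(pasv_range < /etc/vsftpd.conf)" > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
# Constructed vsftpd.conf fragment for a dry run:
SAMPLE_VSFTPD='listen=YES
pasv_min_port=30001
pasv_max_port=31000'
build_ruleset "$(printf '%s\n' "$SAMPLE_VSFTPD" | pasv_range)"
```

Because pasv_range fails on a missing or reversed range, the command substitution in the usage line yields an empty string and the resulting --dport rule is rejected by iptables-restore rather than silently opening the wrong ports; check the exit status of pasv_range first in a real deployment script.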
