Linux iptables firewall: blocking everything and opening only the ports you need

Source: http://hi.baidu.com/zplllm/item/f910cb26b621db57c38d5983


1. Close INPUT, FORWARD and OUTPUT completely, then open only selected ports.
The commands are:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Then run iptables -L -n to check that the policy of every chain now reads DROP.
This setting is only temporary: if the server is restarted, the original state (nothing set) is restored.
To keep it, run service iptables save.
The saved firewall rules live in /etc/sysconfig/iptables; you can open the file with vi /etc/sysconfig/iptables to look at them.
2. Open only port 22. The following two rules do it:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Then run iptables -L -n again to confirm that the rules were added:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22

The Linux server now has only port 22 open. Test with PuTTY (putty.exe) to see whether it can connect.
If it connects, the rules work.

Finally, don't forget to save the firewall settings with: service iptables save
Save and restart iptables: service iptables save && service iptables restart
Shut the firewall down: chkconfig iptables off && service iptables stop


iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
An explanation of these two commands:
-A appends a rule to the named chain (here INPUT or OUTPUT).
-p specifies the protocol. TCP is the one we use most, but UDP is used as well, for example by DNS on port 53; when we configure DNS on port 53 later you will see that it uses UDP.

--dport is the destination port: for data entering the server from outside, the server's port is the destination port.
Conversely, for data leaving the server, the server's port is the source port, --sport.

-j specifies the target: ACCEPT to let the packet through or DROP to discard it.
3. Blocking one IP address
Setup: one Linux server and two Windows XP machines that access it.
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8

First confirm that both XP machines can reach the server:

192.168.1.2 (XP1) can access it,
192.168.1.8 (XP2) can also access it normally.

Now block access from 192.168.1.2 (XP1) while XP2 keeps normal access.
Here is the demo:

iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP

Here -A appends a new rule. Because the site is accessed over TCP we use -p tcp (write udp for UDP traffic).
-s means source: packets whose source IP is 192.168.1.2. -j gives the action; to reject them we use DROP.

Check the result: the rule was added successfully. Now see whether it takes effect.

XP1's browser waits and then reports that the page cannot be displayed: access from 192.168.1.2 (XP1) was denied.

Checking the other machine, 192.168.1.8 (XP2) still has normal access.
4. How to delete rules
First find the rule's number; every rule in a chain has one.

iptables -L -n --line-numbers shows the rules with their numbers:
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
The extra num column shows that the rule we want corresponds to number 2.

Now we can delete it:
iptables -D INPUT 2
This deletes rule number 2 in the INPUT chain.

Run iptables -L -n again to check that it is gone.
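Deleting by number is only safe if the number was read from a current listing, and the article's own warning applies: the rules below a deleted one move up. The following added example (not from the original article) reads the number of a rule from the output of iptables -L INPUT -n --line-numbers, deletes several rules from the highest number down so that earlier deletions cannot shift later ones, and prints the commands instead of executing them unless DRY_RUN=0 is set. The listing is a constructed sample in the same layout as the one above; on a real host replace it with the command's actual output.

```shell
#!/bin/sh
# Added example: locate INPUT rules by destination port in the output of
# `iptables -L INPUT -n --line-numbers` and delete them by number.
# SAMPLE_LISTING is constructed; for real use:
#   listing=$(iptables -L INPUT -n --line-numbers)

SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80'

# run CMD...: print the command (default, DRY_RUN=1) or execute it (DRY_RUN=0).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# rule_number_for_dport LISTING TARGET PORT
# Prints the number of the first rule whose target and tcp destination port
# match exactly (dpt:21 must not match dpt:210); returns 1 if there is none.
rule_number_for_dport() {
    _listing=$1; _target=$2; _port=$3
    _num=$(printf '%s\n' "$_listing" | awk -v t="$_target" -v p="$_port" \
        '$1 ~ /^[0-9]+$/ && $2 == t && $0 ~ ("dpt:" p "([ \t]|$)") { print $1; exit }')
    [ -n "$_num" ] || return 1
    printf '%s\n' "$_num"
}

# delete_by_number_desc LISTING TARGET PORT...
# Resolves every port to its rule number, then deletes from the highest
# number down, so the renumbering caused by each deletion cannot make the
# next `-D INPUT <n>` hit the wrong rule.
delete_by_number_desc() {
    _listing=$1; _target=$2; shift 2
    for _p in "$@"; do
        rule_number_for_dport "$_listing" "$_target" "$_p" \
            || echo "no $_target rule for port $_p in listing" >&2
    done | sort -rn | while read -r _n; do
        run iptables -D INPUT "$_n"
    done
}

# delete_by_spec PORT TARGET
# Alternative that does not depend on numbering at all: -D also accepts the
# exact rule specification that was used with -A.
delete_by_spec() { run iptables -D INPUT -p tcp --dport "$1" -j "$2"; }

# Demo on the constructed listing (dry run, prints the commands):
delete_by_number_desc "$SAMPLE_LISTING" DROP 21 80
delete_by_spec 3306 DROP
```

Run as root with DRY_RUN=0 to execute instead of print; in the dry run, ports 21 and 80 (rules 2 and 3) produce `iptables -D INPUT 3` before `iptables -D INPUT 2`.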
5. Filtering invalid packets
Suppose someone has broken into the server, or a virus or trojan is running on it. It can send data out through ports 22 and 80 just like the server itself does.
This traffic differs from normal use of ports 22 and 80: the data it sends out is not the response to a client's request for a web page or an SSH session.

Now we want to block all packets that are not responses to a request.

iptables provides a state check. Below we configure ports 22 and 80 to stop such invalid packets:

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Compared with the rule we used before,
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
there is one more condition: the connection state.

Do the same for port 80, then delete the two original rules.
iptables -L -n --line-numbers shows the rules with their numbers; once we know the number we can delete the corresponding rule:

iptables -D OUTPUT 1 (here 1 means the first rule)

After you delete a rule, the numbers of the rules below it shift up, so look at the listing again before deleting the next one.

Both old rules are now removed and port 22 still works normally, so the new rules are fine.

Save afterwards, or a reboot will restore the previous rules:

service iptables save

Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
The rules we just set are written to /etc/sysconfig/iptables.
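A quick way to check whether a saved rule set still contains OUTPUT rules of the old, stateless form is to scan /etc/sysconfig/iptables for OUTPUT ACCEPT rules that carry no state condition. The following added example (not from the original article) does that on a constructed sample in iptables-save format and also shows the rewrite this section describes, adding -m state --state ESTABLISHED to a reply rule. The rewrite is only applied to --sport rules, i.e. the server's replies; an outbound query rule such as the article's later OUTPUT --dport 53 needs to allow NEW connections and would break if it were restricted to ESTABLISHED.

```shell
#!/bin/sh
# Added example: audit saved rules for stateless OUTPUT ACCEPTs and show the
# stateful rewrite from the article. SAMPLE_SAVED is constructed; on a real
# host use: rules=$(cat /etc/sysconfig/iptables)  or  rules=$(iptables-save)

SAMPLE_SAVED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT'

# stateless_output_accepts RULES
# Prints every OUTPUT ACCEPT rule that has neither a --state nor a --ctstate
# condition, i.e. rules that let the host originate traffic on that port
# whether or not a client asked for it.
stateless_output_accepts() {
    printf '%s\n' "$1" \
        | grep -E -e '^-A OUTPUT .* -j ACCEPT$' \
        | grep -v -E -e '--state |--ctstate ' || true
}

# stateful_reply_rule RULE
# Rewrites a stateless "--sport N -j ACCEPT" OUTPUT rule into the article's
# form, which only lets the server answer connections a client already opened.
stateful_reply_rule() {
    case $1 in
        *--sport*) printf '%s\n' "$1" \
            | sed 's/ -j ACCEPT$/ -m state --state ESTABLISHED -j ACCEPT/' ;;
        *) printf '%s\n' "$1" ;;   # query rules (--dport) are left unchanged
    esac
}

# Demo: list the weak rules in the constructed sample, then the hardened form
# of each reply rule among them.
stateless_output_accepts "$SAMPLE_SAVED" | while read -r rule; do
    echo "stateless: $rule"
    echo "hardened:  $(stateful_reply_rule "$rule")"
done
```

In the sample, the port 80 reply rule and the outbound DNS rule are reported; only the former is rewritten.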
6. DNS port 53 settings
Let's see how to open the DNS port, which is port 53, in iptables.

In my current setup only ports 22 and 80 are open. Let's see whether the server can resolve a domain name.

After entering host www.google.com the command just hangs, which shows that DNS traffic is not getting through.

The following message appears:
;; connection timed out; no servers could be reached

Pinging the domain name fails as well:
[root@localhost ~]# ping www.google.com
ping: unknown host www.google.com

The reason is that iptables is blocking port 53.

Some servers, web servers in particular, become slow, and the cause is usually DNS: the server cannot send packets to the DNS server.

Here is how to open port 53 with iptables. If you do not know the port number of the domain name service, you can look it up with: grep domain /etc/services

[root@localhost ~]# grep domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                        # domaintime
domaintime      9909/udp                        # domaintime

As you can see, DNS generally uses UDP.

OK, let's start:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When we ping a domain name, the query leaves this machine, so we set OUTPUT first; we follow the order of the ping.

Then the DNS server receives our query and sends back a reply:
iptables -A INPUT -p udp --sport 53 -j ACCEPT

Also add:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
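Sections 1, 2 and 6 together describe one procedure: set the three default policies to DROP, then add an INPUT/OUTPUT pair for every service the host offers (tcp 22, tcp 80) and the reverse pair for services the host itself queries (udp 53). The following added example (not from the original article) wraps that procedure in a small script that prints the iptables commands by default and executes them when run as root with DRY_RUN=0. One deliberate difference from the article's order: the ACCEPT rules are added before the policies are switched to DROP, so that an administrator working over SSH is not cut off between the -P and the -A commands; the port list and the -F flush are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the article's baseline rule set from a list of ports.
# Dry run by default (commands are printed); DRY_RUN=0 executes them.

# run CMD...: print the command (default, DRY_RUN=1) or execute it (DRY_RUN=0).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$@"; else "$@"; fi; }

# open_port PROTO PORT
# A service this host offers: clients connect to the port (INPUT --dport),
# the server answers from it (OUTPUT --sport). This is the pair the article
# uses for 22, 80 and for answering DNS on 53.
open_port() {
    run iptables -A INPUT  -p "$1" --dport "$2" -j ACCEPT
    run iptables -A OUTPUT -p "$1" --sport "$2" -j ACCEPT
}

# client_port PROTO PORT
# A service this host uses: the query leaves for the port (OUTPUT --dport),
# the reply comes back from it (INPUT --sport). This is the article's pair
# for resolving names against an upstream DNS server.
client_port() {
    run iptables -A OUTPUT -p "$1" --dport "$2" -j ACCEPT
    run iptables -A INPUT  -p "$1" --sport "$2" -j ACCEPT
}

# apply_baseline
# Flushes the filter table (assumption: we start from a clean slate), opens
# tcp 22 and 80 plus outbound DNS, and only then sets every policy to DROP,
# so an SSH session used to run this is never caught between the two steps.
apply_baseline() {
    run iptables -F
    for p in 22 80; do open_port tcp "$p"; done
    client_port udp 53
    for chain in INPUT FORWARD OUTPUT; do run iptables -P "$chain" DROP; done
}

# Demo (dry run): print the commands. Follow with `service iptables save`
# on a real host, as the article says, or the rules vanish on reboot.
apply_baseline
```

Add `open_port udp 53` to apply_baseline if the host also answers DNS queries, which is what the article's last two rules above do.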

Now test it. Use iptables -L -n to review the settings and make sure they look right before testing:

[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53

Now test whether DNS gets through iptables:

[root@localhost ~]# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99

Google's domain name now resolves normally.

ping may still need some additional settings.

Let's also look at nslookup:

[root@localhost ~]# nslookup
> www.google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
www.google.com          canonical name = www.l.google.com.
www.l.google.com        canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104

This shows that local DNS resolution works and that iptables lets port 53 through.
7. iptables settings for FTP
Now the FTP port settings. As in the previous video, we add the ports that need to be opened.
FTP has two connection ports, 21 and 20, so I add the corresponding rules:

[root@localhost root]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@localhost root]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

Done. But when we open the FTP server in a browser, the connection times out.

As I said, FTP is special: besides the connection ports there are data transfer ports,
used for directory listings, uploads and downloads.

And these ports can be any port. This arbitrariness is what makes FTP special.

If no port range is specified, iptables cannot sensibly open "any port".
If iptables allowed arbitrary ports it would be no different from having no firewall, so that is not realistic.

So the solution is to restrict the data transfer ports to a range.

Let's modify the FTP server's configuration file.

I use vsftpd for this demo; for other FTP servers I do not know where the setting lives, so you will have to look it up.

[root@localhost root]# vi /etc/vsftpd.conf

Add at the bottom of the configuration file:

pasv_min_port=30001
pasv_max_port=31000

Then save and exit.

These two lines tell vsftpd to transfer data only on ports in the range 30001 to 31000.

Now we do the same on the iptables side and open ports 30001 to 31000:

[root@localhost root]# iptables -A INPUT -p tcp --dport 30001:31000 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 30001:31000 -j ACCEPT

[root@localhost root]# service iptables save

Save, then open the FTP server in the browser again: it can now be accessed normally.

Log in with an account: no problem. Upload some files to check.

Upload and download both work. Now look at the iptables settings:

[root@localhost root]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:30001:31000

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:30001:31000

These are my simple rules for FTP's special ports. You can add stricter validation of the packets,
such as -m state --state ESTABLISHED,RELATED, and more demanding checks.
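The passive range in vsftpd.conf and the port range in the firewall are configured in two different places, and the FTP connection silently times out (as it did above) when they drift apart. The following added example (not from the original article) reads pasv_min_port and pasv_max_port from a vsftpd.conf and the --dport range from a saved rule set, and reports whether the firewall range covers the passive range. Both inputs are constructed samples; on a real host feed it /etc/vsftpd.conf and /etc/sysconfig/iptables. The -m state --state ESTABLISHED,RELATED form the article mentions is the alternative: with the kernel's FTP connection-tracking helper loaded, data connections are classified RELATED and matched without opening a fixed range.

```shell
#!/bin/sh
# Added example: check that the iptables port range covers vsftpd's passive
# port range. SAMPLE_VSFTPD and SAMPLE_RULES are constructed; for real use:
#   conf=$(cat /etc/vsftpd.conf); rules=$(cat /etc/sysconfig/iptables)

SAMPLE_VSFTPD='anonymous_enable=NO
local_enable=YES
pasv_enable=YES
pasv_min_port=30001
pasv_max_port=31000'

SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30001:31000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 30001:31000 -j ACCEPT'

# conf_value CONF KEY: value of the last KEY=value line in the config text
# (vsftpd uses the last occurrence; commented lines do not match).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# input_dport_range RULES: prints "LOW HIGH" for the first INPUT ACCEPT rule
# with a --dport LOW:HIGH range, nothing if there is none.
input_dport_range() {
    printf '%s\n' "$1" \
        | sed -n 's/^-A INPUT .*--dport \([0-9]*\):\([0-9]*\) -j ACCEPT$/\1 \2/p' \
        | head -n 1
}

# pasv_range_covered CONF RULES
# Returns 0 and prints "ok ..." when the firewall range encloses the passive
# range; otherwise prints the mismatch and returns 1.
pasv_range_covered() {
    _min=$(conf_value "$1" pasv_min_port)
    _max=$(conf_value "$1" pasv_max_port)
    _range=$(input_dport_range "$2")
    if [ -z "$_min" ] || [ -z "$_max" ]; then
        echo "pasv_min_port/pasv_max_port not set in vsftpd.conf"; return 1
    fi
    if [ -z "$_range" ]; then
        echo "no INPUT --dport range rule found"; return 1
    fi
    set -- $_range   # split "LOW HIGH" into $1 and $2
    if [ "$1" -le "$_min" ] && [ "$2" -ge "$_max" ]; then
        echo "ok: firewall $1:$2 covers vsftpd passive range $_min-$_max"
    else
        echo "mismatch: firewall $1:$2 does not cover vsftpd passive range $_min-$_max"
        return 1
    fi
}

# Demo on the constructed inputs.
pasv_range_covered "$SAMPLE_VSFTPD" "$SAMPLE_RULES"
```

Run it after every change to either file; a non-zero exit means the next passive data connection will hit the DROP policy.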