Linux Learning Notes: Using the iptables Firewall in Detail

Source: Internet
Author: User
Tags: ssh, iptables
I. Introduction to iptables

Linux packet filtering, i.e. the Linux firewall, consists of two components: NetFilter and iptables.

The NetFilter component, also called the kernel-space part, lives inside the kernel and consists of the packet-filtering tables; these tables hold the rule sets the kernel uses to decide how packets are filtered.

The iptables component, also called the user-space part, is a command-line tool that makes it easy to insert, modify and remove rules in those packet-filtering tables.

II. Structure of iptables
iptables -> tables -> chains -> rules

A table is made up of chains, and a chain is made up of rules. By default iptables has four tables: filter, nat, mangle and raw.

III. iptables command format

iptables [-t table] command-option [chain] [match conditions] [-j target action or jump]

1. Table name

filter, nat, mangle, raw

The filter table does packet filtering; if -t is omitted, the filter table is used.

2. Command options

3. Chain name

Which chain to use is determined by the direction of the traffic. In the filter table the chains are:
INPUT chain: processes packets arriving from outside and destined for this host
OUTPUT chain: processes packets sent out by this host
FORWARD chain: processes packets forwarded between network interfaces on this host

4. Match conditions

Match conditions are divided into basic matches and extended matches; extended matches are further divided into implicit extensions and explicit extensions.

a. Basic matches:

b. Implicit extensions:

c. Explicit extensions:

5. Target action

There are 4 basic ways to control a packet (ACCEPT, DROP, REJECT, LOG), plus QUEUE and RETURN:
ACCEPT: allow the packet through
DROP: discard the packet directly, without sending any response
REJECT: refuse the packet and, where appropriate, send a response message back to the sender
LOG: record the packet in /var/log/messages, then pass it on to the next rule
QUEUE: hand the packet from the firewall to user space
RETURN: stop executing the remaining rules in the current chain and return to the calling chain

IV. Common iptables commands

1. Delete all existing rules
iptables -F

2. View existing rules
iptables -L (or iptables -L -v -n for verbose output with numeric addresses and ports)

3. Append a rule at the end of a chain
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

4. Insert a rule at a specified position (here, position 2 in the INPUT chain)
iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

5. Delete a rule (by its position in the chain)
iptables -D INPUT 2

6. Replace a rule (here, rule 3 in the INPUT chain)
iptables -R INPUT 3 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

7. Set the default policy of a chain
iptables -P INPUT DROP

8. Allow remote hosts to connect to this host over SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9. Allow this host to open SSH connections to remote hosts
(As the client, this host sends to destination port 22 and the replies come back from source port 22.)
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow HTTP requests
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

11. Limit the rate of ping packets to a host: an average of 2 per second, with bursts of no more than 3
(xx.xx.xx.xx stands for the host's own address; ICMP type 8 is echo-request.)
iptables -A INPUT -i eth0 -d xx.xx.xx.xx -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT

12. Limit the rate of new SSH connections
iptables -I INPUT 1 -p tcp --dport 22 -d xx.xx.xx.xx -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -d xx.xx.xx.xx -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
The first rule keeps existing sessions working; the second admits new sessions at an average of 2 per minute (burst 2), and new connections above that rate fall through to the rules and default policy that follow.

V. iptables configuration

1. Delete all existing rules
iptables -F

2. Configure the default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

3. Allow SSH from remote hosts and from this host (see points 8 and 9 above)

4. Allow HTTP requests (see point 10 above)
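The configuration in section V, together with the SSH, HTTP and ICMP rules from section IV, as one iptables-restore file. This is an added example, not part of the original notes: loading the whole ruleset atomically avoids the window in which the DROP default policy is already set but the ACCEPT rules do not exist yet. The interface name (IFACE, defaulting to eth0) and the two loopback rules are assumptions the notes do not mention.

```shell
#!/bin/sh
# Added example, not from the original notes: the section IV/V policy written as
# one iptables-restore file. IFACE and the loopback rules are assumptions.
IFACE="${IFACE:-eth0}"

# build_ruleset: print the filter table in iptables-save format.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback (assumption: added because an OUTPUT DROP policy otherwise breaks local services)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Inbound SSH (points 8 and 12): replies always, new sessions at 2/minute with a burst of 2
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Outbound SSH from this host (point 9): this host opens the connection, so the
# destination port is 22 on OUTPUT and the source port is 22 on the replies
-A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# HTTP (point 10)
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# ICMP echo requests (point 11): average 2/second, burst 3; anything above falls to the DROP policy
-A INPUT -i $IFACE -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT
COMMIT
EOF
}

# Usage: sh firewall.sh check  (parse only, no changes)
#        sh firewall.sh apply  (load the ruleset; needs root)
#        sh firewall.sh        (just print the ruleset)
case "${1:-}" in
    check) build_ruleset | iptables-restore --test ;;
    apply) build_ruleset | iptables-restore ;;
    *)     build_ruleset ;;
esac
```

Rule order inside a chain is exactly the order of the lines in the file, which is why the ESTABLISHED accept for port 22 is listed before the rate-limited NEW accept, matching the -I INPUT 1 / -I INPUT 2 ordering of point 12. The `-m state` match is kept because the notes use it; on current kernels `-m conntrack --ctstate` is the equivalent.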

VI. iptables against common attacks

1. Prevent SYN attacks (limit the maximum number of SYN connections from a single IP)
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
The connlimit match counts the existing connections per source address (by default each single IPv4 address is counted separately), so a SYN from an address that already holds more than 15 connections is dropped.

2. Prevent DoS attacks on SSH using the connlimit and recent modules

a. Limit a single IP to at most 3 concurrent sessions:
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP

b. Add every new connection request to a recent list named SSH:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

c. If an address in the SSH list has made 3 attempts within 5 minutes (300 seconds), refuse to serve it; it recovers once 5 minutes have passed:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

Because each rule is inserted with -I at the top of the chain, entering them in this order leaves rule c first, then b, then a.

3. Prevent excessive traffic from a single IP (N is the maximum number of concurrent connections allowed from one source address; the notes do not give the value)
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above N -j DROP

4. Prevent ping attacks
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT
This accepts at most one echo request per minute; echo requests above that rate are only discarded if the INPUT default policy is DROP or a later rule drops them.
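A way to verify that the section VI mitigations are actually present and ordered correctly in a running ruleset. This is an added example, not part of the original notes: the function below audits an iptables-save style dump for the SYN connlimit rule, the per-IP SSH session cap, the two recent-module rules, the ICMP limit and the DROP policy, and flags the case where a rule accepting NEW SSH connections sits above the DROP rules that are meant to protect it. SAMPLE_DUMP is constructed here in the notes' own option syntax; real iptables-save output spells some options differently (for example --syn is saved as --tcp-flags FIN,SYN,RST,ACK SYN), so the patterns need adjusting before running against a live host.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an iptables-save style dump
# for the section VI mitigations. SAMPLE_DUMP is constructed, not captured.

SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
-A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/min -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# has_rule DUMP REGEX: succeed if any line of DUMP matches the extended regex.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# line_of DUMP REGEX FIRST|LAST: 1-based line number of the first/last match, empty if none.
line_of() {
    if [ "$3" = "LAST" ]; then
        printf '%s\n' "$1" | grep -nE -- "$2" | tail -n 1 | cut -d: -f1
    else
        printf '%s\n' "$1" | grep -nE -- "$2" | head -n 1 | cut -d: -f1
    fi
}

# check DESCRIPTION REGEX: report one finding against the dump in $dump, count failures in $failed.
check() {
    if has_rule "$dump" "$2"; then
        echo "OK   $1"
    else
        echo "MISS $1"
        failed=$((failed + 1))
    fi
}

# audit_dump DUMP: print one line per check; return the number of failed checks.
audit_dump() {
    dump="$1"
    failed=0
    check "INPUT default policy is DROP"                  '^:INPUT DROP'
    check "SYN flood: connlimit on --syn packets"          '--syn .*--connlimit-above [0-9]+ -j DROP'
    check "SSH: per-IP concurrent session cap"             '--dport 22 .*--connlimit-above [0-9]+ -j DROP'
    check "SSH: new connections recorded in recent list"   '--dport 22 .*-m recent --set --name SSH'
    check "SSH: hitcount-based drop from recent list"      '-m recent --update --seconds [0-9]+ --hitcount [0-9]+ --name SSH -j DROP'
    check "ICMP echo-request rate limit"                   '-p icmp .*-m limit --limit'

    # Ordering: every DROP aimed at port 22 must precede the rule that accepts NEW SSH,
    # otherwise the accept short-circuits the brute-force protection.
    accept_line=$(line_of "$dump" '--dport 22 .*--state [A-Z,]*NEW[A-Z,]* -j ACCEPT' FIRST)
    drop_line=$(line_of "$dump" '--dport 22 .*-j DROP' LAST)
    if [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$drop_line" -gt "$accept_line" ]; then
        echo "MISS SSH DROP rule at line $drop_line comes after the NEW-SSH ACCEPT at line $accept_line"
        failed=$((failed + 1))
    else
        echo "OK   SSH DROP rules precede the NEW-SSH ACCEPT rule"
    fi
    return "$failed"
}

audit_dump "$SAMPLE_DUMP" || echo "audit: $? check(s) failed"
```

On a real host the same function can be pointed at the live ruleset with `audit_dump "$(iptables-save)"` once the patterns have been adapted to iptables-save's spelling; a non-zero return value is the count of missing or misordered mitigations, which makes it usable from a cron job or a configuration check.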
