Linux network services: firewall (iptables) setup tutorial
1. Super firewall management
View the software:            yum search iptables
                              yum list iptables-services.x86_64
Install the software:         yum install iptables -y
Stop the common firewall:     systemctl stop firewalld
                              systemctl mask firewalld
                              systemctl start iptables.service
                              systemctl enable iptables.service
List the firewall rules without name resolution:   iptables -nL   // -n: do not resolve names, -L: list
Configuration file:           vim /etc/sysconfig/iptables
Flush (temporary clear):      iptables -F
Clear the saved rules:        > /etc/sysconfig/iptables
Method 2:                     service iptables save   // saves the (empty) rules after a temporary clear
Add a firewall policy:        iptables -A INPUT -j ACCEPT
Save the policy:              service iptables save
[Experiment]
[root@server103 ~]# yum search iptables
iptables-services.x86_64
[root@server103 ~]# yum list iptables-services.x86_64
[root@server103 ~]# systemctl stop firewalld
[root@server103 ~]# systemctl mask firewalld
ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
[root@server103 ~]# systemctl start iptables.service
[root@server103 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@server103 ~]# iptables -nL
[root@server103 ~]# vim /etc/sysconfig/iptables
[root@server103 ~]# iptables -F
[root@server103 ~]# iptables -nL
[root@server103 ~]# iptables -F
[root@server103 ~]# iptables -nL   // this is temporary; it is lost after a restart
[root@server103 ~]# systemctl restart iptables.service
[root@server103 ~]# iptables -nL
[root@server103 ~]# > /etc/sysconfig/iptables   // clear the saved rules
[root@server103 ~]# iptables -F
[root@server103 ~]# iptables -nL
[root@server103 ~]# systemctl restart iptables.service
[root@server103 ~]# iptables -nL
Add a firewall policy
[root@server103 ~]# iptables -A INPUT -j ACCEPT
[root@server103 ~]# iptables -nL
[root@server103 ~]# service iptables save   // save the policy
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
2. iptables settings
View the help: man iptables
-t   specify the table name (filter)          -s   source address
-A   append a rule                            -d   destination address
-I   insert a rule (e.g. -I INPUT 1)          -i   matched input interface (e.g. -i lo, the loopback interface)
-D   delete a rule                            -o   output interface
-p   protocol                                 --dport   destination port
-j   action: ACCEPT | REJECT | DROP
filter table: all packets that pass through the local kernel
nat table: packets from the local machine that do not pass through the kernel
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -s 172.25.254.3 -j ACCEPT
[Experiment]
View the three tables
[root@server103 ~]# iptables -t nat -nL
[root@server103 ~]# iptables -t filter -nL
[root@server103 ~]# iptables -t mangle -nL
Port settings
[root@server103 ~]# iptables -t filter -A INPUT -i lo -j ACCEPT
[root@server103 ~]# iptables -t filter -A INPUT -s 172.25.254.3 -j ACCEPT
[root@server103 ~]# iptables -nL
[root@server103 ~]# iptables -A INPUT -j REJECT
[root@server103 ~]# iptables -D INPUT 1
[root@server103 ~]# iptables -D INPUT 2
[root@desktop203 westos]# ssh root@172.25.254.103   // cannot connect at this time
ssh: connect to host 172.25.254.103 port 22: Connection refused
[root@server103 ~]# iptables -A INPUT -s 172.25.254.203 -p tcp --dport 22 -j ACCEPT
[root@server103 ~]# iptables -nL
ACCEPT     tcp  --  172.25.254.203       0.0.0.0/0            tcp dpt:22
Insert
[root@server103 ~]# iptables -I INPUT 1 -s 172.25.254.20 -p tcp --dport 22 -j ACCEPT
[root@server103 ~]# iptables -nL
ACCEPT     tcp  --  172.25.254.20        0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  172.25.254.203       0.0.0.0/0            tcp dpt:22
[root@server103 ~]# systemctl start smb
[root@desktop203 westos]# smbclient -L //172.25.254.103
Enter root's password:
Connection to 172.25.254.103 failed (Error NT_STATUS_CONNECTION_REFUSED)
In this case, ports 139 and 445 must also be opened.
[root@server103 ~]# iptables -I INPUT 1 -s 172.25.254.203 -p tcp --dport 139 -j ACCEPT
[root@server103 ~]# iptables -I INPUT 1 -s 172.25.254.203 -p tcp --dport 445 -j ACCEPT
[root@desktop203 westos]# smbclient -L //172.25.254.103
Enter root's password:
Domain=[WESTOS_SERVER103] OS=[Unix] Server=[Samba 4.1.1]

        Sharename       Type      Comment
        ---------       ----      -------
        DATA            Disk      local samba dir
        SYSTEMCTLDATA   Disk      /mnt
        IPC$            IPC       IPC Service (helloworld103)
Domain=[WESTOS_SERVER103] OS=[Unix] Server=[Samba 4.1.1]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

Note: the rules shown by iptables -nL are matched from top to bottom, so pay attention to the order.
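The top-to-bottom point is easy to check mechanically. The function below is an added example, not part of the tutorial: it reads an `iptables -S INPUT` dump on stdin and reports every rule that sits below an unconditional terminating rule (a bare -j ACCEPT/DROP/REJECT), which is the situation that produced the "Connection refused" above. The two dumps are constructed samples modelled on that session.

```shell
# audit_input_order: read `iptables -S INPUT` output on stdin, print each rule
# that can never match because a blanket terminating rule precedes it, and
# return 1 when at least one such rule exists (0 when the order is clean).
audit_input_order() {
    shadow=""   # the blanket rule that shadows everything after it
    found=0
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) ;;   # only rules of the INPUT chain are audited
            *) continue ;;
        esac
        if [ -n "$shadow" ]; then
            printf 'UNREACHABLE (after "%s"): %s\n' "$shadow" "$line"
            found=1
            continue
        fi
        case "$line" in
            "-A INPUT -j ACCEPT"|"-A INPUT -j DROP"|"-A INPUT -j REJECT"*)
                shadow="$line" ;;
        esac
    done
    return "$found"
}

# Constructed sample in `iptables -S` format: a blanket REJECT was appended,
# then the desktop's ssh and smb rules were appended after it.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.25.254.3/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.25.254.203/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.25.254.203/32 -p tcp -m tcp --dport 445 -j ACCEPT'

# The same rules with the REJECT moved to the end: nothing is shadowed.
FIXED_DUMP='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.25.254.3/32 -j ACCEPT
-A INPUT -s 172.25.254.203/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.25.254.203/32 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$SAMPLE_DUMP" | audit_input_order || echo "rule order problem found"
```

On a live system, run `iptables -S INPUT | audit_input_order` instead of feeding the constructed dump.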
7. iptables policy settings (2)
-R   replace (modify) a rule
-P   (uppercase) change the default policy; only ACCEPT and DROP are allowed
-N   add a new chain
-E   rename a chain
-X   delete a chain
[Experiment]
[root@server103 ~]# iptables -R INPUT 2 -s 172.25.254.203 -p tcp --dport 53 -j ACCEPT
[root@server103 ~]# iptables -nL
ACCEPT     tcp  --  172.25.254.203       0.0.0.0/0            tcp dpt:53
[root@server103 ~]# iptables -P INPUT DROP
[root@server103 ~]# iptables -nL
Chain INPUT (policy DROP)
[root@server103 ~]# iptables -P INPUT ACCEPT
[root@server103 ~]# iptables -t filter -N westos
[root@server103 ~]# iptables -nL
Chain westos (0 references)
target     prot opt source               destination
[root@server103 ~]# iptables -t filter -E westos WESTOS
[root@server103 ~]# iptables -nL
Chain WESTOS (0 references)
[root@server103 ~]# iptables -t filter -X WESTOS
[root@server103 ~]# iptables -nL
At this point the WESTOS chain is gone.
8. Optimizing the super firewall
iptables -F
netstat -antlupe
-m   load a match extension (here -m state)
iptables -A INPUT -m state --state NEW -i lo -j ACCEPT                // allow the loopback interface
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT    // allow ssh
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT    // allow dns
iptables -A INPUT -m state --state NEW -p tcp --dport 139 -j ACCEPT   // allow smb
iptables -A INPUT -m state --state NEW -p tcp --dport 445 -j ACCEPT   // allow smb
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT    // allow http
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT   // allow https
iptables -A INPUT ! -s 172.25.254.3 -j ACCEPT   // ! negates the source match; the intent is to restrict hosts other than 172.25.254.3 (note that, with -j ACCEPT as written, the rule accepts packets whose source is not 172.25.254.3)
iptables -nL
service iptables save   // save
// RELATED: a connection related to one that was accessed before (the historical connection exists)
// ESTABLISHED: a connection that is already in progress
[Experiment]
[root@server103 ~]# iptables -F
[root@server103 ~]# iptables -nL
[root@server103 ~]# netstat -antlupe
tcp        0      0 172.25.254.103:22       172.25.254.3:40876      ESTABLISHED 0          98920      5720/sshd: root@pts
[root@server103 ~]# iptables -A INPUT -m state --state NEW -i lo -j ACCEPT
[root@server103 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
[root@server103 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
[root@server103 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
[root@server103 ~]# iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
[root@server103 ~]# iptables -A INPUT ! -s 172.25.254.3 -j ACCEPT
[root@server103 ~]# iptables -nL
// RELATED: a connection related to one that was accessed before (the historical connection exists)
// ESTABLISHED: a connection that is already in progress
[root@server103 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
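The rule set above only classifies NEW connections and still relies on the chain's default policy. As an added example that is not part of the tutorial, the function below writes the same services as a default-deny, stateful rule set in the /etc/sysconfig/iptables (iptables-save) format, with the loopback and RELATED,ESTABLISHED rules placed before the port rules and an explicit REJECT last, so the top-to-bottom order does the right thing. The -s option restricting ssh to one admin host is an assumption of this example; the port list and trusted host are passed as arguments.

```shell
# gen_stateful_rules: print an iptables-save format rule set for the given TCP
# ports. Load it with `iptables-restore < file` or write it to
# /etc/sysconfig/iptables so the iptables service restores it at boot.
#   usage: gen_stateful_rules [-s trusted_host] port [port ...]
gen_stateful_rules() {
    trusted=""
    if [ "$1" = "-s" ]; then trusted="$2"; shift 2; fi
    [ "$#" -gt 0 ] || { echo "no ports given" >&2; return 2; }
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default policy DROP, as with -P INPUT DROP
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Order matters: these two must precede the port rules and the REJECT.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
        esac
        if [ "$port" = 22 ] && [ -n "$trusted" ]; then
            # ssh: NEW connections only from the trusted admin host (assumed)
            echo "-A INPUT -s $trusted -m state --state NEW -p tcp --dport 22 -j ACCEPT"
        else
            echo "-A INPUT -m state --state NEW -p tcp --dport $port -j ACCEPT"
        fi
    done
    # Explicit final REJECT so refused clients get an error instead of a timeout.
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Same services as the tutorial's section 8; 172.25.254.3 is the lab's admin host.
gen_stateful_rules -s 172.25.254.3 22 53 139 445 80 443
```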
10. Configuring source address translation (SNAT) with NAT
[Preparation]
virt-manager: the virtual machine manager
Add a second NIC to the server and set it to 192.168.0.103.
Set the desktop's single NIC to 192.168.0.203.
Detection method on the desktop: ping
route -n     check the gateway settings
ifconfig     check the IP settings
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.103
Rewrites the source address of packets sent from 192.168.0.203 to 172.25.254.103.
Add the gateway 192.168.0.103 on the desktop, restart the network, and check with route -n.
[Experiment]
[root@server103 ~]# iptables -t nat -nL   // view
Chain POSTROUTING (policy ACCEPT)   // after routing
[root@server103 ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.103   // SNAT: source address translation
[root@server103 ~]# iptables -t nat -nL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  0.0.0.0/0            0.0.0.0/0            to:172.25.254.103
Add the gateway 192.168.0.103 on the desktop, restart the network, and check with route -n; ping 172.25.254.103 works (reachable).
ping 172.25.254.3 fails.
------------> Cause: the kernel's forwarding (routing) function is not enabled
[root@server103 ~]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
[root@server103 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@server103 ~]# sysctl -p
net.ipv4.ip_forward = 1
Now the desktop client can ping 172.25.254.3.
Detection:
From 192.168.0.203 run ssh root@172.25.254.3,
then use w on 172.25.254.3 to view the source address of the login.
[root@server103 ~]# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-dest 192.168.0.203   // -i: the interface packets enter on; eth1 is not visible from outside, so eth1 cannot be used here
[root@server103 ~]# iptables -nL
[root@server103 ~]# iptables -nL -t nat