Basic Knowledge
NetFilter is the firewall mechanism built into the Linux kernel. NetFilter does packet filtering: it examines the network packets entering the host, extracts and analyses the header data of each packet, and on that basis decides whether the connection is let through or blocked. NetFilter is built into the kernel and is very efficient; it exposes the iptables program as the command through which the packet filter is configured.
The iptables command is used to set up the NetFilter filtering mechanism.
iptables has 3 tables:
> filter: the default table, for packets going to and from the Linux host itself.
> nat (network address translation): not for the Linux host itself, but mainly for the computers on the LAN behind the Linux host.
> mangle: this table mainly concerns the routing marks of special packets (it is normally not modified; changes to it are very disruptive, so alter it with care).
Each table has several chains:
filter: INPUT, OUTPUT, FORWARD
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: PREROUTING, OUTPUT, INPUT, FORWARD
Use of the iptables command
Basic format: iptables [-t table] -CMD chain criteria -j ACTION
-t table: one of the 3 tables filter, nat and mangle; if not specified, the default is filter.
CMD: the operation command: view, add, replace, delete, and so on.
chain: the chain. Specifies which chain of the table to operate on, for example the INPUT chain of the filter table.
criteria: the match conditions. They describe the packets to be filtered.
ACTION: the operation to take: accept, reject, drop, and so on.
Example:
① Add
Format: iptables [-t table] -A chain criteria -j ACTION
Appends a new rule at the end of chain chain in table table (default filter).
② Insert
Format: iptables [-t table] -I chain POS criteria -j ACTION
Inserts a new rule at position POS of chain chain in table table (default filter). The rules that were at and after that position are shifted back by one. The valid range for POS is 1 to num+1, where num is the number of rules currently in the chain.
③ Replace
Format: iptables [-t table] -R chain POS criteria -j ACTION
Replaces the rule at position POS of chain chain in table table (default filter) with the new rule. The valid range for POS is 1 to num.
④ Delete
Format: iptables [-t table] -D chain POS
Deletes the rule at position POS of chain chain in table table (default filter). The valid range for POS is 1 to num.
⑤ Packet matching (criteria)
The criteria part describes the rule's match conditions: a set of fields that describe the packet headers to be filtered.
Specify the network interface:
-i: the network interface the packet arrives on, such as eth0 or lo; used with the INPUT chain.
-o: the network interface the packet is sent out on; used with the OUTPUT chain.
Specify the protocol:
-p: tcp, udp, icmp, or all. For example, ping, which is often used to test network connectivity, uses the ICMP protocol.
Because the options differ from protocol to protocol, when you are unsure remember --help, for example:
iptables -p icmp --help
iptables -p tcp --help
For the TCP and UDP protocols, which have many ports, open the corresponding port when you want to open a service. For example:
SSH service: -p tcp --dport 22
Telnet service: -p tcp --dport 23
PostgreSQL service: -p tcp --dport 5432
Web service: -p tcp --dport 80
Of course, these are just the default ports; the actual port numbers must be set according to the actual deployment.
Specify the IP network:
-s: source network; can be an IP address or a network.
IP: 192.168.0.100
Network: 192.168.0.0/24 or 192.168.0.0/255.255.255.0 are both accepted.
A ! placed in front negates the match.
-d: destination network. Same as -s.
Specify the port:
--sport: specifies the source port. Can be a single port or a contiguous range, for example 1024:65535.
--dport: specifies the destination port. Same as --sport.
Note: these options are only valid once the TCP or UDP protocol has been specified with -p.
Specify the MAC address:
-m mac --mac-source aa:bb:cc:dd:ee:ff
Specify the connection state:
-m state --state STATUS
The state can be:
> INVALID: a packet that does not belong to any known connection
> ESTABLISHED: the packet belongs to a connection that has already been established
> NEW: the packet wants to open a new connection
> RELATED: the packet is related to a connection the host has already sent out (the most commonly used)
For example, to let through packets that belong to an established connection or are related to one, and drop everything else, match on:
-m state --state RELATED,ESTABLISHED
⑥ Operation (ACTION)
DROP: discard the packet
ACCEPT: accept the packet
REJECT: reject the packet
LOG: record the packet; the entry is written to /var/log/messages
⑦ Save the configuration
Saves the newly set rules to a file.
Format: iptables-save [-t table]
This prints the current rules in a form that can be saved to a file; the saved configuration lives in /etc/sysconfig/iptables.
⑧ Clear rules
Format: iptables [-t table] [-FXZ]
-F: flush (delete) all rules that have been set up
-X: delete all user-defined chains
-Z: reset all packet and byte counters to 0
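The file written by the save step uses the iptables-save format, which is plain text and easy to audit. The following is an added example (not from the page): a small POSIX shell script that reads such a dump, reports the INPUT chain's default policy, and lists every ACCEPT rule for TCP port 22 that is not restricted with -s to a source address. The dump is constructed inline for the example; chain_policy, unrestricted_accepts and audit are names chosen here.

```shell
#!/bin/sh
# Constructed iptables-save style dump, the format found in /etc/sysconfig/iptables.
# It deliberately has an ACCEPT policy on INPUT and one port-22 rule open to any source.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.3/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Print the default policy (ACCEPT/DROP) of chain $1, reading the dump from stdin.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# Print every INPUT rule that accepts TCP port $1 without an -s source restriction.
unrestricted_accepts() {
    awk -v p="$1" '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ &&
        $0 ~ ("--dport " p "( |$)") && !/ -s / { print }'
}

# Run both checks on the dump in $1; return 0 if it passes, 1 if anything was flagged.
audit() {
    ok=0
    policy=$(printf '%s\n' "$1" | chain_policy INPUT)
    if [ "$policy" != "DROP" ]; then
        echo "INPUT policy is $policy, expected DROP"
        ok=1
    fi
    printf '%s\n' "$1" | unrestricted_accepts 22 | while read -r line; do
        echo "port 22 open to any source: $line"
    done
    n=$(printf '%s\n' "$1" | unrestricted_accepts 22 | wc -l)
    [ "$n" -eq 0 ] || ok=1
    return $ok
}

audit "$SAVED_RULES" || echo "ruleset needs fixing"
```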
Detailed iptables configuration on Linux
① View the current iptables settings on this machine
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
As you can see, when I installed Linux I chose to enable the firewall and opened ports 22, 80 and 25. If you did not choose to enable the firewall when installing Linux,
② Clear the original rules. Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all the rules in the filter table.
iptables -F
Clears the rules of every chain in the default table, filter.
iptables -X
Deletes the user-defined chains in the default table, filter.
Now look again:
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Nothing at all; this is the same as a Linux installation without the firewall enabled. (A reminder: like configuring an IP address from the command line, these settings are lost on restart.) To save them:
/etc/rc.d/init.d/iptables save
This writes them to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing so that it takes effect.
③ Set the default policies (what to do by default: DROP or ACCEPT)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
Meaning:
When a packet traverses the INPUT or FORWARD chain of the filter table and matches none of the rules there, it is dropped (discarded). This configuration is, it has to be said, very safe: we want to control the packets coming in.
For the OUTPUT chain, that is, outgoing packets, we do not have to restrict so much, so we take ACCEPT: a packet that matches no rule is let through.
In other words: on the INPUT and FORWARD chains the rules say which packets are allowed through, and on the OUTPUT chain the rules say which packets are not allowed through.
This setting is quite reasonable. Of course, you can also set all three chains to DROP, but I think that is not necessary, and the number of rules to write increases. If, however, you only want a few restricted rules, for example on a machine that is just a web server, it is recommended to set all three chains to DROP.
④ Adding rules
First add rules to the INPUT chain. The default policy of the INPUT chain is DROP, so we write the rules for what needs to be ACCEPTed (let through).
In order to be able to log in remotely with SSH, we have to open port 22:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: the second rule is only needed if you set OUTPUT to DROP. Many people overlook this rule and find they can never SSH in, which is no good when you are remote.
The other ports are handled the same way: if a web server is running and OUTPUT is set to DROP, also add the rule
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
and similarly for the others.)
If you run a web server, open port 80:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
If you run a mail server, open ports 25 and 110:
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
If you run an FTP server, open port 21:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
If you run a DNS server, open port 53:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
If you run other servers, just write a rule for whichever port you need to open. The main work is on the INPUT chain: everything not covered by the rules above is dropped.
Allow ICMP packets through, that is, allow ping:
iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is set to DROP)
iptables -A INPUT -p icmp -j ACCEPT (if INPUT is set to DROP)
Allow loopback! (Otherwise you get problems such as DNS not shutting down properly.)
iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)
Now write the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so we write the rules for what needs to be DROPped (discarded).
Reduce connections on insecure ports:
iptables -A OUTPUT -p tcp --sport 31337 -j DROP
iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some trojans scan for services on ports 31337 through 31340 (the "elite" ports in hacker slang). Since legitimate services do not communicate on these non-standard ports, blocking them effectively reduces the chance that a possibly infected machine on your network communicates on its own with its remote master server. There are other ports as well, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked; what I write here is not complete, and interested readers should look up the relevant information.
Of course, it is safer to control both in and out. You can also set the OUTPUT chain to DROP; then you add more rules, like the ones added above, to allow SSH login as well. Just write them.
Next is a more detailed rule: restricting access to one machine.
For example, we only allow SSH connections from the machine 192.168.0.3:
iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
If you want to allow or restrict a whole range of IP addresses, 192.168.0.0/24 stands for all the addresses 192.168.0.1-255 with a 24-bit subnet mask. But remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
because it means that every address can log in. Or do it with a command:
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
and then save. As I said, the command form only takes effect on the running system; if you want it to survive a restart, it has to be saved, that is, written to the /etc/sysconfig/iptables file:
/etc/rc.d/init.d/iptables save
Writing ! 192.168.0.3 here means the rule applies to every address other than 192.168.0.3.
Next is the FORWARD chain. The default policy of the FORWARD chain is DROP, so we write the rules for what needs to be ACCEPTed (let through); this is where forwarded traffic is controlled.
Turn on forwarding (when doing NAT, the FORWARD default policy is DROP, so this must be done):
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets:
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the number of IP fragments to prevent attacks; allow 100 per second:
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set ICMP packet filtering to allow 1 packet per second, with a trigger threshold of 10 packets:
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
I allowed ICMP packets through above only because I rate-limit them here.
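As an added example (not the page's own commands), the ruleset of steps ③ and ④ written as one iptables-restore file that a shell function prints and iptables-restore loads atomically, replacing the whole filter table in one step instead of running -F/-X and a long series of -A commands. It goes a little beyond the page: it drops INVALID packets, rate-limits ICMP on INPUT the way the FORWARD step does, and opens UDP 53 alongside TCP 53. The admin host 192.168.0.3 comes from the page; the interface names eth0/eth1, the environment variables and the function names gen_rules and rule_count are assumptions made here.

```shell
#!/bin/sh
# Assumptions (not from the page): admin host, WAN-side and LAN-side interface names.
ADMIN_HOST=${ADMIN_HOST:-192.168.0.3}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# Print the whole filter table in iptables-restore format; lines starting with # are
# ignored by iptables-restore. Policies DROP/ACCEPT/DROP as in step ③.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and reply traffic first, so the rules below only have to cover NEW connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# SSH only from the admin host; no unrestricted port-22 rule
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# DNS: the page opens TCP 53 only; queries are normally UDP, so open both
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# ICMP rate-limited; packets over the limit fall through to the DROP policy
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# OUTPUT: block the trojan port range named on the page
-A OUTPUT -p tcp --dport 31337:31340 -j DROP
-A OUTPUT -p tcp --sport 31337:31340 -j DROP
# FORWARD: LAN may go out, only replies come back, drop NEW packets that are not SYN
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of rules generated for chain $1 (sanity check before loading).
rule_count() { gen_rules | grep -c -- "^-A $1 "; }

# Load atomically (needs root); uncomment on a real host, then save as in step ②:
# gen_rules | iptables-restore
```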