Linux under Iptables configuration (Firewall command)

Source: Internet
Author: User

Linux under Iptables configuration detailed -A rh-firewall-1-input-p tcp-m State--state new-m TCP--dport 24000-j ACCEPT
-A rh-firewall-1-input-s 121.10.120.24-p tcp-m tcp--dport 18612-j ACCEPT
If your iptables basic knowledge is not yet known, it is recommended to take a look first. Start Configuration Let's configure a firewall for the filter table. (1) Check the setting of this institution in Iptables[Email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target prot opt source destination Chain FORWARD (policy ACCEPT)
Target prot opt source destination Chain OUTPUT (policy ACCEPT)
Target prot opt source destination Chain rh-firewall-1-input (0 references)
Target Prot opt source destination
ACCEPT All--0.0.0.0/0 0.0.0.0/0
ACCEPT ICMP--0.0.0.0/0 0.0.0.0/0 ICMP type 255
ACCEPT ESP--0.0.0.0/0 0.0.0.0/0
ACCEPT AH--0.0.0.0/0 0.0.0.0/0
ACCEPT UDP--0.0.0.0/0 224.0.0.251 UDP dpt:5353
ACCEPT UDP--0.0.0.0/0 0.0.0.0/0 UDP dpt:631
ACCEPT All – 0.0.0.0/0 0.0.0.0/0 State related,established
ACCEPT TCP--0.0.0.0/0 0.0.0.0/0 state NEW TCP dpt:22
ACCEPT TCP--0.0.0.0/0 0.0.0.0/0 state NEW TCP dpt:80
ACCEPT TCP--0.0.0.0/0 0.0.0.0/0 state NEW TCP dpt:25
REJECT All--0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
As you can see, when I installed Linux, I chose a firewall and opened the 22,80,25 port. If you do not have the option to boot the firewall when you install Linux [email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target prot opt source destination Chain FORWARD (policy ACCEPT)
Target prot opt source destination Chain OUTPUT (policy ACCEPT)
Target prot opt source destination none of the rules. (2) clear the original rules.Whether or not you start a firewall when you install Linux, if you want to configure your own firewall, clear all the rules for the filter now. [[email protected] ~]# iptables-f clears all rule chain rules in the preset table filter
[[email protected] ~]# iptables-x clear Preset table rules in user-defined chains in filter we're just looking. [email protected] ~]# iptables-l-N
Chain INPUT (Policy ACCEPT)
Target prot opt source destination Chain FORWARD (policy ACCEPT)
Target prot opt source destination Chain OUTPUT (policy ACCEPT)
Target prot opt source destination Nothing at all, it's the same as when we installed Linux without a boot firewall. (in advance, these configurations are like using commands to configure the IP, the restart will lose its effect), how to save. [[email protected] ~]#/etc/rc.d/init.d/iptables save so it can be written in the/etc/sysconfig/iptables file. After writing, remember to restart the firewall before it works. [[Email protected] ~]# service iptables Restart now the Iptables configuration table What configuration is gone, let's start our configuration. (3) Set preset rules[[email protected] ~]# iptables-p INPUT drop[[email protected] ~]# iptables-p OUTPUT accept[[email protected] ~]# iptabl Es-p FORWARD DROP
the above means that when the two chain rules (Input,forward) in the Iptables filter table are exceeded, the packets that are not in the two rules are handled, and that is the drop (abort). It should be said that this configuration is very safe. We want to control the incoming packets. and for the output chain, that is, out of the package we do not have to do too much restriction, but to take the accept, that is, not in the rules of the package how to do it, that is through. It can be seen that the Input,forward two chain uses what packets are allowed to pass through, and the output chain is not allowed by what packets pass. This setting is quite reasonable, of course, you can also drop three chains, but I think it is not necessary, and to write the rules will increase. But if you only want a few rules that are limited, such as just Web servers. It is recommended that all three chains are drop.Note: If you are a remote SSH login, you should drop it when you enter the first command. Because you didn't set any rules. What to do, go to the machine operation Bai! (4) Add a rule. first add the input chain, the default rule of the input chain is drop, so we write the need to ACCETP (through) the chain in order to be able to use remote SSH login, we have to turn on port 22.[[email protected] ~]# iptables-a input-p TCP--dport 22-j accept[[email protected] ~]# iptables-a output-p TCP--spo RT 22-j ACCEPT (Note: This rule, if you set the output to drop it is necessary to write this part, many people are looking at the writing of this rule resulted in, always unable to ssh. In the remote, is not good. the other port is the same, if the Web server is turned on, output is set to drop, you also add a chain:[[email protected] ~]# iptables-a output-p TCP--sport 80-j ACCEPT, other similarly.) If you made a Web server, turn on port 80.[[email protected] ~]# iptables-a input-p TCP--dport 80-j ACCEPT
If you do a mail server, turn on port 25,110.[[email protected] ~]# iptables-a input-p TCP--dport 110-j ACCEPT
[[email protected] ~]# iptables-a input-p TCP--dport 25-j ACCEPT
If you do an FTP server, turn on port 21[[email protected] ~]# iptables-a input-p TCP--dport 21-j accept[[email protected] ~]# iptables-a input-p TCP--dpor T 20-j ACCEPT If you do a DNS server, turn on port 53[[email protected] ~]# iptables-a input-p TCP--dport 53-j Accept if you also do other servers, which port you need to open, just write it. The main write is the INPUT chain, which is not in the rules above , all drop. allow ICMP packets to pass, that is, to allow pings,[Email protected] ~]# iptables-a output-p icmp-j ACCEPT (OUTPUT set to drop) [[email protected] ~]# iptables-a input-p i Cmp-j ACCEPT (input set to drop) Allow loopback! (This may cause problems such as DNS not shutting down properly)Iptables-a input-i lo-p all-j ACCEPT (if INPUT DROP)
Iptables-a Output-o lo-p All-j Accept (if an output DROP) below writes the output chain, the default rule for the output chain is ACCEPT, so we write a chain that needs to drop (discard). reduce insecure port connections[[email protected] ~]# iptables-a output-p TCP--sport 31337-j drop[[email protected] ~]# iptables-a output-p TCP--d Port 31337-j Drop some Trojan horses scan services on ports 31337 through 31340 (that is, the elite port in the hacker language). Since legitimate services do not use these non-standard ports to communicate, blocking these ports can effectively reduce the chance that your network may be infected by the machine and their remote primary server for independent communication and other ports as well, such as: 31335, 27444, 27665, 20034 NetBus, 9704, 137-139 (SMB), 2049 (NFS) port should also be banned, I write in this is not all, interested friends should go to check the relevant information. of course, it's safer to go in and out. You can also set the output chain to drop, then you add more rules, like the above added allow SSH to log in as well. Just write it . The following is a more detailed rule, that is, to restrict to a machine For example: We only allow SSH connection for 192.168.0.3 machines.[[email protected] ~]# iptables-a input-s 192.168.0.3-p TCP--dport 22-j Accept if you want to allow or limit the amount of IP addresses available 192.168.0.0/24 represents 192. All ip.24 on the 168.0.1-255 side represent the number of subnet masks. But remember to delete this line from the/etc/sysconfig/iptables.-A input-p tcp-m TCP--dport 22-j ACCEPT because it means all addresses can be Login. Or use the command mode: [[email protected] ~]# iptables-d input-p TCP--dport 22-j accept and then save, I say one side, the reverse is the way of the command, only in effect at that time, if you want to restart, it also works, it To save. Write to the/etc/sysconfig/iptables file. [[email protected] ~]#/etc/rc.d/init.d/iptables Save so write!192.168.0.3 that the other rule connections except the 192.168.0.3 IP address are set as well. in the following is the forward chain, the default rule of the forward chain is drop, so we write the need to ACCETP (through) the chain, the monitoring of the forwarding chain. Turn on forwarding, (when doing NAT, forward default rule is drop, must be done)[Email protected] ~]# iptables-a forward-i eth0-o eth1-m State--state related,established-j accept[[email protected ] ~]# iptables-a forward-i eth1-o eh0-j ACCEPT Discard bad TCP packets[[Email protected] ~] #iptables-A forward-p TCP! --syn-m State--state New-j DROP handle the number of IP fragments, prevent attacks, allow 100 per second[[Email protected] ~] #iptables-A forward-f-M limit--limit 100/s--limit-burst 100-j ACCEPT set ICMP packet filtering to allow 1 packets per second, limiting the trigger condition to 10 packets.[[Email protected] ~] #iptables-A forward-p icmp-m limit--limit 1/s--limit-burst 10-j accept me in front only so allow ICMP packets to pass because I'm here There are restrictions. two. Configure a NAT table to fire the wall 1. View the settings of this agency on Nat [email protected] rc.d]# iptables-t nat-l
Chain prerouting (Policy ACCEPT)
Target prot opt source destination Chain postrouting (policy ACCEPT)
Target Prot opt source destination
SNAT All-192.168.0.0/24 anywhere to:211.101.46.235chain OUTPUT (policy ACCEPT)
Target prot opt source destination My NAT has been configured (just to provide the simplest proxy Internet functionality, and no firewall rules have been added). about how to configure NAT, refer to my other article of course if you haven't If you configure NAT, you don't have to clear the rules, because Nat doesn't have anything by default. If you want to clear, the command is[[email protected] ~]# iptables-f-t nat[[email protected] ~]# iptables-x-t nat[[email protected] ~]# iptables-z-t NA T 2, adding rules add basic NAT address translation (see my other article on how to configure NAT), to add a rule, we only add the drop chain. Because the default chain is all accept. Prevention of intranet IP spoofing for external network[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 10.0.0.0/8-j DROP
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 172.16.0.0/12-j DROP
[Email protected] sysconfig]# iptables-t nat-a prerouting-i eth0-s 192.168.0.0/16-j DROP
if we want to, for example, stop MSN,QQ,BT and so on, need to find the port or IP they use, (personally think not too much necessary) Example: prohibit all connections to the 211.101.46.253[Email protected] ~]# iptables-t nat-a prerouting-d 211.101.46.253-j DROP Disabling the FTP (21) Port[[email protected] ~]# iptables-t nat-a prerouting-p tcp--dport 21-j DROP The scope of the writing is so large that we can define it more precisely.[[email protected] ~]# iptables-t nat-a prerouting-p tcp--dport 21-d 211.101.46.253-j DROP This disables only FTP connections for 211.101.46.253 addresses, and other connections are available. such as Web (80 port) connections. As I wrote, you just have to find the IP address of other software such as QQ,MSN, and the port, and based on what protocol, just write it. finally: Drop Illegal Connection
[Email protected] ~]# iptables-a input-m State--state invalid-j DROP
[Email protected] ~]# iptables-a output-m State--state invalid-j DROP
[Email protected] ~]# iptables-a forward-m State--state invalid-j DROP
allow all established and related connections
[Email protected] ~]# iptables-a input-m State--state established,related-j ACCEPT
[Email protected] ~]# iptables-a output-m State--state established,related-j ACCEPT

[Email protected] ~]#/etc/rc.d/init.d/iptables Save

This will allow you to write to the/etc/sysconfig/iptables file. Remember to re-start the firewall after writing to make it work.

[Email protected] ~]# service iptables restart


do not forget to save, do not write a save once. You can save, experiment and see if it meets your requirements . I've tried all the rules above, no problem. It took me nearly 1 months to write this article. Look for information, do your own experiments, I hope to help you. If there is incomplete and imperfect place also please raise. because this article is configuration-oriented. The basic knowledge of iptables and instructions for command and instruction I will send it as soon as possible, of course, you can go online search, or a lot of.Linux Firewall Iptables Learning note One, overview
1. Firewall classification
The ① packet filtering firewall (pack filtering) selects packets at the network layer and uses access control lists to check the source address, destination address, source and destination port, and IP information of the data stream.
② Proxy-Server firewall
2, Iptables Foundation
① rules: Predefined conditions for network administrators
② Chain (Chains): Is the path of packet propagation
③ table (Tables): Built-in 3 Table Filter table, NAT table, mangle table are used to implement packet filtering network address translation and package refactoring functions
The ④filter table is the system default, input table (incoming package), ForWord (forwarded packet), OUTPUT (processing locally generated packages), and the filter table can only accepting and discard the package.
⑤nat table (network address translation), prerouting (modifies upcoming packets), OUTPUT (modifies packets generated locally before routing), postrouting (modifies outgoing packets)
⑥mangle table, Prerouting,output,forword,postrouting,input
3. Other
Iptables is to read the rules in sequence
Configuration recommendations for firewall rules
Ⅰ rules to be simple
The order of the Ⅱ rules is important
Ⅲ try to optimize the rules
Ⅳ Take notes
Second, the configuration
1. iptables command format
iptables [-t table]-command matching operation (case sensitive)
Action Options
Accept Receive Packets
Drop Drop Packet
REDIRECT the packet back to one of the ports on the local or another host, usually with the ability to implement transparent proxies or to open some services in the intranet
SNAT Source Address Translation
DNAT Destination Address Translation
Masquerade IP Spoofing
Log logging feature
2. Define Rules
① rejects all packets before allowing the required packets
Iptalbes-p INPUT DROP
Iptables-p FORWARD DROP
Iptables-p OUTPUT ACCEPT
② View the list of rules for all chains of a NAT table
Iptables-t nat-l
③ Add, insert, delete, and replace rules
iptables [-t table name] <-a| i| d| r> chain name [rule number] [-i|o NIC name] [-P protocol type] [-s source ip| source subnet] [--sport source port number] [-D destination ip| target subnet] [--dport target port number] [-j action]
Parameter:-A increase
-I Insertion
-D Delete
-R Replacement

Iii. examples
①iptables-t filter-a input-s 192.168.1.5-i eth0-j DROP
Disable IP-192.168.1.5 hosts from eth0 access native ②iptables-t filter-i INPUT 2-s 192.168.5.0/24-p tcp--dport 80-j DROP
Disable subnet 192.168.5.0 Access Web service ③iptables-t filter-i INPUT 2-s 192.168.7.9-p tcp--dport ftp-j DROP
Disable IP access to FTP service for 192.168.7.9
④iptables-t filter-l INPUT
To view the rules of the input chain in the filter table
⑤iptables-t nat-f
Remove all rules from the NAT table
⑥iptables-i forward-d wwww.playboy.com-j DROP
Disable access to the Www.playboy.com website
⑦iptables-i forward-s 192.168.5.23-j DROP
Prohibit 192.168.5.23 Internet reference website: https://i.cnblogs.com/EditPosts.aspx?opt=1

Linux under Iptables configuration (Firewall command)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.