Blocking and opening ports with iptables on Linux

Source: Internet
Author: User
Tags: ftp, connection, domain, server, nslookup

1. Set INPUT, FORWARD and OUTPUT to drop everything, then open only certain ports.
Here are the commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Then run

iptables -L -n

to check that the policies are all set.

Do this from the console rather than over SSH: a DROP policy with no ACCEPT rules yet also cuts off the session you are typing in.

Such a setup is only temporary; restarting the server restores the previous, unconfigured state. Save it with service iptables save:

service iptables save

The firewall rules are actually stored in /etc/sysconfig/iptables.

You can open that file to view them: vi /etc/sysconfig/iptables

2. Below I open only port 22. Here is how, using the following two statements:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Run iptables -L -n again to check whether they were added; they are:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22

Now the Linux server has only port 22 open. Test with putty.exe whether you can still connect.
If you can, there is no problem.

Finally, don't forget to save your firewall settings.
Save with the command: service iptables save

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Some explanation of these two commands.
-A appends a rule to the named chain, here INPUT (or OUTPUT).
-p specifies the protocol. We mostly use TCP, but there is also UDP, for example DNS on port 53; when we configure DNS on port 53 later, you will see that it uses UDP.
--dport is the destination port: the port the data is addressed to when it comes from outside into the server.
Conversely, for data leaving the server we match on the source port, --sport.
-j specifies the target: ACCEPT to allow the packet, or DROP to discard it.

3. Blocking one IP address
One Linux server and two Windows XP machines that access it:
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8

First let's check that both XP machines can reach the server.

192.168.1.2, XP1, can access it,
and 192.168.1.8, XP2, can also access it normally.

Now I am going to block access from 192.168.1.2 (XP1) while XP2 keeps normal access.
Here is the demo.

The command:

iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP

This means: -A appends a new rule. What rule? Since we visit the website over TCP,
we use -p tcp (if it were UDP we would write udp; here it is tcp). -s is the source:
the packet comes from 192.168.1.2. -j says what to do with it, and since we want to reject it, DROP.

Now look at the effect. The rule was added successfully; verify that it is in effect.

The browser sits in the waiting state and finally reports that the page cannot be displayed: access from 192.168.1.2 (XP1) has been denied.

Then check whether the other XP can still get in: 192.168.1.8 accesses the server normally.


4. How to delete a rule
First we need to know the number of the rule; each rule has a number.

Rules and their numbers can be displayed with iptables -L -n --line-numbers:

# iptables -L -n --line-numbers
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

The extra num column lets us see that the rule we just added is number 2.

Then we can delete it:

iptables -D INPUT 2

This deletes rule number 2 in the INPUT chain.

Run iptables -L -n again: the rule is gone.
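An added helper (not from the post) that reads the --line-numbers listing, finds every rule matching a given destination port, and emits the -D commands highest number first, because deleting rule 2 renumbers rule 4 to 3 and a second -D would then hit the wrong rule. The listing is a constructed sample in the shape shown above; IPT defaults to printing the commands and IPT=iptables applies them (assumes root).

```shell
#!/bin/sh
# Added example: delete iptables rules by number without tripping over the
# renumbering that happens after each deletion.  IPT defaults to printing
# the commands; IPT=iptables applies them (assumption: run as root).
IPT=${IPT:-"echo iptables"}

# Constructed sample of `iptables -L INPUT -n --line-numbers` output, in the
# shape shown above (two rules for port 21 so that the ordering matters).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21'

# rule_numbers <port>: read a listing on stdin and print the num column of
# every rule whose last field is "dpt:<port>" (header lines have no numeric
# first field and are skipped).
rule_numbers() {
  awk -v want="dpt:$1" '$1 ~ /^[0-9]+$/ && $NF == want { print $1 }'
}

# delete_rules <chain> <port>: emit one -D command per matching rule, highest
# number first.  Deleting 2 before 4 would turn rule 4 into rule 3, and the
# second -D would remove the wrong rule (or fail).
delete_rules() {
  chain=$1; port=$2
  rule_numbers "$port" | sort -rn | while read -r n; do
    $IPT -D "$chain" "$n"
  done
}

printf '%s\n' "$SAMPLE_LISTING" | delete_rules INPUT 21
```

For a live chain, pipe the real listing in: iptables -L INPUT -n --line-numbers | IPT=iptables sh -c '. ./delete.sh; delete_rules INPUT 21' (or simply call the function from the script).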


5. Filtering invalid packets
Suppose someone has got into the server, or it has a virus or trojan, which can send data out through port 22 or 80 just like the server does.
How does that differ from our normal use of ports 22 and 80? It sends data outward that nobody requested by visiting the web page;
the server normally only sends packets in response to requests.

Now we are going to block those packets that are not responses to a request.

iptables provides a match that checks the connection state. Let's configure ports 22 and 80 to block invalid packets:

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Compared with what we used before:

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

there is one more condition: the connection state.

Do the same for port 80. Now delete the original two rules:

list the rules with their numbers, so we can see the number of each,

and delete the corresponding rule.

The 1 here represents the first rule.

When you delete a rule, the numbers of the rules after it shift down as well.

OK, we have removed the previous two rules, and port 22 still works normally, so there is no problem.

Save below, and don't forget: otherwise a reboot reverts to the previous state.

service iptables save

Output of the save:

Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
The rules you just set are in fact written to the /etc/sysconfig/iptables file.
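A stateful version of the rules from sections 2, 5 and 6 in one script, added here as an example (not the post's own commands). Instead of a separate --sport ACCEPT for every service, one ESTABLISHED,RELATED rule per chain lets replies through, INVALID packets are dropped, loopback stays open, and the DROP policies are set last so the script does not cut off the session that runs it. IPT defaults to printing the commands; IPT=iptables applies them (assumes root), after which service iptables save persists them as in the post.

```shell
#!/bin/sh
# Added example: one stateful ruleset for the ports used in this post.
# IPT defaults to printing the iptables commands; IPT=iptables applies them
# (assumption: run as root, then `service iptables save` as in the post).
IPT=${IPT:-"echo iptables"}

# Services this host accepts connections for (proto:port).
INBOUND="tcp:22 tcp:80"
# Services this host itself connects out to (DNS from section 6).
OUTBOUND="udp:53 tcp:53"

apply_policy() {
  # Go permissive and flush first, so the flush itself cannot cut off a
  # remote session; the DROP policies are set last, after the ACCEPT rules.
  $IPT -P INPUT ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -F
  # Loopback must stay open or local services break.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  # Replies to connections already in the state table, in both directions.
  # This replaces a separate --sport ACCEPT per service (section 5).
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Packets that belong to no tracked connection: the "invalid packets".
  $IPT -A INPUT -m state --state INVALID -j DROP
  # Only the first packet of a new connection needs a per-port rule.
  for svc in $INBOUND; do
    proto=${svc%%:*}; port=${svc#*:}
    $IPT -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
  done
  for svc in $OUTBOUND; do
    proto=${svc%%:*}; port=${svc#*:}
    $IPT -A OUTPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
  done
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
}

apply_policy
```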


6. DNS port 53 settings
Let's look at how to set iptables to open the DNS port, which is port 53.

Currently only ports 22 and 80 are open. Let me see whether I can resolve a domain name:

host www.google.com

After entering this command it just waits, which shows that DNS is not getting through.

The following message appears:
;; connection timed out; no servers could be reached

Pinging the domain does not work either:

# ping www.google.com
ping: unknown host www.google.com

The reason is that iptables is blocking port 53.

Some servers, especially web servers, become slow, and this is in fact DNS-related: they cannot send packets to the DNS server.

Below is a demonstration of how to use iptables to open port 53 for DNS. If you do not know the port number of the domain name service, you can use the command:

grep domain /etc/services

# grep domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                        # domaintime
domaintime      9909/udp                        # domaintime

See, we generally use the UDP protocol.

OK, start setting up.

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

When we ping a domain name, the query leaves this machine, so we set OUTPUT first;

we follow the order of the ping process when setting the rules.

Then the DNS server receives the packet we sent and responds with a reply:

iptables -A INPUT -p udp --sport 53 -j ACCEPT

Also set the reverse pair (queries arriving at port 53 on this machine, and the replies to them):

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

OK, now test. Use iptables -L -n to view the settings and confirm everything is right before testing:

# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:53

Now test whether DNS gets through iptables:

# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99

The Google domain name now resolves normally.

Ping may still need some extra settings (it uses ICMP, which none of the rules above allow).

Let's also look at nslookup:

# nslookup
> www.google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
www.l.google.com        canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104

So DNS on this machine is fine: iptables now allows access to port 53.

7. iptables settings for FTP
Now I start setting up the FTP ports. As in our previous video, we add the ports that need to be open.
An FTP connection uses two ports, 21 and 20, so I now add the corresponding rules:

# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

OK, that is done. But when we access the FTP server with a browser, it times out.
As I said, FTP is a rather special case: it also uses data transfer ports,
for things like directory listings, uploads and downloads,
and these ports can be any port. That is what makes it special.
If you do not specify a port range, iptables cannot reasonably open "any port",
and if iptables allowed access on any port, that would be the same as having no firewall, which is not realistic.
So our solution is to specify a range for these data ports.
Let's modify the FTP configuration file.
I use vsftpd for this demo; for other FTP servers I do not know where to change it, so look up their documentation.

# vi /etc/vsftpd.conf

At the bottom of the configuration file, add:

pasv_min_port=30001
pasv_max_port=31000

Then save and exit.

These two lines tell vsftpd to use ports in the range 30001 to 31000 for data transfers.

Now we can do much better with iptables: we open ports 30001 to 31000.

# iptables -A INPUT -p tcp --dport 30001:31000 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 30001:31000 -j ACCEPT
# service iptables save

Finally save, then access the FTP server with the browser again: it can be accessed normally.

Log in with an account; no problem. Upload some files to see.

Both uploads and downloads work normally. Now look at the iptables settings:

# iptables -L -n

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:30001:31000

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:30001:31000

These are simple rules just to demonstrate FTP's special ports. You can add packet validation
such as -m state --state ESTABLISHED,RELATED for stricter checking.
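Added example, not the post's own code: read the pasv_min_port/pasv_max_port range out of vsftpd.conf, check that it is usable, and emit the stateful rules for port 21 plus that range, so the firewall and the FTP configuration cannot drift apart. It assumes the config path is passed as the argument (the demo at the end writes a constructed fragment to a temp file) and that replies are handled by an OUTPUT ESTABLISHED,RELATED rule as in the stateful ruleset above.

```shell
#!/bin/sh
# Added example: derive the FTP passive-range firewall rules from vsftpd.conf
# instead of retyping the numbers.  IPT defaults to printing the commands;
# IPT=iptables applies them (assumption: run as root).
IPT=${IPT:-"echo iptables"}

# pasv_range <conf>: print "min max" from pasv_min_port/pasv_max_port, or
# fail if they are missing or the range is not usable.
pasv_range() {
  conf=$1
  min=$(sed -n 's/^pasv_min_port=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
  max=$(sed -n 's/^pasv_max_port=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
  if [ -z "$min" ] || [ -z "$max" ]; then
    echo "passive range not set in $conf" >&2
    return 1
  fi
  if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
    echo "unusable passive range $min-$max" >&2
    return 1
  fi
  echo "$min $max"
}

# ftp_rules <conf>: accept new control connections on 21 and new passive
# data connections in the configured range.  Replies leave through the
# OUTPUT ESTABLISHED,RELATED rule of a stateful ruleset, so no --sport rules
# are needed.  Port 20 is only used by active mode (the server connects out
# from port 20); browsers use passive mode, which is what the range serves.
ftp_rules() {
  range=$(pasv_range "$1") || return 1
  set -- $range   # $1=min $2=max
  $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport "$1:$2" -m state --state NEW -j ACCEPT
}

# Demo with a constructed vsftpd.conf fragment (not a real server's file).
demo_conf=$(mktemp)
printf 'pasv_enable=YES\npasv_min_port=30001\npasv_max_port=31000\n' > "$demo_conf"
ftp_rules "$demo_conf"
rm -f "$demo_conf"
```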
