1. Close INPUT, FORWARD and OUTPUT completely, then open only certain ports.
Here is the command implementation:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Then use the command
iptables -L -n
to check that it is all set up.
Such a setup is only temporary: restarting the server restores the original, unconfigured state,
so save it with service iptables save:
service iptables save
To see where the firewall rules go: they are actually saved in /etc/sysconfig/iptables,
and you can open and view the file with vi /etc/sysconfig/iptables.
2. Below I open only port 22. See how I do it: it is the following 2 statements.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Then run iptables -L -n to see that they have been added:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
Now the Linux server has only port 22 open; test with putty.exe whether you can connect.
If you can connect, there is no problem.
Finally, don't forget to save your firewall settings.
Save with the command: service iptables save
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Some explanation of these 2 commands:
The -A parameter appends a rule to the named chain, here INPUT.
-p specifies the protocol. We commonly use TCP, but of course there is also UDP, for example DNS on port 53.
When we configure DNS on port 53 later, you will find that it uses the UDP protocol.
--dport is the destination port: it is used when data comes from outside to the server, the server being the destination.
Conversely, for data leaving the server we match on the source port, --sport.
-j specifies the target: ACCEPT to accept the packet, or DROP to refuse it.
3. Prohibit access from one IP
1 Linux server, 2 Windows XP machines accessing it.
Linux server IP: 192.168.1.99
XP1 IP: 192.168.1.2
XP2 IP: 192.168.1.8
Let's first check that both XP machines can access the server.
192.168.1.2, XP1, can access it,
and 192.168.1.8, XP2, can also access it normally.
So now I'm going to ban access from 192.168.1.2 (XP1) while XP2 keeps normal access.
Here is the demo, using the command:
iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP
This means: -A appends a new rule. What is the rule? Since we visit the website over TCP,
we use -p tcp (if it were UDP we would write udp; here it is TCP). -s means source:
the packets come from IP 192.168.1.2. -j is how we reject them, which here should be DROP.
Well, look at the effect. It was added successfully. Verify that it is in effect:
the page stays in a waiting state and in the end cannot be displayed, so access from XP1 at 192.168.1.2 was denied.
Then see whether the other XP can still access it: 192.168.1.8 is able to access the server normally.
4. How to delete a rule
First we need to know the number of the rule; each rule has a number.
Rules and their numbers can be displayed with iptables -L -n --line-numbers
iptables -L -n --line-numbers
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
There is one more column, num, so we can see that the rule we just added corresponds to number 2.
Then we can delete it:
iptables -D INPUT 2
This deletes rule number 2 in the INPUT chain.
Run iptables -L -n again to see that it has been cleared.
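As an added example (not code from the original post): a small POSIX sh helper that reads a rule's number out of iptables -L -n --line-numbers output and emits the delete commands highest number first, so that deleting one rule does not shift the numbers of the rules still to be deleted. The listing is a constructed sample, so the script runs without root or iptables; on a real host you would feed it "$(iptables -L INPUT -n --line-numbers)" instead.

```shell
#!/bin/sh
# Added example, not code from the original post.  Works on a constructed
# listing so it needs neither root nor iptables.

# Constructed sample of: iptables -L INPUT -n --line-numbers
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# rule_number LISTING TARGET PORTSPEC
# Prints the "num" column of the first rule whose target (ACCEPT/DROP) and
# last field (e.g. dpt:21) both match; prints nothing when nothing matches.
rule_number() {
    printf '%s\n' "$1" | awk -v target="$2" -v port="$3" '
        $1 ~ /^[0-9]+$/ && $2 == target && $NF == port { print $1; exit }'
}

# delete_commands CHAIN NUM...
# Emits one "iptables -D CHAIN NUM" per number, highest number first:
# iptables renumbers the remaining rules after every deletion, so deleting
# from the bottom up keeps the lower numbers valid.
delete_commands() {
    chain=$1
    shift
    printf '%s\n' "$@" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Usage: remove the rules for ports 21 and 80 from the sample listing.
n21=$(rule_number "$SAMPLE_LISTING" DROP dpt:21)   # 2
n80=$(rule_number "$SAMPLE_LISTING" DROP dpt:80)   # 3
delete_commands INPUT "$n21" "$n80"
# Deleting by rule specification needs no numbers at all and is not affected
# by renumbering:  iptables -D INPUT -p tcp --dport 21 -j DROP
```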
5. Filter invalid packets
Suppose someone has got into the server, or there is a virus or trojan, which can transmit data out through ports 22 and 80 just as the server does.
How does that differ from our normal access to ports 22 and 80? It sends data outward that we never requested by visiting the web page,
whereas the server only sends packets in response to a request.
Now we are going to block those packets that are not responses to a request.
iptables provides a match that checks connection state; let's configure ports 22 and 80 to prevent invalid packets.
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Compared with what we used before:
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
there is one more state check.
Do the same for port 80, then delete the original 2 rules.
Review the rules with their numbers; we just need the numbers.
Delete the corresponding rule.
The 1 here represents the first rule.
When you delete the previous rule, the numbers of the rules after it change as well.
OK, we have removed the previous 2 rules, and port 22 can still be used normally, which means there is no problem.
Save below, and don't forget, otherwise a reboot will revert to the original look.
service iptables save
To save:
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
In fact, the rules you just set are written to the /etc/sysconfig/iptables file.
6. DNS port 53 settings
Let's take a look at how to set iptables to open the DNS port, which is port 53.
Currently only ports 22 and 80 are open; now I check whether I can resolve a domain name.
host www.google.com
After entering this command it just waits, showing that DNS does not get through.
The following prompt appears:
;; connection timed out; no servers could be reached
Pinging the domain does not get through either:
# ping www.google.com
ping: unknown host www.google.com
The reason here is that iptables restricts port 53.
Some servers, especially web servers, become slow, and this is actually DNS-related: they cannot send packets to the DNS server.
Below is a demonstration of how to use iptables to open port 53 for DNS. If you do not know the port number of the domain name service,
you can use the command:
grep domain /etc/services
# grep domain /etc/services
domain          53/tcp          # name-domain server
domain          53/udp
domaintime      9909/tcp        # domaintime
domaintime      9909/udp        # domaintime
See, we generally use the UDP protocol.
OK, start setting ...
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
When we ping a domain name, the data goes out from this machine, so we set OUTPUT first;
we follow the sequence of the ping process to set the rules.
Then the DNS server receives the packet we sent and responds with a reply:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
You also set:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
OK, now test. You can use iptables -L -n to view the settings and make sure there is no problem before testing:
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
Now test whether DNS can pass through iptables:
# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99
The Google domain name resolves normally.
There may be some things still to set up for ping.
Take a look at nslookup:
# nslookup
> www.google.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.
www.l.google.com        canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104
This shows that local DNS is OK: iptables allows access to port 53.
7. iptables settings for FTP
Now I start setting up the FTP ports; as in our previous video, add the ports that need to be open.
The FTP connection uses 2 ports, 21 and 20, and I now add the corresponding rules:
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
OK, that is done. But when we use the browser to access the FTP server, there is a timeout.
So, as I just said, FTP is a more special case: it also has data transfer ports,
which are used for things like directory listings, uploads and downloads.
And these ports can be any port ... this one is really more special.
If you do not specify a port range, it is hard for iptables to open "any port",
and if iptables allowed access on any port, that would be the same as not having a firewall, so that is unrealistic.
Our solution is therefore to specify a range for the data ports.
Let's modify the FTP configuration file.
I use vsftpd here for the demo; for other FTP servers I do not know where to modify this, you can look for information.
# vi /etc/vsftpd.conf
At the bottom of the configuration file, add
pasv_min_port=30001
pasv_max_port=31000
Then save and exit.
These two lines tell vsftpd that the ports used to transmit data are within the range 30001 to 31000.
So iptables can do much better now: we open ports 30001 to 31000.
# iptables -A INPUT -p tcp --dport 30001:31000 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 30001:31000 -j ACCEPT
# service iptables save
After saving, we use the browser to access the FTP server again, and it can be accessed normally.
Log in with an account, there is no problem; upload some files to see.
Both uploads and downloads are normal. Now look at the iptables settings:
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:30001:31000

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:30001:31000
This is my simple rule set to demonstrate the special FTP ports; you can add some validation of the packets,
such as -m state --state ESTABLISHED,RELATED and so on, for stricter checking.
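Pulling sections 1 to 7 together, as an added example that is not code from the original post: a POSIX sh function that emits the whole ruleset as one iptables-restore file, with the default DROP policies, the banned host, and stateful ACCEPT rules for SSH, HTTP, DNS, FTP and the vsftpd passive range. Loading it with iptables-restore applies everything atomically, so the DROP policies never take effect before the ACCEPT rules exist (setting -P DROP first on a live SSH session would cut that session). The IP 192.168.1.2 and the port numbers are the ones used above; nf_conntrack_ftp is the kernel's FTP connection-tracking helper, mentioned only as an alternative.

```shell
#!/bin/sh
# Added example, not code from the original post.  Builds the rules from
# sections 1-7 as one iptables-restore file instead of separate -A calls.

# ruleset BLOCKED_IP -> prints an iptables-restore file on stdout
ruleset() {
    blocked=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is needed by local services and by tools that talk to a local resolver
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# section 3: the banned host goes first, because the first matching rule wins
-A INPUT -s $blocked -j DROP
# section 5: packets belonging to connections we already accepted, nothing else
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# sections 2 and 7: new inbound connections only on the service ports
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# vsftpd passive range from pasv_min_port/pasv_max_port; with the
# nf_conntrack_ftp module loaded these become RELATED and this line can go
-A INPUT -p tcp --dport 30001:31000 -m state --state NEW -j ACCEPT
# active-mode data connection, which the server itself opens from port 20
-A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT
# section 6: the server may start DNS queries; the answers come back as ESTABLISHED
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rule_count BLOCKED_IP -> number of -A lines, a quick sanity check
rule_count() {
    ruleset "$1" | grep -c '^-A '
}

# Usage on a real host (needs root):
#   ruleset 192.168.1.2 | iptables-restore && service iptables save
ruleset 192.168.1.2
```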
Linux under Iptables forbidden ports and open ports