Linux iptables instance configuration

Source: Internet
Author: User
Tags: ftp connection

1. Configure a filter table firewall
(1) Clear the original rules.
Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all the filter rules.
[root@tp ~]# iptables -F    (clear the rules in all chains of the default filter table)
[root@tp ~]# iptables -X    (delete the user-defined chains in the default filter table)
[root@tp ~]# iptables -L -n    (view the firewall)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Nothing is listed, just as if the firewall had not been started when Linux was installed.
[root@tp ~]# /etc/rc.d/init.d/iptables save    (save the firewall configuration file)
[root@tp ~]# service iptables restart    (restart the firewall)
(2) Set the default policies
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP

1. For the INPUT and FORWARD chains of the iptables filter table, how should packets that match none of the rules in those two chains be handled? They are dropped (DROP). This is the secure choice: we want to control the packets that come in.
2. For the OUTPUT chain, that is, outgoing packets, we do not need to impose many restrictions, so we use ACCEPT: a packet that matches no rule is allowed through.
3. In other words, for the INPUT and FORWARD chains we write rules for which packets are allowed through, while for the OUTPUT chain we write rules for which packets are not allowed through.
4. This setup is quite reasonable. You can of course set all three chains to DROP, but I do not think it is necessary, and the number of rules to write increases. If you only need a limited set of rules, for example only a web server, we recommend setting all three chains to DROP.
5. If you are logged in remotely over SSH, you will be cut off as soon as you enter the first command and press Enter, because no rules have been set yet.


(3) Add rules.
First, add rules to the INPUT chain.
The default policy of the INPUT chain is DROP, so we write the rules that need ACCEPT.

[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT    (open port 22 to allow SSH connections)
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT    (open port 22 for SSH replies; only needed if the OUTPUT policy is DROP)
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT    (open port 80 for the web service)
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT    (open port 110 for the mail service)
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT    (open port 25 for the mail service)
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT    (open port 21 for the FTP service)
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT    (open port 20 for the FTP service in active mode)
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT    (open port 53 for the DNS service)
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (allow ICMP packets through, that is, allow ping)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT    (allow ICMP packets through, that is, allow ping)
[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT    (allow all traffic on the loopback interface)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    (allow all traffic on the loopback interface)

Next, write the OUTPUT chain.
The default policy of the OUTPUT chain is ACCEPT, so we write the rules that need DROP (discard).
Reduce connections on insecure ports:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Some trojans scan for services on ports 31337 to 31340 (the "elite" ports in hacker jargon). Since legitimate services do not use these non-standard ports to communicate, blocking them can effectively reduce the chance that machines on your network that may be infected communicate on their own with their remote master servers. The same applies to other ports, such as 31335, 27444, 27665, 20034, 9704, 137-139 (SMB) and 2049 (NFS); I have not listed them all here, so check the relevant information if you are interested. Of course, for more security you can set the OUTPUT chain policy to DROP, in which case you add more rules, just as the SSH login was allowed above.
More detailed rules are as follows:

[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT    (we only allow SSH connections from the machine 192.168.0.3)
[root@tp ~]# iptables -A INPUT ! -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT    (we do not allow the machine 192.168.0.3 to make SSH connections)

If you want to allow or restrict a range of IP addresses, 192.168.0.0/24 means all addresses 192.168.0.1-255, where 24 is the length of the subnet mask; ! 192.168.0.3 means every address except 192.168.0.3. Remember to delete the line -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT from /etc/sysconfig/iptables, because it means that every address can log in.
Or use the command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Below is the FORWARD chain.
The default policy of the FORWARD chain is DROP, so we write the rules that need ACCEPT.
Control the forwarding chain and enable forwarding (when doing NAT, the default FORWARD policy is DROP, so this must be done):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets (new connections that do not begin with a SYN):
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the number of IP fragments processed to prevent attacks; 100 IP fragments per second are allowed:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set ICMP packet filtering to allow 1 packet per second, with a burst trigger of 10:
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

2. Configure a NAT table
(1) View the local NAT settings
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
My NAT is already configured (it only provides the simplest shared Internet access, and no firewall rules have been added). Of course, if you have not configured NAT, you do not need to clear the rules, because the NAT table is empty by default. If you want to clear it, run the following commands:

[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat

(2) Add rules
Add the basic NAT address translation and then the rules. Since the default policy of every chain is ACCEPT, we only add DROP rules.
Prevent spoofing from the Internet using intranet (private) source addresses:

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP


If we want to block MSN, QQ, BT and the like, we need to find the ports or IP addresses they use. For example:

[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP    (block all connections to 211.101.46.253)
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP    (block the FTP port (21))
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP    (this blocks only FTP connections to 211.101.46.253; other connections, for example web (port 80), are still allowed)

Drop invalid connections:

[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP

Allow all established and related connections:

[root@tp ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
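As an added example that is not part of the original article, the following POSIX shell function generates the filter-table ruleset from section 1 together with the INVALID and RELATED,ESTABLISHED state rules just above, in iptables-restore format, so it can be checked with iptables-restore --test before it touches the running firewall. It goes slightly beyond the article: the state rules come before the per-port rules (so an open SSH session survives the switch to a DROP policy, the problem noted in item 5), the service rules match NEW connections only, and DNS is opened on UDP as well as TCP; the management host 192.168.0.3 and the TCP_SERVICES list are assumed values.

```shell
#!/bin/sh
# Generates the article's filter table as an iptables-restore ruleset.
# Constructed example: ADMIN_HOST and TCP_SERVICES are assumed values.
ADMIN_HOST="${ADMIN_HOST:-192.168.0.3}"      # assumed management host allowed to SSH in
TCP_SERVICES="${TCP_SERVICES:-80 110 25 21}"  # web, POP3, SMTP, FTP control (article's ports)

filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local resolvers and mail queues break without it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# State rules before the per-port rules: replies to allowed traffic match here,
# and an SSH session that is already open survives the switch to policy DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New SSH connections only from the management host
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    # One NEW-only rule per service port; established traffic is matched above
    for port in $TCP_SERVICES; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# DNS answers arrive over UDP as well as TCP, so both are needed on port 53
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# Active-mode FTP data leaves from the server's port 20, which OUTPUT ACCEPT
# already covers; passive mode needs the nf_conntrack_ftp helper instead
# ICMP rate-limited as the article does on FORWARD
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Outbound block of the 31337 backdoor port from the article
-A OUTPUT -p tcp --dport 31337 -j DROP
-A OUTPUT -p tcp --sport 31337 -j DROP
COMMIT
EOF
}

# Number of -A rules in the generated set, for a sanity check before applying
rule_count() { filter_ruleset | grep -c '^-A'; }

# Validate without touching the running firewall, then apply:
#   filter_ruleset | iptables-restore --test && filter_ruleset | iptables-restore
```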