Nine common iptables configuration examples

Source: Internet
Author: User

The iptables command configures the Linux packet filtering rules and is commonly used to implement a firewall and NAT. Its configuration looks complex, but once the rule syntax is understood it is not hard to make iptables do a specified task. The following examples show its use in detail. All commands require root; rules in a chain are evaluated in order, and -A appends a rule at the end of a chain while -I inserts it at the top.


1. Flush the existing rules

Before loading a new set of iptables rules, make sure the old ones are cleared, otherwise they keep matching ahead of (or behind) the rules you add. The following command flushes every chain of the filter table:

iptables -F    # same as: iptables --flush
iptables -t nat -F    # -F only touches the filter table; flush nat (and mangle) separately if you use them

Flushing does not reset the chain policies (see item 2). If the policy is already DROP, flushing the rules over an SSH session locks you out, so set the policies back to ACCEPT first, or load a complete ruleset atomically with iptables-restore. iptables -X removes the user-defined chains that -F leaves behind empty.


2. Set the chain policies

In the filter table the default policy of every chain is ACCEPT. The following commands change it:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

With these policies any packet that matches no rule is discarded, whether it is received, forwarded or sent, which gives strict control over traffic. Because both directions now default to DROP, every later rule has to be written for INPUT and for OUTPUT separately (or once per direction with a conntrack rule, see item 4). If you trust what the machine itself sends out, the third command can be omitted. Set the policies only after the rules that accept your own management session (loopback and ESTABLISHED traffic) are in place: running iptables -P INPUT DROP on an otherwise empty chain over SSH drops that session too.

 

3. Block a specified IP address

Sometimes an address keeps sending packets to the server. The following commands discard the packets it sends:

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

This discards the TCP packets from x.x.x.x that arrive on eth0; leave out -p tcp to drop every protocol from that address. Rule order matters: -A appends to the end of INPUT, so if an earlier rule already accepts ESTABLISHED traffic, flows the address opened before the block was added keep passing. Insert the block at the top with -I INPUT instead, and verify the position with iptables -L INPUT -n --line-numbers. Keep the variable quoted, as above, so that a malformed value cannot be split into extra command arguments.
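As an added example (not from the original article) of the same block, the following script turns a blocklist file into iptables commands, validating every entry before it reaches the shell and inserting the rules at the top of INPUT. The file format (one entry per line, "#" comments) and the interface name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: build DROP rules from a
# blocklist file. Each entry is validated as an IPv4 address or CIDR before it
# is interpolated into a command, and -I puts the rules at the top of INPUT
# so they are checked before any ESTABLISHED accept rule. The file format
# (one entry per line, "#" comments) is an assumption of this example.

# is_ipv4_cidr STRING -> exit 0 if STRING is a dotted quad with optional /0-32
is_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# blocklist_rules FILE IFACE -> one "iptables -I INPUT ..." line per valid entry
# on stdout, rejected entries on stderr; exit status 1 if anything was rejected
blocklist_rules() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry="${entry%%#*}"                               # strip comments
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -z "$entry" ] && continue
        if is_ipv4_cidr "$entry"; then
            # -I (insert at position 1) rather than -A, so the block precedes
            # the conntrack ESTABLISHED accept and closes flows already open
            printf 'iptables -I INPUT -i %s -s %s -j DROP\n' "$2" "$entry"
        else
            printf 'rejected blocklist entry: %s\n' "$entry" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Stand-alone run against a constructed list (documentation addresses, not
# real attackers); pipe the output into sh to apply it.
demo=$(mktemp)
printf '%s\n' '203.0.113.7' '198.51.100.0/24  # scanner range' '300.1.1.1' '$(reboot)' > "$demo"
blocklist_rules "$demo" eth0 || echo "some entries were rejected" >&2
rm -f "$demo"
```

Review the printed commands (or diff them against the previous run) before piping them into sh; the rejected entries on stderr are exactly the ones that would have been a problem unquoted.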

 

4. Configure service rules

With iptables we can restrict the commonly used services. For example, allow SSH to this machine only from a specified network segment, on a specified interface:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

For SSH connections from this machine to others in that segment the roles are reversed: the connection is initiated from a local port towards the remote port 22, so NEW is allowed on OUTPUT and only ESTABLISHED on INPUT:

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --sport 22 -m state --state ESTABLISHED -j ACCEPT

Services that use a TCP connection in the same way, such as HTTP/HTTPS (80/443), POP3 (110), rsync (873) and MySQL (3306), are configured with the same pair of rules and their own port numbers. On current kernels -m state is an alias of -m conntrack --ctstate, and a single ESTABLISHED,RELATED rule per chain, placed before the service rules, replaces the ESTABLISHED half of every pair.

DNS runs over UDP; the following rules enable outbound lookups:

iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT

Note that the second rule accepts any UDP packet whose source port is 53, whether or not this host asked for it. Conntrack tracks UDP as well, so matching the replies with --state ESTABLISHED is tighter.
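Items 2 and 4 together describe a baseline host firewall. The following script is an added example, not code from the original article: it generates that baseline as an iptables-restore file, so the DROP policies and the rules that keep your own SSH session alive are loaded in one atomic step rather than as a sequence of commands with a window in between, and it lints the result for the lock-out case. The interface name, the admin subnet and the set of services are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: build the ruleset of items 2
# and 4 as one iptables-restore file so that policies and rules are loaded in
# a single atomic step, and lint it for the classic lock-out mistake.
# Assumptions (not in the article): a single interface WAN_IF, an admin
# subnet ADMIN_NET allowed to SSH in, the host serves HTTP/HTTPS and makes
# outbound DNS and SSH connections.

# gen_baseline_rules ADMIN_NET WAN_IF  -> iptables-restore text on stdout
gen_baseline_rules() (
    admin_net="$1"; wan_if="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback traffic is used by many local daemons
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one conntrack rule per direction replaces the ESTABLISHED half of every service pair
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound services: SSH from the admin subnet only, web from anywhere
-A INPUT -i $wan_if -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# outbound connections this host may open: DNS (UDP and TCP) and SSH
-A OUTPUT -o $wan_if -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $wan_if -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $wan_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
)

# lint_ruleset  (reads iptables-restore text on stdin)
# Fails if INPUT or OUTPUT has policy DROP but no rule accepting ESTABLISHED
# traffic, which is exactly the state that cuts off the session loading it.
lint_ruleset() {
    awk '
        BEGIN { bad = 0 }
        /^:(INPUT|OUTPUT) DROP/ { drop[substr($1, 2)] = 1 }
        /^-A INPUT .*--ctstate [A-Z,]*ESTABLISHED/  { est["INPUT"] = 1 }
        /^-A OUTPUT .*--ctstate [A-Z,]*ESTABLISHED/ { est["OUTPUT"] = 1 }
        END {
            for (c in drop)
                if (!(c in est)) {
                    print "lock-out risk: policy DROP on " c " without an ESTABLISHED accept"
                    bad = 1
                }
            exit bad
        }'
}

# Stand-alone run: lint the ruleset for a constructed admin subnet, then print it.
# To apply for real:  gen_baseline_rules 192.168.100.0/24 eth0 | iptables-restore
gen_baseline_rules 192.168.100.0/24 eth0 | lint_ruleset && gen_baseline_rules 192.168.100.0/24 eth0
```

Run iptables-restore --test on the generated text first for a syntax check. The generator uses -m conntrack, the current name of the -m state match used in the article, and needs one NEW rule per service instead of the ESTABLISHED pairs.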

 

5. Configure forwarding between interfaces

On a server used as a firewall or gateway, one interface is connected to the public network and the packets arriving on the other interfaces are forwarded to it so that the intranet can communicate with the outside. Assume eth0 is connected to the intranet and eth1 to the public network. The forwarding rules are:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

The second rule lets the replies come back; with the FORWARD policy set to DROP in item 2 and only the first rule, intranet hosts could send but never receive. Forwarding must also be switched on in the kernel (sysctl -w net.ipv4.ip_forward=1), and private intranet addresses need source NAT on the way out (iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE), otherwise the public side has no route back to them.

 

6. Configure port forwarding

Individual ports can also be redirected with iptables, using the nat table:

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22

This rewrites packets arriving for port 422 so that they are delivered to port 22, and SSH can then be reached through port 422. The nat PREROUTING chain is traversed before the filter INPUT chain, so the filter rules see the translated destination port: the port 22 rules from "Configure service rules" already cover these connections, and an INPUT rule for port 422 would never match. When the target is the same host, as here, -j REDIRECT --to-ports 22 does the same without naming the address; when the target is another host behind the gateway, a FORWARD rule accepting that host and port is needed as well.
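An added example covering items 5 and 6 together (not the article's own commands): the functions print the full set of commands for a gateway with an Internet-facing eth1 and an intranet eth0, including the kernel setting, the reply direction, source NAT, a DNAT-published internal service and the local 422 to 22 redirect. Interface names, the LAN prefix and the published hosts are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: the complete command set for a
# two-interface gateway, combining items 5 and 6. The functions only print the
# commands so the result can be reviewed before it is piped into sh. Interface
# names, the LAN prefix and the published services are assumptions.

# gateway_rules WAN_IF LAN_IF LAN_NET
gateway_rules() (
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
# routing must be on, or the FORWARD chain is never consulted
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
# replies to flows the LAN opened
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet, only from the LAN prefix (drops spoofed sources on the inside)
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
# rewrite LAN sources to the gateway's public address on the way out
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
)

# publish_tcp WAN_IF EXT_PORT INT_IP INT_PORT
# DNAT happens in nat PREROUTING, before the filter FORWARD chain, so the
# accept rule matches the translated address and port, not the public ones.
publish_tcp() (
    wan="$1"; ext="$2"; ip="$3"; port="$4"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan" "$ext" "$ip" "$port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$wan" "$ip" "$port"
)

# redirect_local WAN_IF EXT_PORT LOCAL_PORT: the article's 422 -> 22 case for a
# service on the gateway itself; the existing INPUT rule for LOCAL_PORT covers it.
redirect_local() (
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2" "$3"
)

# Stand-alone run: eth1 faces the Internet, eth0 the 192.168.100.0/24 LAN, an
# internal web server is published on port 80 and the gateway's SSH on 422.
gateway_rules eth1 eth0 192.168.100.0/24
publish_tcp eth1 80 192.168.100.10 80
redirect_local eth1 422 22
```

The back end published with publish_tcp must route its replies through the gateway (default route via the LAN address) or the DNAT connections are answered from the wrong path; if that cannot be arranged, add a POSTROUTING SNAT for the forwarded flows as well.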

 

7. DoS attack mitigation

With the limit extension module we can configure iptables rules that cap the rate at which new connections are accepted:

iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --syn -j DROP

--limit 25/minute is the sustained average rate: the match earns back one token every 2.4 seconds (60/25).

--limit-burst 100 is the size of the token bucket, that is, how many matches are allowed at once before the 25/minute rate takes over. It does not mean that the limit only starts once 100 connections have been seen.

Each packet that matches takes a token and is accepted; a packet that arrives when the bucket is empty does not match, falls through to the next rule, and is dropped by the second line. Without that second rule the limit rule only ever accepts, and the excess still reaches the chain policy. The limit module counts packets, not connections, which is why --syn is added here so that connection attempts rather than every data segment are rate-limited, and it keeps a single bucket for the whole rule, so one noisy source exhausts it for everyone; the hashlimit module (-m hashlimit --hashlimit-mode srcip) keeps a bucket per source address instead.
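The following token-bucket model is an added example, not part of the original article. It shows what --limit and --limit-burst do to a stream of packets: the bucket starts full with BURST tokens, one token is added back every 60000/RATE milliseconds, and a packet matches only if it can take a token. The rate, burst and packet spacing used below are chosen for illustration, and the model follows the documented behaviour of the limit match rather than reproducing the kernel's credit arithmetic exactly.

```shell
#!/bin/sh
# Added example, not from the original article: a token-bucket model of
# "-m limit --limit RATE/minute --limit-burst BURST". The bucket starts full
# with BURST tokens, gains one token every 60000/RATE ms, and a packet matches
# only if a token is available. Approximates the kernel's limit match; the
# kernel's own credit arithmetic rounds slightly differently.

# limit_sim RATE_PER_MIN BURST PACKETS GAP_MS -> number of packets that match
# when PACKETS packets arrive GAP_MS apart
limit_sim() (
    rate="$1"; burst="$2"; n="$3"; gap="$4"
    refill=$(( 60000 / rate ))      # milliseconds per token
    tokens="$burst"; carry=0; matched=0; i=0
    while [ "$i" -lt "$n" ]; do
        if [ "$i" -gt 0 ]; then carry=$(( carry + gap )); fi
        # add back the tokens earned since the last packet, never above BURST
        while [ "$carry" -ge "$refill" ]; do
            carry=$(( carry - refill ))
            if [ "$tokens" -lt "$burst" ]; then tokens=$(( tokens + 1 )); fi
        done
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 )); matched=$(( matched + 1 ))
        fi
        i=$(( i + 1 ))
    done
    echo "$matched"
)

# Stand-alone run: the article's rule (25/minute, burst 100) against a flood
# of 200 SYNs arriving 100 ms apart, and against quieter clients.
echo "flood of 200 at 10/s: $(limit_sim 25 100 200 100) match, the rest fall through to DROP"
echo "50 connections at 10/s: $(limit_sim 25 100 50 100) match (all within the burst)"
echo "1 connection/s with --limit 60/minute --limit-burst 5: $(limit_sim 60 5 30 1000) of 30 match"
```

The flood case makes the semantics visible: the first 100 packets pass on the burst, and over the remaining 20 seconds only the tokens earned at 25/minute (about 8) let further packets through, whatever the packet rate.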

 

8. Configure web traffic balancing

We can use one server as a front end and let iptables distribute incoming connections across several back ends. The original article uses the nth extension, which came from patch-o-matic and is not part of current iptables; the statistic module in mainline provides the same round-robin match:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -j DNAT --to-destination 192.168.1.103:80

These rules balance new connections to port 80 over three servers. Each statistic rule keeps its own counter and only sees the packets the rules above it did not take, so the first rule takes one connection in three, the second takes half of the remaining two thirds, and the third takes everything that is left; three rules each with --every 3 would leave a share of the connections unmatched. DNAT rules belong in the nat table (-t nat), and the front end needs the FORWARD rules from item 5, with the back ends routing their replies back through it (or the front end also applying source NAT to the forwarded connections).
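An added example, not from the article: a model of a three-rule statistic chain with per-rule counters, run over a constructed batch of connections, which shows why the rules need --every 3, --every 2 and a catch-all rather than --every 3 three times.

```shell
#!/bin/sh
# Added example, not from the original article: a model of how a chain of
# "-m statistic --mode nth --every N --packet 0" rules with per-rule counters
# distributes new connections. Each rule counts only the packets that reach
# it and matches when its own counter is a multiple of N; N=0 stands for a
# rule without a statistic match (catch-all).

# nth_sim EVERY1 EVERY2 EVERY3 PACKETS -> "hits1 hits2 hits3 unmatched"
nth_sim() (
    e1="$1"; e2="$2"; e3="$3"; n="$4"
    c1=0; c2=0; c3=0; h1=0; h2=0; h3=0; miss=0; i=0
    while [ "$i" -lt "$n" ]; do
        if [ "$e1" -eq 0 ] || [ $(( c1 % e1 )) -eq 0 ]; then
            h1=$(( h1 + 1 ))
        else
            # rule 2 only sees the packets rule 1 passed over
            if [ "$e2" -eq 0 ] || [ $(( c2 % e2 )) -eq 0 ]; then
                h2=$(( h2 + 1 ))
            else
                # rule 3 only sees what rules 1 and 2 passed over
                if [ "$e3" -eq 0 ] || [ $(( c3 % e3 )) -eq 0 ]; then
                    h3=$(( h3 + 1 ))
                else
                    miss=$(( miss + 1 ))     # no DNAT: delivered to the front end itself
                fi
                c3=$(( c3 + 1 ))
            fi
            c2=$(( c2 + 1 ))
        fi
        c1=$(( c1 + 1 ))
        i=$(( i + 1 ))
    done
    echo "$h1 $h2 $h3 $miss"
)

# Stand-alone run over 9 connections: the naive configuration versus the
# every-3 / every-2 / catch-all chain.
echo "every 3, 3, 3 (hits per back end, unmatched): $(nth_sim 3 3 3 9)"
echo "every 3, 2, catch-all:                         $(nth_sim 3 2 0 9)"
```

In the naive configuration the unmatched connections are not lost on the wire: they are simply not DNATed and land on the front end's own port 80, which is usually not what was intended.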

 

9. Log the discarded packets

With the LOG target and the syslog service we can record the packets a chain drops, together with the protocol and ports involved. For example, the following records everything that reaches the end of INPUT without being accepted.

First, define a chain:

iptables -N LOGGING

Next, send the packets that no earlier INPUT rule accepted to the LOGGING chain (make this the last rule in INPUT, since the chain drops everything it receives):

iptables -A INPUT -j LOGGING

Set the log prefix and log level, rate-limited so that a flood cannot fill the disk:

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables packet dropped: " --log-level 7

Finally, drop the packets:

iptables -A LOGGING -j DROP

LOG is a non-terminating target, so the DROP rule after it is what actually discards the packet. The messages are written to the kernel log facility at level 7 (debug); configure syslog.conf (rsyslog.conf on current systems) to route kern.debug to a file of its own. Keep the trailing space in the prefix so that it does not run into the IN= field that follows it.
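As an added example (not part of the original article), the following script summarises the log lines the LOGGING chain produces: drops per source, protocol and destination port, and the sources noisy enough to feed into the blocklist of item 3. The log excerpt is constructed with documentation addresses, with one line from another daemon included to show that the filter ignores it.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the LOG lines that
# the LOGGING chain of item 9 produces. The input is a constructed kernel-log
# excerpt using documentation addresses, not captured traffic; the prefix is
# the one set in the LOGGING chain above.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 gw kernel: [ 812.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw sshd[1410]: Accepted publickey for admin from 192.168.100.5 port 50122 ssh2
Mar  3 10:15:31 gw kernel: [ 842.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:01 gw kernel: [ 872.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=7121 DF PROTO=TCP SPT=60010 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:16:31 gw kernel: [ 902.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:17:01 gw kernel: [ 932.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=7122 DF PROTO=TCP SPT=60011 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:17:31 gw kernel: [ 962.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=7123 DF PROTO=TCP SPT=60012 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:18:01 gw kernel: [ 992.100] iptables packet dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
)

# drop_summary  (log lines on stdin) -> "count SRC PROTO DPT", most frequent first
drop_summary() {
    awk '
        /iptables packet dropped:/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # flag words such as DF or SYN
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "PROTO") proto = v
                else if (k == "DPT") dpt = v
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (key in count) print count[key], key }' | sort -rn
}

# noisy_sources MIN  (log lines on stdin) -> "count SRC" for sources with at
# least MIN dropped packets: candidates for the blocklist of item 3
noisy_sources() {
    awk -v min="$1" '
        /iptables packet dropped:/ {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
        }
        END { for (s in hits) if (hits[s] >= min) print hits[s], s }' | sort -rn
}

# Stand-alone run over the constructed excerpt
echo "drops by source, protocol and destination port:"
printf '%s\n' "$SAMPLE_LOG" | drop_summary
echo "sources with 3 or more drops:"
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

Feed a real kernel log through the same functions (journalctl -k or the file that rsyslog writes kern.debug to); with the 2/min limit from the LOGGING chain the counts are a lower bound of what was actually dropped, so read them as an indicator, not as a packet count.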

 

have fun!
