Policy rules for Linux firewalls

Source: Internet
Author: User

Introduction:

By default, iptables has four tables and five chains.

Four tables (traversal priority: raw > mangle > nat > filter):

1. raw table -- two chains: PREROUTING, OUTPUT

Function: decides whether a packet is handled by the connection-tracking (state) mechanism. Kernel module: iptable_raw

2. mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

Function: modifies packet fields such as the type of service (TOS) and the TTL, and can set marks used for policy routing and QoS. Kernel module: iptable_mangle

3. nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT

Function: network address translation (IP address, port). Kernel module: iptable_nat

4. filter table -- three chains: INPUT, OUTPUT, FORWARD

Function: filters packets, i.e. defines what is denied and what is allowed. Kernel module: iptable_filter


Five chains (built in: they cannot be deleted, but the rules inside them can be cleared):

1. INPUT -- incoming packets addressed to this host are matched against the rules in this chain

2. OUTPUT -- outgoing packets generated by this host are matched against the rules in this chain

3. FORWARD -- packets being forwarded through this host are matched against the rules in this chain

4. PREROUTING -- the rules in this chain are applied before the routing decision is made for a packet

5. POSTROUTING -- the rules in this chain are applied after the routing decision has been made


I. When starting the firewall configuration:

iptables -X  (delete all user-defined chains)

iptables -F  (flush all rules)

iptables -L  (list all rules; add -n to display IP addresses and ports numerically)


II. Writing rules:

iptables -I <chain> <position>  (insert a rule at the given position in the chain)

iptables -A <chain>  (append a rule at the end of the chain; the default)

iptables -D <chain> <number>  (delete the rule with that number)

iptables -N <name>  (create a user-defined chain)

iptables -P <chain> DROP|ACCEPT  (set the chain's default policy: DROP denies, ACCEPT allows). Note: configure the default policy last, except in emergencies, so that a DROP policy is not in force before the allow rules exist.

-p (protocol)

--sport (source port)

--dport (destination port)

-s (source address)

-d (destination address)

-i (incoming network interface)

-o (outgoing network interface)

-m (match extension):

1. state: -m state --state RELATED,ESTABLISHED  // stateful matching; without it the return traffic of a connection would not pass

2. limit: -m limit --limit 5/m --limit-burst 10  // an initial burst of 10 packets passes, then the allowance refills at 5 per minute

3. connlimit: -m connlimit --connlimit-above 1  // matches once an IP address has more than 1 connection, so only 1 connection per IP address is allowed

-j (target, i.e. the action to take):

ACCEPT (accept the packet)

DROP (silently discard the packet)

DNAT (destination address translation), generally used in the PREROUTING chain

SNAT (source address translation), generally used in the POSTROUTING chain

<chain name> (jump to that user-defined chain)

MASQUERADE (address masquerading: source NAT to the address of the outgoing interface)

--to-destination (destination address for DNAT)

-t nat (select the nat table, used for address mapping)

--line-numbers (show rule numbers when listing)

Examples:


1) When the Linux system acts as both a server and a firewall:

1. Allow outside access to the httpd service on port 80:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT  // inbound rule: TCP with destination port 80 is allowed through

iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT  // outbound rule: TCP with source port 80 is allowed through

You can also use user-defined chains:

iptables -N httpd-in  // create a user-defined chain named httpd-in

iptables -A INPUT -j httpd-in  // hook the httpd-in chain into the INPUT chain

iptables -A httpd-in -p tcp --dport 80 -j ACCEPT  // in the httpd-in chain, allow TCP with destination port 80

iptables -N httpd-out  // create a user-defined chain named httpd-out

iptables -A OUTPUT -j httpd-out  // hook the httpd-out chain into the OUTPUT chain

iptables -A httpd-out -p tcp --sport 80 -j ACCEPT  // in the httpd-out chain, allow TCP with source port 80

User-defined chains take effect only when they are hooked into a built-in chain; grouping rules this way keeps the built-in chains from becoming cluttered.


2. Allow ping (the first two rules alone are enough for ping to work):

iptables -A INPUT -i eth0 -p icmp -j ACCEPT  // inbound ICMP packets on interface eth0 are allowed through

iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT  // outbound ICMP packets on interface eth0 are allowed through

iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT  // stateful rule: outbound packets on eth0 that belong to related or established connections are allowed


2) When the Linux system is used only as a firewall:

echo 1 > /proc/sys/net/ipv4/ip_forward  // enable the routing function, i.e. allow forwarding

1. Allow forwarding for the httpd service on port 80:

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT  // allow forwarding of TCP with destination port 80


2. Allow ping forwarding:

iptables -A FORWARD -p icmp -j ACCEPT  // allow forwarding of ICMP packets


3. Destination address mapping:

iptables -t nat -A PREROUTING -d 192.168.99.101 -j DNAT --to-destination 192.168.100.102  // before routing, destination IP 192.168.99.101 is rewritten to 192.168.100.102


4. Hiding intranet source addresses:

iptables -t nat -A POSTROUTING -j MASQUERADE  // after routing, the intranet address is hidden: the source address becomes the firewall's external IP address


5. Time-limited access (the date command displays the time; date 072016182005 sets it to July 20 16:18 2005, format MMDDhhmmYYYY; change the system time directly to test):

iptables -I FORWARD -s 192.168.100.0/24 -m time --timestart 16:10 --timestop 18:10 -j ACCEPT  // traffic from source network 192.168.100.0/24 is allowed through between 16:10 and 18:10

iptables -I FORWARD -d 192.168.100.0/24 -m time --timestart 16:10 --timestop 18:10 -j ACCEPT  // traffic to destination network 192.168.100.0/24 is allowed through between 16:10 and 18:10


6. Access limit (connection count):

iptables -I FORWARD -p tcp --dport 21 -m connlimit --connlimit-above 1 -j DROP  // for forwarded traffic to port 21, each IP address exceeding 1 connection is denied


3) Logging with the ulogd monitoring program:

/usr/local/ulogd/sbin/ulogd &  // start this program in the background

iptables -A FORWARD -p icmp -j ULOG  // log ICMP packets in the FORWARD chain (ULOG is non-terminating; it must come before the ACCEPT rule, because a matching ACCEPT ends evaluation and a ULOG rule appended after it would never fire)

iptables -A FORWARD -p icmp -j ACCEPT  // allow ICMP forwarding
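As an added check (not from the original post) covering two ordering pitfalls raised above, the "configure the default policy last" advice under II and the placement of the ULOG rule relative to the terminating ACCEPT rule in the logging example, the following Python audits a list of iptables commands written the way they appear on this page; the sample commands are constructed from the page's own examples.

```python
# Added example (not from the original post): audit a list of iptables commands for
# two ordering mistakes. (1) A rule appended after a terminating rule (ACCEPT, DROP,
# REJECT) with the same match in the same chain never fires, as happens to the post's
# "-j ULOG" rule when it is appended after "-j ACCEPT". (2) A DROP policy set before a
# chain's ACCEPT rules exist blocks traffic meanwhile, hence the "policy last" advice.
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(cmd):
    """Split one 'iptables ...' command into (action, chain, match tuple, target)."""
    argv = shlex.split(cmd)[1:]  # drop the leading 'iptables' word
    action = chain = target = None
    match, i = [], 0
    while i < len(argv):
        a = argv[i]
        if a in ("-A", "-I", "-P"):
            action, chain, i = a, argv[i + 1], i + 2
            if a == "-P":
                target, i = argv[i], i + 1
            elif a == "-I" and i < len(argv) and argv[i].isdigit():
                i += 1  # skip the insert position
        elif a == "-j":
            target, i = argv[i + 1], i + 2
        elif a == "-t":
            i += 2  # the table name does not affect these checks
        else:
            match.append(a)
            i += 1
    return action, chain, tuple(match), target

def audit(commands):
    """Return findings as strings; an empty list means no ordering problem found."""
    findings, terminated, drop_policy, flagged = [], {}, set(), set()
    for cmd in commands:
        action, chain, match, target = parse_rule(cmd)
        if action == "-P":
            if target == "DROP":
                drop_policy.add(chain)
            continue
        if action == "-A" and match in terminated.get(chain, set()):
            findings.append(f"shadowed (never matches): {cmd}")
        if target in TERMINATING:
            terminated.setdefault(chain, set()).add(match)
        if target == "ACCEPT" and chain in drop_policy and chain not in flagged:
            flagged.add(chain)
            findings.append(f"policy DROP on {chain} was set before its ACCEPT rules")
    return findings

# Constructed from the post's logging example: ULOG appended after a matching ACCEPT
SAMPLE = ["iptables -A FORWARD -p icmp -j ACCEPT", "iptables -A FORWARD -p icmp -j ULOG"]
```

Running audit(SAMPLE) reports the ULOG rule as shadowed; listing it before the ACCEPT rule, or inserting it with -I, clears the finding.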

The above is knowledge I have accumulated through my own learning; if anything needs to be corrected or added, you are welcome to exchange ideas with me so that we can make progress together. Thank you for reading.

This article is from the "Pan" blog; please keep this source when sharing: http://zonds.blog.51cto.com/12638755/1930504
