Rules for building a firewall using IPtables

Source: Internet
Author: User
Article Title: Rules for building a firewall using IPtables.
We have already introduced the basic concepts and usage of iptables. Now we will actually use iptables to build our firewall. How iptables is started and stopped depends on the Linux distribution in use; consult the documentation of your distribution. On Red Hat, iptables is started with:
  
# service iptables start
  
iptables is generally included in Linux distributions. You can run iptables --version to check whether it is installed on your system. On my Fedora Core 1 system, the installed version is iptables v1.2.8. If your system does not have iptables installed, you can download it from the following address:
  
http://www.netfilter.org/
  
   View Rule Sets
  
Although the usage of iptables was described briefly above, in practice we often need more complete information. In that case we can run man iptables to see the full description of all commands and options, or run iptables --help for a quick summary. To view the rule set currently loaded in the system, run the following command:
  
iptables --list
  
The following output shows what iptables reports when no rules are defined:
  
Chain INPUT (policy ACCEPT)
target prot opt source destination
  
Chain FORWARD (policy ACCEPT)
target prot opt source destination
  
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
  
As shown in the preceding example, each packet must pass through one of the three built-in chains (INPUT, OUTPUT, or FORWARD). filter is the most commonly used table. The basic syntax for setting rules in any table is as follows: iptables [-t table] command [match] [target].
  
In practice it is not necessary to use all the options listed here, nor to give them in exactly this order. Still, because rules tend to be fairly long, following this order is a convention that keeps them readable.
  
If no table is specified, iptables assumes the filter table, which saves typing. The three most common targets in the filter table are ACCEPT, DROP, and REJECT. DROP discards the packet without any further processing. REJECT sends an error message back to the host that sent the packet; although this sometimes has unexpected effects, it is still very useful in many cases.
  
   Add Rules
  
In this example, the rule blocks packets from a specific IP address range, because administrators suspect that a large number of malicious attackers are active in that range:
  
# iptables -t filter -A INPUT -s 123.456.789.0/24 -j DROP
  
To learn more about iptables parameters and command formats, use man iptables. We may well detest the malicious attackers on the Internet, but we cannot simply retaliate against them in kind just because we dislike them; at the very least, such a thing must not originate from your network. Therefore we can just as easily block all packets flowing toward the attacker's IP address. The command is slightly different:
  
# iptables -t filter -A OUTPUT -d 123.456.789.0/24 -j DROP
  
Note that the -A option here appends a rule to an existing chain, as described earlier.
  
   Delete rule
  
Malicious attackers on the network keep changing, so we have to keep changing the IP addresses accordingly. Suppose an attacker moves to a new IP address and the old address is assigned to some innocent users; in that case those users' packets cannot pass through your network. Here we can use the command with the -D option to delete the existing rule:
  
# iptables -t filter -D OUTPUT -d 123.456.789.0/24 -j DROP
  
   Default policy
  
It takes a lot of time to create a rule set that is flexible and can withstand all kinds of unexpected events. For those who do not want to do this, the most basic principle is "deny all packets first, then allow the required ones". Next we set the default policy for each chain:
  
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
  
Here the -P option sets the policy of a chain. Only the three built-in chains have a policy. These policies allow information to flow out without restriction but do not allow it to flow in. In many cases, however, we still need to receive external information. Use the following command:
  
# iptables -t filter -A INPUT -s 123.456.789.0/24 -j ACCEPT
  
   SYN usage
  
We cannot close all ports, or we would be completely isolated from the outside world. Nor can we leave only selected ports open, because we cannot predict which ports will be used. In fact, simply allowing traffic destined for a specific port to pass does little to prevent malicious attacks. So how can we set an effective rule that lets normal users through while keeping malicious attackers out of our network?
  
For those just starting with iptables, the SYN flag can be used to block unauthorized access. Because iptables only inspects the packet header, this adds no noticeable load. In fact, many other useful packet-analysis methods besides iptables are also based on headers.
  
For example, when a web browsing request is sent from your PC to a web server elsewhere, the server responds to the request by sending packets back to a temporary port on your system. Apart from that response to your request, the server does not care what you send. You can use this property to set a rule that blocks all TCP connections not initiated by your system:
  
# iptables -t filter -A INPUT -i eth0 -p tcp --syn -j DROP
  
Here -i specifies the network interface, -p the protocol, and --syn matches TCP packets with the SYN flag set. This shows how helpful an understanding of TCP/IP is for maintaining network security. SYN is used to initiate a TCP connection; if you do not run any server on your machine, nobody has a legitimate reason to send you SYN packets.
  
Some people will ask: why go to so much trouble? Indeed there are simpler ways to create a firewall, and plenty of good software can help us build our own rule set, but we should be clear that the simplest method is often not the best one. Since we have a better method, why not use it?
  
   Share an Internet connection
  
Both Network Address Translation (NAT) and IP masquerading allow multiple hosts to share one Internet connection, for instance a LAN consisting of both Linux and Windows systems. Assume that one machine has two NICs: eth0 is the public NIC and eth1 the private NIC.
  
In other words, eth0 is assigned a static, routable IP address, while eth1 is assigned a private, non-routable IP address belonging to the LAN subnet. To implement this, we add some rules to the nat and filter tables:
  
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
  
This shows the value of stateful packet inspection. Note that inbound packets are allowed only when they belong to an existing connection, while all packets coming in from the LAN are allowed through (note: filter is the default table here, so naming it is not required). The first rule makes all outgoing traffic appear to come from the firewall machine, without revealing that there is a LAN behind it.
  
The following example sets default policies for the FORWARD and POSTROUTING chains. When using masquerading, a default DROP policy on POSTROUTING is very important; otherwise malicious users may break through the gateway and disguise their identities.
  
# iptables -t filter -P FORWARD DROP
# iptables -t nat -P POSTROUTING DROP
  
The following example is for a dial-up connection, where the IP address is assigned dynamically:
  
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  
   Save rule
  
The problem with changing rules through a script is that the iptables command must be invoked for every single rule change, and on each call iptables must extract the entire rule set from netfilter kernel space, insert or append the rule (or make whatever other change was requested), and finally push the new rule set from its own memory back into kernel space, which takes a lot of time.
  
To solve this problem, you can use the commands iptables-save and iptables-restore. iptables-save saves the rule set to a text file in a special format, while iptables-restore reloads that file into kernel space.
  
The best thing about these two commands is that you can save or load the whole rule set with a single call, instead of calling iptables once for every rule in a script.
  
iptables-save extracts the entire rule set from the kernel and saves it to a file in one run, while iptables-restore loads a whole table at a time. In other words, with a large rule set configured by a script the rules are unloaded and reloaded over and over, whereas now we can save the entire rule set once and install it table by table, which saves a lot of time. So once you are satisfied with the test results, save them as a script:
  
# iptables-save > iptables-script
  
Now all the rules in the packet filtering tables are saved in the file iptables-script. You can use the iptables-restore command to restore the rule set from that file into the packet filtering tables at any time. The restore command is as follows:
  
# iptables-restore < iptables-script
  
If you want the rule set restored automatically every time the system boots, put the above command in any initialization shell script.
  
In fact, most distributions provide a file that is loaded automatically and that users can edit to maintain their rule set, and most distributions ship a pre-configured firewall. The location of this configuration file varies between distributions; you can use the locate iptables command to find it. For Red Hat or Fedora Core, the configuration file is /etc/sysconfig/iptables.
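As an added example (not code from the original article), here are the article's rules assembled into one deny-by-default rule set in the iptables-save format, so that the whole set loads with a single iptables-restore call instead of one iptables invocation per rule. It assumes eth0 is the public NIC and eth1 the LAN NIC, uses the documentation range 192.0.2.0/24 in place of the article's blocked network, and additionally accepts loopback traffic and established replies on INPUT (otherwise the INPUT DROP policy would also drop the answers to your own outgoing connections).

```sh
#!/bin/sh
# Added example: the article's rules in iptables-save/iptables-restore format.
# Assumptions: WAN on eth0, LAN on eth1, 192.0.2.0/24 as the blocked network.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
BLOCKED_NET="${BLOCKED_NET:-192.0.2.0/24}"

# Print the rule set. Chain policies are given by ":CHAIN POLICY [pkts:bytes]"
# lines, rules are the usual iptables arguments, and each table ends with COMMIT.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s $BLOCKED_NET -j DROP
-A OUTPUT -d $BLOCKED_NET -j DROP
-A INPUT -i $WAN_IF -p tcp --syn -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Audit helper: does a saved rule set (file given as $1) follow the article's
# "deny first, then allow" principle? True only if INPUT and FORWARD default to DROP.
check_default_deny() {
  grep -q '^:INPUT DROP' "$1" && grep -q '^:FORWARD DROP' "$1"
}

# Number of tables in a saved rule set (one COMMIT per table).
count_tables() {
  grep -c '^COMMIT$' "$1"
}

case "${1:-}" in
  --print) build_ruleset ;;                     # review the set before loading it
  --apply) build_ruleset | iptables-restore ;;  # load the whole set atomically (as root)
esac
```

Run it with --print to inspect the generated file, or feed a saved /etc/sysconfig/iptables to check_default_deny to verify that an existing firewall keeps the deny-by-default policies.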