The main categories of firewalls on Linux are:
1. Netfilter (packet filtering in the kernel)
2. TCP Wrappers (per-service access control)
3. Proxy
Packet filtering software for Linux: iptables
The order of the rules is very important: the first rule that matches a packet decides its fate, and later rules are never consulted.
Three tables (the ones covered here): filter, nat, mangle
Five chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Viewing and purging rules

iptables [-t table] -L [-nv]
    -t: table to operate on, nat or filter (default is filter)
    -L: list the current rules
    -n: do not reverse-resolve IP addresses and ports; much faster output
    -v: show more information (packet and byte counters, interfaces)
iptables-save [-t table]        # dump the complete rule set in restorable form

iptables [-t table] [-F] [-X] [-Z]
    -F: flush all rules that have been defined
    -X: delete all user-defined chains
    -Z: zero the packet and byte counters of all chains
Defining a default policy (what happens to a packet that matches no rule in a built-in chain)

iptables [-t nat] -P [INPUT|OUTPUT|FORWARD] [ACCEPT|DROP]

Note that -P only applies to built-in chains; with -t nat the chains are PREROUTING, POSTROUTING and OUTPUT.
Syntax:

iptables [-A|-I INPUT|OUTPUT|FORWARD ...] [-i|-o eth0|eth1 ...] [-p tcp|udp|icmp ...] [-s sip|net] [-d dip|net] [--sport port[:port]] [--dport port[:port]] [-m state --state STATE] [-m mac --mac-source xxx] -j ACCEPT|DROP|REJECT|LOG

-A appends the rule at the end of the chain, -I inserts it at the top; because first match wins, the choice between them changes the result.
Iptables Setup Script:
1. Clear existing Rules
2. Set the default policies
3. Set the Rules
4. Save
#!/bin/bash
# Fill in the parameters below; do not get them wrong.
EXTIF="eth0"                 # the interface that carries the public IP
INIF="eth1"                  # the internal LAN interface; if there is none, write INIF=""
INNET="192.168.100.0/24"     # if there is no internal interface, write INNET=""
export EXTIF INIF INNET

# Part one: firewall settings for this host
# 1. Set the kernel network parameters first
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
    echo "0" > $i
done

# 2. Flush the rules, set the default policies, open lo and accept related/established traffic
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. Run the additional firewall script modules, if present
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
    sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
    sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/iptables/iptables.http ]; then
    sh /usr/local/virus/iptables/iptables.http
fi

# 4. Allow certain ICMP types in (0 = echo reply, 3 = destination unreachable, 3/4 = fragmentation needed)
AICMP="0 3 3/4"
for tyicmp in $AICMP; do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

# 5. Allow access to certain services; uncomment the ones your environment needs.
#    Ports are given by their /etc/services names, which iptables resolves itself.
# iptables -A INPUT -p tcp -i $EXTIF --dport ftp    --sport 1024:65535 -j ACCEPT  # ftp
# iptables -A INPUT -p tcp -i $EXTIF --dport ssh    --sport 1024:65535 -j ACCEPT  # ssh
# iptables -A INPUT -p tcp -i $EXTIF --dport smtp   --sport 1024:65535 -j ACCEPT  # smtp
# iptables -A INPUT -p udp -i $EXTIF --dport domain --sport 1024:65535 -j ACCEPT  # dns
# iptables -A INPUT -p tcp -i $EXTIF --dport domain --sport 1024:65535 -j ACCEPT  # dns
# iptables -A INPUT -p tcp -i $EXTIF --dport http   --sport 1024:65535 -j ACCEPT  # www
# iptables -A INPUT -p tcp -i $EXTIF --dport pop3   --sport 1024:65535 -j ACCEPT  # pop3
# iptables -A INPUT -p tcp -i $EXTIF --dport 443    --sport 1024:65535 -j ACCEPT  # https

# Part two: firewall settings for the hosts behind this machine
# 1. Load some useful modules first (2.4/2.6-era names; newer kernels use nf_conntrack, nf_nat, nf_conntrack_ftp, ...)
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules; do
    testmod=$(lsmod | grep "^${mod} " | awk '{print $1}')
    if [ "$testmod" = "" ]; then
        modprobe $mod
    fi
done

# 2. Clear the NAT table rules
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

# 3. If there is an internal interface (dual NIC), act as a router and share the public IP (masquerading)
if [ "$INIF" != "" ]; then
    iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    if [ "$INNET" != "" ]; then
        for innet in $INNET; do
            iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
        done
    fi
fi

# If MSN cannot connect, or some sites work and others do not, it may be an MTU problem;
# uncomment the following line to clamp the TCP MSS to the path MTU.
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. NAT server: forward inbound ports to servers on the internal LAN
iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination 192.168.1.210:80  # WWW

# 5. Special rules, for example Windows Remote Desktop; assume the desktop host is 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 -j DNAT --to-destination 192.168.100.20

# 6. Finally, save these rules
/etc/init.d/iptables save
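The four-step procedure above (flush, default policy, rules, save) only works when the rules land in the right order. The following added example is not code from the original page: it builds the INPUT chain through a wrapper variable so the rule set can be rendered without root (IPT=echo, the default) or applied for real (IPT=iptables), and it checks the rendered set, or an iptables-save dump, for the ordering constraints that the page's script relies on. The interface name and the port list are placeholders, and FORWARD is set to DROP rather than the page's ACCEPT, which is a stricter choice for a host that is not routing.

```shell
#!/bin/bash
# Added example (not from the original page): render and verify a
# deny-by-default INPUT chain in the order first-match semantics require.
# Assumed/hypothetical: interface name and port list are placeholders;
# IPT defaults to "echo" for a dry run, set IPT=iptables to apply.

IPT="${IPT:-echo}"

# render_input_rules EXTIF PORT...
# Emits (or applies, when IPT=iptables) the rules in the order they must hold.
render_input_rules() {
    extif="$1"; shift

    # 1. Flush everything and set default policies: deny inbound by default.
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP      # stricter than the page's ACCEPT; open per subnet if routing

    # 2. Short-circuit rules go first: loopback and replies to our own connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # 3. Service allows, NEW connections only (ESTABLISHED is already handled above).
    for port in "$@"; do
        $IPT -A INPUT -p tcp -i "$extif" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # 4. Rate-limited log followed by the catch-all drop; nothing may come after it.
    $IPT -A INPUT -i "$extif" -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    $IPT -A INPUT -i "$extif" -j DROP
}

# check_rule_order
# Reads a rule set on stdin (the rendered output above, or iptables-save output)
# and exits 0 only if: the INPUT policy is DROP, the RELATED,ESTABLISHED accept
# comes before the first service allow, and the catch-all DROP is the last DROP.
check_rule_order() {
    awk '
        /^(-P INPUT DROP|:INPUT DROP)/                                 { pol = 1 }
        /^-A INPUT .*--state RELATED,ESTABLISHED .*-j ACCEPT/ && !est  { est = NR }
        /^-A INPUT .*--dport/ && !svc                                  { svc = NR }
        /^-A INPUT .*-j DROP$/                                         { drop = NR }
        END { if (pol && est && svc && drop && est < svc && svc < drop) exit 0; exit 1 }
    '
}

# Dry run: render the rule set for eth0 with ssh and http, then check its order.
render_input_rules eth0 22 80 | check_rule_order && echo "rule order OK"
```

Running the script as-is prints the rules instead of loading them, which is the safest way to review a set before `IPT=iptables` applies it; piping `iptables-save` into `check_rule_order` afterwards confirms that what the kernel holds still matches the intended order. The `--sport 1024:65535` restriction from the page is deliberately left out: it only filters on a value the remote side chooses, so it adds no real protection and breaks clients that use other ephemeral ranges.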
Linux iptables