Use iptables to configure a stateful firewall

Source: Internet
Author: User
Tags: stateful firewall
Before writing any rules, a word about what "state" means for a firewall. Suppose you use ssh for remote access: your host and the remote host then exchange packets for the life of the session.

A static (stateless) firewall handles this as follows:
It inspects each packet arriving at your machine in isolation and sees that the source port is 22. If port 22 is allowed, the packet is accepted. Every later packet of the session is checked the same way, found to come from port 22, and allowed. The firewall never knows whether you actually opened an ssh session; the source port is chosen by the sender, so any host that sets its source port to 22 gets exactly the same treatment.
What does a stateful firewall do instead?

After you successfully connect to the remote host, your host records that connection in a connection tracking table. When a packet from the remote ssh server reaches your machine, the firewall
looks it up in that table, finds that it belongs to an already established connection, and lets it in. A packet that matches no tracked connection is not let in just because it claims to come from port 22.
Comparing the two shows that the static firewall is rather rigid, while the stateful firewall is smarter.

Now the states themselves.
NEW: when your host sends a connection request to the remote host (for TCP, the first SYN), that packet is in state NEW. A packet arriving from a host that has no tracked connection with you is NEW as well.
ESTABLISHED: once the connection has been established, every packet the remote host and your host exchange as part of it is in state ESTABLISHED.
RELATED: a service like ftp uses port 21 for commands and a separate connection for data, from server port 20 in active mode or from a dynamically chosen port in PASV mode. The control connection on port 21 is set up first and the transfer is negotiated over it; the data connection announced in that negotiation is in state RELATED, because the kernel knows it belongs to the control connection. Recognising it requires the kernel's ftp connection tracking helper, which reads the PORT and 227 messages on the control channel.
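To make the difference concrete, here is an added example that is not part of the original article: a small Python model of the two decision procedures. It runs constructed packets (addresses, ports and the ftp control lines are all made up for the example) through the article's static "source port 22" rule and through a toy connection table that implements NEW, ESTABLISHED and RELATED, including a simplified ftp helper that registers the expected data connection the way nf_conntrack_ftp does on a real kernel. The ConnTracker and policy functions are this example's own simplification, not the kernel's code.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving at our host, "out" = sent by our host
    proto: str        # "tcp" or "udp"
    peer: str         # the remote host's address
    remote_port: int  # the remote host's port
    local_port: int   # our port


def stateless_allows(pkt: Packet) -> bool:
    """The article's static rule: accept inbound TCP whose source port is 22.
    The sender picks its own source port, so anyone who sets it to 22 gets in."""
    return pkt.direction == "in" and pkt.proto == "tcp" and pkt.remote_port == 22


def port_from_ftp_tuple(six: str) -> int:
    """FTP writes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    *_, p1, p2 = (int(x) for x in six.split(","))
    return p1 * 256 + p2


class ConnTracker:
    """Toy connection table with the article's three states, plus an ftp helper
    that registers expected data connections (a simplified nf_conntrack_ftp)."""

    def __init__(self, ftp_helper: bool = False):
        self.connections = set()   # (proto, peer, remote_port, local_port)
        self.expectations = set()  # (peer, remote_port or None, local_port)
        self.ftp_helper = ftp_helper

    def _lookup(self, pkt):
        key = (pkt.proto, pkt.peer, pkt.remote_port, pkt.local_port)
        if key in self.connections:
            return "ESTABLISHED", None
        for exp in self.expectations:
            peer, rport, lport = exp
            if (peer, lport) == (pkt.peer, pkt.local_port) and rport in (None, pkt.remote_port):
                return "RELATED", exp
        return "NEW", None

    def process(self, pkt: Packet, inbound_policy):
        """Classify one packet. INPUT verdict comes from inbound_policy(pkt, state);
        OUTPUT stays at policy ACCEPT as in the article. Returns (state, accepted)."""
        state, exp = self._lookup(pkt)
        accepted = True if pkt.direction == "out" else inbound_policy(pkt, state)
        if accepted:  # an accepted packet creates or extends a tracked connection
            self.connections.add((pkt.proto, pkt.peer, pkt.remote_port, pkt.local_port))
            self.expectations.discard(exp)
        return state, accepted

    def ftp_control(self, pkt: Packet, line: str) -> None:
        """Feed one ftp control-channel line to the helper. 'PORT ...' sent by us as
        client: server will connect from port 20 to our advertised port (active mode).
        '227 ... (...)' sent by us as server: client connects from any port (PASV)."""
        if not self.ftp_helper:
            return
        if m := re.match(r"PORT (\d+(?:,\d+){5})", line):
            self.expectations.add((pkt.peer, 20, port_from_ftp_tuple(m.group(1))))
        elif m := re.match(r"227 .*\((\d+(?:,\d+){5})\)", line):
            self.expectations.add((pkt.peer, None, port_from_ftp_tuple(m.group(1))))


def desktop_policy(pkt: Packet, state: str) -> bool:
    """-P INPUT DROP plus -m state --state ESTABLISHED,RELATED -j ACCEPT."""
    return state in ("ESTABLISHED", "RELATED")


def server_policy(pkt: Packet, state: str) -> bool:
    """desktop_policy plus NEW TCP connections to the published services (21, 80)."""
    return desktop_policy(pkt, state) or (pkt.proto == "tcp" and pkt.local_port in (21, 80))


def demo() -> dict:
    """Run constructed traffic through both models and return the verdicts."""
    r = {}
    # 1. ssh session we opened, then an unsolicited packet that claims source port 22
    t = ConnTracker()
    t.process(Packet("out", "tcp", "203.0.113.5", 22, 40000), desktop_policy)
    r["ssh_reply"] = t.process(Packet("in", "tcp", "203.0.113.5", 22, 40000), desktop_policy)
    spoofed = Packet("in", "tcp", "198.51.100.7", 22, 3306)  # attacker set sport 22
    r["spoofed_stateless"] = stateless_allows(spoofed)
    r["spoofed_stateful"] = t.process(spoofed, desktop_policy)
    # 2. active-mode ftp as a client: the server connects back from its port 20
    ctl = Packet("out", "tcp", "203.0.113.9", 21, 40001)
    data = Packet("in", "tcp", "203.0.113.9", 20, 1025)
    for name, helper in (("ftp_active_with_helper", True), ("ftp_active_no_helper", False)):
        t = ConnTracker(ftp_helper=helper)
        t.process(ctl, desktop_policy)
        t.ftp_control(ctl, "PORT 192,168,1,10,4,1")  # 4*256 + 1 = 1025
        r[name] = t.process(data, desktop_policy)
    # 3. PASV ftp as a server: the client connects to a dynamic port we never opened
    t = ConnTracker(ftp_helper=True)
    ctl = Packet("in", "tcp", "198.51.100.20", 50000, 21)
    r["ftp_control_in"] = t.process(ctl, server_policy)
    t.ftp_control(ctl, "227 Entering Passive Mode (203,0,113,9,200,10)")  # 200*256 + 10
    r["pasv_data_in"] = t.process(Packet("in", "tcp", "198.51.100.20", 50001, 51210), server_policy)
    r["other_high_port"] = t.process(Packet("in", "tcp", "198.51.100.20", 50002, 51211), server_policy)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The spoofed packet is the point of the first scenario: the static rule accepts it because of its source port, while the tracker classifies it as NEW and the desktop policy drops it. The ftp scenarios show why RELATED needs the helper: without it the active-mode data connection is just another NEW packet, and on the server side the PASV data port is accepted only because the helper registered it, not because it appears in any ACCEPT rule.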
With that background, let's proceed step by step.

First, set the default policy:
iptables -P INPUT DROP
With this, your machine discards every packet that reaches it unless a later rule accepts it.
If your host is only used as a personal desktop and provides no services, other machines should not be able to send connection requests to it at all:
iptables -A INPUT -m state --state NEW -j DROP
This rule discards every packet in state NEW that arrives at your machine, so no other machine can actively initiate a connection to you. You can still connect to other machines, but only the request would get out: the replies arrive in state ESTABLISHED, so we need one more rule.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
All packets that belong to an existing connection, or are related to one, are allowed through.
Summing up, three statements make a good firewall for a personal desktop host:
iptables -P INPUT DROP
# iptables -A INPUT -m state --state NEW -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The second rule is commented out because it can be omitted entirely: anything the third rule does not accept falls through to the default policy, which is DROP, so the effect is the same.
Isn't that easy? For a personal desktop, just those two statements make your internet-connected host reasonably secure: you can reach the internet as you like, but nobody outside can initiate a connection to your machine. One practical caveat: the DROP policy also applies to the loopback interface, so local programs that talk to a service on 127.0.0.1 (a local DNS cache, for example) will break unless you also add iptables -A INPUT -i lo -j ACCEPT. (Current iptables spells the state match -m conntrack --ctstate; -m state --state is kept as a compatible alias.)
Of course, if your browser (IE or any other) has a vulnerability, iptables is no help: the exploit arrives over a connection you initiated, which is exactly the ESTABLISHED traffic the rules allow. That is outside the scope of a packet filter.
So stateful firewalls are more "intelligent" than static ones, and the rules are easier to write as well.
If your host is a server, the next problem is simple. Let's assume we run www and ftp services. Note that PASV-mode ftp transmits data over dynamically chosen ports rather than port 20. This is easy for a stateful firewall, and you don't even need to know which ports PASV ftp will use, because your host recognises the data connection as RELATED when ftp transfers a file to another host. That recognition depends on the ftp connection tracking helper (nf_conntrack_ftp; ip_conntrack_ftp on old 2.6 kernels), which parses the PORT and 227 messages on the control connection, so make sure it is loaded (modprobe nf_conntrack_ftp). On kernels from 4.7 onward the helper is no longer attached automatically and must be assigned explicitly, for example with iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.
Add:
iptables -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
Both ftp and http are TCP-only services, so there is no reason to open udp ports 21 and 80 as well; every rule that is not needed is one more thing to reason about.
That completes the work. Following the method of the previous article, here is the complete script with comments.
 
#!/bin/bash
# Define constants here
# TCP service ports that the internet may reach: ftp control (21) and http (80).
# Port 20 is the *source* port of active-mode data connections that the server
# itself opens, so it needs no INPUT rule.
ACCEPT_PORTS="21 80"
# Init: flush all rules and delete user-defined chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t raw -F
# Load the ftp connection tracking helper so data connections become RELATED,
# and attach it explicitly (required on kernels 4.7+, harmless on older ones)
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Set the default policy here
iptables -P INPUT DROP
# Allow loopback and inner network access: everything not arriving on the internet link
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Set the stateful rule here; this is the most important rule
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Set rules so that others can reach the services on your server
# (the variable must be unquoted so the loop sees one port per iteration)
for port in $ACCEPT_PORTS; do
    iptables -A INPUT -i ppp0 -p tcp --dport "${port}" -j ACCEPT
done
# These REJECT rules make the firewall answer like a host with closed ports instead
# of silently dropping, so clients fail immediately rather than waiting for a timeout
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
Note:
Stateful filtering requires connection tracking support in the kernel (the nf_conntrack modules, ip_conntrack on old kernels). Fortunately, practically every distribution ships it.