Use iptables to configure linux to prohibit all ports from logging on and opening specified ports

Source: Internet
Author: User
Tags ftp connection domain server nslookup

1. Disable all input forward output and only open it to some ports.
The following is a command implementation:

Iptables-P INPUT DROP
Iptables-P FORWARD DROP
Iptables-P OUTPUT DROP

Run the command iptables-L-n to check whether the settings are correct.
After the settings are completed, we only need to temporarily restart the server to restore the previously unconfigured status.
You must also use service iptables save to save
The firewall rules are saved in/etc/sysconfig/iptables.
You can open the file to view vi/etc/sysconfig/iptables
2,
Below I only open port 22 to see how I operate, that is, the following two statements

Iptables-a input-p tcp-dport 22-j ACCEPT
Iptables-a output-p tcp-sport 22-j ACCEPT

Check whether iptables-L-n is added.

Chain INPUT (policy DROP)
Target prot opt source destination
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 22

Chain FORWARD (policy DROP)
Target prot opt source destination

Chain OUTPUT (policy DROP)
Target prot opt source destination
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spt: 22

Now the linuxserver only opens the 22nd port, and uses putty.exe to test whether the link can be connected.
The link is available, indicating no problem.

Finally, do not forget to save the firewall settings.
Run the command: service iptables save to save

Iptables-a input-p tcp-dport 22-j ACCEPT
Iptables-a output-p tcp-sport 22-j ACCEPT
Let's explain the two commands.
-Parameter A is regarded as A rule for adding an INPUT.
-P specifies what protocol we commonly use tcp protocol, of course there are also udp such as 53 port DNS
Now we need to configure DNS to use port 53, and we will find that the udp protocol is used.

-Dport is the target port. When data enters the server from outside, it is the target port.
Otherwise, the data is exported from the server and the data source port uses-sport.

-J indicates that ACCEPT or DROP does not receive
3. Prohibit Access from an IP address
One Linux server and two windows xp operating systems
Linux Server ip address 192.168.1.99
Xp1 ip: 192.168.1.2
Xp2 ip: 192.168.1.8

Next let's take a look at what I can access on both xp servers.

192.168.1.2 this is accessible by xp1,
192.168.1.8 xp2 is also accessible.

Now I want to disable access to 192.168.1.2 xp1, and access to xp2 is normal,
Next let's take a look at the demo

Run iptables-a input-p tcp-s 192.168.1.2-j DROP
Here it means-A is to add A new rule. What kind of rule? Because we use tcp to access the website,
We use-p tcp. If it is udp, we write udp. Here we use tcp, and-s is the source,
The ip address comes from 192.168.1.2.-j should be DROP.

Okay. Check the effect. Add successfully. Verify whether the configuration takes effect.

The page cannot be displayed after the wait state appears. This is because access to 192.168.1.2 xp1 is denied.

Check whether another xp instance can be accessed. If it is 192.168.1.8, it can be accessed normally.
4. How to delete a rule
First, we need to know the number of this rule. Each rule has a number.

You can use iptables-L-n-line-number to display rules and corresponding numbers.
Num target prot opt source destination
1 DROP tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 3306
2 DROP tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 21
3 DROP tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 80
With the num column added, we can see that the rule corresponds to number 2.

Then we can delete it.
Iptables-d input 2
Delete the rule with INPUT Chain number 2.

Click iptables-L-n to check whether it has been cleared.
5. Filter invalid data packets
Assume that someone enters the server or has a virus Trojan program, it can transmit data outside the server through port.
This method is different from the normal access to port 22 and 80. The data it sends to the external server is not sent by visiting the webpage.
The response packet.

We will disable all the packets that are not responded through the request and block them.

Iptables provides a parameter to check the status. Next we will Configure Ports 22 and 80 to prevent invalid data packets.

Iptables-a output-p tcp-sport 22-m state-state ESTABLISHED-j ACCEPT

We can see the following:
Iptables-a output-p tcp-sport 22-j ACCEPT


An additional status judgment is provided.

The same is true for port 80. Now, the original two rules are deleted,
Iptables-L-n-line-number. This is a query rule with a number. We can see the number.
The rule is deleted.

Iptables-d output 1 1 1 indicates the first rule.

When you delete the preceding rule, the number also changes. See it.

Okay. We have deleted the first two rules, and port 22 can still be used properly. It indicates there is no problem.

Save it as follows. Do not forget it. Otherwise, it will be restored after restart.

Service iptables save.

Saving firewall rules to/etc/sysconfig/iptables: [OK]
In fact, the rules just set are written to the/etc/sysconfig/iptables file.
6. DNS port 53 settings
Next let's take a look at how to set iptables to open the DNS port. The DNS port corresponds to 53.

As you can see, I only open ports 22 and 80. Now let's see if I can resolve the domain name.

Host www.google.com has been waiting after entering this command, indicating that DNS is not available

The following prompt is displayed:
; Connection timed out; no servers cocould be reached

Ping the domain name.
[Root @ localhost ~ Ping www.google.com
Ping: unknown host www.google.com

The reason here is that iptables limits port 53.

Some servers, especially Web servers, are slowing down and DNS is also related, resulting in the failure to send packets to DNS servers.

The following shows how to use iptables to set the DNS 53 port. If you do not know the Domain Name Service port number

Run the grep domain/etc/services Command.

[Root @ localhost ~ Grep domain/etc/services
Domain 53/tcp # name-domain server
Domain 53/udp
Domaintime 9909/tcp # domaintime
Domaintime 9909/udp # domaintime

As you can see, we generally use udp.

Okay. Start setting...

Iptables-a output-p udp-dport 53-j ACCEPT
We ping a domain name, and the data is sent from the local machine. Therefore, we first set the OUTPUT,
We can set it according to the ping process.

Then the DNS server receives the packet we sent and responds to it.
Iptables-a input-p udp-sport 53-j ACCEPT

You must also set
Iptables-a input-p udp-dport 53-j ACCEPT
Iptables-a output-p udp-sport 53-j ACCEPT

Now, let's start the test. You can use iptables-L-n to check the settings. If there is no problem, you can test the settings.

[Root @ localhost ~ Iptables-L-n
Chain INPUT (policy DROP)
Target prot opt source destination
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 22
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 80
ACCEPT udp-0.0.0.0/0 0.0.0.0/0 udp spt: 53
ACCEPT udp-0.0.0.0/0 0.0.0.0/0 udp dpt: 53

Chain FORWARD (policy DROP)
Target prot opt source destination

Chain OUTPUT (policy DROP)
Target prot opt source destination
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spt: 22 state ESTABLISHED
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spt: 80 state ESTABLISHED
ACCEPT udp-0.0.0.0/0 0.0.0.0/0 udp dpt: 53
ACCEPT udp-0.0.0.0/0 0.0.0.0/0 udp spt: 53

You can test whether DNS can pass iptables.

[Root @ localhost ~ Host www.google.com
Www.google.com is an alias for www.l.google.com.
Www.l.google.com is an alias for www-china.l.google.com.
Www-china.l.google.com has address 64.233.189.104
Www-china.l.google.com has address 64.233.189.147
Www-china.l.google.com has address 64.233.189.99

Google domain names can be resolved normally.

You may need to set something for ping.

Use nslookup

[Root @ localhost ~ Nslookup
> Www.google.com
Server: 192.168.1.1
Address: 192.168.1.1 #53

Non-authoritative answer:
Www.google.com canonical name = www.l.google.com.
Www.l.google.com canonical name = www-china.l.google.com.
Name: www-china.l.google.com
Address: 64.233.189.147
Name: www-china.l.google.com
Address: 64.233.189.99
Name: www-china.l.google.com
Address: 64.233.189.104

This indicates that the local DNS is normal, and iptables allows access to the port 53.
7. iptables ftp settings
Now I start setting the ftp port. Add the port to be opened according to our previous video.
The ftp connection port has two ports 21 and 20. Now I add the corresponding rules.

[Root @ localhost rootiptables-a input-p tcp-dport 21-j ACCEPT
[Root @ localhost rootiptables-a input-p tcp-dport 20-j ACCEPT
[Root @ localhost rootiptables-a output-p tcp-sport 21-j ACCEPT
[Root @ localhost rootiptables-a output-p tcp-sport 20-j ACCEPT

Okay, so we can use a browser to access the ftp, and there is a timeout.

So I just mentioned that ftp is a special port, and some of its ports are data transmission ports,
Such as Directory List, upload, and download all use these ports.

And these ports are arbitrary ports... This is really special.

If no port range is specified, iptables is hard to open to any port,
If iptables allows access from any port, it is no different from not setting a firewall, so it is unrealistic.

The solution is to specify a range of the data transmission port.

Next, modify the ftp configuration file.

Here I use vsftpd to modify the demo. I don't know where to modify other ftp files. You can look for information.

[Root @ localhost rootvi/etc/vsftpd. conf

Add at the bottom of the configuration file

Pasv_min_port = 30001
Pasvanderbilt max_port = 31000

Save and exit.

The meaning of these two statements tells vsftpd that the port range for data transmission is between 30001 and 31000.

In this way, we can use iptables more easily, and we can open ports 30001 to 31000.

[Root @ localhost rootiptables-a input-p tcp-dport 30001: 31000-j ACCEPT
[Root @ localhost rootiptables-a output-p tcp-sport 30001: 31000-j ACCEPT

[Root @ localhost rootservice iptables save

Save the file, and use ftp in the browser. Normal access

You can log in with an account, and there is no problem. upload some files and check them.

You can see that the upload and download operations are normal .. Check the iptables settings.

[Root @ localhost rootiptables-L-n
Chain INPUT (policy DROP)
Target prot opt source destination
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 22
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 21
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpt: 20
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp dpts: 30001: 31000

Chain FORWARD (policy DROP)
Target prot opt source destination

Chain OUTPUT (policy DROP)
Target prot opt source destination
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spt: 22
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spt: 21
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spt: 20
ACCEPT tcp-0.0.0.0/0 0.0.0.0/0 tcp spts: 30001: 31000

This is a simple rule to demonstrate the special ftp port. You can add some data packet verification rules.
For example,-m state-state ESTABLISHED and RELATED require higher verification.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.