Use iptables to protect the email server

Source: Internet
Author: User
This document is intended for beginners with iptables: readers who have learned the principles and basic syntax of iptables but are not yet sure how to apply the tool to a server in a live environment. If that describes you, read on.

Two main work modes of iptables
For iptables data packets, there are several flows:
PREROUTING → FORWARD → POSTROUTING
PREROUTING → INPUT → Local → OUTPUT → POSTROUTING
Pay attention to these two flows. They are, in effect, the two working modes of iptables: in the first the machine acts as a NAT router (packets pass through FORWARD), in the second it acts as a host firewall (packets terminate in or originate from the local system, passing through INPUT and OUTPUT).
For details on how packets enter and leave iptables, see the figure:


Figure iptables flowchart of inbound and outbound data packets
iptables organises its rules into tables according to the kind of processing a packet needs. This article uses the three classic tables: filter, nat and mangle (later kernels add raw and security, which a host firewall like this one does not need).
The filter table is the default and holds the actual firewall filtering rules. Its built-in chains are INPUT, OUTPUT and FORWARD.
The nat table holds the rules for rewriting source and destination addresses and ports. Its built-in chains are PREROUTING, OUTPUT and POSTROUTING (kernels from 2.6.34 on also give it an INPUT chain).
The mangle table holds rules that alter packet headers or attach a mark to a packet; later rules (for example in the filter table, via -m mark) and policy routing can act on that mark. Its built-in chains are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
The chains work as follows:
INPUT chain: traversed by packets that the kernel's routing decision has determined are addressed to this Linux host.
OUTPUT chain: traversed by packets generated by this host.
FORWARD chain: traversed by packets routed through this host, that is, when the iptables machine connects two networks and traffic between them passes through it.
PREROUTING chain: seen before the routing decision; in the nat table this is where the destination address is rewritten (DNAT).
POSTROUTING chain: seen after the routing decision, just before the packet leaves; in the nat table this is where the source address is rewritten (SNAT).
The detailed syntax of iptables is as follows:
iptables [-t table] <-A|-I|-D|-R> chain [rule-number] [-i|-o interface] [-p protocol] [-s source-ip|source-subnet] [--sport source-port] [-d destination-ip|destination-subnet] [--dport destination-port] <-j target>
Note: this formula is explicit and logically ordered, and we recommend learning it by heart. Writing rules in this fixed order from the start is a good habit: scripts built from one template are much easier to read and check later. Two details worth remembering: --sport and --dport only make sense together with -p tcp or -p udp, and -A appends a rule to the end of a chain while -I inserts it at the given position (the top by default); since the first matching rule wins, rule order matters.
In this section we write a simple iptables rule set to protect a mail host. The topology is minimal: the iptables machine has the address 192.168.1.101/24 and the test machine is 192.168.1.102.

Common email host protection script
A basic protection script for a mail host is easy to write. The host offers only two services, SMTP on port 25 and HTTP on port 80 (webmail); every other port is closed. Because little else is involved, module loading is minimal, only the filter table is used and initialisation is short.
We write the script in the usual iptables order. Its contents are as follows.
(Note: this server sits in the author's own data centre, so port 22 is not opened and debugging is done from the console there. For remote administration you must open port 22, ideally only from your management addresses, before the DROP policy takes effect.)
#!/bin/bash
# Reset: flush all rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z
# Load the netfilter modules by hand instead of via "service iptables start"
modprobe ip_tables
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
# Default policies: drop anything arriving that is not explicitly accepted
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Loopback traffic in both directions
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# The services this host offers: SMTP (25) and HTTP (80)
iptables -A INPUT -p tcp -m multiport --dports 25,80 -j ACCEPT
# Replies to connections the host itself opened, and related traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Notes:
The first three commands reset iptables: -F flushes every rule, -X deletes any user-defined chains and -Z zeroes the packet and byte counters. Without -t they act on the filter table only; add -t nat or -t mangle to reset the other tables as well.
The modprobe lines load the netfilter modules by hand. Starting iptables with "service iptables start" pulls in many modules this script never uses, which is why the author loads only the ones wanted. Two caveats: iptable_nat and ip_nat_ftp are NAT helpers that a filter-only script does not need, and the RELATED,ESTABLISHED rule at the end depends on connection tracking, so the conntrack module (ip_conntrack on old kernels, nf_conntrack today) must be present for this script to work; on current kernels it and the other modules are loaded automatically the first time a rule references them. Connection tracking does cost memory and CPU per tracked flow, so keep an eye on the conntrack table on a busy server, but it cannot be left out while stateful rules are in use.
The two rules after the default policies accept traffic on the loopback interface in both directions, to avoid a kind of trouble that is explained at the end of this article.
The last rule accepts packets belonging to connections in the RELATED or ESTABLISHED state. With the INPUT policy at DROP, the replies to connections this host itself opens (DNS lookups, outbound mail delivery) would otherwise be discarded; the reason is discussed further at the end of the article.
After running the script, check the result with:
iptables -nvL
The command displays the following results:
Chain INPUT (policy DROP 13539 packets, 763K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  480 32744 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,80
   13  1411 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 472 packets, 52779 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
Only ports 25 and 80 are reachable; every other port is hidden by iptables. For example, scanning the server from the other machine with nmap:
nmap -sT 192.168.1.101
The command displays the following results:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at CST
Interesting ports on 192.168.1.101:
Not shown: 1678 filtered ports
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
MAC Address: 00:E0:62:12:7B:65 (Host Engineering)
Nmap finished: 1 IP address (1 host up) scanned in 37.721 seconds
The result shows that the rules are in effect. Note that the other ports are reported as "filtered" rather than "closed": the DROP policy silently discards the probes instead of answering with a TCP RST, so the scanner cannot tell whether anything listens there.
One more suggestion for readers new to iptables. The easiest mistake to make when you start experimenting is to lock yourself out of the server, for instance by setting the INPUT policy to DROP before the rule that accepts your own SSH session exists. One crude safety net while debugging is a cron job that stops the firewall every five minutes, to be removed once the rules are proven:
vim /etc/crontab
*/5 * * * * root /etc/init.d/iptables stop
Bear in mind that "iptables stop" flushes all rules and sets the policies to ACCEPT, so the host is unprotected each time it fires; this is a debugging aid only and must never remain on a production server.
The above is only a preliminary protection script. Defences against SYN floods, ping floods and other attacks can be added on top of it once you are familiar with the principles.
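As an added example, not code from the original article, here is the same mail-host policy written the way a practitioner would deploy it today. The whole filter table is expressed in iptables-save syntax and loaded atomically with iptables-restore, which removes the ordering hazard of having the DROP policy in place before the ACCEPT rules exist; a background timer reverts to the saved rules unless the load is confirmed, a safer replacement for the crontab trick above; and it adds the SYN-flag sanity check, rate-limited ping and throttled drop logging that the text leaves for later. The FORWARD policy is set to DROP because a host firewall does not route. Everything not in the article is an assumption: the management subnet 192.168.1.0/24 (MGMT_NET) from which SSH is allowed, the /run paths for the backup and PID file, the 120-second rollback window, and the script and function names.

```shell
#!/bin/bash
# Added example, not part of the original article: the mail-host policy as an
# iptables-restore ruleset, loaded in one atomic step with a timed rollback so
# that a mistake cannot lock the operator out.
# Assumptions (not in the original): SSH is wanted from the hypothetical
# management subnet MGMT_NET; iptables-save/iptables-restore are installed.
set -u

MGMT_NET="${MGMT_NET:-192.168.1.0/24}"       # assumed management subnet
SERVICE_PORTS="25,80"                        # SMTP and HTTP, as in the article
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-120}"  # unconfirmed loads revert after this
BACKUP=/run/iptables-rollback.save           # assumed paths
PIDFILE=/run/iptables-rollback.pid

# Emit the whole filter table in iptables-save syntax. Loading it with
# iptables-restore replaces the rules in a single transaction, so there is no
# moment where the policy is already DROP but the ACCEPT rules are not yet in
# place (the ordering hazard of a command-by-command script).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: clients on this host talking to 127.0.0.1 never leave lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS, outbound SMTP) would otherwise
# hit the DROP policy; -m conntrack is the current form of the old -m state
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# a new TCP connection must start with a SYN; anything else is bogus
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp -m multiport --dports ${SERVICE_PORTS} -j ACCEPT
# SSH only from the management subnet (assumed range, see MGMT_NET)
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 -j ACCEPT
# answer ping, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# log a sample of what the DROP policy discards, throttled to protect the log
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Audit helper: list the TCP ports the ruleset accepts from any source (rules
# carrying -s are skipped), as one line such as "25 80", to check before loading.
accepted_ports() {
    build_ruleset | awk '
        /^-A INPUT / && /-j ACCEPT/ && /-p tcp/ {
            restricted = 0
            for (i = 1; i <= NF; i++) if ($i == "-s") restricted = 1
            if (restricted) next
            for (i = 1; i <= NF; i++)
                if ($i == "--dports" || $i == "--dport") print $(i + 1)
        }' | tr ',' '\n' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Save the live rules, load the new set atomically and arm a background
# rollback; unless confirm_ruleset runs in time, the old rules come back.
# Needs root and a working iptables-restore.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    if ! build_ruleset | iptables-restore; then
        iptables-restore < "$BACKUP"
        return 1
    fi
    ( sleep "$ROLLBACK_SECONDS"; iptables-restore < "$BACKUP" ) &
    echo $! > "$PIDFILE"
    echo "rules loaded; run '$0 confirm' within ${ROLLBACK_SECONDS}s or they are reverted"
}

# Cancel the pending rollback once you have verified you can still log in.
confirm_ruleset() {
    kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE" "$BACKUP"
}

case "${1:-}" in
    show)    build_ruleset ;;
    ports)   accepted_ports ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_ruleset ;;
esac
```

Saved as, say, mailfw.sh, the workflow is: `./mailfw.sh ports` to see which TCP ports the ruleset exposes to everyone (it should print only 25 80), `./mailfw.sh show` to review the full table, `./mailfw.sh apply` from an SSH session, then `./mailfw.sh confirm` from a second, fresh SSH session; if that second login fails, doing nothing for two minutes restores the previous rules.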
The following are the answers to the two questions mentioned above:
I. Why must the loopback interface be allowed?
Every Linux system has a loopback interface named lo, in addition to the physical network cards, which Linux presents as interfaces such as eth0 and eth1.
The lo interface normally carries the address 127.0.0.1.
When a process on the host sends packets to the host itself, they travel through the virtual lo interface, not through the physical eth0/eth1.
If lo is blocked, ping, telnet or ssh to the local machine (its own hostname, localhost or 127.0.0.1) may fail, and so may local services that talk to each other over loopback (a mail server querying a local database or DNS cache, for instance), which makes debugging confusing.