Use Linux Iptables Firewall

Use the Linux Iptables firewall-Linux Enterprise Application-Linux server application information. For more information, see. The built-in firewall mechanism of Linux is implemented through the netfilter module in the kernel (www. netfilter. ort ). Linux kernel uses netfilter to filter incoming and outgoing data packets. netfilter consists of three rule tables, each of which consists of many built-in chains. You can use the iptables command to operate these table chains, such as adding, deleting, and listing rules.

I. Netfilter rule table-filter nat mangle

Filter, used to route network data packets. Yes, that is, if the-t parameter is not specified, when a new rule is created, it will be stored in the table by default.

INPUT Network Packet Flow to server

OUTPUT network packet outflow from the server

FORWARD network data packets are routed by the server

Nat, used for NAT table. NAT (Net Address Translation) is an IP Address conversion method.

The PREROUTING network packet can be modified when it reaches the server.

OUTPUT network data packets flow out from the server

The POSTROUTING network packet can be modified when it is about to be sent from the server.

Mangle, used To modify tables Of network data packets, such as TOS (Type Of Service), TTL (Time To Live), etc.

INPUT Network Packet Flow to server

OUTPUT network packet outflow Server

FORWARD network packets through the server

The PREROUTING network packet can be modified when it reaches the server.

The POSTROUTING network packet can be modified when it is about to be sent from the server.

1. Configure Iptables

When a data packet enters the server, Linux Kernel searches for the corresponding link until a rule matches the data packet. If the target of the rule is ACCEPT, the remaining Rules will be skipped and data packets will be sent again. If the target of the rule is DROP, the packet will be intercepted and the kernel will not refer to other rules.

Note: If there is no rule from the beginning that matches the data packet, and there is no rule to drop all at the end of the table, the data packet will be accept. Cisco, on the contrary, will follow the rules containing deny all at the end of the table.

1.) Command Options of Iptables

Iptables [-t tables] command option parameter target

-A adds A rule at the end of the chain

-C. Check the rules before they are added to the user-defined chain.

-D. delete a rule from the chain.

-E. Rename the User-Defined chain without changing the chain itself.

-F. Clear the chain and delete all rules on the chain.

-I insert a rule into the chain

-L list rules on a chain, such as iptables? L rules for listing INPUT chains

-N: Create a new chain

-P defines the Default policy of a chain

-R: replaces a rule on the chain.

-X: deletes a user-related chain.

-Z: clears the bytes and data packet counters of all links in all tables.

2.) Command Parameters of Iptables

-P? Protocol

The protocol type applied to data packets. It can be tcp udp icmp or ALL .! It can also be used.

When-p tcp is used, other options can be used to allow further rule definition. Options include:

-- Sport allows you to specify the source port of the matched data packet. port1: port, indicating all ports between port1 and port2.

The destination port of -- dport is the same as that of -- sport.

When-p is used! During udp, there are also special options for use:

-- Sport, -- dport, which is the same as-p tcp but used for UDP packets.

Only one option is available when the-p icmp parameter is used.

-- Icmp-type: allows you to specify the icmp type in the filter rule.

-S? Source specifies the source address of the data packet. This parameter is followed by an IP address, a network address with sub-net mask, or a host name. (Host names are not recommended)

-D,--destination Packet destination Address, same as-s.

-J, -- jump is used to specify a target, telling the rule to send the matched data packet to the target. Target can be ACCEPT, DROP, QUEUE, RETURN. If there is no-j, no operation is performed on the data packet, but the counter is added to 1.

-I--in-interface: for the INPUT FORWARD PREROUTING chain, this parameter specifies the port used when the data packet arrives at the server.

-O--out-interface: For the output forward postrouting chain, this parameter specifies the port used when the packet leaves the server.

3.) Iptables Command target

The last step to create a rule is to specify Iptables operations on data packets. As long as a rule matches this packet, no other rule operations will be performed. The built-in targets are: accept drop queue return.

ACCEPT: Allow data packets to pass to the destination.

DROP: the packet is rejected and the packet is discarded.

QUEUE: sends data packets back to the user application for processing.

RETURN: no longer checks data packets according to other rules of the current chain, but returns directly and continues to be sent to its destination address or the next chain.


2. Example of applying Iptables rules


Allow WWW


Iptables? A input? P tcp? Dport 80? J ACCEPT

This rule is added to the INPUT chain of the filter table, allowing data packets whose destination port is 80.

Allow DHCP on the Internal interface

Iptables? A input? I eth0? P tcp-sport 68--dport 67 ACCEPT

Iptables? A input? I eth0? P ucp--sport 68--dport 67 ACCEPT

Both TCP and UDP protocols are allowed.


3. Save and restore Iptables

Save Iptables

You can use iptables-save to save the current iptables rules,

Iptables-save> iptables save path, for example, # iptables-save>/etc/iptables. up. rule

Restore Iptables

You can use iptables-restore to restore the iptables table from the configuration document to the current iptables table.

Iptables-restore </etc/iptables. up. rule

Ii. Iptables in Ubuntu Server

Iptables has been installed by default in Ubuntu server 6.06. Version 1.3.3. The default status is disabled.

You can enable iptables by modifying/etc/network/interfaces:

Auto lo


Iface lo inet loopback


Auto eth0

Iface eth0 inet dhcp

# Add the following content

Pre-up iptables-restore </etc/iptables. up. rule

# Call the restored rule when active the eth0

Post-down iptables-save>/etc/iptables. up. rule

# Restore the iptables rule when shutdown the interface eth0

Then, reactivate eth0.

In addition, you can modify the/etc/iptables. up. rule configuration file at any time to change iptables rules. The format of Iptables. up. rule is as follows:

# Generated by iptables-save V1.3.3 on Tue Jul 31 14:18:44 2007

* Filter

: Input accept [73: 8213]

: Forward accept [0: 0]

: Output accept [8: 825]

-A input? I lo? P icmp? J DROP

-A input? I eth0? P icmp? J DROP

COMMIT

# Completed on Tue Jul 31 14:10:44 2007

Rows and rows cannot be empty.

Iii. Summary

The order of each rule in the iptables table chain is very important. If the first rule is accept all, all data packets are allowed to pass through firewall. Therefore, the Rule Order should be properly arranged.

The general rule is: deny all allowed minority.