Use of iptables firewall

Source: Internet
Author: User
This article describes 25 common uses of iptables. If you do not yet know iptables well, read the previous iptables tutorial first; it covers the basics, the architecture, clearing rules, appending rules and application examples. After reading this article you should understand how iptables is used and the basic terms referred to here.

I. iptables: getting started
Delete existing rules
iptables -F
(or)
iptables --flush

Note that -F acts on a single table, the filter table unless you pass -t nat or -t mangle, and it does not reset the chain policies. If a chain policy is already DROP, flushing the rules over SSH removes the ACCEPT rules that keep your session alive.
Set the default chain policy

The iptables filter table has three built-in chains: INPUT, FORWARD and OUTPUT. Their default policy is ACCEPT; you can set them to DROP:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Be aware that this drops every packet entering or leaving the host on any interface, loopback included, unless a rule explicitly accepts it. Add the rules that permit your own management traffic (loopback, established connections, SSH) before you switch the policies; if you are working over SSH and set the policies first, you cut off your own session.

Block a specified IP address

The following rule blocks the IP address stored in BLOCK_THIS_IP from reaching the local host:

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
(Or block only TCP packets from this IP address)
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

Rules are evaluated in order and -A appends to the end of the chain, so if an earlier rule already accepts traffic from that address the DROP is never reached. To block an address regardless of the rules already present, insert the rule at the top with -I INPUT 1 instead of -A INPUT.
Allow the host to be pinged from outside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow the local host to ping external hosts
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
II. iptables: protocol and port settings
Allow all SSH connection requests

This pair of rules allows all incoming SSH connection requests, that is, packets entering on the eth0 interface with destination port 22, together with the replies that leave through eth0 from source port 22:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

All the service rules in this section follow this pattern: NEW,ESTABLISHED on the side that receives the connection and ESTABLISHED on the reply side. On current iptables the state match is an alias of the conntrack match (-m conntrack --ctstate), and a single rule accepting ESTABLISHED,RELATED at the top of INPUT and OUTPUT replaces every per-service reply rule, which keeps the ruleset shorter and harder to get wrong.
Allow outgoing SSH connections

These rules are the mirror image of the ones above: they allow the local host to initiate SSH connections to other hosts.

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Only allow SSH connection requests from a specified network

The following rules accept SSH only from the 192.168.100.0/24 network:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

You can also write the network as -s 192.168.100.0/255.255.255.0; the CIDR form above is easier to read.

Only allow SSH connections from the local host to a specified network

The following rules allow the local host to open SSH connections only to hosts in 192.168.100.0/24:

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow HTTP/HTTPS connection requests
# 1. allow HTTP connections: port 80
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 2. allow HTTPS connections: port 443
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing HTTPS connections

These rules allow the local host to initiate HTTPS connections to the Internet.

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Outgoing HTTP (port 80) is allowed the same way.

-m multiport: specifying multiple ports

With -m multiport you can allow SSH, HTTP and HTTPS in a single rule (--dports and --sports take a comma-separated list of up to 15 ports):

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing DNS queries
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

DNS also uses TCP, for answers too large for a UDP datagram and for zone transfers, so add the same pair of rules with -p tcp. Note that the INPUT rule as written accepts any UDP packet whose source port happens to be 53, not only replies to your own queries; conntrack tracks UDP too, so adding -m state --state ESTABLISHED to the INPUT rule, as in the TCP examples above, closes that hole.
Allow NIS connections

If you manage user accounts with NIS, you must allow NIS traffic. Even with SSH allowed, users cannot log in unless the ypbind connections NIS needs are allowed as well. The NIS ports are dynamic: ypbind picks a port when it starts, so first find out which ports are in use. In this example they are 853 and 850:

rpcinfo -p | grep ypbind

Then allow packets to the portmapper on port 111 and to the ports ypbind is using:

iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT

These rules stop working after a reboot, because ypbind gets a different port each time. There are two ways around this:
1. make ypbind listen on fixed ports (ypbind-mt has a -p port option for this; check ypbind(8) on your distribution), so the rules above never change;
2. run a script at every boot that reads the ypbind ports from rpcinfo -p and adds the rules shown above to the filter table.

In either case, restrict these rules with -s to the network your NIS clients live on; as written they expose the portmapper and ypbind to every host that can reach the interface.
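The second option, written out as a boot-time script, is an added example and not part of the original article or the tutorial it draws on. It parses rpcinfo -p output, keeps only the ypbind registrations, and emits one ACCEPT rule per protocol and port, restricted to a client network. The rpcinfo output embedded below is constructed for offline testing, and the client network 192.168.100.0/24 is an assumption; by default the script only prints the commands (IPT="echo iptables"), set IPT=iptables to load them.

```shell
#!/bin/sh
# Added example (not from the article): derive the ypbind ports from
# "rpcinfo -p" at boot and emit the matching iptables rules, so the
# dynamic-port problem above is handled without hand-editing the ruleset.
# Dry run by default; run with IPT=iptables to load the rules for real.
IPT=${IPT:-"echo iptables"}

# Print "proto port" pairs for every ypbind registration in rpcinfo -p output.
# rpcinfo -p columns: program vers proto port service
ypbind_ports() {
    awk '$5 == "ypbind" { print $3, $4 }' | sort -u
}

# Emit ACCEPT rules for the portmapper (111) and each ypbind port, limited
# to the NIS clients' network given as $1 (assumed 192.168.100.0/24 below).
# Reads rpcinfo -p output on stdin.
nis_rules() {
    net=$1
    for proto in tcp udp; do
        $IPT -A INPUT -p "$proto" -s "$net" --dport 111 -j ACCEPT
    done
    ypbind_ports | while read -r proto port; do
        $IPT -A INPUT -p "$proto" -s "$net" --dport "$port" -j ACCEPT
    done
}

# Constructed rpcinfo -p output for testing offline; on a real host use
#   rpcinfo -p | nis_rules 192.168.100.0/24
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100007    2   udp    853  ypbind
    100007    1   udp    853  ypbind
    100007    2   tcp    850  ypbind
    100007    1   tcp    850  ypbind'

printf '%s\n' "$SAMPLE_RPCINFO" | nis_rules 192.168.100.0/24
```

Run it from the same boot hook that starts ypbind (after ypbind has registered with the portmapper, or the awk filter finds nothing); because each ypbind version registers separately, sort -u collapses the duplicates so every port gets exactly one rule per protocol.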

Allow rsync connection requests from a specified network

You may be running the rsync daemon without wanting to expose it to everyone; you only want it reachable from the internal network (192.168.101.0/24):

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
Allow MySQL connection requests from a specified network

You may be running MySQL but only want the DBAs and the relevant developers to connect to the database directly from the internal network (192.168.100.0/24):

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Allow Sendmail and Postfix mail delivery

SMTP uses port 25, so you only need to accept connection requests to port 25 (if the server also accepts mail submission from clients, add the same pair of rules for port 587).

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
Allow IMAP and IMAPS
# IMAP: 143
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
# IMAPS: 993
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
Allow POP3 and POP3S
# POP3: 110
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# POP3S: 995
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
Limit the rate of HTTP requests (DoS mitigation)
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

-m limit: load the limit match extension.

--limit 25/minute: once the burst is used up, match at most 25 packets per minute on average.

--limit-burst 100: the size of the token bucket. The rule starts with 100 tokens, every matched packet spends one, and tokens are refilled at the --limit rate (25 per minute) up to the burst size again. So the first 100 packets all match immediately; after that only 25 per minute do.

Three caveats before relying on this. First, the rule only ACCEPTs packets under the limit: packets over the limit are not dropped by this rule but fall through to the rules after it and to the chain policy, so you need a DROP policy on INPUT or an explicit drop rule following it. Second, as written it counts every TCP packet to port 80, not connections; add --syn to count connection attempts only. Third, the counter is global, so one flooding client consumes the budget for everyone; the hashlimit match (-m hashlimit with --hashlimit-mode srcip) keeps a separate bucket per source address and is the better tool for this job.
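To make the two numbers concrete, here is a small simulation of the token bucket behind the limit match. It is an added example, not part of the original article or the tutorial it draws on, and it approximates the kernel's jiffies-based credit accounting with fractional tokens. Input lines are "seconds count" (count packets arriving at that time); the arrival pattern below is constructed.

```shell
#!/bin/sh
# Added example (not from the article): simulate the token bucket behind
# "-m limit --limit 25/minute --limit-burst 100" to see what the two numbers
# really mean. Input lines are "seconds count": count packets arriving at
# that time. Output is "accepted dropped", where "dropped" means packets
# the limit rule did not match (what happens to them is up to the rules
# after it and the chain policy).
limit_sim() {
    rate=$1    # tokens added per minute (--limit N/minute)
    burst=$2   # bucket size and initial credit (--limit-burst)
    awk -v rate="$rate" -v burst="$burst" '
        BEGIN { credit = burst; last = 0; ok = 0; over = 0 }
        {
            t = $1; n = $2
            credit += (t - last) * rate / 60      # refill since last batch
            if (credit > burst) credit = burst     # never above the burst
            last = t
            for (i = 0; i < n; i++) {
                if (credit >= 1) { credit -= 1; ok++ } else { over++ }
            }
        }
        END { printf "%d %d\n", ok, over }'
}

# 200 packets in the first second, 50 more a minute later: the burst of
# 100 is spent at once, and a minute later only 25 new tokens exist.
printf '0 200\n60 50\n' | limit_sim 25 100    # prints: 125 125
```

The second figure is the interesting one for a DoS scenario: after the burst is gone the rule lets through 25 packets a minute no matter how many arrive, which protects the service only if everything else to port 80 is then dropped, and which starves legitimate clients just as much as the attacker.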

III. Forwarding and NAT
Allow routing

If the local host has two network cards, one connected to the intranet (eth0) and one to the Internet (eth1), the following rule lets packets arriving on eth0 be routed out through eth1:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

The FORWARD chain is only consulted when the kernel routes packets at all, so net.ipv4.ip_forward must be set to 1 first (sysctl -w net.ipv4.ip_forward=1). The rule above is one-directional: the replies that come back in on eth1 need a rule of their own (accepting ESTABLISHED,RELATED traffic from eth1 to eth0), otherwise a DROP policy on FORWARD discards them.
DNAT and port forwarding

The following rule forwards traffic arriving on port 422 to port 22, so that an SSH connection to port 422 is treated as a connection to port 22:

# 1. enable DNAT forwarding
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
# 2. allow the rewritten packets in
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Note that the filter rules match port 22, not 422. DNAT runs in the nat table's PREROUTING chain, before the filter table's INPUT chain sees the packet, so INPUT sees the rewritten destination port 22; the reply likewise leaves the filter OUTPUT chain with source port 22 and has the translation reversed only afterwards, in POSTROUTING. An INPUT rule for port 422 would never match anything. If the SSH rules from section II are already loaded, nothing more is needed.

Suppose the Internet gateway's public address is xxx.xxx and you want to forward HTTP requests to an internal computer:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

When a packet for xxx.xxx port 8888 arrives, it has to be delivered to port 80 of 192.168.0.2. What NAT actually does is modify the destination address and port of the packet; the kernel then routes it to the corresponding host.
But will iptables let such a packet be routed? That is decided by the FORWARD chain. The second command tells iptables to forward packets whose destination is 192.168.0.2:80 (again the address after rewriting, not the public one). In the port 422 to port 22 example above the destination is the local host itself, so the packet goes through INPUT and no FORWARD rule is needed.

SNAT and MASQUERADE

The following command SNATs all packets from the 10.8.0.0/24 network to the address 192.168.5.3 before sending them out through eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3

With SNAT, however many addresses you have, you must name the address to translate to. If the machine reaches the Internet over an ADSL dial-up, its public address is dynamic, and then MASQUERADE is the right choice: it always uses the current address of the outgoing interface, and it forgets its connections when that interface goes down, which is what you want when the address changes on reconnect.

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
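Below, the DNAT port forward and the MASQUERADE rule from this section are assembled into a working gateway ruleset. This is an added example, not part of the original article or the tutorial it draws on, and it adds the two things the fragments above leave out: IP forwarding has to be switched on, and the FORWARD chain has to pass reply traffic when its policy is DROP. Interfaces and addresses are assumptions: eth0 faces the Internet, eth1 the LAN 192.168.0.0/24, and 192.168.0.2 is the internal web server. By default it only prints the commands; IPT=iptables and SYSCTL=sysctl apply them.

```shell
#!/bin/sh
# Added example (not from the article): a NAT gateway built from the DNAT
# and MASQUERADE rules above, with forwarding enabled and reply traffic
# allowed through FORWARD. Dry run by default: the commands are printed.
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}
WAN_IF=${WAN_IF:-eth0}              # assumption: Internet-facing interface
LAN_IF=${LAN_IF:-eth1}              # assumption: LAN interface
LAN_NET=${LAN_NET:-192.168.0.0/24}  # assumption: LAN network
WEB_HOST=${WEB_HOST:-192.168.0.2}   # assumption: internal web server

gateway_rules() {
    # Without this the kernel never routes and FORWARD is never consulted.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Return traffic for any forwarded connection, in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open new connections to the Internet ...
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    # ... hidden behind the gateway's (possibly dynamic) WAN address.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Port forward: WAN port 8888 -> internal web server port 80.
    # No -d here, so it also works when the WAN address is dynamic.
    # DNAT rewrites the destination in PREROUTING; the FORWARD rule must
    # then match the rewritten address, not the public one.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8888 \
        -j DNAT --to-destination "$WEB_HOST:80"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Nothing else is routed through this box.
    $IPT -P FORWARD DROP
}

gateway_rules
```

The FORWARD policy is switched to DROP last so that, if the script is interrupted half way, the gateway still forwards rather than silently cutting the LAN off. Note that LAN clients connecting to the public address on port 8888 will not reach the server with this ruleset alone; that hairpin case needs an additional SNAT on the LAN side.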
Load balancing

With the nth match extension (-m nth and its --counter, --every and --packet options) you can spread incoming connections evenly across three servers:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

DNAT is only valid in the nat table, so -t nat is required. The nth match came from the patch-o-matic add-ons and is not in mainline kernels; the equivalent there is -m statistic --mode nth. Note the difference: nth shared one counter (--counter 0) among the three rules, which is why each rule could claim a different packet of every three, while statistic keeps a separate counter per rule, so each rule only sees what the previous rules let through and the --every values have to shrink from rule to rule (3, then 2, then a final rule without a match) to get an even split. Whichever match you use, this is blind round-robin with no health checking: a backend that is down still receives its third of the connections.
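The same three-way spread written for the mainline statistic match, as an added example that is not part of the original article or the tutorial it draws on. The function takes the public port and any number of backends and works out the shrinking --every values itself; the backend addresses are the article's, eth0 is an assumption, and by default the commands are printed rather than loaded (set IPT=iptables to load them).

```shell
#!/bin/sh
# Added example (not from the article): the DNAT spread above written for
# "-m statistic --mode nth", which current kernels ship instead of the
# out-of-tree "nth" match. statistic keeps a separate counter per rule, so
# each rule must divide only the packets the previous rules let through:
# every 3rd, then every 2nd of the rest, then all of the rest.
IPT=${IPT:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}   # assumption: interface the clients arrive on

# lb_rules PORT BACKEND...  emits one nat PREROUTING rule per backend
lb_rules() {
    port=$1; shift
    n=$#                    # backends still to place
    for backend in "$@"; do
        if [ "$n" -gt 1 ]; then
            # hand 1/n of what reaches this rule to this backend
            $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
                -m conntrack --ctstate NEW \
                -m statistic --mode nth --every "$n" --packet 0 \
                -j DNAT --to-destination "$backend:$port"
        else
            # last backend takes everything that is left; no counter needed
            $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
                -m conntrack --ctstate NEW \
                -j DNAT --to-destination "$backend:$port"
        fi
        n=$((n - 1))
    done
}

lb_rules 443 192.168.1.101 192.168.1.102 192.168.1.103
```

With three backends the first rule takes one connection in three, the second takes half of the remaining two thirds, and the third takes the rest, so each ends up with a third; the same arithmetic holds for any number of backends.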
Custom chain: log dropped packets
# 1. create a chain named LOGGING
iptables -N LOGGING
# 2. send every packet that reaches the end of the INPUT chain to the LOGGING chain
iptables -A INPUT -j LOGGING
# 3. log at most 2 packets per minute with the custom prefix "IPTables Packet Dropped:"
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
# 4. drop these packets
iptables -A LOGGING -j DROP

Append the jump to LOGGING only after all of your ACCEPT rules: it matches every packet, so anything added to INPUT after it is never reached. The LOG target writes to the kernel log (dmesg or journalctl -k); level 7 is debug, so make sure your syslog configuration actually records it. The limit keeps a flood from filling the log, and because LOGGING drops the packets itself, the INPUT policy no longer matters for anything that reaches the chain.
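The rules in this article were shown one service at a time. The script below, an added example that is not part of the original article or of the tutorial it draws on, assembles them into one complete host firewall in the order that keeps a remote administrator connected: policies and custom chains are reset first, loopback and established traffic are accepted next, then the per-service rules, then the LOGGING chain, and the DROP policies come last. The interface name eth0, the admin network 192.168.100.0/24 and the file name firewall.sh are assumptions, and the per-service reply rules are replaced by a single conntrack rule per direction. By default the script only prints the commands (IPT="echo iptables"); IPT=iptables loads them.

```shell
#!/bin/sh
# Added example, not from the article: the rules above assembled into one
# host firewall, in an order that never cuts off the SSH session that loads
# it. Dry run by default (IPT="echo iptables" prints the commands);
# load for real with:  IPT=iptables sh firewall.sh
# Assumptions: eth0 is the only interface, admins come from 192.168.100.0/24.
IPT=${IPT:-"echo iptables"}
WAN_IF=${WAN_IF:-eth0}
ADMIN_NET=${ADMIN_NET:-192.168.100.0/24}

build_rules() {
    # 1. Start from a clean slate: flush all three tables, delete custom
    #    chains and set every policy to ACCEPT, so a half-built ruleset
    #    can never drop the session we are working from.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # 2. Loopback, then one conntrack rule per direction for replies.
    #    This replaces every per-service "--sport N --state ESTABLISHED"
    #    rule in the article; INVALID packets are dropped early.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. Inbound services: SSH only from the admin network, web from
    #    anywhere, and ICMP echo so the host can be pinged.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$ADMIN_NET" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 4. Outbound from this host: DNS over UDP and TCP, SSH, HTTP/HTTPS
    #    and outgoing pings. Replies are covered by the ESTABLISHED rule.
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 22,80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 5. Everything else on INPUT is logged (rate limited) and dropped via
    #    the LOGGING chain; only now are the default policies switched.
    $IPT -N LOGGING
    $IPT -A INPUT -j LOGGING
    $IPT -A LOGGING -m limit --limit 2/min -j LOG \
        --log-prefix "IPTables-Dropped:" --log-level 7
    $IPT -A LOGGING -j DROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

build_rules
```

Load it over SSH only with a way back: start a delayed reset in a second session first (for example sleep 300; iptables -P INPUT ACCEPT; iptables -F), and cancel it once you have confirmed that a fresh login still works. Since loading the script flushes everything, it is also what you run after the rules have been changed by hand and you want to return to a known state.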
References:

[1] 25 Most Frequently Used Linux IPTables Rules Examples
[2] Relationship and difference between iptables SNAT, DNAT and MASQUERADE
