Use of iptables firewall in CentOS

Source: Internet
Author: User
Tags bit set
The default firewall rules for 1 rhel5 boot are in Linux. you can use the iptables command to build various types of firewalls. When the RHEL5 operating system is installed by default, the iptables firewall has been installed, and some rules are automatically added after the system is started. these rules are actually determined by the iptables file in the/etc/sysconfig directory. Accessible

1 RHEL 5 default firewall rules upon startup

In Linux, you can useIptablesCommand to build various types of firewalls. When RHEL5 is installed by default,IptablesThe firewall has been installed and some rules will be automatically added after the firewall is turned on. these rules are actually determined by the iptables file in the/etc/sysconfig directory. You can run the "iptables-L" command to view these default rules.

[Root @ edwin ~] # Iptables-L

Chain INPUT (policy ACCEPT) # rules in the INPUT Chain

Target prot opt source destination

RH-Firewall-1-INPUT all -- anywhere # rule 1

Chain FORWARD (policy ACCEPT) # rules in the FORWARD Chain

Target prot opt source destination

RH-Firewall-1-INPUT all -- anywhere # rule 2

Chain OUTPUT (policy ACCEPT) # rules in the OUTPUT Chain

Target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references) # rules in the custom RH-Firewall-1-INPUT Chain, referenced twice by other chains

Target prot opt source destination

ACCEPT all -- anywhere # rule 3

ACCEPT icmp -- anywhere icmp any # rule 4

ACCEPT esp -- anywhere # rule 5

ACCEPT ah -- anywhere # rule 6

ACCEPT udp -- anywhere 224.0.0.20.udp dpt: mdns # rule 7

ACCEPT udp -- anywhere udp dpt: ipp # rule 8

ACCEPT tcp -- anywhere tcp dpt: ipp # Rule 9

ACCEPT all -- anywhere stateRELATED, ESTABLISHED # rule 10

ACCEPT tcp -- anywhere stateNEW tcp dpt: ftp # rule 11

ACCEPT tcp -- anywhere state NEW tcp dpt: ssh # rule 12

ACCEPT tcp -- anywhere state NEW tcp dpt: http # rule 13

ACCEPT tcp -- anywhere state NEW tcp dpt: smtp # rule 14

REJECT all -- anywhere reject-with icmp-host-prohibited # rule 15

The above iptables command does not use the-t option to specify which table or chain. Therefore, the rule chain in the filter table is listed by default. From the above results, we can see that the filter table has a total of four chains. The INPUT, FORWARD, and OUTPUT chains are built in, while the RH-Firewall-1-INPUT chain is added by the user.

1.1 rule column

In the rules listed above, each rule lists 5 items. The target column indicates the action target of the rule. The prot column indicates the name of the upper-layer protocol specified by the rule, and all indicates all protocols. Opt lists some options of the rule. The source column indicates the source IP address or subnet of the data packet, while the destination column indicates the destination IP address or subnet of the data packet, and anywhere indicates all the addresses. In addition to the above five columns, if there is, each rule finally lists some sub-options, such as rule 4 in the RH-Firewall-1-INPUT chain.

If the-v option is added when executing the iptables command, you can also list the number of packets and the number of bytes that match each rule, as well as the network interfaces that require incoming and outgoing packets. If the-n option is added, the IP address and port in the displayed result are not parsed and displayed in numbers directly. In addition, if the "-- line-number" option is added, the rule number of each rule can be displayed in the first column.

1.2 Explanation of rules

Rule 1 in the INPUT chain the content of its target column is RH-Firewall-1-INPUT, the opt column is all, and the source and destination columns are both anywhere, indicating that all packets are handed over to the custom RH-Firewall-1-INPUT chain for processing. Rule 2 of the FORWARD chain is exactly the same as Rule 1. There are no rules in the OUTPUT chain.

In the custom RH-Firewall-1-INPUT chain, many rules are listed, rule 3 indicates receiving all packets. Note that if you add the-v option in iptables to list this rule, you will see that the in column is lo, that is, the packet is required to be imported from the loop interface, instead of receiving packets from any network interface.

Rule 4 indicates that all icmp data packets are received, that is, when other computers ping the local machine, they receive the data packets, and there are no rules in the OUTPUT chain. Therefore, the ICMP reply data packets of the local machine can smoothly enter the network, received by the recipient. Rules 5 and 6 indicate receiving all packets from the esp and ah protocols. These two protocols are IPv6 protocols.

Rule 7 indicates that the destination address is 224.0.0.20.and the destination port is the UDP packet of mdns. 224.0.0.20.is a multicast address, and mdns is a name of the port number. If the-n option is added when the iptables command is executed, the number 5353 is displayed, which is the DNS port of the multicast address.

Rules 8 and 9 indicate that all destination ports are allowed to pass through UDP and TCP packets of ipp, ipp is the name resolution of port 631, and it is the port used for network printing service. Rule 10 indicates that all data packets in the RELATED and ESTABLISHED statuses pass through. the RELATED status indicates that a new connection is required for the data packet, and the connection to be created is RELATED to the existing connection, for example, FTP data connection. ESTABLISHED indicates the packet that the other party responds to when the local machine establishes a connection with the other party.

From Rule 11 to Rule 14, the target Port is allowed to be ftp, ssh, http, or smtp, and the status is NEW, if the status is NEW, the TCP packet will initiate a TCP connection with the host. The ports of these rules correspond to the most common network services. their port numbers are 21, 22, 80, and 25. Rule 15 rejects all data packets and returns an icmp-host-prohibited packet to the other party.

1.3 supplementary explanation

Please remind me again that,These rules are ordered.. When a packet enters the RH-Firewall-1-INPUT chain, it is compared with rule 3 to Rule 15 in sequence. According to the target settings of these rules, if the packet can match any of the rules 3 to 14, the packet will be received. If none of them match, it will certainly match Rule 15, so the packet is rejected.

Since the RH-Firewall-1-INPUT chain is called by the INPUT chain, if you want to RETURN to the INPUT chain, you need to execute the target action Named RETURN.

(In the FORWARD chain also called the RH-Firewall-1-INPUT chain, that is, if the packet is not sent to the local machine, when the FORWARD chain, but also to enter the RH-Firewall-1-INPUT chain, match with rule 3 to Rule 15 again.

2. manage host firewall rules

There can be a lot of functional firewalls, some of which are installed on a host, mainly used to protect the security of the host itself; some are installed on a node in the network, it is used to protect the security of other computers in the network. some clients can also provide NAT services for the intranet, so that the intranet clients can share a public IP address to save IP address resources. The following describes the application example of the host firewall.

When a server provides important services to the outside world or a client is used in an insecure network environment, a firewall must be installed on the computer, to prevent the host from being attacked to the maximum extent.

For example, in order for the host to provide the telnet service for the outside world, in addition to configuring the telnet server, Port TCP23 must be opened. In the default firewall configuration, TCP packets with the destination port of 23 are not allowed to enter the host. To open port TCP23, there can be two ways, one is to add the corresponding rules in the RH-Firewall-1-INPUT chain, the other is to add the rules to the INPUT chain. However, it should be noted that the rules are ordered. if you use the following command, it will be ineffective.

[Root @ edwin ~] # Iptables-A RH-Firewall-1-INPUT-p tcp -- dport23-j ACCEPT

After the preceding command is executed, you can view the rules again.

[Root @ edwin ~] # Iptables-L-n -- line-number

...

Chain RH-Firewall-1-INPUT (2 references)

Num target prot opt source destination

...

11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt: 80

12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt: 25

13 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt: 23 # New Rule

You can see that the newly added rule is at the last position. Because all data packets can match the rule number 13 with the target action REJECT, and the REJECT indicates a denial, the data packets must have been discarded before they arrive at the newly added rule, this rule will not be used. To solve this problem, you need to insert the above rules to the existing rules, which must be located before Rule 13. The following is a correct command to open port TCP23.

[Root @ edwin ~] # Iptables-I RH-Firewall-1-INPUT 11-p tcp -- dport 23-j ACCEPT

In the above command, "-I RH-Firewall-1-INPUT11" indicates that a new rule is inserted before the original Rule 11 of the RH-Firewall-1-INPUT chain, the rule content is to accept TCP packets with the destination port of 23. To delete the previously added invalid rule, run the following command.

[Root @ edwin ~] # Iptables-D RH-Firewall-1-INPUT 15

15 is the invalid rule that was added for the first time. The rule number may also be another value, which can be changed according to the specific display result. If you want the newly added rules to be similar to those of the original rules 11 and 12, run the following command.

[Root @ edwin ~] # Iptables-I RH-Firewall-1-INPUT 11-m state -- state NEW-p tcp -- dport 23-j ACCEPT

The above is to add rules in the RH-Firewall-1-INPUT chain to open port TCP23. Another method to open port TCP23 is to add rules in the INPUT chain. the specific command is as follows.

[Root @ edwin ~] # Iptables-I INPUT 1-p tcp -- dport 23-jACCEPT

[Root @ edwin ~] # Iptables-L -- line-number

Chain INPUT (policy ACCEPT)

Num target protopt source destination

1 ACCEPT tcp -- anywhere tcp dpt: telnet

2 RH-Firewall-1-INPUT all -- anywhere

...

Note: The added rule also exists before the original rule 2; otherwise, any packet matches rule 2 and will jump to the RH-Firewall-1-INPUT chain and no longer return. Therefore, rules added after rule 2 are invalid.

3. common host firewall rules

When you set up a host firewall, you can first release the firewall and then disable it all. That is to say, according to the characteristics of the host, plan the external data packets that are allowed to enter the host, and then design rules to allow these data packets. If a data packet does not match the rule that allows data packets, the rule matches the last rule that prohibits access and is denied access to the host. The following lists the iptables commands commonly used in host firewalls and their explanations. The rules added by these commands are all placed in the INPUT chain of the filter table.

Example 1:

[Root @ edwin ~] # Iptables-a input-p tcp -- dport 80-j ACCEPT

Function: allow TCP data packets whose destination port is 80 to pass through the INPUT chain.

Note: This type of data packet is generally used to access the Web service of the host. if the host provides Web services on the default port, use this rule to open the TCP80 port.

Example 2:

[Root @ edwin ~] # Iptables-a input-s 192.168.1.0/24-I eth0-jDROP

Function: drops the packet whose first 3 bytes are 192.168.1 from the eth0 interface.

Note: pay attention to the location of this rule. if the data packet that matches this rule also matches the previous rule, and the previous rule is released, this rule does not work for the matched data packets.

Example 3:

[Root @ edwin ~] # Iptables-a input-p udp -- sport 53 -- dport1024: 65535-j ACCEPT

Function: in the INPUT chain, the source port number is 53, and the destination port number is 1024 to 65535.

Note: data packets with this feature are the data packets replied by the DNS server when the local machine queries DNS.

Example 4:

[Root @ edwin ~] # Iptables-a input-p tcp -- tcp-flags SYN, RST, ACKSYN-j ACCEPT

Function: SYN, RST, and ACK3 indicate that the SYN bit is 1, and the other two TCP packets with 0 are allowed. A packet that meets this characteristic is a packet that initiates a TCP connection.

Note: The "-- tcp-flags" sub-option is used to specify the flag of TCP data packets. there can be 6 SYN, ACK, FIN, RST, URG, and PSH. When these flags are used as the "-- tcp-flags" parameter, they are divided into two parts by spaces. The first part lists the required flags separated by commas (,). The second part lists the flags with a value of 1. if there are multiple flags, separate them with commas, the value of the flag not listed in the next part must be 0.

Note: Because this command is frequently used, you can use "-- syn" instead of "-- tcp-flags SYN, RST, ack syn ".

Example 5:

[Root @ edwin ~] # Iptables-a input-p tcp-m multiport -- dport20: 23,53, 80,110-j ACCEPT

Function: Receives TCP packets destined for ports 20 to 23, 53, 80, and 110.

Note: "-m multiport" is used to specify multiple ports. up to 15 ports can be specified and separated.

Example 6:

[Root @ edwin ~] # Iptables-a input-p icmp-m limit -- limit 6/m -- limit-burst 8-j ACCEPT

Function: limits the ICMP packet passing rate. when eight packets pass through within one minute, the limit for passing 6 packets per minute is triggered.

Note: In the preceding command, apart from m, s (seconds), h (hours), and d (days) can also be used ). This rule is mainly used to prevent DoS attacks.

Example 7:

[Root @ edwin ~] # Iptables-a input-p udp-m mac -- mac-source! 00: 0C: 6E: AB: CC-j DROP

Function: Rejects UDP packets whose source MAC address is not 00: 0C: 6E: AB: CC.

Note: This rule should not be prefixed. Otherwise, most UDP packets will be rejected and subsequent rules will not be used.

4. redefine firewall rules

The preceding section describes how to add your own firewall rules based on RHEL5's default firewall rules to open port TCP23. In many cases, users may want to build their own firewalls from the initial state. To set the iptables firewall from scratch, run the following command to clear all the rules of the firewall.

[Root @ edwin ~] # Iptables-F

[Root @ edwin ~] # Iptables-X

[Root @ edwin ~] # Iptables-Z

Then add your own firewall rules as required. Generally, rules for protecting the host where the firewall is located are added to the INPUT built-in chain to block some packets from accessing the local machine. Packets sent from the local machine only go through the OUTPUT chain, which is generally not restricted. If you do not want the local machine to provide route forwarding for external data packets, you can add a rule in the FORWARD chain to reject all data packets, or simply set in the kernel to not FORWARD any data packets.

Convert to a "powerful iptables protection Shell script"

#! /Bin/bash

EPT = "/sbin/iptables"

CONNECTION_TRACKING = "1"

# Private network

CLASS_A = "10.0.0.0/8"

CLASS_ B = "172.16.0.0/12"

CLASS_C = "192.168.0.0/16"

# DNS multicast and Bogus Packet

CLASS_D_MULTICAST = "224.0.0.0/4"

CLASS_E_RESERVED_NET = "240.0.0.0/5"

BROADCAST_src = "http://upload.server110.com/image/20140225/154505J05-0.jpg"

BROADCAST_DEST = "255.255.255.255"

LOOPBACK_INTERFACE = "lo"

# Remove any existing rules

$ Ipt-f

$ Ipt-x

$ Ipt-z

# Setting default firewall policy

$ Ipt-p FORWARD DROP

$ Ipp-input DROP

$ Ipp-output DROP

# Setting for loopback interface

$ Ipt-a INPUT-I lo-j ACCEPT

$ Ipt-a OUTPUT-o lo-j ACCEPT

# Stealth Scans and TCP State Flags

# All of the bits are cleared

$ Ipt-a INPUT-p tcp -- tcp-flags all none-j DROP

# SYN and FIN are both set

$ Ipt-a INPUT-p tcp -- tcp-flags SYN, fin syn, FIN-j DROP

# SYN and RST are both set

$ Ipt-a INPUT-p tcp -- tcp-flags SYN, rst syn, RST-j DROP

# FIN and RST are both set

$ Ipt-a INPUT-p tcp -- tcp-flags FIN, rst fin, RST-j DROP

# FIN is the only bit set, without the expected accompanyingACK

$ Ipt-a INPUT-p tcp -- tcp-flags ACK, FIN-j DROP

# PSH is the only bit set, without the expected accompanyingACK

$ Ipt-a INPUT-p tcp -- tcp-flags ACK, PSH-j DROP

# URG is the only bit set, without the expected accompanyingACK

$ Ipt-a INPUT-p tcp -- tcp-flags ACK, URG-j DROP

# Using Connection State to By-pass Rule Checking

If ["$ CONNECTION_TRACKING" = "1"]; then

$ Ipt-a INPUT-m state -- state

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.