1. iptables parameters
-t: specify the table to operate on
-A: append a rule to a chain
-D: delete a rule from a chain
-I: insert a rule into a chain
-R: replace a rule in a chain
-L: list the rules in a chain
-F: flush (delete) all rules in a chain
-Z: zero the packet and byte counters of a chain
-N: create a new user-defined chain
-P: set the default policy (target) of a chain
-h: display help
-p: match the packet's protocol
-s: match the packet's source IP address
-j: specify the target to jump to
-i: match the network interface the packet arrived on
-o: match the network interface the packet leaves through
2. iptables examples:
# Allow the local loopback interface (the machine talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow this machine to access anything outside
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow port 21 of the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Allow port 20 of the FTP service
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Reject everything not allowed by the rules above
iptables -A INPUT -j REJECT
# Reject forwarded traffic not allowed by the rules above
iptables -A FORWARD -j REJECT
# Block a single IP
iptables -I INPUT -s 123.45.6.7 -j DROP
# Block a whole /8, that is 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.0.0.0/8 -j DROP
# Block the range 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP
# Block the range 123.45.6.1 to 123.45.6.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP
(1) Check the settings of IPTABLES on this machine
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
It can be seen that when I installed Linux, I chose to have a firewall and opened ports 22, 80, and 25.
If you did not enable the firewall when installing Linux, the listing looks like this:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
There are no rules at all.
(2) Clear the original rules.
Regardless of whether you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all rules in the current filter table.
[root@tp ~]# iptables -F    (clears the rules of all chains in the default table, filter)
[root@tp ~]# iptables -X    (deletes the user-defined chains in the default table, filter)
Let's look again:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Nothing is left. It is the same as when Linux was installed without the firewall enabled. (Let me say this in advance: these settings are like configuring an IP address with commands, and they are lost after a restart.) Here is how to save them.
[root@tp ~]# /etc/rc.d/init.d/iptables save
In this way, it can be written to the /etc/sysconfig/iptables file. After writing, remember to restart the firewall for it to take effect.
[root@tp ~]# service iptables restart
The tables are now empty, so we can start our own configuration.
(3) Set the default policies
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP
This sets what happens to packets that match none of the rules in the INPUT and FORWARD chains of the filter table: they are DROPped (discarded). This is a fairly safe configuration, since what we need to control is incoming packets.
For the OUTPUT chain we do not need to restrict outgoing packets as tightly, so its policy is ACCEPT. In other words, a packet that matches no rule is let through.
So the INPUT and FORWARD chains are written in terms of which packets are allowed to pass, while the OUTPUT chain is written in terms of which packets are not allowed to pass.
This setup is quite reasonable. Of course, you can also set all three chains to DROP, but I think it is unnecessary, and the number of rules you have to write grows. However, if you only need a limited few rules, for example because the machine is only a web server, setting all three chains to DROP is still recommended.
Note: if you are logged in over SSH, your session will be disconnected as soon as you enter the first command and press Enter, because no rule allowing SSH has been set yet.
(4) Add rules.
First the INPUT chain. The default policy of the INPUT chain is DROP, so we write the rules that need to ACCEPT (pass).
In order to use remote SSH login, we need to open port 22.
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: if you set the OUTPUT policy to DROP, you must also write this rule. Many people fail to SSH in because of this rule. Try it from a remote session and you will see.)
The same goes for other ports. If the web server is enabled and OUTPUT is set to DROP, a rule must also be added:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
If you have a WEB server, open port 80.
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
If you set up a mail server, open ports 25 and 110.
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
If you set up an FTP server, open port 21 (and port 20 for FTP data)
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
If you have a DNS server, open port 53
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
If you run other services, just open whichever port each one needs.
Everything written above mainly concerns the INPUT chain. Anything not matched by the rules above will be DROPped.
Allow ICMP packets to pass, that is, allow ping:
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if OUTPUT is set to DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (if INPUT is set to DROP)
Allow loopback! (Otherwise things like DNS will not shut down properly.)
iptables -A INPUT -i lo -p all -j ACCEPT     (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT    (if OUTPUT is DROP)
Now the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so we write the rules that need to DROP (discard).
Reduce connections on insecure ports:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojans scan for services on ports 31337 to 31340 ("elite" ports in hacker jargon). Since legitimate services do not communicate on these non-standard ports, blocking them can effectively reduce the chance that a possibly infected machine on your network talks to its remote master server on its own.
The same goes for other ports, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked. Of course, for tighter control you can also set the OUTPUT chain to DROP and then add more rules, just like the ones added above to allow SSH login. Just follow the same pattern.
Let’s write down more detailed rules, which are restricted to a certain machine.
For example: we only allow the machine at 192.168.0.3 to connect via SSH
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
If you want to allow or restrict a range of IP addresses, 192.168.0.0/24 means all IPs from 192.168.0.1 to 192.168.0.255; the 24 is the subnet mask length. But remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
because it means that all addresses can log in.
Or use command mode:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save it. I will say it once more: this is the command method, which only takes effect immediately. If you want it to survive a restart, you need to save it so it is written to the /etc/sysconfig/iptables file.
[root@tp ~]# /etc/rc.d/init.d/iptables save
Writing !192.168.0.3 (a ! in front of the address) means all IP addresses other than 192.168.0.3.
The other rule connections are also set up in the same way.
Now the FORWARD chain. The default policy of the FORWARD chain is DROP, so we write the rules that need to ACCEPT (pass) in the forwarding chain.
Turn on forwarding (required when doing NAT, since the default policy of FORWARD is DROP):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets (a NEW connection whose first packet is not a SYN):
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Rate-limit IP fragments to prevent fragment floods, allowing 100 per second:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Rate-limit ICMP packets to 1 per second, with a burst of 10 before the limit kicks in:
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
I only allow ICMP packets through with this limit because of restrictions at my site.
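The tutorial sets the INPUT policy to DROP before the port-22 rule exists, which is exactly what disconnects the SSH session. The script below is an added example (not part of the original tutorial) that builds the same filter ruleset as an iptables-restore file, so the policies and the ACCEPT rules are loaded in one atomic transaction; it also refuses to load a ruleset with no SSH allow rule. The admin host 192.168.0.3 is taken from the text, and SERVICE_PORTS is a constructed default.

```shell
# Added example, not from the original tutorial: emit the filter ruleset in
# iptables-restore format so policies and rules are applied atomically (no
# window in which INPUT is DROP but tcp/22 is not yet allowed).
# Assumptions: SSH from the admin host only (192.168.0.3, from the text);
# the tcp ports to open are a constructed default in SERVICE_PORTS.
ADMIN_HOST="${ADMIN_HOST:-192.168.0.3}"
SERVICE_PORTS="${SERVICE_PORTS:-22 80}"

gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
EOF
    for p in $SERVICE_PORTS; do
        if [ "$p" = 22 ]; then   # SSH only from the admin host
            echo "-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT"
        else
            echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
        fi
    done
    cat <<EOF
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Returns 0 only if the ruleset text contains an INPUT ACCEPT for tcp/22,
# i.e. loading it will not cut off the SSH session used to apply it.
lockout_safe() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT .*--dport 22 .*-j ACCEPT$'
}

# Validate, then load atomically. iptables-restore -t parses without committing.
apply_rules() {
    rules=$(gen_filter_rules)
    lockout_safe "$rules" || { echo 'refusing: no SSH allow rule' >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore -t || return 1
    printf '%s\n' "$rules" | iptables-restore
}
```

Because ESTABLISHED,RELATED is accepted before the per-port rules, the stateless `--sport 22` OUTPUT rule from the text is not needed even if OUTPUT is later set to DROP.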
3. Configure a NAT table firewall
(1) Check the NAT settings of this machine
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Of course, if you have not configured NAT yet, there is nothing to clear, because the nat table is empty by default.
If you want to clear it anyway, the commands are:
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
(2) Add rules
Here we only add DROP rules, because the default policies of all the chains are ACCEPT.
Prevent hosts on the external network from spoofing internal network addresses:
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
If we want to block, for example, MSN, QQ or BitTorrent, we need to find the ports or IPs they use (personally I do not think it is necessary).
Example:
Block all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Block the FTP port (21):
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
This rule is too broad; we can define it more precisely:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This only blocks FTP connections to the address 211.101.46.253. Other connections, such as web (port 80) connections, are fine.
Following this pattern, you only need to find the IP addresses and ports that QQ, MSN and similar software use, and which protocol they run over, and write the rules the same way.
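One caveat for the DROP rules above: the nat table is consulted only for the first packet of a new connection, so blocking is conventionally done in the filter table instead. The script below is an added example (not from the original tutorial) that reads `iptables -S -t nat` style output, flags PREROUTING rules that DROP, and rewrites them as equivalent filter INPUT and FORWARD rules; the sample input is constructed from the rules shown on this page (the SNAT line is reconstructed from the listing and assumes eth0 as the outside interface).

```shell
# Added example, not from the original tutorial. The nat table only sees the
# first packet of each connection, so DROP rules placed there are an awkward
# fit; this helper moves nat PREROUTING DROP rules into the filter table.
# Constructed sample in `iptables -S -t nat` format, from this page's rules;
# the SNAT rule is reconstructed from the listing and assumes eth0 (assumption).
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
-A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP
-A PREROUTING -d 211.101.46.253 -p tcp -m tcp --dport 21 -j DROP
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 211.101.46.235'

# Print the nat PREROUTING rules that DROP (these belong in filter instead).
find_nat_drops() {
    printf '%s\n' "$1" | grep -- '^-A PREROUTING .* -j DROP$'
}

# Rewrite each flagged rule into filter INPUT and FORWARD rules, as an
# iptables-restore stanza that can be loaded with `iptables-restore -n`
# (-n keeps the rules already present instead of flushing them).
move_nat_drops() {
    echo '*filter'
    find_nat_drops "$1" | while IFS= read -r rule; do
        match=${rule#-A PREROUTING }   # keep only the match part and target
        echo "-A INPUT $match"
        echo "-A FORWARD $match"
    done
    echo 'COMMIT'
}

# Number of flagged rules, usable from an audit script.
count_nat_drops() {
    find_nat_drops "$1" | wc -l | tr -d ' '
}
```

Run it against live output with `move_nat_drops "$(iptables -S -t nat)"`; the SNAT rule itself stays in the nat table, where it belongs.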
Finally:
Drop invalid connections:
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections:
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# /etc/rc.d/init.d/iptables save
In this way, it can be written to the /etc/sysconfig/iptables file. After writing, remember to restart the firewall for it to take effect.
[root@tp ~]# service iptables restart