iptables usage example

1. iptables parameters

-t: specify the table to operate on;
-A: append a rule to a chain;
-D: delete a rule from a chain;
-I: insert a rule into a chain;
-R: replace a rule in a chain;
-L: list the rules in a chain;
-F: flush (delete) the rules in a chain;
-Z: zero the packet and byte counters of a chain;
-N: create a new user-defined chain;
-P: set the default policy (target) of a chain;
-h: display help;
-p: the protocol of the packets to match;
-s: the source IP address of the packets to match;
-j: the target to jump to;
-i: the network interface on which the packet enters the machine;
-o: the network interface through which the packet leaves the machine.

2. iptables examples

# Allow the local loopback interface (i.e. let the local machine talk to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# Allow established or related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic from this machine
iptables -A OUTPUT -j ACCEPT

# Allow access to port 22 (SSH)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow access to port 80 (web)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow port 21 for the FTP service
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# Allow port 20 for the FTP service
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

# Reject everything not allowed by the rules above (target names are case-sensitive: REJECT, not reject)
iptables -A INPUT -j REJECT

# Reject forwarded traffic not allowed by the rules above
iptables -A FORWARD -j REJECT

# Block a single IP
iptables -I INPUT -s 123.45.6.7 -j DROP

# Block a whole /8, i.e. the addresses from 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.0.0.0/8 -j DROP

# Block the range 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP

# Block the range 123.45.6.1 to 123.45.6.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP

  • (1) Check the current iptables rules on this machine
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

This shows that when I installed Linux I chose to enable the firewall, and ports 22, 80 and 25 were opened.

If you did not enable the firewall when installing Linux, the output looks like this instead:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There are no rules at all.
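The listing above can be checked mechanically rather than by eye. The following is an added example and not part of the original article: a few shell functions that read the text `iptables -L -n` prints and report the built-in chains whose default policy is ACCEPT, user-defined chains that nothing references (their rules never run), and ports accepted from any source. SAMPLE_LISTING is a constructed, slightly abridged copy of the first listing above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): audit the text that
# `iptables -L -n` prints. Works on a saved listing, so no root is needed.
# SAMPLE_LISTING is a constructed, abridged copy of the listing above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print every chain whose default policy is ACCEPT (a packet matching no
# rule in such a chain is let through).
accept_policy_chains() {
    printf '%s\n' "$1" | awk '/^Chain .* \(policy ACCEPT\)/ { print $2 }'
}

# Print user-defined chains that nothing jumps to: their rules never run.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '/^Chain .* \(0 references\)/ { print $2 }'
}

# Print proto/port pairs accepted from any source (0.0.0.0/0).
# Columns: target proto opt source destination [extra ...]
world_open_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "ACCEPT" && $4 == "0.0.0.0/0" {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $2 "/" $i }
        }'
}

# Human-readable summary of the three checks.
audit_report() {
    echo "chains with default policy ACCEPT:"
    accept_policy_chains "$1" | sed 's/^/  /'
    echo "user-defined chains with 0 references (rules never run):"
    unreferenced_chains "$1" | sed 's/^/  /'
    echo "ports accepted from any source:"
    world_open_ports "$1" | sed 's/^/  /'
}

audit_report "$SAMPLE_LISTING"
```

On a live machine run it as `audit_report "$(iptables -L -n)"` (root required). Two caveats when reading `-L` output: without `-v` the interface column is hidden, so a rule shown as `ACCEPT all 0.0.0.0/0 0.0.0.0/0` may in fact be limited to an interface such as lo (use `iptables -L -n -v` to see it); and for the listing above the report shows all three built-in chains with policy ACCEPT and RH-Firewall-1-INPUT with 0 references, i.e. no rule in a built-in chain jumps to it.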
  • (2) Clear the existing rules

Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all the rules of the current filter table:

[root@tp ~]# iptables -F        # flush the rules of every chain in the default table (filter)
[root@tp ~]# iptables -X        # delete the user-defined chains in the default table (filter)

Let's take a look:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Nothing is left; it is the same as a fresh installation with the firewall disabled. (Note in advance: like setting an IP address from the command line, these settings are lost after a restart.) To save them:

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. After saving, remember to restart the firewall for them to take effect:

[root@tp ~]# service iptables restart

The iptables rule table is now empty, so let's start our configuration.

  • (3) Set the default policies
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP

This sets what happens to a packet that reaches the end of the INPUT or FORWARD chain of the filter table without matching any rule: it is dropped (DROP). This is a very safe setting; it is incoming packets that we need to control.

For the OUTPUT chain, i.e. packets leaving the machine, we do not need to impose many restrictions, so we use ACCEPT: a packet that matches no rule is let through.

In other words, the INPUT and FORWARD chains list what is allowed to pass, while the OUTPUT chain lists what is not allowed to pass.

This setting is quite reasonable. You can of course set all three chains to DROP, but I think that is unnecessary and it increases the number of rules you have to write. If you only need a handful of rules, for example because the machine is only a web server, then setting all three chains to DROP is still recommended.

Note: if you are logged in over remote SSH, your session will be cut off the moment you press Enter on the first command, because no rule allowing SSH exists yet.

  • (4) Add rules

First the INPUT chain. The default policy of the INPUT chain is DROP, so here we write the rules for what must be ACCEPTed (passed).

To allow remote SSH login, open port 22:

[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(Note: if you set OUTPUT to DROP, you must also write the second rule. Many people cannot SSH in because they forget it. Try SSH remotely now; it should work.)

The same goes for other ports. If you run a web server and OUTPUT is set to DROP, a matching rule must also be added:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

If you have a web server, open port 80:

[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If you run a mail server, open ports 25 and 110:

[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If you run an FTP server, open ports 21 and 20:

[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

If you run a DNS server, open port 53:

[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

If you run other servers, just open whichever ports they need.

The rules above are mainly for the INPUT chain; anything not matched by them is dropped.

Allow ICMP packets, i.e. allow ping:

[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is set to DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (if INPUT is set to DROP)

Allow loopback! (Otherwise you get problems such as DNS not shutting down properly.)

[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)

Now the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so here we write the rules for what must be DROPped.

Reduce connections on insecure ports:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Some Trojans scan for services on ports 31337 to 31340 (the "elite" ports in hacker slang). Since legitimate services do not communicate on these non-standard ports, blocking them effectively reduces the chance that potentially infected machines on your network talk to their remote controllers on their own.

The same goes for other ports, for example 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked. Of course, for tighter control you can also set the OUTPUT chain to DROP and then add more rules, just like the ones added above to allow SSH login.

Let's write more specific rules, restricted to a particular machine.

For example, we only allow the machine at 192.168.0.3 to connect over SSH:

[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

If you want to allow or restrict a range of addresses, 192.168.0.0/24 means all addresses from 192.168.0.1 to 192.168.0.255; the 24 is the length of the subnet mask. But remember to delete this line from /etc/sysconfig/iptables:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

because it means that every address may log in.

Or do it from the command line:

[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Then save. I will say it once more: commands only take effect immediately; if you want them to survive a restart you must save them to the /etc/sysconfig/iptables file:

[root@tp ~]# /etc/rc.d/init.d/iptables save

Writing the address with a leading ! (as in -s ! 192.168.0.3; newer iptables versions write ! -s 192.168.0.3) means every address other than 192.168.0.3.

The other rules are set up in the same way.
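Steps (3) and (4) are typed one command at a time, which is exactly why the SSH session drops after `iptables -P INPUT DROP`. The following is an added example, not code from the original article: a shell script that emits the same INPUT policy as one iptables-restore file, which `iptables-restore` loads atomically so the DROP policy and the allow rules arrive together. The function names, the port lists and the SSH_ADMIN_SOURCE value (taken from the 192.168.0.3 example above) are my own choices; generating the file needs no root, applying it does.

```shell
#!/bin/sh
# Added example (not from the original article): the INPUT policy from
# steps (3) and (4) as one iptables-restore file. iptables-restore swaps
# the whole table in atomically, so the DROP policy and the allow rules
# arrive together and a remote SSH session is not cut off between commands.
# Function names and port lists are my own; generation needs no root.

ALLOWED_TCP_PORTS="22 80 25 110 21 20"   # ssh, http, smtp, pop3, ftp
ALLOWED_UDP_PORTS=""                     # e.g. "53" for a DNS server (TCP 53 alone is not enough)
SSH_ADMIN_SOURCE="192.168.0.3"           # empty string = accept SSH from anywhere

# Print the filter table in iptables-restore syntax. Order matters: rules
# are evaluated top to bottom and the chain policy decides what is left.
generate_ruleset() {
    tcp_ports=$1; udp_ports=$2; ssh_src=$3
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback first: local services (resolvers, databases) talk to themselves.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Packets that conntrack cannot associate with any connection.
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Replies to connections this host opened, and related traffic (FTP data).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Ping.
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for p in $tcp_ports; do
        if [ "$p" = 22 ] && [ -n "$ssh_src" ]; then
            printf '%s\n' "-A INPUT -s $ssh_src -p tcp --dport 22 -j ACCEPT"
        else
            printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
        fi
    done
    for p in $udp_ports; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of rules appended to INPUT (sanity check before applying).
count_input_rules() {
    printf '%s\n' "$1" | grep -c -- '^-A INPUT '
}

# Exit status 0 unless the ruleset would lock out SSH: INPUT policy DROP
# with no rule that accepts tcp dport 22.
check_no_lockout() {
    if printf '%s\n' "$1" | grep -q -- '^:INPUT DROP'; then
        printf '%s\n' "$1" | grep -q -- '^-A INPUT .*-p tcp --dport 22 .*-j ACCEPT' || return 1
    fi
    return 0
}

# Apply atomically (root only). Refuses a ruleset that fails the check.
apply_ruleset() {
    check_no_lockout "$1" || { echo 'refusing: no rule accepts SSH' >&2; return 1; }
    printf '%s\n' "$1" | iptables-restore
}

RULESET=$(generate_ruleset "$ALLOWED_TCP_PORTS" "$ALLOWED_UDP_PORTS" "$SSH_ADMIN_SOURCE")
printf '%s\n' "$RULESET"
# To install on the machine: apply_ruleset "$RULESET"   (as root)
```

The generated file is the same format `/etc/rc.d/init.d/iptables save` writes to /etc/sysconfig/iptables, so it can be saved there directly. `check_no_lockout` is the check worth running before any apply: it refuses a ruleset whose INPUT policy is DROP but which accepts SSH from nowhere.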

Now the FORWARD chain. The default policy of the FORWARD chain is DROP, so here we write the rules for what must be ACCEPTed (passed) through the forwarding chain.

Enable forwarding (required when doing NAT with a default FORWARD policy of DROP):

[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Discard bad TCP packets (new connections that do not start with a SYN):

[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Rate-limit IP fragments to 100 per second to mitigate fragment attacks:

[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Rate-limit ICMP packets to 1 per second, with a burst of 10 packets before the limit kicks in:

[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

I only allow ICMP packets through here because my setup has restrictions.

3. Configure the NAT table firewall

  • (1) Check the NAT rules on this machine
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Of course, if you have not configured NAT yet, there is nothing to clear, because the NAT table is empty by default.

If you do want to clear it, the commands are:

[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
  • (2) Add rules

Here we only add DROP rules, because the default policy of every NAT chain is ACCEPT.

Prevent hosts on the external network from spoofing internal (private) addresses:

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
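Both the address-range blocks in section 2 (whose comments spell out which hosts each /8, /16 and /24 covers) and the three anti-spoofing rules just above depend on getting the CIDR block right; a mistyped octet silently blocks the wrong network. The following is an added example, not code from the original article: shell functions that compute the host range of a CIDR block and test whether an address falls inside it, including the three RFC 1918 private ranges dropped above. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): work out which addresses
# a CIDR block in a DROP rule really covers before the rule goes live.
# Serves the /8, /16 and /24 blocks of section 2 and the three private
# ranges dropped above. Pure shell arithmetic: no root, no iptables.

MAX32=4294967295   # 0xFFFFFFFF

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> network mask as an integer.
prefix_to_mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (MAX32 << (32 - $1)) & MAX32 ))
}

# First and last usable host of a CIDR block, the way the article's
# comments give them (123.0.0.0/8 -> 123.0.0.1 123.255.255.254).
cidr_range() {
    net=${1%/*}; len=${1#*/}
    mask=$(prefix_to_mask "$len")
    base=$(( $(ip_to_int "$net") & mask ))
    top=$(( base | (MAX32 & ~mask) ))
    if [ "$len" -ge 31 ]; then
        echo "$(int_to_ip "$base") $(int_to_ip "$top")"
    else
        echo "$(int_to_ip $((base + 1))) $(int_to_ip $((top - 1)))"
    fi
}

# Exit status 0 if address $1 lies inside CIDR block $2.
in_cidr() {
    net=${2%/*}; len=${2#*/}
    mask=$(prefix_to_mask "$len")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Exit status 0 if $1 is an RFC 1918 private address, i.e. one that should
# never arrive on the external interface and that the rules above drop.
is_private() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        in_cidr "$1" "$block" && return 0
    done
    return 1
}

for block in 123.0.0.0/8 123.45.0.0/16 123.45.6.0/24; do
    echo "$block covers $(cidr_range "$block")"
done
```

`in_cidr 123.45.6.7 123.45.0.0/16` succeeds while `in_cidr 123.45.6.7 124.45.0.0/16` fails, which is the kind of octet slip worth catching before a rule is loaded. One caveat on the rules above themselves: the nat table only sees the first packet of each connection, so source filtering is normally placed in the filter table (INPUT/FORWARD) as well, where every packet is checked.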

If you want to block, say, MSN, QQ or BT, you need to find the ports or IPs they use (personally I do not think this is necessary).

Example:

Block all connections to 211.101.46.253:

[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP

Block the FTP port (21):

[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

This is too broad; we can make it more precise:

[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP

This blocks only FTP connections to 211.101.46.253; other connections, such as web (port 80), are fine.

Following this pattern, you only need to find the IP addresses and ports that QQ, MSN and similar software use, and which protocol they are based on, and write the rules the same way.

Finally:

Drop invalid connections:

[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP

Allow all established and related connections:

[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. After saving, remember to restart the firewall for them to take effect:

[root@tp ~]# service iptables restart