Shulou (Shulou.com), SLTechnology News & Howtos > Network Security. Report of 06/01, updated 2025-01-16.
Iptables: four tables and five chains
Commands for displaying iptables rules
iptables -L -n -x -v
(-L lists the rules, -n prints addresses and ports numerically instead of resolving names, -x shows exact packet and byte counters instead of rounded K/M values, -v adds the interface and counter columns.)
If /etc/init.d/iptables status reports "Firewall is stopped", enable it from the command line with the setup tool: Firewall configuration -> Enabled.
Clearing the default rules
iptables -F, equivalent to iptables --flush: deletes all rules in every chain
iptables -X, equivalent to iptables --delete-chain: deletes user-defined chains (not rules)
iptables -Z, equivalent to iptables --zero: zeroes the packet and byte counters of every chain
Tip: by default these operate on the filter table only. To clear the nat table you need iptables -t nat -F (and likewise iptables -t nat -X).
Note that -F does not reset the built-in chains' default policies. If INPUT's policy is DROP, flushing the rules leaves a host that drops everything, including your ssh session; on a remote host set the policy back first with iptables -P INPUT ACCEPT.
Targets: ACCEPT (accept the packet), DROP (discard it silently), REJECT (discard it and send an error back to the sender).
Iptables runs inside the kernel; load and check the relevant kernel modules:
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
lsmod | grep ip
These are the 2.6-era module names the article targets. On current kernels the connection-tracking modules are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, and the state match is xt_state (or xt_conntrack), so check there with lsmod | grep -E 'nf_|xt_|ip'. Modules are also loaded automatically the first time a rule needs them, so a missing entry in lsmod on a host with no rules yet is not an error.
1. Blocking and unblocking port 22 (ssh)
Block port 22:
iptables -A INPUT -p tcp --dport 22 -j DROP
Delete that rule again (the -D form must repeat the rule exactly as it was added):
iptables -D INPUT -p tcp --dport 22 -j DROP
Or delete by rule number (iptables -D INPUT 1); list the numbers first with:
iptables -L -n --line-numbers
The numbers shift whenever a rule is deleted, so list again before deleting a second rule by number.
Block connections from the 10.0.0.0/24 network segment
iptables -t filter -A INPUT -i eth0 -s 10.0.0.0/24 -j DROP
Delete the rule that blocks the 10.0.0.0/24 source segment
iptables -D INPUT -i eth0 -s 10.0.0.0/24 -j DROP
Block a single IP
iptables -I INPUT -p tcp -s 10.0.0.101 -j DROP
(-I inserts at the top of the chain, so the rule is evaluated before any earlier ACCEPT; -A appends at the bottom. As written the block only covers tcp; drop -p tcp to block udp and icmp from the host as well.)
Drop packets with destination port 22 at the firewall
iptables -I INPUT -p tcp --dport 22 -j DROP
Allow only one address to ping (drop echo requests from everyone else)
iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 ! -s 10.0.0.101 -j DROP
Allow only one network segment
iptables -t filter -I INPUT -i eth0 ! -s 10.0.0.0/24 -j DROP
This is equivalent to
iptables -t filter -I INPUT -i eth0 -s 10.0.0.0/24 -j ACCEPT
only when the INPUT chain's default policy is DROP (iptables -P INPUT DROP); with the default ACCEPT policy the second rule admits 10.0.0.0/24 but blocks nothing else. Negation is written ! -s, with the ! before the option; the older -s ! form is deprecated.
Block 3306 (MySQL)
iptables -A INPUT -p tcp --dport 3306 -j DROP
Practical iptables rules for common services
Allow a trusted network to pass through iptables
iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT
(The article writes the source as 10.0.0.1/24; iptables accepts that but treats it as 10.0.0.0/24, so write the network address to avoid confusion.)
Allow nagios (NRPE)
iptables -A INPUT -s 10.0.0.0/24 -p tcp --dport 5666 -j ACCEPT
Allow MySQL and Oracle from trusted IPs
iptables -A INPUT -s 10.0.0.0/24 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -p tcp --dport 1521 -j ACCEPT
Allow trusted IPs to connect to ssh (the example runs sshd on the non-standard port 5801)
iptables -A INPUT -p tcp -s 10.0.0.0/24 --dport 5801 -j ACCEPT
Open http (generally unrestricted)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
For internal http services, usually on special ports, restrict access to trusted IPs or VPN addresses:
iptables -A INPUT -s 10.0.0.0/24 -p tcp -m multiport --dports 8080,8888 -j ACCEPT
Restricting snmp
iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 161 -j ACCEPT
Restriction policy for the rsync service
iptables -A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
Restricting nfs
iptables -A INPUT -s 10.0.0.0/24 -p tcp -m multiport --dports 111,892,2049 -j ACCEPT
(mountd only listens on 892 if that port is pinned in the nfs configuration; by default rpcbind assigns it dynamically, so pin it before relying on this rule.)
Restricting ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The RELATED state is what admits the ftp data connections (port 20 in active mode, a high port in passive mode). It only works when the ftp connection-tracking helper loaded above (ip_conntrack_ftp; nf_conntrack_ftp on current kernels) is present, and it cannot track FTP over TLS, because the helper has to read the PORT/PASV commands in clear text.
Restricting icmp
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p icmp -s 10.0.0.0/24 -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
(Type 8 is echo-request, i.e. ping. The first rule allows every icmp type from anywhere, the second only from the trusted network, the third only ping; pick one rather than adding all three.)
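The service rules above, written as a single iptables-restore file instead of a sequence of iptables -A commands. This is an added example, not code from the original article: iptables-restore validates the file and loads the whole table in one atomic step, so there is no window in which a DROP policy is in force before the ssh ACCEPT rule exists, which is how adding rules one at a time over ssh locks you out. The network and ports are the article's; the default policies and the loopback/state rules at the top are added, and ADMIN_NET, SSH_PORT and the function names are assumed.

```bash
#!/bin/sh
# Added example, not from the original article: the "common services" rules
# as one iptables-restore file. ADMIN_NET and SSH_PORT are assumed names;
# the article's network (10.0.0.0/24) and ports are used as defaults.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # assumption: the trusted network
SSH_PORT="${SSH_PORT:-5801}"            # assumption: ssh on the article's port

# Print the complete filter table in iptables-save format. Comment lines are
# ignored by iptables-restore.
gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked traffic first, so replies are never dropped
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# management traffic from the trusted network only
-A INPUT -s $ADMIN_NET -p tcp -m tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s $ADMIN_NET -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp -m tcp --dport 873 -j ACCEPT
# databases and nfs, trusted network only
-A INPUT -s $ADMIN_NET -p tcp -m multiport --dports 3306,1521 -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp -m multiport --dports 111,892,2049 -j ACCEPT
# public web and ftp control channel; ftp data channels arrive as RELATED above
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# ping only (echo-request); other icmp types fall through to the DROP policy
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Check that the file parses, then load it atomically. Needs root on a Linux
# host; the generator above runs anywhere.
apply_filter_rules() {
    tmp=$(mktemp) || return 1
    gen_filter_rules >"$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run gen_filter_rules to review the file, apply_filter_rules as root to load it; on CentOS 6, service iptables save then writes the running rules to /etc/sysconfig/iptables so they survive a reboot. Because the policies are DROP, every service not listed is closed by default, which is the opposite of the article's append-only rules on an ACCEPT policy.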
Advanced mode
One-to-one IP mapping in NAT mode (an external address maps to an internal host)
iptables -t nat -A PREROUTING -d 201.10.10.11 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.12:80
SNAT (source network address translation)
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 203.21.9.1
Map the internal network onto a range of external IPs
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 203.21.9.1-203.21.9.20
The nat rules only rewrite addresses. For the translated packets to be passed on, forwarding must be enabled (sysctl -w net.ipv4.ip_forward=1) and the FORWARD chain must accept them; DNAT happens in PREROUTING, before routing, so the FORWARD rule has to match the translated destination 10.10.10.12, not 201.10.10.11.
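The DNAT and SNAT above together with the FORWARD rules and the ip_forward setting that the nat rules alone do not provide, as an added example that is not code from the original article. Addresses are the article's (201.10.10.11 -> 10.10.10.12:80, 10.0.0.0/24 -> 203.21.9.1); EXT_IF and the function names are assumptions.

```bash
#!/bin/sh
# Added example, not from the original article: one-to-one DNAT plus SNAT as
# an iptables-restore file, with the FORWARD chain the nat rules depend on.
# EXT_IF is an assumed name for the internet-facing interface.

EXT_IF="${EXT_IF:-eth0}"   # assumption: the internet-facing interface

# One-to-one port map: public ip, internal ip, tcp port -> PREROUTING rule.
dnat_rule() {
    printf '%s\n' "-A PREROUTING -d $1 -p tcp -m tcp --dport $3 -j DNAT --to-destination $2:$3"
}

# Matching FORWARD rule. It matches the *translated* destination, because DNAT
# in PREROUTING has already rewritten the packet by the time FORWARD sees it.
forward_rule() {
    printf '%s\n' "-A FORWARD -d $2 -p tcp -m tcp --dport $3 -m state --state NEW -j ACCEPT"
}

# nat table plus the FORWARD chain. Load with iptables-restore --noflush so the
# INPUT rules already present in the filter table are kept.
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
$(dnat_rule 201.10.10.11 10.10.10.12 80)
-A POSTROUTING -s 10.0.0.0/24 -o $EXT_IF -j SNAT --to-source 203.21.9.1
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$(forward_rule 201.10.10.11 10.10.10.12 80)
-A FORWARD -s 10.0.0.0/24 -o $EXT_IF -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Needs root on a Linux host: enable routing, validate, then load atomically.
apply_nat_rules() {
    tmp=$(mktemp) || return 1
    gen_nat_rules >"$tmp"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null &&
        iptables-restore --test --noflush "$tmp" &&
        iptables-restore --noflush "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The FORWARD chain is given a DROP policy and only two ways through: inbound NEW connections to the mapped host and port, and outbound NEW connections from the internal network, with replies in both directions admitted as ESTABLISHED. Without the --noflush flag the *filter section would wipe the existing INPUT rules; with it, loading the file twice appends the rules twice, so regenerate and reload only after flushing the nat table and FORWARD chain.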
I am a beginner at writing documents; please give me plenty of advice!