
Detailed steps for linux to configure a firewall

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "detailed steps for configuring a firewall on Linux". In real cases many people run into this difficulty, so let the editor walk you through how to handle these situations. I hope you read carefully and get something out of it!

Through iptables we can give our Linux server a stateful firewall: one that can identify and remember the state of the connections over which packets are sent or received. iptables is the set of commands used to set up, maintain and inspect the IP packet filtering rules of the Linux kernel. The way iptables rules are written is somewhat involved, so this article explains in detail how to write iptables rules for a Linux firewall:

⑴ The basic format of an iptables rule is:

iptables [-t table] COMMAND chain CRITERIA -j ACTION

⑵ Description of the parts of an iptables rule:

-t table: one of the three tables filter, nat and mangle (filter is the default)

COMMAND: defines how the rule is managed (for example -A appends a rule, -D deletes one, -P sets a chain policy)

chain: specifies the chain on which the following rules operate; it can be omitted when defining policies

CRITERIA: the matching criteria

-j ACTION: what to do with a packet that matches

⑶ Other useful forms and notes on iptables rules:

iptables -L -n -v    # view the defined rules in detail

iptables is an essential tool for configuring a firewall on a Linux server, and one we use constantly when hardening servers and deploying large networks. A good grasp of iptables gives a thorough understanding of how the whole network stack of a Linux server is structured and makes it easier to master the security configuration of the server.

First, configure a firewall for the filter table.

(1) Check the current iptables settings on this machine.

The code is as follows:

[root@tp]# iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

As you can see, when I installed Linux I chose to enable the firewall, and ports 22, 80 and 25 were opened.

If you did not enable the firewall when installing Linux, it looks like this:

The code is as follows:

[root@tp]# iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There are no rules at all.

(2) Clear the existing rules.

Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all the current filter rules.

The code is as follows:

[root@tp ~]# iptables -F    # flush all rule chains in the default table (filter)

[root@tp ~]# iptables -X    # delete the user-defined chains in the default table (filter)

Let's take a look.

The code is as follows:

[root@tp]# iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Nothing is left, just as if we had not enabled the firewall when installing Linux. (Note that, like an IP address configured from the command line, these settings are lost on reboot.) Here is how to save them:

The code is as follows:

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the file /etc/sysconfig/iptables. Remember to restart the firewall after saving so that they take effect.

The code is as follows:

[root@tp ~]# service iptables restart

Now that the iptables configuration is empty, let's start our own configuration.

(3) Set the default policies

The code is as follows:

[root@tp ~]# iptables -P INPUT DROP

[root@tp ~]# iptables -P OUTPUT ACCEPT

[root@tp ~]# iptables -P FORWARD DROP

The above means: for the two chains INPUT and FORWARD of the filter table, a packet that matches none of the rules in the chain is handled by the chain policy, which is DROP. This configuration is quite safe: we need to control the packets coming in.

For the OUTPUT chain we do not place many restrictions on outgoing packets, so its policy is ACCEPT: a packet that matches no rule passes through.

So in the INPUT and FORWARD chains we write which packets are allowed, and in the OUTPUT chain which packets are not allowed.

This setting is quite reasonable. Of course, you can set all three chains to DROP, but I don't think it is necessary, and the number of rules to write grows. But if you only need a limited set of rules, for example a machine that is only a WEB server, it is recommended to set all three chains to DROP.

Note: if you are logged in remotely over SSH, you will be cut off as soon as you enter the first command (iptables -P INPUT DROP), because no rules have been set yet.

What to do? Work from the local console!

(4) Add rules.

First the INPUT chain. Its default policy is DROP, so we write the rules for what needs to be ACCEPTed (passed).

In order to log in using remote SSH, we need to open port 22.

The code is as follows:

[root@tp]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@tp]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(Note: this second rule is required if you set OUTPUT to DROP. Many people forget to write it and can never get in over SSH. Try it from a remote machine and see.)

The same goes for other ports. If you run a web server and have set OUTPUT to DROP, a rule must be added for it too:

The code is as follows:

[root@tp]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

The same applies to the other services.

If you run a WEB server, open port 80.

The code is as follows:

[root@tp]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If you run a mail server, open ports 25 and 110.

The code is as follows:

[root@tp]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT

[root@tp]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If you run an FTP server, open port 21.

The code is as follows:

[root@tp]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

If you run a DNS server, open port 53.

The code is as follows:

[root@tp]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

For any other server you run, just open the port it needs in the same way.

What is written above is mainly the INPUT chain; everything not matched by the rules above is DROPped.

Allow ICMP packets, that is, allow ping:

The code is as follows:

[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    # if OUTPUT is set to DROP

[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT    # if INPUT is set to DROP

Allow loopback! (Otherwise it causes problems, such as DNS not shutting down normally.)

The code is as follows:

[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT    # if INPUT is set to DROP

[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    # if OUTPUT is set to DROP

Next the OUTPUT chain. Its default policy is ACCEPT, so we write the rules for what needs to be DROPped.

Reduce connections on insecure ports

The code is as follows:

[root@tp]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP

[root@tp]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Some Trojans scan for services on ports 31337 to 31340 (the "elite" ports in hacker jargon). Since legitimate services do not use these non-standard ports, blocking them effectively reduces the chance that a potentially infected machine on your network can communicate on its own with its remote master server.

Other ports, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), should also be blocked. My list here is not complete; interested readers should consult the relevant information.

Of course, for more security you can also set the OUTPUT chain to DROP and then add more rules, like the SSH login rule above. Just write them accordingly.

Let's write a more detailed rule, restricted to a particular machine.

For example, we only allow the machine 192.168.0.3 to make SSH connections:

The code is as follows:

[root@tp]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

If you want to allow or restrict a whole range of IP addresses, use 192.168.0.0/24, where 24 is the length of the subnet mask. But remember to delete the line

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

from /etc/sysconfig/iptables, because it means that every address can log in.

Or by command:

The code is as follows:

[root@tp]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Then save. I repeat: a change made by command only takes effect for the current session; for it to survive a restart you must save it, which writes it to /etc/sysconfig/iptables.

The code is as follows:

[root@tp ~]# /etc/rc.d/init.d/iptables save

Written with a negation, ! 192.168.0.3 (as in -s ! 192.168.0.3) means every address except 192.168.0.3.

The same applies to the other regular connections.

Next the FORWARD chain. Its default policy is DROP, so we write the rules for what needs to be ACCEPTed (passed) in order to control the forwarding chain.

Enable forwarding. (When doing NAT, the default policy of FORWARD is DROP.)

The code is as follows:

[root@tp]# iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

[root@tp]# iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

Discard bad TCP packets (packets claiming a NEW connection that are not SYN packets):

The code is as follows:

[root@tp]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Limit the rate of IP fragments to guard against fragment attacks, allowing 100 per second:

The code is as follows:

[root@tp]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Set ICMP packet filtering to allow 1 packet per second, with a burst of 10 packets before the limit triggers:

The code is as follows:

[root@tp]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

I only allowed ICMP packets to pass earlier because I have this limit here.
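The filter-table procedure above (the policies of step (3); the loopback, ICMP, per-port and per-host ACCEPT rules of step (4); and the INVALID-drop and ESTABLISHED,RELATED rules the article adds at the end) can be written as one iptables-restore file, which applies the chain policies and all rules in a single commit. That is the usual answer to the SSH lockout warned about in step (3): the port-22 rule and the INPUT DROP policy take effect together, so there is no window in which the policy exists without the rule. The POSIX shell script below is an added example, not code from the article: it generates such a file for a given admin host and service list and includes a guard that refuses any ruleset whose INPUT policy is DROP without an ACCEPT for tcp/22. The admin host 192.168.0.3 and the service list are constructed sample values; services are given as PORT/PROTO so that UDP services are covered (a DNS server needs 53/udp as well as the article's 53/tcp).

```shell
#!/bin/sh
# Added example (not from the original article): emit the filter table as an
# iptables-restore file so policies and rules are committed atomically.
# Assumptions: ADMIN_HOST is the only source allowed to open SSH; SERVICES is a
# space-separated list of PORT/PROTO entries (sample values in the usage below).

# build_filter_rules ADMIN_HOST "PORT/PROTO ..." -> ruleset on stdout
build_filter_rules() {
    admin_host=$1
    services=$2
    printf '%s\n' '*filter'
    # Chain policies (step (3)): unmatched INPUT/FORWARD packets are dropped.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first, so local services and the resolver keep working.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, then explicitly broken packets.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # ICMP, rate-limited to 1/s with a burst of 10, as in the FORWARD example.
    printf '%s\n' '-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT'
    # SSH only from the admin host (the article's 192.168.0.3 rule).
    printf '%s\n' "-A INPUT -s $admin_host -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # One NEW-state rule per published service; works for tcp and udp alike.
    for svc in $services; do
        port=${svc%/*}
        proto=${svc#*/}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Forwarded TCP that claims to be NEW but is not a SYN is dropped.
    printf '%s\n' '-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP'
    printf '%s\n' 'COMMIT'
}

# lockout_guard < RULESET -> exit 0 if the ruleset cannot lock out SSH:
# either the INPUT policy is not DROP, or some INPUT rule accepts tcp/22.
lockout_guard() {
    ruleset=$(cat)
    if ! printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        return 0
    fi
    printf '%s\n' "$ruleset" | grep -q '^-A INPUT .*-p tcp --dport 22 .*-j ACCEPT$'
}

# count_service_rules < RULESET -> number of per-service INPUT rules
count_service_rules() {
    grep -c '^-A INPUT -p [a-z]* --dport [0-9]* ' || true
}

# Usage with constructed sample values (the services are assumed, not the
# article's): generate the file, check it, then load it with iptables-restore.
if [ "${1:-}" = demo ]; then
    build_filter_rules 192.168.0.3 "80/tcp 25/tcp 53/tcp 53/udp" > /tmp/rules.v4
    lockout_guard < /tmp/rules.v4 && echo "ruleset keeps SSH reachable"
    # iptables-restore --test /tmp/rules.v4   # parse only, commit nothing
    # iptables-restore /tmp/rules.v4          # apply atomically
fi
```

On the article's CentOS-style system the generated content is exactly the format of /etc/sysconfig/iptables, so it can be written there and applied with service iptables restart; iptables-restore --test parses the file without committing it, which is worth running before touching a remote machine.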

Second, configure a firewall for the NAT table

1. Check the NAT settings on this machine.

The code is as follows:

[root@tp rc.d]# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

My NAT is already configured (it only provides the simplest proxy access and has no firewall rules yet). See my other article on how to configure NAT.

Of course, if you have not configured NAT, you do not need to clear the rules, because the NAT table is empty by default.

If you do want to clear it, the commands are:

The code is as follows:

[root@tp]# iptables -F -t nat

[root@tp]# iptables -X -t nat

[root@tp]# iptables -Z -t nat

2. Add rules

Add the basic NAT address translation (see my other article on how to configure NAT).

When adding rules we only add DROP rules, because all the default policies are ACCEPT.

Prevent IP spoofing from the external network

The code is as follows:

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

If we want to block, for example, MSN, QQ or BT, we need to find the ports or IP addresses they use (personally, I don't think this is necessary).

Example:

Block all connections to 211.101.46.253

The code is as follows:

[root@tp]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP

Block the FTP port (21)

The code is as follows:

[root@tp]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

Written this way the scope is too wide; we can define it more precisely:

The code is as follows:

[root@tp]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP

This only blocks FTP connections to the address 211.101.46.253; other connections to it, such as web (port 80), still work.

Following what I wrote, all you have to do for other software such as QQ or MSN is find its IP addresses, ports and protocol.
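The three PREROUTING rules in step 2 drop packets arriving on the external interface with a private (RFC 1918) source address, 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, which should never come in from the Internet. The script below is an added example, not the article's code, showing two things a practitioner wants to see here: what those prefixes actually match (the same masked comparison iptables performs for -s NET/BITS), and the same anti-spoofing test applied to a few constructed log lines of the form "IFACE SRC". It also generates the drop rules for an external interface; unlike the article it places them in the filter table's INPUT and FORWARD chains rather than nat PREROUTING, because the nat table only evaluates the first packet of each connection while the filter table sees every packet. The interface name eth0, that placement and the sample addresses are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: the external
# interface name is passed in by the caller (eth0 below); the log lines in the
# usage are constructed, not real output.

MASK_ALL=4294967295   # 0xFFFFFFFF

# ip_to_int A.B.C.D -> the 32-bit integer value of a dotted-quad address
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 if ADDR falls inside NET/BITS
# (the masked comparison iptables performs for "-s NET/BITS")
ip_in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (MASK_ALL << (32 - bits)) & MASK_ALL ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Private ranges that must never appear as a source on the external interface.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# is_private_source ADDR -> exit 0 if ADDR is in any RFC 1918 range
is_private_source() {
    for net in $PRIVATE_NETS; do
        if ip_in_cidr "$1" "$net"; then
            return 0
        fi
    done
    return 1
}

# spoof_drop_rules IFACE -> iptables commands dropping spoofed sources on IFACE.
# Filter table: INPUT protects this host, FORWARD protects the NAT clients.
spoof_drop_rules() {
    for net in $PRIVATE_NETS; do
        printf '%s\n' "iptables -A INPUT -i $1 -s $net -j DROP"
        printf '%s\n' "iptables -A FORWARD -i $1 -s $net -j DROP"
    done
}

# flag_spoofed IFACE < LOG -> prints "spoofed SRC" for each line "IFACE SRC"
# whose interface is the external one and whose source is private.
flag_spoofed() {
    while read -r iface src; do
        if [ "$iface" = "$1" ] && is_private_source "$src"; then
            printf 'spoofed %s\n' "$src"
        fi
    done
}

# Usage with constructed sample data (not real logs): the internal interface
# eth1 legitimately carries private sources, so only eth0 lines are flagged.
if [ "${1:-}" = demo ]; then
    spoof_drop_rules eth0
    printf '%s\n' 'eth0 10.1.2.3' 'eth0 203.0.113.7' 'eth1 192.168.0.5' 'eth0 172.31.9.9' \
        | flag_spoofed eth0
fi
```

The prefix arithmetic makes the /12 boundary visible: 172.31.255.255 is inside 172.16.0.0/12 but 172.32.0.1 is not, which is the kind of detail to verify before trusting a spoofing filter.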

Finally:

Drop illegal (INVALID state) connections

The code is as follows:

[root@tp]# iptables -A INPUT -m state --state INVALID -j DROP

[root@tp]# iptables -A OUTPUT -m state --state INVALID -j DROP

[root@tp]# iptables -A FORWARD -m state --state INVALID -j DROP

Allow all established and related connections

The code is as follows:

[root@tp]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@tp]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the file /etc/sysconfig/iptables. Remember to restart the firewall after saving so that they take effect.

The code is as follows:

[root@tp ~]# service iptables restart

Don't forget to save. If you are unsure, write one rule and save once; you can save as you experiment to see whether the result meets your requirements.

I've tried all the above rules, no problem.

This is the end of the detailed steps for configuring a firewall on Linux. Thank you for reading.