Configure iptables Firewall (1)

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report


Manage iptables rules

1. Drop all inbound packets, whatever the protocol

[root@s2 ~]# iptables -P INPUT DROP

2. Allow the system administrator to reach the firewall host over SSH from the 192.168.10.100/24 network segment

[root@s2 ~]# iptables -A INPUT -p tcp --dport 22 -s 192.168.10.100/24 -j ACCEPT

iptables applies the mask and stores this source as 192.168.10.0/24, i.e. the whole segment. If you are typing these commands over SSH, add this ACCEPT rule before setting the INPUT policy to DROP in step 1, otherwise your own session is cut off together with everything else.

3. List all rules in the INPUT chain of the filter table, showing each rule's sequence number

[root@s2 ~]# iptables -L INPUT --line-numbers

4. List the rules of every chain in the filter table in detail (packet and byte counters), with addresses and ports shown numerically

[root@s2 ~]# iptables -vnL

Put -L last (or write -nvL): in iptables -Lvn the text following -L is taken as a chain name.

Chain INPUT (policy DROP 47 packets, 10544 bytes)
 pkts bytes target     prot opt in     out     source               destination
  732 51752 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 566 packets, 57384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

The counters show 47 packets already discarded by the INPUT policy and 732 accepted by the SSH rule. RH-Firewall-1-INPUT is the chain created by the Red Hat default configuration; it is empty and unreferenced here.

5. Delete the second rule in the INPUT chain of the filter table

[root@s2 ~]# iptables -D INPUT 2

6. Flush all rules from the chains of the filter, nat and mangle tables

[root@s2 ~]# iptables -F          (no -t given: the filter table is flushed by default)
[root@s2 ~]# iptables -t nat -F
[root@s2 ~]# iptables -t mangle -F

-F removes rules only; chain policies and user-defined chains are left in place.

7. Set the default policy of the FORWARD chain in the filter table to DROP

[root@s2 ~]# iptables -t filter -P FORWARD DROP

8. Set the default policy of the OUTPUT chain in the filter table to ACCEPT

[root@s2 ~]# iptables -P OUTPUT ACCEPT

9. Get help on iptables options

Help for the icmp protocol match of the iptables command:

[root@s2 ~]# iptables -p icmp -h

The same works for extension matches, e.g. iptables -m limit -h.

10. Add a user-defined chain named TCP_PACKETS to the raw table

[root@s2 ~]# iptables -t raw -N TCP_PACKETS
[root@s2 ~]# iptables -t raw -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain TCP_PACKETS (0 references)
target     prot opt source               destination

11. Delete all user-defined chains (here: of the raw table)

[root@s2 ~]# iptables -t raw -X

-X without a chain name deletes every user-defined chain that is empty and not referenced by any rule. Flush the chain (-F) and remove the jumps to it first, otherwise -X refuses to delete it.

Condition matching

1. General condition matching

Reject all ICMP packets addressed to the firewall itself

[root@s2 ~]# iptables -I INPUT -p icmp -j REJECT

2. Allow the firewall to forward every protocol except ICMP (an exclamation mark negates a condition)

[root@s2 ~]# iptables -A FORWARD ! -p icmp -j ACCEPT
[root@s2 ~]# iptables -L FORWARD

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT    !icmp --  anywhere             anywhere

The old iptables release on this host (1.3.x) wrote the negation after the option, -p ! icmp; current releases warn about that form and prefer ! -p icmp.

3. Refuse to forward packets from host 192.168.1.11, but allow packets from the 192.168.0.0/24 segment to be forwarded

[root@s2 ~]# iptables -A FORWARD -s 192.168.1.11 -j REJECT
[root@s2 ~]# iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

4. Discard packets that arrive on the public interface (eth2) but carry a source address from the private LAN segment (spoofed source addresses)

[root@s2 ~]# iptables -A INPUT -i eth2 -s 192.168.0.0/24 -j DROP

On a gateway, add the same match to the FORWARD chain as well: spoofed packets addressed to LAN hosts never pass through INPUT.

5. Block an IP segment and lift the block automatically after two hours

[root@s2 ~]# iptables -I INPUT -s 192.168.1.0/24 -j DROP
[root@s2 ~]# iptables -I FORWARD -s 192.168.1.0/24 -j DROP
[root@s2 ~]# at now + 2 hours        (schedule the unblock two hours from now)
at> iptables -D INPUT 1
at> iptables -D FORWARD 1
at> <EOT>                            (press Ctrl+D here to submit the job)
job 3 at 2010-04-25 19:52

Deleting by rule number is fragile: if any rule is inserted at the top of either chain before the job runs, position 1 is no longer the block rule and the wrong rule is removed. Deleting by specification, i.e. -D followed by the rule's own match and target (iptables -D INPUT -s 192.168.1.0/24 -j DROP), removes exactly the rule that was added, wherever it sits.

6. Allow the local machine to offer services on TCP ports 20 through 1024

[root@s2 ~]# iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
[root@s2 ~]# iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

A port range is written low:high. The replies of a local service leave with the service port as source port, so the OUTPUT rule matches on --sport; --dport 20:1024 on OUTPUT would instead allow the firewall to open connections to those ports on other hosts.

7. When used as a gateway, allow DNS requests from the 192.168.0.0/24 LAN segment to be forwarded, and their answers to come back

[root@s2 ~]# iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
[root@s2 ~]# iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT

--dport: destination port; --sport: source port

8. Deny packets from the external interface (eth2) that try to open connections to the firewall itself, but let in packets that answer TCP requests made by the firewall

[root@s2 ~]# iptables -I INPUT -i eth2 -p tcp --tcp-flags SYN,RST,ACK SYN -j REJECT
[root@s2 ~]# iptables -I INPUT -i eth2 -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT

--tcp-flags MASK COMP examines the TCP flag bits: only the bits listed in MASK are looked at, and the packet matches when, among those, exactly the bits in COMP are set. SYN,RST,ACK SYN therefore selects a pure connection request (SYN set, RST and ACK clear), which is what the --syn shorthand stands for. Both rules are inserted at position 1, so the ACCEPT ends up above the REJECT.
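How --tcp-flags decides, as an added example that is not part of the original article: the shell functions below reproduce the MASK/COMP test in plain arithmetic, using the flag bit values from the TCP header and ALL = 0x3F as iptables defines it, so a rule can be checked against sample flag combinations before it goes onto a firewall. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): the decision made by
#   iptables -p tcp --tcp-flags MASK COMP
# is  (packet_flags & MASK) == COMP.  Bits outside MASK are ignored.

# Numeric value of one flag name, as in the TCP header (ALL is iptables' 0x3F).
flag_value() {
    case "$1" in
        FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;   PSH) echo 8 ;;
        ACK) echo 16 ;;  URG) echo 32 ;;  ECE) echo 64 ;;  CWR) echo 128 ;;
        ALL) echo 63 ;;  NONE) echo 0 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_bits "SYN,ACK" -> 18 : OR together a comma-separated flag list.
flags_to_bits() {
    bits=0
    old_ifs=$IFS
    IFS=,
    for f in $1; do
        v=$(flag_value "$f") || return 1
        bits=$((bits | v))
    done
    IFS=$old_ifs
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS -> prints "match" or "no-match",
# exactly as the kernel's tcp match would decide for that packet.
tcp_flags_match() {
    mask=$(flags_to_bits "$1") || return 1
    comp=$(flags_to_bits "$2") || return 1
    pkt=$(flags_to_bits "$3") || return 1
    if [ $((pkt & mask)) -eq "$comp" ]; then
        echo match
    else
        echo no-match
    fi
}

# Rule from the article: --tcp-flags SYN,RST,ACK SYN (same as --syn)
tcp_flags_match SYN,RST,ACK SYN SYN          # match: a new connection request
tcp_flags_match SYN,RST,ACK SYN SYN,ACK      # no-match: second step of the handshake
tcp_flags_match SYN,RST,ACK SYN ACK          # no-match: data/ack of an open connection
tcp_flags_match SYN,RST,ACK SYN SYN,PSH      # match: PSH is outside the mask, so ignored
# Two classic scan signatures expressed with ALL:
tcp_flags_match ALL NONE NONE                # match: NULL scan (no flags at all)
tcp_flags_match ALL FIN,PSH,URG FIN,PSH,URG  # match: Xmas scan
```

Because the comparison is made only inside MASK, SYN,RST,ACK SYN accepts a SYN that also carries PSH or URG; to insist that no other flag is set, widen the mask to ALL SYN.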

9. Stop other hosts from pinging the firewall, but let the firewall ping other hosts (accept incoming ICMP echo replies)

[root@s2 ~]# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
[root@s2 ~]# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
[root@s2 ~]# iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

The ICMP type numbers are 8 for echo-request, 0 for echo-reply and 3 for destination-unreachable (request, reply and "target unreachable" messages respectively); --icmp-type accepts either the name or the number. Accepting destination-unreachable is not optional politeness: dropping it breaks path MTU discovery for the firewall's own connections.

10. Do not forward packets from the host with MAC address 00-50-56-C0-00-01

[root@s2 ~]# iptables -A FORWARD -m mac --mac-source 00:50:56:C0:00:01 -j DROP

-m <module> loads an extension match (here mac) whose own options follow it. A source MAC is only meaningful on the segment the packet arrived from: every router in between rewrites it, so the match identifies the last hop rather than the original sender, and it can only be used in the PREROUTING, INPUT and FORWARD chains.

11. Open TCP ports 20, 21, 25 and 110 on the firewall itself, plus the passive-mode FTP range 1250 to 1280

[root@s2 ~]# iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT

multiport takes --dports or --sports followed by a comma-separated list of up to 15 ports; a range written low:high counts as two entries.

12. Do not forward TCP packets whose source IP address lies in the range 192.168.1.20 to 192.168.1.199

[root@s2 ~]# iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.199 -j DROP

The iprange match takes --src-range or --dst-range with an arbitrary address range written low-high, which a /prefix mask cannot express.

13. Do not forward non-SYN packets that belong to no existing TCP connection (for example malicious packets injected into the network)

[root@s2 ~]# iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

The state match checks the packet's connection-tracking status. The common states are NEW (belongs to no known connection), ESTABLISHED (a reply, or part of a connection that has seen traffic in both directions) and RELATED (tied to an existing connection, such as an FTP data connection).

14. Deny new connections to the firewall, but allow packets that are replies to, or related to, existing connections

[root@s2 ~]# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule only achieves the task if the INPUT policy is DROP (or a later rule drops the rest): on its own it accepts reply traffic and says nothing about NEW packets.

15. Firewall policy for a server: open only the local web service (port 80) and FTP service (ports 20, 21 and 20450 to 20480), let in reply packets that external hosts send to other ports of the server, and discard all other inbound packets

[root@s2 ~]# iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
[root@s2 ~]# iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
[root@s2 ~]# iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
[root@s2 ~]# iptables -P INPUT DROP        (set the default policy to DROP)

Because every rule is inserted with -I, the ESTABLISHED rule ends up first, which is the usual order: reply traffic is handled by the cheap state check before the port lists are consulted.

Packet control

1. Log attempts to reach the firewall host over SSH, then refuse them

[root@s2 ~]# iptables -I INPUT -p tcp --dport 22 -j DROP
[root@s2 ~]# iptables -I INPUT -p tcp --dport 22 -j LOG

LOG is a non-terminating target: it writes the packet headers through the kernel log (on this system into /var/log/messages) and the packet continues to the next rule. The second -I places the LOG rule above the DROP rule, so a packet is logged first and dropped afterwards; in the opposite order nothing would ever be logged. Adding --log-prefix "text" to the LOG rule makes its lines easy to find later.

2. To keep the log from filling up, LOG is usually combined with the limit extension match (-m limit). The rule below limits log entries to an average of three per minute, with a burst of up to eight:

[root@s2 ~]# iptables -R INPUT 1 -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 8 -j LOG

-R replaces the rule at the given position (rule 1, the LOG rule inserted above) instead of adding another one.
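Reading what the LOG rule produces, as an added example that is not from the original article: the log lines below are constructed to look like the kernel's LOG output for a rule given --log-prefix "SSH-DROP: " (the prefix, the hostname and all addresses are assumptions), and the functions count SYN packets to port 22 per source address, so the busiest probes of the SSH port can be listed from /var/log/messages. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise LOG-target lines.
# The sample is constructed; the field names (IN= SRC= DST= PROTO= DPT= and the
# flag words SYN/ACK) are the ones the LOG target really writes.
SAMPLE_LOG='Apr 25 19:40:01 s2 kernel: SSH-DROP: IN=eth2 OUT= SRC=201.12.13.14 DST=214.16.18.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 19:40:02 s2 kernel: SSH-DROP: IN=eth2 OUT= SRC=201.12.13.14 DST=214.16.18.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 19:40:05 s2 kernel: SSH-DROP: IN=eth2 OUT= SRC=10.9.8.7 DST=214.16.18.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 25 19:40:06 s2 kernel: SSH-DROP: IN=eth2 OUT= SRC=10.9.8.7 DST=214.16.18.20 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Apr 25 19:40:09 s2 kernel: SSH-DROP: IN=eth2 OUT= SRC=201.12.13.14 DST=214.16.18.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 25 19:40:10 s2 kernel: IN=eth2 OUT= SRC=10.9.8.7 DST=214.16.18.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=6 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0'

# ssh_syn_by_source [PREFIX]: read log lines on stdin and print "count source"
# for TCP SYN packets to port 22 that carry the given log prefix, busiest first.
# Only SYNs are counted: they are connection attempts, ACKs are stray segments.
ssh_syn_by_source() {
    prefix=${1:-SSH-DROP:}
    awk -v pfx="$prefix" '
        index($0, pfx) == 0 { next }                     # only lines from our LOG rule
        / PROTO=TCP / && / DPT=22 / && / SYN / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# top_source [PREFIX]: the address with the most attempts.
top_source() {
    ssh_syn_by_source "$1" | head -n 1 | awk '{ print $2 }'
}

# count_for ADDRESS [PREFIX]: attempts from one address, 0 if it never appears.
count_for() {
    c=$(ssh_syn_by_source "$2" | awk -v s="$1" '$2 == s { print $1 }')
    echo "${c:-0}"
}

# On a real host: grep 'SSH-DROP:' /var/log/messages | ssh_syn_by_source
printf '%s\n' "$SAMPLE_LOG" | ssh_syn_by_source
```

The prefix filter is what makes this reliable: without --log-prefix every LOG rule on the host writes the same field layout, and a count of "DPT=22" lines would mix the SSH rule with anything else that logs port 22.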

3. Create a chain MyLAN1 and hand every packet forwarded from or to the 192.168.1.0/24 segment to the rules in that chain

[root@s2 ~]# iptables -t filter -N MyLAN1
[root@s2 ~]# iptables -A FORWARD -s 192.168.1.0/24 -j MyLAN1
[root@s2 ~]# iptables -A FORWARD -d 192.168.1.0/24 -j MyLAN1
[root@s2 ~]# iptables -A MyLAN1 -p icmp -j DROP

A packet that reaches the end of a user-defined chain without matching returns to the rule after the jump in FORWARD, so MyLAN1 can hold the LAN-specific rules while the general ones stay in FORWARD.

SNAT (source network address translation) rewrites the source IP address of a packet.

DNAT (destination network address translation) rewrites the destination IP address of a packet.

Use firewall scripts

1. Run iptables-save on its own and the current rule set is printed to the terminal

[root@s2 ~]# iptables-save
# Generated by iptables-save v1.3.5 on Sun Apr 25 19:41:15 2010
*filter
:INPUT DROP [456:29475]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1855:180828]
:MyLAN1 - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m limit --limit 3/min --limit-burst 8 -j LOG
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j MyLAN1
-A FORWARD -d 192.168.1.0/255.255.255.0 -j MyLAN1
-A MyLAN1 -p icmp -j DROP
COMMIT
# Completed on Sun Apr 25 19:41:15 2010

Each table begins with *name, followed by one :CHAIN POLICY [packets:bytes] line per chain (user-defined chains have the policy "-"), then the rules in iptables command syntax, then COMMIT.

2. Save the tuned rules to the configuration file so that the iptables service loads them automatically

[root@s2 ~]# iptables-save > /etc/sysconfig/iptables
[root@s2 ~]# service iptables restart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_ns [  OK  ]
[root@s2 ~]# chkconfig --level 35 iptables on

3. Load rules from a saved rule file

[root@s2 ~]# iptables-restore < /etc/sysconfig/iptables

iptables-restore replaces each table listed in the file in one atomic operation, so there is no moment during a reload when the host runs with half a rule set. iptables-restore -n (--noflush) adds the file's rules without flushing the existing ones.

Write firewall scripts

1. Define the firewall host's IP address, network interfaces and LAN address as variables at the top of the script file

#!/bin/bash
INET_IP="214.16.18.20"
INET_IF="eth2"
LAN_IP="192.168.0.1"
LAN_IF="eth0"

2. Preload the kernel modules that iptables needs in the script file

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_raw
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_iprange
/sbin/modprobe xt_tcpudp
/sbin/modprobe xt_state
/sbin/modprobe xt_multiport
/sbin/modprobe xt_mac
/sbin/modprobe xt_limit
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

These are the module names of the 2.6.18-era kernel this was written on. On later kernels the connection-tracking modules are called nf_conntrack, nf_conntrack_ftp, nf_conntrack_irc, nf_nat_ftp and nf_nat_irc, and the kernel loads matches and targets on demand when a rule uses them, so explicit modprobe lines are mainly needed for the protocol helpers (ftp, irc) that no rule references directly.

3. Enable IP forwarding

Turn on routing/forwarding on the firewall host from the script file:

[root@s2 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@s2 ~]# cat /proc/sys/net/ipv4/ip_forward
1

To keep the setting across reboots, set it in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

4. Reset the rule set before loading your own rules

Flush all rules, delete the user-defined chains and restore the filter table's default policies to ACCEPT. Flush (-F) before delete (-X): -X cannot remove a chain that still contains rules.

/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -t raw -F
/sbin/iptables -X
/sbin/iptables -t nat -X
/sbin/iptables -t mangle -X
/sbin/iptables -t raw -X
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

The policy option is the upper-case -P; lower-case -p is the protocol match. Between this reset and the rules that follow it the host briefly accepts everything, which is one reason to prefer loading a complete rule file with iptables-restore.

Lab exercise

Write an iptables script that filters by IP address and port

1. Set the default policy of the INPUT and FORWARD chains of the filter table to DROP

[root@s2 ~]# iptables -P INPUT DROP
[root@s2 ~]# iptables -P FORWARD DROP

2. Access rules

(1) Allow access to port 22 of the gateway server from the Internet address range 201.12.13.14/24, and log the attempts at a rate of at most 15 entries per minute

[root@s2 ~]# iptables -A INPUT -p tcp --dport 22 -s 201.12.13.14/24 -j ACCEPT
[root@s2 ~]# iptables -I INPUT -p tcp --dport 22 -m limit --limit 15/minute -j LOG

(2) Allow the private-network host 192.168.1.5 to access port 22 of the gateway

[root@s2 ~]# iptables -A INPUT -p tcp --dport 22 -s 192.168.1.5/24 -j ACCEPT

With the /24 mask iptables stores this as 192.168.1.0/24, the whole segment, which is what the script below uses. To admit only that one host, write -s 192.168.1.5 without a mask.

(3) Allow the host with MAC address 00:0C:27:30:4E:5D to access port 22 of the gateway

[root@s2 ~]# iptables -A INPUT -p tcp --dport 22 -m mac --mac-source 00:0C:27:30:4E:5D -j ACCEPT

(4) Allow only LAN hosts (LAN1: 192.168.1.0/24) to use the proxy service on port 3128

[root@s2 ~]# iptables -A INPUT -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT

(5) Allow LAN hosts to reach the DNS servers on 192.168.2.2/24

[root@s2 ~]# iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.2/24 -p udp --dport 53 -j ACCEPT
[root@s2 ~]# iptables -A FORWARD -s 192.168.2.2/24 -d 192.168.1.0/24 -p udp --sport 53 -j ACCEPT

The answer travels from the server's port 53 back to the client's ephemeral port, so the return rule matches --sport 53. 192.168.2.2/24 means the whole 192.168.2.0/24 segment; drop the mask to allow the single server only. With connection tracking, one -m state --state ESTABLISHED,RELATED rule in FORWARD covers the return direction for every such service.

3. Enable routing/forwarding

In /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Reload the settings from /etc/sysctl.conf:

[root@s2 ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

rp_filter = 1 (reverse-path filtering) and accept_source_route = 0 are worth keeping on a gateway: the first drops packets whose source address would not be routed back out through the interface they arrived on, the second discards source-routed packets.

4. Write the script

#!/bin/bash
# lab values
net_ip="201.12.13.1/24"          # public address of the gateway
inet_if="eth0"                   # public interface
inet2_ip="192.168.2.1"           # gateway address on the DNS segment
inet2_if="eth2"
yuan_ip="201.12.13.14/24"        # remote administrator's network
lan_ip="192.168.1.0/24"          # LAN1
lan_mac="00:0C:27:30:4E:5D"      # LAN host allowed to use SSH
dns="192.168.2.2/24"             # DNS server segment

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_raw
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_iprange
/sbin/modprobe xt_tcpudp
/sbin/modprobe xt_state
/sbin/modprobe xt_multiport
/sbin/modprobe xt_mac
/sbin/modprobe xt_limit
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -s $yuan_ip -j ACCEPT
/sbin/iptables -I INPUT -p tcp --dport 22 -m limit --limit 15/minute -j LOG
/sbin/iptables -A INPUT -p tcp --dport 22 -s $lan_ip -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -m mac --mac-source $lan_mac -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3128 -s $lan_ip -j ACCEPT
/sbin/iptables -A FORWARD -s $lan_ip -d $dns -p udp --dport 53 -j ACCEPT
/sbin/iptables -A FORWARD -s $dns -d $lan_ip -p udp --sport 53 -j ACCEPT

Shell variable names are case-sensitive, so the definitions must use the same lower-case names that the rules expand. The script sets the DROP policies before it adds the SSH rules: run it from the console, or move the ACCEPT rules ahead of the -P lines when running it over SSH.
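The same rule set as an iptables-restore file, as an added example that is neither the article's script nor a finished production policy: it covers the lab exercise above and the iptables-save/iptables-restore material in the "Use firewall scripts" section. Addresses, interfaces and the MAC come from the exercise (with 201.12.13.14/24 written as the 201.12.13.0/24 that iptables stores, and the DNS server as a single host); the SSH_IN chain, the log prefix, the loopback and ESTABLISHED rules, the check function and all function names are my additions. Loading the file with iptables-restore swaps the whole filter table in one step, so there is no window in which the policy is DROP but the SSH rule is absent.

```shell
#!/bin/sh
# Added example (not the article's script): build the lab rule set as an
# iptables-restore file, validate it, and only then load it atomically.
yuan_ip="201.12.13.0/24"        # remote admin network (exercise value, masked)
lan_ip="192.168.1.0/24"         # LAN1
lan_mac="00:0C:27:30:4E:5D"     # LAN host allowed to use SSH
dns="192.168.2.2"               # DNS server (single host; assumption)

# gen_ruleset: print the filter table in iptables-save format on stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH_IN
-A INPUT -p tcp -s $lan_ip --dport 3128 -j ACCEPT
-A SSH_IN -s $yuan_ip -j ACCEPT
-A SSH_IN -s $lan_ip -j ACCEPT
-A SSH_IN -m mac --mac-source $lan_mac -j ACCEPT
-A SSH_IN -m limit --limit 15/minute --limit-burst 5 -j LOG --log-prefix "SSH-DROP: "
-A SSH_IN -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan_ip -d $dns -p udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# check_ruleset: read a restore file on stdin. Verify it opens with *filter,
# ends with COMMIT, and that every -A appends to, or -j jumps to, a declared
# chain (a typo in a chain name is the usual reason iptables-restore rejects a
# file). Prints "ok" or the first problem found; exit status 1 on a problem.
check_ruleset() {
    awk '
        NR == 1 && $0 != "*filter" { print "first line must be *filter"; bad = 1; exit 1 }
        /^:/ { sub(/^:/, "", $1); chains[$1] = 1; next }
        /^-A / {
            if (!($2 in chains)) { print "rule appends to undeclared chain " $2; bad = 1; exit 1 }
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && $(i+1) !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/ && !($(i+1) in chains)) {
                    print "rule jumps to undeclared chain " $(i+1); bad = 1; exit 1
                }
            next
        }
        { last = $0 }
        END {
            if (bad) exit 1
            if (last != "COMMIT") { print "missing COMMIT"; exit 1 }
            print "ok"
        }
    '
}

# apply_ruleset: validate, then load in one atomic operation (needs root and
# iptables on the host; not exercised here).
apply_ruleset() {
    f=$(mktemp) || return 1
    gen_ruleset > "$f"
    if check_ruleset < "$f" > /dev/null; then
        iptables-restore < "$f"
    else
        echo "ruleset rejected, nothing changed" >&2
        rm -f "$f"
        return 1
    fi
    rm -f "$f"
}

gen_ruleset
gen_ruleset | check_ruleset
```

Compared with the command-by-command script, the ESTABLISHED,RELATED rule is deliberately first in both chains so that replies (including the DNS answers) are accepted by connection tracking instead of a hand-written --sport rule, and everything about port 22 lives in one chain that ends in LOG then DROP, so the log shows only the attempts that were actually refused.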
