
Detailed steps for Linux to set up an iptables firewall

2025-01-17 Update. From: SLTechnology News&Howtos > Servers


Shulou(Shulou.com)06/01 Report--

This article introduces the detailed steps of setting up an iptables firewall on Linux. In practice many people run into trouble here, so let the editor walk you through how to handle these situations. I hope you read it carefully and get something out of it!

Let's start with a brief introduction to what iptables is:

iptables is the firewall built into the Linux kernel (the user-space front end to the kernel's netfilter framework). It lets administrators filter and NAT packets by setting up tables, chains and the rules within them. iptables is built into CentOS 6 and other Linux distributions, and the iptables service is enabled by default. iptables applies to IPv4; if you want to filter IPv6, you need ip6tables.

The command format of iptables:

The code is as follows:

iptables [-t table] command [chain] [rules] [-j target]

[-t table]: which table to use. There are three options: filter, nat and mangle. If none is specified, the filter table is used by default. For the firewall configuration of a single server, the filter table is generally all you need. The filter table contains three chains: INPUT, OUTPUT and FORWARD.

command indicates what iptables should do, for example:

-A (--append): appends a rule to the end of the chain.

-D (--delete): deletes a rule.

-F (--flush): if a chain is specified, deletes all rules in that chain; if no chain is specified, deletes all rules in all chains.

target: the action taken when a packet matches the rule. Targets include the following:

ACCEPT: accepts the packet (allowing it to continue to its destination) and stops traversing the chain.

DROP: discards the packet.

In addition there are REJECT, RETURN, LOG, REDIRECT, MARK, MIRROR, MASQUERADE and so on.

The detailed syntax and concepts of iptables will not be covered further here; please refer to the official documentation and the iptables man page.

To put it simply, an iptables firewall is made up of a series of rules. Each incoming request is compared with these rules in turn. If it matches a rule, the request is either accepted (ACCEPT) or dropped (DROP) as that rule specifies, and no later rules are consulted. If it matches none of the rules, the default policy of the chain is applied.

Before you start the operation:

Note: be sure to take a snapshot backup of your server on DigitalOcean, Linode or Alibaba Cloud first. Otherwise, if there is something wrong with your iptables configuration, you are very likely to lock yourself out and will no longer be able to connect to the server. When this happens there is little to do but reinstall the system. (DigitalOcean provides a web console, which sometimes gives you a chance to go back and erase the iptables settings, but Aliyun does not.)

Decide which ports need to be open

First of all, port 22 for SSH naturally needs to be open; otherwise we will not be able to log in to the server.

Generally speaking, a CentOS VPS is often used as a web server, FTP server, mail server and so on, built with LAMP.

For web service, port 80 is required, and port 443 is required for HTTPS/SSL.

For mail services, because the SMTP, POP3 and IMAP protocols are involved, the ports that need to be opened are as follows:

SMTP: 25
Secure SMTP: 465
POP3: 110
Secure POP3: 995
IMAP: 143
IMAP over SSL: 993

For FTP services, two ports need to be opened.

Step 1: block the most common attacks

By default, the iptables configuration on CentOS allows any traffic through.

We first need to clear all existing rules:

The code is as follows:

iptables -F

Then we add rules to prevent simple scans and attacks.

The code is as follows:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP   # NONE packets (no flag bits set) are mainly scan packets

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP   # drop new connections that do not start with SYN (syn-flood protection; this line was garbled in the source and is reconstructed)

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP   # ALL packets (all flag bits set) are also network scan packets

For SYN flood attacks, please refer to Wikipedia's explanation.

Step 2: open the corresponding port for the corresponding service

First of all, we should accept any request from localhost; otherwise, for example, local database connections will not work.

The code is as follows:

iptables -A INPUT -i lo -j ACCEPT

Different ports need to be opened for different services

The code is as follows:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH

iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # HTTP

iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # HTTPS

iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # SMTP

iptables -A INPUT -p tcp --dport 465 -j ACCEPT   # Secure SMTP

iptables -A INPUT -p tcp --dport 110 -j ACCEPT   # POP3

iptables -A INPUT -p tcp --dport 995 -j ACCEPT   # Secure POP3

iptables -A INPUT -p tcp --dport 143 -j ACCEPT   # IMAP

iptables -A INPUT -p tcp --dport 993 -j ACCEPT   # Secure IMAP

Step 3: add general rules

First of all, all connections initiated from the server itself should be allowed, and the response data they return must be allowed in. For example, a yum update started on the VPS must be able to receive the update data from outside. (-I inserts the rule at the head of the INPUT chain, so it is matched before the rules added in Steps 1 and 2.)

The code is as follows:

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Finally, set the default policies: drop any incoming request that matches no rule, and allow all requests going out from the server.

The code is as follows:

iptables -P OUTPUT ACCEPT

iptables -P INPUT DROP

At this point, the rules are set.

Step 4: save the settings

First of all, use the following command to see if our settings are correct!

The code is as follows:

iptables -L -n

After confirming that there is no problem, execute the following command

The code is as follows:

service iptables save

After executing the above command, the rules are written to the file /etc/sysconfig/iptables, which you can inspect.

Final execution

The code is as follows:

service iptables restart

Restarting the iptables service makes the above settings take effect.
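The four steps above can be turned into one file that is checked before it is applied. The script below is an added example, not the article's own script: it emits the same rules in iptables-restore format (so the default policies and the rules are loaded in one atomic step, with no window in which the INPUT policy is DROP while the accept rules are still being added), checks the invariants that prevent a lock-out (loopback accepted, ESTABLISHED,RELATED accepted before any DROP rule, and the SSH port accepted while the INPUT policy is DROP), and then, when run as root with iptables installed, validates the text with `iptables-restore --test` without touching the live rules. The port list, the rate-limited echo-request rule and the DROP policy for FORWARD are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own script): generate the ruleset in
# iptables-restore format, check it cannot lock the administrator out, then
# dry-run it with `iptables-restore --test`. The port list, the ICMP rate
# limit and FORWARD DROP are assumptions of this example.

# build_ruleset SSH_PORT [TCP_PORT ...]  -> prints the *filter table
build_ruleset() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter'
    # Default policies go in the chain headers, so they are applied together
    # with the rules when the file is loaded (FORWARD DROP is this example's
    # choice; the article leaves FORWARD alone on a single host).
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to our own connections come first (yum, DNS, DB)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Scan and syn-flood drops from Step 1
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    printf '%s\n' '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    # Rate-limited echo-request instead of dropping ICMP outright, plus the
    # control/error types the article's script allows
    printf '%s\n' '-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/second -j ACCEPT'
    for t in 0 3 4 11 12 14 16 18; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    # SSH first, then the service ports handed in on the command line
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset RULESET SSH_PORT -> returns 0 when the lock-out invariants hold
check_ruleset() {
    rules="$1"; ssh_port="$2"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT -p tcp --dport $ssh_port -j ACCEPT$" || return 1
    # ESTABLISHED,RELATED must precede the first DROP rule in INPUT, or the
    # scan filters would also catch packets of the session you are logged in on
    est=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED,RELATED -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT .* -j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] || return 1
    [ -z "$drop" ] || [ "$est" -lt "$drop" ] || return 1
    return 0
}

# test_load RULESET -> parses the ruleset with iptables-restore --test,
# which does not commit anything (needs root and iptables-restore on PATH)
test_load() {
    command -v iptables-restore >/dev/null 2>&1 || { echo 'iptables-restore not found, skipping dry run' >&2; return 2; }
    printf '%s\n' "$1" | iptables-restore --test
}

# Usage (constructed): SSH on 22, HTTP and HTTPS open
RULESET=$(build_ruleset 22 80 443)
if check_ruleset "$RULESET" 22; then
    printf '%s\n' "$RULESET"
    if [ "$(id -u)" -eq 0 ]; then
        test_load "$RULESET" || echo 'dry run did not pass, not applying' >&2
    fi
else
    echo 'ruleset fails the lock-out checks, not applying' >&2
fi
```

Once `check_ruleset` and the dry run pass, the printed text can be written to /etc/sysconfig/iptables (the file `service iptables save` writes) or loaded with `iptables-restore` from a file. Loading the whole table at once also sidesteps a weakness of scripts that begin with `iptables -F`: if the INPUT policy is already DROP from a previous run, the flush leaves a window in which even the packets of your current SSH session hit the DROP policy, and a script that dies between the flush and re-adding the ESTABLISHED rule locks you out.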

The best way:

To make my own iptables settings easier to modify and maintain, I usually write all of them into a separate script and test it, then save them to the iptables configuration file.

The following is my own iptables script, ~/script/firewall.sh:

The code is as follows:

#!/bin/bash

# A simple iptables firewall configuration

PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH

# flush/erase original rules
iptables -F   # clears all established rules
iptables -X   # clears user-defined chains
iptables -Z   # resets all chain packet and byte counters to zero

# Accept localhost connections, no matter what they are
iptables -A INPUT -i lo -j ACCEPT

# Accept any response packet for a connection initiated from inside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# block most common network attacks (recon packets and syn-flood attack)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# drop new connections that do not start with SYN (syn-flood protection; this line was garbled in the source and is reconstructed)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# open ports for different services
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # HTTP
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # HTTPS
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT    # SMTP
# iptables -A INPUT -p tcp --dport 465 -j ACCEPT   # Secure SMTP
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT   # POP3
# iptables -A INPUT -p tcp --dport 995 -j ACCEPT   # Secure POP3

# ICMP configuration
# To prevent ICMP DDoS, we do not allow ICMP type 8 (echo-request), or we limit it to 2/second
# some ICMP requests are allowed.
icmp_type="0 3 4 11 12 14 16 18"
for ticmp in $icmp_type
do
    iptables -A INPUT -p icmp --icmp-type $ticmp -j ACCEPT
done
# iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

# save to /etc/sysconfig/iptables
/etc/init.d/iptables save

You can modify it according to your needs.

This is the end of "Detailed steps for Linux to set up an iptables firewall". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will publish more high-quality practical articles for you!
