
Detailed explanation of IPTABLES configuration under linux

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article is a detailed explanation of configuring IPTABLES under Linux. The method described here is simple, fast and practical, so follow along to learn how to configure iptables step by step.

Start configuration

Let's configure a firewall for the filter table.

(1) Check the current IPTABLES settings on this machine.

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

As you can see, when I installed Linux I chose to enable the firewall, and ports 22, 80 and 25 were opened.

If you did not choose to enable the firewall when installing Linux, the output looks like this:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There are no rules.

(2) Clear the existing rules.

Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all current filter rules.

[root@tp ~]# iptables -F      # flush the rules of every chain in the default table (filter)
[root@tp ~]# iptables -X      # delete the user-defined chains in the default table (filter)

Let's take a look.

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There's nothing left, just as if we had not enabled the firewall when installing Linux. (By the way, these settings are like configuring an IP address from the command line: they are lost on restart.) How to save them:

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing so that they take effect.

[root@tp ~]# service iptables restart

Now there is nothing in the IPTABLES configuration table, so let's start our configuration.

(3) Set the default policies

[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP

This means that for the INPUT and FORWARD chains of the filter table, a packet that matches none of the rules in the chain is handled by the default policy, which is DROP. This configuration is quite safe: we want to control which packets come in.

For the OUTPUT chain we do not impose many restrictions on outgoing packets, so its policy is ACCEPT: a packet that matches no rule is allowed through.

So in the INPUT and FORWARD chains the rules say which packets are allowed, and in the OUTPUT chain the rules say which packets are not allowed.

This setup is quite reasonable. Of course, you can set all three chains to DROP, but I don't think it is necessary, and the number of rules to write increases. But if you only need a limited number of rules, for example on a machine that is only a web server, it is recommended to set all three chains to DROP.

Note: if you are logged in remotely over SSH, you will be cut off as soon as you enter the first command, because no rules have been set yet.

What to do? Work from the local console!

(4) Add rules.

First the INPUT chain. The default policy of the INPUT chain is DROP, so we write the rules that need ACCEPT (pass).

To be able to log in over SSH, we need to open port 22.

[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(Note: if you set OUTPUT to DROP, you must also write the second rule. Many people forget it and then can never SSH in. Try the remote login again; does it work now?

The same applies to other ports. If you run a web server and OUTPUT is set to DROP, you also need to add:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT)

If you run a WEB server, open port 80.

[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If you run a mail server, open ports 25 and 110.

[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If you run an FTP server, open port 21.

[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

If you run a DNS server, open port 53.

[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

If you run other servers, just write a rule for whichever port you need to open.

What is written above is mainly the INPUT chain; anything not matched by the rules above is DROPped.

Allow ICMP packets through, that is, allow ping:

[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if OUTPUT is set to DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (if INPUT is set to DROP)

Allow loopback! (Otherwise it causes problems such as DNS not shutting down normally.)

[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT     (if INPUT is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    (if OUTPUT is DROP)

Next write the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so we write the rules that need DROP.

Reduce connections on insecure ports:

[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Some Trojans scan for services on ports 31337 to 31340 (the "elite" ports in hacker slang). Since legitimate services do not use these non-standard ports to communicate, blocking them can effectively reduce the chance of potentially infected machines on your network communicating on their own with their remote control servers.

There are other ports too, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked. My list here is not complete; interested readers should consult the relevant references.

Of course, for more security you can also set the OUTPUT chain to DROP; then you need to add more rules, like the one above that allows SSH login. Just write them the same way.

Let's write a more detailed rule, one limited to a specific machine.

For example, we only allow the machine 192.168.0.3 to make SSH connections:

[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

If you want to allow or restrict a range of IP addresses, you can use 192.168.0.0/24, where 24 is the length of the subnet mask. But remember to delete the line

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

from /etc/sysconfig/iptables, because it means that every address can log in.

Or by command:

[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Then save. I'll say it again: changes made by command only take effect for the current session; if you want them to survive a restart you have to save them, that is, write them to the /etc/sysconfig/iptables file.

[root@tp ~]# /etc/rc.d/init.d/iptables save

Written as ! 192.168.0.3, the address means every IP address except 192.168.0.3.

The same applies to other regular connections.

Below is the FORWARD chain. The default policy of the FORWARD chain is DROP, so we write the rules that need ACCEPT (pass); these control the traffic being forwarded.

Enable forwarding. (When doing NAT, the default policy of FORWARD is DROP.)

[root@tp ~]# iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

Discard bad TCP packets:

[root@tp ~]# iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP

Limit the number of IP fragments to mitigate attacks, allowing 100 per second:

[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Set ICMP packet filtering to allow 1 packet per second, with a burst trigger of 10 packets:

[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

I allowed ICMP packets through above only because I limit them here.

Second, configure a firewall for the NAT table

1. Check the NAT settings on this machine.

[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

My NAT is already configured (it only provides the simplest proxy access function; no firewall rules have been added). See my other article on how to configure NAT.

Of course, if you have not configured NAT, you don't need to clear the rules, because the NAT table is empty by default.

If you do want to clear it, the commands are:

[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat

2. Add rules

Add the basic NAT address translation (see my other article on how to configure NAT).

When adding rules, we only add DROP rules, because the default policy of every chain is ACCEPT.

Prevent spoofing of private IP addresses from the external network:

[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

If we want to, for example, block MSN, QQ or BT, we need to find the ports or IP addresses they use (personally, I don't think this is necessary).

Example:

Prohibit all connections to 211.101.46.253:

[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP

Disable the FTP (21) port:

[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

Written this way the scope is too wide; we can define it more precisely:

[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP

This only blocks FTP connections to the address 211.101.46.253; other connections, such as web (port 80), still work.

Following what I wrote, all you have to do for other software such as QQ or MSN is find its IP address, port and protocol.

Finally:

Drop invalid connections:

[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP

Allow all established and related connections:

[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing so that they take effect.

[root@tp ~]# service iptables restart

Don't forget to save. If you are unsure, write one rule and save once; you can save while experimenting to see whether the result meets your requirements.
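As an added example (not code from the article), the following POSIX shell script collects the filter rules from the steps above into a single iptables-restore file and loads it atomically, so the DROP policy and the ACCEPT rules land together and a live SSH session is not cut off as described in step (3); it also checks rule order before loading. The interface name eth0, the admin network 192.168.0.0/24 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article: emit the article's filter rules as an
# iptables-restore file. iptables-restore swaps the table in atomically, so
# policy and rules land together and the current SSH session survives the
# lock-out the article warns about in step 3. Assumptions for illustration:
# eth0 is the external interface; the admin network arrives on an internal one.
SSH_ADMIN_NET="${SSH_ADMIN_NET:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
build_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: the local resolver and local services need it
-A INPUT -i lo -j ACCEPT
# replies to tracked connections; this keeps the SSH session alive
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# anti-spoofing here rather than in nat PREROUTING, which sees only the
# first packet of a connection; the filter table sees every packet
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j DROP
# new connections: SSH only from the admin network, web from anywhere
-A INPUT -p tcp --dport 22 -s $SSH_ADMIN_NET -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# ping, rate-limited as the article does on FORWARD
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
COMMIT
EOF
}
# Succeeds only if, in INPUT, the ESTABLISHED,RELATED accept precedes every
# DROP rule; a ruleset that fails this check would cut off the session.
lockout_safe() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT .*ESTABLISHED/ { seen = 1 }
        /^-A INPUT .*-j DROP/ && !seen { exit 1 }'
}
# Load the ruleset as root; afterwards "service iptables save" persists it
# to /etc/sysconfig/iptables, as the article does.
load_rules() {
    rules=$(build_filter_rules)
    lockout_safe "$rules" || { echo "refusing: DROP before ESTABLISHED" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore
}
if [ "${1:-}" = "--apply" ]; then load_rules; fi
```

Run the script without arguments to define the functions only; `./rules.sh --apply` loads the ruleset, and `build_filter_rules` alone prints it for review.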

I have tried all the above rules and there is no problem.
