Summary of the introduction to Linux iptables tutorial

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article walks through the basics of Linux iptables in the form of an introductory summary. In real operation many people run into exactly the situations below, so let the editor lead you through how to handle them. I hope you read it carefully and get something out of it!

Chains and rules

The filter table has three default chains: INPUT, OUTPUT and FORWARD. On a single server FORWARD is basically unused, so let's talk about INPUT and OUTPUT. Since other people are going to attack us, and from our server's point of view the attack is coming in, that is INPUT, right? So if you figure out the INPUT chain, you can defend against it? Something like that. So let's talk only about INPUT, as simply as possible; the key is to get the concept straight, and the other details you can look up on your own. In addition, INPUT, OUTPUT and FORWARD are all chains of rules; once you understand INPUT, the rest is not hard.

What we usually see of iptables is a set of rules, such as:

The code is as follows:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

See the word INPUT? It says this rule belongs to the INPUT chain. tcp is a protocol; websites all use tcp. --dport 80 means port 80: when someone opens your website, they need to connect to port 80 of your server, just like a printer cable connects the computer's printer port to the printer, except that a network port is virtual. The actual job is the same thing: communication. For INPUT (incoming) packets, 80 is the destination port, hence dport.

Because your website lives on your server, you need to allow others to send connection requests to port 80, so ACCEPT: accept the request and the connection. Got it now? With this one line, others can connect to your server and open the web page on it.

The -A in front means append; together with the INPUT that follows it, it adds this rule to the end of the INPUT chain. Of course, there is nothing on our INPUT chain yet, so the rule added at the end is also the first one.

You probably know the command-line convention: a "-" is followed directly by the parameter name, then a space, then the parameter's value (let's put it that way). For example, in -p tcp the -p cannot be written however you like; it is defined by the iptables program. If you write -p, the program knows a protocol name follows. If you write -A, iptables knows a chain name follows. So what do the two minus signs in --dport mean? They work the same as one minus sign, marking what follows as a parameter name, but two minus signs are followed by the full name of the parameter and one minus sign by an abbreviation, which is easier to remember and easier to type. For example, the rule above can also be written as:

The code is as follows:

iptables --append INPUT --proto tcp --dport 80 --jump ACCEPT

Of course, the science types generally don't write the full names; they mostly use a single minus sign and a one-letter abbreviation.

Dear Windows users, note that the parameter names and values here are case-sensitive. Write -p as -P and the program will not work. Also, you may notice that even the "full names" with two minus signs are not really complete. proto is obviously wrong; it should be protocol. Well, those science types were never good at language. Forgive them.

This is not enough, because there are other services on your vps. For example, you need ftp or sftp to upload files and ssh to log in to the back end; the default port for ftp is 21 and for ssh 22. Let's add them too.

The code is as follows:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

All right, you've opened all the services you are going to open, so finally add one more.

The code is as follows:

iptables -A INPUT -j DROP

That means reject every connection... How can that work? Didn't we just say 80, 21 and 22 should be allowed? It works because INPUT is a chain with a beginning and an end, processed in order. If someone connects to your port 80, the first rule says ACCEPT, come on in. The packets they send are then no longer checked against the rules below, so of course the DROP line at the end never rejects them.

Now all our rules are:

The code is as follows:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -j DROP

Translated into liberal-arts language: data sent to the three ports 80, 21 and 22 is accepted, and data sent anywhere else is rejected. Recall what I said at the beginning: these lines mean there are four rules on the INPUT chain, checked one by one in order. Once a packet matches, it leaves the chain and the rules below are no longer applied. If you put iptables -A INPUT -j DROP at the head of the chain, your vps turns to stone and can only be revived through the provider's control panel!

REJECT and DROP

The rejecting action after -j is DROP, although the literal English for "reject" would be REJECT. Yes, you can also write -j REJECT. The difference is that REJECT is more polite: it is like telling the person who wants to get at you, "Sorry, it's not convenient these days." DROP simply refuses without a word. For intruders, don't be so polite; just use DROP. If you respond, you are telling the person who wants to get at you that you are online, and even a refusal only encourages him to keep trying.

State matching

If you happily took the rules above and tried them, some of the sites on your vps have probably stopped working; iptables is not an easy lady to please. For your server to work properly, you also need to add this line before the DROP line.

The code is as follows:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-m means match, and -m state means match on the packet's state. Packets sent by users have different states: NEW, ESTABLISHED and RELATED. NEW is the opening line of the chat-up, ESTABLISHED covers the packets that follow once the chat-up has succeeded, and RELATED is a packet related to an existing connection. In short, this line means: accept packets on an already established connection, that is, the packets after the chat-up. Now our INPUT chain looks like this:

The code is as follows:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j DROP

It means that tcp packets destined for local ports 80, 21 and 22, plus established and related packets destined for any port (the fourth line), are accepted from outside, and the remaining INPUT packets are discarded.

Why should inbound data in the ESTABLISHED and RELATED states be allowed? Because your server is also a computer: it has to download things from other servers. When downloading, your server first sends a connection request (NEW) to the other server, which lets you connect. Once the connection is established (ESTABLISHED), you need to accept data from the other server, which from your server's point of view is INPUT. In other words, without the line iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT, wget and curl would not work. With this line plus the first three, other computers may connect to your ports 80, 21 and 22, and other servers may send data to you as long as your server sent the request first. In addition, these states are based on the tcp protocol (thank you, BOYPT).

-A (--append) and -I (--insert)

As I just said, -A INPUT means add a rule to the end of the existing INPUT chain, whereas -I INPUT means force a rule in at the front. If you are perverse, it is fine to write the INPUT chain backwards:

The code is as follows:

iptables -I INPUT -j DROP

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I INPUT -p tcp --dport 22 -j ACCEPT

iptables -I INPUT -p tcp --dport 21 -j ACCEPT

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

That is, each later line is inserted in front of the existing INPUT chain, and the final INPUT chain ends up the same as before.

But don't try it! You usually operate your vps remotely: the moment you type the first line on the command line, you drop yourself! You can't get any of the remaining lines in!

--insert is also useful. Say the INPUT chain above is already in effect and you want to open one more port on top of it, such as 443. Then it must be written as

The code is as follows:

iptables -I INPUT -p tcp --dport 443 -j ACCEPT

If you write -A, this rule lands after the DROP line, and data sent to 443 is killed before it ever reaches the new line.

If you don't want it at the very front, you can also write a number after INPUT to give the position. If you think of each rule as a line, you are specifying the so-called line number. Write the rule above for port 443 like this:

The code is as follows:

iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT

and it goes into the position of the third rule (that is, the third line). Type iptables -nvx -L INPUT on the command line (it shows the INPUT chain currently in effect) and you will find the new rule comes right after the port 21 line.
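The first-match ordering this article keeps returning to (the chain walked top to bottom, -A appending at the end, -I inserting at the front or at a given line number, the state rule letting replies through), as an added example that is not part of the original article: a small Python simulation of the INPUT chain. It is not iptables and touches no kernel; Rule, Chain and the packet dictionaries are my own constructions, and a packet matching no rule is accepted because the article never sets a chain policy with -P (assumption).

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Rule:
    target: str                        # -j ACCEPT / -j DROP
    proto: Optional[str] = None        # -p tcp
    dport: Optional[int] = None        # --dport 80
    states: Optional[Set[str]] = None  # -m state --state ESTABLISHED,RELATED

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.states is not None and pkt["state"] not in self.states:
            return False
        return True

class Chain:
    def __init__(self) -> None:
        self.rules: list = []
    def append(self, rule: Rule) -> None:  # iptables -A INPUT ...: goes on the end
        self.rules.append(rule)
    def insert(self, rule: Rule, pos: int = 1) -> None:  # iptables -I INPUT [pos] ...
        self.rules.insert(pos - 1, rule)  # 1-based line number; default is the front

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:  # walk the chain from the top, in order
            if rule.matches(pkt):
                return rule.target  # first match wins; rules below are never consulted
        # No rule matched: the chain policy decides; the article never sets -P, so assume ACCEPT
        return "ACCEPT"

def article_chain() -> Chain:
    """The article's final five-rule INPUT chain, added in order with -A."""
    c = Chain()
    c.append(Rule("ACCEPT", proto="tcp", dport=80))
    c.append(Rule("ACCEPT", proto="tcp", dport=21))
    c.append(Rule("ACCEPT", proto="tcp", dport=22))
    c.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    c.append(Rule("DROP"))
    return c

def reversed_insert_chain() -> Chain:
    """The same rules typed backwards with -I: each lands at the front, so the chain is identical."""
    c = Chain()
    for rule in reversed(article_chain().rules):
        c.insert(rule)
    return c
```

Appending the port 443 rule to article_chain() leaves a NEW packet to 443 at DROP, while insert(rule, 3) places it third, right after the port 21 rule, and the verdict becomes ACCEPT.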

Save the rules below to a file and run it, and your server will be much safer.

The code is as follows:

iptables --flush

iptables --delete-chain

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -j DROP

That is the end of this introductory summary of Linux iptables. Thank you for reading. If you want to learn more, follow the site, where the editor will publish more practical articles for you!
