What are the common methods of iptables in linux

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the common operations of iptables on Linux: clearing rules, setting default policies, blocking addresses, allowing inbound and outbound SSH, HTTP/HTTPS and ICMP, and rate-limiting connection attempts. Each section gives the commands together with the checks and caveats that matter when the rules are applied to a remote host.

iptables is a command-line tool; it can be thought of as a client that hands the user's security settings to the real "security framework", the kernel packet-filtering framework called netfilter. netfilter does the actual filtering in the kernel; iptables only installs, lists and deletes its rules. On recent distributions the iptables command may be the iptables-nft compatibility front end, but the commands below work the same way.

1. Clear packet counters, chains and rules

Use the following commands to empty a table. The -t option selects the table; the commonly used tables are filter (the default when -t is omitted), nat and mangle (raw and security also exist):

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z

-F flushes all rules from every chain in the table, -X deletes all user-defined chains (they must already be empty, which -F ensures), and -Z zeroes the packet and byte counters. Note that -F does not reset the default policies: if INPUT already has policy DROP, flushing removes the ACCEPT rule that lets your SSH session in and locks you out of a remote host. Set the policies back to ACCEPT first, or apply the new rule set in one transaction with iptables-restore.

2. Set the default policy

The default policy of each built-in chain is ACCEPT. To change it to DROP for the INPUT, FORWARD and OUTPUT chains:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

(The chain is named FORWARD, not FORWARDING.) Run these only after the rules that permit your own management traffic are in place, otherwise a remote session is cut off the moment INPUT becomes DROP.

When the default policy of both INPUT and OUTPUT is DROP, every service you need requires two rules: one in INPUT for the incoming direction and one in OUTPUT for the replies (or one stateful rule per chain that accepts ESTABLISHED,RELATED traffic, after which only the NEW direction needs a rule).

If you trust the local users, you can leave OUTPUT at ACCEPT, i.e. outgoing packets are not dropped by default. Then each requirement needs only an INPUT rule, because everything leaving the host is already accepted.
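The following script is an added example, not code from the original article. It combines sections 1 and 2 into one atomic step: instead of flushing and then changing policies in separate commands (with a window in which INPUT is DROP and no rule admits the operator), it writes a complete rule set in iptables-restore format, checks it with --test, and applies it with a background rollback that restores the previous rules unless the operator confirms. The management network 203.0.113.0/24, the interface name ens160 and the 60-second grace period are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): build a lockdown rule set
# and apply it atomically with iptables-restore, with an automatic rollback
# if the operator does not confirm within a time limit. Assumptions (not in
# the article): management network 203.0.113.0/24, interface ens160, 60 s
# confirmation window. Root is required only for apply_with_rollback.

# Print a complete iptables-restore file for the filter table. Policies and
# rules are committed together, so there is never a moment where INPUT is
# DROP without the rule that admits the operator's own SSH session.
base_ruleset() {
    mgmt_cidr=$1
    iface=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $iface -p tcp -s $mgmt_cidr --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
COMMIT
EOF
}

# Apply a rule set file, keeping the current rules for rollback. A background
# job restores the saved rules after $2 seconds unless the operator confirms
# by deleting the marker file (ideally from a second SSH session that proves
# the new rules still admit management traffic).
apply_with_rollback() {
    file=$1
    grace=${2:-60}
    backup=$(mktemp)
    marker=$(mktemp)
    iptables-save > "$backup" || return 1
    # --test only parses the file and builds the rule set without committing it
    iptables-restore --test < "$file" || { echo "ruleset rejected" >&2; return 1; }
    (
        sleep "$grace"
        [ -e "$marker" ] && iptables-restore < "$backup" && echo "rolled back" >&2
    ) &
    iptables-restore < "$file"
    echo "applied; run: rm $marker   within ${grace}s to keep the new rules"
}

# Usage (as root): sh lockdown.sh apply 203.0.113.0/24 ens160
if [ "${1:-}" = "apply" ]; then
    f=$(mktemp)
    base_ruleset "$2" "$3" > "$f"
    apply_with_rollback "$f" 60
fi
```

iptables-restore replaces the whole filter table in one transaction, so the -F and -P sequence of sections 1 and 2 collapses into one step with no intermediate state; the rollback job is the safety net for a typo in the management network.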

3. Block a specified IP address from entering

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
or
iptables -A INPUT -i ens160 -s "$BLOCK_THIS_IP" -j DROP
or
iptables -A INPUT -i ens160 -p tcp -s "$BLOCK_THIS_IP" -j DROP

Define a variable holding the address (or CIDR network) to block. The first rule drops all traffic from that source on any interface. The second drops traffic from that source only when it arrives on the ens160 interface. The third drops only TCP from that source on ens160. Because iptables evaluates rules in order and stops at the first match, a DROP appended with -A after an earlier ACCEPT (for example the SSH rule of section 4) never fires for that port; insert a block rule at the top with -I INPUT 1 instead.
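The following is an added example, not code from the original article. It covers the two things that go wrong with the BLOCK_THIS_IP pattern in practice: a malformed or empty variable, and a DROP that is shadowed by an earlier ACCEPT. It validates the value as an IPv4 address or network, inserts the rule idempotently (iptables -C reports whether an identical rule already exists), and checks from iptables-save output that the DROP sits before every ACCEPT in INPUT. The interface name ens160 and the sample iptables-save listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): validate the address that
# goes into BLOCK_THIS_IP, insert the DROP at the top of INPUT only if it is
# not already present, and verify from iptables-save output that no earlier
# ACCEPT shadows it. Interface ens160 and SAMPLE_SAVE are assumptions.

# Return 0 for a plain IPv4 address or IPv4/prefix, 1 otherwise. An empty or
# malformed value makes iptables fail, so refuse it before building the rule.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$1" = "$addr" ] && prefix=32             # no "/" present
    case $prefix in *[!0-9]*|'') return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in *[!0-9]*|'') return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Insert the DROP at position 1 of INPUT so it precedes every ACCEPT; skip
# if an identical rule is already installed (-C returns 0 when it exists).
block_ip() {
    iface=$1; ip=$2
    valid_ipv4_cidr "$ip" || { echo "refusing to block '$ip'" >&2; return 1; }
    iptables -C INPUT -i "$iface" -s "$ip" -j DROP 2>/dev/null && return 0
    iptables -I INPUT 1 -i "$iface" -s "$ip" -j DROP
}

# Read iptables-save text on stdin. Return 0 if the DROP for $1 in the filter
# table's INPUT chain appears and no ACCEPT is evaluated before it, else 1.
# iptables-save prints hosts as x.x.x.x/32, so pass the address in that form.
drop_precedes_accept() {
    awk -v ip="$1" '
        /^\*/ { table = $1 }                      # *filter, *nat, ...
        table == "*filter" && /^-A INPUT / {
            if (index($0, "-s " ip " ") > 0 && $0 ~ /-j DROP/) found = 1
            else if ($0 ~ /-j ACCEPT/ && !found) accept_before = 1
        }
        END { exit (found && !accept_before) ? 0 : 1 }'
}

# Constructed iptables-save listing (not captured from a real host): the
# block rule was appended after the SSH ACCEPT, so SSH from the blocked host
# still gets through.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i ens160 -s 203.0.113.7/32 -j DROP
COMMIT'

# Usage (as root): block_ip ens160 203.0.113.7; iptables-save | drop_precedes_accept 203.0.113.7/32
printf '%s\n' "$SAMPLE_SAVE" | drop_precedes_accept 203.0.113.7/32 \
    || echo "sample listing: DROP for 203.0.113.7 is shadowed by an earlier ACCEPT" >&2
```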

4. Allow external users to log in to this machine via SSH

The following rules allow all incoming SSH connections on the ens160 interface:

iptables -A INPUT -i ens160 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ens160 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

The -m state module (today an alias of -m conntrack, which spells the option --ctstate) matches on connection tracking: the INPUT rule accepts the packet that opens a new connection and all later packets of it, and the OUTPUT rule accepts only replies belonging to a connection already seen, so nothing can be initiated from port 22 outwards. The OUTPUT rule is only needed when the OUTPUT policy is DROP.

The following allows only the specified network segment to connect to the local SSH service:

iptables -A INPUT -i ens160 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ens160 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Allow the local machine to log in to a remote host using SSH

The following rules allow outgoing SSH connections, i.e. connecting from this host to an external server:

iptables -A OUTPUT -o ens160 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ens160 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Use the multiport module to allow external access to ports 80 and 443 of this machine

The multiport module reduces the number of rules you have to write. The following example allows external access to the local HTTP and HTTPS services:

iptables -A INPUT -i ens160 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ens160 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

7. Allow local access to external HTTP and HTTPS services

The following commands allow this host to reach external HTTP and HTTPS services:

iptables -A OUTPUT -o ens160 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ens160 -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow external hosts to ping this machine

The following rules allow external users to ping your server:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

9. Allow this machine to ping external hosts

The following rules allow ping from this host to any external server:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

10. Rate-limit connection attempts to mitigate DoS attacks

The following rule helps mitigate simple denial-of-service (DoS) floods against a web server:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

-m limit: use the limit module.
--limit 25/minute: the sustained rate at which the rule keeps matching, here 25 packets per minute; adjust it to your requirements.
--limit-burst 100: the initial size of the token bucket. The 25/minute rate only takes effect after 100 packets have arrived in quick succession; from then on one further packet is matched each time a token is replenished at the --limit rate.

Three caveats a practitioner should know. First, limit counts packets, not connections: as written the rule also throttles the data packets of HTTP sessions that were already accepted, so restrict it to connection attempts with --syn (or -m conntrack --ctstate NEW). Second, the rule only limits anything if packets exceeding the rate are dropped afterwards, either by an INPUT policy of DROP or by an explicit DROP rule following it; with policy ACCEPT it has no effect. Third, the bucket is shared by all sources, so a single attacker can drain it and lock out legitimate clients; per-source limiting with -m hashlimit --hashlimit-mode srcip or -m connlimit is the usual answer. None of this stops a volumetric distributed attack that saturates the link before packets reach the host.

That concludes the common uses of iptables on Linux. Thank you for reading.
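The following is an added example, not code from the original article. It models --limit and --limit-burst as a token bucket so the numbers in the rule above can be checked before deployment, and prints the corrected rule sequence (SYN-only, with a rate-limited LOG and an explicit DROP). The model uses tenths of a second and ignores the kernel's finer credit accounting; the packet arrival times are constructed inputs, and the assumption that an earlier rule already accepts ESTABLISHED,RELATED traffic is noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original article): a simplified token-bucket
# model of -m limit / --limit-burst, plus the corrected rule set for port 80.
# Times are in tenths of a second; arrival lists are constructed inputs.

# simulate_limit RATE_PER_MINUTE BURST "t1 t2 ..." (times non-decreasing).
# Prints the number of packets the rule matches. The bucket starts full with
# BURST tokens, each matched packet spends one, and one token is added every
# 600/RATE tenths of a second, never exceeding BURST.
simulate_limit() {
    rate=$1; burst=$2; times=$3
    interval=$((600 / rate))          # 25/minute -> one token every 24 tenths
    [ "$interval" -gt 0 ] || interval=1
    tokens=$burst; last=0; accepted=0
    for t in $times; do
        refill=$(( (t - last) / interval ))
        if [ "$refill" -gt 0 ]; then
            tokens=$((tokens + refill))
            last=$((last + refill * interval))
            [ "$tokens" -gt "$burst" ] && tokens=$burst
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); accepted=$((accepted + 1))
        fi
    done
    echo "$accepted"
}

# arrivals N T: N packets all arriving at time T (a burst), as a list.
arrivals() {
    n=$1; t=$2; i=0; s=''
    while [ "$i" -lt "$n" ]; do s="$s $t"; i=$((i + 1)); done
    echo "$s"
}

# Corrected rules for PORT: limit only connection attempts (--syn), log the
# overflow at a rate that cannot flood syslog, then drop it. Assumes an
# earlier rule already accepts ESTABLISHED,RELATED packets, so the data of
# accepted sessions is never counted against the limit.
ratelimit_rules() {
    port=$1; rate=$2; burst=$3
    cat <<EOF
iptables -A INPUT -p tcp --dport $port --syn -m limit --limit $rate/minute --limit-burst $burst -j ACCEPT
iptables -A INPUT -p tcp --dport $port --syn -m limit --limit 6/minute -j LOG --log-prefix "syn-limit: "
iptables -A INPUT -p tcp --dport $port --syn -j DROP
EOF
}

# Usage: a 150-packet burst at t=0 against --limit 25/minute --limit-burst 100
# matches 100 packets; 24 s later only 10 tokens have been replenished.
echo "burst of 150: $(simulate_limit 25 100 "$(arrivals 150 0)") matched"
echo "then 20 more after 24 s: $(simulate_limit 25 100 "$(arrivals 150 0) $(arrivals 20 240)") matched in total"
ratelimit_rules 80 25 100
```

The second line of output shows why the burst value matters more than the rate during an attack: once the bucket is empty, an attacker sending continuously gets the same 25 packets per minute as everyone else combined, which is the shared-bucket problem described above.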
