
The study of iptables

2025-03-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

1 Overview of Linux Firewall

Linux firewall actually refers to Netfilter/Iptables under Linux. Netfilter/Iptables is an IP packet filtering system integrated with the 2.4.x/2.6.x version of the Linux kernel.

View the Linux kernel version

The Netfilter/iptables packet filtering system can be regarded as a whole: netfilter is the implementation inside the kernel, and iptables is the user-space tool used to operate it.

Netfilter is a general architecture in the core of Linux that works in kernel space.

Netfilter supports the following ways to classify packets:

Source IP address
Destination IP address
Incoming or outgoing interface
Connection state
Protocol
Port number

It provides a series of tables; each table consists of several chains, and each chain consists of one or more rules. Together, the tables make up the packet filtering table, the set of rules the kernel uses to control packet filtering.

The essence of a chain is a filter point defined by Netfilter. A total of five filter points are defined: INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING.

The essence of Table is the division of different functions defined by Netfilter.

Filter is used to perform basic filtering.

Nat modifies the IP addresses of packets (network address translation).

Mangle is an advanced modification of a packet.

Different Table can only be used for a specific Chain.

Iptables is the tool for managing kernel packet filtering; it is used to configure the rules in the kernel's packet filtering table and runs in user space.

1.1 Application of Linux Firewall

Linux firewalls are very useful in enterprise applications, such as:

Small and medium-sized enterprises and Internet cafes use iptables as the enterprise NAT router, replacing a traditional router and saving costs.
There is generally no hardware firewall in an IDC machine room, so servers there can use the Linux firewall instead of a hardware firewall.
Iptables can be combined with squid as a transparent proxy for internal Internet access. A traditional proxy requires the proxy server to be configured in the browser, whereas the transparent proxy of iptables+squid redirects client requests to the proxy server's port; the client needs no settings and does not notice the proxy.
When iptables acts as the enterprise NAT router, its extension modules can be used to block P2P traffic and prohibit unwanted web pages.
Iptables can map public network IPs to private network IPs.
Iptables can easily mitigate lightweight DoS attacks such as ping floods and SYN floods.

In summary, there are two application modes of Iptables: host firewall and NAT router.

1.2 Basic components of iptables

1.2.1 Rules

A rule is a condition predefined by an administrator, generally of the form "if the packet header meets this condition, process the packet in this way." Rules are stored in the packet filtering table in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP and SMTP). When a packet matches a rule, iptables processes it according to the action the rule defines, such as accept, reject or drop. The main job of configuring a firewall is adding, modifying and deleting these rules.

1.2.2 chain

A chain is the path a packet travels along; each chain is really a checklist of rules, and a chain can hold one or more rules. When a packet reaches a chain, iptables starts from the first rule in the chain and checks whether the packet meets the conditions the rule defines. If so, the packet is processed as that rule specifies; otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables processes it according to the chain's predefined default policy.

Every chain has a default policy.

PREROUTING: before the packet enters the local machine and before routing. Can be used for destination address translation (DNAT).
INPUT: after the routing decision, when the destination is the local machine.
FORWARD: after the routing decision, when the destination is not the local machine. Used for forwarding data.
OUTPUT: packets generated by this machine and sent outward.
POSTROUTING: after routing, just before the packet is handed to the network interface. Used for forwarded data (SNAT, MASQUERADE).

1.2.3 Tables

Tables provides specific functions. Iptables has four tables, namely, raw table, filter table, nat table and mangle table, which are used to realize packet filtering, network address translation and packet reconstruction respectively. The rules in the table are written on the chain.

Filter table

It is mainly used for packet filtering. The table filters matching packets based on a set of rules predefined by the system administrator; for a firewall, the rules in the filter table are what actually filters traffic. Filter is the default table: if no table is specified, iptables runs all commands against the filter table. The filter table contains the INPUT, FORWARD and OUTPUT chains. The filter table can only accept or discard packets; it cannot modify them.

Nat table

Mainly used for network address translation (NAT). The table can perform one-to-one, one-to-many, many-to-many and similar NAT work (SNAT, DNAT, PNAT); iptables uses this table to provide shared Internet access. The nat table includes the PREROUTING, POSTROUTING and OUTPUT chains.

The nat rule table's two main chains are PREROUTING and POSTROUTING, and its main function is one-to-one, one-to-many, many-to-many and other address translation (SNAT, DNAT). Because of how translation works, a packet that needs destination address translation does not need source address translation, and vice versa. To keep rewriting efficient, each packet therefore passes through this table only once (only the first packet of a connection is evaluated here). If packet filtering rules are defined in this table, the same packet cannot be compared against them more than once, so this table should not be used for anything other than address translation.

Mangle table

It is mainly used to modify the properties of packets, for example the six flag bits of a TCP segment. In Linux kernels after 2.4.18, the chains contained in this table are: INPUT (processing incoming packets), FORWARD (processing forwarded packets), OUTPUT (processing locally generated packets), POSTROUTING (modifying outgoing packets) and PREROUTING (modifying incoming packets).


Raw table

Used only on PREROUTING and OUTPUT chains, the priority is highest and packets received can be processed before connection tracking. Once the user uses the RAW table, after the RAW table is processed on a chain, the NAT table and ip_conntrack processing will be skipped, that is, address translation and packet link tracking will no longer be done.

Priority between rule tables:

Raw > mangle > nat > filter

1.3 basic principles of Linux Firewall

The principle of Linux firewall is mainly the control of data packets, see the following figure (the following pictures are from the Internet): the relationship between the five chains of netfilter, that is, the flow chart of iptables packet forwarding.

(1) when the packet enters the network card, it first enters the PREROUTING (pre-routing) chain, and then does the routing to determine where the packet should be sent, local machine or other machine.

(2) if the original destination address of the packet is the local machine, the packet goes to the INPUT chain. After passing the INPUT chain, a local process receives it.

(3) when the native program sends out the data packet, the packet will pass through the OUTPUT chain and then reach the output of the POSTROUTING chain.

(4) if the original destination address of the packet is not native, it needs to be forwarded, and the kernel allows it to be forwarded. The packet goes to the FORWARD chain and then reaches the output of the POSTROUTING (routed) chain.

Netfilter uses HOOK technology to do rule checking on five chains.

1.4 iptables rule execution

When iptables executes a rule, it executes sequentially from the top to the bottom of the rule table.

If a rule does not match, the next rule is tried, one by one, down the chain.

If no rule matches at all, the default policy of the chain is applied.

If a matching rule is encountered, it is executed. What happens next depends on the action of that rule (accept, reject, log, drop, etc.). There are generally three cases:

Continue with the next rule in the current rule queue. For example, after a LOG rule in the filter queue fires, the next rule in the filter queue is still evaluated.
Abort the current rule queue and go on to the next rule queue. For example, after ACCEPT, the remaining rules in the filter queue are skipped and processing jumps to the nat queue's rules.
Abort all rule queues (for example DROP).

The advantage of this mechanism is that complex and multiple packet filtering can be carried out. In short, iptables can perform crisscross filtering (tables) instead of chain filtering (chains).
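To make the first-match semantics described above concrete without touching a real firewall, here is a small chain-walk simulator. It is an added example, not code from the original article: the rule table is a constructed toy (one line per rule, CHAIN SRC PROTO DPORT TARGET, with "any" as a wildcard; this is not iptables syntax), and the chain names SSH_CHECK and the addresses are assumptions. It shows the three cases from the list above: LOG lets the walk continue, ACCEPT/DROP/REJECT end it, and a user chain that RETURNs hands the packet back to the calling chain, which falls through to its default policy if nothing else matches.

```shell
#!/bin/sh
# Added example (not from the original article): simulate how netfilter walks
# a chain. Constructed toy rule table, not iptables syntax:
#   CHAIN SRC PROTO DPORT TARGET   ("any" matches anything)
RULES='INPUT any any any LOG
INPUT any tcp 22 SSH_CHECK
SSH_CHECK 192.168.0.3 tcp 22 ACCEPT
SSH_CHECK any any any RETURN
INPUT any tcp 22 REJECT
INPUT any tcp 80 ACCEPT'
POLICY_INPUT=DROP   # the built-in chain's default policy (iptables -P INPUT DROP)

# true when a rule field ("any" or a literal value) matches the packet field
field_matches() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# walk_chain CHAIN SRC PROTO DPORT
# Prints the verdict reached inside CHAIN, or RETURN when the chain ends (or
# hits an explicit RETURN) without deciding; the caller decides what that means.
walk_chain() {
    local chain="$1" src="$2" proto="$3" dport="$4"
    local rchain rsrc rproto rdport target sub
    while read -r rchain rsrc rproto rdport target; do
        [ "$rchain" = "$chain" ] || continue
        field_matches "$rsrc" "$src" && field_matches "$rproto" "$proto" \
            && field_matches "$rdport" "$dport" || continue
        case $target in
            ACCEPT|DROP|REJECT)          # terminating targets end the walk
                echo "$target"; return 0 ;;
            LOG)                         # non-terminating: record it, keep walking
                echo "log: $src $proto/$dport matched in $chain" >&2 ;;
            RETURN)                      # leave this chain; the caller continues
                echo RETURN; return 0 ;;
            *)                           # anything else is a jump to a user chain
                sub=$(walk_chain "$target" "$src" "$proto" "$dport")
                [ "$sub" = RETURN ] || { echo "$sub"; return 0; } ;;
        esac
    done <<EOF
$RULES
EOF
    echo RETURN                          # ran off the end of the chain
}

# verdict SRC PROTO DPORT: final decision for a packet entering INPUT; a RETURN
# from the built-in chain means "apply the default policy"
verdict() {
    local v
    v=$(walk_chain INPUT "$1" "$2" "$3")
    [ "$v" = RETURN ] && v=$POLICY_INPUT
    echo "$v"
}

# constructed sample packets: trusted SSH, untrusted SSH, web, DNS
for pkt in "192.168.0.3 tcp 22" "10.0.0.9 tcp 22" "10.0.0.9 tcp 80" "10.0.0.9 udp 53"; do
    set -- $pkt
    printf '%-12s %s/%-3s -> %s\n' "$1" "$2" "$3" "$(verdict "$1" "$2" "$3")"
done
```

Every packet is logged because the LOG rule sits first and does not terminate; the untrusted SSH packet is rejected only after SSH_CHECK returns control to INPUT, and the DNS packet, matched by no deciding rule, receives the chain policy DROP.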

1.5 status of the packet

The state of a packet varies with the protocol carried in IP, but outside the kernel, that is, in user space, there are only four states: NEW, ESTABLISHED, RELATED and INVALID. They are mainly used with the state match.

The status of the packet in user space:

NEW: the packet starts or is about to start a new connection, or belongs to a connection that has not yet been used to send and receive packets. When the host sends a connection request to a remote machine, the packet's state is NEW.
ESTABLISHED: the packet belongs to an established connection that has already been used to send and receive packets and is fully valid. Once the connection is established (after the TCP three-way handshake), data exchanged between the remote host and the local host has the state ESTABLISHED.
RELATED: a packet starting a new connection that is associated with an existing connection. Services like FTP use port 21 to send commands and port 20 (active mode) or another port (PASV mode) to transmit data. After the connection on port 21 exists, the data connection (FTP-DATA) opened on port 20 or another port has the state RELATED.
INVALID: the packet is not associated with any known stream or connection and may contain incorrect data or headers. In other words, the packet cannot be identified as belonging to any connection and has no state; packets in this state are usually discarded.

These states can be used together to match packets. This makes the firewall very strong and effective.

2 Overview of iptables actual combat

In the experiment of iptables, please try to operate in a virtual machine or a non-remote system to avoid accidental misoperation that may lead to the failure of ssh.

In general, iptables firewalls are built into CentOS 6 and other Linux versions, and iptables services are enabled by default. Iptables is applied to IPv4. If you want to use IPv6, you need to use ip6tables.

Iptables, together with ip6_tables and arp_tables, is built on the Xtables framework, which lets system administrators define "tables", "chains" and "rules" to handle packet delivery. Each table is concerned with a different kind of packet processing and determines whether a packet may traverse a chain, while a rule in a chain decides whether to send the packet to the next chain (or perform another action). This processing can be reused in nested structures. Every network packet passes through at least one chain (forwarding or local delivery) from arriving at the computer to leaving it.

Check whether iptables is installed: rpm -qa | grep iptables

If the man command is installed on the machine. Use man iptables to view the help documentation for iptables.

2.1 iptables service

2.1.1 Enable the iptables service

service iptables start
# or
/etc/init.d/iptables start

2.1.2 Disable the iptables service

service iptables stop
# or
/etc/init.d/iptables stop

2.1.3 Set whether iptables starts by default

# turn on
chkconfig iptables on
# turn off
chkconfig iptables off

2.1.4 Use setup to configure the firewall at startup

Run setup on the terminal and select firewall enter.

Press Tab to move to the Enabled item and press Space to select it. Then press Tab to move to OK and press Space or Enter to confirm. Press Tab to move to Quit and exit setup.

3 iptables command

3.1 Basic syntax of the iptables command

iptables [-t table] command [match] [target/jump]

-t table

Indicates which table to use; there are three options: filter, nat, mangle. If not specified, the filter table is used by default.

Command

Specify what iptables will do with the rules we submit. All commands need to take chain as an argument.

-P (--policy) defines the default policy.
-L (--list) lists the rules.
-A (--append) appends a rule to the end of the rule list.
-I (--insert) inserts a rule at the specified position.
-D (--delete) removes a rule from the rule list.
-R (--replace) replaces a rule in the rule list.
-F (--flush) clears the rules of the specified chain (or of all chains if none is given).
-Z (--zero) resets all counters of the specified chain (all chains if none is given) to zero.
-X (--delete-chain) deletes the specified user-defined chain.

Command option

-v, --verbose (detailed)

Commands this option applies to: --list, --append, --insert, --delete, --replace

Description: this option makes the output more detailed and is often used with --list. When used with --list, the output includes the network interface, rule options, TOS mask, and byte and packet counters, where the counters use the units K, M and G (powers of 10, not powers of 2). If -v is used with --append, --insert, --delete or --replace, iptables prints details of how the rule was interpreted, whether it was inserted correctly, and so on.

-x, --exact (exact)

Command this option applies to: --list

Description: makes the counters in the list output show exact values instead of K, M, G, etc.

-n, --numeric (numeric)

Command this option applies to: --list

Description: makes IP addresses and ports in the output appear as numbers instead of the default names, such as hostnames, network names or service names.

--line-numbers

Command this option applies to: --list

Description: shows the sequence number of each rule in its chain. Useful when inserting new rules at a position.

-c, --set-counters

Commands this option applies to: --insert, --append, --replace

Description: sets the counters when creating or changing a rule. The syntax is --set-counters 20 4000, which tells the kernel to set the packet counter to 20 and the byte counter to 4000.

--modprobe

Commands this option applies to: all

Description: this option tells iptables which program to use to probe and load the modules it needs. It is useful when the modprobe command is not in the search path: with this option iptables knows what to run when a required module is not yet loaded.

Matches matching

The match option specifies the characteristics of the packet matching the rule, including source address, destination address, transport protocol, and port number, as follows:

[-i | -o interface name]

Description:

-i, --in-interface interface name: specifies the network interface through which packets enter.

-o, --out-interface interface name: specifies the network interface through which packets leave.

[-p protocol type]

-p, --proto protocol type: specifies the protocol the packet must match, such as TCP, UDP, ICMP, etc.

[-s source IP address | source subnet]

-s, --source source address or subnet: specifies the source address the packet must match.

[--sport source port number]

--sport source port number: specifies the source port number the packet must match.

[-d destination IP address | destination subnet]

-d, --destination destination address or subnet: specifies the destination address the packet must match.

[--dport destination port number]

--dport destination port number: specifies the destination port number the packet must match.

[-m module]

-m, --match matching module: specifies the extension match module used by the rule.

Targets/Jumps

Target/jump determines where a matching packet goes; the syntax is --jump target or -j target.

Targets can be divided into two categories, target and jump.

The goal of a jump is a chain in the same table. The goal of a target is to do something specific with the packet.

A target specifies the action to take on the packet, such as DROP and ACCEPT. Different targets have different results. Some targets stop the packet from moving forward, that is, stop comparing it with the remaining rules in the current chain or in the parent chain. Other targets, such as LOG, ULOG and TOS, keep comparing the packet with further rules after acting on it: they record the packet and then let it continue to match other rules in the chain. With such targets you can change both the TTL and the TOS of the same packet. Some targets require exact parameters (such as the value TOS needs), others have optional ones that we can specify if we want (such as the prefix of a log message or the ports used for masquerading).

A brief introduction of commonly used Target

ACCEPT

When the packet meets the specified matching criteria, it is ACCEPT, allowing the packet to go to the next destination. It no longer matches other rules in the current chain or other rules in the same table, but the package also has to pass through chains in other tables and may be DROP.

DROP

When a packet exactly matches a rule with a DROP target, the packet is blocked and no further processing is done on it. The target is specified as -j DROP.

If the packet meets the criteria, this target discards it: the packet's life ends, and the effect is that the packet is blocked.

In some cases this target can cause unexpected results because it returns no message to the sender or the router, which may leave the socket on the other side of the connection waiting for a reply until it times out. A better way to solve this is the REJECT target, which returns an error message to the sender while dropping the packet, so the other side can end the connection normally. On the other hand, DROP is useful when you want to give port scanning tools as little information as possible: the scanner cannot tell whether the port is closed or filtered by a device such as a firewall. Also note that if the packet is dropped in a sub-chain, it does not continue in the main chain, whether in the current table or in other tables. In short, the packet is gone.

REJECT

REJECT is basically the same as DROP, except that it not only blocks packets, but also returns error messages to the sender. Target can only be used in INPUT, FORWARD, OUTPUT and their subchains, and chains containing REJECT can only be called by them, otherwise they won't work. It has only one option and is used to control the type of error messages returned. There are many kinds, but if you have basic knowledge of TCP/IP, it's easy to understand them.

Block the packet and send a packet back to inform the other side. There are several options for the returned packet: ICMP port-unreachable, ICMP echo-reply or tcp-reset (which asks the other side to close the connection). After this action, no further rules are compared; the filtering program is interrupted directly. Example:

iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable

RETURN

A RETURN target in a rule causes packets matching the rule to stop traversing the chain that contains the rule. If the chain is a built-in chain such as INPUT, the chain's default policy is used to process the packet. It is specified as -j RETURN.

It ends filtering in the current rule chain and returns to the calling chain to continue filtering. If a custom rule chain is viewed as a subroutine, this action is equivalent to terminating the subroutine early and returning to the main program.

REDIRECT

Redirects the packet to another port (PNAT); after this action, the remaining rules are still compared. This feature can be used to implement transparent proxies or to protect web servers.

For example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8081

LOG

Records information about the packet under /var/log. For details, refer to the /etc/syslog.conf configuration file. After this action, the remaining rules are still compared.

For example:

iptables -A INPUT -p tcp -j LOG --log-prefix "input packet"

MASQUERADE

Rewrites the source IP of the packet to the IP of the firewall; a range of source ports can be specified. After this action, processing jumps directly to the next rule chain (mangle:postrouting). This differs slightly from SNAT: when masquerading, you do not need to specify which IP to use, because the IP is read directly from the network interface. With dial-up connections the IP is usually assigned by the ISP's DHCP server, and MASQUERADE is especially useful there.

For example: iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 21000-31000

SNAT

Rewrites the source IP of the packet to a specific IP or IP range; a range of ports can also be specified. After this action, processing jumps directly to the next chain (mangle:postrouting).

For example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 192.168.10.15-192.168.10.160:2100-3200

DNAT

Rewrites the destination IP of the packet to a specific IP or IP range; a range of ports can also be specified. After this action, processing jumps directly to the next rule chain (filter:input or filter:forward).

For example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.10.1-192.168.10.10:80-100

MIRROR

Mirror the packet, that is, after swapping the source IP with the destination IP, the packet is returned. After this processing, the filter program will be interrupted.

QUEUE

Interrupts the filtering program, puts the packet into a queue and hands it to another program for processing. Self-developed programs can then implement other applications, such as calculating connection costs, and so on.

MARK

Marks the packet with a number that later rules can use as a matching condition; after this action, the remaining rules are still compared.

For example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 22

3.2 Making iptables rules permanent (saving)

As the basic service of Linux, iptables is started by default.

View the status of the iptables service

Command: service iptables status

Restart the iptables service

Command: service iptables restart

Rules added with the iptables command only take effect temporarily.

If they need to take effect permanently, save them; this writes them to the /etc/sysconfig/iptables file:

/etc/rc.d/init.d/iptables save

The iptables rules file is /etc/sysconfig/iptables.

Remember to restart the firewall after editing the file so that the changes take effect.

4 iptables configuration

4.1 Clear the original rules

Whether or not the firewall was started when Linux was installed, if you want to configure your own firewall, first clear all current filter rules.

iptables -F    # clear the rules of all chains in the default table (filter)
iptables -X    # delete the user-defined chains in the default table (filter)
iptables -Z    # reset the packet counters to zero

Example: check the iptables settings on this machine: iptables -L -n

The case of the filter table is displayed by default, so the rule situation on the INPUT,FORWARD,OUTPUT chain is shown.

Example: view the rules in the nat table: iptables -t nat -L

4.2 configure default policy

Set the default policy: close the INPUT and FORWARD chains of the filter table and open the OUTPUT chain.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

4.3 Filtering rules for IP addresses, network interfaces and protocols

Remote SSH login. Allow tcp protocol, open port 22.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

If you set OUTPUT to DROP, you need to use the following rules:

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

WEB server, open port 80

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If OUTPUT is set to DROP, you need to use the following rules, and the same goes for others.

iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

Mail server port configuration

# smtp
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
# pop3
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p udp --dport 110 -j ACCEPT
# imap
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -p udp --dport 143 -j ACCEPT
# imaps
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -p udp --dport 993 -j ACCEPT
# pop3s
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p udp --dport 995 -j ACCEPT

FTP server, open port 21

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

DNS server, open port 53

iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Allow ping, that is, allow icmp packets to pass through

iptables -A INPUT -p icmp -j ACCEPT     # if INPUT is set to DROP
iptables -A OUTPUT -p icmp -j ACCEPT    # if OUTPUT is set to DROP

Allow loopback. Systems generally need loopback traffic allowed; otherwise some services misbehave, for example DNS cannot shut down properly.

iptables -A INPUT -i lo -p all -j ACCEPT

If you set OUTPUT to DROP, you need to use the following rules:

iptables -A OUTPUT -o lo -p all -j ACCEPT

Reduce insecure port connections

iptables -A OUTPUT -p tcp --sport 31337 -j DROP
iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Some Trojans scan services on ports 31337 to 31340 (the elite port in hacker language). Since legitimate services do not use these non-standard ports to communicate, blocking these ports can effectively reduce the chances of potentially infected machines on the network communicating independently with their remote master servers.

The sshd port is 22. If the system opens port 22 to everyone, every host on the Internet can connect to the Linux machine, which is not safe. It is better to allow only a certain IP range or a specified IP, connecting from a certain range of source ports, and reject all other IPs:

iptables -A INPUT -i ppp0 -p tcp -s 222.91.99.0/28 --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j DROP

Description: 1024:65535 means the port range from 1024 to 65535, including both ends.

The above rules provide a certain degree of security. However, because unwanted packets are silently blocked, some port scanning tools will report "the computer is protected by a firewall", which itself gives information away. To mislead these tools, you can use the following rules instead:

iptables -A INPUT -i ppp0 -p tcp -s 222.91.99.0/28 --sport 1024:65535 --dport 22 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j REJECT --reject-with tcp-reset

Under such a rule, when an illegal connection to the server is made, a tcp-reset request will be issued, and the packet will ask the other party to close the connection. In this way, the server is more secure.

Only allow the machine 192.168.0.3 to make SSH connections

iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

To allow or restrict a range of IP addresses, use 192.168.0.0/24 to represent all IPs from 192.168.0.1 to 192.168.0.255.

Remember to delete this line from / etc/sysconfig/iptables.

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

This line means all addresses can be logged in.

Or by command:

iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Explanation: in 192.168.0.1/24, the /24 means the network part of the subnet mask is 24 bits long, that is 11111111.11111111.11111111.00000000 (24 ones), or 255.255.255.0 in decimal. Converting the IP 192.168.0.1 to binary gives 11000000.10101000.00000000.00000001; ANDing the IP with the subnet mask gives 11000000.10101000.00000000.00000000, which in decimal is 192.168.0.0. This is the network address the IP belongs to; in other words, 192.168.0.1 lies within the network segment 192.168.0.0/24.

Tip: ! means "not". For example, ! 192.168.0.3 matches every address except 192.168.0.3; the rest of the rule is written in the same way.

Example: a Linux system acts as the proxy server for an ADSL line, runs a WWW service at the same time, and has two network interfaces. eth0 is connected to the local area network, and ppp0 is the ADSL Internet interface. Add the following rules.

Allow all hosts on the LAN 192.168.60.0/24 to access the proxy server, except for the host 192.168.60.3:

iptables -A INPUT -i eth0 -s 192.168.60.3 -j DROP
iptables -A INPUT -i eth0 -s 192.168.60.0/24 -j ACCEPT

Note: the order of the two rules cannot be reversed.

Example: let the Linux proxy server accept all data that is not from the network interface ppp0, that is, only local area network access is allowed, and all hosts in the local area network cannot access Internet.

iptables -A INPUT ! -i ppp0 -j ACCEPT

4.4 Filtering based on the state module

Allow all established and related connections

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Drop invalid connections

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

Discard bad TCP packets

iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Limit the rate of IP fragments to mitigate attacks, allowing 100 per second

iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Set ICMP packet filtering to allow 1 packet per second and limit the trigger condition to 10 packets.

iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

4.5 Setting up the NAT table
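Before moving on to NAT, the individual commands from 4.1 to 4.4 are gathered here into one ordered host-firewall ruleset. This is an added example, not part of the original article: the script does not run iptables itself but prints the rules in iptables-restore format (the same format as /etc/sysconfig/iptables), so the ruleset can be reviewed first and then loaded as one unit. The admin network 192.168.0.0/24 and the public services 80 and 443 are assumptions for the demo; the ordering check at the end enforces the point of section 1.4, that rules are matched top to bottom, so the ESTABLISHED,RELATED rule must come before any per-service rule.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the host firewall
# of sections 4.1 to 4.4 as iptables-restore text; nothing is applied here.
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}   # assumed: only network allowed to reach SSH
TCP_SERVICES=${TCP_SERVICES:-"80 443"}   # assumed: public TCP services

# Print the complete ruleset. Order matters: loopback and established traffic
# are accepted first, invalid and non-SYN "new" packets dropped, then SSH is
# limited to ADMIN_NET with a tcp-reset for everyone else, then the public
# services, and finally a rate-limited LOG before the DROP policy applies.
host_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
EOF
    for port in $TCP_SERVICES; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Ordering check: the ESTABLISHED,RELATED accept must precede every --dport
# rule, otherwise each packet of a long-lived connection re-walks the chain
# and the per-service rules become the effective policy. Exit status 0 = ok.
established_before_services() {
    host_firewall_rules | awk '
        /--state ESTABLISHED,RELATED/ { est = NR }
        /--dport/ && !est            { bad = 1 }
        END                          { exit bad }'
}

host_firewall_rules
established_before_services && echo "# ordering check passed" >&2
```

To review without applying, pipe the output through iptables-restore --test (available on recent iptables releases); to apply, run iptables-restore as root with the output as input, or write it to /etc/sysconfig/iptables on CentOS 6 as described in 3.2. Keep an existing SSH session open while loading a DROP-policy ruleset so a mistake can still be corrected, which is also why the ESTABLISHED,RELATED rule sits near the top.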

The figure shows the principle of public network mapping:

Clear rules in the nat table

iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat

For example: redirect proxy server port 80 to port 8009. The setting rules are as follows:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8009

For example, intranet machines publish WEB websites to the outside world.

The IP address of the private network WEB server is 192.168.0.3. When the public network client accesses the server, the firewall maps the request to port 80 of 192.168.0.3.

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.3

Example: all connections to 211.101.46.253 are prohibited

iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP

Example: disable FTP port

iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

To disable only FTP connections to the address 211.101.46.253 while leaving other connections, such as web (port 80), alone:

iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
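The NAT-router role from section 1.1, with the DNAT and MASQUERADE rules of this section, combined into one ruleset. This is an added example, not from the original article. It reuses the article's layout as assumptions: eth0 is the LAN side (192.168.0.0/24), ppp0 the ADSL uplink, and 192.168.0.3 the internal web server. Nothing is applied; the rules are printed in iptables-restore format, and a cross-check verifies what the nat table alone cannot guarantee: a DNAT destination is only reachable if the FORWARD chain (policy DROP here) also accepts the translated packet.

```shell
#!/bin/sh
# Added example, not code from the original article. NAT router rules in
# iptables-restore format; interface names and addresses are assumptions.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.0.3}

nat_router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# publish the internal web server: port 80 arriving on the uplink is
# rewritten before the routing decision (that is why it lives in PREROUTING)
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# hide the LAN behind whatever address the ISP gave the uplink; MASQUERADE
# reads the address from the interface, which suits dial-up/DHCP uplinks
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# forwarded traffic is filtered in FORWARD, not INPUT: replies first,
# then LAN to uplink, then only the translated web traffic from the uplink
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Cross-check: every DNAT destination must have an accepting FORWARD rule for
# it, otherwise the FORWARD policy silently drops the translated packets.
# Exit status 0 = every DNAT target is forwarded.
dnat_targets_forwarded() {
    nat_router_rules | awk '
        /-j DNAT/ { split($NF, a, ":"); want[a[1]] = 1 }
        /^-A FORWARD/ && /-j ACCEPT/ {
            for (h in want) if (index($0, "-d " h " ")) delete want[h]
        }
        END { for (h in want) exit 1; exit 0 }'
}

nat_router_rules
dnat_targets_forwarded && echo "# every DNAT target is allowed through FORWARD" >&2
```

Forwarding must also be switched on in the kernel (sysctl -w net.ipv4.ip_forward=1) or the FORWARD chain never sees a packet; as with the host firewall, review the output and load it with iptables-restore rather than typing the rules one by one, so that the nat and filter tables change together.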
