Shulou (Shulou.com) report, SLTechnology News&Howtos > Servers. Updated 2025-02-22.
Preface
On a production VPS with a public IP address, open only the ports that are actually needed; in other words, apply an access control list (ACL) on source IP and destination port.
On Linux this is done with iptables, the user-space front end to the kernel's netfilter packet-filtering framework.
iptables organises rules into four tables, consulted in this priority order: raw (mark packets to bypass connection tracking) -> mangle (modify packet headers) -> nat (address translation) -> filter (accept or drop decisions).
Each table has a fixed set of built-in chains:
* filter: INPUT, FORWARD and OUTPUT
* nat: PREROUTING, OUTPUT and POSTROUTING (newer kernels also give nat an INPUT chain)
* mangle: all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
The three chains of the filter table:
* INPUT: packets whose destination is this host
* FORWARD: packets routed through this host (neither from it nor to it)
* OUTPUT: packets generated by this host
Some examples:
[example] drop all incoming traffic to this host's address (X.X.X.X is the VPS public IP):
iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -j DROP
[example] open port 22 for SSH, inserting the rule at the top of the chain:
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -p tcp --dport 22 -j ACCEPT
[example] open port 80:
iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -p tcp --dport 80 -j ACCEPT
[example] reject TCP traffic sent from 45.32.102.124 to 157.240.22.174:
iptables -A OUTPUT -p tcp -s 45.32.102.124 -d 157.240.22.174 -j REJECT
[example] print the rules currently in force (-n shows numeric addresses instead of resolving names):
iptables -L -n
Rules in a chain are evaluated top to bottom and the first match wins, so order matters. The SSH rule above uses -I so that it lands above the catch-all DROP; the port 80 rule uses -A and is appended after the DROP, so it is never reached and port 80 stays closed. Also note that with INPUT dropping everything else, replies to connections the host itself opens (package updates, DNS) are dropped too, unless a rule accepting ESTABLISHED,RELATED traffic is added ahead of the DROP.
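The commands above are typed one at a time, which is exactly how an administrator locks themself out: a DROP that takes effect before its ACCEPT is loaded cuts the SSH session. The script below, an added example rather than code from the article, generates the same whitelist (SSH from one management address, 80/443 from anywhere, loopback and established connections allowed, everything else logged and dropped) as an iptables-restore file so that the whole policy is parsed and applied atomically. The management address and SSH port are parameters; `iptables-restore --test` is the parse-only check available in recent iptables releases.

```shell
#!/bin/sh
# gen_vps_ruleset ADMIN_IP [SSH_PORT]
# Emit a whitelist ruleset for a public VPS in iptables-save format.
# ADMIN_IP is the only address allowed to reach SSH; the port defaults to 22.
gen_vps_ruleset() {
  admin_ip=$1
  ssh_port=${2:-22}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened come first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management address
-A INPUT -s ${admin_ip} -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# public web ports from anywhere
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# ping is useful for monitoring; rate-limit it
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# everything else is logged (rate-limited) and then hits the DROP policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-INPUT-DROP: "
COMMIT
EOF
}

# apply_ruleset ADMIN_IP [SSH_PORT]
# Parse the generated ruleset without touching the kernel, then commit it.
# Must run as root; the whole table is replaced in one step.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  gen_vps_ruleset "$@" > "$tmp"
  if iptables-restore --test "$tmp"; then
    iptables-restore "$tmp"
  fi
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Stand-alone run: print the ruleset for a placeholder management address.
gen_vps_ruleset 203.0.113.10 22
```

Review the output, then `apply_ruleset <your admin IP>` from a console or out-of-band session, not over the SSH connection you are about to restrict. The loaded rules do not survive a reboot on their own; on Debian-style systems they are persisted with `iptables-save > /etc/iptables/rules.v4` (iptables-persistent).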
Specifying a port range in iptables
iptables -I INPUT -p tcp --dport 700:800 -j DROP
iptables -I INPUT -s 11.129.35.45 -p tcp --dport 700:800 -j ACCEPT
Port range syntax:
1. 700:800 matches every port from 700 to 800 inclusive
2. :800 matches every port up to and including 800
3. 700: matches port 700 and every port above it
This pair works as a whitelist: ports 700 to 800 are reachable only from 11.129.35.45. It relies on both rules using -I (insert at the top): the ACCEPT inserted second ends up above the DROP and is evaluated first. Had both been appended with -A, the DROP would come first and the ACCEPT would never match.
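Whether an ACCEPT is reachable depends only on its position in the chain, which is easy to get wrong when rules are added one at a time. The audit below is an added example (not from the article) that reads an `iptables-save` dump and flags two things: an INPUT policy that is not DROP, and any ACCEPT rule sitting below an unrestricted DROP/REJECT for the same chain, protocol and port range, i.e. a shadowed whitelist entry. The dump embedded in the script is constructed for the example: the 700:800 pair was loaded with -I as in the text, the 9000:9100 pair with -A.

```shell
#!/bin/sh
# Constructed iptables-save dump (not from a real host).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 11.129.35.45/32 -p tcp -m tcp --dport 700:800 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 700:800 -j DROP
-A INPUT -p tcp -m tcp --dport 9000:9100 -j DROP
-A INPUT -s 11.129.35.45/32 -p tcp -m tcp --dport 9000:9100 -j ACCEPT
COMMIT'

# audit_ruleset: read an iptables-save dump on stdin, print one finding per line.
# POLICY   : the INPUT chain does not default to DROP (not a whitelist).
# SHADOWED : an ACCEPT placed after a DROP/REJECT with no -s restriction for the
#            same chain/protocol/--dport can never match.
audit_ruleset() {
  awk '
    /^:INPUT / && $2 != "DROP" {
      print "POLICY: INPUT default policy is " $2 ", not DROP"
    }
    /^-A / {
      chain = $2; src = ""; proto = ""; dport = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-s")           src    = $(i + 1)
        else if ($i == "-p")      proto  = $(i + 1)
        else if ($i == "--dport") dport  = $(i + 1)
        else if ($i == "-j")      target = $(i + 1)
      }
      key = chain SUBSEP proto SUBSEP dport
      if ((target == "DROP" || target == "REJECT") && src == "")
        blocked[key] = $0
      else if (target == "ACCEPT" && (key in blocked))
        print "SHADOWED: [" $0 "] never matches; earlier rule: [" blocked[key] "]"
    }
  '
}

# count_findings DUMP: number of findings for the dump passed as $1
count_findings() {
  printf '%s\n' "$1" | audit_ruleset | wc -l | tr -d ' '
}

# Stand-alone run against the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset
```

On a live host run `iptables-save | audit_ruleset`. The shadow check is deliberately narrow (exact protocol and port-range match); overlapping ranges such as 700:800 against 750:760 would need interval arithmetic and are not detected.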
SNAT and DNAT with iptables:
Source address translation (SNAT) is done in the nat table's POSTROUTING chain, after the routing decision:
iptables -t nat -A POSTROUTING -s <private IP> -j SNAT --to-source <public IP>
Destination address translation (DNAT) is done in the nat table's PREROUTING chain, before the routing decision:
iptables -t nat -A PREROUTING -d <public IP> -j DNAT --to-destination <private IP>
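The two one-liners above are necessary but not sufficient on a gateway: a DNATed packet is still routed through the FORWARD chain and must be accepted there, and the kernel only forwards at all when net.ipv4.ip_forward is 1. The script below is an added example (not from the article) that puts the SNAT and DNAT rules together with the matching FORWARD rules in one iptables-restore file. Interface names, the public address, the LAN prefix and the internal web host are parameters with placeholder values.

```shell
#!/bin/sh
# gen_nat_ruleset WAN_IF LAN_IF PUBLIC_IP LAN_NET WEB_HOST
# Emit a NAT gateway ruleset in iptables-save format:
#  - DNAT port 80 on the public address to WEB_HOST
#  - SNAT LAN clients to the public address on the way out
#  - FORWARD rules that actually let the translated traffic through
gen_nat_ruleset() {
  wan_if=$1; lan_if=$2; public_ip=$3; lan_net=$4; web_host=$5
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: web traffic for the public IP is rewritten to the internal server
-A PREROUTING -i ${wan_if} -d ${public_ip} -p tcp --dport 80 -j DNAT --to-destination ${web_host}:80
# SNAT: LAN clients leave with the public address (use -j MASQUERADE instead if the WAN IP is dynamic)
-A POSTROUTING -o ${wan_if} -s ${lan_net} -j SNAT --to-source ${public_ip}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# manage the gateway from the LAN side only
-A INPUT -i ${lan_if} -s ${lan_net} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# return traffic for both directions of NAT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN to Internet
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -j ACCEPT
# Internet to the web server: filter sees the post-DNAT destination, so match on WEB_HOST
-A FORWARD -i ${wan_if} -o ${lan_if} -d ${web_host} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone run with placeholder values.
gen_nat_ruleset eth0 eth1 203.0.113.5 192.168.1.0/24 192.168.1.10
```

Load it with `iptables-restore` as root after `sysctl -w net.ipv4.ip_forward=1`. Because FORWARD defaults to DROP, only the LAN-originated traffic and the single DNATed service cross the gateway; anything else arriving on the WAN interface for the public address is dropped.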
iptables command reference
Commonly used iptables options:
-P: set the default policy of a built-in chain, i.e. what happens to packets no rule matched, for example iptables -P INPUT DROP or iptables -P INPUT ACCEPT
-F: flush, delete all rules from a chain (or from every chain of the table if no chain is named); the default policy is not changed
-N: create a new user-defined chain, for example iptables -N inbound_tcp_web creates an empty chain named inbound_tcp_web that other rules can jump to with -j inbound_tcp_web
-X: delete a user-defined chain (it must be empty and unreferenced)
-Z: zero the packet and byte counters of a chain
-A: append a rule at the end of a chain
-I [num]: insert a rule at position num (default 1, the top of the chain)
-R num: replace the rule at position num
-D num: delete the rule at position num (a rule can also be deleted by repeating its exact specification)
-L: list rules, for example iptables -L -n -v (numeric addresses, with counters); add --line-numbers to see the positions used by -I, -R and -D
-s: source address or network
-d: destination address or network
-p: protocol to match, such as tcp, udp or icmp
DROP: silently discard the packet; the sender sees a timeout
REJECT: discard the packet and send an error back (by default an ICMP port unreachable)
ACCEPT: let the packet through
More examples:
[example] block users behind this gateway from reaching the site www.sexy.com:
iptables -I FORWARD -d www.sexy.com -j DROP
(iptables resolves the hostname once, when the rule is added, and installs one rule per address returned; it does not inspect DNS or HTTP, so this is not a reliable domain block)
[example] block users from reaching the host 20.20.20.20:
iptables -I FORWARD -d 20.20.20.20 -j DROP
[example] prevent the client 192.168.1.X from reaching the Internet:
iptables -I FORWARD -s 192.168.1.X -j DROP
[example] prevent every client in the 192.168.1.0/24 subnet from reaching the Internet:
iptables -I FORWARD -s 192.168.1.0/24 -j DROP
[example] prevent clients in 192.168.1.0/24 from using FTP (control connection on TCP port 21):
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 21 -j DROP
[example] redirect all web traffic arriving on eth0 to the web server 192.168.1.x:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.x:80
[example] drop ICMP arriving on the ppp0 interface:
iptables -I INPUT -i ppp0 -p icmp -j DROP
Summary
That is the whole content of this article. I hope it is of some reference value for your study or work; if you have questions, leave a message and we can discuss them. Thank you for your support.