2025-04-01 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article walks through the steps of configuring iptables on a Linux system. The content is concise and easy to follow, and I hope you take something away from the detailed introduction.
Many people think that iptables is a firewall, but in fact it is only a client-side agent; the real firewall is netfilter behind it. We control netfilter through iptables, so how is iptables configured on a Linux system?
Introduction to iptables: iptables is not the firewall itself. Think of it as a client agent: users pass their security settings through the iptables agent to the corresponding "security framework", and that framework is the real firewall. Its name is netfilter.
Netfilter is the actual security framework of the firewall, and netfilter lives in kernel space.
iptables is a command-line tool in user space, and we use this tool to manipulate the real framework.
Detailed steps for configuring iptables on a Linux system. First, let's configure a firewall in the filter table.
(1) Check the current iptables settings on this machine.

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

You can see that I chose to enable the firewall when I installed Linux, and opened ports 22, 80 and 25.
If you did not choose to turn on the firewall when installing Linux, the output looks like this:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There are no rules at all.
(2) Clear the original rules.
Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all current filter rules.

[root@tp ~]# iptables -F    (flushes the rules of every chain in the default table, filter)
[root@tp ~]# iptables -X    (deletes the user-defined chains in the default table, filter)
Let's take a look:

[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

There is nothing left, just as if we had not enabled the firewall when installing Linux. (By the way, these settings are like configuring an IP address with commands: they are lost on reboot.) To save them:

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing so they take effect.

[root@tp ~]# service iptables restart

Now that the iptables configuration table is empty, let's start our configuration.
(3) Set the default policies

[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP

This sets what happens to a packet that matches none of the rules in the INPUT and FORWARD chains of the filter table: it is dropped. This configuration is quite safe, since it is the inbound packets we need to control.
As for the OUTPUT chain, we do not place many restrictions on outgoing packets, so its policy is ACCEPT: a packet that matches no rule is let through.
In other words, in the INPUT and FORWARD chains you write which packets are allowed, and in the OUTPUT chain which packets are not allowed.
This setup is quite reasonable. You could of course set all three chains to DROP, but I don't think it is necessary, and it increases the number of rules you have to write. If you only need a small number of rules, for example on a machine that is purely a web server, then setting all three chains to DROP is recommended.
Note: if you are logged in remotely over SSH, your session will be dropped the moment you enter the first command, because no rules have been set yet.
What to do? Work from the local console instead. (Or append the ACCEPT rules from the next step first and set the DROP policy last, so an existing session is never cut off.)
(4) Add rules.
First the INPUT chain. The default policy of the INPUT chain is DROP, so here we write the rules that need to ACCEPT (pass).
In order to log in over SSH remotely, we need to open port 22.

[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(Note: if you set the OUTPUT policy to DROP, you must also write this second rule. Many people forget it and then cannot SSH in; try it from the remote side and see.
The same applies to other ports. If a web server is running and OUTPUT is set to DROP, a rule must also be added:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT )

If you run a web server, open port 80.
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If you run a mail server, open ports 25 and 110.
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If you run an FTP server, open port 21 (and port 20 for active-mode data connections).
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

If you run a DNS server, open port 53.
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
(DNS queries are normally carried over UDP, so a matching rule with -p udp is needed as well; the TCP rule alone covers zone transfers and large responses.)

If you run other servers, just write a rule for whichever port you need to open.
What is written above is mainly the INPUT chain; anything not matched by these rules is dropped.
Allow ICMP packets through, i.e. allow ping:
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if OUTPUT is set to DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (if INPUT is set to DROP)

Allow the loopback interface! (Otherwise local services such as DNS resolution will not work properly.)
[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT     (if INPUT is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    (if OUTPUT is DROP)
Next, the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so here we write the rules that need to DROP.
Reduce connections on insecure ports:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojans scan for services on ports 31337 to 31340 (the "elite" ports in hacker slang). Since legitimate services do not use these non-standard ports, blocking them can effectively reduce the chance that a potentially infected machine on your network communicates on its own with its remote master server.
There are other ports, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), that should also be blocked. My list here is not complete; interested readers should consult the relevant references.
Of course, for greater security you can also set the OUTPUT policy to DROP, in which case you have to add more rules, such as the one above that allows SSH logins. Just write them following the same pattern.
Now let's write a more detailed rule, one limited to a particular machine.
For example, allow only the machine 192.168.0.3 to make SSH connections:
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
If you want to allow or restrict a whole IP range, use 192.168.0.0/24, where 24 is the length of the subnet mask. But remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
because it means that every address can log in.
Or delete it with a command:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save. I'll say it again: changes made with commands only take effect for the current session; if you want them to survive a restart, you have to save them, which writes them to the /etc/sysconfig/iptables file.
[root@tp ~]# /etc/rc.d/init.d/iptables save
Note the negation syntax: written as "! -s 192.168.0.3" it means every address except 192.168.0.3.
The same applies to the other rules.
Below is the FORWARD chain. The default policy of the FORWARD chain is DROP, so here we write the rules that need to ACCEPT (pass) in order to control the forwarding chain.
Enable forwarding (when doing NAT, the default policy of FORWARD is DROP):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
Discard bad TCP packets (new connections that do not start with a SYN):
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the rate of IP fragments to mitigate fragment attacks, allowing 100 per second:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set up ICMP packet filtering to allow 1 packet per second, with a burst threshold of 10 packets:
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
The reason I allowed ICMP packets earlier is that they are rate-limited here.
Second, configure a firewall in the NAT table

1. Check the NAT settings on this machine.

[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere             to:211.101.46.235

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

My NAT is already configured (it only provides the simplest proxy access function; no firewall rules have been added yet). See my other article on how to configure NAT.
Of course, if you have not configured NAT, you do not need to clear the rules, because the NAT table is empty by default.
If you do want to clear it, the commands are:
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat

2. Add rules
Add the basic NAT address translation (see my other article on how to configure NAT).
When adding rules here, we only add DROP rules, because the default policy of every chain is ACCEPT.
Prevent spoofing of private IP addresses from the external network:
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
If we want to block, for example, MSN, QQ or BT, we need to find the ports or IP addresses they use. (Personally, I don't think it's necessary.)
Example:
Prohibit all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Block the FTP port (21):
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
Written this way the scope is too wide; we can define it more precisely:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This only blocks FTP connections to the address 211.101.46.253; other connections to it, such as web (port 80), are fine.
Following what I wrote, all you have to do for other software such as QQ or MSN is find its IP address, port and protocol.
Finally:
Drop invalid connections:
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections:
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing so they take effect.

[root@tp ~]# service iptables restart
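The filter-table procedure above as one reviewable file, an added example that is not from the original article: the policies, loopback, service ports, SSH limited to one host, rate-limited ICMP, INVALID and ESTABLISHED,RELATED handling are assembled in iptables-restore format (what /etc/sysconfig/iptables holds), with the anti-spoofing drops placed in the filter table rather than the nat table. Assumed values are eth0 as the external interface and 192.168.0.3 as the admin host on the internal side; nothing in the script touches the live firewall.

```shell
#!/bin/sh
# Added example, not from the original article: it assembles the article's filter
# rules into an iptables-restore file (the format of /etc/sysconfig/iptables) so the
# whole rule set can be reviewed before loading; nothing here touches the live firewall.
# Assumed values (constructed): external interface eth0, admin host 192.168.0.3 on the
# internal side; override with WAN_IF and ADMIN_HOST.
WAN_IF="${WAN_IF:-eth0}"
ADMIN_HOST="${ADMIN_HOST:-192.168.0.3}"

gen_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local resolvers and services break without it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# RFC1918 sources arriving on the external interface are spoofed: drop in filter, not nat
-A INPUT -i ${WAN_IF} -s 10.0.0.0/8 -j DROP
-A INPUT -i ${WAN_IF} -s 172.16.0.0/12 -j DROP
-A INPUT -i ${WAN_IF} -s 192.168.0.0/16 -j DROP
# packets the connection tracker cannot classify
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# replies to connections this host opened (placed before the per-service rules)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the admin host; there is deliberately no unrestricted port-22 rule
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# ping, rate-limited as in the article's FORWARD example
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# Pre-load checks for the classic lockout mistakes: the file must COMMIT, loopback
# must be accepted, and no rule may open port 22 to every source address.
# Returns 0 when all checks pass, otherwise the number of the failed check.
check_rules() {
  rules="$(gen_filter_rules)"
  printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
  printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' || return 2
  printf '%s\n' "$rules" | grep -q -- '^-A INPUT -p tcp --dport 22 ' && return 3
  return 0
}
```

Generate, check, then load: gen_filter_rules > /tmp/iptables.rules && check_rules && iptables-restore < /tmp/iptables.rules. iptables-restore replaces the whole table atomically, and the order of lines in the file is the order in which iptables evaluates them, so the ESTABLISHED,RELATED rule sits before the per-service rules here rather than at the end.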
That is the procedure for configuring iptables on a Linux system. I hope you picked up some knowledge or skills; if you want to learn more, you are welcome to follow the industry information channel.