
Design example of Firewall under linux

2025-02-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--

This article shares a design example for a host firewall under Linux built with iptables. It is a practical, reusable layout, so it is presented here as a reference.

The rules to apply are as follows:

Clear existing rules: flush every rule currently loaded so the script starts from a known state.

Set the default policy: the filter table's INPUT chain defaults to DROP; FORWARD and OUTPUT default to ACCEPT.

Trust the local host: traffic on the loopback interface lo must be accepted.

Response packets: packets that answer requests made by this host may enter (connection state ESTABLISHED/RELATED).

Reject invalid packets: drop packets whose connection state is INVALID.

Whitelist: trusted IP addresses or networks.

Blacklist: untrusted IP addresses or networks.

Allow ICMP: let ICMP packets through.

Open some ports: service ports that must be reachable from outside, such as 80, 443 and 22.

We will create three shell script files: iptables.rule, iptables.allow (the whitelist) and iptables.deny (the blacklist). I usually create a directory, /etc/iptables, and keep all three files there.

Next, the contents of iptables.rule:

#!/bin/bash
# iptables rule

# clear existing rules
iptables -F
iptables -X
iptables -Z

# set default policy
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# trust the local host
iptables -A INPUT -i lo -j ACCEPT

# response packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# reject invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# whitelist
if [ -f "/etc/iptables/iptables.allow" ]; then
    sh /etc/iptables/iptables.allow
fi

# blacklist
if [ -f "/etc/iptables/iptables.deny" ]; then
    sh /etc/iptables/iptables.deny
fi

# allow icmp packets
iptables -A INPUT -p icmp -j ACCEPT

# open some ports
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # ssh service
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # www service
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # ssl

# save rules
/usr/libexec/iptables/iptables.init save

Three points about this script deserve attention. First, rule order matters: iptables evaluates the INPUT chain top to bottom and the first match wins, so because the whitelist is loaded before the blacklist, an address in iptables.deny that falls inside a network listed in iptables.allow is never blocked. Second, the default policy is switched to DROP before the ESTABLISHED,RELATED rule is appended; if the script aborts between those two lines, an existing SSH session to the host cannot recover, so test changes from a console, or start a background fallback such as (sleep 60; iptables -P INPUT ACCEPT) & before running it over SSH. Third, the script configures IPv4 only: on a dual-stack host ip6tables keeps its own default policy of ACCEPT, so the same rules must be applied with ip6tables as well.

In iptables.allow we write the trusted IP addresses or networks. For example, if the host's local network is 192.168.1.0/24 and every host on that LAN is to be trusted, the file contains:

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

iptables.deny blocks traffic from malicious IP addresses before it reaches the host. To block 8.210.247.5, for example, the file contains:

iptables -A INPUT -s 8.210.247.5/32 -j DROP

At the end of iptables.rule the rules are saved with /usr/libexec/iptables/iptables.init save (provided by the iptables-services package on CentOS/RHEL 7; on Debian-based systems the equivalent is iptables-save > /etc/iptables/rules.v4 together with the iptables-persistent package). Without this step the rules exist only in the running kernel: they take effect immediately but are lost as soon as the iptables service is restarted or the system reboots.


© 2024 shulou.com SLNews company. All rights reserved.
