How to use iptables Firewall in Ubuntu Server

2025-01-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use the iptables firewall in Ubuntu Server. Most people are not very familiar with it, so it is shared here for reference; I hope you learn a lot from it.

◆ basic command

Type:

# iptables -L

List the rules in your current iptables. If you have just set up your server, there may not be any rules at this time, and you should see the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

◆ allowing established sessions

We can allow established sessions to keep receiving traffic:

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

◆ allowing inbound traffic on specified ports

You could also start by blocking all traffic, but you are probably working over SSH, so it is necessary to allow SSH traffic before you block everything else.

To allow inbound traffic on port 22 (the default SSH port), you can tell iptables to let your network card accept all TCP traffic with destination port 22:

# iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT

Specifically, this appends (-A) a rule to the INPUT chain, allowing all TCP traffic with destination port ssh arriving on interface (-i) eth0 to jump (-j) to the action ACCEPT.

Let's check these rules (only a few lines are shown here; you should see more):

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Now let's allow all web traffic:

# iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT

Check our existing rules:

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www

We have allowed SSH and web ports as TCP traffic, but since we have not blocked any traffic yet, all traffic can still enter so far.

◆ blocking traffic

Once a rule matches a packet, the remaining rules are no longer evaluated for that packet. Because our rules allowing SSH and web traffic come first, as long as our rule blocking all traffic comes after them we will still accept the traffic we are interested in. All we have to do is put the rule blocking all traffic at the end, so we append it with -A again:

# iptables -A INPUT -j DROP

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
DROP       all  --  anywhere             anywhere

Because we did not specify an interface or a protocol in that last rule, any traffic other than web and ssh traffic will now be blocked.

◆ Editing iptables

The only problem with our setup so far is that the loopback interface is also blocked. We could have dropped only the packets arriving on eth0 by specifying -i eth0, but we can also add a rule for the loopback interface. If we simply appended this rule it would be too late, because all remaining traffic has already been dropped by the previous rule. We have to insert this rule at position 4:

# iptables -I INPUT 4 -i lo -j ACCEPT

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

The last two lines look almost the same, so we can make the iptables listing more verbose (it then shows the interface each rule applies to):

# iptables -L -v

◆ logging

In the example above, no traffic is logged. If you would like to record dropped packets in syslog, here is the quickest way:

# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7

See the tips section for more ideas about logging.
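As an added example of what to do with those syslog entries (not part of the original article), here is a small POSIX shell/awk function that summarises packets logged with the "iptables denied:" prefix by source, protocol and destination port. The log lines are constructed for the example; the function names summarize_denied and top_denied are assumptions.

```shell
#!/bin/sh
# Summarise packets logged by the "iptables denied:" LOG rule (added example;
# the syslog sample below is constructed, not captured from a real host).

SAMPLE_LOG='Apr 23 06:20:01 srv kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=23 SYN URGP=0
Apr 23 06:20:03 srv kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=23 SYN URGP=0
Apr 23 06:20:09 srv kernel: iptables denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=240 ID=54321 PROTO=UDP SPT=5060 DPT=5060 LEN=20
Apr 23 06:20:12 srv kernel: iptables denied: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=240 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Apr 23 06:20:15 srv kernel: iptables denied: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=44323 DPT=23 SYN URGP=0
Apr 23 06:20:20 srv sshd[812]: Accepted publickey for admin from 192.0.2.20 port 50022'

# summarize_denied PREFIX: read syslog text on stdin and print one line per
# "count SRC PROTO DPT", busiest first. Lines without PREFIX (e.g. sshd) are
# skipped; ICMP has no DPT, so it shows "-".
summarize_denied() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue            # tokens like "DF" or "SYN"
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_denied PREFIX: just the busiest source/port pair.
top_denied() {
    summarize_denied "$1" | head -n 1
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denied "iptables denied:"
```

On a real host, feed it the kernel log instead of the sample, e.g. summarize_denied "iptables denied:" < /var/log/syslog.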

◆ saving iptables

If you restart the machine now, your iptables configuration will disappear. Instead of typing these commands every time you reboot, you can save your configuration and let it start automatically when the system starts. You can save the configuration through the iptables-save and iptables-restore commands.

◆ configuring rules to load automatically at startup

Save your firewall rules to a file:

# iptables-save > /etc/iptables.up.rules

Then modify the /etc/network/interfaces script to apply these rules automatically (the last line is the one added):

auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.up.rules

You can also prepare a second set of rules and apply it automatically:

auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-restore < /etc/iptables.down.rules

◆ tips

◆ if you manually edit iptables on a regular basis

The steps above covered how to set up your firewall rules and assumed they are relatively static (and for most people they should be). But if you do a lot of experimenting, you may want your iptables rules saved every time you reboot. You can add lines like the following to /etc/network/interfaces:

pre-up iptables-restore < /etc/iptables.up.rules
post-down iptables-save > /etc/iptables.up.rules

The line "post-down iptables-save > /etc/iptables.up.rules" saves the rules for use the next time you boot.

◆ using iptables-save/restore to test the rules

If you go beyond this guide and edit iptables yourself, you may want to use iptables-save and iptables-restore to edit and test your rules. You can edit the rules file by opening it in your favourite text editor (gedit here):

# iptables-save > /etc/iptables.test.rules

# gedit /etc/iptables.test.rules

You will get a file similar to the following (this is the example built up above):

# Generated by iptables-save v1.3.1 on Sun Apr 23 06:19:53 2006
*filter
:INPUT ACCEPT [368:102354]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92952:20764374]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied:" --log-level 7
-A INPUT -j DROP
COMMIT
# Completed on Sun Apr 23 06:19:53 2006

Notice that these are the iptables statements minus the iptables command itself. Feel free to edit these commands and save the file when you are finished. Then a simple test:

# iptables-restore < /etc/iptables.test.rules

After testing, if you have not yet added the iptables-save command to /etc/network/interfaces, remember not to lose your changes:

# iptables-save > /etc/iptables.up.rules

◆ more detailed logging

To get more details in your syslog, you may want to create an extra chain. Here is a short example, my /etc/iptables.up.rules, which shows how I set up iptables logging to syslog:

# Generated by iptables-save v1.3.1 on Sun Apr 23 05:32:09 2006
*filter
:INPUT ACCEPT [273:55355]
:FORWARD ACCEPT [0:0]
:LOGNDROP - [0:0]
:OUTPUT ACCEPT [92376:20668252]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOGNDROP
-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP:" --log-level 7
-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP:" --log-level 7
-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP:" --log-level 7
-A LOGNDROP -j DROP
COMMIT
# Completed on Sun Apr 23 05:32:09 2006

Notice that a chain named LOGNDROP is declared at the top of the file. Also, the standard DROP at the bottom of the INPUT chain is replaced with a jump to LOGNDROP, and a protocol description is added to each LOG rule so the entries make sense when you read the log. Finally, the traffic is dropped at the end of the LOGNDROP chain. The following options tell us what happened:

* --limit sets how many times the same rule is logged to syslog
* --log-prefix "Denied..." adds a prefix that makes the entries easier to find in syslog
* --log-level 7 sets the syslog message level (see man syslog for details, but you can probably leave this alone)
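As an added example (not the article's own file), here is the whole procedure above, from the ordering rule in "blocking traffic" to the LOGNDROP chain, as a POSIX shell generator that emits a rules file in iptables-save format for a given interface and list of TCP ports, plus a check that no INPUT ACCEPT rule has been left behind the jump to LOGNDROP/DROP (the loopback mistake from the editing section). The function names gen_rules and check_order are assumptions.

```shell
#!/bin/sh
# Build a rules file in iptables-save format with the article's layout
# (established/related, loopback, allowed TCP ports, LOGNDROP chain) and
# check its ordering. Added example; gen_rules/check_order are assumed names.

# gen_rules IFACE PORT...: print the ruleset on stdout (for iptables-restore).
gen_rules() {
    iface="$1"; shift
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':LOGNDROP - [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Loopback early, so it can never end up behind the final drop.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # Everything else: rate-limited LOG per protocol, then DROP.
    printf '%s\n' '-A INPUT -j LOGNDROP'
    for proto in tcp udp icmp; do
        upper=$(printf '%s' "$proto" | tr '[:lower:]' '[:upper:]')
        printf '%s\n' "-A LOGNDROP -p $proto -m limit --limit 5/min -j LOG --log-prefix \"Denied $upper: \" --log-level 7"
    done
    printf '%s\n' '-A LOGNDROP -j DROP' 'COMMIT'
}

# check_order: read a rules file on stdin; return 1 if an ACCEPT rule in the
# INPUT chain appears after the jump to LOGNDROP or DROP (it would never match).
check_order() {
    awk '
        /^-A INPUT / && /-j (LOGNDROP|DROP)$/ { blocked = 1; next }
        /^-A INPUT / && /-j ACCEPT$/ && blocked { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run: SSH and HTTP on eth0, then verify the ordering.
gen_rules eth0 22 80
gen_rules eth0 22 80 | check_order && echo "rule order OK"
```

Apply it as root with gen_rules eth0 22 80 > /etc/iptables.up.rules followed by iptables-restore < /etc/iptables.up.rules, exactly as in the saving section above.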

◆ disabling the firewall

If you want to disable the firewall temporarily, you can flush your rules with the following command:

# iptables -F

◆ easy configuration via GUI

A novice can configure his or her iptables rules with Firestarter (a GUI tool), available from the repositories (via Synaptic or apt-get), with no command-line knowledge required. Please check its guide, though. Configuration is simple, but it may not be enough for advanced users; it is enough for most home users. I recommend using Firestarter to set outbound to "restricted" in the policy table and whitelist the types of connection you need (such as 80 for http, 443 for https, 1683 for MSN chat, and so on). You can also use it to view active connections to and from your computer. Once the firewall has been configured through the wizard, it is maintained for you. Dial-up users must specify in the wizard that it should start automatically on dial-up.

That is all the content of "how to use iptables Firewall in Ubuntu Server". Thank you for reading! I hope the content shared here has been helpful.
