How to use iptables tools to manage Firewall in Linux system

2025-02-23 Update. From: SLTechnology News&Howtos, shulou (Servers)

Shulou(Shulou.com)06/01 Report--

Many newcomers are not clear about how to manage the firewall on a Linux system with the iptables tool. To help with this, the following article explains it in detail; anyone who needs it can follow along, and I hope you gain something from it.

With the increasing use of Linux systems in enterprises, ensuring the security of those systems has become one of the necessary skills for operations and maintenance staff.

The Linux system itself ships with a very powerful protective measure: the firewall. How to manage the firewall has therefore become a top priority.

With the emergence of CentOS 7 and CentOS 8, more and more people prefer the firewalld tool to manage the firewall, because it can be configured not only from the command line but also graphically. For managing the Linux firewall with firewalld, please refer to the article on using the firewalld tool to manage the firewall and ensure the security of Linux systems.

Below we mainly introduce managing the firewall with the iptables tool.

Iptables overview:

When it comes to iptables, we have to talk about the four tables, the five chains, and the actions (targets) that a rule can perform.

The four tables are:

raw: advanced features, such as URL filtering

mangle: packet modification (QoS), to implement quality of service

nat: address translation, for a gateway router

filter: packet filtering, for firewall rules

The five chains are:

INPUT chain: processes packets arriving at the local machine

OUTPUT chain: processes packets leaving the local machine

FORWARD chain: processes packets forwarded through the machine

PREROUTING chain: for destination address translation (DNAT)

POSTROUTING chain: for source address translation (SNAT)

The actions (targets) are:

ACCEPT: accept the packet

DROP: drop the packet

REJECT: refuse the packet and send an error reply to the sender

REDIRECT: redirection, port mapping, transparent proxy

SNAT: source address translation

DNAT: destination address translation

MASQUERADE: IP masquerading (NAT), for ADSL links

LOG: logging

Common options of the iptables command are:

-t: specify the table to operate on

-A: append a rule to the end of a chain

-D: delete a rule from a chain

-I: insert a rule at the beginning of a chain (or at the given rule number)

-R: replace a rule in a chain

-L: list the existing rules in a chain

-F: flush (delete) all existing rules in a chain

-Z: zero the packet and byte counters of a chain

-N: create a new user-defined chain

-P: set the default policy (target) of a chain

-h: display help information

-p: specify the packet protocol to match

-s: specify the packet source IP address (or network) to match

-j: specify the target to jump to

-i: specify the network interface on which the packet enters the machine

-o: specify the network interface on which the packet leaves the machine

The order in which options are entered on the iptables command line is:

iptables -t <table> -A|-I <chain> [rule number] -p <protocol> --sport <source port> --dport <destination port> -j <action>

Examples of the iptables command:

[root@localhost ~]# iptables -F                 # flush all firewall rules
[root@localhost ~]# iptables -F INPUT           # flush all rules on the specified chain, INPUT
[root@localhost ~]# iptables -X                 # remove empty user-defined chains
[root@localhost ~]# iptables -Z                 # zero the counters
[root@localhost ~]# iptables -P INPUT DROP      # default policy: do not let anything in
[root@localhost ~]# iptables -P FORWARD DROP    # default policy: do not forward
[root@localhost ~]# iptables -P OUTPUT ACCEPT   # default policy: everything may go out

Set the INPUT chain to allow only hosts in the specified network segment to access local port 22 and deny traffic from all other hosts:

[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j REJECT
[root@localhost ~]# iptables-save               # print the current rule set; redirect its output to a file to persist it

If only 192.168.1.100 and 192.168.1.110 may ping the machine, the rules are added like this:

[root@localhost ~]# iptables -I INPUT -s 192.168.1.110 -p icmp -j ACCEPT
[root@localhost ~]# iptables -I INPUT -s 192.168.1.100 -p icmp -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p icmp -j DROP

If all of 192.168.1.0/24 may ping the machine, but pings from 192.168.1.100 and 192.168.1.110 must be rejected, the rules are added like this (each -I lands on top, so the two DROP rules end up above the ACCEPT rule):

[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
[root@localhost ~]# iptables -I INPUT -s 192.168.1.100 -p icmp -j DROP
[root@localhost ~]# iptables -I INPUT -s 192.168.1.110 -p icmp -j DROP

Add to the INPUT chain a policy rule that denies everyone access to port 12345 of the machine:

[root@localhost ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@localhost ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT

Add to the INPUT chain a policy rule that denies all hosts access to local ports 1000 to 1024:

[root@localhost ~]# iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT
[root@localhost ~]# iptables -A INPUT -p udp --dport 1000:1024 -j REJECT

Note: iptables checks the rules of a chain from top to bottom, stops at the first rule that matches, and applies the chain's default policy if no rule matches! So when adding rules, pay attention to the order in which they are added: -I puts a rule at the top of the chain, -A at the bottom.
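To make the ordering rule concrete, here is an added Python model of first-match chain evaluation (example code written for this page, not part of the article or of iptables itself). It replays the article's "allow 192.168.1.0/24 to ping, except 192.168.1.100 and 192.168.1.110" rules and shows that entering them with -I (insert at top) gives the intended result, while entering the same three rules with -A (append) leaves the host DROP rules shadowed by the /24 ACCEPT. The packet dictionaries and the Rule/Chain classes are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    """One rule: match fields (None means 'any') plus the target to jump to (-j)."""
    target: str                                  # ACCEPT / DROP / REJECT
    src: Optional[ipaddress.IPv4Network] = None  # -s host or network
    proto: Optional[str] = None                  # -p tcp / udp / icmp
    dport: Optional[Tuple[int, int]] = None      # --dport lo:hi, inclusive

    def matches(self, pkt: Dict) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and not self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]:
            return False
        return True

class Chain:
    """A chain with a default policy (-P); rules are checked top to bottom, first match wins."""
    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:    # -I: the new rule becomes rule 1
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:    # -A: the new rule goes last
        self.rules.append(rule)

    def verdict(self, pkt: Dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy                   # nothing matched: default policy applies

def build_icmp_chain(use_append: bool = False) -> Chain:
    """The article's 'allow 192.168.1.0/24 to ping, except .100 and .110' rules, entered in
    the order printed. With -I each new rule lands on top, so the host DROPs sit above the
    /24 ACCEPT; with -A they are appended below it and are never reached (constructed model)."""
    chain = Chain(policy="DROP")             # iptables -P INPUT DROP
    add = chain.append if use_append else chain.insert
    add(Rule("ACCEPT", src=ipaddress.ip_network("192.168.1.0/24"), proto="icmp"))
    add(Rule("DROP", src=ipaddress.ip_network("192.168.1.100/32"), proto="icmp"))
    add(Rule("DROP", src=ipaddress.ip_network("192.168.1.110/32"), proto="icmp"))
    return chain
```

Calling build_icmp_chain().verdict({"src": "192.168.1.100", "proto": "icmp"}) returns DROP, while build_icmp_chain(use_append=True) returns ACCEPT for the same packet; that shadowed rule is exactly the mistake the ordering note warns about.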
