Examples of iptables forbidden port and open port under Linux

2025-02-28 Update. From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/02 Report--

1. Set the default policy of INPUT, FORWARD and OUTPUT to DROP, then open only the ports you need.

The commands are:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Then list the rules with

iptables -L -n

and check that every chain header now reads policy DROP.

Caution: if you are logged in over SSH, add the port 22 rules from section 2 before changing the policies, or do this from the console. Once INPUT and OUTPUT default to DROP, the packets of your own session are discarded as well and the connection freezes.

The change only affects the running kernel. After a reboot the server is back to the previous rule set.

To make it persistent, run

service iptables save

On RHEL/CentOS systems that use the iptables service, this writes the current rules to /etc/sysconfig/iptables, which you can inspect with vi /etc/sysconfig/iptables.

2. Open only port 22 (SSH). Two rules are needed:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Run iptables -L -n to confirm they were added:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22

The server now accepts only port 22. Test it with an SSH client such as putty.exe; if the session comes up, the rules work.

Finally, do not forget to save the firewall settings:

service iptables save

Now an explanation of the two commands:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

-A appends a rule to the end of the named chain, INPUT in the first command and OUTPUT in the second.

-p selects the protocol. TCP is the most common, but UDP is also used; DNS on port 53, for example, uses UDP, as you will see when we open it in section 6.

--dport is the destination port: for packets coming into the server from outside, the port they are addressed to.

--sport is the source port: for packets leaving the server, the local port they come from, which identifies the service that sent them.

-j selects the target, i.e. what to do with a matching packet: ACCEPT lets it through, DROP silently discards it.

3. Deny access from a specific IP

Setup: one Linux server and two Windows XP clients.

Linux server IP: 192.168.1.99

xp1 IP: 192.168.1.2

xp2 IP: 192.168.1.8

At first both XP clients can reach the web server: 192.168.1.2 (xp1) can load the page, and so can 192.168.1.8 (xp2).

Now we block xp1 (192.168.1.2) while xp2 keeps normal access.

The command is

iptables -A INPUT -p tcp -s 192.168.1.2 -j DROP

-A adds a new rule. Since the website is accessed over TCP we match -p tcp (it would be -p udp for a UDP service). -s is the source address, here 192.168.1.2. To refuse the traffic the target is DROP.

Rules in a chain are evaluated top to bottom and the first match wins. -A appends to the end, so if an ACCEPT rule for port 80 already precedes it, packets from 192.168.1.2 are accepted before the DROP is ever reached; in that case insert the block at the top with -I INPUT 1 instead of -A.

Add the rule, then verify. From xp1 the browser sits in the waiting state and finally reports that the page cannot be displayed: 192.168.1.2 is denied. From xp2 at 192.168.1.8 the site still loads normally.

4. Deleting a rule

Every rule has a number within its chain. Show the numbers with

iptables -L -n --line-numbers

num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21

The added num column shows that the rule we want to remove is number 2 in this listing.

Delete it with

iptables -D INPUT 2

which removes rule number 2 from the INPUT chain. Running iptables -L -n again shows it is gone.
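Added example (not from the original article): a small POSIX shell helper that finds the rule numbers to delete instead of reading them off by eye, as described above. It works on the output of iptables -L CHAIN -n --line-numbers; the listing embedded here is a constructed sample, not captured from the demo server, and 192.168.1.2 is the tutorial's example host. The delete commands are emitted highest number first, because deleting a rule renumbers the ones after it.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` output (not from a live host).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2    DROP       tcp  --  192.168.1.2          0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    DROP       tcp  --  192.168.1.2          0.0.0.0/0            tcp dpt:80'

# rule_numbers_for_source LISTING SRC TARGET
# Prints the rule numbers whose source column is SRC and whose target is TARGET,
# highest number first. Column layout of --line-numbers output:
#   $1 num  $2 target  $3 prot  $4 opt  $5 source  $6 destination
rule_numbers_for_source() {
    printf '%s\n' "$1" | awk -v src="$2" -v tgt="$3" '
        $1 ~ /^[0-9]+$/ && $2 == tgt && $5 == src { print $1 }' | sort -rn
}

# delete_commands LISTING CHAIN SRC TARGET
# Prints one `iptables -D CHAIN N` per matching rule, descending, so that the
# first deletion does not shift the numbers of the rules still to be deleted.
delete_commands() {
    rule_numbers_for_source "$1" "$3" "$4" | while read -r n; do
        printf 'iptables -D %s %s\n' "$2" "$n"
    done
}

# Demo on the constructed listing: prints the two DROP rules for 192.168.1.2.
delete_commands "$SAMPLE_LISTING" INPUT 192.168.1.2 DROP
```

On a real host feed it the live listing, for example delete_commands "$(iptables -L INPUT -n --line-numbers)" INPUT 192.168.1.2 DROP | sh. When you know the exact rule, iptables also accepts the rule specification in place of the number (iptables -D INPUT -p tcp -s 192.168.1.2 -j DROP); iptables -S INPUT prints every rule in that form, which avoids the renumbering problem altogether.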

5. Filter packets that do not belong to an established connection

Suppose an attacker has already got onto the server, or a trojan is running on it, and it sends data out of the server from port 22 or 80.

That traffic differs from our normal use of ports 22 and 80: the packets it sends are not replies to a request that a client made by connecting to the service.

We want to block such unsolicited outbound packets entirely.

iptables can match the connection state, so we add a state check to the port 22 and 80 rules to reject packets that are not part of an established connection.

The command is:

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Compared with the rule used earlier,

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

it adds one condition: -m state --state ESTABLISHED only matches packets belonging to a connection that connection tracking has already seen in both directions, i.e. replies to a client that was admitted by the INPUT rule. A process on the server that simply binds a socket to port 22 and starts sending creates a NEW connection, gets no match, and falls through to the DROP policy.

Do the same for port 80, then delete the two original stateless rules:

iptables -L -n --line-numbers

lists the rules with their numbers; we only need the number.

Delete the corresponding rule:

iptables -D OUTPUT 1

The 1 is the rule number in the OUTPUT chain.

After a deletion the remaining rules are renumbered, so list again before deleting the next one, or delete the higher number first.

With both old rules removed, port 22 still works, so the stateful rules are correct.

Save, or a reboot will restore the previous state:

service iptables save

Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

This writes the rules you just set to /etc/sysconfig/iptables.

6. DNS (port 53)

Let's look at how to open the DNS port in iptables. DNS uses port 53.

At the moment only ports 22 and 80 are open. Let's see whether a domain name can be resolved:

host www.google.com

The command just waits, which means DNS is not working, and finally prints:

;; connection timed out; no servers could be reached

ping cannot resolve the name either:

[root@localhost ~]# ping www.google.com
ping: unknown host www.google.com

The reason is that iptables is blocking port 53.

This is also why some servers, web servers in particular, become slow: a service that tries to resolve a name waits for an answer from the DNS server that its own firewall never lets out.

Below we open port 53 for DNS. If you do not know the port number of a service, look it up with

[root@localhost ~]# grep domain /etc/services
domain          53/tcp                          # name-domain server
domain          53/udp
domaintime      9909/tcp                        # domaintime
domaintime      9909/udp                        # domaintime

Ordinary DNS queries use UDP; TCP on port 53 is used for large answers and zone transfers.

Now the rules:

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

The query for our ping leaves this machine, so we start with OUTPUT and follow the path the packet takes.

The DNS server receives our query and sends back an answer, which must be let in:

iptables -A INPUT -p udp --sport 53 -j ACCEPT

The article also adds the reverse pair:

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 53 -j ACCEPT

Those two are only needed if this host itself answers DNS queries for other machines; a host that only resolves names can leave them out.

Now test. First check the rules with iptables -L -n:

[root@localhost ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53

Then test whether DNS gets through iptables:

[root@localhost ~]# host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com is an alias for www-china.l.google.com.
www-china.l.google.com has address 64.233.189.104
www-china.l.google.com has address 64.233.189.147
www-china.l.google.com has address 64.233.189.99

The google domain name resolves normally.

ping itself needs a few more rules: it uses ICMP, which nothing above allows, so only the name lookup part of it works so far.

Check with nslookup as well:

[root@localhost ~]# nslookup
> www.google.com
Server:         192.168.1.1
Address:        192.168.1.1

Non-authoritative answer:
www.google.com          canonical name = www.l.google.com.
www.l.google.com        canonical name = www-china.l.google.com.
Name:   www-china.l.google.com
Address: 64.233.189.147
Name:   www-china.l.google.com
Address: 64.233.189.99
Name:   www-china.l.google.com
Address: 64.233.189.104

The local resolver works and iptables now allows port 53.

7. iptables rules for FTP

Now the FTP ports, adding the rules in the same way as before.

FTP uses two well-known ports, 21 (control) and 20 (active-mode data). Add rules for both:

[root@localhost root]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@localhost root]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

With only these, opening the FTP site in a browser times out.

FTP is special: the control connection on port 21 only carries commands, while directory listings, uploads and downloads go over separate data connections. In passive mode, which browsers use, the server picks the data port from its ephemeral range, so it is a different arbitrary port every time.

Without a fixed range, iptables cannot open "any port" usefully: allowing everything is no different from having no firewall at all. The solution is to pin the passive data ports to a range and open just that range.

So we change the FTP server configuration. The example uses vsftpd; for other FTP daemons look up the equivalent setting.

[root@localhost root]# vi /etc/vsftpd.conf

(On some distributions the file is /etc/vsftpd/vsftpd.conf.) Add at the end:

pasv_min_port=30001
pasv_max_port=31000

Save and exit.

These two lines tell vsftpd to use ports 30001 to 31000 for passive data connections.

That makes the iptables side simple: open exactly that range, written as a port range with a colon.

[root@localhost root]# iptables -A INPUT -p tcp --dport 30001:31000 -j ACCEPT
[root@localhost root]# iptables -A OUTPUT -p tcp --sport 30001:31000 -j ACCEPT
[root@localhost root]# service iptables save

After saving, the FTP site is reachable from the browser again. Log in with an account and upload some files: uploads and downloads both work.

Check the iptables settings once more:

[root@localhost root]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:30001:31000

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21

This is a minimal rule set to demonstrate FTP's special data ports. In practice add state matching, for example -m state --state ESTABLISHED,RELATED, so the data-port rules only admit connections that belong to an FTP session. For RELATED to recognise FTP data connections the kernel's FTP connection-tracking helper (nf_conntrack_ftp, ip_conntrack_ftp on older kernels) must be loaded; with a fixed passive range the plain port-range rule above works without it.
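Added example, not from the original article: one POSIX shell script that assembles the whole rule set the tutorial builds step by step in sections 1 to 7, in an order that is safe to run over SSH. It assumes the tutorial's placeholder values (blocked host 192.168.1.2, vsftpd passive range 30001:31000) and a RHEL/CentOS-style system where service iptables save persists the rules; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: complete rule set for sections 1-7 of the tutorial.
# IPT is the command used for every rule; IPT=echo prints the commands instead
# of applying them, which is how this file can be run without root.
IPT="${IPT:-iptables}"

# Assumed placeholders from the article, override via the environment.
BLOCKED_HOST="${BLOCKED_HOST:-192.168.1.2}"        # host denied in section 3
FTP_PASV_RANGE="${FTP_PASV_RANGE:-30001:31000}"    # pasv_min_port:pasv_max_port from vsftpd.conf

apply_rules() {
    # 1. Keep the policies at ACCEPT while the chains are flushed and refilled, so an
    #    SSH session running this script is never cut off half-way (section 1 caveat).
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
    "$IPT" -F FORWARD

    # 2. Section 3: the blocked host goes first, before anything could ACCEPT it
    #    (first match wins, so this also kills its already-established sessions).
    "$IPT" -A INPUT -s "$BLOCKED_HOST" -j DROP

    # 3. Loopback, and drop packets conntrack cannot classify at all.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A INPUT  -m state --state INVALID -j DROP

    # 4. Section 5 generalised: replies to connections we accepted are allowed in
    #    both directions. This replaces every per-port --sport rule of the article.
    "$IPT" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Sections 2 and 7: inbound services, new connections only.
    for port in 22 80 21; do
        "$IPT" -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Section 7: vsftpd passive data ports, pinned in vsftpd.conf.
    "$IPT" -A INPUT -p tcp --dport "$FTP_PASV_RANGE" -m state --state NEW -j ACCEPT

    # 6. Section 6: outbound DNS lookups; TCP as well for answers too big for UDP.
    #    The matching replies come back through the ESTABLISHED rule above.
    "$IPT" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # 7. Only now flip the default policies to DROP (section 1).
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
}

# Run with `--dry-run` to print the commands, `--apply` to install them as root.
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo
    apply_rules
elif [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Two design points follow from the article's own observations: the policies are changed last and the block rule is appended first because first match wins (section 3), and a single ESTABLISHED,RELATED rule per chain does the job the article does with one --sport rule per service (section 5), which is also what lets the INPUT --dport 53 / OUTPUT --sport 53 pair from section 6 be dropped on a host that does not serve DNS. After --apply, persist the result with service iptables save as in the article.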

That is the whole of this article; I hope it is helpful to your study.
