2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use the IPTables firewall. It is quite detailed and should be a useful reference; interested readers are encouraged to read it through.
iptables is the packet-filtering firewall front end for Linux: the command configures filtering, redirection and NAT rules inside the kernel's netfilter framework. Like most Linux software it is free, and it can replace expensive commercial firewall products for packet filtering, packet redirection and network address translation (NAT). In daily Linux operations, iptables rules are routinely set to harden services.
1. Start, Stop and Restart IPTables
iptables itself is only a command-line tool; the rules live in the kernel. Distributions that ship an iptables service unit (for example the iptables-services package on RHEL/CentOS) let you manage the saved ruleset like a service: "start" loads the rules from the saved file, and "stop" flushes them and resets the chain policies to ACCEPT, which leaves the host with no packet filtering at all. Check what "stop" does on your distribution before relying on it.
Systems based on SystemD
systemctl start iptables
systemctl stop iptables
systemctl restart iptables
SysVinit based systems
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables restart
2. View the IPtables firewall rules
You can view the current IPtables firewall policy with the following command:
iptables -L -n -v
The command above should produce a listing of the chains and their rules (the sample listing is not included here). -L lists the rules, -n prints addresses and ports numerically (avoiding slow reverse DNS lookups), and -v adds packet and byte counters and the interface columns; add --line-numbers to see each rule's position in its chain, which is useful when deleting rules by number.
The command above shows the default FILTER table. To view a specific table instead, pass its name with the -t parameter. For example, to view only the rules in the NAT table:
iptables -t nat -L -v -n
3. Block an IP address
If you find an IP address that is sending attacks or unusual traffic to the server, you can block it with the following rule:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Replace the xxx above with the actual IP address to block. The -A parameter appends the rule at the end of the INPUT chain. Rules in IPtables are matched from top to bottom, and the first rule that matches decides the packet's fate, so an appended DROP only takes effect if no earlier rule (for example an ACCEPT for ESTABLISHED connections) has already matched. To make sure a block is evaluated before everything else, insert it at the top of the chain with -I INPUT instead of -A INPUT.
If you only want to block TCP traffic from that address, specify the protocol with the -p parameter, for example:
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP
4. Unblock an IP address
To unblock the address, delete the rule with the following command:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
The -D parameter deletes a rule from the chain. The rule specification must match the one you added exactly (same chain, source, protocol and target); alternatively, list the chain with --line-numbers and delete by position, for example -D INPUT 3.
5. Use IPtables to close specific ports
Often we need to block network connections to a specific port, which can be done with IPtables.
Block a specific outgoing connection (the server cannot connect out to that port):
iptables -A OUTPUT -p tcp --dport xxx -j DROP
Block a specific incoming connection (clients cannot reach that port on the server):
iptables -A INPUT -p tcp --dport xxx -j DROP
6. Use multiport to control multiple ports
With the multiport match we can list several ports (up to 15 ports or port ranges) in a single rule, for example:
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
7. Use IP address ranges in rules
In IPtables, an IP address range can be written directly in CIDR notation, for example:
iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT
For ranges that do not fall on a CIDR boundary, the iprange match (-m iprange --src-range or --dst-range) accepts an arbitrary first-last address pair.
8. Configure port forwarding
Sometimes we need to redirect traffic that arrives for one service port on a Linux server to a different local port. This is done in the nat table:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525
The command above redirects all traffic arriving on port 25 of the eth0 NIC to local port 2525. Two caveats: PREROUTING only sees packets arriving from the network, so connections the host makes to its own port 25 are not redirected (those need a matching rule in the nat OUTPUT chain), and the filter INPUT chain must still accept traffic to port 2525, because the filter rules see the packet after the redirect.
9. Mitigate an HTTP flood
Sometimes clients open a very large number of connections to a service such as HTTP on port 80. The limit match can throttle new connections:
iptables -A INPUT -p tcp --syn --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
The rule above accepts new connections (TCP SYN packets) at a sustained rate of 100 per minute, allowing an initial burst of up to 200. The --syn flag matters: without it the limit counts every packet of every connection rather than connection attempts. Note also that the rule only ACCEPTs traffic within the limit; packets above the limit fall through to the next rule, so they are still accepted unless a later DROP rule for port 80 or a DROP default policy on the INPUT chain discards them. The limit is global for the rule, not per client; for a per-source limit use the connlimit match (section 13) or hashlimit.
10. Prohibit PING
To stop the server from answering ping, block incoming ICMP echo requests with the following rule:
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
Match the echo-request type rather than all of ICMP: dropping every ICMP packet also discards "fragmentation needed" and "destination unreachable" messages, which breaks path MTU discovery and makes network failures slow to surface.
11. Allow access to the loopback interface
Traffic on the loopback interface (127.0.0.1) is important, because many local services talk to each other through it. It is recommended that everyone allow it unconditionally, and these rules should sit at the top of the chains:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
12. Block a specified MAC address
You can block a specified MAC address with the following rule:
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
Replace the xx with the full six-byte address. The mac match works only in the PREROUTING, FORWARD and INPUT chains and only sees the source MAC of the last hop on the local segment, so it cannot block a host that sits behind a router, and a MAC address is trivial to spoof.
13. Limit concurrent connections
If you do not want too many concurrent connections to a particular port from the same client, you can use the following rule:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
The rule above rejects a new SSH connection attempt (SYN) once the source address already has more than 3 connections open, so each client is limited to 3 connections. By default connlimit counts per source IP (mask /32); --connlimit-mask can widen that to a whole subnet.
14. Clear IPtables rules
To flush all rules from the chains of the filter table, use the following command:
iptables -F
To flush a specific table, name it with the -t parameter, for example:
iptables -t nat -F
Note that -F removes rules but does not reset the default policy of the chains: if the INPUT chain's policy is DROP, flushing the rules will lock you out of a remote server. Set the policies back to ACCEPT first (iptables -P INPUT ACCEPT) or run the flush from the console.
15. Save IPtables rules
By default, changes an administrator makes to IPtables rules take effect immediately. However, the rules live only in kernel memory, so a reboot discards them. To keep them permanently, dump them with the iptables-save command:
iptables-save > ~/iptables.rules
You can choose any file name. Where a distribution ships an iptables service (section 1), it expects the dump in its own location, for example /etc/sysconfig/iptables on RHEL/CentOS with iptables-services or /etc/iptables/rules.v4 on Debian/Ubuntu with iptables-persistent, and loads it at boot.
16. Restore IPtables rules
Saving naturally has a counterpart: the iptables-restore command reloads a saved ruleset from its standard input:
iptables-restore < ~/iptables.rules
By default iptables-restore flushes the existing rules of each table named in the file before loading the new ones; pass -n (--noflush) to add the rules on top of the current ones instead.
17. Allow related connections to be established
Because inbound and outbound traffic are filtered separately, the reply packets of a connection the server accepted or initiated must be allowed back in. The conntrack match does this by tracking connection state:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ESTABLISHED matches packets of a connection that has already seen traffic in both directions; RELATED matches new connections that a helper associates with an existing one, such as an FTP data channel or an ICMP error about an existing connection. The matching rule for outgoing traffic:
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
18. Drop invalid packets
Many network attacks send hand-crafted malformed packets, for example TCP segments with impossible flag combinations or packets that belong to no tracked connection. The following rule discards packets that conntrack cannot classify:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
19. Block outgoing mail with IPtables
If your system is not used to send mail, block the outgoing SMTP ports in your rules (note that --dports requires the multiport match):
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
20. Restrict access on a specific network card
If your system has several network cards, you can restrict an address or address range on one particular card:
iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP
The source address can be a single IP or a CIDR range.
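The rules above are shown one at a time, but on a real server they only work together when they are in the right order and backed by a default-deny policy. The following script is an added example, not code from the original article: it assembles the rules from sections 3, 6, 9, 11, 13, 17 and 18 into one complete iptables-restore ruleset, and adds a loader with an automatic rollback so that a mistake of the kind described in sections 14 to 16 cannot lock you out of a remote host. The interface name, SSH port, web ports and blocklist file are assumptions supplied by the caller; the nat-table redirect from section 8 and IPv6 (ip6tables) are left out.

```sh
#!/bin/sh
# Added example (not from the original article): build a complete,
# correctly ordered default-deny ruleset in iptables-restore format, and
# load a ruleset with an automatic rollback. Interface, SSH port, web ports
# and the blocklist file are assumptions passed in by the caller.

# build_ruleset IFACE SSH_PORT WEB_PORTS [BLOCKLIST_FILE]
# Prints the ruleset to stdout. WEB_PORTS is a comma-separated list for the
# multiport match; BLOCKLIST_FILE holds one IP or CIDR per line, '#' comments
# and blank lines allowed.
build_ruleset() {
    iface="$1"; ssh_port="$2"; web_ports="$3"; blocklist="${4:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services depend on it
-A INPUT -i lo -j ACCEPT
EOF
    # blocked addresses come next, BEFORE the ESTABLISHED accept, so that
    # connections a blocked host already has open are cut as well
    if [ -n "$blocklist" ] && [ -f "$blocklist" ]; then
        grep -Ev '^[[:space:]]*(#|$)' "$blocklist" | while read -r addr; do
            printf -- '-A INPUT -i %s -s %s -j DROP\n' "$iface" "$addr"
        done
    fi
    cat <<EOF
# packets conntrack cannot classify (bad flags, out of window, no state)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections we accepted or initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH: refuse a new connection once a source already has more than 3 open
-A INPUT -i $iface -p tcp --syn --dport $ssh_port -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
-A INPUT -i $iface -p tcp --syn --dport $ssh_port -j ACCEPT
# web: throttle new connections; anything over the limit falls through to
# the DROP policy instead of being accepted
-A INPUT -i $iface -p tcp --syn -m multiport --dports $web_ports -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
# ping is rate-limited; other ICMP (PMTU, unreachables) is left alone
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# apply_with_rollback RULES_FILE [SECONDS]
# Syntax-checks and loads RULES_FILE, then restores the previous ruleset
# automatically after SECONDS (default 60) unless the caller kills the timer.
# Needs root; run it over the SSH session you do not want to lose.
apply_with_rollback() {
    rules="$1"; grace="${2:-60}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore --test < "$rules" || { echo "refusing to load: $rules has errors" >&2; return 1; }
    ( sleep "$grace" && iptables-restore < "$backup" ) &
    timer=$!
    iptables-restore < "$rules" || return 1
    echo "loaded $rules; rollback to $backup in ${grace}s unless you run: kill $timer"
}
```

Typical use is `build_ruleset eth0 22 80,443 /etc/iptables/blocked.txt > /etc/iptables/rules.v4`, review the file, then `apply_with_rollback /etc/iptables/rules.v4 90` from the SSH session and, once a fresh SSH login still works, kill the printed timer PID. The order inside the file is the point: loopback and the blocklist first, then INVALID and ESTABLISHED,RELATED, and only then the per-service ACCEPTs, so every rate-limited or rejected connection attempt ends at the INPUT chain's DROP policy rather than being accepted by a later rule.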
That is the whole of "how to use the IPTables firewall"; thank you for reading! We hope the content is helpful, and for more related knowledge please follow the industry information channel.