

How to set up Iptables Firewall in Linux

2025-02-28 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

In this issue, the editor will show you how to set up the iptables firewall in Linux. The article is rich in content and analyzes the subject from a professional point of view. I hope you get something out of reading it.

1. Iptables introduction

Iptables is complex and is integrated into the Linux kernel. With it you can filter the packets going in and out of your computer. Use the iptables command to write rules that decide which traffic is allowed, which is not, and which is logged on your network. Next, I'll show you how to write your own rules, starting now.

2. Initialization work

Type the following at the shell prompt (#):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

Each of the above commands has its exact meaning: -F flushes all rules from the chains of a table, -X deletes any user-defined chains, and the -t nat variants do the same for the nat table (the default is the filter table). In general, before setting up your iptables rules you need to clear everything set previously; we will call this initialization. In many cases it does nothing, but to be on the safe side you might as well be careful. If you are using Red Hat or Fedora, you have an easier way:

service iptables stop

3. Start setting rules:

Next, let's start setting your rules.

iptables -P INPUT DROP

This command builds a very "secure" firewall for you; it's hard for me to imagine any hacker breaking into such a machine, because it discards (drops) all data coming into your machine from the network. This is, of course, too safe: your machine is as good as disconnected. If you ping localhost, the ping just sits there, because no reply ever gets in.

4. Add rules

Then continue to enter the command above:

iptables -A INPUT ! -i ppp0 -j ACCEPT

This rule means: accept all data that does not arrive on the network interface ppp0 (the ! negates the interface match).

Let's assume that you have two other network interfaces: eth0, connected to the local area network, and lo, the loopback interface for localhost. ppp0 is the usual internet interface when you go online over ADSL. If you don't go online this way, it may be eth2. Here I assume that you use ADSL and that your internet interface is ppp0.

At this point you can reach the local area network, and you can also reach localhost.

If you type the command ping localhost at this time, will the result be the same as before?

We can't reach www or mail at this point, as we will see.

5. I want to visit www

iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT

Allow data from the network interface ppp0 (internet interface) and the source port 80 to enter your computer.

Port 80 is the port used by the www service.

All right, now you can browse the web. But can you really?

If you type www.baidu.com in the browser's address, can you see the web page?

The result you get must be: host www.baidu.com not found

However, if you type 220.181.27.5 again, you can still visit the baidu web page.

Why? If you know dns, you must know why.

Because when you enter www.baidu.com, your computer cannot resolve that name to the IP address 220.181.27.5. If you happen to remember the IP, you can still reach www, but only by IP. Unless you want to challenge your memory ^_^, we have to open DNS.

6. Open the dns port

To open your DNS port, enter the following command:

iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT

This command accepts all UDP data from source port 53 on the network interface ppp0. Port 53 is the DNS port.

Test it at this time, can you access www through the host name? Can you access www through ip?

Of course, both are fine!

7. Check the firewall

Now you can check your firewall.

iptables -L

If you only want to access www, you can stop here and you will have access to www only. But don't stop yet: let's summarize what has been said above and write a script.

#!/bin/bash
# This is a script
# Edit by liwei
# establish a static firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -A INPUT ! -i ppp0 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT

8. Is it complicated? At this point, iptables filters packets according to your requirements. You can open more ports so that your machine can reach those services. It's possible that you can't use QQ or play online games; whether that is good or bad is up to you. By the way, QQ is really hard to control. Clients seem to use port 8888 to connect to the server, while QQ friends send messages to each other over UDP on port 4444 (I'm not sure whether it is 4444). QQ can also log in and send messages through port 80, the www port. There is no end to learning, and this guy is not easy to control. Let's get back to business.

What if your machine is a server?

9. If your machine happens to be a server and you want to provide www service, the script above obviously won't meet our requirements. But as long as you understand the rules, a small change will do the job. Add one line at the end:

iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT

This opens port 80 on your machine so that other people on the internet can reach your www service. Of course, your www server has to be running. If your machine is also an SMTP and a POP3 server, add two more statements of the same form, changing the 80 after --dport to 25 and 110. If you also have an FTP server... hehe, what if you want to open 100 ports?

Our job seems to be typing similar statements over and over. As you may have guessed, a loop can do it. Here you can make good use of shell scripting and get a feel for its power. See below:

10. Simplify your work with a script and read the following script

#!/bin/bash
# This is a script
# Edit by liwei
# establish a static firewall

# define const here
Open_ports="80 25 110"    # ports open on your own machine (www, smtp, pop3)
Allow_ports="53 80 20 21" # source ports from which internet data may enter your machine

# init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP    # we can use another method instead of this
iptables -A INPUT ! -i ppp0 -j ACCEPT

# define rules so that some data can come in
for Port in $Allow_ports; do
    iptables -A INPUT -i ppp0 -p tcp --sport "$Port" -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport "$Port" -j ACCEPT
done

for Port in $Open_ports; do
    iptables -A INPUT -i ppp0 -p tcp --dport "$Port" -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport "$Port" -j ACCEPT
done

The script has three parts (the opening comments are not counted).

The first part defines the ports: data arriving at your machine on one of the "Open_ports" is allowed in, and data coming from one of the "Allow_ports" (source ports) may also enter.

The second part is the initialization of iptables, and the third part applies the rules to the defined ports.

If our requirements change in the future, for example if you add an FTP server to your machine, just add the FTP ports 20 and 21 to the definition of "Open_ports" in the first part. You must have realized the scalability of the script by now, but a script can do much more than that!
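Pulling this section together, here is an added example of my own (not the author's script and not part of the original article) that builds the same rule set from the two port lists, refuses malformed port values, and prints the commands as a dry run unless told to apply them. The interface name ppp0 and the port lists are taken from the article; the function names, the validation and the dry-run/apply switch are my additions.

```shell
#!/bin/sh
# Added example, not the article's script: build the static rule set from two
# port lists, validate the input, and only touch iptables when asked to
# (the default is a dry run that prints the commands).

WAN_IF="ppp0"              # internet-facing interface, as in the article
OPEN_PORTS="80 25 110"     # services this machine offers (www, smtp, pop3)
ALLOW_PORTS="53 80 20 21"  # source ports whose replies may come back in

# valid_port NUM -> 0 if NUM is an integer in 1..65535, 1 otherwise
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules IFACE "OPEN_PORTS" "ALLOW_PORTS"
# Prints one iptables command per line; fails on a malformed port.
build_rules() {
    iface="$1"; open="$2"; allow="$3"
    for p in $open $allow; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    # init: flush every rule and delete user chains, in filter and nat
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -t nat -F"
    echo "iptables -t nat -X"
    # default policy stays DROP: the REJECT rules below cover only tcp/udp
    echo "iptables -P INPUT DROP"
    # anything not arriving on the internet interface (lan, loopback) is fine
    echo "iptables -A INPUT ! -i $iface -j ACCEPT"
    # replies from the services we use (source port match, as in the article)
    for p in $allow; do
        echo "iptables -A INPUT -i $iface -p tcp --sport $p -j ACCEPT"
        echo "iptables -A INPUT -i $iface -p udp --sport $p -j ACCEPT"
    done
    # services we offer to the internet (destination port match)
    for p in $open; do
        echo "iptables -A INPUT -i $iface -p tcp --dport $p -j ACCEPT"
        echo "iptables -A INPUT -i $iface -p udp --dport $p -j ACCEPT"
    done
    # last rules: answer everything else with a reset / port-unreachable
    echo "iptables -A INPUT -i $iface -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A INPUT -i $iface -p udp -j REJECT --reject-with icmp-port-unreachable"
}

# count_rules IFACE "OPEN" "ALLOW" -> number of commands build_rules emits
count_rules() {
    build_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage: sh firewall.sh        -> print the commands (dry run)
#        sh firewall.sh apply  -> run them, stopping at the first error (needs root)
if [ "${1:-print}" = "apply" ]; then
    build_rules "$WAN_IF" "$OPEN_PORTS" "$ALLOW_PORTS" | sh -e
else
    build_rules "$WAN_IF" "$OPEN_PORTS" "$ALLOW_PORTS"
fi
```

Two caveats worth keeping in mind. The --sport rules trust a field the remote end chooses: any host can send from source port 80 or 53, so these rules let such packets in whether or not you asked for anything; the stateful match the author alludes to (-m conntrack --ctstate ESTABLISHED,RELATED on INPUT) admits only replies to connections this machine opened and is what you would use today. And because the closing REJECT rules cover only TCP and UDP, this version keeps -P INPUT DROP as the policy so that ICMP and other protocols arriving on ppp0 do not fall through to ACCEPT.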

11. Make your firewall better

Look at the penultimate line of the init section of the script above:

iptables -P INPUT DROP

This is the default policy of the firewall. When data entering our computer matches none of our rules, the default policy handles it: drop, without any reply to the sender.

In other words, if you ping your host from another computer in internet, ping will always stop there and there will be no response.

If you use the nmap tool to port scan your computer, it will tell you that your computer is protected by a firewall. I don't want hackers to know too much about my computer. What should I do? If we change drop to another action, we may be able to fool the fledgling hacker.

How? Remove the line above (iptables -P INPUT DROP) and add the following at the end of the script:

iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset

iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable

This is much better. Although he can still scan the ports we open, it is hard for him to tell that our machine is protected by a firewall. If you run FTP only for the local area network, it's hard for him to know whether you are running FTP at all. Here we give a deceptive answer to data that should not enter our machine, instead of discarding it (drop). This feature is particularly useful in designing stateful firewalls (I'm talking about static firewalls here).

You can try it yourself and see how the nmap scan results differ before and after the modification.

12. I think this tutorial is over. Many things are not mentioned here, such as IP masquerading, port forwarding, and packet logging. Another important thing is the flow of packets through iptables. I want to tell you here that the order of the filtering rules you set matters; it is not described in detail here, because this tutorial sticks to the basics.
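The author's point that rule order matters can be checked mechanically. The following added example (mine, not from the article) reads a list of iptables -A INPUT commands in the form these scripts use and reports any ACCEPT rule that sits behind an earlier catch-all REJECT or DROP for the same interface and protocol; iptables stops at the first matching rule, so such an ACCEPT can never fire. The sample rule list in the block is constructed for illustration, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the article: find ACCEPT rules that an earlier
# catch-all REJECT/DROP makes unreachable. Input is one iptables command per
# line on stdin; offending lines are printed and the exit status is 1.
# The match is approximate: it keys on interface (-i / ! -i) and protocol
# (-p) only, and treats a rule with no port, address or state match as a
# catch-all.

check_rule_order() {
    awk '
        # interface selector of a rule: "ppp0", "!ppp0" when negated, or "any"
        function iface_of(line) {
            if (match(line, /! -i [^ ]+/)) return "!" substr(line, RSTART + 5, RLENGTH - 5)
            if (match(line, /-i [^ ]+/))   return substr(line, RSTART + 3, RLENGTH - 3)
            return "any"
        }
        # protocol selector of a rule, or "any" when -p is absent
        function proto_of(line) {
            if (match(line, /-p (tcp|udp|icmp)/)) return substr(line, RSTART + 3, RLENGTH - 3)
            return "any"
        }
        # a catch-all rule has no port, address or state match
        function catchall(line) {
            return line !~ /--sport|--dport| -s | -d |--state|--ctstate/
        }
        BEGIN { n = 0; bad = 0 }
        /^iptables -A INPUT / {
            i = iface_of($0); p = proto_of($0)
            if ($0 ~ /-j (REJECT|DROP)/ && catchall($0)) {
                # remember the terminal rule and what it covers
                n++; bi[n] = i; bp[n] = p; bl[n] = NR
            } else if ($0 ~ /-j ACCEPT/) {
                for (k = 1; k <= n; k++)
                    if ((bi[k] == "any" || bi[k] == i) && (bp[k] == "any" || bp[k] == p)) {
                        printf "line %d is never reached (shadowed by the catch-all on line %d): %s\n", NR, bl[k], $0
                        bad = 1; break
                    }
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the tcp REJECT catch-all was appended before the www
# rule, so the www ACCEPT on line 3 can never match.
SAMPLE_RULES='iptables -A INPUT ! -i ppp0 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT'

# Usage: sh check_order.sh demo       -> check the built-in sample
#        sh check_order.sh rules.txt  -> check a file of iptables commands
case "${1:-}" in
    "")   ;;
    demo) printf '%s\n' "$SAMPLE_RULES" | check_rule_order ;;
    *)    check_rule_order < "$1" ;;
esac
```

Run it over the commands a script would issue before applying them; in the sample, only the www rule is reported, because the udp rule has a different protocol and the ! -i ppp0 rule a different interface selector than the tcp catch-all.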

Iptables is complex. I have seen many tutorials on linuxsir; they are often long and comprehensive but daunting. I hope my tutorial can guide you to get started. Come on!

Finally, I wrote the complete script as follows. You only need to modify the constant definition section to show greater scalability ^ _ ^

#!/bin/bash
# This is a script
# Edit by liwei
# establish a static firewall

# define const here
Open_ports="80 25 110"    # ports open on your own machine (www, smtp, pop3)
Allow_ports="53 80 20 21" # source ports from which internet data may enter your machine

# init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# The following is commented out, to make it better
# iptables -P INPUT DROP
iptables -A INPUT ! -i ppp0 -j ACCEPT

# define rules so that some data can come in
for Port in $Allow_ports; do
    iptables -A INPUT -i ppp0 -p tcp --sport "$Port" -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport "$Port" -j ACCEPT
done

for Port in $Open_ports; do
    iptables -A INPUT -i ppp0 -p tcp --dport "$Port" -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport "$Port" -j ACCEPT
done

# These are the last rules; they make your firewall better
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable

This is how to set up the iptables firewall in Linux, as shared by the editor. If you happen to have similar doubts, you might as well refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
