
Linux Firewall iptables- Foundation and Writing Firewall rules

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--



Rule chain: a collection of rules

Five chains (chain names must be capitalized):

INPUT: inbound

OUTPUT: outbound

FORWARD: forwarding

POSTROUTING: translation after routing

PREROUTING: translation before routing

1) INPUT chain: applied to packets arriving from the network (inbound) whose destination is an address of the firewall host itself.

2) OUTPUT chain: applied to packets generated locally by the firewall host (outbound).

3) FORWARD chain: applied to packets the firewall receives that must be forwarded through it to another address.

4) PREROUTING chain: applied to packets before the routing decision is made.

5) POSTROUTING chain: applied to packets after the routing decision has been made.

Rule tables: collections of rule chains

There are 4 tables:

raw: decides whether a packet is subject to connection tracking

mangle: packet marking and header modification

nat: address translation

filter: packet filtering

1) filter table: used to filter packets. It contains three chains: INPUT, FORWARD, OUTPUT

2) nat table: mainly used to rewrite the IP address, port number and similar fields of a packet. It contains three chains: PREROUTING, POSTROUTING, OUTPUT

3) mangle table: used to modify the TOS and TTL of a packet, or to set a MARK on it for advanced uses such as traffic shaping and policy routing. It contains five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

4) raw table: used to decide whether connection tracking is applied to a packet. It contains two chains: OUTPUT, PREROUTING

Command syntax:

iptables -t <table> <command option> <chain> <match conditions> -j <target>

1) If no table name is given, the filter table is used.

2) Command options, chain names and targets are written in uppercase; the remaining options are lowercase.

3) Several match conditions may be combined in one rule.

Command options:

-A: append a rule to the end of a chain

-I: insert a rule (at position 1 unless a number is given)

-L: list the rules

-D: delete a rule (give its rule number)

-F: flush all rules in a chain; the default policy is not changed

-P: set the default policy, which can only be ACCEPT or DROP

-R: replace a rule

-X: delete a custom chain

-N: create a new custom chain

-n: numeric output (no address or port name lookups)

--line-numbers: show the rule number in front of each rule

Targets (control types):

1) ACCEPT: allow the packet through

2) REJECT: refuse the packet and send an error back to the sender

3) DROP: discard the packet silently, with no reply

4) LOG: write a log entry and continue to the next rule

5) SNAT: source address translation

6) DNAT: destination address translation

7) MASQUERADE: IP masquerading, a form of source address translation that uses the address of the outgoing interface

8) REDIRECT: redirect the packet to a local port

Condition options:

1) General matches: can be used directly without any other condition or module.

-s: source address    -d: destination address

-p: protocol    -i: inbound interface

-o: outbound interface    !: negate a condition

2) Implicit matches: depend on the protocol given with -p.

--sport: source port    --dport: destination port

--tcp-flags: TCP flags

--icmp-type: ICMP type; two common values:

echo-request (the number 8 can be used instead): request

echo-reply (the number 0 can be used instead): reply

Enable the forwarding feature:

Permanently: edit /etc/sysctl.conf (vim /etc/sysctl.conf) and set

net.ipv4.ip_forward=1

then apply it with: sysctl -p

Temporarily, effective immediately:

sysctl -w net.ipv4.ip_forward=1

echo "1" > /proc/sys/net/ipv4/ip_forward

3) Explicit matches: provided by an extension module, which must be named with -m before its options can be used.

Multi-port matching: -m multiport --sports <source port list>

-m multiport --dports <destination port list>

IP range matching: -m iprange --src-range <ip range>

MAC address matching: -m mac --mac-source <MAC address>

State matching: -m state --state <connection state>

Check the current iptables rules on this host:

iptables -nL

service iptables status

Save the newly set rules to a file:

Format: iptables-save [-t table]

The output can be written to the /etc/sysconfig/iptables file. Remember to restart the firewall service after writing it so the rules take effect.

Other formats: iptables [-t table] [-FXZ]

-F: flush all rules

-X: delete all user-defined chains

-Z: reset all packet and byte counters to 0

Add rules to the INPUT chain. The default policy of the INPUT chain is DROP: anything not matched by a rule is dropped.

Create a custom chain:

iptables -t filter -N self_control

(-N = new)

Add a rule to the custom chain:

iptables -t filter -I self_control -s 192.151.102.2 -j REJECT

Reference the custom chain from INPUT:

iptables -t filter -I INPUT -j self_control

Delete the custom chain:

There are two conditions for deleting a custom chain:

1. The custom chain contains no rules

2. The custom chain is not referenced by any other chain

Flush the rules of the custom chain (self_ctl is the name the chain has after the rename shown below):

iptables -t filter -F self_ctl

Delete the rule that references the chain:

iptables -t filter -D INPUT 1

Delete the custom chain:

iptables -X self_ctl

Rename a custom chain:

iptables -E self_control self_ctl

(-E = --rename-chain)

Example

Only allow the host 192.168.0.3 to make SSH connections:

iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

To allow or restrict a whole network segment, give the segment in CIDR form, for example 192.168.0.0/24.

Allow access from hosts in the 172.16 network segment:

# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.63.7 -j ACCEPT

-t selects the table (filter by default); -A appends the rule; INPUT is the inbound chain; -s checks the source; -d checks the destination; -j gives the action, here ACCEPT. The destination is this host, so -d is the local IP.

Deny access from the host 172.16.63.66 (at the moment 172.16.63.66 can use ping, ssh, etc.):

iptables -t filter -A INPUT -s 172.16.63.66 -d 172.16.63.7 -j REJECT

Note: if you ran the first command, you will find after adding this one that 172.16.63.66 can still ping the host. The reason is that the rule allowing the whole 172.16 range was added first, and the REJECT rule appended after it is never reached. Rules for the same service that cover a smaller range must be placed before the broader ones: the order is very important.

When several different services are involved, sort the rules according to the actual traffic. For example, the web service receives a large number of visits every day, while blocking a single IP is a narrow rule; if the single-IP block is placed first, every web packet is checked against it before reaching the web rule, so the rules that match most often should come first.
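The ordering problem described above can be made concrete without touching a live firewall. The script below is an added example, not code from the original article: it simulates the first-match evaluation an iptables chain performs over a constructed rule list (source CIDR plus target, with the chain policy as the fallback) and shows that the same two rules give opposite results depending on whether the host REJECT was appended after the /16 ACCEPT or inserted before it. The addresses are the article's own; the rule format "cidr:TARGET" is an assumption made for the simulation.

```shell
#!/bin/sh
# Added example: simulate iptables first-match semantics to show why rule order matters.
# Nothing here calls iptables; it only evaluates a constructed rule list.

ip2int() {
    # Convert a dotted-quad IPv4 address to a 32-bit integer.
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_match() {
    # cidr_match <ip> <cidr>: succeed (return 0) if ip lies inside cidr.
    # A bare address without /bits is treated as a /32, as iptables -s does.
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

first_match() {
    # first_match <ip> <policy> <rule>...: rules are "cidr:TARGET" strings evaluated
    # in chain order; the first matching rule decides, otherwise the chain policy applies.
    pkt_ip=$1; policy=$2; shift 2
    for rule in "$@"; do
        if cidr_match "$pkt_ip" "${rule%:*}"; then
            echo "${rule#*:}"
            return 0
        fi
    done
    echo "$policy"
}

# Rules in the order the article appended them: /16 ACCEPT first, host REJECT second.
appended_order() {
    first_match 172.16.63.66 DROP "172.16.0.0/16:ACCEPT" "172.16.63.66:REJECT"
}

# The same rules after `iptables -I INPUT ...` placed the host REJECT at position 1.
inserted_order() {
    first_match 172.16.63.66 DROP "172.16.63.66:REJECT" "172.16.0.0/16:ACCEPT"
}

echo "appended order -> $(appended_order)"   # ACCEPT: the REJECT is shadowed
echo "inserted order -> $(inserted_order)"   # REJECT: the narrow rule now comes first
```

The same evaluator can be reused to check any planned INPUT ordering before it is applied: feed it the candidate rule list and the source addresses that matter, and confirm that each one ends in the intended target.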

Delete the "allow access from the 172.16 network segment" rule that was just added:

iptables -D INPUT 1

Note: first run iptables -vnL --line-numbers to find the number of the rule; here it is rule 1, so rule 1 is deleted.

Insert a rule that blocks the host 172.16.63.66 from accessing this machine:

iptables -I INPUT -s 172.16.63.66 -d 172.16.63.7 -j REJECT

Note: the rule is inserted at position 1 by default. To insert it at position 2 instead: # iptables -I INPUT 2 -s 172.16.63.66 -d 172.16.63.7 -j REJECT

Note: when 172.16.63.66 now pings this machine it receives an explicit rejection, which tells the sender a firewall is in the way, so DROP, which discards silently, is generally recommended instead.

Replace rule 1 so that the host 172.16.63.77 is not allowed to access this machine:

iptables -R INPUT 1 -s 172.16.63.77 -d 172.16.63.7 -j DROP

For remote SSH login, port 22 has to be opened:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Cut off connections on an insecure port:

iptables -A OUTPUT -p tcp --sport 31337 -j DROP

iptables -A OUTPUT -p tcp --dport 31337 -j DROP

Other ordinary connections are handled the same way, here on the FORWARD chain:

iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

Limit the rate of IP fragments to defend against fragment floods, allowing 100 per second:

iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Filter ICMP packets, allowing 1 packet per second with a burst of 10 packets before the limit is triggered:

iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
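The pieces above (an INPUT chain whose policy is DROP, a custom chain referenced from INPUT, SSH allowed from one host, rate-limited ICMP, state matching, and saving the result as a file for /etc/sysconfig/iptables) fit together into a single reviewable ruleset. The script below is an added example, not code from the original article: it generates an iptables-restore file rather than running iptables, so it can be produced and inspected on any machine and loaded later with iptables-restore. The chain name ssh_control and the default admin and local addresses are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore file for a host whose INPUT policy is DROP.
# The kernel is not touched; the output goes to a file (e.g. /etc/sysconfig/iptables)
# which is loaded with `iptables-restore < file`.

gen_ruleset() {
    admin_ip=${1:-192.168.0.3}   # only host allowed to open SSH (constructed default)
    local_ip=${2:-172.16.63.7}   # this machine's own address (constructed default)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ssh_control - [0:0]
# loopback traffic and replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# every new SSH attempt is handed to the custom chain (assumed name ssh_control)
-A INPUT -d $local_ip -p tcp --dport 22 -m state --state NEW -j ssh_control
# ping, rate limited like the article's FORWARD example
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# log what is about to hit the DROP policy, throttled so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
# the custom chain: accept the admin host, drop every other SSH source
-A ssh_control -s $admin_ip -j ACCEPT
-A ssh_control -j DROP
COMMIT
EOF
}

count_rules() {
    # Number of -A lines in the generated file; a cheap sanity check before loading it.
    gen_ruleset "$@" | grep -c '^-A'
}

gen_ruleset "$@"
```

Two points worth remembering when loading a file like this remotely: the ESTABLISHED,RELATED rule is what keeps the current SSH session alive once the policy is DROP, and an `iptables -F INPUT` removes every -A line while leaving that DROP policy in place, so flush only from a console or after switching the policy back to ACCEPT.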

Check the NAT rules on this machine:

iptables -t nat -L

Drop packets arriving on the external interface that claim a private source address (spoofing):

iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP

Block all connections to 211.101.46.253:

iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP

Because the nat table only sees the first packet of each connection, filtering of this kind is normally placed in the filter table (or the raw table's PREROUTING chain) instead.
