Shulou(Shulou.com)06/01 Report--

Firewalls

Main configuration file: vim / etc/sysconfig/iptables

To customize the firewall, you need to clear the rules here and set the permissions to DROP

Firewall name: netfilter, tool: iptables

The firewall has three tables filter,nat,mangle

There is also a chain under each table:

The filter table is mainly used to filter packets, system preset tables. Three built-in chains INPUT, OUTPUT and FORWARD,INPUT act on packets entering the machine, OUTPUT acts on packets sent by the machine, and FORWARD acts on packets that have nothing to do with the machine.

Nat table is mainly used for network address translation. The function of PREROUTING is to change the destination address of a packet just after it arrives at the firewall, and the POSTOUTING chain changes its source address before the packet leaves the firewall.

The mangle table is mainly used to mark packets and then manipulate which packets according to the tag.

-Amanda D: add and delete a rule

-I: insert a rule, which actually has the same effect as-A

-P: specify the protocol, which can be tcp,udp,icmp

-- dport: used with-p to specify the destination port / / for firewalls

-- sport: used with-P to specify the source port

-s: specify the source IP (which can be an IP segment) / / for firewalls

-d: specify the target IP (can be an IP segment)

-j: followed by the action, where ACCEPT indicates that the packet is allowed, DORP means the packet is lost, and REJECT indicates that the packet is rejected

The rules take effect sequentially. When the two rules are the same, the first rule takes effect first, and the latter rules are ignored directly.

Fire wall source IP says that if a host wants a remote server, then the host is the source IP. It wants to send packets to the server before it wants to be remote. If the server does not want to be remote, you can DROP the packets directly.

Iptables needs to understand the structure of the firewall, which is between the local network and the external network. You can clearly understand the source IP and the target IP, as well as each chain. For example, the target IP of the INPUT is the native IP. The source IP is the external IP.

1. Command

Iptables-t filter-I INPUT-p tcp-- dport80-s 192.168.134.1-j REJECT

Iptables-F / / clear firewall rules

Iptables-Z / / Zero packets and traffic

Iptables-save > / etc/sysconfig/1.ipt / / backup firewall rules

Iptables-restore / etc/sysconfig/1.ipt / / restore firewall rules

Iptables-P INPUT DROP / / change the preset policy with high security for each chain

/ / instance:

For the filter table, the preset policy INPUT chain DROP, the other two chains ACCEPT, and then open port 22 for 192.168.134.0 account 24, port 80 for all network segments, and port 21 for all network segments. The script is as follows:

Vim 1.ipt.sh

#! / bin/bash

Ipt= "/ sbin/iptables"

$ipt-F

$ipt-P INPUT DROP

$ipt-P OUTPUT ACCEPT

$ipt-P FORWARD ACCEPT

$ipt-An INPUT-s 192.168.134.0 Universe 24-p tcp--dport 22-j ACCEPT

$ipt-An INPUT-p tcp-- dport 80-j ACCEPT

$ipt-An INPUT-p tcp-- dport 21-j ACCEPT

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.