Basic usage of the iptables firewall in Linux

  • 2020-12-20 03:57:51
  • OfStack

Preface

A production VPS with a public IP should expose only the ports it actually needs, that is, an access control list (ACL) on IP addresses and ports.

On Linux this is done with iptables, the user-space tool for the kernel's netfilter firewall.

iptables has four tables, processed in this order of priority: raw > mangle (modifies the original packet data) > nat (defines address translation) > filter (defines what is allowed or not allowed).

Each table is made up of several chains:

* filter: rules can only be placed on 3 chains: INPUT, FORWARD, OUTPUT

* nat: in general rules can only be placed on 3 chains: PREROUTING, OUTPUT, POSTROUTING

* mangle: rules can be placed on 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

The three chains of the filter table:

* INPUT chain: Filters all packets whose destination address is local

* FORWARD chain: Filters all packets passing through the machine

* OUTPUT chain: Filters all packets generated by the machine

A few examples to extrapolate from:

Drop all inbound traffic to the server (X.X.X.X is the VPS's public IP):
iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -j DROP

Open port 22 for SSH. -I inserts the rule at the top of the chain, so it is matched before the DROP above:
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -p tcp --dport 22 -j ACCEPT

Open port 80. This rule must also be inserted above the DROP; appending it with -A would place it after the DROP, where it could never match:
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d X.X.X.X -p tcp --dport 80 -j ACCEPT

Forbid traffic from 45.32.102.124 to 157.240.22.174:
iptables -A OUTPUT -p tcp -s 45.32.102.124 -d 157.240.22.174 -j REJECT

Print the currently active iptables rules (-n prints IP addresses numerically instead of resolving names):
iptables -L -n

Specifying a port range in iptables:

iptables -I INPUT -p tcp --dport 700:800 -j DROP
iptables -I INPUT -s 11.129.35.45 -p tcp --dport 700:800 -j ACCEPT

1. 700:800 means all ports from 700 to 800
2. :800 means port 800 and all ports below
3. 700: means port 700 and all ports above

Taken together, the two rules open ports 700-800 only to 11.129.35.45 (the second -I places the ACCEPT in front of the DROP): a whitelist mechanism.
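The whitelist pattern above (default DROP plus a few ACCEPTs for SSH, HTTP and a port range) depends on rule order, which is easy to get wrong with -A and -I. This added example, not from the original article, generates the same whitelist as one iptables-restore ruleset so the whole filter table is loaded atomically; the public IP 203.0.113.10 is a constructed example, and the loopback and ESTABLISHED,RELATED rules are additions that keep the server's own outbound connections (DNS, updates) working under a DROP policy.

```shell
#!/bin/sh
# Added example (not from the original article): emit an iptables-restore
# ruleset for the filter table implementing a TCP port whitelist.
# Loading the table in one go avoids the trap of appending an ACCEPT
# after a catch-all DROP, where it would never match.
#
# Usage: build_whitelist_rules <vps_public_ip> <port|port:port> ...
# Assumption: every listed port is TCP; addresses used are constructed.
build_whitelist_rules() {
    vps_ip=$1
    shift
    echo '*filter'
    # Default policies: inbound closed, forwarded closed, outbound open.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections the VPS itself opened must be
    # allowed, or DNS, package updates etc. break under the DROP policy.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per requested port or range (e.g. 22, 80, 700:800).
    for port in "$@"; do
        case $port in
            *[!0-9:]*|'') echo "bad port spec: $port" >&2; return 1 ;;
        esac
        echo "-A INPUT -d $vps_ip -p tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Stand-alone demo: print a ruleset for SSH, HTTP and the 700-800 range.
build_whitelist_rules 203.0.113.10 22 80 700:800
```

Redirect the output to a file and load it with iptables-restore (as root); the policy line is declared once, so no later ACCEPT can end up behind a catch-all DROP.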

SNAT and DNAT usage:

Source address translation (SNAT): when a host on the private network goes out through the gateway, its private source IP is rewritten to the public IP (SNAT --to-source public IP).

Destination address translation (DNAT): traffic arriving from the Internet at the public IP has its destination rewritten to the private IP of an internal host.

Details of the iptables command

Common command options for iptables are:

-P: set the default policy of a chain (whether the door is closed or open by default), e.g. iptables -P INPUT DROP or iptables -P INPUT ACCEPT
-F: FLUSH, clear the rules of a chain (note the management permissions of each chain)
-N: NEW, create a user-defined chain, e.g. iptables -N inbound_tcp_web creates a chain in the filter table for checking web (tcp) traffic
-X: delete a user-defined empty chain
-Z: zero the packet and byte counters of a chain
-A: append a rule to the end of a chain
-I num: insert a rule at position num (at the top of the chain if num is omitted)
-R num: replace/modify the rule at position num
-D num: delete the rule at position num
-L: list the rules, e.g. iptables -L -n
-s: the source IP address
-d: the destination IP address
-p: the protocol the rule applies to, such as tcp
DROP: discard the packet (reject silently)
ACCEPT: accept the packet

More examples:

Add an iptables rule forbidding users from accessing the web site www.sexy.com (the hostname is resolved to addresses once, when the rule is added):
iptables -I FORWARD -d www.sexy.com -j DROP

Add an iptables rule forbidding users from accessing the web site at IP address 20.20.20.20:
iptables -I FORWARD -d 20.20.20.20 -j DROP

Add an iptables rule banning the client with IP address 192.168.1.X from the network:
iptables -I FORWARD -s 192.168.1.X -j DROP

Add an iptables rule banning all clients in the 192.168.1.0 subnet from going online:
iptables -I FORWARD -s 192.168.1.0/24 -j DROP

Forbid all clients in the 192.168.1.0 subnet from downloading over the FTP protocol:
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 21 -j DROP

Force all clients to use the web server on 192.168.1.x (web traffic arriving on eth0 is DNATed to it):
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.x:80

Forbid the ICMP protocol on the ppp0 interface:
iptables -I INPUT -i ppp0 -p icmp -j DROP
