Common usage of the iptables firewall and changing its default policy
Basic Usage
# List the current rules
iptables -L
Rules are organised into three chains:
- INPUT: inbound rules (an external host connecting to the local machine)
- OUTPUT: outbound rules (the local machine connecting to an external host)
- FORWARD: forwarding rules (traffic passing through the machine)
# Append a new rule at the end of a chain
iptables -A <chain> [-i/-o <interface>] -p <protocol> [-s <source IP/subnet>] [--sport <source port>] [-d <destination IP/subnet>] [--dport <destination port>] -j <action>
# Insert a new rule at a given position in a chain
iptables -I <chain> [<line number>] [-i/-o <interface>] -p <protocol> [-s <source IP/subnet>] [--sport <source port>] [-d <destination IP/subnet>] [--dport <destination port>] -j <action>
# Delete a rule by its line number in the chain
iptables -D <chain> <line number>
# Show all rules with their line numbers
iptables -nL --line-numbers
# Insert a rule in front of the current second rule of the INPUT chain, accepting TCP connections from outside to destination port 3306
iptables -I INPUT 2 -p tcp --dport 3306 -j ACCEPT
# Append a rule to the INPUT chain allowing the external host 192.168.3.10 to reach local ports 10500 to 10509 (a colon gives a port range; --dport needs a protocol, hence -p tcp)
iptables -A INPUT -p tcp -s 192.168.3.10 --dport 10500:10509 -j ACCEPT
# Drop packets whose source port is 12345 or 12346 (a comma-separated port list needs the multiport match; this only illustrates the syntax and is not a rule to use in practice)
iptables -A INPUT -p tcp -m multiport --sports 12345,12346 -j DROP
Modify the Default Inbound Policy
# Open ports (the SSH port and the two ports of the HTTP/HTTPS service)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow the local loopback interface (i.e. let the local machine talk to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established and related connections to continue (without this, curl and other programs cannot reach the Internet normally)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow DNS, otherwise ping and other commands that resolve names will not work
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Allow ping (ICMP): type 8 is echo-request, type 0 is echo-reply
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
# The same two rules written with the symbolic ICMP type names
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Finally, set the default policy of the INPUT chain to DROP so that anything not accepted by the rules above is discarded (do this last, after the ACCEPT rules are in place, so the current SSH session is not cut off)
iptables -P INPUT DROP
Save Rules
# Save the running rules so they survive a reboot
service iptables save
# Export the current rules to a file
iptables-save > FILE
# Import rules from a file
iptables-restore < FILE
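The inbound policy above is built one iptables -A command at a time; the added example below (not from the original page) writes the same ruleset as an iptables-restore file so the whole table is loaded at once, and checks it for a lockout before loading. The port list, the SSH-port assumption in the check and the file path are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): emit the inbound ruleset from
# the sections above in iptables-restore format. Loading the whole table at
# once avoids the window in which the default policy is already DROP but the
# ACCEPT rules are not yet in place. Port list and file path are assumptions.

# build_ruleset PORT... : print a complete filter table for iptables-restore
build_ruleset() {
    printf '%s\n' '*filter'
    # Default policies: drop unsolicited inbound traffic, allow outbound, forward nothing
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established connections first, as on the page
    printf '%s\n' '-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # DNS replies and queries, then ping
    printf '%s\n' '-A INPUT -p udp --sport 53 -j ACCEPT'
    printf '%s\n' '-A INPUT -p udp --dport 53 -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One ACCEPT per published TCP port
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_accept_ports FILE : number of per-port TCP ACCEPT rules in the file
count_accept_ports() {
    grep -c -e '-A INPUT -p tcp --dport [0-9]* -j ACCEPT' "$1"
}

# validate_ruleset FILE : refuse a ruleset that would lock the admin out.
# With INPUT policy DROP the file must still accept established connections
# and the SSH port (22 assumed). Returns 0 when safe, 1 otherwise.
validate_ruleset() {
    if grep -q -e '^:INPUT DROP' "$1"; then
        grep -q -e '--state RELATED,ESTABLISHED -j ACCEPT' "$1" || return 1
        grep -q -e '-A INPUT -p tcp --dport 22 -j ACCEPT' "$1" || return 1
    fi
    return 0
}

# Write the file, check it, then (as root) load it atomically with
#   iptables-restore < /tmp/rules.v4
# and persist it with "service iptables save" once SSH still works.
build_ruleset 22 80 443 > /tmp/rules.v4
validate_ruleset /tmp/rules.v4 && echo "ruleset ok: $(count_accept_ports /tmp/rules.v4) ports open"
```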
Other Common Rules
# Block non-local access ("!" negates a match; the rule below keeps the Internet from reaching TCP port 3456, matched as the destination port, while 127.0.0.1 is still allowed)
iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport 3456 -j DROP
# Prevent external hosts from pinging the server
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Prevent the server from connecting to the default port of the Internet mail protocol (SMTP, port 25)
iptables -A OUTPUT -p tcp -m tcp --dport 25 -j DROP
iptables -A OUTPUT -p udp -m udp --dport 25 -j DROP