Common usage of iptables and adjusting its default configuration

Iptables is the default firewall on most Linux distributions. Recently I found the default configuration on my server to be a bit unreasonable, so I spent some time learning about it and adjusting it. This post collects what I worked out.

Basic Usage

Use the following command to see existing rules:

 iptables -L

By default, the filter table has three chains (groups of rules):

  • INPUT: inbound rules (external hosts connecting to this machine)
  • OUTPUT: outbound rules (this machine connecting to external hosts)
  • FORWARD: forwarding rules (packets passing through this machine, e.g. when it acts as a router)

The default policy of the INPUT chain is ACCEPT: every inbound connection that no rule explicitly blocks is let through (blacklist mode). That is not very safe. It is better to refuse inbound connections by default and then explicitly allow only the ones you need (whitelist mode).

The common forms of the iptables command are (the position for -I comes after the chain name, and --sport/--dport are only valid together with -p tcp or -p udp):

 # Append a new rule at the end of a chain
 iptables -A <chain> [-i/-o <interface>] -p <protocol> [-s <source IP/subnet>] [--sport <source port>] [-d <destination IP/subnet>] [--dport <destination port>] -j <action>
 # Insert a new rule at a given line number in a chain (defaults to position 1, the top)
 iptables -I <chain> [<line number>] [-i/-o <interface>] -p <protocol> [-s <source IP/subnet>] [--sport <source port>] [-d <destination IP/subnet>] [--dport <destination port>] -j <action>
 # Delete the rule at a given line number in a chain
 iptables -D <chain> <line number>
 # Show all rules with their line numbers (-n skips reverse DNS lookups, -L lists)
 iptables -nL --line-numbers

The parameters in square brackets are optional. The final "action" has two common values: ACCEPT lets the packet through, DROP silently discards it (a third, REJECT, discards it but sends an error back to the sender, which makes a closed port visible instead of just timing out).

Here are some examples:

 # Insert in front of the second rule of the INPUT chain: allow inbound TCP connections to port 3306
 # (the position follows the chain name: "-I INPUT 2", not "-I 2 INPUT")
 iptables -I INPUT 2 -p tcp --dport 3306 -j ACCEPT
 # Append to the INPUT chain: allow the external host 192.168.3.10 to reach local TCP ports 10500 to 10509
 # (a colon denotes a port range; --dport requires -p tcp or -p udp)
 iptables -A INPUT -p tcp -s 192.168.3.10 --dport 10500:10509 -j ACCEPT
 # Drop inbound TCP packets whose source port is 12345 or 12346
 # (a comma-separated port list needs the multiport match; this rule is only an illustration, not a practical one)
 iptables -A INPUT -p tcp -m multiport --sports 12345,12346 -j DROP

Rules are evaluated from top to bottom, and the first rule that matches with ACCEPT or DROP decides the packet's fate. Pay attention to the order when inserting rules.

Modify Default Inbound Policy

Once you understand the basic usage, you can adjust the configuration. First, add the allow rules:

 # Allow the local loopback interface (the machine talking to itself); "-i lo" covers every address on lo, not only 127.0.0.1
 iptables -A INPUT -i lo -j ACCEPT
 # Allow replies to connections this machine initiated; without this, curl and other outbound programs never get an answer back
 # ("-m state --state RELATED,ESTABLISHED" is the older spelling of the same match)
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Allow the service ports (the SSH port and the two ports of the HTTP service)
 iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 # DNS: replies to this machine's own lookups (which ping, curl and friends need to resolve names) are already
 # accepted by the RELATED,ESTABLISHED rule, so no "--sport 53" rule is needed; such a rule would let in
 # any UDP packet that merely claims source port 53. Add the rule below only if this server itself serves DNS:
 iptables -A INPUT -p udp --dport 53 -j ACCEPT

That covers the ports the server needs for normal operation.

Once the INPUT policy is switched to DROP (below), however, external hosts can no longer ping the server. To keep ping working, add two more rules:

 # Allow ping (ICMP type 8 = echo request in, type 0 = echo reply out).
 # The OUTPUT rule only matters if the OUTPUT policy is also DROP; with the default ACCEPT it is redundant but harmless.
 iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
 iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT

The same two rules can be written with ICMP type names instead of numbers:

 iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Finally, change the default policy of the INPUT chain to DROP, so that packets matching no rule are discarded. Do this only after the SSH allow rule is in place and you have verified it with iptables -nL --line-numbers; otherwise a remote session locks itself out the moment the policy changes.

 iptables -P INPUT DROP

The OUTPUT chain can keep its default policy of ACCEPT and be tightened later if necessary.

Save Rule

After modifying rules you must save them explicitly; the live rules exist only in kernel memory and are lost when the iptables service restarts or the machine reboots.

On servers that ship the iptables service script (for example CentOS/RHEL with the iptables-services package), the save path is preconfigured (/etc/sysconfig/iptables) and the rules can be saved directly with:

 service iptables save

To save and restore rules by hand, export and import them with iptables-save and iptables-restore (FILE is the path of your choice):

 # Export the current rules to a file
 iptables-save > FILE
 # Import rules from a file; this replaces the current contents of every table the file lists
 iptables-restore < FILE
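The whole procedure above (loopback, established connections, service ports, ping, DROP policy) together with the save/restore step, as an added shell example that is not from the original post: it generates the ruleset in iptables-save format, which iptables-restore loads in one atomic call (so the DROP policy never takes effect before the allow rules exist, unlike a sequence of individual iptables commands), and it schedules an automatic rollback so that a mistake made over SSH does not lock you out. The SSH port argument, the paths under /run and /tmp, the 60-second confirmation window and the INVALID-state drop are assumptions of this example; the inbound DNS rules from the post are omitted because the conntrack rule already accepts the replies.

```shell
#!/bin/sh
# Added example (not part of the original post): build the whitelist ruleset
# described above as an iptables-restore file, apply it atomically, and roll
# back automatically unless confirmed. Assumed: SSH on tcp/22 (overridable),
# HTTP on tcp/80 and 443, ping allowed, OUTPUT left at ACCEPT.

ROLLBACK=/run/iptables.rollback          # assumed path for the pre-change snapshot
ROLLBACK_PID=/run/iptables.rollback.pid  # assumed path for the rollback timer's pid
ROLLBACK_SECS=60                         # assumed confirmation window

# build_ruleset [ssh_port]: print the ruleset in iptables-save format.
# Order matters: rules are matched top to bottom, so loopback and
# already-established traffic go first, then the explicit service ports.
build_ruleset() {
  ssh_port=${1:-22}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# apply_ruleset FILE: snapshot the live rules, load FILE in one atomic
# iptables-restore call, and start a timer that restores the snapshot
# unless confirm_ruleset runs first (protects a remote session from lockout).
apply_ruleset() {
  iptables-save > "$ROLLBACK" || return 1
  iptables-restore < "$1" || return 1
  (
    sleep "$ROLLBACK_SECS"
    [ -f "$ROLLBACK" ] && iptables-restore < "$ROLLBACK"
  ) &
  echo $! > "$ROLLBACK_PID"
}

# confirm_ruleset: cancel the rollback timer and keep the new rules.
confirm_ruleset() {
  [ -f "$ROLLBACK_PID" ] && kill "$(cat "$ROLLBACK_PID")" 2>/dev/null
  rm -f "$ROLLBACK" "$ROLLBACK_PID"
}

# Usage (as root): sh firewall.sh print [port] | apply [port] | confirm
case "${1:-}" in
  print)   build_ruleset "${2:-22}" ;;
  apply)   build_ruleset "${2:-22}" > /tmp/rules.v4 && apply_ruleset /tmp/rules.v4 ;;
  confirm) confirm_ruleset ;;
esac
```

Run `sh firewall.sh print` to inspect the generated file, `sh firewall.sh apply` as root to load it, then open a new SSH session; if it succeeds, run `sh firewall.sh confirm` within the window, and if it fails, the previous ruleset comes back by itself. The generated file is exactly what iptables-save would emit, so it can also be saved with `service iptables save` or placed where your distribution's restore script expects it.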

Other common rules

Here are some other commonly used rules for reference.

 # Block non-local access ("!" negates a match; here, packets that are not from 127.0.0.1 and are addressed
 # to TCP port 3456 are dropped, so only the local machine can reach that port; note --dport, not --sport)
 iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport 3456 -j DROP
 # Prevent external hosts from pinging the server
 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 # Prevent the server from connecting to the default SMTP port
 # (SMTP runs over TCP only; the UDP rule is harmless but unnecessary)
 iptables -A OUTPUT -p tcp -m tcp --dport 25 -j DROP
 iptables -A OUTPUT -p udp -m udp --dport 25 -j DROP

In addition, I came across an article that summarizes this well; if you are interested, see: Iptables Usage

Unless otherwise specified, the content of this site is original work by Salted fish pioneer. It may be quoted freely, but please credit the source and link to it.
https://xyuxf.com/archives/2153
Follow Salted fish pioneer on WeChat (official account: xyuxf).