iptables firewall commands in detail

iptables on a CentOS system

If you did not choose to enable the firewall when installing Linux, this is what listing the rules shows:

 

[root@tp ~]# iptables -L -n
Chain INPUT (policy  ACCEPT)
target      prot opt source                destination         

 

Chain FORWARD (policy  ACCEPT)
target      prot opt source                destination         

 

Chain OUTPUT (policy  ACCEPT)
target      prot opt source                destination 

 

There are no rules at all.

(2) Clear the existing rules.

Whether or not you enabled the firewall when installing Linux, if you want to configure the firewall yourself, first clear all the rules in the filter table.

[root@tp ~]# iptables -F    clear all rules in all chains of the default filter table
[root@tp ~]# iptables -X    delete the user-defined chains in the default filter table

 

View the firewall rule list: # iptables -L -n

Set the default policies:

# iptables -P INPUT DROP

Note: if you are logged in remotely over SSH, your connection is lost the moment you press Enter after the command above, because you have not set any rules yet.

What to do? Go to the console of the machine itself!

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD DROP

The above means that when a packet in the INPUT or FORWARD chain of the filter table matches none of the rules, the chain policy decides what happens to it, and here that is DROP (discard). This configuration is quite safe, since we want to control the flow of packets.

For the OUTPUT chain, i.e. outgoing packets, we do not impose many restrictions, so the policy is ACCEPT: a packet that matches no rule is let through.

 

So the INPUT and FORWARD chains are written in terms of which packets are allowed through, while the OUTPUT chain is written in terms of which packets are not allowed.

This setup is quite reasonable. Of course you can set all three chains to DROP, but I think that is unnecessary and increases the number of rules you have to write. If you only need a small number of rules, for example a host that is only a WEB server, setting all three chains to DROP is recommended.
Add rules.
First, the INPUT chain. The default policy of the INPUT chain is DROP, so we write ACCEPT (pass) rules into this chain.
To be able to log in remotely over SSH, open port 22.
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT  (Note: this rule is needed if you set OUTPUT to DROP. Many people leave it out when writing their rules and then can never SSH in; for a remote machine that is very inconvenient.
The same applies to other ports: if you already run a web server and have set OUTPUT to DROP, you also have to add a rule in that chain:
# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT, and likewise for the others.)
If the host is a WEB server, open port 80.
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
If it is a mail server, open ports 25 and 110.
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
If it is an FTP server, open port 21.
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
If it is a DNS server, open port 53.
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
If you run other servers, open the ports they need in the same way.
All of the above are written for the INPUT chain; packets that match none of these rules are DROPped.
Allow ICMP packets through, i.e. allow ping:
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (if INPUT is DROP)
Allow loopback! (Otherwise it causes problems such as DNS not working and services not shutting down properly.)
iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)
Next, the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so we write DROP (discard) rules into this chain.
Block unsafe ports
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojans scan for services on ports 31337-31340 (called "elite" ports in hacker slang). Since no legitimate service communicates on these non-standard ports, blocking them effectively reduces the chance that infected machines on your network communicate on their own with their remote master servers.
There are other ports too, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked. I will not write them all out; interested readers can look up the relevant information.
 
Of course, for more security you can also set the policy of the OUTPUT chain to DROP. Then you have to add a few more rules, such as the one above that allows SSH login; just write them in the same way.
 
Now some more detailed rules, restricting access to a single machine.
For example, we only allow the machine 192.168.0.3 to connect over SSH:
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a range of IP addresses, 192.168.0.0/24 represents all the IPs 192.168.0.1-255;
24 is the subnet mask. But remember to delete this line from /etc/sysconfig/iptables:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT, because it means that every address may log in.
Or use the command:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save. By the way, rules added in command mode only take effect for the moment; if you want them to survive a restart, you have to save them, which writes them to the /etc/sysconfig/iptables file.
[root@tp ~]# /etc/rc.d/init.d/iptables save
Writing ! 192.168.0.3 as the source address matches every address except 192.168.0.3.
Other rules are set up in the same way.
 
Next is the FORWARD chain. The default policy of the FORWARD chain is DROP, so we write ACCEPT (pass) rules into it; this chain controls forwarded traffic.
Enable forwarding (when doing NAT the FORWARD default policy is DROP, so this must be done):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets (new connections that do not start with SYN):
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit IP fragments to prevent fragment attacks, allowing 100 per second:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set up ICMP packet filtering: allow 1 packet per second, with a burst of 10 packets before the limit kicks in.
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
Earlier I simply allowed ICMP packets through; here I allow them with a limit.
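As an added illustration (not part of the original post), the shell functions below model how the limit match used in the two rules above decides which packets match: a token bucket that holds --limit-burst tokens, starts full and refills at --limit tokens per second, where each matching packet spends one token. The model is simplified (the kernel works with a credit counter in jiffies), and both functions and the packet timings are constructed here, not taken from the post. The numbers show what "1/s burst 10" means against a ping flood: of 50 pings arriving every 100 ms, 14 match the ACCEPT rule in the first 5 seconds and the other 36 fall through to the FORWARD policy, i.e. DROP.

```shell
#!/bin/sh
# Added example: a simplified model of the "-m limit" token bucket.
# The bucket holds at most BURST tokens (--limit-burst), starts full and
# refills at RATE tokens per second (--limit, given as a whole number per
# second). A packet that finds a token spends it and matches the rule; a
# packet that finds the bucket empty does not match and falls through to
# the next rule or the chain policy.
# Timestamps are milliseconds; tokens are kept in thousandths so that all
# arithmetic stays integer.
limit_sim() {
  rate=$1
  burst=$2
  shift 2
  cap=$((burst * 1000))
  tokens=$cap
  last=0
  accepted=0
  for t in "$@"; do
    # refill for the time elapsed since the previous packet, capped at burst
    tokens=$((tokens + (t - last) * rate))
    if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
    last=$t
    if [ "$tokens" -ge 1000 ]; then
      tokens=$((tokens - 1000))
      accepted=$((accepted + 1))
    fi
  done
  echo "$accepted"
}

# Constructed input: N packet timestamps, STEP milliseconds apart, from 0.
spaced() {
  n=$1
  step=$2
  i=0
  while [ "$i" -lt "$n" ]; do
    echo $((i * step))
    i=$((i + 1))
  done
}

# 50 pings in 5 s against "--limit 1/s --limit-burst 10": 14 match, the
# remaining 36 fall through to the FORWARD policy (DROP).
echo "icmp 1/s burst 10, 50 packets every 100 ms: $(limit_sim 1 10 $(spaced 50 100)) matched"
# fragments at 1 per ms against "--limit 100/s --limit-burst 100": 199 of
# the 1000 fragments sent in the first second match.
echo "frag 100/s burst 100, 1000 packets every 1 ms: $(limit_sim 100 100 $(spaced 1000 1)) matched"
```

The point to take from the numbers: the burst is spent first, after that the steady rate applies, so a sustained flood is held to roughly --limit plus the burst, and everything else is decided by whatever rule or policy follows the limited ACCEPT.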
 
Second, configure the firewall for the NAT table
1. Look at the current NAT settings on this machine
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target      prot opt source                destination         
Chain POSTROUTING (policy ACCEPT)
target      prot opt source                destination         
SNAT        all    --    192.168.0.0/24        anywhere              to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target      prot opt source                destination   
I have configured NAT here (only the simplest shared Internet access, with no firewall rules added). For how to configure NAT, refer to my other article.
Of course, if you have not configured NAT, you do not need to clear anything, because the NAT table is empty by default.
If you do want to clear it, the commands are:
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
 
2. Add rules
Add the basic NAT address translation (for how to configure NAT, see my other article).
When adding rules here we only add DROP rules, because the default policy of all the chains is ACCEPT.
Prevent spoofing of internal network addresses from the outside:
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
If we want, for example, to block MSN, QQ, BT and so on, we have to find the ports or IP addresses they use (personally I think there is not much need for this).
Example:
Block all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Block the FTP (21) port:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
That is too broad; we can define it more precisely:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This blocks only FTP connections to 211.101.46.253; other connections to it, such as web (port 80), are still possible.
As I said, once you find the IP addresses, ports and protocol used by software such as QQ or MSN, just write the rules in the same way.
 
Third, finally
Drop illegal connections:
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections (this must be configured, otherwise httpd cannot be connected to):
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
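The rules in this post are entered one by one, which is exactly how the SSH lockout described at the start happens: the INPUT policy becomes DROP before the accept rules exist. As an added example (my own script, not the post's commands), the function below writes the INPUT part of the filter table described above, with the loopback, ESTABLISHED,RELATED and INVALID rules from this section placed first and SSH restricted to one administration host as in the 192.168.0.3 example, in the iptables-save file format. That is the same format `service iptables save` writes to /etc/sysconfig/iptables, and `iptables-restore` loads policies and rules in one atomic step, so there is no window in which the chain is DROP but the SSH rule is missing. The `check_order` helper is an assumed, constructed check and not an iptables feature; the address 192.168.0.3 is the post's example value.

```shell
#!/bin/sh
# Added example: build the INPUT chain of the filter table as one
# iptables-restore file instead of running iptables commands one at a time.
# iptables-restore applies policies and rules atomically, so INPUT never
# sits at DROP without the SSH rule in place (the lockout warned about
# earlier). Argument 1 is the only address allowed to reach SSH; the post's
# 192.168.0.3 is used below as the example value.
gen_filter_rules() {
  admin_host=$1
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: the local resolver and daemons talk over 127.0.0.1
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (FTP data)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no known connection
-A INPUT -m state --state INVALID -j DROP
# SSH only from the administration host
-A INPUT -s ${admin_host} -p tcp --dport 22 -j ACCEPT
# public services offered by this host
-A INPUT -p tcp --dport 80 -j ACCEPT
# ping
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Ordering check (assumed helper, not part of iptables): reads a ruleset on
# stdin and exits 0 only if an ESTABLISHED,RELATED accept is present and
# comes before every per-port rule. Without it, replies to connections this
# host opened (DNS lookups, package updates) are dropped by the INPUT
# policy; placed first, one rule decides the bulk of the traffic.
check_order() {
  awk '/--dport/ && !seen { bad = 1 }
       /ESTABLISHED,RELATED/ { seen = 1 }
       END { exit (seen && !bad) ? 0 : 1 }'
}

# Print the ruleset. On the firewall host it would be loaded with
#   gen_filter_rules 192.168.0.3 | iptables-restore
# and then persisted with "service iptables save".
gen_filter_rules 192.168.0.3
```

Two things the generated file makes visible that the command-by-command version hides: the policies are declared at the top but only become effective at COMMIT together with the rules, and the order of the chain is fixed in one place, so a reviewer can see at a glance that the stateful rules precede the port rules. Note also that a DNS server needs UDP port 53 as well as the TCP rule given in the post.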

[root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the rules to the /etc/sysconfig/iptables file. After writing them, remember to restart the firewall for them to take effect.

[root@tp ~]# service iptables restart


Source: www.cnblogs.com/wpnr/p/12611803.html