iptables configuration

1. Check the iptables service status

$ service iptables status

iptables: Firewall is not running.

This means the iptables service is installed but not running. (The service and chkconfig commands used throughout this page are the SysV-init tools of CentOS/RHEL 6; CentOS 7 and later ship firewalld by default.)

If it is not installed, install it with yum:

$ yum install -y iptables

 

#start iptables

$ service iptables start

iptables: No config file.                                  [WARNING]

Fix: there is no saved ruleset yet, so set a policy and save it, which creates /etc/sysconfig/iptables:

$ iptables -P OUTPUT ACCEPT

$ service iptables save

 

#Show the current iptables rules (-n: print numeric addresses and ports, no DNS lookups)

$ iptables -L -n

 

2. Clear the default firewall rules

#First set the INPUT policy to ACCEPT before flushing, so that everything is accepted while the rules are rebuilt. If the policy were DROP, flushing would remove the rule that allows your SSH session and lock you out of a remote machine.

$ iptables -P INPUT ACCEPT

 

#Flush all rules in all chains of the filter table

$ iptables -F

 

#Delete all user-defined chains (they must be empty, which -F guarantees)

$ iptables -X

 

#Zero the packet and byte counters of every chain

$ iptables -Z

 

3. Configuration Rules

#Accept packets arriving on the loopback interface lo

#Without this rule, once the INPUT policy is DROP, nothing on the machine can reach local services through 127.0.0.1 (not even ping 127.0.0.1)

$ iptables -A INPUT -i lo -j ACCEPT 

 

#ssh, port 22. Use one of the two rules below, not both: rules are matched top-down and the first match wins, so the unrestricted rule would match every SSH packet and the restricted one would never be reached.

$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT   #allow SSH from anywhere

$ iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT   #22 is your ssh port; -s 192.168.1.0/24 allows only machines in that network segment to connect, IP addresses in other segments cannot log in to your machine; -j ACCEPT accepts such packets

 

#FTP, port 21 (control channel). Passive-mode data connections arrive on random ports and are only accepted by the ESTABLISHED,RELATED rule below if the FTP connection-tracking helper is loaded (modprobe nf_conntrack_ftp, or add it to IPTABLES_MODULES in /etc/sysconfig/iptables-config)

$ iptables -A INPUT -p tcp --dport 21 -j ACCEPT

 

#web service, port 80

$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT

 

#tomcat (xxxx is your Tomcat port)

$ iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

 

#mysql (xxxx is your MySQL port; restrict it with -s to the hosts that need it rather than opening it to the world)

$ iptables -A INPUT -p tcp --dport xxxx -j ACCEPT

 

#Allow ICMP echo-request (type 8), i.e. allow this machine to be pinged. Replies to pings you send yourself come back through the ESTABLISHED,RELATED rule.

$ iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

 

#Accept packets that belong to an already established connection, or are related to one (FTP data connections, ICMP errors). On a busy server most incoming packets match this rule, so in a production ruleset it belongs at the top of the chain. -m conntrack --ctstate is the newer equivalent of -m state --state.

$ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 

#Trust one host: accept all TCP traffic from it (note that 45.96.174.68 is a public address, not an RFC 1918 intranet address; substitute your own trusted host)

$ iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT

 

#Drop everything the rules above did not accept. Set this policy last, only after the SSH rule is in place; set earlier, it cuts off a remote session immediately.

$ iptables -P INPUT DROP

 

4. Save

First run iptables -L -n and check that the rules are what you intended. Do not save right away: unsaved rules live only in memory, so if something is wrong (for example you have locked yourself out), a reboot, forced from the hosting console if necessary, restores the previously saved ruleset. Save only after confirming that a new SSH session still works.

#save the running rules to /etc/sysconfig/iptables

$ service iptables save

#start iptables at boot (chkconfig)

$ chkconfig iptables on

 

 

Configure a whitelist

iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT #Allow the machines in the server room (192.168.1.0/24) to access everything on this host

iptables -A INPUT -p all -s 192.168.140.0/24 -j ACCEPT #Allow the machines in the server room (192.168.140.0/24) to access everything on this host

iptables -A INPUT -p tcp -s 183.121.3.7 --dport 3380 -j ACCEPT #Allow 183.121.3.7 to access port 3380 of this machine only

 

iptables optimization

When the server receives a packet, iptables compares it against the rules of the chain from top to bottom and stops at the first match. If the first five rules are for rarely used services and the sixth is the port 80 rule, every ordinary web request is checked against five rules that cannot match before it reaches the sixth, and the firewall does more work per packet than it needs to.

Optimization idea: put the rules that match most often at the top and the rarely matched ones at the end. In practice the ESTABLISHED,RELATED rule goes first, since it matches the bulk of packets; iptables -L -n -v shows per-rule packet counters and tells you which rules actually match most often.

Adjust the order by editing the saved rule file, then reload it with service iptables restart:

$ vi /etc/sysconfig/iptables
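The following script is an added example, not part of the original page. It ties sections 3 and 4 and the ordering advice above together: it emits the tutorial's INPUT ruleset in the iptables-restore format that /etc/sysconfig/iptables uses, with the ESTABLISHED,RELATED rule first and the most frequent services next, and it applies the file with a timed rollback so that a mistake in the ruleset cannot lock you out of SSH. The port numbers for Tomcat and MySQL, the rollback window, and restricting MySQL to the management subnet are assumptions (the page writes xxxx and opens MySQL to everyone); FORWARD is set to DROP on the assumption that this is a host, not a router, and FTP is left out.

```shell
#!/bin/sh
# Added example, not from the original page. Builds the INPUT ruleset as an
# iptables-restore file, ordered so the rule that matches most packets comes
# first, and applies it with a dead-man switch.
# Assumed values (not given by the page): TOMCAT_PORT, MYSQL_PORT, ROLLBACK_SECS.

SSH_NET="192.168.1.0/24"       # management subnet from the page
ADMIN_HOST="45.96.174.68"      # host the page trusts for all TCP
TOMCAT_PORT=8080               # assumption; the page writes xxxx
MYSQL_PORT=3306                # assumption; the page writes xxxx
ROLLBACK_SECS=60               # assumption

# Print the ruleset. The policy is DROP in the chain header, but
# iptables-restore loads the whole table in one step, so there is never a
# moment where the policy is DROP and the ACCEPT rules are not yet present.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# most packets belong to a tracked connection: match them at rule 1
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# new connections, most frequent service first
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport ${TOMCAT_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s ${SSH_NET} --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s ${SSH_NET} --dport ${MYSQL_PORT} -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_HOST} -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# log (rate limited) what is about to fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# 1-based position of the first INPUT rule containing a pattern. Lets a
# script check the "frequent rules first" order without loading anything.
rule_position() {
    gen_rules | grep '^-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Dead-man switch: load the new rules, then restore the previous ruleset
# after ROLLBACK_SECS unless the operator kills the timer from a session
# that still works. Requires root and a running iptables.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    gen_rules | iptables-restore || { echo "iptables-restore failed" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$backup"; rm -f "$backup" ) &
    echo "$!" > /tmp/iptables-rollback.pid
    echo "Applied. Within ${ROLLBACK_SECS}s run: kill \$(cat /tmp/iptables-rollback.pid) && service iptables save"
}

case "${1:-}" in
    apply) apply_with_rollback ;;
    *)     gen_rules ;;            # default: only print the ruleset for review
esac
```

Run it without arguments to review the generated file (it can also be redirected into /etc/sysconfig/iptables), and with apply as root to load it. If the new rules are wrong and your SSH session freezes, the old ruleset comes back by itself after the timer; if a fresh SSH login works, kill the timer and save, which is the moment the page's section 4 describes.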

 

iptables format

Generic matches

    -s specifies the source address

    -d specifies the destination address

    -p specifies the protocol (tcp, udp, icmp, all)

    -i specifies the interface a packet arrives on (INPUT and FORWARD chains only)

    -o specifies the interface a packet leaves by (OUTPUT and FORWARD chains only)

 

Extended matches

  The -m option selects the match module to use, for example:

    -m state --state

            NEW,ESTABLISHED,RELATED: use the state module to match connections whose tracked state is any of these three

    -m iprange

        --src-range use the iprange module to match a source IP address range

        --dst-range use the iprange module to match a destination IP address range

    -m multiport

        --source-ports use the multiport module to match a list of source ports (up to 15 entries, ranges written as low:high)

        --destination-ports use the multiport module to match a list of destination ports (same limits)

 

example:

-A INPUT -p tcp -m iprange --src-range 121.21.30.36-121.21.30.100 -m multiport --destination-ports 3326,3327,3328 -m state --state NEW -j ACCEPT

This accepts new TCP connections whose source address lies in the range 121.21.30.36-121.21.30.100 and whose destination port is 3326, 3327 or 3328.

 

Targets (what to do with a matching packet)

    ACCEPT: let the packet through

    DROP: silently discard the packet; nothing is sent back, so the client only learns of it when its connection attempt times out

    REJECT: refuse the packet and send an error back to the sender (an ICMP error, or a TCP RST with --reject-with tcp-reset), so the client sees the refusal immediately

    SNAT: source address translation; lets many internal hosts share one public address to reach the Internet

    MASQUERADE: a special form of SNAT that uses whatever address the outgoing interface currently has, suited to dynamic or temporary IPs

    DNAT: destination address translation

    REDIRECT: redirect the packet to a port on this machine (local port mapping)

    LOG: write the packet to the kernel log (delivered by syslog, /var/log/messages on CentOS) and continue with the next rule; it is a non-terminating target, so a logged packet still needs an ACCEPT or DROP rule after it

 
