linux-IPTABLES configuration

Start configuring
First, let's configure a firewall with the filter table.
(1) Check the machine's current IPTABLES settings
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain FORWARD (policy ACCEPT)
target       prot opt source                 destination         
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain RH-Firewall-1-INPUT (0 references)
target       prot opt source                 destination         
ACCEPT       all    --    0.0.0.0/0              0.0.0.0/0
ACCEPT       icmp   --    0.0.0.0/0              0.0.0.0/0             icmp type 255
ACCEPT       esp    --    0.0.0.0/0              0.0.0.0/0
ACCEPT       ah     --    0.0.0.0/0              0.0.0.0/0
ACCEPT       udp    --    0.0.0.0/0              224.0.0.251           udp dpt:5353
ACCEPT       udp    --    0.0.0.0/0              0.0.0.0/0             udp dpt:631
ACCEPT       all    --    0.0.0.0/0              0.0.0.0/0             state RELATED,ESTABLISHED
ACCEPT       tcp    --    0.0.0.0/0              0.0.0.0/0             state NEW tcp dpt:22
ACCEPT       tcp    --    0.0.0.0/0              0.0.0.0/0             state NEW tcp dpt:80
ACCEPT       tcp    --    0.0.0.0/0              0.0.0.0/0             state NEW tcp dpt:25
REJECT       all    --    0.0.0.0/0              0.0.0.0/0             reject-with icmp-host-prohibited
You can see that when I installed Linux I chose to enable the firewall and opened ports 22, 80 and 25.

If you did not enable the firewall when installing Linux, the output looks like this:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain FORWARD (policy ACCEPT)
target       prot opt source                 destination         
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination  
There are no rules whatsoever.
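As an added example (not from the original post), here is a small shell script that summarises an iptables -L -n listing like the ones above: one line per chain with its default policy and the ports it ACCEPTs, so you can see what is exposed before flushing and rewriting the rules. The listing embedded in it is a constructed sample; pipe real output into summarize_rules to audit a live machine.

```shell
#!/bin/sh
# Added example, not from the article: summarise `iptables -L -n` output
# so you can see each chain's policy and which ports it ACCEPTs before
# flushing and rewriting the rules.

# Constructed sample, modelled on the listing above.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# summarize_rules: reads a listing on stdin and prints one line per chain:
#   <chain> policy=<ACCEPT|DROP|user> accept=<proto/port,...|none> unqualified=<yes|no>
# "unqualified=yes" flags an ACCEPT of all protocols from anywhere with no visible
# match; -L -n hides interfaces, so confirm with -L -n -v (it may be the lo rule).
summarize_rules() {
    awk '
    function emit() {
        if (chain != "")
            printf "%s policy=%s accept=%s unqualified=%s\n", chain, policy,
                   (ports == "" ? "none" : ports), unq
    }
    /^Chain / {
        emit()
        chain = $2; policy = "user"; ports = ""; unq = "no"
        if (match($0, /policy [A-Z]+/)) policy = substr($0, RSTART + 7, RLENGTH - 7)
        next
    }
    $1 == "ACCEPT" {
        if (match($0, /dpt:[0-9]+/)) {
            p = $2 "/" substr($0, RSTART + 4, RLENGTH - 4)
            ports = (ports == "" ? p : ports "," p)
        } else if ($2 == "all" && NF == 5) {
            unq = "yes"
        }
    }
    END { emit() }'
}

# Summarise the constructed sample (pipe real output into summarize_rules instead).
audit_sample() { printf '%s\n' "$SAMPLE" | summarize_rules; }
```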
(2) Clear the original rules.
Regardless of whether you enabled the firewall when you installed linux, if you want to configure your own firewall, then clear all the rules of the current filter.
[root@tp ~]# iptables -F         (clears the rules of all chains in the default filter table)
[root@tp ~]# iptables -X         (deletes the user-defined chains in the default filter table)
Let's take a look:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target       prot opt source                 destination         
Chain FORWARD (policy ACCEPT)
target       prot opt source                 destination         
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination      
There is nothing left; it is the same as when the firewall was not enabled at installation. (Note in advance: these settings are like configuring an IP address from the command line, and their effect is lost after a restart.) So how do we save them?
[root@tp ~]# /etc/rc.d/init.d/iptables save
 
This can be written to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing to make it work.
[root@tp ~]# service iptables restart
 
Now that there is nothing in the IPTABLES filter table, let's start our own configuration.
(3) Set preset rules
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP
The above sets the default policy for the INPUT and FORWARD chains of the filter table: a packet that matches none of the rules in those two chains is handled by the policy, which is DROP (discard). This configuration should be considered very safe, since what we want to control are incoming packets.
As for the OUTPUT chain, that is, outgoing packets, we do not need many restrictions, so we use ACCEPT: a packet that matches no rule is passed.
So the INPUT and FORWARD chains list which packets are allowed through, while the OUTPUT chain lists which packets are not allowed through.
This setup is quite reasonable. Of course, you can also set all three chains to DROP, but I don't think it is necessary, and the number of rules you have to write increases. But if you only need a limited set of rules, for example a machine that is only a web server, setting all three chains to DROP is recommended.
Note: if you are logged in via remote SSH, your session will be dropped as soon as you enter the first command and press Enter, because you have not set any rules yet.
What to do? Go and work at the local console!
(4) Add rules.
First add rules to the INPUT chain. The default policy of the INPUT chain is DROP, so we write the rules that need ACCEPT (pass).
In order to allow remote SSH login, we need to open port 22.
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT (Note: if you set OUTPUT to DROP you must write this rule too; many people forget it, and as a result SSH never works. Check remotely whether it works.
The same is true for other ports. If a web server is running and OUTPUT is set to DROP, a rule should also be added:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT , and the same for others.)
If you are a web server, open port 80.
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
If you are a mail server, open ports 25 and 110.
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If you are an FTP server, open port 21 (and port 20).
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
If you are a DNS server, open port 53.
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
If you run other services, just copy the pattern for whichever port they need.
The above is written mainly for the INPUT chain. Anything not matched by the rules above will be DROPped.
Allow ICMP packets to pass, that is, allow ping:
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT (if OUTPUT is set to DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT (if INPUT is set to DROP)
Allow loopback! (Otherwise you get problems such as DNS not shutting down normally.)
[root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT (if INPUT is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT (if OUTPUT is DROP)
Below is the OUTPUT chain. The default policy of the OUTPUT chain is ACCEPT, so we write the rules that need DROP (discard).
Reduce connections on insecure ports:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojans scan for services on ports 31337 to 31340 ("elite" ports in hacker jargon). Since no legitimate service uses these non-standard ports to communicate, blocking them can effectively reduce the chance of potentially infected machines on your network talking to their remote master servers on their own.
There are other ports as well, such as 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS), which should also be blocked. I have not written them all here; interested readers should look up the relevant information.

Of course, for safer access you can also set the OUTPUT chain to DROP, in which case you add more rules, just like the SSH login rule added above.
Just do as written.
 
Let's write more detailed rules, that is, restrict access to a particular machine.
For example: we only allow 192.168.0.3 machines to make SSH connections
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
If you want to allow or restrict a range of IP addresses, 192.168.0.0/24 means all IPs 192.168.0.1-255; the 24 is the subnet mask length. But remember to delete the line
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
from /etc/sysconfig/iptables, because it means that all addresses can log in.
Or use the command method:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save it; as I said, the command method only takes effect for the current session, and if you want it to survive a restart you must save it, that is, write it to the /etc/sysconfig/iptables file.
[root@tp ~]# /etc/rc.d/init.d/iptables save
Writing ! 192.168.0.3 instead means any IP address other than 192.168.0.3.
The same is true for other rule connections.
 
Below is the FORWARD chain. The default policy of the FORWARD chain is DROP, so we write the rules that need ACCEPT (pass) for the forwarding chain.
Turn on forwarding (this must be done when doing NAT with the FORWARD default policy set to DROP):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Drop bad TCP packets:
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the rate of IP fragments to prevent attacks; allow 100 per second:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Set up ICMP packet filtering: allow 1 packet per second, with a burst trigger of 10 packets.
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
I only allowed ICMP packets earlier because I apply the restriction here.
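The filter-table steps above, collected into one added script (not the article's own) that applies them in an order that avoids the SSH lockout mentioned in step (3): the accept rules, including loopback and ESTABLISHED,RELATED, go in before the policies are switched to DROP, and the FORWARD drop rules come before the FORWARD accept rules so they are actually reached. The IPT and ADMIN_HOST variables are assumptions of this example; set IPT="echo iptables" to preview the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the article's own script: the filter-table rules from the
# steps above, applied in an order that keeps an existing SSH session alive.
# Set IPT="echo iptables" to preview the commands instead of applying them.
IPT="${IPT:-iptables}"                     # assumption: IPT wraps the iptables binary
ADMIN_HOST="${ADMIN_HOST:-192.168.0.3}"    # the only host allowed to open SSH (from the article)
WAN=eth0; LAN=eth1                         # interface names as used in the article

apply_filter_rules() {
    # Step (2): empty the filter table; the policies are still ACCEPT at this point.
    $IPT -F && $IPT -X
    # Step (4) comes first: the accept rules must exist BEFORE the policy turns
    # to DROP, otherwise a remote session is cut off at the policy change.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    # FORWARD: drop bad packets first, then allow replies and LAN-originated traffic.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # OUTPUT stays ACCEPT; only the odd-port drops from the article.
    $IPT -A OUTPUT -p tcp --dport 31337 -j DROP
    $IPT -A OUTPUT -p tcp --sport 31337 -j DROP
    # Step (3) last. Note -P (uppercase) sets the policy; -p is the protocol match.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Only after confirming that a NEW ssh session from $ADMIN_HOST still works:
# /etc/rc.d/init.d/iptables save
```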
Second, configure a firewall with the NAT table
(1) Check the machine's current NAT settings
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target       prot opt source                 destination         
Chain POSTROUTING (policy ACCEPT)
target       prot opt source                 destination         
SNAT         all    --    192.168.0.0/24         anywhere              to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target       prot opt source                 destination    
My NAT has already been configured (it only provides the simplest shared Internet access, and no firewall rules have been added). For how to configure NAT, please refer to my other article.
Of course, if you have not configured NAT you do not need to clear the rules, because the NAT table is empty by default.
If you want to clear it, the commands are:
[root@tp ~]# iptables -F -t nat
[root@tp ~]# iptables -X -t nat
[root@tp ~]# iptables -Z -t nat
 
(2) Add rules
Add basic NAT address translation (see my other article on how to configure NAT).
To add rules, we only add DROP rules, because the default policy of every chain is ACCEPT.
Prevent the external network from spoofing internal IP addresses:
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

If we want to block MSN, QQ, BT, etc., we need to find their port or IP (personally I think this is unnecessary).
Example:
Disallow all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Block the FTP (21) port:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
Written this way the scope is too broad; we can define it more precisely:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This way only FTP connections to the address 211.101.46.253 are blocked, and other connections, such as web (port 80), are fine.
Following what I wrote, you only need to find the IP address, port and protocol of other software such as QQ and MSN and write the rules the same way.
 
Finally:
Drop illegal connections:
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP

Allow all established and related connections:
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@tp ~]# /etc/rc.d/init.d/iptables save

In this way, it can be written to the /etc/sysconfig/iptables file. Remember to restart the firewall after writing to make it work.

[root@tp ~]# service iptables restart


Don't forget to save!
