Example of iptables rule setting

The company currently needs to run a test that requires isolating two network segments, and the plan is to do that with the corresponding iptables rules.

Network status

1. All servers are in the intranet segment (172.16.x.x), and all intranet hosts can reach each other;

2. All servers can reach the Internet (Baidu, Alibaba, Tencent and so on), but hosts on the external network cannot reach internal IPs;

Testing requirements

1. Two intranet servers A (172.16.6.100) and B (172.16.6.101);

2. Server A must not be able to reach the Internet, but must still be able to reach every server in the intranet (that is, the whole 172.16.x.x segment);

Approach

1. First make DROP the default for all outgoing traffic;

2. Then allow only the destinations we need (the intranet segment);

iptables settings

# Add the allow rule first and switch the policy last, so that the intranet
# session you are working from is not cut off in between.
iptables -A OUTPUT -d 172.16.0.0/16 -j ACCEPT   # allow outgoing traffic to the intranet (172.16.x.x)
iptables -P OUTPUT DROP                         # default: drop all other outgoing traffic

The mask matters: the intranet is a /16. A common slip is writing 172.16.0.0/8, which does not mean "172.16.*": iptables clears the host bits and stores the rule as 172.0.0.0/8, which also allows 172.17.x.x and every other 172.x.x.x address, most of which are public Internet addresses.

Machine A can now no longer reach Internet hosts such as Baidu, Tencent or Alibaba, and can only reach servers in the 172.16.x.x segment. Verify with ping www.baidu.com (should fail) and ping 172.16.6.101 (should still work). Keep in mind that the DNS lookup for www.baidu.com is itself outgoing traffic: if A's resolver is outside 172.16.0.0/16, the ping already fails at name resolution, so also ping a public IP address directly to confirm that it is the ICMP that is being dropped. iptables -L OUTPUT -n -v shows packet counters for the chain policy and for each rule, which tells you what actually matched.
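The isolation above as an ordered, reversible script. This is an added example, not code from the original post: it adds the allow rules first and flips the policy last, also opens loopback (which the two-line version does not cover and which local services on A that talk to 127.0.0.1 need), and takes the command to run from the IPT variable so that IPT=echo prints the rule set instead of applying it. The /16 intranet mask and the loopback rule are assumptions of this example.

```shell
#!/bin/sh
# Egress isolation for host A as an ordered, reversible script.
# IPT names the command to run: leave it unset for the real iptables, or set
# IPT=echo to print the rule set instead of applying it (dry run).
# Assumptions: the intranet is 172.16.0.0/16, and loopback must stay open
# (services on A that talk to 127.0.0.1 break otherwise).
IPT="${IPT:-iptables}"

# Add the ACCEPT rules first and flip the policy last: from a session inside
# the intranet you are never cut off between two commands.
apply_egress_isolation() {
    intranet="${1:-172.16.0.0/16}"
    "$IPT" -A OUTPUT -o lo -j ACCEPT            # loopback traffic
    "$IPT" -A OUTPUT -d "$intranet" -j ACCEPT   # the intranet segment
    "$IPT" -P OUTPUT DROP                       # everything else is dropped
}

# Reverse order on the way back: open the policy, then remove the rules that
# were added, so the chain ends up exactly as it was before.
restore_egress() {
    intranet="${1:-172.16.0.0/16}"
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -D OUTPUT -d "$intranet" -j ACCEPT
    "$IPT" -D OUTPUT -o lo -j ACCEPT
}

# Usage: ./egress.sh apply [CIDR]   or   ./egress.sh restore [CIDR]
case "${1:-}" in
    apply)   apply_egress_isolation "${2:-}" ;;
    restore) restore_egress "${2:-}" ;;
esac
```

Run it once with IPT=echo ./egress.sh apply and read the three lines it prints before applying them for real; the same dry run of restore shows that the teardown undoes exactly what apply added.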

Restore the network

iptables -P OUTPUT ACCEPT   # default: allow all outgoing traffic

This lifts the restriction; verify again with ping www.baidu.com. The ACCEPT rule appended earlier is still in the OUTPUT chain (harmless now that the policy is ACCEPT); to return the chain to its original state, delete it with -D using the same rule specification.

Here are some common scenarios:

1. Open all IPs and ports

iptables -P INPUT ACCEPT   # default: allow all IPs and ports to reach this host
iptables -P OUTPUT ACCEPT  # default: allow this host to reach all IPs and ports

These only set the default policy. Rules already in the chain are still evaluated first, so a chain that contains explicit DROP rules stays closed on those ports.

2. Block all IPs and ports

iptables -P INPUT DROP   # default: block all IPs and ports from reaching this host
iptables -P OUTPUT DROP  # default: block this host from reaching any IP or port

Doing this over SSH with no ACCEPT rule for your own session disconnects you immediately (the policy applies to the session's packets too) and leaves a remote box unreachable. Add the rules you need with -A or -I before setting the policy, or run it from the console.

3. Block TCP port 80 from everywhere

iptables -I INPUT -p tcp --dport 80 -j DROP   # drop inbound TCP to port 80; -I puts the rule at the top of INPUT

4. Allow port 80 from the 192.168.1.0/24 segment

iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT   # -I inserts at the top, above the DROP from scenario 3

Order matters: the first rule that matches decides. Because -I inserts at position 1, this ACCEPT sits above the DROP from scenario 3 and is tested first. Had -A been used, the rule would sit below the DROP and never match.
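Rules in a chain are evaluated top to bottom and the first match decides, which is why scenario 4 uses -I. The following script, an added example that is not part of the original post, models that evaluation offline in plain sh so the effect of -I versus -A can be checked without touching a live firewall; it also shows how iptables normalises a CIDR, which is the 172.16.0.0/8 versus /16 question from the isolation rule earlier on the page. The rule format ("SRC_CIDR DPORT TARGET" per line), the addresses and the port numbers in it are constructed for the example.

```shell
#!/bin/sh
# Offline model of chain evaluation: rules are tried top to bottom, the
# first match decides, and the chain policy applies only if nothing matched.
# Also shows how iptables stores a CIDR (host bits cleared).
# All addresses, ports and rule lines below are constructed for this example.

ip_to_int() {                      # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                      # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {                    # prefix length -> netmask as an integer
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Print a CIDR the way "iptables -S" shows it: 172.16.0.0/8 -> 172.0.0.0/8
normalize_cidr() {
    net=$(( $(ip_to_int "${1%/*}") & $(prefix_mask "${1#*/}") ))
    echo "$(int_to_ip "$net")/${1#*/}"
}

# Exit status 0 if $1 (an IP) lies inside $2 (a CIDR)
ip_in_cidr() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# evaluate_chain RULES POLICY SRC DPORT
# RULES: one rule per line, "SRC_CIDR DPORT TARGET", top of the chain first;
# "any" is a wildcard. Prints the verdict: first matching target, else POLICY.
evaluate_chain() {
    verdict=$(printf '%s\n' "$1" | while read -r src port target; do
        [ -z "$target" ] && continue
        if { [ "$src" = any ] || ip_in_cidr "$3" "$src"; } &&
           { [ "$port" = any ] || [ "$port" -eq "$4" ]; }; then
            echo "$target"         # first match wins: stop reading the chain
            exit 0
        fi
    done)
    echo "${verdict:-$2}"
}

# Scenario 3 then scenario 4, both with -I: the ACCEPT for 192.168.1.0/24
# is inserted above the DROP, so the chain reads (top first):
INSERTED_RULES="192.168.1.0/24 80 ACCEPT
any 80 DROP"

# Had scenario 4 used -A, the ACCEPT would sit below the DROP and never match:
APPENDED_RULES="any 80 DROP
192.168.1.0/24 80 ACCEPT"

verdict_with_insert() { evaluate_chain "$INSERTED_RULES" ACCEPT "$1" "$2"; }
verdict_with_append() { evaluate_chain "$APPENDED_RULES" ACCEPT "$1" "$2"; }

# Stand-alone demonstration
main() {
    echo "with -I, 192.168.1.7 -> port 80: $(verdict_with_insert 192.168.1.7 80)"
    echo "with -A, 192.168.1.7 -> port 80: $(verdict_with_append 192.168.1.7 80)"
    echo "with -I, 10.0.0.5    -> port 80: $(verdict_with_insert 10.0.0.5 80)"
    echo "172.16.0.0/8 is stored by iptables as $(normalize_cidr 172.16.0.0/8)"
}
main
```

The model deliberately ignores everything a real chain also looks at (protocol, interface, connection state), but the two properties it keeps, first match wins and host bits are cleared in a CIDR, are exactly the two that the page's examples depend on.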

Common iptables commands

Command -A, --append
    Example: iptables -A INPUT ...
    Explanation: Append a rule to a chain; it becomes the last rule in that chain.
Command -D, --delete
    Example: iptables -D INPUT -p tcp --dport 80 -j DROP
             iptables -D INPUT 1
    Explanation: Delete a rule from a chain, either by giving the full rule specification or by its number (as shown by -L --line-numbers). Note that --dport is only valid once a protocol is selected with -p tcp or -p udp.
Command -R, --replace
    Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
    Explanation: Replace the rule at the given position with a new one; the other rules keep their order.
Command -I, --insert
    Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
    Explanation: Insert a rule at position N (default 1, the top of the chain); the rule previously at that position and everything below it move down by one.
Command -L, --list
    Example: iptables -L INPUT
    Explanation: List the rules in a chain (or in all chains when no chain is given). Add -n to skip DNS lookups, -v to show packet and byte counters and interfaces, and --line-numbers to see the numbers used by -D, -I and -R.
Command -F, --flush
    Example: iptables -F INPUT
    Explanation: Delete all rules in a chain (or in every chain of the table when no chain is given). The chain policy is not changed, so flushing a chain whose policy is DROP leaves it fully closed.
Command -Z, --zero
    Example: iptables -Z INPUT
    Explanation: Zero the packet and byte counters of the rules in a chain (or all chains). The counters, shown by iptables -L -v, record how much traffic each rule has matched, which is the quickest way to confirm that a new rule is actually being hit or to see which rule is dropping traffic.
Command -N, --new-chain
    Example: iptables -N allowed
    Explanation: Create a new user-defined chain.
Command -X, --delete-chain
    Example: iptables -X allowed
    Explanation: Delete a user-defined chain. The chain must be empty and must not be referenced by any rule; with no name given, every empty user-defined chain is deleted.
Command -P, --policy
    Example: iptables -P INPUT DROP
    Explanation: Set the default policy of a built-in chain, that is, the verdict (ACCEPT or DROP) for packets that match none of the chain's rules. Only built-in chains have a policy; when no rule in a user-defined chain matches, evaluation returns to the chain that jumped to it.
Command -E, --rename-chain
    Example: iptables -E allowed disallowed
    Explanation: Rename a user-defined chain; rules that jump to it keep working under the new name.
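Deleting by number, the second form of -D above, needs the number. Here is an added helper, not from the original post, that derives it from the output of iptables -S CHAIN: only the "-A CHAIN ..." lines count, the leading "-P CHAIN POLICY" line does not, and when several rules are deleted the highest number must go first, because every deletion renumbers the rules below it. The listing it parses is a constructed sample rather than output from a real host, and IPT=echo prints the resulting commands instead of running them.

```shell
#!/bin/sh
# Find rule numbers for "iptables -D CHAIN N" from "iptables -S CHAIN" output.
# Only "-A CHAIN ..." lines are rules; the leading "-P CHAIN POLICY" line is
# not counted. Numbers come out highest first so that deleting in that order
# does not renumber the rules still to be deleted.
# IPT=echo prints the delete commands instead of running them.
IPT="${IPT:-iptables}"

# rule_numbers CHAIN PATTERN   (listing on stdin; PATTERN is a plain substring)
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if (index($0, pat)) print n }
    ' | sort -rn
}

# delete_matching_rules CHAIN PATTERN   (listing on stdin)
delete_matching_rules() {
    for n in $(rule_numbers "$1" "$2"); do
        "$IPT" -D "$1" "$n"
    done
}

# Constructed sample of "iptables -S INPUT" output (not from a real host).
# -S prints "-p tcp --dport 80" as "-p tcp -m tcp --dport 80", so the
# pattern must match what -S prints, not what was typed.
SAMPLE_LISTING='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Stand-alone demo on the sample: prints 4 then 2 (rules 2 and 4 mention
# --dport 80; the policy line is not rule 1).
printf '%s\n' "$SAMPLE_LISTING" | rule_numbers INPUT '--dport 80'

# Against a live host, pipe the real listing instead:
#   iptables -S INPUT | delete_matching_rules INPUT '--dport 80'
```

Deleting by number is convenient but racy on a host where something else (a container runtime, fail2ban, a config-management agent) may insert rules between the listing and the delete; where the full rule specification is known, deleting by specification, the first form of -D, is the safer choice.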

Origin blog.csdn.net/tl4832194/article/details/107840403