[iptables practical] 02 iptables common commands

1. Basic command parameters in iptables

  • -P sets the default policy of a chain
  • -F flushes (clears) a rule chain
  • -L lists the rules of a chain
  • -A appends a new rule to the end of a chain
  • -I num inserts a new rule at position num (at the head of the chain if num is omitted)
  • -D num deletes the rule at position num
  • -s matches the source address IP/MASK; a leading "!" means every address except this one
  • -d matches the destination address
  • -i name matches packets arriving on the named network interface
  • -o name matches packets leaving through the named network interface
  • -p matches the protocol, such as TCP, UDP or ICMP
  • --dport num matches the destination port number
  • --sport num matches the source port number

2. Practical operation

2.1 Deny ICMP packets from 192.168.56.106 entering the firewall

[root@localhost ~]# iptables -I INPUT -s 192.168.56.106 -p icmp -j REJECT
[root@localhost ~]# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 980 packets, 121K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     icmp --  *      *       192.168.56.106       0.0.0.0/0            reject-with icmp-port-unreachable
  938  115K LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0   

2.2 View the rules of the INPUT chain

[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 1168 packets, 133K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        3   252 REJECT     icmp --  *      *       192.168.56.106       0.0.0.0/0            reject-with icmp-port-unreachable
2     1126  127K LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0  

2.4 Delete the newly created ICMP REJECT rule

[root@localhost ~]# iptables -D INPUT 1
[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 1223 packets, 137K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     1181  130K LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

2.5 Clear the existing firewall rule chain

[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  

2.6 Set the default policy of the INPUT rule chain to deny

[root@localhost ~]# iptables -P INPUT DROP

2.7 Add policy rules that allow ICMP traffic to enter the INPUT chain

[root@localhost ~]# iptables -I INPUT -p icmp -j ACCEPT
[root@localhost ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.156 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.117 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.099 ms
64 bytes from 192.168.10.10: icmp_seq=4 ttl=64 time=0.090 ms
--- 192.168.10.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.090/0.115/0.156/0.027 ms

2.8 Delete the policy just added in the INPUT rule chain (allow ICMP traffic), and set the default policy to allow

[root@linuxprobe ~]# iptables -D INPUT 1
[root@linuxprobe ~]# iptables -P INPUT ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

2.9 Set the INPUT rule chain to only allow hosts in the specified network segment to access port 22 of the machine and deny traffic from all other hosts.

[root@localhost ~]# iptables -I INPUT -p tcp -s 192.168.56.0/24 --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j DROP
[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 6306 packets, 6997K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      216 14861 ACCEPT     tcp  --  *      *       192.168.56.0/24      0.0.0.0/0            tcp dpt:22
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Note that the DROP rule is added with -A (append), so it lands after the ACCEPT rule. If the DROP rule were placed in front instead, packets to port 22 would be dropped at the first rule and the later ACCEPT would never take effect.

2.10 Add a policy rule to the INPUT chain that denies all hosts access to local port 12345

[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 6324 packets, 6999K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@localhost ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@localhost ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT
[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 6718 packets, 7023K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:12345 reject-with icmp-port-unreachable
2        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 reject-with icmp-port-unreachable

2.11 Add a policy rule to the INPUT chain that denies the host 192.168.56.103 access to local port 80 (the web service).

[root@localhost ~]# iptables -I INPUT -s 192.168.56.103 -p tcp --dport 80 -j REJECT

2.12 Add a policy rule to the INPUT chain that denies all hosts access to local ports 1000~1024.

[root@localhost ~]# iptables -I INPUT -p tcp --dport 1000:1024 -j REJECT
[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 7335 packets, 7061K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1000:1024 reject-with icmp-port-unreachable

3. Black and white list mechanism

3.1 Blacklist

Suppose we want to allow packets related to SSH remote connections and to the web service. We add the following rules to the INPUT chain.

[root@localhost ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy DROP 8511 packets, 9003K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      255 14844 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

If at this point the "iptables -F" command is accidentally executed from the current SSH session, the INPUT chain is left with no rules, so every packet is dropped by the default policy, including the packets of the current SSH connection.

This is the drawback of setting the default policy to DROP. When the chain contains no rules, a default policy of DROP is very unwise, because the administrator locks himself out as well. Even when the chain does contain allow rules, an accidental "iptables -F" deletes them and no packets can get in at all, which amounts to digging a hole for the administrator. So if we want a "whitelist" mechanism, it is best to keep the chain's default policy at "ACCEPT", place a "deny all requests" rule at the end of the chain, and put the allow rules before it. This still implements the whitelist mechanism, and it guarantees that if the rules are cleared, the administrator still has a chance to connect to the host. The whitelist mechanism below is the more suitable one.

3.2 Whitelist

[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT
[root@localhost ~]# iptables -nvL INPUT --line
Chain INPUT (policy ACCEPT 8889 packets, 9045K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2      182 11316 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

With the default policy of the INPUT chain set to ACCEPT, the whitelist mechanism still works: a packet that meets the allow conditions is matched by one of the earlier allow rules, and a packet that does not is matched by the final deny rule. Even if we mistakenly run "iptables -F" now, the default policy is still ACCEPT, so the administrator can still reach the host remotely for maintenance.
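The two points above, rule order in section 2.9 and the "iptables -F" scenario of sections 3.1 and 3.2, can be checked against a small first-match model of an INPUT chain. This is an added example, not code from the original post; it models only -I/-A/-F and the default policy in Python (no real netfilter), and the packet source addresses are constructed.

```python
import ipaddress

# Model of one iptables filter chain: rules are tried top to bottom, the first
# match decides, and the default policy (-P) applies when nothing matches.
class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []  # (match criteria, target) in evaluation order
    def insert(self, target, **match):  # -I: head of the chain
        self.rules.insert(0, (match, target))
    def append(self, target, **match):  # -A: tail of the chain
        self.rules.append((match, target))
    def flush(self):  # -F: rules are gone, the default policy stays
        self.rules.clear()

    def verdict(self, src, proto, dport):
        pkt_src = ipaddress.ip_address(src)
        for match, target in self.rules:
            if "p" in match and match["p"] != proto:
                continue
            if "dport" in match and match["dport"] != dport:
                continue
            if "s" in match and pkt_src not in ipaddress.ip_network(match["s"]):
                continue
            return target
        return self.policy

def ssh_ordering(drop_first):
    """Section 2.9: with drop_first the DROP sits above the ACCEPT and shadows it."""
    c = Chain("ACCEPT")
    if drop_first:
        c.append("DROP", p="tcp", dport=22)
        c.append("ACCEPT", p="tcp", s="192.168.56.0/24", dport=22)
    else:
        c.insert("ACCEPT", p="tcp", s="192.168.56.0/24", dport=22)
        c.append("DROP", p="tcp", dport=22)
    # Constructed sample sources: one inside the allowed segment, one outside.
    return c.verdict("192.168.56.50", "tcp", 22), c.verdict("10.0.0.9", "tcp", 22)

def ssh_after_flush(whitelist):
    """Sections 3.1/3.2: does the admin's SSH (constructed src) survive an accidental -F?"""
    c = Chain("ACCEPT" if whitelist else "DROP")
    c.insert("ACCEPT", p="tcp", dport=22)
    c.insert("ACCEPT", p="tcp", dport=80)
    if whitelist:
        c.append("REJECT")  # trailing deny-all instead of a DROP policy
    before = c.verdict("192.168.56.1", "tcp", 22)
    c.flush()
    return before, c.verdict("192.168.56.1", "tcp", 22)
```

ssh_ordering(False) gives ACCEPT for the 192.168.56.0/24 host and DROP for the outsider, while ssh_ordering(True) drops both; ssh_after_flush(True) keeps SSH after the flush and ssh_after_flush(False) loses it.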

Origin blog.csdn.net/suyuaidan/article/details/133500521