20 iptables firewall rules and how to use them
iptables organizes its rules into built-in and user-defined "chains"; the administrator attaches packet-processing rules to these chains.
- FILTER: the default table, used for filtering packets. Its built-in chains are:
  - INPUT: packets destined for the local host
  - FORWARD: packets routed through this host
  - OUTPUT: packets generated by the local host
- NAT: the table that implements network address translation. Its built-in chains are:
  - PREROUTING: packets about to be received (before routing)
  - OUTPUT: locally generated packets
  - POSTROUTING: packets about to leave (after routing)
- MANGLE: the table used to modify packets. It has all 5 chains:
  - PREROUTING: incoming packets before routing
  - OUTPUT: locally generated packets
  - INPUT: packets destined for the local host
  - POSTROUTING: packets about to leave
  - FORWARD: packets forwarded through this host
Next we introduce, from simple to advanced, the 20 iptables rules that Linux administrators use most.
1. Start, stop and restart iptables
Although iptables is not a service in itself, Linux lets you manage its state in the same way as a service.
On systemd-based systems:
systemctl start iptables
systemctl stop iptables
systemctl restart iptables
On SysVinit-based systems:
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables restart
2. Check the iptables firewall policy
Use the following command to view the current iptables rules:
iptables -L -n -v
(Figure: sample output of iptables -L -n -v, not reproduced here)
The command above shows the default FILTER table. To view a specific table, pass its name with the -t parameter. For example, to see only the rules of the NAT table:
iptables -t nat -L -v -n
3. Block an IP address
If an IP address is attacking the server or sending it abnormal traffic, you can block it with the following rule:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Replace xxx.xxx.xxx.xxx with the actual address to block. The -A parameter appends the rule to the end of the INPUT chain. Note that iptables matches rules from top to bottom and stops at the first match, so a rule appended after an earlier rule that already accepts the same traffic will never be reached.
To block only that address's TCP traffic, specify the protocol with the -p parameter, for example:
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP
4. Unblock an IP address
To unblock an address, delete the blocking rule with the following command:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
The -D parameter deletes one or more rules from the chain; the rule specification must match the one that was added.
5. Close specific ports with iptables
Often we need to block a specific network port; iptables can close it.
Block specific outgoing connections:
iptables -A OUTPUT -p tcp --dport xxx -j DROP
Block specific incoming connections:
iptables -A INPUT -p tcp --dport xxx -j DROP
6. Control multiple ports with multiport
With the multiport match, several ports can be written into a single rule, for example:
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
7. Use IP address ranges in rules
iptables accepts IP address ranges in CIDR notation directly, for example:
iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT
8. Configure port forwarding
Sometimes a Linux server needs to forward the traffic of a service to another port; use the following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525
The command above redirects all traffic arriving on the eth0 interface for port 25 to port 2525.
9. Mitigate HTTP flood attacks
When a service such as HTTP on port 80 receives a very large number of connection requests, you can enable the following rule:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
The rule above accepts at most 100 connections per minute, with a burst allowance of 200. Because it is an ACCEPT rule, packets over the limit are not dropped by it; they fall through to the following rules or to the chain's default policy, so something after this rule must drop port-80 traffic for the limit to take effect.
10. Prohibit PING
To stop Linux from answering ping, block incoming ICMP with the following rule:
iptables -A INPUT -p icmp -i eth0 -j DROP
11. Allow access to the loopback interface
Traffic on the loopback interface (127.0.0.1) is important for many local services, so it is recommended to allow it:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
12. Block a specific MAC address
Use the following rule to block a specific MAC address (replace 00:00:00:00:00:00 with the address to block):
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
13. Limit concurrent connections
If you do not want too many concurrent connections to a specific port, use the following rule:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
The rule above rejects a new SSH connection from a client that already has 3 open, so each client is limited to 3 concurrent connections.
14. Flush iptables rules
To flush all chains of the default table, use the following command:
iptables -F
To flush a specific table, specify it with the -t parameter, for example:
iptables -t nat -F
15. Save iptables rules
By default, rules an administrator adds take effect immediately, but they are held in kernel memory only, so they are lost when the system reboots. To save the rules permanently, use the iptables-save command:
iptables-save > ~/iptables.rules
The file name can be anything you choose.
16. Restore iptables rules
Saving naturally has a counterpart: use the iptables-restore command to load the saved rules:
iptables-restore < ~/iptables.rules
17. Allow established and related connections
When incoming and outgoing traffic is filtered separately, allow incoming packets that belong to an established or related connection with the following rule:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Allow established outgoing connections:
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
18. Drop invalid packets
Many network attacks rely on malformed packets. Drop packets that connection tracking classifies as INVALID with the following command:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
19. Block outgoing mail
If your system will not be used to send e-mail, you can block the outgoing SMTP ports (a --dports list requires the multiport match):
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
20. Block connections to a specific network interface
If your system has multiple network interfaces, you can restrict which addresses may reach a particular one:
iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP
The source address can be a single IP address or a CIDR range.
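As an added example (not from the original article), the script below combines the rules from sections 3, 9, 11, 13, 17 and 18 into a single file in the format that iptables-save writes and iptables-restore reads, in the order that first-match evaluation requires. It only emits text, so it can be reviewed before loading; it assumes a default DROP policy on INPUT, the eth0 interface from section 8, and a constructed blocked address 203.0.113.10.

```shell
#!/bin/sh
# build_ruleset prints an iptables-restore file. Order matters: iptables stops
# at the first matching rule, so loopback and established-connection accepts
# come first, and the explicit block comes before any ACCEPT it must override.
build_ruleset() {
    blocked_ip="${1:-203.0.113.10}"   # constructed placeholder address
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: many local services rely on 127.0.0.1 (section 11)
-A INPUT -i lo -j ACCEPT
# replies to connections we opened, before any port-specific rule (section 17)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed packets (section 18)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# explicit block must precede the ACCEPT rules that would otherwise match it (section 3)
-A INPUT -s $blocked_ip -j DROP
# SSH: at most 3 concurrent connections per client address (section 13)
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -p tcp --dport 22 -j ACCEPT
# HTTP/HTTPS: rate-limited accept; excess falls through to the DROP policy (section 9)
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
COMMIT
EOF
}

# check_order verifies that the ESTABLISHED,RELATED accept appears before the
# first explicit DROP in INPUT; otherwise return traffic is silently discarded.
check_order() {
    est=$(printf '%s\n' "$1" | grep -n 'ESTABLISHED' | head -1 | cut -d: -f1)
    drop=$(printf '%s\n' "$1" | grep -n '^-A INPUT.*-j DROP' | head -1 | cut -d: -f1)
    if [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]; then
        return 0
    fi
    return 1
}

# Usage: build_ruleset > /tmp/iptables.rules && check_order "$(cat /tmp/iptables.rules)"
```

Load the reviewed file with iptables-restore < /tmp/iptables.rules, as in section 16.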