20 IPTables Firewall Rules and How to Use Them


IPTables organises its rules into built-in and user-defined "chains"; an administrator attaches packet-processing rules to each chain.

  • FILTER: the default table for filtering packets. Its built-in chains are:
    • INPUT: processes packets destined for the local host
    • FORWARD: processes packets routed through this host
    • OUTPUT: processes packets generated by the local host
  • NAT: the table that implements network address translation. Its built-in chains are:
    • PREROUTING: processes packets as soon as they are received
    • OUTPUT: processes locally generated packets
    • POSTROUTING: processes packets just before they leave
  • MANGLE: the table for modifying packets. It has 5 chains:
    • PREROUTING: handles incoming connections
    • OUTPUT: handles locally generated packets
    • INPUT: handles packets addressed to the local host
    • POSTROUTING: handles packets just before they leave
    • FORWARD: handles packets forwarded through this host

Below, from simple to advanced, are the 20 IPTables rules that Linux administrators use most often.

1. Start, stop and restart IPTables

Although IPTables is not a service in itself, Linux still lets you manage its state the same way as a service.

On systemd-based systems:

systemctl start iptables

systemctl stop iptables

systemctl restart iptables

On SysVinit-based systems:

/etc/init.d/iptables start

/etc/init.d/iptables stop

/etc/init.d/iptables restart

1. Check the IPtables firewall policy

You can view the current IPtables firewall policy with the following command:

iptables -L -n -v

The command should return output like the figure below:

The above command checks the default FILTER table. If you only want to view a specific table, pass its name with the -t parameter. For example, to see only the rules in the NAT table, use:

iptables -t nat -L -v -n

2. Block an IP address

If you find an IP address launching attacks or sending abnormal traffic to the server, you can block it with the following rule:

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Note that xxx.xxx.xxx.xxx above must be replaced with the actual IP address to block. The -A parameter appends this rule to the end of the INPUT chain. (IPTables matches rules from top to bottom; once a rule matches, matching does not continue further down.)

If you only want to block TCP traffic, use the -p parameter to specify the protocol, for example:

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP

3. Unblock an IP address

To unblock a previously blocked IP address, delete the rule with the following command:

iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

The -D parameter deletes one or more rules from the chain.
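As an added example (not from the original post), here is a small shell helper that wraps the block and unblock rules from sections 2 and 3: it validates the address before it reaches iptables, uses -C so the same rule is never added twice, and inserts the DROP at the top of INPUT with -I so it is matched before any ACCEPT rule appended earlier. The IPTABLES variable and the function names are my own.

```shell
#!/bin/sh
# Added helper (not from the original post). Assumes iptables is in PATH and
# the script runs as root. IPTABLES is a hypothetical override for testing.
IPTABLES="${IPTABLES:-iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  case "$1" in
    */*) [ "${1#*/}" -le 32 ] || return 1 ;;
  esac
  for octet in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Block an address on INPUT. Returns 2 for a malformed address without
# touching the firewall, 0 otherwise.
block_ip() {
  is_ipv4 "$1" || { echo "block_ip: invalid address: $1" >&2; return 2; }
  # -C exits 0 when an identical rule already exists; skip duplicates.
  if $IPTABLES -C INPUT -s "$1" -j DROP 2>/dev/null; then
    echo "already blocked: $1"
    return 0
  fi
  # -I INPUT 1 puts the rule at the top of the chain. Rules are matched top
  # to bottom, so a DROP appended with -A below an ACCEPT for ESTABLISHED
  # traffic would never see a connection that is already open.
  $IPTABLES -I INPUT 1 -s "$1" -j DROP
}

# Remove every copy of the block rule for an address.
unblock_ip() {
  is_ipv4 "$1" || { echo "unblock_ip: invalid address: $1" >&2; return 2; }
  while $IPTABLES -C INPUT -s "$1" -j DROP 2>/dev/null; do
    $IPTABLES -D INPUT -s "$1" -j DROP || return 1
  done
  return 0
}
```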

4. Close specific ports with IPtables

We often need to block a specific network port, and IPtables can close a specific port.

Block specific outgoing connections:

iptables -A OUTPUT -p tcp --dport xxx -j DROP

Block specific incoming connections:

iptables -A INPUT -p tcp --dport xxx -j DROP

5. Control multiple ports with multiport

With multiport we can specify several ports in a single rule, for example:

iptables -A INPUT  -p tcp -m multiport --dports 22,80,443 -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT

6. Use an IP address range in a rule

In IPtables an IP address range can be written directly in CIDR notation, for example:

iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT

7. Configure port forwarding

Sometimes we need Linux to forward traffic for a service to another port; the following command does that:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525

The above command redirects all traffic arriving on port 25 of the eth0 NIC to port 2525.

8. Mitigate a flood attack on an HTTP service

Sometimes a user initiates a large number of connection requests to a service, such as HTTP on port 80; we can then enable the following rule:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT

The above command limits connections to 100 per minute, with an upper burst limit of 200.

9. Prohibit PING

To stop Linux answering PING, block incoming ICMP with the following rule:

iptables -A INPUT -p icmp -i eth0 -j DROP

10. Allow access to the loopback adapter

Access to the loopback interface (127.0.0.1) is important, and we recommend keeping it open:

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

11. Block a specified MAC address

The following rule blocks a specified MAC address:

iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

12. Limit concurrent connections

If you do not want too many concurrent connections on a specific port, use the following rule:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

The above rule limits each client to no more than 3 connections.

13. Flush IPtables rules

To flush all IPtables chains, use:

iptables -F

To flush a specific table, specify it with the -t parameter, for example:

iptables -t nat -F

14. Save IPtables rules

By default, rules an administrator adds to IPtables take effect immediately. But because the rules are kept only in memory, they are lost when the system reboots. To save IPtables rules permanently, use the iptables-save command:

iptables-save > ~/iptables.rules

The file name can be whatever you choose.

15. Restore IPtables rules

Where there is saving there is naturally restoring: use the iptables-restore command to load the saved rules:

iptables-restore < ~/iptables.rules

16. Allow established and related connections

Because inbound and outbound network traffic are handled separately, to allow established and related incoming connections use the following rule:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The rule to allow established outgoing connections:

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

17. Drop invalid packets

Many network attacks start from malformed packets crafted by attackers; we can drop invalid packets with the following command:

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

18. Block outgoing mail with IPtables

If your system will never be used to send e-mail, we can block the outgoing SMTP ports with this rule:

iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT

19. Block connections on a specific NIC

If your system has several network cards, we can restrict which IP range may access a particular card:

iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

The source address can be a single IP or a CIDR range.
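As an added example that is not part of the original post, the function below assembles the post's rules from sections 8, 9, 10, 12, 16 and 17 into one filter-table ruleset in the iptables-restore format of section 15, so that rule order (section 2: first match wins) is fixed in a file instead of depending on the order commands were typed. It assumes IPv4 only, SSH on port 22, HTTP/HTTPS on ports 80/443 and eth0 as the public NIC; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Emits a filter-table ruleset in
# iptables-restore format; load it with:  gen_filter_rules | iptables-restore
# Assumptions: IPv4 only, SSH on 22, HTTP/HTTPS on 80/443, eth0 is the public NIC.
gen_filter_rules() {
  cat <<'EOF'
*filter
# Default policies: anything INPUT/FORWARD does not explicitly accept is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first (section 10): local services talk to 127.0.0.1 constantly.
-A INPUT -i lo -j ACCEPT
# Invalid packets (section 17) are dropped before any rule could accept them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections we already track (section 16).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH: at most 3 concurrent connections per client (section 12), then accept
# new SSH and HTTPS connections in one multiport rule (section 5).
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -p tcp -m multiport --dports 22,443 -j ACCEPT
# HTTP rate limit (section 8). The ACCEPT alone limits nothing: a packet over
# the limit simply fails to match and falls through to the rules below, so an
# explicit DROP follows it rather than relying on whatever comes later.
-A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-A INPUT -p tcp --dport 80 -j DROP
# Drop ICMP on eth0 (section 9); redundant under a DROP policy, but explicit.
-A INPUT -p icmp -i eth0 -j DROP
COMMIT
EOF
}

# Print the 1-based line number of the first non-comment rule line matching
# the pattern in $1 (0 when nothing matches), so rule order can be checked.
rule_index() {
  idx=$(gen_filter_rules | grep -v '^#' | grep -n -- "$1" | head -n 1 | cut -d: -f1)
  echo "${idx:-0}"
}
```

Review the generated file with a plain text editor before loading it; iptables-restore replaces the whole filter table in one step, so a mistake takes effect atomically too.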


Source: www.cnblogs.com/gytbolg/p/11013365.html