
Software firewall iptables under linux – view and clear rules, define default policies – linux operation and maintenance

A firewall is a way to restrict which IP addresses or users may access a host. There are two kinds: hardware firewalls and software firewalls. Software firewalls are mainly used to filter packets, while hardware firewalls both filter packets and absorb malicious traffic such as DDoS attacks. Here we explain the software firewall under Linux: iptables.

iptables and firewalld

Under CentOS 6 the default software firewall is iptables; under CentOS 7 it is firewalld. What is the connection between them? firewalld is a newer management layer packaged on top of the original iptables.

When learning iptables, it is recommended to stop firewalld first and start iptables:

yum install iptables-services
systemctl stop firewalld
systemctl start iptables

table and chain of iptables

Different iptables tables serve different functions; there are 4 tables by default:

  • filter (packet filtering)

  • nat (address translation)

  • mangle

  • raw

Each table has its own rule chains:

  • filter (INPUT/OUTPUT/FORWARD)

  • nat (PREROUTING/OUTPUT/POSTROUTING)

The meaning of these chains is as follows:

  • INPUT chain – incoming data packets apply the rules in this rule chain

  • OUTPUT chain – apply the rules in this rule chain to outgoing packets

  • FORWARD chain – apply the rules in this rule chain when forwarding packets

  • PREROUTING chain – apply the rules in this chain before routing packets

  • POSTROUTING chain – apply the rules in this chain after the packet has been routed

iptables rule view and clear

Rule View

Example of usage: iptables [-t tables] -L [-nv]

Options and parameters:

  • -t is followed by the table name; if this option is omitted, the filter table is used.

  • -L lists the rules of the current table

  • -n does not resolve IP addresses to host names (no reverse lookup), which is faster

  • -v shows more information (packet and byte counters, interfaces)

# View the rules of the filter table
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   67 4444 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
    2 286 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 38 packets, 4664 bytes)
 pkts bytes target prot opt in out source destination

# View the rules of the nat table
iptables -t nat -L -nv

The meaning of the rule options under the chain is as follows:

  • target: the action taken; ACCEPT lets the packet through, DROP silently discards it, REJECT discards it and sends an error back (here reject-with icmp-host-prohibited)

  • prot: the packet protocol matched, including tcp, udp and icmp

  • opt: option information

  • source: restricts the source host or network

  • destination: restricts the destination host or network

The five rules of the INPUT chain shown above have the following meanings:

  1. As long as the packet belongs to an existing connection (state RELATED or ESTABLISHED), it is accepted

  2. As long as it is an icmp packet, it is accepted

  3. As long as it arrives on the local loopback interface (lo), all data is accepted

  4. As long as it is a TCP packet opening a new connection (state NEW) to port 22, it is accepted

  5. Reject all other packets

Clear the rules of iptables

After a default CentOS 7 installation, the system already has many iptables rules. Here I will show you how to clear these rules.

Usage example: iptables [-t tables] [-FXZ]

Options and parameters:

  • -F flushes all rules in all chains of the table

  • -X deletes all user-defined (custom) chains

  • -Z sets all packet and byte counters to zero

# iptables -F
# iptables -X
# iptables -Z

View specific rules

Use iptables-save to view the specific rules, printed as the exact commands that built them.

Usage: iptables-save [-t tables]

# iptables-save -t filter
# Generated by iptables-save v1.4.21 on Sat Nov 14 21:51:56 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

# Completed on Sat Nov 14 21:51:56 2020
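The iptables-save format above is easy to audit with a few lines of shell. The script below (an added example, not part of the original article) parses a constructed copy of that listing: it reads each chain's declared policy from the ":CHAIN POLICY [...]" header, counts its -A rules, and reports the effective fate of an unmatched packet. Note the point it exposes: because the INPUT and FORWARD chains end in an unconditional "-j REJECT", their ACCEPT policy is never reached.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, mirroring the filter table
# listed above (not a capture from a real host).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# chain_policy RULES CHAIN: the declared default policy (":CHAIN POLICY [...]")
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}
# rule_count RULES CHAIN: number of rules appended (-A) to CHAIN
rule_count() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }'
}
# catch_all RULES CHAIN: target of the first rule in CHAIN that has no match
# expression at all ("-A CHAIN -j TARGET") and a terminal target. Such a rule
# means later rules and the default policy are never consulted. Prints NONE
# when every rule carries some match.
catch_all() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c && $3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT)$/ && !hit { hit = 1; print $4 }
        END { if (!hit) print "NONE" }'
}
# effective_policy RULES CHAIN: what really happens to a packet matching none
# of the specific rules: the catch-all target if present, else the policy
effective_policy() {
    t=$(catch_all "$1" "$2")
    if [ "$t" = NONE ]; then chain_policy "$1" "$2"; else printf '%s\n' "$t"; fi
}
# report RULES: one summary line per chain of the filter table
report() {
    for ch in INPUT FORWARD OUTPUT; do
        printf '%-8s policy=%-6s rules=%s effective=%s\n' "$ch" \
            "$(chain_policy "$1" "$ch")" "$(rule_count "$1" "$ch")" "$(effective_policy "$1" "$ch")"
    done
}
report "$SAMPLE_RULES"
```

On a live host the same functions work on real output, e.g. report "$(iptables-save -t filter)".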

Define Default Policy

Once the rules are cleared, only the default policy is left. The default policy is what applies to a packet that matches none of the rules in a chain. The default policies are ACCEPT (accept packets) and DROP (drop packets).

Usage: iptables [-t tables] -P [INPUT|OUTPUT|FORWARD…] [ACCEPT|DROP]

Now we try to set the default policy of the filter INPUT chain to DROP, and the OUTPUT and FORWARD chains to ACCEPT:

iptables -t filter -P INPUT DROP
# Note: once the rules have been cleared, this command drops incoming SSH packets too, so your terminal may be disconnected
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
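The disconnection warning above comes from ordering: if the INPUT policy becomes DROP while the chain is empty, the SSH session's own packets are dropped. The script below (an added example, not from the original article) rebuilds the filter table from the listing above in a lockout-safe order: it flushes while the policy is still ACCEPT, appends the ESTABLISHED, loopback, icmp and SSH accepts, and only then flips the policy. SSH_PORT, ADMIN_NET and the DRY_RUN switch are assumptions added here for testing; with DRY_RUN set, the commands are printed instead of executed.

```shell
#!/bin/sh
# SSH_PORT and ADMIN_NET are assumed defaults; narrow ADMIN_NET to the
# management network from which administrators actually connect.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-0.0.0.0/0}"

# run CMD...: execute the command, or only print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_baseline() {
    # 1. reset the filter table while the INPUT policy is still ACCEPT
    run iptables -t filter -F
    run iptables -t filter -X
    run iptables -t filter -Z
    # 2. accept replies to connections we started, loopback, icmp, new SSH
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -p icmp -j ACCEPT
    run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    # 3. last of all, close the door: unmatched incoming packets are dropped
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    run iptables -t filter -P INPUT DROP
}

# dry_run_plan: the command list that would be executed, one per line
dry_run_plan() {
    ( DRY_RUN=1; apply_baseline )
}

# policy_is_last: the final command must be the one that sets INPUT to DROP
policy_is_last() {
    dry_run_plan | tail -n 1
}

dry_run_plan
```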

This article is from the internet and does not represent 1024programmer's position. Please indicate the source when reprinting: https://www.1024programmer.com/software-firewall-iptables-under-linux-view-and-clear-rules-define-default-policies-linux-operation-and-maintenance/

author: admin
