A previous article introduced the iptables firewall and showed how to view and clear rules. Today's article demonstrates how to write firewall rules. In day-to-day work, rules are written mainly for the filter table, so the demonstration below concentrates on the filter table.
Preparation
Before writing any rules, stop the firewalld service, start the iptables service, and then clear the existing rules:
# systemctl stop firewalld
# systemctl start iptables
# iptables -F    # flush all rules in every chain of the filter table
# iptables -X    # delete user-defined chains
# iptables -Z    # zero the packet and byte counters
Adding rules
iptables takes many options when a rule is added to a chain. The basic usage is:
iptables [-t table] -A|I chain [-i|o interface] [-m state] [--state packet-state] \
    [-p protocol] [-s source-address --sport port-range] [-d destination-address --dport port-range] \
    -j [ACCEPT|DROP|REJECT]
Options and parameters:
- -A|I chain: A appends the rule after the existing rules, I inserts it at the front of the chain
- -i|o interface: i is the interface on which the packet enters and is used with the INPUT or PREROUTING chain; o is the interface from which the packet leaves and is used with the OUTPUT chain
- -p: common protocols are tcp, udp, icmp and all
- -m state: match on the connection-tracking state of the packet
- --state: common states are INVALID (invalid packet), ESTABLISHED (connection already established), NEW (packet opening a new connection), RELATED (new connection associated with an existing one)
- -s: source address, either a host IP such as 192.168.1.110 or a network address such as 192.168.1.0/24
- -d: destination address
- -j: the action to take; the common targets are ACCEPT (accept), DROP (discard silently) and REJECT (reject and notify the sender)
Rule formulation for ip, network, and network card interface
Below are several rule examples. First, allow traffic from 192.168.1.110 and drop traffic from 192.168.1.111:
# iptables -A INPUT -s 192.168.1.110 -j ACCEPT
# iptables -I INPUT -s 192.168.1.111 -j DROP
# iptables -vnL
Chain INPUT (policy ACCEPT 33 packets, 3048 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18 packets, 1844 bytes)
 pkts bytes target     prot opt in     out     source               destination
Allow access from the 192.168.1.0/24 network:
# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 2328 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1460 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now consider a question: will a packet from 192.168.1.111 be accepted or dropped? According to the first rule in INPUT it is dropped, but according to the last rule it is accepted. The answer is that it is dropped: once a packet matches a rule, the rules after it are not evaluated, so the order of the rules in a chain matters a great deal.
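To make the ordering point concrete, here is an added dry-run script (not from the original article) that builds a complete INPUT rule set from the cases on this page in first-match order and checks that order before anything is applied. It assumes interface eth0, LAN 192.168.1.0/24 and the hosts 192.168.1.110/.111 used above; the command name is a parameter, so "echo iptables" prints the rules and "iptables" (run as root) applies them.

```shell
# Added example, not from the original article. Builds the INPUT rules from
# the cases on this page in first-match order and checks that order before
# applying. Assumes eth0, LAN 192.168.1.0/24 and the hosts .110/.111 above.
LAN="192.168.1.0/24"
IFACE="eth0"

# $1 is the command to run: "echo iptables" for a dry run, "iptables" (as root)
# to apply the rules for real.
build_input_rules() {
    ipt="$1"
    $ipt -F INPUT
    # loopback first: local services talk to themselves over lo
    $ipt -A INPUT -i lo -j ACCEPT
    # replies to tracked connections are accepted early; INVALID is dropped
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -m state --state INVALID -j DROP
    # the host DROP must come before the broader LAN ACCEPT: the first
    # matching rule decides, so the reverse order would let .111 in
    $ipt -A INPUT -s 192.168.1.111 -j DROP
    $ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 3306 -j DROP
    # anything not matched above is dropped
    $ipt -A INPUT -j DROP
}

# Dry-run listing of the -A INPUT rules, in the order "iptables -S INPUT"
# would show them on a live host.
list_rules() {
    build_input_rules "echo iptables" | grep -F -- '-A INPUT'
}

# 1-based position of the first rule containing the fixed string $1.
rule_position() {
    list_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Checks to run before applying: the ESTABLISHED rule sits above the first
# DROP, and the host DROP sits above the LAN ACCEPT, so no rule is shadowed.
check_order() {
    est=$(rule_position 'RELATED,ESTABLISHED')
    first_drop=$(rule_position '-j DROP')
    host_drop=$(rule_position '-s 192.168.1.111 -j DROP')
    lan_accept=$(rule_position "-s $LAN -p tcp --dport 22")
    [ "$est" -lt "$first_drop" ] && [ "$host_drop" -lt "$lan_accept" ]
}

check_order && list_rules
```

Swapping the two `-s` rules in build_input_rules makes check_order fail, which is exactly the shadowing the question above describes.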
Next case: allow all traffic on the local loopback interface lo.
# iptables -A INPUT -i lo -j ACCEPT
Rule formulation for ports
Block all packets arriving on eth0 for local TCP port 21:
# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Open the ports from 1024 to 65534. A continuous range of ports is written as first:last.
# iptables -A INPUT -i eth0 -p tcp --dport 1024:65534 -j ACCEPT
Let's look at two more comprehensive rules.
Port 3306 on this machine is not open to the 192.168.1.0/24 network.
The ssh service on this machine does not accept packets whose source port is in the range 1024:65535 from the 192.168.1.0/24 network.
# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 3306 -j DROP
# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
    --sport 1024:65535 --dport 22 -j DROP
Rule formulation for connection status of data packets
The common states of data packets are INVALID (invalid data packet), ESTABLISHED (successfully connected state), NEW (newly established data packet), RELATED (new connection and existing connection associated).
Accept all packets in the ESTABLISHED and RELATED states, and discard all packets in the INVALID state:
# iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP
Deleting rules
Deleting a rule is basically the same as adding one, except that -A is replaced by -D. Let's delete a few rules.
# iptables-save
# Generated by iptables-save v1.4.21 on Sun Nov 15 22:36:41 2020
*filter
:INPUT ACCEPT [4:1920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1380]
-A INPUT -s 192.168.1.111/32 -j DROP
-A INPUT -s 192.168.1.110/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
...
# iptables -t filter -D INPUT -s 192.168.1.111/32 -j DROP
# iptables -D INPUT -s 192.168.1.110/32 -j ACCEPT
Note: the iptables settings above are held only in memory and disappear after the system is restarted. So as long as you do not lock yourself out, feel free to practice.
To save the rules so that they survive a restart, run /usr/libexec/iptables/iptables.init save.