
Software firewall iptables under linux – definition and deletion of rules – linux operation and maintenance

The introduction to the iptables firewall, and how to view and clear rules, were covered in a previous article. Today we demonstrate how to write firewall rules. In day-to-day work most rules are written for the filter table, so the demonstration here uses the filter table.

Preparation

Before writing any rules, we first stop the firewalld service, start the iptables service, and then clear the existing rules:

# systemctl stop firewalld
# systemctl start iptables
# iptables -F
# iptables -X
# iptables -Z

Adding rules

There are many options when adding an iptables rule; the basic usage is:

iptables [-t table] -A|I chain [-i|o interface] [-m state] [--state packet-state] \
 > [-p protocol] [-s source-address --sport port-range] [-d destination-address --dport port-range] \
 > -j [ACCEPT|DROP|REJECT]

Options and parameters:

  • -A|I chain: A appends the rule after the existing rules, I inserts it at the front

  • -i|o interface: i is the network interface the packet enters through and is used with the INPUT or PREROUTING chain; o is the interface the packet leaves through and is used with the OUTPUT chain

  • -p: common protocols are tcp, udp, icmp and all

  • -m state: match on the connection state of the packet

  • --state: common states are INVALID (invalid packet), ESTABLISHED (connection successfully established), NEW (packet starting a new connection), RELATED (new connection associated with an existing connection)

  • -s: source address, either a host address such as 192.168.1.110 or a network address such as 192.168.1.0/24

  • -d: destination address

  • -j: the action to take; the common ones are ACCEPT (accept), DROP (discard silently), REJECT (reject)

Rules for IP addresses, networks and network interfaces

Below are several example rules. Allow traffic from 192.168.1.110 and deny traffic from 192.168.1.111:

# iptables -A INPUT -s 192.168.1.110 -j ACCEPT
# iptables -I INPUT -s 192.168.1.111 -j DROP

# iptables -vnL
Chain INPUT (policy ACCEPT 33 packets, 3048 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 18 packets, 1844 bytes)
 pkts bytes target     prot opt in     out     source               destination

Allow access from the 192.168.1.0/24 network:

# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 2328 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 15 packets, 1460 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now consider: will a packet from 192.168.1.111 be accepted or rejected? Judging by the first INPUT rule it is dropped, but by the last one it is accepted. The answer is that it is dropped. As soon as a packet matches one rule, the rules after it are not consulted, so the order of the rules in a chain matters a great deal.
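To make the first-match behaviour concrete, here is a small shell model of an INPUT chain (added for this article, not part of the original text or of iptables itself). It keeps rules as "SOURCE TARGET" lines, reproduces the effect of -A (append) and -I (insert at the top), and returns the target of the first rule whose source matches the packet, falling back to the chain policy. The rule list, the sample packets and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): a model of how the INPUT chain
# evaluates rules, first match wins, to show why 192.168.1.111 is still dropped
# after "-A INPUT -s 192.168.1.0/24 -j ACCEPT" was appended.
# Rules are kept as lines of "SOURCE TARGET" in chain order.

INPUT_RULES=''

# rule -A|-I SOURCE TARGET: -A appends at the end of the chain, -I inserts at
# the top, mirroring the two iptables options.
rule() {
    if [ "$1" = "-I" ]; then
        INPUT_RULES="$2 $3${INPUT_RULES:+
$INPUT_RULES}"
    else
        INPUT_RULES="${INPUT_RULES:+$INPUT_RULES
}$2 $3"
    fi
}

# ip2int DOTTED: IPv4 address as a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_match IP NETWORK[/BITS]: true if IP lies in NETWORK (a bare address is /32).
cidr_match() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict SOURCE_IP POLICY: target of the first matching rule, else the chain policy.
verdict() {
    hit=$(printf '%s\n' "$INPUT_RULES" | while read -r src target; do
        [ -n "$src" ] || continue
        if cidr_match "$1" "$src"; then
            echo "$target"
            break                       # later rules are never consulted
        fi
    done)
    echo "${hit:-$2}"
}

# The article's three commands, in the order they were run.
rule -A 192.168.1.110 ACCEPT
rule -I 192.168.1.111 DROP
rule -A 192.168.1.0/24 ACCEPT

printf 'Chain INPUT (policy ACCEPT)\n%s\n\n' "$INPUT_RULES"
for ip in 192.168.1.111 192.168.1.110 192.168.1.50 10.0.0.5; do
    printf 'packet from %-14s -> %s\n' "$ip" "$(verdict "$ip" ACCEPT)"
done
```

Running the script shows 192.168.1.111 dropped by the first rule, 192.168.1.110 and 192.168.1.50 accepted, and 10.0.0.5 falling through to the policy. Swapping the -I for -A on the DROP rule would place it after the /24 ACCEPT, and the same model then accepts 192.168.1.111, which is exactly the ordering trap the article warns about.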

Next case: allow all traffic on the local loopback interface lo:

# iptables -A INPUT -i lo -j ACCEPT

Rules for ports

Block all packets arriving at local port 21:

# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Open ports 1024 to 65534. A continuous range of ports is written as port:port:

# iptables -A INPUT -i eth0 -p tcp --dport 1024:65534 -j ACCEPT

Let's look at two combined rules:

Port 3306 on this machine is not open to the network 192.168.1.0/24.

The ssh service on this machine does not accept packets coming from source ports 1024:65535 of the network 192.168.1.0/24.

# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 3306 -j DROP
# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
 > --sport 1024:65535 --dport 22 -j DROP

Rules for the connection state of packets

The common packet states are INVALID (invalid packet), ESTABLISHED (connection successfully established), NEW (packet starting a new connection) and RELATED (new connection associated with an existing one).

Accept all packets in the ESTABLISHED and RELATED states, and drop all packets in the INVALID state:

# iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP
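The port rules and the state rules above are normally loaded together, and the order in which they land in the chain decides whether an administrator keeps their session. The script below is an added example (not from the original article) that assembles them into one file in iptables-restore format and checks the ordering before the file is used: the loopback and RELATED,ESTABLISHED rules must precede any DROP, and the ACCEPT for the host 192.168.1.110 must precede the rules that drop traffic from its network 192.168.1.0/24. The interface eth0, the choice of 192.168.1.110 as the administrator's host, and the function names are assumptions taken from the article's examples.

```shell
#!/bin/sh
# Added example (not from the original article): assemble the article's port and
# state rules into one iptables-restore file, ordered so that the rules that keep
# an administrator's session alive (loopback, ESTABLISHED/RELATED, the ACCEPT for
# the admin host 192.168.1.110) come before the DROP rules aimed at 192.168.1.0/24.
# Assumptions: the interface is eth0 and 192.168.1.110 is the admin host.

IFACE=eth0

# build_ruleset: print the ruleset in iptables-restore format. Lines that begin
# with "#" are comments and are ignored by iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. keep-alive rules: loopback and replies to connections we already have
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# 2. the admin host is accepted before any rule that drops its network
-A INPUT -s 192.168.1.110 -j ACCEPT
# 3. the article's port rules
-A INPUT -i $IFACE -s 192.168.1.0/24 -p tcp --dport 3306 -j DROP
-A INPUT -i $IFACE -p tcp -s 192.168.1.0/24 --sport 1024:65535 --dport 22 -j DROP
-A INPUT -i $IFACE -p tcp --dport 21 -j DROP
-A INPUT -i $IFACE -p tcp --dport 1024:65534 -j ACCEPT
COMMIT
EOF
}

# line_no RULES PATTERN: 1-based line of the first line containing PATTERN
# (a fixed string), or 0 if it does not occur.
line_no() {
    n=$(printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1)
    n=${n%%:*}
    echo "${n:-0}"
}

# before RULES PAT_A PAT_B: true if both patterns occur and PAT_A comes first.
before() {
    a=$(line_no "$1" "$2"); b=$(line_no "$1" "$3")
    [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -lt "$b" ]
}

# check_order RULES: succeed only if the keep-alive rules precede the first
# "-j DROP" and the admin host's ACCEPT precedes the first rule on its network.
check_order() {
    before "$1" '-i lo' '-j DROP' &&
    before "$1" 'RELATED,ESTABLISHED' '-j DROP' &&
    before "$1" '-s 192.168.1.110 -j ACCEPT' '-s 192.168.1.0/24'
}

RULES=$(build_ruleset)
printf '%s\n' "$RULES"
if check_order "$RULES"; then
    echo "# order check passed; dry-run with: iptables-restore --test < rules.v4"
else
    echo "# order check FAILED: a DROP precedes a keep-alive rule" >&2
    exit 1
fi
```

Save the printed text to a file and load it with iptables-restore; the --test option parses the file without committing it, which catches syntax errors before anything touches the live chains. The article keeps the INPUT policy at ACCEPT, and this example does the same; with a default policy of DROP the same ordering check becomes even more important, because then every service that is not explicitly accepted is cut off.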

Deleting rules

Deleting a rule uses the same syntax as adding one, with -D in place of -A. Let's delete a few rules:

# iptables-save
# Generated by iptables-save v1.4.21 on Sun Nov 15 22:36:41 2020
*filter
:INPUT ACCEPT [4:1920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1380]
-A INPUT -s 192.168.1.111/32 -j DROP
-A INPUT -s 192.168.1.110/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
...

# iptables -t filter -D INPUT -s 192.168.1.111/32 -j DROP
# iptables -D INPUT -s 192.168.1.110/32 -j ACCEPT

Note: the iptables settings above are kept only in memory and disappear when the system is restarted. So feel free to practice, as long as you don't lock yourself out.

If you want to keep the rules, run /usr/libexec/iptables/iptables.init save to save them.

This article is from the internet and does not represent the position of 1024programmer; please indicate the source when reprinting: https://www.1024programmer.com/software-firewall-iptables-under-linux-definition-and-deletion-of-rules-linux-operation-and-maintenance/

author: admin
