In the previous articles I introduced the tables and chains of iptables and how to add rules to a chain. Here I want to share a simple firewall rule set, mainly rules for the INPUT chain of the filter table. This article is a practical iptables exercise to help you consolidate what you have learned.
The rules applied are as follows:
- Clear existing rules: flush all of the original rules.
- Set the default policy: set the default policy of the filter table's INPUT chain to DROP and leave the others at ACCEPT.
- Trust this machine: the loopback interface lo must be trusted.
- Response packets: packets that answer requests the host itself initiated may enter the machine (ESTABLISHED/RELATED).
- Reject invalid packets: drop packets whose connection-tracking state is INVALID.
- Whitelist: trust certain IP addresses or networks.
- Blacklist: block untrusted IP addresses or networks.
- Allow ICMP: let ICMP packets through.
- Open some ports: service ports that must be reachable from outside, such as 80, 443 and 22.
We are going to create three shell script files: iptables.rule, iptables.allow (the whitelist) and iptables.deny (the blacklist). I usually create the directory /etc/iptables first and keep all three files there.
Next, let's look at the content of iptables.rule:
```bash
#!/bin/bash
# iptables rule

# clear default rules
iptables -F
iptables -X
iptables -Z

# Modify the default policy
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# trust this machine
iptables -A INPUT -i lo -j ACCEPT

# response packet
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# reject invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# whitelist
if [ -f "/etc/iptables/iptables.allow" ]; then
    sh /etc/iptables/iptables.allow
fi

# blacklist
if [ -f "/etc/iptables/iptables.deny" ]; then
    sh /etc/iptables/iptables.deny
fi

# Allow icmp packets
iptables -A INPUT -p icmp -j ACCEPT

# Open some ports
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # ssh service
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # www service
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # ssl

# save rules
/usr/libexec/iptables/iptables.init save
```
In iptables.allow we generally write the trusted IP addresses or networks. For example, if the LAN the host sits in is 192.168.1.0/24 and you want to trust the hosts in that LAN, you can write in this file:
```bash
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
```
iptables.deny is used to keep traffic from malicious IP addresses out of the machine. To block the IP 8.210.247.5, for example, you can write in this file:
```bash
iptables -A INPUT -s 8.210.247.5/32 -j DROP
```
At the end of iptables.rule we run the command that saves the firewall rules. Note that without this command the rules only take effect temporarily: when iptables is restarted or the system reboots, the rules we set are lost.
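The script above executes iptables.allow and iptables.deny with `sh`, so whatever is written in those files runs as root. The following is an added example, not the article's script, showing a stricter variant of the same three-file layout: the list files hold one IPv4 address or CIDR per line (with `#` comments), each entry is validated before it becomes a rule, and the rule set is printed to stdout in the article's order so it can be reviewed before being applied. The default paths under /etc/iptables and the ports 22, 80 and 443 come from the article; the function names, the regular expression and the list-file format are my own choices.

```bash
#!/bin/bash
# Added example (not from the article): build the article's INPUT-chain rule set
# from address-only whitelist/blacklist files, validate every entry, and print
# the iptables commands so they can be reviewed and then piped to sh as root.

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix. Anything
# else (including shell metacharacters) is rejected, so a malformed list line
# can never turn into a command.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print "iptables -A INPUT -s <addr> -j <target>" for each valid line of a list
# file. Blank lines and '#' comments are skipped; invalid lines are reported on
# stderr and ignored. Returns 1 if any line was rejected, 0 otherwise.
emit_list() {
    local file target rc line
    file=$1; target=$2; rc=0
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                 # drop trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')  # drop surrounding whitespace
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            printf 'iptables -A INPUT -s %s -j %s\n' "$line" "$target"
        else
            printf 'skipping invalid entry in %s: %s\n' "$file" "$line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Emit the complete rule set in the same order as the article's iptables.rule:
# flush, default policies, loopback, conntrack, whitelist, blacklist, icmp, ports.
# Arguments: [allow-file] [deny-file] ["port port ..."]. Returns 1 if any list
# entry was rejected so the caller can refuse to apply an incomplete rule set.
gen_rules() {
    local allow deny ports bad p
    allow=${1:-/etc/iptables/iptables.allow}
    deny=${2:-/etc/iptables/iptables.deny}
    ports=${3:-"22 80 443"}
    bad=0
cat <<'EOF'
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
EOF
    emit_list "$allow" ACCEPT || bad=1
    emit_list "$deny" DROP || bad=1
    echo 'iptables -A INPUT -p icmp -j ACCEPT'
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    return $bad
}

# Usage: review with `gen_rules`, then apply as root with `gen_rules | sh`
# followed by the article's save command.
```

Because iptables evaluates the chain in order, the whitelist rules being emitted before the blacklist means an address that appears in both files is accepted; swap the two `emit_list` calls if the blacklist should win. After applying, `iptables -L INPUT -n --line-numbers` shows the resulting order.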