Use iptables
Original Source: http: //www.unixreview.com/articles/2001/0104/0104l/0104l.htm Author: Joe "Zonker" Brockmeier Compile: ideal
In the previous article, we discussed how to implement support for Netfilter Framers and IPTables in the Linux 2.4 kernel. In this article, we will continue to discuss the basic syntax of IPTALBES and how to create a basic firewall.
If you are still using Linux2.2.x kernel, you will not be able to use the IPTALBES tool, however, you want to know more about iptables regarding the migration to 2.4 core-based preparation. Currently, the stable latest version core is 2.4.5, and the latest stable version of iptables is 1.2.2. You can access the home page of the Netfilter Framework at the following address:
Netfilter.samba.org/,
Netfilter.gnumonks.org or
Netfilter.filewatcher.org. At the same time, I posted a pair on April 16
IP_CONNTRACK_FTP security weakness patch. I hope that the complete description of this security weakness can be
Http://netfilter.samba.org/security-fix/index.html gets, and downloads the patch.
start working
There is no doubt that users need to log in to the system as root, after logging in into the system as root, you may first want to see what settings in the current firewall system, come to see the currently set firewall through the command "iptables -l". Rule, if you want to understand the view details for the firewall settings, you can use the "iptables --list" command to view.
If no rule chain is loaded, the output will be shown below:
By default, there are three rule chains: Input, Output, and Forward, all rule chains have an Accept. That is to say, the system is fully open before configuring any rules.
If you want to use your system as a firewall, then you need to open the IP forwarding switch:
Echo "1"> / proc / sys / net / ipv4 / ip_forward.
Add rule
If there is no rule, iptables will not produce any effect. Let's add some rules to the existing rules chain. If you don't want others to detect your host through the PING tool, you can use the rules below to limit:
iptables -a input -p icmp -j drop
Parameter "-a INPUT" Set IPTables After the IPTables, the parameter "-p ICMP" indicates that the rule is applied to the ICMP protocol, and the parameter "-j DROP" indicates that the data report that matches the rule should be discarded. Ping data sent to the server now, the server will discard the data, so there is no response. Where the protocol name "ICMP" is independent of the size, it can be "ICMP" or "ICMP".
If you need to delete this rule, use the following command to respond to the ping command:
iptables -d input 1
"-D" parameter indicates the first rule in the IPTables tool to delete the first rule in the INPUT rule chain. If there are multiple rules in your rule chain, the command will not affect the rules. At this time, you may want to clear the rules defined by all of the previous commands, you can use the command:
iptables -finput This command indicates all rules in the iptables clearing the INPUT rule chain.
Blocking Telnet connection
Now let's try a slightly complex example. We want to block SSH connections from external networks to the server but allow the SSH connection of the internal network. To prevent users' username and password leakage, all Telnet connects to the external network will be organized.
First set a rule that allows internal network SSH connection servers in the Input Rules chain:
iptables -a input -s 198.168.0.0 -p tcp --dstination-port ssh -j acid
Parameter "-s" Specifies which source address for this rule applies. "--Destination-port" specifies the TCP connection port.
The following rules block all SSH connections from external networks to internal servers:
iptables -ainput -s! 198.168.0.0 -p tcp --dstination-port ssh -j drop
This command and the above command are almost the same command, except that it defines the SSH connection to block the external network. Do not define this rule if you want to connect the internal server in the external network. To make the definition rule work, the host that defines the rule must be a router, and all the data can be controlled by the server, otherwise these rules cannot work. At the same time, pay attention to "!" And back network addresses in the above rules definition must have a space.
Finally, add the following rules to the OUTPUT rules chain to block the outer Telnet connection to the outside.
iptables -a output -p tcp --dstination-port telnet -j drop
This time defined rule is to add to the INPUT chain. When the rule is defined, the user attempts to be blocked when the Telnet link is linked, and the user will not respond. This may cause the user to think that the target server has a problem, so we modify this rule, not discarding Telnet data, but rejects the data:
iptables -f output iptables -a output -p tcp --dstination-port telnet -j repjict
After emptying the Output link, we will use a similar command, just the rule target action turns "reject". At this time, the user Telnet external server will get a link to be rejected.
If you want to allow Telnet link internal servers, empty Output rules will be reset after resetting rules:
iptables -a output -p tcp --dstination-port telnet -d 198.168.0.0 -j accept iptables -a output -p tcp --dstination-port telnet -d! 198.168.0.0 -j respject
You may now apply the "iptables -l" command to view the current definition rules, make sure the rules are entered correctly, and the output is as shown below:
to sum up
In this article, we discussed the basic use of iptables. As you can see, IPTables is not as complex and difficult to use, but it is very powerful and flexible. At present, iptables are still in constant development and maturity. If you have any related questions, you can participate in the mailing list http://lists.samba.org/pipermail/netfilter/0 for consultation.
Resource Link The Netfilter Project HomePage
http://netfilter.samba.org/)
Netfilter Mailing List
Http://lists.samba.org/pipermail/netfilter/)
