[Reserved] IPTables Getting Started - Set Static Firewall
iptables -i rh-firewall-1-input 20 -p TCP -S 211.161.250.232/32 -m State --State New - Dport 3306 -J Acceptiptables -i RH-FireWall-1-Input 20 -P TCP -S 211.161.192.0/24 -m State --State New - Dport 3306 -J ACCEPT
Specify a network address with X.x.x.x / x.x.x.x, such as "192.168.1.0/255.255.255.0";
Specify a network address with xxxx / x, such as "192.168.1.0/24" here 24 indicates that the effective bits of the subnet mask (mask turn into binary), the usual representation of the UNIX environment, the default 32 That is to say, designated 192.168.1.1 is equivalent to 192.168.1.1/32
Introduction: This article is originally original, showing readers how to establish a static firewall one step to protect your computer, and in every step, I try to tell readers to tell the reader. After this tutorial, you will understand that the firewall is in the filtering mechanism, and you can also create a firewall that meets yourself. All rights reserved, reprint, please specify from www.linuxsir.org and write the author LiWeiOP1, iptables Introduction iptables is complex, it is integrated into the Linux kernel. The user can filter the packets of your computer through iptables. Set your rule through the iptables command to keep your computer network - which data is allowed to pass, which cannot be passed, which is recorded (log). Next, I will tell you how to set up my rules, starting now. 2. Initialization works in the shell prompt #, IPTables -FipTables -XipTables -t nat -fiptables -t NAT-t NAT -FIPTABLES -T NAT -X Each command has its exact meaning. Generally set up your iptables before you want to clear all previously set rules, we call it to initialize it. Although there are many cases don't do anything, but insure, you may wish to be careful! If you use redhat or fedora, you have a simpler way service iptables stop3, start setting up rules: Let's take a step below to set your rules IPTables -P input Drop This command will build a very "safe" "The firewall, I am hard to imagine which Hacker can break this machine because it discards all the data from the network into your machine (DROP). This is of course safe, and your machine will be equivalent to no network. If you ping localhost, you will find that the screen has been stopping there, because ping is not received any response. 4. Add the rules followed by continuing to enter commands: iptables -a input -i! PPP0 -J Accept This rule means: accepting all, sources are not data for network interface PPP0. We assume that you have two network interfaces, Eth0 connection LAN, loop is a loop network (LOCALHOST). PPP0 is a general ADSL Internet interface, if you are not this way, it may be Eth1. Here I assume that you are ADSL Internet, your Internet interface is PPP0 at this time, you can allow the local area network access, you can also visit LocalHost to enter the command PING LOCALHOST, and the result will be just the same as just now? At this point, we can't access WWW, or you can't mail, then look. 5, I want to access wwwiptables -a input -i ppp0 -p tcp -sport 80 -j accept allows from network interface PPP0 (Internet interface), and source ports are 80 data into your computer. The 80-port is the port used by the WWW service. Ok, you can now watch the webpage. But can you see it? If you enter www.baidu.com in the browser, can you see a web? The result you get must be: Can't find the host www.baidu.com However, if you enter 220.181.27.5, you can still access the Baidu's web page. why? If you know the DNS, you must know the reason. Because if you are in www.baidu.com, your computer cannot obtain the IP address of the name of www.baidu.com, 220.181.27.5.
If you really remember this IP, then you can still visit WWW, you can of course use IP to access WWW, if you want to challenge your memory ^ _ ^, of course, we want to open DNS. 6. Open the DNS port to open your DNS port, enter the following command: iptables -a input 53 -j accept This command has the meaning of this command, accept all 53 ports from the network interface PPP0, UPD protocol The data. 53 is also a famous DNS port. Test it at this time, can you access WWW through the host name? Can you access WWW through IP? Of course, you can! 7. View the firewall At this time you can view your firewall iptables -l If you just want to access WwW, you can only visit WWW. But don't worry, summarize the contents of the above, write into a script. #! / Bin / bash # This is a script # Edit by liwei # establish static firewalliptables -Fiptables -Xiptables -t nat -Fiptables -t nat -Xiptables -P INPUT DROPiptables -A INPUT -i! Ppp0 -j ACCEPTiptables -A INPUT -i PPP0 -P TCP --SPORT 80 -J ACCEPTIPTABLES -A INPUT -I PPP0 -P UDP - Sport 53 -J ACCEPT8, is it complicated? To this iptables can be filtered by your request. You can set some ports to allow your machine to access these ports. This is possible, you can't access QQ, or you may not be able to play online games, it is good or bad, or you want to see yourself. By the way, QQ this is really bad, the user is connected to the server and the server is 8888 port, and the friend of the friend is used in QQ, and the 4444 port of UDP (specifically 4444 is not very clear). And QQ can also use the WWW 80-port to log in and send a message. It seems that there is no end, do you really want to control this guy is not easy? Or enter our topic. What if your machine is a server? 9. If you don't cost your machine is a server and provide WWW services. Obviously, the above scripts cannot meet our requirements. But as long as you grasp the rules, you can work with a little modification. In the end, IPTables -a Input -i PPP0 -P TCP - Dport 80 -j Accept This sentence is open to the 80 port on your machine, so that other people on the Internet can access your WWW. . Of course, your WWW server has to work. If your machine is both SMTP and POP3 servers, the same plus two statements will be changed to 25 and 110 after the 80s behind -dport. If you have a FTP server, huh, if you want to open 100 ports ... Our work seems to be repeated to entered a similar statement, you may also think of it, I can use a loop statement to complete, Yes, this can effectively use the SHELL script's function, which will also experience the power of the shell scripting language.
See below: 10, simplify your work with scripts, read the following script #! / Bin / bash # this is a script # Edit by Liwei # Establish a static firewall # define consthereopen_ports = "80 25 110 10" # 自 机Open port Allow_Ports = "53 80 20 21" # Internet data can enter the port of its own machine #initiptables -fiptables-it-xiptables -t nat -fiptables -t nat-xiptables -p input Drop #WE CAN Use Another Method to Instead iTipTables -a INPUT -I! PPP0 -J Accept # define ruler SO That Some Data can come in .for port in "allow_ports"; doiptables -a input -i ppp0 -p TCP -SPORT $ port -j acceptiptables -a input - I PPP0 -P UDP -SPORT $ Port -j AcceptdOnEfor Port in "Open_Ports"; doiptables -a input $ port -j acceptiptiles -a input -j ppp0 -p UDP -DPORT $ port -j ACCEPTDONE This script has three parts (the first paragraph is a comment, not in this three parts) The first part is to define some ports: Access the data of your machine "Open_Ports" port, allow access; source is "allow_ports" port Data can also be entered. The second part is the initialization of iptables, and the third part is the specific operation of the defined port. If we have changed some changes in the future, for example, you add an FTP server to your own machine, then just add the 20 and 21 ports corresponding to the FTP in the first part "open_ports". Oh, you must also understand the powerful scalability of the script function, but the ability of the script is far from these! 11. Make your firewall more completely look at the last script init section of the second sentence IPTables -P INPUT DROP This is to set the default rule to the firewall. When entering our computer's data, do not match any of our conditions, then the data is processed by the default rules ---- DROP, no response to the sender. That is, if you pick your host from another computer in addition to the other computer, ping will stay there and have not responded. If the hacker is scanning your computer with a Namp tool, it will prompt hackers, your computer is in the protection of firewalls. I don't want hackers to understand too much about my computer. If we change the DROP to other actions, you may defraud this just-off hack.
How to change? The iptables -pinput drop will be removed, add iptables -a input -i ppp0 -p tcp -j reference -reject-with tcp-resetiptables -a input -i ppp0 -p on the last side of the script UDP -J REJECT --REJECT-with ICMP-Port-Unreachable This will be much better, although hackers can scan out our ports, but it is difficult to know that our machine is in the protection of firewalls. If you only run FTP and just access to the LAN, he is hard to know if you have run FTP. Here we give data that should not enter our machine, a deceptive answer, not discard (DROP), no longer returning. This feature is especially useful in our design-stateful firewall (I am static firewall here). You can do personally, see what the results get the scan before and after the modification will be different? 12, this tutorial I think this is over, there are many things that are not mentioned here, such as IP camouflage, port forwarding, record function for packets. There is also a very important thing is: iptables handles the data package. Here I want to tell you, the order in which you set the filter rules is very important, this is not detailed, because this tutorial will be stunned detail. iptables is complicated. I have seen a lot of tutorials on LinuxSir. They often have more, but they will be daunting. I hope that this tutorial can guide you.