1, iptables
iptables is a complex packet filter that is integrated into the Linux kernel. Through iptables you can filter the packets that reach your computer: you set rules with the iptables command that decide which data is allowed to pass, which is not, and which is recorded (logged). Next I will show you how I set up my rules, starting now.
2, initialization work
Enter the following at the shell prompt (#):
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
Each of the above commands has its exact meaning. Generally, before you set up your iptables rules you want to clear all previously set rules; we call this initialization. Although in many cases these commands do nothing, to be safe you may as well be careful. If you use Red Hat or Fedora there is a simpler way:
service iptables stop
3, start setting rules:
Next, set your rules.
iptables -P INPUT DROP
This command builds a very "secure" firewall; it is hard to imagine which hacker could break into this machine, because it discards (DROP) everything that comes in from the network. That is of course safe, but your machine is then equivalent to one with no network at all. If you ping localhost you will find that the screen just sits there, because ping never receives a reply.
4, add rules
Then continue with the following command:
iptables -A INPUT ! -i ppp0 -j ACCEPT
The meaning of this rule is: accept all data whose source is not the network interface ppp0.
We assume you have two network interfaces: eth0 connects to the LAN, and lo is the loopback interface (localhost). ppp0 is the usual ADSL Internet interface; if yours is not set up this way it may be eth1. Here I assume that you use ADSL and your Internet interface is ppp0.
At this point you can access the local area network, and you can also reach localhost.
Now enter ping localhost again; is the result the same as just now?
At this point we still can't access the WWW or mail, so read on.
5, I want to visit WWW
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT
This allows data coming from the network interface ppp0 (the Internet interface) with source port 80 into your computer. Port 80 is the port used by the WWW service.
OK, you can now watch web pages. But can you really see them?
If you enter www.baidu.com in the browser, can you see the page?
The result you get will be: cannot find the host www.baidu.com.
However, if you enter 220.181.27.5, you can still reach Baidu's web page.
Why? If you know DNS, you know the reason.
Because when you type www.baidu.com, your computer cannot obtain the IP address that belongs to the name www.baidu.com, 220.181.27.5. If you really remember that IP you can still visit the WWW by IP, but unless you want to challenge your memory ^_^, of course we want to open DNS.
6, open the DNS port
Open your DNS port and enter the following command:
iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT
The meaning of this command is to accept UDP data from the network interface ppp0 whose source port is 53. Port 53 is the well-known DNS port.
Test it now: can you access the WWW by host name? Can you access the WWW by IP?
Of course you can!
7, check the firewall
You can now view your firewall rules with:
iptables -L
If you only want to access the WWW, this is all you need. But don't stop here: let's summarize the above into a script.
#!/bin/bash
# This is a script
# Edit by Liwei
# Establish Static FireWall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -A INPUT ! -i ppp0 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT
8. Is it complicated? With iptables you can filter according to your needs. You can allow your machine to access some ports and not others. This can mean you can't use QQ, or can't play online games; whether that is good or bad is for you to decide. By the way, QQ is really troublesome: the client connects to the server on port 8888, friend-to-friend chat uses UDP port 4444 (I am not entirely clear about 4444), and QQ can also log in and send messages over WWW port 80. It seems there is no end to it; controlling this guy is really not easy. Let's return to our topic.
What if your machine is a server?
9. Suppose your machine is a server and provides WWW service. Obviously the script above cannot meet our requirements. But as long as you grasp the rules, a small modification will do. Add one more line at the end:
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
This line opens port 80 on your machine, so that others on the Internet can access your WWW. Of course, your WWW server has to be running. If your machine is also an SMTP and POP3 server, add the same statement twice more, changing the 80 after --dport to 25 and 110. If you also have an FTP server... and if you want to open 100 ports...
Our work seems to be repeatedly entering similar statements. You may have thought of it yourself: I can use a loop to do this. Yes, you can make effective use of shell scripting; let me show you the power of the shell scripting language. See the following:
10. Simplify your work with scripts; read the following script:
#!/bin/bash
# This is a script
# Edit by Liwei
# Establish a static firewall
# Define constants here
OPEN_PORTS="80 25 110 10"    # ports your machine opens to the outside
ALLOW_PORTS="53 80 20 21"    # Internet data from these source ports can enter your machine
# init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP    # we can use another method instead of this
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Define rules so that some data can come in.
for port in $ALLOW_PORTS; do
    iptables -A INPUT -i ppp0 -p tcp --sport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport $port -j ACCEPT
done
for port in $OPEN_PORTS; do
    iptables -A INPUT -i ppp0 -p tcp --dport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport $port -j ACCEPT
done
This script has three parts (the opening comment is not counted among them).
The first part defines some ports: data addressed to your machine's "OPEN_PORTS" ports is allowed in, and data whose source is one of the "ALLOW_PORTS" ports can also enter.
The second part is the initialization of iptables, and the third part is the actual operation on the defined ports.
If something changes in the future, for example you add an FTP server to your machine, just add the FTP ports 20 and 21 to "OPEN_PORTS" in the first part. Now you must appreciate the powerful scalability of scripts, but the ability of scripts goes far beyond this!
11, make your firewall better
Look at the second statement of the script's init part:
iptables -P INPUT DROP
This sets the firewall's default policy. When data entering our computer matches none of our conditions, it is handled by the default policy, DROP: no response is sent to the sender.
That is, if you ping your host from another computer, ping will just sit there with no response.
If a hacker scans your computer with a tool such as Nmap, it will tell him that your computer is protected by a firewall. I don't want hackers to learn too much about my computer. If we change DROP to another action, we may fool this just-arrived hacker.
How to change it? Comment out iptables -P INPUT DROP, and add at the end of the script:
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
This is much better: although a hacker can still scan our ports, it is hard for him to know that our machine is behind a firewall. If you run FTP only for the LAN, he will hardly know that FTP is running. Here we give data that should not enter our machine a deceptive answer instead of discarding it (DROP) without replying. This is especially useful when designing a stateful firewall (what I have here is a static firewall).
Try it yourself and see whether the scan results before and after the modification differ.
12, I think this tutorial ends here. There are many things not mentioned, such as IP masquerading, port forwarding, and logging of packets. Another very important thing is the way iptables processes a packet. Here I want to tell you that the order in which you set the filter rules is very important; I don't go into detail, because this tutorial would become overly detailed.
iptables is complicated. I have seen many tutorials on LinuxSir; they are often more complete, but they can be daunting. I hope this tutorial can guide you. Come on!
Finally, here is the full script. You only need to modify the constant definition part, which gives it great scalability ^_^
#!/bin/bash
# This is a script
# Edit by Liwei
# Establish a static firewall
# Define constants here
OPEN_PORTS="80 25 110 10"    # ports your machine opens to the outside
ALLOW_PORTS="53 80 20 21"    # Internet data from these source ports can enter your machine
# init
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# The following is commented out, to make it better
# iptables -P INPUT DROP
iptables -A INPUT ! -i ppp0 -j ACCEPT
# Define rules so that some data can come in.
for port in $ALLOW_PORTS; do
    iptables -A INPUT -i ppp0 -p tcp --sport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --sport $port -j ACCEPT
done
for port in $OPEN_PORTS; do
    iptables -A INPUT -i ppp0 -p tcp --dport $port -j ACCEPT
    iptables -A INPUT -i ppp0 -p udp --dport $port -j ACCEPT
done
# These are the last rules; they make your firewall better
iptables -A INPUT -i ppp0 -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -i ppp0 -p udp -j REJECT --reject-with icmp-port-unreachable
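As an added example (not the tutorial's own script), here is a dry-run version of the scripts from sections 10 and 11: it builds the same rule set from the same port lists but prints the commands instead of running them, so the result can be reviewed without root. It assumes ppp0 as the Internet interface and the ports 80, 25, 110 from section 9; it keeps the DROP policy as a safety net beneath the REJECT rules, which the final script above comments out.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: builds the same rule set from
# the same port lists but prints the commands instead of running them, so the
# result can be reviewed without root. Run with IPT=iptables to apply it.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-ppp0}"                    # Internet-facing interface (assumed)
OPEN_PORTS="${OPEN_PORTS:-80 25 110}"       # services this host offers (--dport)
ALLOW_PORTS="${ALLOW_PORTS:-53 80 20 21}"   # remote source ports allowed back in (--sport)

gen_rules() {
    # Initialisation: flush rules and delete user-defined chains in filter and nat.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    # Default policy stays DROP as a safety net; the tutorial's final script
    # comments it out, which leaves ICMP and other protocols on $WAN_IF accepted.
    $IPT -P INPUT DROP
    # Anything not arriving on the Internet interface (LAN, loopback) is accepted.
    $IPT -A INPUT ! -i "$WAN_IF" -j ACCEPT
    # Replies from remote services, matched on source port as in the tutorial.
    # Caveat: the sender chooses its source port, so this check is weak;
    # '-m conntrack --ctstate ESTABLISHED,RELATED' is the stateful form to prefer.
    for port in $ALLOW_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --sport "$port" -j ACCEPT
        $IPT -A INPUT -i "$WAN_IF" -p udp --sport "$port" -j ACCEPT
    done
    # Services this host offers to the Internet, matched on destination port.
    for port in $OPEN_PORTS; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
        $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$port" -j ACCEPT
    done
    # Section 11: answer everything else like a closed port rather than silently
    # dropping it, so a scan does not obviously reveal a filter.
    $IPT -A INPUT -i "$WAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$WAN_IF" -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Review helper: how many generated rules contain the given pattern.
count_rules() {
    gen_rules | grep -c -- "$1"
}

gen_rules
```

Running it as-is prints the 22 commands in order; review them, then re-run with IPT=iptables to apply.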