Using iptables to implement a packet-filtering firewall (2)

xiaoxiao2021-03-06  36

4. iptables usage example

First let us look at how a server and a client interact. A service offered by a server is always provided by a specific background program (daemon). In a TCP/IP network that service is usually bound to a specific TCP or UDP port, and the daemon listens on that port continuously. Once an eligible client request arrives, the daemon establishes a connection with the client and responds to its request; at the same time it spawns a copy of itself that continues to listen on the port for further client requests.

A concrete example: suppose server A (IP address 1.1.1.1) on the network provides the WWW service, and there are clients B (2.2.2.2) and C (3.3.3.3). First, server A runs a daemon that provides the WWW service (such as Apache) and binds it to port 80, that is, it listens on port 80. When B initiates a request, B opens a connection from a port greater than 1024 (ports below 1024 are defined, reserved ports), say 1037. After A receives the request, it establishes a connection with B to respond to B's request, while a copy bound to port 80 continues to listen for client requests. If C sends a concurrent connection request (say from port 1071), the same happens: a connection is established with C while the daemon continues to listen. As shown below, the system identifies each connection by source address, source port, destination address and destination port, so each connection is unique:

  Server                   Client
  Connection 1:  1.1.1.1:80 <=> 2.2.2.2:1037
  Connection 2:  1.1.1.1:80 <=> 3.3.3.3:1071

Every specific service has its own port. Ports below 1024 are mostly reserved, or "defined", ports: the low ports are assigned to well-known services (WWW, FTP and so on), and ports from 512 to 1024 are typically reserved for special UNIX TCP/IP applications. See the /etc/services file or RFC 1700.

Suppose the network environment is as follows: a company rents a DDN line to get online, with this network topology:

  ----------------------------      ------------
  | Internal network segment |eth1  |          |eth0        DDN
  |      198.168.80.0        |------| firewall |<=================== Internet
  ----------------------------      ------------

  eth0: 198.199.37.254
  eth1: 198.168.80.254

The IP addresses above are real Internet addresses, so IP masquerading is not used.

We also assume that the internal network has the following servers:

  WWW server:   www.yourdomain.com   198.168.80.11
  FTP server:   ftp.yourdomain.com   198.168.80.12
  Email server: mail.yourdomain.com  198.168.80.13

Let's use iptables, step by step, to build our packet-filtering firewall. Note that in this example we are mainly protecting the internal servers.

1. Create a file named firewall in the /etc/rc.d/ directory with the touch command, run chmod u+x firewall to make it executable, and edit /etc/rc.d/rc.local to add /etc/rc.d/firewall so that the script runs automatically at boot.

2. Flush the rules of all chains:

  #!/bin/sh
  echo "Starting iptables rules..."
  # Flush all chains
  /sbin/iptables -F

3. We first prohibit forwarding any packets, then step by step allow packets to pass. So first set the firewall's FORWARD chain policy to DROP:

  /sbin/iptables -P FORWARD DROP

4. Set the rules for the servers. Note that server/client interaction is two-way, so we set rules not only for the request packets but also for the returned packets. We first build rules for packets coming from the Internet.

WWW service: the service port is 80, using the TCP or UDP protocol. The rule is: eth0 => allow only packets destined for the internal WWW server.

  #################### DEFINE HTTP PACKETS ####################
  # Allow www request packets from internet clients to www servers
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j ACCEPT

FTP service: FTP is a bit special because it needs two ports, since it has a command channel and a data channel. The command port is 21 and the data port is 20, and there are two service modes, active and passive.

In passive mode the FTP client initiates a connection request to the FTP server; after the three-way handshake the command channel is established, and the client then asks the FTP server to establish a data channel. Once that succeeds, data transfer begins. Most FTP clients now support passive mode because this mode improves security. The FTP service uses the TCP protocol. The rule is: eth0 => allow only packets destined for the internal FTP server.

  #################### DEFINE FTP PACKETS ####################
  # Allow ftp request packets from internet clients to intranet ftp server
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.12 --dport ftp -i eth0 -j ACCEPT

Email service: it involves two protocols, SMTP and POP3. For security reasons POP3 is usually provided only internally, so we only consider the security of SMTP. The SMTP port is 21 and it uses the TCP protocol. eth0 => allow only SMTP requests destined for the email server.

  #################### DEFINE SMTP PACKETS ####################
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.13 --dport smtp -i eth0 -j ACCEPT

5. Set the rules for intranet clients. In this example our firewall sits at the gateway, so it mainly prevents attacks from the Internet and cannot prevent attacks from the intranet. If our servers run Linux, the relevant filtering rules can also be set on each server to guard against attacks from the intranet. We define the following rules for the intranet clients' returning packets:

  ############# DEFINE PACKETS FROM INTERNET SERVER TO INTRANET #############
  /sbin/iptables -A FORWARD -p tcp -s 0/0 --sport ftp-data -d 198.168.80.0/24 -i eth0 -j ACCEPT
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.0/24 ! --syn -i eth0 -j ACCEPT
  /sbin/iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT

Description: the first rule allows intranet clients to access Internet FTP servers in passive mode; the second accepts TCP packets from the Internet that are not connection requests (no SYN); the last accepts all UDP packets, mainly for UDP services such as OICQ.

6. Accept packets from the whole intranet. We define the following rule:

  ############# DEFINE PACKETS FROM INTRANET TO INTERNET #############
  /sbin/iptables -A FORWARD -s 198.168.80.0/24 -i eth1 -j ACCEPT

7. Handling IP fragments. We accept all IP fragments, but use the limit match extension to restrict the number of fragments that may pass per unit of time, to prevent IP fragment attacks.

  #################### DEFINE FRAGMENT RULE ####################
  /sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Description: wherever the IP fragments come from, they are limited to 100 fragments per second, with a burst of 100 fragments.

8. Set up ICMP packet filtering. ICMP packets are usually used for network testing, so all ICMP packets are allowed. However, attackers often use ICMP for attacks such as ping of death, so we use the limit match extension to restrict them:

  #################### DEFINE ICMP RULE ####################
  /sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

Description: wherever the ICMP packets come from, one packet per second is allowed, and the limit takes effect after a burst of 10 packets.

Through the above steps we have built a relatively complete firewall. Only a limited number of ports are open, intranet clients get seamless access to the Internet, and there is effective protection against IP fragment attacks and ICMP ping of death.
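As an added check, not part of the original article, the following Python script models the FORWARD chain built in steps 3 to 8 as a first-match rule list with a DROP policy and evaluates a few constructed packets against it. It assumes the service names resolve to the numbers in /etc/services (www=80, ftp=21, smtp=25, ftp-data=20) and does not model the limit match; the packets and the 198.168.80.50 client address are made up for the example.

```python
# Added example (not from the original article): a first-match model of the
# FORWARD chain from steps 3-8 (policy DROP) run over constructed packets.
# "-m limit" is not modelled; service names use /etc/services numbers.
from ipaddress import ip_address, ip_network

INTRANET = "198.168.80.0/24"

def rule(proto=None, dst=None, dport=None, src=None, sport=None,
         iface=None, syn=None, frag=None):
    """One iptables-style match; None means any. syn=False is '! --syn', frag=True is '-f'."""
    def match(p):
        return ((proto is None or p["proto"] == proto)
                and (dst is None or ip_address(p["dst"]) in ip_network(dst))
                and (src is None or ip_address(p["src"]) in ip_network(src))
                and (dport is None or p.get("dport") == dport)
                and (sport is None or p.get("sport") == sport)
                and (iface is None or p["dev"] == iface)
                and (syn is None or p.get("syn", False) == syn)
                and (frag is None or p.get("frag", False) == frag))
    return match

# The chain in the order the script appends the rules (-A FORWARD ...).
FORWARD = [
    rule("tcp", "198.168.80.11/32", dport=80, iface="eth0"),  # --dport www
    rule("tcp", "198.168.80.12/32", dport=21, iface="eth0"),  # --dport ftp
    rule("tcp", "198.168.80.13/32", dport=25, iface="eth0"),  # --dport smtp
    rule("tcp", INTRANET, sport=20, iface="eth0"),            # --sport ftp-data
    rule("tcp", INTRANET, iface="eth0", syn=False),           # ! --syn
    rule("udp", INTRANET, iface="eth0"),
    rule(src=INTRANET, iface="eth1"),                         # intranet -> internet
    rule(frag=True),                                          # -f (limit omitted)
    rule("icmp"),                                             # (limit omitted)
]

def forward(packet):
    """Walk the chain; the first matching rule ACCEPTs, otherwise policy DROP."""
    for match in FORWARD:
        if match(packet):
            return "ACCEPT"
    return "DROP"

# Constructed sample packets (the fields are the ones the matches look at).
WWW_REQUEST = dict(proto="tcp", src="5.6.7.8", dst="198.168.80.11", dport=80, dev="eth0", syn=True)
SSH_REQUEST = dict(proto="tcp", src="5.6.7.8", dst="198.168.80.11", dport=22, dev="eth0", syn=True)
WEB_REPLY = dict(proto="tcp", src="5.6.7.8", sport=80, dst="198.168.80.50", dport=1037, dev="eth0")
OUTBOUND = dict(proto="tcp", src="198.168.80.50", dst="5.6.7.8", dport=80, dev="eth1", syn=True)

if __name__ == "__main__":
    for name in ("WWW_REQUEST", "SSH_REQUEST", "WEB_REPLY", "OUTBOUND"):
        print(f"{name:12s} -> {forward(globals()[name])}")
```

The SSH request is dropped by the default policy because no rule names port 22, while the reply to an intranet client passes through the "! --syn" rule, which is what makes stateless return traffic work in this ruleset.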

The following is the complete script file; I hope this instance helps you understand the usage of iptables:

  #!/bin/sh
  echo "Starting iptables rules..."
  # Flush all chains
  /sbin/iptables -F
  # Default policy: drop everything not explicitly allowed
  /sbin/iptables -P FORWARD DROP
  #################### DEFINE HTTP PACKETS ####################
  # Allow www request packets from internet clients to www servers
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j ACCEPT
  #################### DEFINE FTP PACKETS ####################
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.12 --dport ftp -i eth0 -j ACCEPT
  #################### DEFINE SMTP PACKETS ####################
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.13 --dport smtp -i eth0 -j ACCEPT
  ############# DEFINE PACKETS FROM INTERNET SERVER TO INTRANET #############
  /sbin/iptables -A FORWARD -p tcp -s 0/0 --sport ftp-data -d 198.168.80.0/24 -i eth0 -j ACCEPT
  /sbin/iptables -A FORWARD -p tcp -d 198.168.80.0/24 ! --syn -i eth0 -j ACCEPT
  /sbin/iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT
  ############# DEFINE PACKETS FROM INTRANET TO INTERNET #############
  /sbin/iptables -A FORWARD -s 198.168.80.0/24 -i eth1 -j ACCEPT
  #################### DEFINE FRAGMENT RULE ####################
  /sbin/iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
  #################### DEFINE ICMP RULE ####################
  /sbin/iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

5. Differences between iptables and ipchains

· In iptables the default chain names changed from lowercase to uppercase, and their meaning is no longer the same: INPUT and OUTPUT now apply respectively to packets whose destination is this machine and to packets sent by this machine.
· The -i option only denotes the input network interface; for the output network interface, use the -o option.

Please credit the original source when reprinting: https://www.9cbs.com/read-75712.html
