Use of Iptables firewall in Linux
- Use of Iptables
- Iptables action
- Iptables basic condition matching
- -s source address, -d destination address
- --sport source port, --dport destination port
- -i, -o, -m, -j action
- Modules
1, Use of Iptables
1. Installing Iptables
[root@m01 ~]# yum install iptables*
Use rpm -q iptables to check whether iptables is installed.
2. Start Iptables
[root@m01 ~]# systemctl start iptables
Use systemctl status iptables to check the state of the iptables service.
3. Close firewalld
[root@m01 ~]# systemctl disable --now firewalld
Format:
-t                  Specify the table to operate on
-L, --list          List the current rules
-v                  Show packet and byte counters
-n                  Numeric output, do not reverse-resolve addresses
-A, --append        Append a rule to the end of a chain
-I, --insert        Insert a rule at the top of a chain
-F, --flush         Flush (empty) a chain
-Z, --zero          Clear the counters (packet count, packet size)
-D, --delete        Delete a rule from a chain
-R, --replace       Replace (modify) a rule
-S, --list-rules    List all rules as commands
-N, --new-chain     Create a custom chain
-X, --delete-chain  Delete a custom chain
-P, --policy        Set the default policy of a chain
2, Iptables actions
ACCEPT    Let the packet through. No further rules in this chain are compared; processing moves straight on to the next chain.
REJECT    Block the packet and send a reply packet to notify the sender.
DROP      Discard the packet without processing it. Matching stops immediately; no further rules are compared.
REDIRECT  Redirect the packet to another port. After this action, matching of other rules continues.
3, Iptables basic condition matching
TCP (http), UDP, ICMP (ping), ALL
4, -s source address, -d destination address
Source address: the address the request is sent from
Destination address: the address being accessed
5, --sport source port, --dport destination port
Source port: the port the request is sent from
Destination port: the port being accessed
6, -i, -o, -m, -j action
-i : Incoming network interface
-o : Outgoing network interface
-m : Specify a module
-j : Action to take (jump target)
-p : Specify the protocol
7, Case
Case 1: only port 22 may be accessed; all other ports are unreachable
iptables -t filter -A INPUT -p TCP --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
Case 2: only ports 22, 80 and 443 may be accessed; all other ports are unreachable
iptables -t filter -A INPUT -p TCP --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p TCP --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p TCP --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
Case 3: only ports 22, 80 and 443 may be accessed and all other ports are unreachable, but this machine itself must still be able to reach Baidu
Case 4: 192.168.15.81 must be reachable through port 22, but through no other port
iptables -t filter -A INPUT -p TCP -d 192.168.15.81 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
Case 5: only 192.168.15.71 is allowed to connect through port 22; nobody else is
iptables -t filter -A INPUT -p TCP -s 192.168.15.71 -d 192.168.15.81 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
Case 6: 192.168.15.71 must be invisible to the outside
iptables -t filter -A INPUT -p TCP -d 192.168.15.71 -j DROP
Case 7: all requests arriving on the eth0 network interface are rejected
iptables -t filter -A INPUT -p TCP -i eth0 -j DROP
Case 8: access to port 8080 of the server must be forwarded to port 80
iptables -t nat -A PREROUTING -p TCP --dport 8080 -j REDIRECT --to-port 80
Case 9: only the Windows host (192.168.15.1) is allowed to connect to 192.168.15.81 through ssh; everyone else is rejected
iptables -t filter -I INPUT -p TCP -s 192.168.15.1 -d 192.168.15.81 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p TCP --dport 22 -j DROP
The ACCEPT rule is inserted with -I so that it lands above any DROP rule already present in the chain.
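The cases above are typed one by one; the script below is an added example (not from the original page) that builds the Case 2/3 allowlist in one go, with the rule order that makes it work, and shows why a later exception must use -I as in Case 9. It assumes the conntrack match is available and that IPT names the command to run; set IPT="echo iptables" for a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: IPT is the command prefix; IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"

# apply_allowlist "22,80,443": rebuild INPUT so that only these TCP ports are
# reachable from outside. Rules are appended with -A, so order matters: the
# catch-all DROP goes last, and anything appended after it is never reached.
apply_allowlist() {
    ports="$1"
    $IPT -t filter -F INPUT
    # Case 3 ("this machine can still reach Baidu"): replies to connections
    # this host opened belong to an ESTABLISHED connection, so accept them
    # before the DROP. This is safer than matching --sport 80/443, because a
    # source port is chosen by the remote side and proves nothing.
    $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        $IPT -t filter -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -t filter -A INPUT -p tcp -j DROP
}

# allow_host_ssh 192.168.15.1: a later exception must be inserted with -I
# (top of the chain), as in Case 9; with -A it would sit below the DROP.
allow_host_ssh() {
    $IPT -t filter -I INPUT -p tcp -s "$1" --dport 22 -j ACCEPT
}

# Usage: sh firewall.sh apply [ports]   (IPT="echo iptables" sh firewall.sh apply to preview)
if [ "${1:-}" = "apply" ]; then apply_allowlist "${2:-22,80,443}"; fi
```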
Knowledge reserve:
Command to view which ports are in use on this machine:
netstat -nutlp
8, Modules
Modules extend the functions of iptables.
-m : Specify a module
1. Match multiple ports at once (multiport)
--dports : Specify multiple ports (separate individual ports with commas, and give a consecutive range with a colon)
2. Specifies a contiguous range of ip addresses (iprange)
--src-range from[-to]: Source address range
--dst-range from[-to]: Destination address range
3. Matches the specified string (string)
--string pattern   # The string to match
--algo {bm|kmp}    # Matching algorithm
4. Match packets by time period (time)
--timestart hh:mm[:ss]     # Start time
--timestop hh:mm[:ss]      # End time
--monthdays day[,day...]   # Specific days of the month
--weekdays day[,day...]    # Specific days of the week
5. Forbid ping (icmp). Blocking ICMP outright means this machine cannot ping others and others cannot ping it; match the ICMP type to block only one direction:
--icmp-type {type[/code]|typename}
    echo-request (8)   request
    echo-reply (0)     reply
6. Limit the number of concurrent connections (connlimit)
--connlimit-upto n # Matches if the number of existing connections is less than or equal to n
--connlimit-above n # Match if the number of existing connections is greater than n
7. Limit the packet rate (limit), per second, minute, hour or day
--limit rate[/second|/minute|/hour|/day]   # Average number of packets allowed
--limit-burst number                       # Initial burst of packets allowed before the limit applies (default: 5)
9, Module cases
1. Ports 22, 80, 443 and all ports between 30000 and 50000 must be exposed to the outside; all other ports are rejected
iptables -t filter -A INPUT -p TCP -m multiport --dports 22,80,443,30000:50000 -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
2. Packets whose data contains the string HelloWorld are not allowed through
iptables -t filter -A INPUT -p TCP -m string --string "HelloWorld" --algo kmp -j DROP
3. All IP addresses between 192.168.15.1 and 192.168.15.10 may connect to 192.168.15.81; everyone else is rejected
iptables -t filter -A INPUT -p TCP -m iprange --src-range 192.168.15.1-192.168.15.10 -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
4. Access is not allowed between 12:00 and 13:00 every day
iptables -t filter -A INPUT -p TCP -m time --timestart 4:00 --timestop 5:00 -j DROP
Note: the time module works in UTC, which is why the local 12:00-13:00 window (eight hours ahead of UTC here) is written as 04:00-05:00.
5. Others must not be able to ping this machine, but this machine can still ping others
iptables -t filter -A INPUT -p icmp -m icmp --icmp-type "echo-request" -j DROP
6. At most 2 concurrent connections to port 22 are allowed (counted per source address by default)
iptables -t filter -A INPUT -p TCP --dport 22 -m connlimit --connlimit-above 2 -j DROP
7. The rate must be limited to about 500 KB/s (roughly 333 full-size packets per second)
iptables -t filter -A INPUT -p TCP -m limit --limit 333/s -j ACCEPT
iptables -t filter -A INPUT -p TCP -j DROP
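The 333/s figure above comes from dividing the target bandwidth by the packet size; the following added example (not from the original page) derives it instead of hard-coding it and emits the limit rule pair. It assumes an average full-size packet of about MTU bytes (1500 by default) and that IPT names the command to run (IPT="echo iptables" for a dry run).

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumption: IPT is the command prefix; IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"

# pps_for_rate KBYTES_PER_SEC [MTU]: packets per second that carry that much
# data, assuming full-size packets, e.g. 500 KB/s / 1500 B ~= 333 packets/s.
pps_for_rate() {
    kb="$1"; mtu="${2:-1500}"
    echo $(( kb * 1000 / mtu ))
}

# rate_limit_rules KBYTES_PER_SEC: accept packets up to the computed rate
# (with a small burst) and drop the rest. The limit match only counts
# packets; the DROP rule after it is what actually enforces the cap.
rate_limit_rules() {
    pps=$(pps_for_rate "$1")
    $IPT -t filter -A INPUT -p tcp -m limit --limit "${pps}/second" --limit-burst 10 -j ACCEPT
    $IPT -t filter -A INPUT -p tcp -j DROP
}

# Usage: sh ratelimit.sh apply [KB_per_sec]
if [ "${1:-}" = "apply" ]; then rate_limit_rules "${2:-500}"; fi
```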