iptables is a free packet filtering firewall software under Linux system, which can realize packet filtering, packet redirection and network address translation and other functions. It is an efficient and flexible solution that replaces expensive commercial firewalls. iptables has powerful configuration options and rule settings, allowing users to finely control network traffic according to their own needs and improve network security and performance.
The rules of iptables actually refer to the conditions predefined by the network administrator. The rules are generally defined as "If the data packet header meets such conditions, process the data packet in this way." Rules are stored in the packet filtering table in the kernel space. These rules specify the source address, destination address, transmission protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP and SMTP). When data packets match the rules, iptables processes these data packets according to the methods defined by the rules, such as accept, reject, drop, etc. The main task of configuring the firewall is to add, modify and delete these rules.
iptables has four built-in tables, namely filter table, nat table, mangle table and raw table, which are used to implement packet filtering, network address translation, packet reconstruction (modification) and data tracking processing respectively. Each chain is actually just a checklist among many rules. Each chain can have one or several rules. When a packet arrives at a chain, iptables will check starting from the first rule in the chain to see if the packet meets the conditions defined by the rule. If satisfied, the system will process the packet according to the method defined by the rule; otherwise iptables will continue to check the next rule. If the packet does not comply with any rule in the chain, iptables will process the packet according to the predefined default policy of the chain.
Replace the system firewall: The default firewall management tool in Centos7 system is not iptables. When you need to use it, you need to install and replace it yourself.
[root@localhost ~]# systemctl stop firewalld [root@localhost ~]# systemctl disable firewalld [root@localhost ~]# yum install -y iptables iptables-services [root@localhost ~]# systemctl restart iptables [root@localhost ~]# systemctl enable iptables
Query the complete firewall rules: Use the -L -n –line-numbers parameter to view the default firewall configuration rules.
[root@localhost ~]# iptables -L -n --line-numbers [root@localhost ~]# iptables -F # 临时清空规则 Chain INPUT (policy ACCEPT) numtarget prot opt source destination 1ACCEPT all--0.0.0.0/00.0.0.0/0state RELATED,ESTABLISHED 2ACCEPT icmp --0.0.0.0/00.0.0.0/0 3ACCEPT all--0.0.0.0/00.0.0.0/0 4ACCEPT tcp--0.0.0.0/00.0.0.0/0state NEW tcp dpt:22 5REJECT all--0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) numtarget prot opt source destination 1REJECT all--0.0.0.0/00.0.0.0/0reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) numtarget prot opt source destination
Set the firewall to deny by default: Set the default deny rule and set the INPUT chain to deny by default, which means rejecting all connection requests.
[root@localhost ~]# iptables -P INPUT DROP [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) #这里可以看出INPUT链已变成DROP numtarget prot opt source destination Chain FORWARD (policy ACCEPT) numtarget prot opt source destination Chain OUTPUT (policy ACCEPT) numtarget prot opt source destination
Enable firewall ICMP echo: When the default rule denies it, set it to enable ICMP test and allow the host to ping.
[root@localhost ~]# iptables -I INPUT -p icmp -j ACCEPT [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1ACCEPT icmp --0.0.0.0/00.0.0.0/0 Chain FORWARD (policy ACCEPT) numtarget prot opt source destination Chain OUTPUT (policy ACCEPT) numtarget prot opt source destination
Allow customer SSH remote connection: In the case of denial by default, set up port 22 to allow remote SSH connection to the machine.
[root@localhost ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT [root@localhost ~]# iptables -I OUTPUT -p tcp --sport 22 -j ACCEPT [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy ACCEPT) numtarget prot opt source destination 1ACCEPT tcp--0.0.0.0/00.0.0.0/0tcp dpt:22 Chain OUTPUT (policy ACCEPT) numtarget prot opt source destination 1ACCEPT tcp--0.0.0.0/00.0.0.0/0tcp spt:22
Delete specified rules: In the case of default rejection, delete the INPUT chain, the second data, and delete the ICMP rule.
[root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1ACCEPT tcp--0.0.0.0/00.0.0.0/0tcp dpt:22 2ACCEPT icmp --0.0.0.0/00.0.0.0/0 [root@localhost ~]# iptables -D INPUT 2 [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1ACCEPT tcp--0.0.0.0/00.0.0.0/0tcp dpt:22
Specify the allowed network segment access: In the case of denial by default, set up to only allow hosts in the 192.168.1.0/24 network segment to access port 22 of the machine.
[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT [root@localhost ~]# iptables -I OUTPUT -s 192.168.1.0/24 -p tcp --sport 22 -j ACCEPT [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1ACCEPT tcp--192.168.1.0/24 0.0.0.0/0tcp dpt:22 Chain OUTPUT (policy ACCEPT) numtarget prot opt source destination 1ACCEPT tcp--192.168.1.0/24 0.0.0.0/0tcp spt:22
Deny access to the specified port: In the INPUT rule chain, add port 8888 that denies everyone access to the machine.
[root@localhost ~]# iptables -I INPUT -p tcp --dport 8888 -j REJECT [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1REJECT tcp--0.0.0.0/00.0.0.0/0tcp dpt:8888 reject-with icmp-port-unreachable 2ACCEPT tcp--192.168.1.0/24 0.0.0.0/0tcp dpt:22
Deny access to the port of the specified host network segment: In the INPUT rule chain, add the 192.168.1.20 host to deny access to the local port 80.
[root@localhost ~]# iptables -I INPUT -p tcp -s 192.168.1.20 --dport 80 -j REJECT [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1REJECT tcp--192.168.1.20 0.0.0.0/0tcp dpt:80 reject-with icmp-port-unreachable 2REJECT tcp--0.0.0.0/00.0.0.0/0tcp dpt:8888 reject-with icmp-port-unreachable 3ACCEPT tcp--192.168.1.0/24 0.0.0.0/0tcp dpt:22
Deny access to the specified port range: In the INPUT rule chain, add a deny for all hosts to access the local port 1000-2000.
[root@localhost ~]# iptables -A INPUT -p tcp --dport 1000:2000 -j REJECT [root@localhost ~]# iptables -A INPUT -p udp --dport 1000:2000 -j REJECT [root@localhost ~]# iptables -L -n --line-numbers Chain INPUT (policy DROP) numtarget prot opt source destination 1REJECT tcp--192.168.1.20 0.0.0.0/0tcp dpt:80 reject-with icmp-port-unreachable 2REJECT tcp--0.0.0.0/00.0.0.0/0tcp dpt:8888 reject-with icmp-port-unreachable 3ACCEPT tcp--192.168.1.0/24 0.0.0.0/0tcp dpt:22 4REJECT tcp--0.0.0.0/00.0.0.0/0tcp dpts:1000:2000 reject-with icmp-port-unreachable 5REJECT udp--0.0.0.0/00.0.0.0/0udp dpts:1000:2000 reject-with icmp-port-unreachable
SNAT-Source Address Translation
#例:将本地 192.168.1.1 的请求自动伪装成外网地址 59.110.167.234 [root@localhost ~]# iptables -t nat -A POSTROUTING -o ens32 -s 192.168.1.1 -j SNAT --to-source 59.110.167.234 -o#指定外网接口,此处为ens32 -s#指定内网口地址,此处为192.168.1.1 --to-source #外网口的地址
DNAT-Destination Address Translation
#例:将请求 59.110.167.234 且端口为 80 的数据包,自动映射到内网 192.168.1.10 [root@localhost ~]# iptables -t nat -A PREROUTING -i ens32 -d 59.110.167.234 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10 --to-destination #内网口地址,此处为192.168.1.1 -i #绑定外网接口,此处为ens32 -d #外网地址,此处为8.8.8.8 -dport #内网端口,此处为80
Limit the number of physical request connections: iptables can use the connlimit module to limit the number of connections of the same IP for a certain port. It allows limiting the number of concurrent connections for each client IP, that is, the number of simultaneous connections to a server for each IP. You can also limit the network usage of intranet users, and for the server, you can limit the number of connections initiated by each IP.
# 限制同一IP同时最多100个http连接 [root@localhost ~]# iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT [root@localhost ~]# iptables -I INPUT -p tcp --syn --dport 80 -m connlimit ! --connlimit-above 100 -j ACCEPT # 只允许每组C类IP同时100个http连接 [root@localhost ~]# iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT # 只允许每个IP同时5个80端口转发,超过的丢弃 [root@localhost ~]# iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP # 限制某IP最多同时100个http连接 [root@localhost ~]# iptables -A INPUT -s 192.168.1.100 -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT # 限制每IP在一定的时间(比如60秒)内允许新建立最多100个http连接数 [root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 100 -j REJECT [root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
Configure basic firewall rules: We can execute the following codes in sequence in the newly installed system to configure a basic firewall rule.
# 删除已有规则 iptables --delete-chain iptables --flush # 默认禁止进,允许出,允许回环网卡 iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT # 允许已建立的或相关连接的通行 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # 限制80端口443端口的单个IP的最大连接数为10 iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP iptables -I INPUT -p tcp --dport 443 -m connlimit --connlimit-above 10 -j DROP # 允许80(HTTP)/873(RSYNC)/443(HTTPS)/20,21(FTP)/25(SMTP)端口的连接 iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT # 允许SSH端口的连接,放行SSH端口 iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT # 允许ping iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT iptables -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT # 放行允许DNS解析端口 iptables -A OUTPUT -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT iptables -A OUTPUT -p udp -m udp -d 114.114.114.114 --dport 53 -j ACCEPT # 保存规则 iptables-save
Commonly used configuration rules for production: The following are the configurations of some commonly used rules in the production environment. Generally, configuring these rules is enough.
filter -P INPUT DROP #设置默认规则,拒绝所有 iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT#放行80口 iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT #放行22口 iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT#放行22口 iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT#放行80端口 iptables -t filter -I INPUT -p tcp --dport 443-j ACCEPT#插入在顶端一条放行443端口的规则 iptables -t filter -I INPUT 2 -p tcp --dport 443 -j ACCEPT #在第二列插入一条443放行规则 iptables -t filter -A INPUT -p tcp --dport 80 -j DROP#丢弃80端口的请求 iptables -I INPUT 2 -p icmp -j DROP#丢弃ICMP请求 iptables -t filter -D INPUT 3#删除第三条规则 iptables -A FORWARD -s 192.168.1.10 -j REJECT#拒绝IP的转发请求 iptables -I INPUT -s 10.20.30.0/24 -j DROP #丢弃IP网段的入站请求 iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP#丢弃从eth1网卡流入,且地址匹配的数据包 iptables -A INPUT -o eth0 -s 192.168.1.0/24 -j DROP#丢弃从eth0网卡流出,且地址匹配的数据包 iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT #放行20-21端口的数据包 iptables -I INPUT -p tcp -m multiport --dport 80-90,85 -j ACCEPT iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.10-192.168.1.100 -j ACCEPT
The above is the detailed content of Linux firewall-iptables detailed explanation. For more information, please follow other related articles on the PHP Chinese website!