Basic usage tutorial of IPTABLES firewall in LINUX


Preface

On a production VPS with a public IP, only the ports that are actually needed should be open; in other words, access is controlled by IP address and port through an ACL (Access Control List).

The tool for this is iptables, the user-space front end of the Linux kernel firewall, netfilter.

iptables has 4 tables, which a packet traverses in this order: raw -> mangle (modifies packet headers) -> nat (defines address translation) -> filter (defines the rules that allow or drop packets)

Each table can be configured with multiple chains:

* The filter table can generally only use three chains: INPUT, FORWARD, OUTPUT

* The nat table can generally only use three chains: PREROUTING, OUTPUT, POSTROUTING

* The mangle table can use all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

The three chains of the filter table in detail:

* INPUT chain: filters all packets whose destination address is the local machine

* FORWARD chain: filters all packets that pass through the local machine on their way elsewhere

* OUTPUT chain: filters all packets generated by the local machine

Examples (XXXX stands for the server's own IP address):

[Example]: Drop all incoming traffic:
iptables -t filter -A INPUT -s 0.0.0.0/0.0.0.0 -d XXXX -j DROP

[Example]: Open port 22 for SSH (-I inserts at the top of the chain, so this rule is matched before the DROP rule above):
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d XXXX -p tcp --dport 22 -j ACCEPT

[Example]: Open port 80 (note that -A appends after the existing rules; if the DROP-all rule above is already in place, an appended ACCEPT is never reached, so insert it with -I instead):
iptables -A INPUT -s 0.0.0.0/0.0.0.0 -d XXXX -p tcp --dport 80 -j ACCEPT


[Example]: Reject traffic from 45.32.102.124 to 157.240.22.174 (an OUTPUT rule, so it applies to packets generated by this machine):
iptables -A OUTPUT -p tcp -s 45.32.102.124 -d 157.240.22.174 -j REJECT

[Example] Print the currently active iptables rules (-n prints addresses and ports numerically, without DNS lookups):
iptables -L -n

Specifying port range in Linux iptables firewall

iptables -I INPUT -p tcp --dport 700:800 -j DROP 
iptables -I INPUT -s 11.129.35.45 -p tcp --dport 700:800 -j ACCEPT

1. 700:800 means all ports between 700 and 800

2. :800 means all ports 800 and below

3. 700: indicates 700 and all ports above

The effect of this example is that ports 700-800 are open only to the IP address 11.129.35.45, a whitelist mechanism. Because -I inserts at the top of the chain, the ACCEPT rule entered second ends up above the DROP rule and is evaluated first.

SNAT and DNAT with iptables:

Source address translation (SNAT), applied on the POSTROUTING chain of the nat table: iptables -t nat -A POSTROUTING -s <private IP> -j SNAT --to-source <public IP>

Destination address translation (DNAT), applied on the PREROUTING chain of the nat table: iptables -t nat -A PREROUTING -d <public IP> -j DNAT --to-destination <private IP>

The iptables command in detail

Commonly used iptables command options:

-P: set the default policy of a chain (whether the door is closed or open by default), for example: iptables -P INPUT DROP or iptables -P INPUT ACCEPT
-F: flush, delete all rules in a chain (be careful which chain you flush)
-N: new, create a user-defined chain, for example: iptables -N inbound_tcp_web creates a chain named inbound_tcp_web (here meant to hold the rules for TCP web traffic)
-X: delete an empty user-defined chain
-Z: zero the packet and byte counters of a chain
-A: append a rule to the end of a chain
-I num: insert a rule at position num (at the top of the chain when num is omitted)
-R num: replace the rule at position num
-D num: delete the rule at position num
-L: list the rules in detail, for example: iptables -L -n -v
-s: the source IP address
-d: the destination IP address
DROP: discard the packet silently (unlike REJECT, which sends an error back to the sender)
ACCEPT: let the packet through
-p: the protocol the rule applies to, such as tcp
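The whitelist approach from the preface, the port-range example and the options above come together in the following script. It is an added example, not code from the article: it builds a host firewall for a VPS where SSH and the 700:800 range are reachable only from the admin address, while 80 and 443 are public. The admin address 11.129.35.45 is reused from the port-range example; the chain name admin_only, the public port list, the DRY_RUN switch and the conntrack match are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the article: a whitelist host firewall for a VPS
# with a public IP, built from the rules and options shown above.
# DRY_RUN=1 prints each command instead of executing it, so the rule order
# can be reviewed before it is applied to a live machine as root.

ADMIN_IP="${ADMIN_IP:-11.129.35.45}"             # the admin address from the port-range example
PUBLIC_PORTS="${PUBLIC_PORTS:-80 443}"           # constructed: services open to everyone
RESTRICTED_PORTS="${RESTRICTED_PORTS:-700:800}"  # only ADMIN_IP may reach this range
ADMIN_CHAIN="admin_only"                         # hypothetical user-defined chain name

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_host_firewall() {
    # Open the default policy first: if the script dies halfway through,
    # the machine stays reachable instead of locking you out.
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
    # -N creates the user-defined chain; if it already exists, just flush it.
    run iptables -N "$ADMIN_CHAIN" || run iptables -F "$ADMIN_CHAIN"
    # Loopback and replies to connections this host opened are always allowed.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH and the restricted range are handed to the admin-only chain.
    run iptables -A INPUT -p tcp --dport 22 -j "$ADMIN_CHAIN"
    run iptables -A INPUT -p tcp --dport "$RESTRICTED_PORTS" -j "$ADMIN_CHAIN"
    # Public services are open to any source (word splitting on PUBLIC_PORTS is intended).
    for port in $PUBLIC_PORTS; do
        run iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # The admin chain: accept the admin address, drop everyone else.
    run iptables -A "$ADMIN_CHAIN" -s "$ADMIN_IP" -j ACCEPT
    run iptables -A "$ADMIN_CHAIN" -j DROP
    # Close the door last, once every ACCEPT rule is in place.
    run iptables -P INPUT DROP
}

reset_host_firewall() {
    run iptables -P INPUT ACCEPT      # policy first, otherwise flushing leaves nothing reachable
    run iptables -F INPUT
    run iptables -F "$ADMIN_CHAIN"
    run iptables -X "$ADMIN_CHAIN"    # -X only removes an empty, unreferenced chain
    run iptables -Z INPUT             # zero the packet and byte counters
}

# Usage: DRY_RUN=1 sh firewall.sh apply   (review the commands)
#        sh firewall.sh apply             (as root, to apply them)
#        sh firewall.sh reset             (as root, to open everything again)
case "${1:-}" in
    apply) apply_host_firewall ;;
    reset) reset_host_firewall ;;
esac
```

The order inside apply_host_firewall is the point: the policy is relaxed before the chain is flushed and tightened only after every ACCEPT rule exists, and the ESTABLISHED,RELATED rule sits near the top so that replies to the host's own connections are never dropped.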

More examples:

[Example] Add an iptables rule that prohibits users from accessing the website www.sexy.com (the hostname is resolved once, when the rule is added, so the rule covers only the addresses it resolved to at that moment).

iptables -I FORWARD -d www.sexy.com -j DROP

[Example] Add iptables rules to prohibit users from accessing the website with IP address 20.20.20.20.

iptables -I FORWARD -d 20.20.20.20 -j DROP

[Example] Add iptables rules to prohibit clients with IP address 192.168.1.X from accessing the Internet.

iptables -I FORWARD -s 192.168.1.X -j DROP

[Example] Add iptables rules to prohibit all clients in the 192.168.1.0 subnet from accessing the Internet.

iptables -I FORWARD -s 192.168.1.0/24 -j DROP

[Example] Prohibit all clients in the 192.168.1.0 subnet from downloading over FTP (port 21).

iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 21 -j DROP

[Example] Redirect all HTTP requests arriving on eth0 to the web server at 192.168.1.x (DNAT).

iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.x:80

[Example] Drop all ICMP traffic arriving on ppp0.

iptables -I INPUT -i ppp0 -p icmp -j DROP
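The SNAT/DNAT commands from the earlier section and the FORWARD-chain examples above are the pieces of a NAT gateway; the script below assembles them. It is an added example, not the article's own code. The LAN subnet 192.168.1.0/24 and the FTP block are taken from the examples; the interface name eth0, the public address 203.0.113.10, the internal web server 192.168.1.10 and the DRY_RUN switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: a small NAT gateway that ties the
# SNAT/DNAT commands and the FORWARD-chain examples into one script.
# DRY_RUN=1 prints the commands instead of executing them.

WAN_IF="${WAN_IF:-eth0}"                    # interface carrying the public address (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # the subnet used in the examples above
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # constructed documentation address
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # constructed: the internal web server

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_nat_gateway() {
    # Without forwarding enabled the kernel never routes packets for other
    # hosts, so the FORWARD chain would never see them.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F
    run iptables -F FORWARD
    # SNAT: LAN traffic leaving the WAN interface is rewritten to the public address.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    # DNAT: HTTP arriving at the public address is sent to the internal web server.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # The nat table only rewrites addresses; the filter table still decides
    # whether a forwarded packet passes. With -A, rules are evaluated in the
    # order they are written, so the FTP block must come before the general
    # LAN ACCEPT or it would never match.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$LAN_NET" -p tcp --dport 21 -j DROP
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    # After DNAT the packet's destination is already the internal server.
    run iptables -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -P FORWARD DROP
}

# Usage: DRY_RUN=1 sh gateway.sh apply   (review)   /   sh gateway.sh apply   (as root)
case "${1:-}" in
    apply) apply_nat_gateway ;;
esac
```

Two things to keep in mind: a DNAT rule by itself opens nothing, because the forwarded packet must still pass the FORWARD chain, and the FORWARD rule for the DNAT target matches the rewritten destination (192.168.1.10), not the public address.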

Summary

That is the full content of this article. I hope it has some reference value for your study or work. If you have any questions, leave a message and we can discuss them. Thank you for your support of 123WORDPRESS.COM.
