  Firewall chapter of Linux server security configuration
  Add Date : 2017-08-31      
  Linux iptables firewall concept

iptables (IP packet filter administration) is used to set up, maintain and inspect the IP packet filtering rules in the Linux kernel.

Several tables can be defined. Each table contains a number of built-in chains and may also contain user-defined chains. A chain is a list of rules that packets are matched against in order; each rule specifies what to do with a packet that matches it. This is called the "target", and a target can also be a jump to a user-defined chain in the same table.

From user space you build custom rules that are stored in the kernel's packet filtering tables. Each rule has a target, which tells the kernel what to do with packets that come from certain sources, travel to certain destinations, or carry a certain protocol. If a packet matches a rule with the target ACCEPT, it is allowed through. The targets DROP and REJECT discard the packet (REJECT additionally sends an error back to the sender). Many other targets exist for other operations that can be performed on a packet.

Rules are grouped into chains according to the kind of packet they handle. Rules for inbound packets are added to the INPUT chain, rules for locally generated outbound packets to the OUTPUT chain, and rules for packets being routed through the host to the FORWARD chain. These three are the built-in chains of the basic packet filtering table (filter). Other chains exist for other purposes (for example PREROUTING and POSTROUTING in the nat table), and you can add user-defined chains. Each built-in chain has a policy, the "default target": the action taken when a packet matches none of the rules in the chain.

Once the rules and chains are in place, the real packet filtering work begins, and control passes from user space to the kernel. When a packet reaches the firewall, the kernel inspects the packet header, in particular the destination address, to decide where the packet goes next. This process is called routing.

If the packet comes from outside and is addressed to the system itself, the kernel passes it to the INPUT chain of the filter table. If the packet was generated on this system and is headed for another system, it passes through the OUTPUT chain. Packets arriving from one external system and destined for another are passed to the FORWARD chain.

iptables Example 1:

#!/bin/sh

# Turn off packet forwarding while the rules are being replaced
echo 0 > /proc/sys/net/ipv4/ip_forward

# Clear the existing nat and filter rules and set the default INPUT policy.
# Note the ordering: the filter table is flushed and the policy is already DROP,
# so nothing is accepted until the rules below exist. Run this from the console,
# or load the whole set atomically with iptables-restore if you are on SSH.
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP

# TCP and UDP ports that must be reachable from outside
# (80 http, 22 ssh, 25 smtp, 1352 Lotus Notes/Domino, 53 dns)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 1352 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# Accept replies and related traffic of connections already being tracked.
# (On current kernels the same match is written -m conntrack --ctstate ESTABLISHED,RELATED.)
# There is no '-i lo -j ACCEPT' rule here, so with the DROP policy local services
# that talk to 127.0.0.1 on a port not listed above are cut off; add one if needed.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Re-enable IP forwarding. The FORWARD chain keeps the kernel default policy
# (ACCEPT) in this script, so set 'iptables -P FORWARD DROP' or add FORWARD rules
# if this host must not route between its interfaces.
echo 1 > /proc/sys/net/ipv4/ip_forward
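The caveats in example 1 (no loopback rule under a DROP policy, the DROP policy installed right after a flush and before the state rule, forwarding enabled with no FORWARD policy) are easy to miss in a longer script. The following Python is an added review aid, not code from the page or from the iptables project: it tokenises iptables command lines as text, never runs them, and reports those problems. EXAMPLE_ONE is a transcription of the script above; HARDENED is a constructed variant with the same services ordered safely; REDIRECT_LINE is the `--icmp-type 5` rule that appears in example 2 further down. The finding codes and messages are this example's own.

```python
"""Static review of iptables scripts for lockout and exposure problems.
Added example, not code from the page: it tokenises the command lines and
runs nothing.  Finding codes and messages are this example's own."""
import shlex
from typing import List, Optional, Set, Tuple

# Transcription of example 1 above (comments dropped).
EXAMPLE_ONE = """#!/bin/sh
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 1352
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
"""

# Constructed variant: loopback and state rules first, restrictive policies last.
HARDENED = """#!/bin/sh
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
"""

# The ICMP redirect rule from example 2 further down the page.
REDIRECT_LINE = "iptables -A INPUT -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT"


def parse(script: str) -> List[List[str]]:
    """Tokenise the iptables and ip_forward lines; comments and other commands are ignored."""
    out: List[List[str]] = []
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("iptables ") or (line.startswith("echo ") and "ip_forward" in line):
            out.append(shlex.split(line))
    return out


def opt(argv: List[str], *flags: str) -> Optional[str]:
    """Value that follows the first occurrence of any of the given flags, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in flags:
            return argv[i + 1]
    return None


def audit(script: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for one script."""
    drop_at: Optional[int] = None      # index of the first 'iptables -P INPUT DROP'
    state_at: Optional[int] = None     # index of the first ESTABLISHED/RELATED accept on INPUT
    loopback_ok = False
    forward_policy: Optional[str] = None
    forwarding_on = False
    findings: List[Tuple[str, str]] = []
    for i, argv in enumerate(parse(script)):
        if argv[0] == "echo":
            forwarding_on = argv[1] == "1"
            continue
        if (opt(argv, "-t", "--table") or "filter") != "filter":
            continue                                   # nat/mangle rules are out of scope here
        if "-P" in argv or "--policy" in argv:
            idx = argv.index("-P") if "-P" in argv else argv.index("--policy")
            if len(argv) > idx + 2:
                chain, policy = argv[idx + 1], argv[idx + 2]
                if chain == "INPUT" and policy == "DROP" and drop_at is None:
                    drop_at = i
                if chain == "FORWARD":
                    forward_policy = policy
            continue
        chain = opt(argv, "-A", "-I", "--append", "--insert")
        if chain is None or opt(argv, "-j", "--jump") != "ACCEPT":
            continue
        if chain == "INPUT" and opt(argv, "-i", "--in-interface") == "lo":
            loopback_ok = True
        state = opt(argv, "--state", "--ctstate") or ""
        if chain == "INPUT" and "ESTABLISHED" in state and state_at is None:
            state_at = i
        proto = (opt(argv, "-p", "--protocol") or "").lower()
        if proto == "icmp" and opt(argv, "--icmp-type") in ("5", "redirect"):
            findings.append(("ICMP_REDIRECT", "ICMP redirects (type 5) are accepted: a host on the "
                             "local link can rewrite this machine's routes. Drop them and set "
                             "net.ipv4.conf.all.accept_redirects=0."))
    if drop_at is not None:
        if not loopback_ok:
            findings.append(("NO_LOOPBACK", "INPUT policy DROP with no '-i lo -j ACCEPT': services "
                             "talking to 127.0.0.1 on unlisted ports lose their connections."))
        if state_at is None or state_at > drop_at:
            findings.append(("DROP_BEFORE_STATE", "'-P INPUT DROP' is applied before the "
                             "ESTABLISHED,RELATED rule exists; if the script stops in between, a "
                             "remote session is cut off. Set the policy last or use iptables-restore."))
    if forwarding_on and forward_policy is None:
        findings.append(("FORWARD_OPEN", "ip_forward is enabled but the FORWARD policy is never set; "
                         "the kernel default ACCEPT forwards any traffic between interfaces."))
    return findings


def codes(script: str) -> Set[str]:
    return {code for code, _ in audit(script)}


if __name__ == "__main__":
    for name, script in (("example 1", EXAMPLE_ONE), ("hardened", HARDENED)):
        print(name, "->", [c for c, _ in audit(script)] or "no findings")
```

Run it as a file to print the findings for the two scripts; `codes(open("myfirewall.sh").read())` does the same for your own script. The checks are intentionally textual (they look at flags, not at what the kernel would do), which is enough to catch the ordering mistakes that cause lockouts during deployment.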

iptables Example 2:

Note: in this example only the TCP/UDP port lists and the internal server network range need to be edited; everything else has sensible defaults.

#!/bin/sh
# Make: yongzhang
# Time: 2004-06-18
# E-mail: yongzhang@wiscom.com.cn

PATH=/sbin:/bin:/usr/sbin:/usr/bin

## TCP ports to allow
TPORTS="80 22"

## UDP ports to allow
UPORTS="53"

## Internal server IP range. The value is not given on the original page, so the
## script refuses to run until SERVER_IP is set in the environment (a network, e.g. a /24).
SERVER_IP="${SERVER_IP:?set SERVER_IP to the internal server network}"

## Disable forwarding while the rules are replaced
echo 0 > /proc/sys/net/ipv4/ip_forward

## Reset default policies (the FORWARD and OUTPUT lines are restored here; the
## original page shows only the INPUT one)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

## Delete all iptables rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

## Delete all non-default chains
iptables -X
iptables -t nat -X

## Default policies: drop inbound and forwarded traffic, let outbound through
## (OUTPUT ACCEPT is restored here; no OUTPUT rule other than loopback follows)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

## Allow ICMP: echo-reply (0), destination-unreachable (3), redirect (5),
## echo-request (8) and time-exceeded (11).
## Accepting redirects (type 5) lets a host on the local link alter this
## machine's routing table; drop them unless you rely on them, and set
## net.ipv4.conf.all.accept_redirects=0 so the kernel ignores them anyway.
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

## Forward replies and related traffic of connections already tracked
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## Same for traffic addressed to the router itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Accept internal packets on the internal interface
iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT

## Open ports on the router for server / services
for ATP in $TPORTS
do
    iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --dport $ATP -j ACCEPT
    iptables -A FORWARD -p tcp --dport $ATP -j ACCEPT
done

for AUP in $UPORTS
do
    iptables -A INPUT -p udp --dport $AUP -j ACCEPT
    iptables -A FORWARD -p udp --dport $AUP -j ACCEPT
done

## Bad-packets: drop INVALID packets. Appended this late the rule only sees
## packets the rules above did not accept; put it first for full effect.
iptables -A INPUT -p all -m state --state INVALID -j DROP

## Limit SYN flood (left disabled on the original page). Note that -f matches
## fragments, not SYN packets, so these lines would not rate-limit SYNs;
## '-p tcp --syn -m limit' would.
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

## Deny all ICMP packets on eth0, the external interface (disabled; the
## argument to -s is missing on the original page)
#iptables -A INPUT -i eth0 -s -p icmp -j DROP

## Allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

## Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipchains firewall:

ipchains concepts:

ipchains is used to install, maintain and inspect the IP firewall rules of the Linux kernel (the 2.2-series firewall that preceded iptables). Rules belong to one of four kinds of chain: the IP input chain, the IP output chain, the IP forward chain, and user-defined chains.

A firewall rule specifies which packets it matches and a target. When a packet comes in, the kernel uses the input chain to decide its fate. If it passes, the kernel decides where to send the packet next (this step is called routing). If it is to be sent to another machine, the kernel then consults the forward chain. When a packet matches a rule, what happens next is decided by the rule's target, which is either the name of a user-defined chain or one of the special values ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN.

ACCEPT lets the packet through. DENY discards the packet as if it had never been received. REJECT also discards the packet but (unless it is an ICMP packet) sends back an ICMP message telling the sender that the destination is unreachable; note that for ICMP packets DENY and REJECT therefore behave the same.

MASQ tells the kernel to masquerade the packet. It is only valid in the forward chain and in user-defined chains, and IP masquerading must be enabled when compiling the kernel for it to work.

REDIRECT is only valid in the input chain and in user-defined chains. It tells the kernel to deliver the packet to a local port regardless of where it was addressed. Only TCP and UDP packets can be redirected; the port (name or number) is given as the argument of -j REDIRECT, and the packet is then handed to that port even though it was addressed to another one. This requires CONFIG_IP_TRANSPARENT_PROXY to be enabled when compiling the kernel.

RETURN skips all remaining rules in the current chain, as if the packet had fallen off the end of it: in a built-in chain the chain's policy then applies, and in a user-defined chain control returns to the chain that called it.

Any other target names a user-defined chain, and the packet is passed to that chain. If that chain does not decide the packet's fate, then when it finishes, the packet continues with the next rule of the chain that called it.
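The chain, rule, target and policy model described for iptables above, and the ipchains target semantics just listed (RETURN, a user-defined chain falling off its end, REJECT behaving like DENY for ICMP), can be exercised with a small simulator. This is an added illustration, not code from the page or from either tool: the Packet fields, the chain name icmp_in and the use of the dport field to carry an ICMP type are assumptions made for the example, and a built-in chain with no policy set accepts, as in the kernel. The INPUT chain it builds is the one from iptables example 1, so you can see that a NEW connection to port 443 hits the DROP policy, a reply to an outbound connection is taken by the ESTABLISHED,RELATED rule, and a packet on the loopback interface to an unlisted port is dropped because that script has no `-i lo` rule.

```python
"""Chain-traversal simulator for the iptables/ipchains model described above.
Added illustration only: it executes nothing on the host and is not code from
the page or from either tool.  Packet fields, the chain name icmp_in and the
use of dport to carry an ICMP type are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VERDICTS = {"ACCEPT", "DROP", "DENY", "REJECT"}   # built-in final targets


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # TCP/UDP destination port; ICMP type is carried here too
    state: str = "NEW"      # connection-tracking view: NEW, ESTABLISHED, RELATED, INVALID
    iface: str = "eth0"     # interface the packet arrived on


@dataclass
class Rule:
    criteria: Dict[str, object]   # packet attribute -> value, or tuple of allowed values
    target: str                   # verdict, RETURN, or the name of a user-defined chain

    def matches(self, pkt: Packet) -> bool:
        for attr, want in self.criteria.items():
            have = getattr(pkt, attr)
            if not (have in want if isinstance(want, tuple) else have == want):
                return False
        return True


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # built-in chains carry one; user chains never do


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = Chain(policy=policy)

    def append(self, chain: str, target: str, **criteria: object) -> None:
        """Equivalent of 'iptables -A <chain> <criteria> -j <target>'."""
        self.chains[chain].rules.append(Rule(criteria, target))

    def _walk(self, name: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        """First matching rule wins; None means a user chain fell off its end."""
        if depth > 16:
            raise RuntimeError("chain jump loop")
        chain = self.chains[name]
        for rule in chain.rules:
            if not rule.matches(pkt):
                continue
            if rule.target in VERDICTS:
                return rule.target
            if rule.target == "RETURN":
                break                               # skip the rest of this chain
            verdict = self._walk(rule.target, pkt, depth + 1)   # jump into a user chain
            if verdict is not None:
                return verdict
            # the user chain decided nothing: carry on with the next rule here
        return chain.policy                         # None for a user chain

    def verdict(self, name: str, pkt: Packet) -> str:
        v = self._walk(name, pkt)
        return "ACCEPT" if v is None else v         # built-in chain with no policy set


def example_one_input() -> Firewall:
    """The INPUT chain of iptables example 1, in rule order."""
    fw = Firewall()
    fw.chain("INPUT", policy="DROP")
    for port in (80, 22, 25, 1352):
        fw.append("INPUT", "ACCEPT", proto="tcp", dport=port)
    fw.append("INPUT", "ACCEPT", proto="udp", dport=53)
    fw.append("INPUT", "ACCEPT", state=("ESTABLISHED", "RELATED"))
    return fw


def with_icmp_chain() -> Firewall:
    """Example 1 plus a user-defined ICMP chain showing jump, RETURN and fall-off."""
    fw = example_one_input()
    fw.chain("icmp_in")                                   # no policy: a user chain
    fw.chains["INPUT"].rules.insert(0, Rule({"proto": "icmp"}, "icmp_in"))
    fw.append("icmp_in", "DROP", dport=5)                 # ICMP redirect: drop
    fw.append("icmp_in", "RETURN", dport=3)               # unreachable: let INPUT decide
    fw.append("icmp_in", "ACCEPT", proto="icmp")          # every other ICMP type
    return fw


def reject_sends_icmp(pkt: Packet, verdict: str) -> bool:
    """ipchains semantics: REJECT answers with ICMP unreachable, except for ICMP
    packets, where it behaves exactly like DENY."""
    return verdict == "REJECT" and pkt.proto != "icmp"


if __name__ == "__main__":
    fw = example_one_input()
    for pkt in (Packet("tcp", 22), Packet("tcp", 443),
                Packet("tcp", 45000, state="ESTABLISHED"),
                Packet("tcp", 5432, iface="lo")):
        print(pkt, "->", fw.verdict("INPUT", pkt))
```

The icmp_in chain shows why RETURN is more than a no-op: a type 3 packet leaves icmp_in before reaching the catch-all ACCEPT at its end and is then judged by INPUT's remaining rules and policy, while a type 11 packet reaches that ACCEPT. Reordering the rules in example_one_input and re-running is the quickest way to confirm that, with first-match semantics, rule order and not rule count decides what a chain lets through.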

ipchains examples:

The lines below are ipchains commands; the built-in chains are named input, output and forward, and for TCP/UDP the port or port range follows the address given with -s or -d.

## Flush the input chain and set its default policy to REJECT
ipchains -F input
ipchains -P input REJECT

## Allow new connections (-y matches only SYN packets) to TCP ports 80, 81 and 22, and UDP port 123
ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 81 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT

## Apart from the ports allowed above, refuse TCP and UDP to ports 0-1023,
## 2049 (NFS), 6000-6009 (X11) and 7100 (X font server)
ipchains -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
ipchains -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

## Accept everything else arriving on the system's own interfaces.
## This makes the ruleset a deny-list: any unprivileged port not rejected
## above is reachable on eth0 and eth1, so keep the reject lines current.
ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT

## Flush the output chain and set its default policy to ACCEPT
ipchains -F output
ipchains -P output ACCEPT

## Flush the forward chain, set its default policy to DENY, and allow packets
## from the internal network to be forwarded with masquerading
ipchains -F forward
ipchains -P forward DENY
## (the internal network given to -s is missing on the original page; the
## command below refuses to run until INTERNAL_NET is set in the environment)
ipchains -A forward -s "${INTERNAL_NET:?set INTERNAL_NET to the internal network}" -j MASQ
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.