
8.2.2 Basic command parameters

May 24, 2021 · From the book "Linux Should Learn It This Way"
iptables is a command-line firewall policy management tool with a large number of parameters, which makes it hard to learn. Fortunately, for day-to-day firewall policy configuration we do not need to understand theoretical concepts such as the "four tables and five chains"; mastering the commonly used parameters and combining them flexibly is enough to handle daily work.

The iptables command matches traffic on information such as the source address, destination address, transport protocol and service type; once a match succeeds, iptables handles the traffic according to the action preset in the policy rule. Also, once again, firewall policy rules are matched from top to bottom, so place the stricter, higher-priority rules first to avoid mistakes. Table 8-1 summarizes the commonly used iptables command parameters. We do not need to memorize these parameters by rote; working through the experiments below is enough to understand and master them.

Table 8-1 Commonly used iptables parameters and their effects

| Parameter | Action |
|---|---|
| -P | Set the default policy |
| -F | Flush (empty) the rule chain |
| -L | List the rule chain |
| -A | Append a new rule at the end of the rule chain |
| -I num | Insert a new rule at the head of the rule chain |
| -D num | Delete a rule |
| -s | Match the source address IP/MASK; an exclamation mark "!" means every address except this one |
| -d | Match the destination address |
| -i interface | Match traffic coming in through this network interface |
| -o interface | Match traffic going out through this network interface |
| -p | Match the protocol, such as TCP, UDP or ICMP |
| --dport num | Match the destination port number |
| --sport num | Match the source port number |

Add the -L parameter after the iptables command to view the existing firewall rule chains:

```
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
..................Some output omitted..................
```

Add the -F parameter after the iptables command to flush the existing firewall rule chains:

```
[root@linuxprobe ~]# iptables -F
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
..................Some output omitted..................
```

Set the default policy of the INPUT rule chain to deny:

```
[root@linuxprobe ~]# iptables -P INPUT DROP
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
............Some output omitted............
```

As mentioned earlier, a firewall policy does one of only two things: "allow" or "block". When the default policy of the INPUT chain is set to deny, the allow rules must be written inside the chain explicitly, otherwise all incoming packets are refused by default. Students should also note that the default deny action of a rule chain can only be DROP, not REJECT.
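Because a chain whose policy is DROP refuses everything that is not explicitly allowed, the order in which the allow rules and the policy change are applied matters: switch the policy first while logged in over SSH and the session is cut off. The script below is an added example and not code from the book. It emits the commands for a default-deny INPUT chain in a safe order (loopback, established connections, ICMP, then SSH from an assumed management subnet MGMT_NET, defaulting to the lab segment used on this page) and refuses to apply them unless the SSH allow rule comes before the DROP policy.

```shell
#!/bin/sh
# Added example: move the INPUT chain to a default-deny policy without cutting off
# your own SSH session. MGMT_NET is an assumed management subnet (the book's lab
# segment is used as the default); override it through the environment.
MGMT_NET="${MGMT_NET:-192.168.10.0/24}"

# Emit the commands in the order they must run: every ACCEPT first, the DROP
# policy last. Emitting rather than running lets you review the plan first.
input_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# 1-based line number of the first emitted command matching PATTERN, 0 if none.
rule_index() {
    idx=$(input_rules | grep -n -e "$1" | head -n 1 | cut -d: -f1)
    echo "${idx:-0}"
}

# Guard: the SSH allow rule must exist and must come before the DROP policy.
check_order() {
    ssh_idx=$(rule_index '--dport 22 -j ACCEPT')
    drop_idx=$(rule_index '-P INPUT DROP')
    [ "$ssh_idx" -gt 0 ] && [ "$drop_idx" -gt "$ssh_idx" ]
}

# Apply only when the ordering guard passes; needs root and iptables on the host.
apply_rules() {
    if ! check_order; then
        echo "refusing to apply: SSH allow rule is not ahead of the DROP policy" >&2
        return 1
    fi
    input_rules | sh -e
}

if [ "${1-}" = "--apply" ]; then
    apply_rules
else
    input_rules   # dry run: print the plan without touching the firewall
fi
```

Run it without arguments to review the plan, then with `--apply` (as root) to load it. Because the chain is flushed and rebuilt in one pass with the policy change last, a connection from MGMT_NET is never without a matching ACCEPT rule.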

Add a policy rule to the INPUT chain that allows ICMP traffic in:

In daily operations the ping command is often used to check whether another host is online; adding a rule to the firewall's INPUT chain that allows ICMP traffic in permits this ping-based check by default.

```
[root@linuxprobe ~]# iptables -I INPUT -p icmp -j ACCEPT
[root@linuxprobe ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
64 bytes from 192.168.10.10: icmp_seq=1 ttl=64 time=0.156 ms
64 bytes from 192.168.10.10: icmp_seq=2 ttl=64 time=0.117 ms
64 bytes from 192.168.10.10: icmp_seq=3 ttl=64 time=0.099 ms
64 bytes from 192.168.10.10: icmp_seq=4 ttl=64 time=0.090 ms

--- 192.168.10.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.090/0.115/0.156/0.027 ms
```

Delete the rule just added to the INPUT chain (allow ICMP traffic) and set the default policy back to allow:

```
[root@linuxprobe ~]# iptables -D INPUT 1
[root@linuxprobe ~]# iptables -P INPUT ACCEPT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
..................Some output omitted..................
```

Set the INPUT chain so that only hosts in the specified network segment may access port 22 of this machine, denying traffic from all other hosts:

```
[root@linuxprobe ~]# iptables -I INPUT -s 192.168.10.0/24 -p tcp --dport 22 -j ACCEPT
[root@linuxprobe ~]# iptables -A INPUT -p tcp --dport 22 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.10.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
..................Some output omitted..................
```

Again, firewall policy rules are matched from top to bottom, so be sure to put the allow action before the deny action; otherwise all traffic is denied and no host can access our service. The port 22 mentioned here is used by the ssh service (see the next chapter for ssh). Mr. Liu Wei has deliberately left a hole here; we can verify the effect of this experiment once we have studied Chapter 9.
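An ACCEPT rule that can never match because a broader REJECT sits above it is exactly the mistake this paragraph warns about, and it is easy to audit mechanically. The script below is an added example and not part of the book: it reads `iptables -S INPUT` output (a constructed sample is embedded; `--live` reads the real chain on the host) and reports every ACCEPT on a destination port that is preceded by an any-source REJECT or DROP on the same port. The rule numbers it reports count the -A lines from 1, the same positions that `iptables -L INPUT --line-numbers` shows and that `-D INPUT num` deletes.

```shell
#!/bin/sh
# Added example: audit an INPUT chain for ACCEPT rules shadowed by an earlier,
# broader REJECT/DROP on the same destination port. Input is `iptables -S INPUT`
# output, one rule per line.

# Constructed sample (not captured from the book's lab): the catch-all REJECT on
# port 22 sits above the subnet ACCEPT, so the ACCEPT can never match.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Print one line per shadowed ACCEPT:
#   "port P: ACCEPT at rule N is shadowed by T at rule M"
# Rule numbers count -A lines from 1, matching `iptables -L INPUT --line-numbers`.
find_shadowed() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ {
            n++
            port = ""; src = "any"; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (port == "") next
            # remember the first any-source deny seen for this port
            if (src == "any" && (target == "REJECT" || target == "DROP") && !(port in deny_at)) {
                deny_at[port] = n; deny_by[port] = target
            } else if (target == "ACCEPT" && (port in deny_at)) {
                printf "port %s: ACCEPT at rule %d is shadowed by %s at rule %d\n",
                       port, n, deny_by[port], deny_at[port]
            }
        }'
}

# Exit 1 when anything is shadowed so this can gate a deployment script.
audit() {
    findings=$(find_shadowed "$1")
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

if [ "${1-}" = "--live" ]; then
    audit "$(iptables -S INPUT)"   # needs root and iptables on the host
else
    find_shadowed "$SAMPLE_RULES"  # demo on the constructed sample
fi
```

On the sample the script reports that the port 22 ACCEPT at rule 2 is shadowed by the REJECT at rule 1; with the two rules in the order the book uses (ACCEPT inserted first, REJECT appended after) it reports nothing and `audit` exits 0.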

After setting up the INPUT chain above, we access port 22 of the server (that is, the host on which the INPUT chain was configured) from an IP address in the 192.168.10.0/24 segment, with the following result:

```
[root@Client A ~]# ssh 192.168.10.10
The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
ECDSA key fingerprint is 70:3b:5d:37:96:7b:2e:a5:28:0d:7e:dc:47:6a:fe:5c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:
Last login: Sun Feb 12 01:50:25 2017
[root@Client A ~]#
```

Then we again access port 22 of the server, this time from a host in the 192.168.20.0/24 segment (a different segment, but one confirmed to be able to communicate with the server); as shown below, the connection request is refused (Connection failed):

```
[root@Client B ~]# ssh 192.168.10.10
Connecting to 192.168.10.10:22...
Could not connect to '192.168.10.10' (port 22): Connection failed.
```

Add a policy rule to the INPUT chain that denies all hosts access to port 12345:

```
[root@linuxprobe ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@linuxprobe ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.10.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
..................Some output omitted..................
```

Add a policy rule to the INPUT chain that denies host 192.168.10.5 access to local port 80 (the web service):

```
[root@linuxprobe ~]# iptables -I INPUT -p tcp -s 192.168.10.5 --dport 80 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.10.5         anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.10.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
..................Some output omitted..................
```

Add a policy rule to the INPUT chain that denies all hosts access to local ports 1000 to 1024:

```
[root@linuxprobe ~]# iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT
[root@linuxprobe ~]# iptables -A INPUT -p udp --dport 1000:1024 -j REJECT
[root@linuxprobe ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  192.168.10.5         anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:italk reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:italk reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.10.0/24      anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpts:cadlock2:1024 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpts:cadlock2:1024 reject-with icmp-port-unreachable
..................Some output omitted..................
```

That concludes the iptables command. Given the direction Linux firewalls are taking, being able to absorb and digest the examples above is entirely enough to handle daily iptables configuration work. Note, however, that firewall rules configured with the iptables command are lost the next time the system restarts; to make the configured firewall policy take effect permanently, run the save command:

```
[root@linuxprobe ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
```