iptables
The iptables service processes and filters traffic according to policy items (rules). Several rules together form a rule chain, and the chains are categorized by the point at which a packet is processed:
PREROUTING: processing packets before routing;
INPUT: processing incoming packets;
OUTPUT: processing outgoing packets;
FORWARD: processing forwarded packets;
POSTROUTING: processing packets after routing.
Generally, traffic sent from the internal network to the external network is controllable and benign, so the INPUT chain is the one used most: it is what makes it harder for an attacker on the external network to break into the internal network.
Basic parameters in iptables
Common parameters and functions in iptables
| Parameter | Effect |
| --- | --- |
| -P | Set the default policy of a chain |
| -F | Flush (clear) the rule chain |
| -L | List the rule chain |
| -A | Append a new rule at the end of the rule chain |
| -I num | Insert a new rule at the head of the rule chain (or at position num) |
| -D num | Delete the rule at position num |
| -s | Match the source address (IP/MASK); a leading "!" excludes that address |
| -d | Match the destination address |
| -i interface | Match packets coming in through this network interface |
| -o interface | Match packets going out through this network interface |
| -p | Match a protocol, such as tcp, udp or icmp |
| --dport num | Match the destination port number |
| --sport num | Match the source port number |
Add the -L parameter after the iptables command to view the existing firewall rule chains:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Add the -F parameter after the iptables command to clear the existing firewall rule chains:
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Set the default policy of the INPUT rule chain to reject (DROP) traffic:
[root@localhost ~]# iptables -P INPUT DROP
Configure the INPUT rule chain to allow only hosts in the specified network segment to access port 22 on the local machine, and reject that traffic from all other hosts:
[root@localhost ~]# iptables -I INPUT -s 10.6.12.0/24 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j REJECT
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.6.12.0/24 anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:ssh reject-with icmp-port-unreachable
Firewall rules are matched from top to bottom and the first match wins, so it is important to place the allow rule before the reject rule. Otherwise the reject rule matches first and all of that traffic is rejected, including traffic from the allowed segment.
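That ordering can be checked before anything is applied. The following script is an added example and not part of the original article: it generates the INPUT rules described above (with the conntrack and icmp ACCEPTs seen in the earlier listing), verifies that the ACCEPT for the port precedes the REJECT, and only runs the commands when APPLY=1 is set; the segment and port arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Generates the INPUT chain
# described above in the correct order and checks that order before applying.
# Assumptions: segment and port are arguments; the conntrack and icmp ACCEPTs
# mirror the rules visible in the article's "iptables -L" listing.

# gen_input_rules SEGMENT PORT: print the iptables commands, one per line.
# Appending (-A) in this order puts the segment ACCEPT above the catch-all
# REJECT; the REJECT gives a clean refusal instead of a silent DROP.
gen_input_rules() {
    seg=$1; port=$2
    printf '%s\n' \
        "iptables -F INPUT" \
        "iptables -P INPUT DROP" \
        "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -A INPUT -p icmp -j ACCEPT" \
        "iptables -A INPUT -s $seg -p tcp --dport $port -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport $port -j REJECT"
}

# check_order PORT: read a rule list on stdin; succeed only if an ACCEPT for
# that port appears before the first REJECT for it (first match wins).
check_order() {
    awk -v p="$1" '
        $0 ~ ("--dport " p " -j ACCEPT") && !rej { ok = 1 }
        $0 ~ ("--dport " p " -j REJECT") { rej = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# apply_rules: run each line read from stdin (needs root and iptables).
apply_rules() {
    while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Print the ruleset, verify the order, apply only when APPLY=1 is set.
rules=$(gen_input_rules "${1:-10.6.12.0/24}" "${2:-22}")
printf '%s\n' "$rules"
if ! printf '%s\n' "$rules" | check_order "${2:-22}"; then
    echo "refusing to apply: ACCEPT must precede REJECT" >&2
    exit 1
fi
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | apply_rules
fi
```

Run it as `sh rules.sh 10.6.12.0/24 22` to review the generated commands, and with `APPLY=1` in front to install them.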
Testing with CRT:
First, access from a host in 192.168.72.0/24 is denied:
Connection timed out
Access from a host in 10.6.72.0/24 succeeds:
Last login: Sat Aug 31 11:43:09 2019 from 10.6.12.47
[root@localhost ~]#