Detailed IPTABLES configuration under Linux

  
 

If you are not yet familiar with the basics of IPTABLES, it is recommended that you review them first.

Let us start by configuring a firewall for the filter table.

(1) View the machine's current IPTABLES settings

    [root@tp ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain RH-Firewall-1-INPUT (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

When I installed Linux I chose to enable the firewall and opened ports 22, 80 and 25, which is what the RH-Firewall-1-INPUT chain above reflects. (Add -v to the listing to also see interface restrictions and packet counters, which -L alone hides.) If you did not enable the firewall when installing Linux, the listing looks like this instead:

    [root@tp ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

That is, no rules at all.

(2) Clear the existing rules

Whether or not you enabled the firewall when installing Linux, if you want to configure your own firewall, first clear all rules currently in the filter table:

    [root@tp ~]# iptables -F
    [root@tp ~]# iptables -X

iptables -F flushes the rules from every chain of the default table (filter); iptables -X then deletes the user-defined chains in that table (such as RH-Firewall-1-INPUT above; a chain can only be deleted once it is empty and no longer referenced, which the preceding -F ensures). Check again:

    [root@tp ~]# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

Nothing is left, exactly as if we had not enabled the firewall at install time. A note in advance: these settings behave like an IP address configured from the command line; they are lost on reboot. To save them:

    [root@tp ~]# /etc/rc.d/init.d/iptables save

This writes the current rules to /etc/sysconfig/iptables, the file that is loaded at boot. The rules you typed are already active; after saving, restart the firewall service so that it reloads from that file and you can confirm that the saved set is what you expect:

    [root@tp ~]# service iptables restart

The IPTABLES configuration table is now empty, so we start our own configuration.

(3) Set the default policies

    [root@tp ~]# iptables -P INPUT DROP
    [root@tp ~]# iptables -P OUTPUT ACCEPT
    [root@tp ~]# iptables -P FORWARD DROP

The meaning is: when a packet matches none of the rules in the INPUT or FORWARD chain of the filter table, it is handled by the chain's policy, here DROP (discarded). This is a safe configuration: we want to control the flow of incoming packets. For the OUTPUT chain, that is, packets leaving the machine, we do not impose many restrictions and use ACCEPT, so a packet matching no rule is passed. In other words, the rules in INPUT and FORWARD list what is allowed through (a whitelist), while the rules in OUTPUT list what is not allowed (a blacklist). This is a reasonable arrangement. You can of course set all three chains to DROP, but I do not think it is necessary, and the number of rules you must write grows. If you only want a small number of rules, for instance if the machine is only a web server, then setting all three chains to DROP is recommended.

Note: if you are logged in over SSH, you will be cut off as soon as you enter the first of these commands, because no rule has yet been written to let anything through. Do this at the local console!

(4) Add rules

Start with the INPUT chain. Its default policy is DROP, so what we write here are the rules that ACCEPT (pass) traffic. To be able to log in remotely over SSH, open port 22:

    [root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    [root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(Note: the OUTPUT rule is only needed if you set the OUTPUT policy to DROP. Many people forget this rule and then can never SSH in from a remote machine, without understanding why. Other ports work the same way; if you run a web server with OUTPUT set to DROP, also add:

    [root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

and likewise for the others.)

If the machine is a web server, open port 80:

    [root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

If it is a mail server, open ports 25 and 110:

    [root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    [root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

If it is an FTP server, open port 21 (and 20, the data port used by active-mode transfers; passive-mode transfers use a server-chosen high port instead, so they additionally need the FTP connection-tracking helper or an explicitly opened passive port range):

    [root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    [root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

If it is a DNS server, open port 53:

    [root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

(Most DNS queries travel over UDP, so a DNS server also needs the same rule with -p udp; TCP alone only covers zone transfers and oversized responses.)

If you run other services, open whichever ports they need in the same way. The above mainly covers the INPUT chain; anything not matched by these rules is dropped by the policy. Allow ICMP packets, that is, allow ping:

    [root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if OUTPUT is set to DROP)
    [root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (since INPUT is set to DROP)

Allow loopback traffic! (Otherwise local services such as DNS resolution will not work properly.)

    [root@tp ~]# iptables -A INPUT -i lo -p all -j ACCEPT     (since INPUT is set to DROP)
    [root@tp ~]# iptables -A OUTPUT -o lo -p all -j ACCEPT    (if OUTPUT is set to DROP)

One more consequence of the INPUT policy DROP: replies to connections that the server itself opens (its own DNS lookups, package downloads) also arrive on INPUT, match none of the --dport rules above, and are dropped. The stock Red Hat chain in step (1) handles this with its rule accepting packets in state RELATED,ESTABLISHED; a hand-written INPUT chain needs the same rule.
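Steps (2) through (4) assembled into one reviewable ruleset, as an added example that is not from the original article. It writes the rules in the format iptables-save produces, so the whole set can be loaded atomically with iptables-restore (there is then no window between -P INPUT DROP and the port-22 rule in which an SSH session is cut off), and it includes the ESTABLISHED,RELATED rule that the stock Red Hat chain in step (1) has. The service port list, the file names in the usage comment and the helper names build_ruleset and count_rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: build the filter-table
# ruleset of steps (2)-(4) as an iptables-restore file.  Loading a whole
# file with iptables-restore is atomic, so there is no moment at which the
# INPUT policy is DROP but the port-22 rule is not yet in place.
# The service list is an assumption for this example; adjust it per host.

TCP_PORTS="22 80 25 110"   # SSH, HTTP, SMTP, POP3 (assumed service set)
UDP_PORTS="53"             # DNS is mostly UDP; the article only opens TCP 53

# build_ruleset [tcp_ports] [udp_ports]: print the ruleset in the format
# that iptables-save writes and iptables-restore reads.
build_ruleset() {
    tcp_ports=${1-$TCP_PORTS}
    udp_ports=${2-$UDP_PORTS}
    echo '*filter'
    # Step (3): INPUT and FORWARD are whitelists, OUTPUT stays open.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback first: the local resolver and other local sockets need it.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (its own DNS lookups, package
    # downloads) would otherwise be dropped by the INPUT policy.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Allow ping and other ICMP.
    echo '-A INPUT -p icmp -j ACCEPT'
    # Step (4): one ACCEPT per published service port.
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# count_rules [tcp_ports] [udp_ports]: number of -A rules in the ruleset,
# a quick sanity check before loading it.
count_rules() {
    build_ruleset "$@" | grep -c '^-A'
}

# Usage (as root; file names are assumptions of this example):
#   sh build-fw.sh print > /tmp/iptables.rules   # review the file first
#   iptables-restore < /tmp/iptables.rules       # load the whole set at once
#   /etc/rc.d/init.d/iptables save               # persist, as in step (2)
case "${1-}" in
    print) build_ruleset ;;
esac
```

Review the generated file before loading it; with the default lists it contains eight -A rules, and the loopback and ESTABLISHED,RELATED rules deliberately come before the per-port rules so that return traffic is accepted without consulting the rest of the chain.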

Next we write the OUTPUT chain. Its default policy is ACCEPT, so what we write here are the rules that need to DROP (discard) traffic.
