
Software firewall iptables under Linux - view and clear rules, define default policy

齐天大圣 (original article)
2020-11-18 15:19:01

A firewall lets a host restrict which IPs, ports or users may reach it. Firewalls fall into two categories: hardware firewalls and software firewalls. A software firewall runs on the host itself and filters packets; a hardware firewall is a dedicated appliance placed in front of the hosts that filters packets and is also built to absorb large volumes of malicious traffic, such as DDoS floods. This article covers the Linux software firewall, iptables.

iptables and firewalld

On CentOS 6 the default software firewall is iptables; on CentOS 7 it is firewalld. How are the two related? firewalld is not a different packet filter: it is a management layer (a daemon plus the firewall-cmd tool) that on CentOS 7 generates iptables rules for the same netfilter framework in the kernel. Both tools therefore edit the same rule set, which is why they should not be run side by side.

When learning iptables it is best to stop firewalld first and run the iptables service instead; otherwise firewalld will overwrite rules you add by hand.

yum install iptables-services      # provides the iptables service and /etc/sysconfig/iptables
systemctl stop firewalld           # stop firewalld so it no longer manages the rule set
systemctl disable firewalld        # and keep it from starting again at boot
systemctl start iptables           # load the rules from /etc/sysconfig/iptables
systemctl enable iptables          # reload them at every boot

iptables tables and chains

iptables is organised into tables, and each table serves a different purpose. The four tables used in practice are:

  • filter: packet filtering (accept, drop or reject); this is the default table

  • nat: network address translation (DNAT, SNAT, MASQUERADE)

  • mangle: altering packet headers (TTL, TOS, firewall marks)

  • raw: exempting packets from connection tracking (NOTRACK)

Each table carries its own built-in rule chains:

  • filter (INPUT / FORWARD / OUTPUT)

  • nat (PREROUTING / INPUT / OUTPUT / POSTROUTING; the nat INPUT chain exists on kernels 2.6.34 and later)

  • mangle (PREROUTING / INPUT / FORWARD / OUTPUT / POSTROUTING)

  • raw (PREROUTING / OUTPUT)

The chains have the following meanings; which chains a packet passes through depends on where it comes from and where it is going:

  • INPUT chain - packets addressed to the local host, checked after the routing decision

  • OUTPUT chain - packets generated by the local host

  • FORWARD chain - packets that arrive on one interface and are routed out through another (the host acts as a router); traffic to or from the host itself never passes through FORWARD

  • PREROUTING chain - every arriving packet, before the routing decision; destination NAT (DNAT) is done here, because the destination must be rewritten before the kernel decides where to send the packet

  • POSTROUTING chain - every departing packet, after the routing decision; source NAT (SNAT, MASQUERADE) is done here, once the outgoing interface is known

Viewing and clearing iptables rules

Viewing rules

Usage: iptables [-t table] -L [chain] [-nv] [--line-numbers]

Options and parameters:

  • -t table: the table to operate on; if omitted, the filter table is used

  • -L [chain]: list the rules of the given chain, or of every chain in the table

  • -n: print addresses and ports numerically, without reverse DNS or service-name lookups (much faster, and it avoids hanging when DNS is unreachable)

  • -v: verbose output, adding the packet and byte counters and the in/out interface columns

  • --line-numbers: number the rules; you need the number to delete (-D) or insert (-I) by position

    # View the rules of the filter table
    # iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
       67  4444 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
        2   286 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    Chain OUTPUT (policy ACCEPT 38 packets, 4664 bytes)
     pkts bytes target     prot opt in     out     source               destination  

    # View the rules of the nat table
    # iptables -t nat -nvL
The columns of the listing mean the following:

  • pkts / bytes: counters of the packets and bytes that have matched the rule so far (shown with -v)

  • target: what happens when the rule matches: ACCEPT (let the packet through), DROP (discard it silently), REJECT (discard it and send an ICMP error or TCP reset back), or the name of another chain to jump to

  • prot: the protocol the rule applies to: tcp, udp, icmp or all

  • opt: IP option flags; almost always "--"

  • in / out: the interface the packet must arrive on or leave by; "*" means any

  • source: the source address or network the rule matches; 0.0.0.0/0 means any

  • destination: the destination address or network the rule matches; 0.0.0.0/0 means any

  • the trailing text (state ..., tcp dpt:22, reject-with ...) comes from match extensions and target options

Rules in a chain are tried in order and the first rule that matches decides the packet's fate, so the five INPUT rules above read as follows:

  1. Any packet that belongs to an existing connection (ESTABLISHED) or is related to one (RELATED, e.g. an ICMP error or an FTP data connection) is accepted. Because this rule comes first, packets of a connection that was once allowed pass without being checked against the rules below.

  2. Any ICMP packet is accepted.

  3. Anything arriving on the loopback interface lo is accepted.

  4. A TCP packet that opens a new connection (state NEW) to port 22, i.e. SSH, is accepted.

  5. Everything else is rejected with an ICMP host-prohibited error.

The INPUT policy ACCEPT is never reached, because rule 5 catches every packet the first four did not match. The FORWARD chain rejects everything, so the host does not act as a router. OUTPUT has no rules, so locally generated traffic is allowed by its ACCEPT policy.

Clearing iptables rules

A freshly installed CentOS 7 with iptables-services already carries the rule set shown above, loaded from /etc/sysconfig/iptables. This section shows how to clear it.

Usage: iptables [-t table] [-F [chain]] [-X [chain]] [-Z [chain]]

Options and parameters:

  • -F (flush): delete all rules in the given chain, or in every chain of the table if no chain is named

  • -X: delete user-defined chains (a chain can only be deleted when it is empty and no rule references it, so -X is normally run after -F)

  • -Z: reset the packet and byte counters to zero

Each of these acts on one table only (filter by default), so nat, mangle and raw have to be cleared separately with -t. Note also that flushing removes the rules but leaves the chain policies untouched: if the INPUT policy is DROP, -F deletes the rules that let your SSH session in and locks you out. Set the policies back to ACCEPT (see the section on -P below) before flushing a table whose policy is DROP.

    # Flush the rules, delete the custom chains and zero the counters of the filter table
    # iptables -F
    # iptables -X
    # iptables -Z
    # Repeat with -t nat, -t mangle and -t raw for the other tables
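A reset that takes the caveat above into account, as an added example that is not from the article: it walks all four tables, sets every built-in chain's policy back to ACCEPT before flushing, and only then runs -F, -X and -Z. It assumes iptables is installed and the script runs as root; table_chains, reset_commands and reset_firewall are names chosen for this example, and DRY_RUN=1 makes it print the commands instead of running them so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original article. Reset iptables to an
# open, empty state in every table without locking yourself out.
# Assumes the iptables tool is installed and the caller is root;
# DRY_RUN=1 prints the commands instead of executing them.

# Built-in chains of each table (nat INPUT exists on kernels >= 2.6.34).
table_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "unknown table: $1" >&2; return 1 ;;
    esac
}

# Print the reset sequence for one table in a safe order: policies back
# to ACCEPT first, so that -F can never leave a DROP policy standing with
# no accept rules in front of it; then -F (rules), -X (the now-empty
# user-defined chains) and -Z (counters).
reset_commands() {
    t="$1"
    chains="$(table_chains "$t")" || return 1
    for c in $chains; do
        echo "iptables -t $t -P $c ACCEPT"
    done
    echo "iptables -t $t -F"
    echo "iptables -t $t -X"
    echo "iptables -t $t -Z"
}

# Run (or, with DRY_RUN=1, only print) the reset for all four tables.
reset_firewall() {
    for t in filter nat mangle raw; do
        reset_commands "$t"
    done | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd || echo "failed: $cmd" >&2
        fi
    done
}
```

Run `DRY_RUN=1 reset_firewall` first to see the 26 commands it would issue; the policy lines come before the flush of each table, which is the whole point of the ordering.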

Viewing the rules in save format

Use iptables-save to print the rules exactly as they were entered, in the -A ... form. This is the most precise view: every match and option is visible, and the output can be fed back into iptables-restore. In the output, *filter names the table and COMMIT closes it; each line starting with a colon gives a built-in chain, its policy and its packet:byte counters.

Usage: iptables-save [-t table]

# iptables-save -t filter
# Generated by iptables-save v1.4.21 on Sat Nov 14 21:51:56 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 
# Completed on Sat Nov 14 21:51:56 2020
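The two listings above (the -nvL view and the iptables-save dump) are read by hand in this article. The following helpers, added here and not part of the original, do the same reading with awk over an iptables-save dump so that it can be scripted, for example as a check before a rule change is applied. chain_policy, open_tcp_ports and port_accepted are names chosen for this example; SAMPLE is the article's own filter dump embedded as constructed input, and the functions read from stdin so that a live `iptables-save | open_tcp_ports` works the same way.

```shell
#!/bin/sh
# Added example, not from the original article: read an iptables-save
# dump without touching the live firewall. All functions take the dump
# on stdin. SAMPLE is the article's filter dump, embedded as test input.
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# chain_policy TABLE CHAIN -> policy of a built-in chain, taken from the
# ":CHAIN POLICY [pkts:bytes]" line inside the "*TABLE" ... "COMMIT" block.
chain_policy() {
    awk -v table="*$1" -v chain=":$2" '
        $1 == table             { in_table = 1; next }
        $1 == "COMMIT"          { in_table = 0 }
        in_table && $1 == chain { print $2; exit }'
}

# open_tcp_ports -> the --dport values of filter/INPUT rules that match
# "-p tcp" and end in "-j ACCEPT", one per line.
open_tcp_ports() {
    awk '
        $1 == "*filter" { in_filter = 1; next }
        $1 == "COMMIT"  { in_filter = 0 }
        in_filter && $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# port_accepted PORT -> exit 0 if INPUT has an explicit accept for that
# TCP port, 1 otherwise (useful as a pre-flight check for SSH).
port_accepted() {
    open_tcp_ports | grep -qx "$1"
}

# Typical use on a live system (root):
#   iptables-save | port_accepted 22 || echo "warning: no rule accepts SSH"
#   iptables-save | chain_policy filter INPUT
```

The parser deliberately only recognises a single `--dport N` on rules that accept `-p tcp`; rules that use `-m multiport --dports`, or that jump to a user-defined chain which accepts the port, are not followed, so treat a negative result as "check by hand" rather than "port closed".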

Defining the default policy

After the rules are cleared, only the chain policies remain. A policy is the verdict applied to a packet that reaches the end of a built-in chain without any rule having accepted, dropped or rejected it. It can be ACCEPT (let the packet through) or DROP (discard it silently); REJECT is not a valid policy. Only the built-in chains have a policy; a user-defined chain that runs out of rules returns to the chain that called it.

Usage: iptables [-t table] -P chain ACCEPT|DROP   (chain is INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING, depending on the table)

Now we set the INPUT policy of the filter table to DROP, and the OUTPUT and FORWARD policies to ACCEPT. On a remote machine, add the rules that accept loopback traffic, ESTABLISHED,RELATED packets and SSH before switching the policy, or load rules and policy together with iptables-restore; with the rules cleared as above, the first command alone cuts off every incoming packet, including your own session.

iptables -t filter -P INPUT DROP
# Note: once this command has run, your terminal session may be disconnected
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
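The safe way to make the change above, as an added example that is not part of the original article: the accept rules for loopback, established connections and SSH are loaded together with the DROP policy in one atomic iptables-restore, and a rollback timer puts the policy back to ACCEPT unless the operator confirms from a session that still works. It assumes iptables, iptables-save and iptables-restore are installed and the caller is root; build_policy_rules, apply_with_rollback and confirm_policy, and the paths /root/iptables.before and /run/iptables-rollback.pid, are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article. Switch the INPUT policy
# to DROP without losing the SSH session. Assumes iptables, iptables-save
# and iptables-restore are installed and the caller is root; the function
# names and file paths are this example's own.

# build_policy_rules PORT... -> an iptables-restore file for the filter
# table. Accept rules and the DROP policy are loaded by one atomic
# restore, so there is never a moment with the policy at DROP and no
# accept rules in place. "-m conntrack --ctstate" is the current form of
# the "-m state --state" match seen in the article's dump.
build_policy_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# apply_with_rollback RULES [SECONDS]: snapshot the current rules, load
# the new set, then arm a timer that puts the INPUT policy back to
# ACCEPT unless confirm_policy is called first. If the new rules cut the
# SSH session, the operator cannot confirm and the timer reopens the host.
apply_with_rollback() {
    rules="$1"; grace="${2:-60}"
    iptables-save > /root/iptables.before || return 1    # for manual recovery
    printf '%s\n' "$rules" | iptables-restore || return 1
    ( sleep "$grace" && iptables -P INPUT ACCEPT ) &
    echo "$!" > /run/iptables-rollback.pid
    echo "rules loaded; run confirm_policy within ${grace}s or INPUT falls back to ACCEPT"
}

# confirm_policy: kill the rollback timer once a fresh SSH login has
# proved that port 22 is still reachable under the new policy.
confirm_policy() {
    kill "$(cat /run/iptables-rollback.pid)" && rm -f /run/iptables-rollback.pid
}

# Typical use (as root):
#   apply_with_rollback "$(build_policy_rules 22 443)" 90
#   ... open a second SSH session to prove port 22 still answers ...
#   confirm_policy
```

If the rollback fires, the INPUT rules are still in place; only the policy has been relaxed, so the host is back to the state described at the start of this section and /root/iptables.before holds the rule set from before the change.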
