
Software firewall iptables under Linux - definition and deletion of rules

齐天大圣 (Original)
2020-11-18 15:22:53

The previous article introduced the iptables firewall and showed how to view and clear rules. Today we demonstrate how to write firewall rules. At work we mostly write rules for the filter table, so the demonstration here uses the filter table.

Preparation work

Before writing rules, first stop the firewalld service, start the iptables service, and then clear the existing rules (-F flushes all rules, -X deletes user-defined chains, -Z zeroes the packet and byte counters).

# systemctl stop firewalld
# systemctl start iptables
# iptables -F
# iptables -X
# iptables -Z

Add a new rule

There are many options when adding a rule to an iptables chain. The basic usage is:

iptables [-t table] -A|I chain [-i|o interface] [-m state] [--state packet-state] \
> [-p protocol]  [-s source --sport port-range] [-d destination --dport port-range] \
> -j [ACCEPT|DROP|REJECT]

Options and parameters:

  • -A|I chain: A appends the rule after the existing rules, while I inserts it at the front of the chain

  • -i|o interface: i is the interface through which the packet enters and is used with the INPUT or PREROUTING chain; o is the interface through which the packet leaves and is used with the OUTPUT chain

  • -p protocol: common values are tcp, udp, icmp and all

  • -m state: load the connection-state match module

  • --state packet state: common states are INVALID (invalid packet), ESTABLISHED (part of an already established connection), NEW (packet that opens a new connection), RELATED (new connection associated with an existing connection)

  • -s source address: either a single IP address such as 192.168.1.110 or a network address such as 192.168.1.0/24

  • -d destination address: same form as -s

  • -j target: the action to take; common targets are ACCEPT (accept), DROP (silently discard), REJECT (refuse and send an error back)

Rules for IP addresses, networks, and network interfaces

Below are several rule examples. We allow packets sent from 192.168.1.110 and drop packets sent from 192.168.1.111.

# iptables -A INPUT -s 192.168.1.110 -j ACCEPT
# iptables -I INPUT -s 192.168.1.111 -j DROP

# iptables -vnL
Chain INPUT (policy ACCEPT 33 packets, 3048 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 18 packets, 1844 bytes)
 pkts bytes target     prot opt in     out     source               destination

Allow 192.168.1.0/24 network address access

# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 2328 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 15 packets, 1460 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now consider a question: will a packet from 192.168.1.111 be accepted or dropped? Judging by the first INPUT rule it is dropped, but judging by the last rule it is accepted. The answer is that it is dropped. Once a packet matches a rule, the rules after it are not consulted, so the order of rules in a chain matters a great deal.

Next case: anything arriving on the local loopback interface lo is allowed.

# iptables -A INPUT -i lo -j ACCEPT

Rules for ports

Block all packets entering local port 21:

# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Open all ports between 1024 and 65534. A continuous range is written as port:port.

# iptables -A INPUT -i eth0 -p tcp --dport 1024:65534 -j ACCEPT

Now look at two combined rules:

Port 3306 on this machine is not open to the 192.168.1.0/24 network.

The local ssh service does not accept packets coming from source ports 1024:65535 of the 192.168.1.0/24 network.

# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 3306 -j DROP
# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65535 --dport 22 -j DROP
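To make the first-match behaviour from the 192.168.1.111 question above and the port rules in this section concrete, here is an added example (not from the original article) that simulates an INPUT chain in plain POSIX shell. The rule table is constructed here to mirror the rules shown on the page; CIDR matching and port ranges are implemented by hand, so it runs without root or iptables.

```shell
#!/bin/sh
# Constructed rule table, in the order the rules sit in the chain.
# fields: source-CIDR proto dport target  ("-" means "any")
RULES="192.168.1.111/32 - - DROP
192.168.1.110/32 - - ACCEPT
192.168.1.0/24 tcp 3306 DROP
192.168.1.0/24 - - ACCEPT
0.0.0.0/0 tcp 21 DROP
0.0.0.0/0 tcp 1024:65534 ACCEPT"
POLICY=ACCEPT   # chain policy used when no rule matches

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  set -- $(echo "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> success if IP lies inside the network
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( ( ((1 << 32) - 1) << (32 - bits) ) & ((1 << 32) - 1) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# port_match PORT SPEC -> SPEC is "-", a single port, or "low:high"
port_match() {
  case $2 in
    -)   return 0 ;;
    *:*) [ "$1" -ge "${2%:*}" ] && [ "$1" -le "${2#*:}" ] ;;
    *)   [ "$1" -eq "$2" ] ;;
  esac
}

# first_match SRC_IP PROTO DPORT -> prints the target of the first matching
# rule; later rules are never consulted, exactly like iptables.
first_match() {
  while read cidr proto dport target; do
    in_cidr "$1" "$cidr" || continue
    [ "$proto" = "-" ] || [ "$proto" = "$2" ] || continue
    port_match "$3" "$dport" || continue
    echo "$target"; return 0
  done <<EOF
$RULES
EOF
  echo "$POLICY"
}
```

Note that 192.168.1.110 reaches port 3306 even though the 3306 DROP covers its network, because its ACCEPT sits earlier in the chain; reorder the rules and the outcome changes.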

Rules based on connection state

Common packet states are INVALID (invalid packet), ESTABLISHED (part of an already established connection), NEW (packet that opens a new connection) and RELATED (new connection associated with an existing connection).

Accept all packets in the ESTABLISHED and RELATED states, and drop all packets in the INVALID state:

# iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# iptables -A INPUT -m state --state INVALID -j DROP

Delete rules

Deleting a rule is essentially the same as adding one, except that -A is replaced with -D and the rule specification must match the existing rule exactly. Let's delete a few rules together. First list the current rules with iptables-save:

# iptables-save
# Generated by iptables-save v1.4.21 on Sun Nov 15 22:36:41 2020
*filter
:INPUT ACCEPT [4:1920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1380]
-A INPUT -s 192.168.1.111/32 -j DROP
-A INPUT -s 192.168.1.110/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
……

# iptables -t filter -D INPUT -s 192.168.1.111/32 -j DROP
# iptables -D INPUT -s 192.168.1.110/32 -j ACCEPT

Note: the iptables settings above live only in memory. They disappear when the iptables service or the system is restarted, so as long as you don't lock yourself out, feel free to practice.

If you want the rules to persist, run /usr/libexec/iptables/iptables.init save.
