Software firewall iptables under linux - firewall design

In the previous articles, we have introduced the tables and chains of iptables, as well as how to add rule chains, etc. Here, I would like to share with you a simple firewall rule. This article mainly sets the rules for the input chain of the filter. This article is equivalent to a practical iptables rule to help you deepen and consolidate the knowledge you have learned.

The application rules are as follows:

• Clear existing rules and clear all original rules.

• Set the default strategy, set the default strategy of the filter's input chain to drop, and set everything else to accept.

• Trust this machine, and the loopback network card lo must be set to trustworthy.

• Response data packets, the data packets that the host actively requests from the outside and respond can enter the local machine (establish/related)

• Reject Invalid data packets, invalid data packets are rejected (INVALID)

• White list, trust certain IPs or network addresses, etc.

• Black List, untrusted IP or network address, etc.

• Allow icmp packets, and release icmp packets

• Open some ports, some service ports It must be open to the outside world, such as ports 80, 443, 22, etc.

We are going to make three shell script files: iptables.rule, iptables.allow (whitelist), iptables .deny (blacklist) file. For these three files, I usually create a directory /etc/iptables first, and these three files exist in this directory.

Next, let’s look at the script content of this iptables.rule:

#!/bin/bash
# iptables rule

# 清楚默认规则
iptables -F
iptables -X
iptables -Z

# 修改默认策略
iptables -P INPUT  DROP
iptables -P FORWARD  ACCEPT
iptables -P OUTPUT  ACCEPT

# 信任本机
iptables -A INPUT -i lo -j ACCEPT 

# 响应数据包
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

# 拒绝无效数据包
iptables -A INPUT  -m state --state INVALID -j DROP

# 白名单
if [ -f "/etc/iptables/iptables.allow" ];then
    sh /etc/iptables/iptables.allow
fi

# 黑名单
if [ -f "/etc/iptables/iptables.deny" ];then
    sh /etc/iptables/iptables.deny
fi

# 允许icmp包
iptables -A INPUT -p icmp -j ACCEPT

# 开放部分端口
iptables -A INPUT -p tcp --dport 22  -j ACCEPT # ssh服务
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # www服务
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # ssl

# 保存规则
/usr/libexec/iptables/iptables.init save

For iptables.allow, we usually write the trusted IP or network address to this file, such as where the host is located The LAN is 192.168.1.0/24. If you want to trust the hosts in this LAN, you can write

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

in this file and iptables.deny is used to block certain malicious IP traffic from entering this file. For example, to block the IP address 8.210.247.5, you can write

iptables -A INPUT -s 8.210.247.5/32 -j DROP

in the file. At the end of iptables.rule, we use the command to save the firewall rules. Note that if you do not add this command, the The rules will only take effect at zero time. When iptables is restarted or the system is restarted, the rules we set before will become invalid.

Related recommendations: "linux course"

The above is the detailed content of Software firewall iptables under linux - firewall design. For more information, please follow other related articles on the PHP Chinese website!