Configuring iptables firewall

Monday, 26 May 2014
In the Linux environment the most basic and most common software firewall is iptables; through it you can easily understand the working principles of a general firewall system. Here is the most basic knowledge of iptables that I have summarized.
iptables consists of three basic tables, FILTER, MANGLE and NAT (newer kernels add RAW and SECURITY, which are not covered here), and of chains inside each table. In the chains, the administrator creates rules that decide which packets are allowed into, through or out of the system protected by iptables. Their specific functions are as follows.
Mangle: used to modify header fields other than the addresses, for example the TOS/DSCP (quality of service) field of the IP header, the TTL, or a firewall mark that is used later for routing or QoS decisions. Note that the QoS bits live in the IP header, not in the TCP header.
Filter: exactly as its name suggests, it is used to filter packets. It contains the built-in chains:
+ FORWARD chain: filters packets that pass through the system on their way to another system.
+ INPUT chain: filters packets addressed to the system itself.
+ OUTPUT chain: filters packets generated by the system going out.

NAT: rewrites packet addresses. It contains the built-in chains:
+ PREROUTING: rewrites the destination address of a packet before it is routed by the system's routing table (destination NAT, DNAT).
+ POSTROUTING: the opposite of PREROUTING; it rewrites the source address of a packet after the system has routed it (source NAT, SNAT). The NAT table also has an OUTPUT chain, used for DNAT of packets generated locally.
Every rule you create belongs to a particular chain of a particular table. If you do not specify a table, iptables uses the FILTER table by default.

The order in which iptables processes a packet can be summarized in the following figure.
A packet arriving from outside is first checked by the PREROUTING chain to see whether it needs DNAT; only then is it routed. If the packet is destined for a different system (in the protected network) it is filtered by the FORWARD chain of the FILTER table and, if required, SNATed by the POSTROUTING chain before it reaches the target system.
When the target system answers, the reply follows the same path in the opposite direction. Note that in the figure the chains of the MANGLE table (PREROUTING, FORWARD and POSTROUTING) only change QoS (Quality of Service) characteristics of the packet; they do not decide whether it is allowed.
If the packet is addressed to the system itself (the system running iptables) it is filtered by the INPUT chain of the FILTER table and, if accepted, handed to the service (system service) running on the system. When the system sends a reply, the packet passes through the OUTPUT chain of the FILTER table and then through the POSTROUTING chain of the NAT table (for SNAT) or of the MANGLE table (if QoS marking is needed).


Targets and Jumps
An iptables rule compares the IP packet against its match conditions and, if they are satisfied, decides how the packet is handled (the target). Here are some built-in targets that are commonly used.
- ACCEPT: accept the packet and stop traversing the current chain. The packet can still be examined by chains of other tables further along the path (for example INPUT of the FILTER table after PREROUTING of the NAT table).
- DROP: silently discard the packet; no further processing.
- LOG: record information about the packet through the kernel log (syslog). LOG is non-terminating: iptables continues with the following rules, so a LOG rule is normally placed immediately before the DROP or REJECT it documents.
- REJECT: the same as DROP, but an error message (an ICMP error or, with --reject-with tcp-reset, a TCP RST) is sent back to the host that sent the packet.
- DNAT: rewrite the destination address (and optionally the port) of the packet; used in the PREROUTING and OUTPUT chains of the NAT table.
- SNAT: rewrite the source address of the packet to a fixed address; used in the POSTROUTING chain of the NAT table.
- MASQUERADE: a variant of SNAT that rewrites the source address to whatever address the outgoing interface currently has; intended for interfaces with dynamically assigned addresses.

To build rules you use options that describe the conditions a packet must match. Here are some commonly used options. Note that iptables options are case-sensitive: -p selects a protocol, while -P sets the default policy of a chain.
-t <table>: the table the rule is written to (default is filter).
-j <target>: jump to the target (processing action) defined above if the match conditions are satisfied.
-A <chain>: append the rule to the end of a chain.
-p <protocol>: match the packet's protocol (tcp, udp, icmp, ...).
-s <address>: match the packet's source address.
-d <address>: match the packet's destination address.
-i <interface>: match the network interface the packet arrives on.
-o <interface>: match the network interface the packet leaves through.
-p tcp --sport <port>: match the source port of a TCP packet.
-p tcp --dport <port>: match the destination port of a TCP packet.
-p udp --sport <port>: match the source port of a UDP packet.
-p udp --dport <port>: match the destination port of a UDP packet.
-p tcp --syn: match only packets that request a new TCP connection (SYN set, ACK and RST clear).
-p icmp --icmp-type <type>: match the ICMP message type (for example echo-request or echo-reply).
-m multiport --sports <port,port,...>: match a list of source ports (entries may be ranges such as 1024:65535).
-m multiport --dports <port,port,...>: match a list of destination ports.
-m multiport --ports <port,port,...>: match a list of ports regardless of whether they are source or destination.
-m state --state <state>: match the connection-tracking state of the packet (on current systems -m conntrack --ctstate is the preferred equivalent):
ESTABLISHED: the packet belongs to a connection that has already been established.
NEW: the packet starts a new connection.
RELATED: the packet starts a second connection that is related to an existing one (typically the FTP data connection, or an ICMP error referring to an existing connection).
INVALID: the packet cannot be associated with any known connection; such packets are usually dropped.

The following examples illustrate rules.

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT
Accept TCP packets from any IP address (-s 0/0) arriving on eth0 and addressed to 192.168.1.1.

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp \
    --sport 1024:65535 --dport 80 -j ACCEPT
Allow TCP packets from any IP address that arrive on eth0 to be forwarded out through eth1 to 192.168.1.58, provided the source port is in the range 1024 to 65535 and the destination port is 80 (www/http).

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
The system is allowed to ping out: it may send echo requests and receive the replies.

iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -i eth0 -j ACCEPT
Accept at most one ping (echo request) packet per second on eth0. The limit match only restricts what this one rule accepts; packets above the rate fall through to the following rules, so this only protects you if the INPUT policy is DROP or a later rule drops the excess.

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
Accept at most five TCP connection requests per second on eth0 (a simple defence against SYN flood attacks). The same caveat applies: without a DROP policy, or a following rule that drops the remaining SYN packets on eth0, the excess is still accepted. Note also that the limit counts all SYNs together, so a flood will also starve legitimate clients; the rule bounds the load on the host, not the availability of the service.

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp \
    --sport 1024:65535 -m multiport --dports 80,443 -j ACCEPT

iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p tcp \
    -m state --state ESTABLISHED -j ACCEPT
Open the web service on the system 192.168.1.58.
The first rule allows only TCP packets with a source port in the range 1024:65535 and a destination port of 80 or 443 (http, https), from any IP address, to be forwarded from eth0 to eth1 towards 192.168.1.58.
The second rule allows 192.168.1.58 to send its replies: TCP packets that belong to an already established connection are forwarded from eth1 out through eth0.
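As an added example (not part of the original post), here is the kind of ruleset discussed above written out in the iptables-save/iptables-restore format that the rest of this post uses. It combines the NAT chains (DNAT in PREROUTING, MASQUERADE in POSTROUTING) with the FORWARD and INPUT rules from the examples, and it shows the fix for the limit-rule pitfall: the chain policy is DROP, so whatever a rate-limited ACCEPT does not take is discarded. A small shell function writes the file so that it can be reviewed before being loaded; nothing in the script touches the live firewall. The topology is assumed, not taken from the post: eth0 is the outside interface, eth1 the inside one, 192.168.1.0/24 the protected network, 192.168.1.58 the web server, and the firewall itself is administered over SSH on port 22 from the inside.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset file for a two-interface
# firewall/router. Assumed topology (not from the original post):
#   eth0 = outside, eth1 = inside (192.168.1.0/24), web server 192.168.1.58,
#   SSH to the firewall on port 22 from the inside only.

write_ruleset() {
    out=$1
    cat > "$out" <<'EOF'
# --- NAT table: address rewriting (PREROUTING = DNAT, POSTROUTING = SNAT) ---
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the internal web server: web traffic arriving on eth0 gets its
# destination rewritten before routing.
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.1.58
# Hide the internal network behind the outside address (SNAT variant that
# follows a dynamic address).
-A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
COMMIT

# --- FILTER table: what is allowed in, through and out ---
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Log (rate-limited) and then drop; LOG alone never stops a packet.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
-A LOGDROP -j DROP
# Traffic to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
# SSH: accept new connections at a bounded rate. Anything above the rate is
# not matched here and hits the DROP policy, which is what the post's
# limit-then-ACCEPT rule was missing.
-A INPUT -i eth1 -p tcp --dport 22 --syn -m conntrack --ctstate NEW -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -j LOGDROP
# Traffic forwarded through the firewall. DNAT has already rewritten the
# destination, so FORWARD sees 192.168.1.58.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -d 192.168.1.58 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Usage, as root, after reviewing the generated file:
#   sh this_script.sh write /etc/sysconfig/iptables.new
#   sysctl -w net.ipv4.ip_forward=1
#   iptables-restore < /etc/sysconfig/iptables.new
if [ "${1:-}" = "write" ]; then
    write_ruleset "${2:-/etc/sysconfig/iptables.new}"
fi
```

Two design points: the user-defined LOGDROP chain keeps the rate-limited LOG and the DROP together so that every chain ends with the same documented action, and the FORWARD rules match the post-DNAT destination address, which is the order the packet-flow description above implies (PREROUTING runs before the routing decision and therefore before FORWARD).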

On Red Hat-style systems (RHEL, CentOS, Fedora) iptables stores its configuration in /etc/sysconfig/iptables; each time the system boots, the iptables service uses the iptables-restore command to read the rules from this file and activate them. (Debian-based systems keep the same format in /etc/iptables/rules.v4 via the iptables-persistent package.) To view the current iptables configuration you can use the command
cat /etc/sysconfig/iptables or iptables-save
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
This is the stock Red Hat ruleset: both INPUT and FORWARD jump to the user-defined chain RH-Firewall-1-INPUT, which accepts loopback traffic, all ICMP (type 255 means any type), IPsec ESP and AH, packets of existing connections and new SSH connections, and rejects everything else with icmp-host-prohibited. The numbers in brackets are the [packets:bytes] counters of each chain's policy.

To edit your iptables configuration you should not edit /etc/sysconfig/iptables directly; instead, dump the current configuration to a temporary file, as follows:
iptables-save > firewall-config
cat firewall-config    (prints the same listing as above)

Edit the firewall-config file as you like (add, delete or edit rules),
then load it with iptables-restore and check that the command reports no errors and that the system still works properly:
iptables-restore < firewall-config

If the system works well, you can make the configuration permanent with the command
service iptables save
which writes the active rules back to /etc/sysconfig/iptables.
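The save, edit and restore workflow above has one well-known failure mode: a typo or an over-strict rule in the edited file locks you out of a remote machine the moment iptables-restore loads it. As an added example (not from the original post), the following script wraps that workflow. It runs a few text-level sanity checks on the file, asks iptables-restore to parse it without committing (the --test option), keeps a backup of the running rules with iptables-save, and arms a timer that restores the backup unless you confirm within a grace period. Assumptions that are not in the post: the administrator reaches the box over SSH on port 22 (the lockout check looks for an ACCEPT of that port whenever the INPUT policy is DROP), and the iptables-restore --test option is available (it is in iptables 1.4 and later).

```shell
#!/bin/sh
# Added example: check an edited iptables-save file and load it with an
# automatic rollback. ADMIN_PORT is an assumption (SSH on port 22).
ADMIN_PORT=22

# Pure-text sanity checks on a ruleset file; returns 1 on the first problem.
ruleset_lint() {
    f=$1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -eq 0 ]; then
        echo "lint: no *table header found in $f" >&2
        return 1
    fi
    if [ "$tables" -ne "$commits" ]; then
        echo "lint: $tables table headers but $commits COMMIT lines" >&2
        return 1
    fi
    # Every -A must append to a chain declared with a ':' line in the file
    # (built-in or user-defined); iptables-restore would reject it otherwise.
    for chain in $(grep '^-A ' "$f" | awk '{print $2}' | sort -u); do
        if ! grep -q "^:$chain " "$f"; then
            echo "lint: rule appends to undeclared chain $chain" >&2
            return 1
        fi
    done
    # Lockout guard: INPUT policy DROP without an ACCEPT for the admin port
    # (matches --dport 22 as well as a multiport list containing 22).
    if grep -q '^:INPUT DROP' "$f" && \
       ! grep -Eq "^-A INPUT .*--dport(s)? (.*,)?$ADMIN_PORT(,.*)? .*-j ACCEPT" "$f"; then
        echo "lint: INPUT policy is DROP but nothing accepts port $ADMIN_PORT" >&2
        return 1
    fi
    return 0
}

# Load NEWFILE with a rollback timer. If the new rules cut your session,
# the previous rules are restored after GRACE seconds (default 60).
safe_apply() {
    newfile=$1
    grace=${2:-60}
    ruleset_lint "$newfile" || return 1
    # Parse and build the ruleset without committing it to the kernel.
    iptables-restore --test < "$newfile" || {
        echo "iptables-restore rejected $newfile" >&2
        return 1
    }
    backup=$(mktemp)
    iptables-save > "$backup"
    # Rollback timer in the background; killing it confirms the new rules.
    ( sleep "$grace"; iptables-restore < "$backup"; echo "rolled back to $backup" >&2 ) &
    timer=$!
    iptables-restore < "$newfile"
    echo "New rules loaded. Run 'kill $timer' within ${grace}s to keep them," >&2
    echo "then 'service iptables save' to make them permanent." >&2
}

# Usage, as root:  sh this_script.sh apply firewall-config [grace-seconds]
if [ "${1:-}" = "apply" ]; then
    safe_apply "$2" "${3:-60}"
fi
```

The lint is deliberately conservative: it only knows the iptables-save text format and the one port you administer from, and it refuses rather than guesses. The real syntax check is iptables-restore --test; the timer is what saves you when the file is syntactically perfect and semantically wrong.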