Thursday, 24 March 2016

Getting started with iptables

We will use the following iptables arguments:
-A        append a rule to the end of a chain (a chain is a list of rules which can match a set of packets)
-P        apply a default policy to a chain (DROP, ACCEPT, QUEUE or RETURN targets)
-t        specify a packet matching table (filter is the default table, which contains the INPUT, FORWARD and OUTPUT packet chains). You can skip this option.
-p        protocol of the packets to match (tcp, udp, icmp)
-i / -o   input and output interface (lo for the local loopback)
-j        apply a target (ACCEPT, DROP, QUEUE or RETURN)
--dport   destination port (http: 80, ftp: 21, ...)
If you are running a web server, then you may want to add rules to deny all traffic and to accept communications only on ports commonly used by your web server such as http, dns, mail (smtp, pop, imap), ping (icmp), ssh and NTP (network time protocol).
#Reset all rules (-F) and delete user-defined chains (-X), necessary if you have already defined iptables rules
iptables -t filter -F 
iptables -t filter -X 
#Start by blocking all traffic by default, then allow only what is needed with fine grained rules
iptables -t filter -P INPUT DROP 
iptables -t filter -P FORWARD DROP 
iptables -t filter -P OUTPUT DROP 
#Keep established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
#Allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT 
iptables -t filter -A OUTPUT -o lo -j ACCEPT 
#HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
#FTP 
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
#SMTP 
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
#POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
#IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT 
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT 
#ICMP
iptables -t filter -A INPUT -p icmp -j ACCEPT 
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
#SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
#DNS
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
#NTP
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
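The same ruleset, generated from a small service table so the port list can be reviewed in one place and the commands can be printed and checked without root. This is an added example, not code from the original post; the `build_rules`, `dryrun` and `audit_rules` functions, the `SERVICES` table and the `apply` argument are all constructed here. Because the default policies are switched to DROP before the RELATED,ESTABLISHED rule exists, the commands belong in a script run as a whole rather than typed one by one over an SSH session, and the audit below checks exactly that ordering before anything is applied.

```sh
#!/bin/sh
# Added example (not from the original post): builds the post's ruleset from a
# service table. Assumes a Linux host with the iptables command for "apply";
# everything else runs without root.
set -eu

# Services the post opens, as "name proto ports" (constructed table, same
# ports as above). Port ranges use the iptables low:high syntax.
SERVICES='
http tcp 80
ftp  tcp 20:21
smtp tcp 25
pop3 tcp 110
imap tcp 143
ssh  tcp 22
dns  tcp 53
dns  udp 53
'

# Prints a command line instead of executing it (used for the dry run).
dryrun() { printf '%s\n' "$*"; }

# Emits the full ruleset in the post's order: flush, default DROP, conntrack
# exceptions, loopback, then one INPUT/OUTPUT pair per service.
# $1 is the command to run for each rule: "dryrun" or "iptables".
build_rules() {
    ipt=$1
    $ipt -t filter -F
    $ipt -t filter -X
    $ipt -t filter -P INPUT DROP
    $ipt -t filter -P FORWARD DROP
    $ipt -t filter -P OUTPUT DROP
    $ipt -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -t filter -A INPUT -i lo -j ACCEPT
    $ipt -t filter -A OUTPUT -o lo -j ACCEPT
    printf '%s\n' "$SERVICES" | while read -r name proto ports; do
        [ -n "$name" ] || continue
        $ipt -t filter -A INPUT -p "$proto" --dport "$ports" -j ACCEPT
        $ipt -t filter -A OUTPUT -p "$proto" --dport "$ports" -j ACCEPT
    done
    $ipt -t filter -A INPUT -p icmp -j ACCEPT
    $ipt -t filter -A OUTPUT -p icmp -j ACCEPT
    # NTP: the post opens only the outbound side; replies come back via ESTABLISHED.
    $ipt -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
}

# Sanity checks on a ruleset given as iptables argument lines on stdin.
# Returns 0 when: every filter chain gets a DROP policy, and each of INPUT and
# OUTPUT has its RELATED,ESTABLISHED rule placed before any --dport rule.
audit_rules() {
    rules=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q -- "-P $chain DROP" || {
            echo "audit: $chain has no DROP policy" >&2; return 1; }
    done
    for chain in INPUT OUTPUT; do
        est=$(printf '%s\n' "$rules" |
              grep -n -- "-A $chain -m state --state RELATED,ESTABLISHED" |
              head -1 | cut -d: -f1)
        first_port=$(printf '%s\n' "$rules" |
              grep -n -- "-A $chain .*--dport" | head -1 | cut -d: -f1)
        [ -n "$est" ] || { echo "audit: $chain lacks a stateful rule" >&2; return 1; }
        [ -z "$first_port" ] || [ "$est" -lt "$first_port" ] || {
            echo "audit: $chain stateful rule comes after port rules" >&2; return 1; }
    done
    return 0
}

# Stand-alone use: print and audit the ruleset; "apply" also installs it (root).
if [ "${1:-}" = apply ]; then
    build_rules dryrun | audit_rules && build_rules iptables
else
    build_rules dryrun | audit_rules
fi
```

Running `sh fw.sh` prints the 28 argument lines and exits non-zero if the audit fails; `sh fw.sh apply` installs the rules only after that check passes. Note that an OUTPUT rule with `--dport` lets the host initiate client connections to that port (for example outbound HTTP from a package manager); the inbound server side is the matching INPUT rule.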
See the iptables manual page for more information (man iptables), or read the iptables documentation on the centos.org wiki:
https://wiki.centos.org/HowTos/Network/IPTables