That little knowledge of iptables

2011-05-24  Source: original to this site  Category: OS  Views: 81

Anyone who runs a server has to learn to work with the server firewall.

Whether a Linux server is secure depends mainly on how well iptables is configured, I think.

So, on to the topic: configuring iptables. (The environment is CentOS 5.5.)

To use iptables you need to understand a few basic concepts: TARGETS, CHAINS (built-in and user-defined) and TABLES.

1. TABLE

The iptables man page describes it as follows:

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

A table holds a number of built-in and user-defined chains. iptables has several different tables: filter, nat, mangle and raw.

2. CHAINS

The iptables man page describes it as follows:

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches.

This is called a 'target', which may be a jump to a user-defined chain in the same table.

A chain contains rules. Each rule matches packets and specifies what is to be done with a packet that matches; that action is called the target. When a rule matches, the packet is handed to its target.

3. TARGETS

The man page describes them as follows:

A firewall rule specifies criteria for a packet, and a target. (This part can be glossed over.)

If the packet does not match, the next rule in the chain is then examined;

if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN. (Read this sentence carefully.)

If the match succeeds, what happens to the packet next is decided by the target. What can the target be? It can be a user-defined chain, or one of ACCEPT, DROP, QUEUE and RETURN.

So what do these four words actually mean?

ACCEPT means to let the packet through.

DROP means to drop the packet on the floor.

QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) (Ignore this for now!!!)

RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

The other three need no further explanation.

With the basic concepts clear, let's write the script:

#!/bin/bash
#
# iptables example configuration script
#
#
# If connecting remotely we must first temporarily set the default policy on the INPUT chain to ACCEPT
# otherwise once we flush the current rules we will be locked out of our server.
#
iptables -P INPUT ACCEPT
#
# Flush all current rules from iptables, and delete the user-defined chains,
# so that the LOGNDROP chain below can be re-created when the script is run again
#
iptables -F
iptables -X
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# Allow HTTP (httpd) on tcp port 80
#
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Create a new CHAIN called LOGNDROP
#
iptables -N LOGNDROP
#
# the standard DROP at the bottom of the INPUT chain is replaced with a jump to LOGNDROP
#
iptables -A INPUT -j LOGNDROP
#
#
# add protocol descriptions so it makes sense looking at the log
#
iptables -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "Denied TCP: " --log-level 4
iptables -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "Denied UDP: " --log-level 4
iptables -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "Denied ICMP: " --log-level 4

#
# drop the traffic at the end of the LOGNDROP chain.
#
iptables -A LOGNDROP -j DROP

# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v

The comments should be detailed enough. Note that the script above defines a LOGNDROP chain and adds three logging rules to it.
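As an added example (not from the original post), here is a small Python model of the traversal rules quoted from the man page above: ACCEPT and DROP end traversal, LOG does not, a jump to a user-defined chain resumes at the next rule when that chain falls through, RETURN hands the packet back to the calling chain, and a built-in chain's policy decides when nothing else did. The rule set and the packet fields (proto, dport, iface, state) are constructed to mirror the INPUT and LOGNDROP chains of the script.

```python
TERMINAL = {"ACCEPT", "DROP"}                       # verdicts that end traversal

def matches(rule, pkt):
    """Every field named in the rule's match must equal the packet's field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def walk(chains, name, pkt, log):
    """Walk chain `name`: return ACCEPT/DROP, or None when the chain falls through."""
    for rule in chains[name]["rules"]:
        if not matches(rule, pkt):
            continue                                # no match: examine the next rule
        target = rule["target"]
        if target in TERMINAL:
            return target                           # the packet's fate is decided
        if target == "LOG":
            log.append(rule["prefix"] + repr(pkt))
            continue                                # LOG is non-terminating: keep going
        if target == "RETURN":
            return None                             # back to the calling chain (or policy)
        sub = walk(chains, target, pkt, log)        # jump to a user-defined chain
        if sub is not None:
            return sub                              # user chain fell through: resume at next rule

def verdict(chains, builtin, pkt, log=None):
    """For a built-in chain, a fall-through or RETURN means the chain policy decides."""
    v = walk(chains, builtin, pkt, [] if log is None else log)
    return v if v is not None else chains[builtin]["policy"]

# Constructed rule set mirroring the INPUT and LOGNDROP chains of the script above.
CHAINS = {
    "INPUT": {"policy": "DROP", "rules": [
        {"match": {"proto": "tcp", "dport": 22}, "target": "ACCEPT"},
        {"match": {"proto": "tcp", "dport": 80}, "target": "ACCEPT"},
        {"match": {"iface": "lo"}, "target": "ACCEPT"},
        {"match": {"state": "ESTABLISHED"}, "target": "ACCEPT"},
        {"match": {}, "target": "LOGNDROP"},            # everything else: log, then drop
    ]},
    "LOGNDROP": {"policy": None, "rules": [
        {"match": {"proto": "tcp"}, "target": "LOG", "prefix": "Denied TCP: "},
        {"match": {"proto": "udp"}, "target": "LOG", "prefix": "Denied UDP: "},
        {"match": {"proto": "icmp"}, "target": "LOG", "prefix": "Denied ICMP: "},
        {"match": {}, "target": "DROP"},
    ]},
}

if __name__ == "__main__":
    trace = []
    print(verdict(CHAINS, "INPUT", {"proto": "tcp", "dport": 23, "iface": "eth0"}, trace), trace)
```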

In addition, the syslog.conf configuration file has to be changed:

#
# config syslog
#

iptableslog=`awk '{print $2}' /etc/syslog.conf | grep iptables.log`

# the spaces around = matter: "$a"="$b" is a single non-empty string and is always true
if [ "$iptableslog" = "/var/log/iptables.log" ]; then
        echo "setup for iptables log already exists"
else
        # append with >>; a single > would overwrite the whole of syslog.conf
        echo "# Save Denied messages  to  iptables.log" >> /etc/syslog.conf
        echo "kern.warning                                            /var/log/iptables.log" >> /etc/syslog.conf
        # syslogd only reads its configuration at start-up
        /sbin/service syslog restart
fi

Then tail -f /var/log/iptables.log shows the denied packets, and you can see the source IP of each one.
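Reading the log by eye works for a handful of lines; as an added example (not from the original post), this Python snippet parses the "Denied TCP/UDP/ICMP:" lines that the LOGNDROP chain writes to /var/log/iptables.log and counts denied packets per source IP and destination port. The sample lines are constructed in the KEY=VALUE format the kernel LOG target emits, with addresses from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# "kernel: Denied TCP: IN=eth0 OUT= ... SRC=... PROTO=TCP ... DPT=23 ..."
PREFIX_RE = re.compile(r"kernel: (Denied (?:TCP|UDP|ICMP)): (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (prefix, fields) for one LOGNDROP line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    return prefix, dict(FIELD_RE.findall(rest))   # bare flags such as DF or SYN are skipped

def summarise(lines):
    """Count denied packets by (SRC, PROTO, DPT); ICMP has no port, so 'n/a' is used."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                # e.g. sshd lines in a shared log
        _, f = parsed
        counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT", "n/a"))] += 1
    return counts

# Constructed sample lines (not real traffic) in the format syslog records for the LOG target.
SAMPLE = """\
May 24 10:15:32 web1 kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 10:15:33 web1 kernel: Denied TCP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=44322 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 10:15:35 web1 kernel: Denied UDP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
May 24 10:15:36 web1 kernel: Denied ICMP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
May 24 10:15:40 web1 sshd[2231]: Accepted publickey for admin from 192.0.2.20 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    for (src, proto, dpt), n in summarise(SAMPLE).most_common():
        print(f"{n:5d}  {src:15s} {proto:5s} dpt={dpt}")
```

On a real host, replace SAMPLE with the lines of /var/log/iptables.log.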

These are just small bits of iptables knowledge; there is much more about iptables still to learn.
