Last update: 2023-12-29, edited by 888u
Configuring an iptables firewall is hard for newcomers, and in many cases the rules are simply left at their defaults, hehe! Knowing the basic operations and the commonly used commands is a good start; becoming truly proficient takes a lot of time and continuous practice. This page collects some very practical iptables basics.
1. Install the iptables firewall
If iptables is not installed, install it first.
On CentOS:
yum install iptables
On Debian/Ubuntu:
apt-get install iptables
2. Basic iptables operations
Start iptables: service iptables start
Stop iptables: service iptables stop
Restart iptables: service iptables restart
View iptables status: service iptables status
Save the current rules: service iptables save
(On CentOS 7 and later these service commands require the iptables-services package, and systemctl start/stop/status iptables works as well; on Debian/Ubuntu there is no "service iptables save", so persist rules with iptables-save, for example through the iptables-persistent package.)
Iptables service configuration file: /etc/sysconfig/iptables-config
Iptables rule file (where saved rules are stored): /etc/sysconfig/iptables
Enable IP forwarding (only needed if this host routes traffic for other machines): echo 1 > /proc/sys/net/ipv4/ip_forward
3. Common iptables commands
a) Delete all existing iptables rules
iptables -F
iptables -X
iptables -Z
(-F flushes the rules in every chain, -X deletes user-defined chains, -Z resets the packet and byte counters. The default policies are not changed by any of these.)
b) View iptables rules
iptables -L (or iptables -L -v -n to also show packet counters and numeric addresses and ports)
c) Append a rule at the end of a chain
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
d) Insert a rule at a specified position (here, position 2 in the INPUT chain)
iptables -I INPUT 2 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
e) Delete a rule (here, rule 2 in the INPUT chain)
iptables -D INPUT 2
f) Replace a rule (here, rule 3 in the INPUT chain)
iptables -R INPUT 3 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
g) Set the default policy (here, drop every incoming packet that no INPUT rule accepts)
iptables -P INPUT DROP
h) Allow remote hosts to open SSH connections to this host
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
i) Allow this host to open SSH connections to remote hosts
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
j) Allow incoming HTTP requests
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
k) Rate-limit ping (ICMP echo requests) to the host 192.168.xxx.x: an average of 2 packets per second, with a burst of at most 3 packets
iptables -A INPUT -i eth0 -d 192.168.xxx.x -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT
l) Rate-limit new SSH connections (assumes the INPUT default policy is DROP, so connections beyond the limit are dropped; the ESTABLISHED rule is inserted first so the limit applies only to new connections)
iptables -I INPUT 1 -p tcp --dport 22 -d 192.168.xxx.x -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -d 192.168.xxx.x -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT
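The following shell script is an added example and is not part of the original page: it strings the section-3 commands above into one host baseline applied in an order that cannot lock out a remote administrator (INPUT policy reset to ACCEPT before the flush, loopback and ESTABLISHED traffic accepted before the rate-limited SSH rule, the DROP policy set last). The interface name eth0 and the limits are the page's; the IPT and IFACE variables and the function names are this example's own, and setting IPT=echo prints the commands instead of running them, so the ordering can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original page): apply the section-3 rules as one
# ordered baseline. IPT defaults to iptables; IPT=echo gives a dry run.
# IFACE and the limits below are assumptions carried over from the page's eth0 rules.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"

# Print the rules one per line, in the order they must be applied:
#  1. INPUT policy back to ACCEPT before flushing, so that flushing a host whose
#     policy is already DROP does not cut the administrator's SSH session;
#  2. loopback and ESTABLISHED,RELATED first, so the SSH limit (item l) only
#     applies to new connections and replies to our own traffic always pass;
#  3. the DROP policy last, after every accept rule is in place.
baseline_rules() {
    cat <<EOF
-P INPUT ACCEPT
-F
-X
-Z
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW -m limit --limit 2/minute --limit-burst 2 -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -p icmp --icmp-type 8 -m limit --limit 2/second --limit-burst 3 -j ACCEPT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
EOF
}

# Apply (or, with IPT=echo, print) each rule; stop at the first failure so a
# rejected rule never leaves the chain half-built.
apply_baseline() {
    baseline_rules | while IFS= read -r rule; do
        # $rule is deliberately unquoted so it splits into iptables arguments.
        "$IPT" $rule || exit 1
    done
}

# Number of rules in the baseline, handy for a quick sanity check after applying.
baseline_count() {
    baseline_rules | wc -l | tr -d ' '
}

apply_baseline
```

Run it as root to apply, or as `IPT=echo sh baseline.sh` to see the exact command sequence; afterwards `iptables -L -v -n` (item b) should show the loopback and ESTABLISHED rules at the top and `service iptables save` (section 2) makes the result persistent.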
4. Using iptables against common attacks
Mitigating SYN flood attacks
Approach 1: rate-limit incoming SYN packets (the rate must be tuned to your real traffic, otherwise legitimate users' requests are dropped too)
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
Approach 2: limit the number of concurrent connections a single IP may open (a new SYN from an IP that already has more than 15 connections is dropped)
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
Mitigating DoS attacks
Limit concurrent SSH sessions with the connlimit module, and throttle repeated connection attempts with the recent module
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
A single IP may have at most 3 SSH sessions open at once.
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
Every new connection request adds the source IP to the SSH list.
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
An IP that makes three attempts within 5 minutes is refused further SSH access; access is restored after the 5-minute restriction. (Because each of these rules is inserted with -I, the final chain order is the reverse of the order shown here: the --update/DROP check is evaluated before the --set rule.)
Limiting concurrent HTTP connections from a single IP (more than 30 are dropped)
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j DROP
Blocking reverse-connecting trojans: drop every new outbound connection (note that this also blocks the host's own outbound connections, such as DNS lookups and package updates, unless earlier OUTPUT rules accept them)
iptables -A OUTPUT -m state --state NEW -j DROP
Rate-limiting ping floods: accept at most one ICMP echo request per minute (the excess is only discarded if the INPUT default policy is DROP or a later rule drops ICMP)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT
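As an added example that is not part of the original page, the section-4 mitigations above can be written as one iptables-restore file and loaded atomically (`flood_ruleset | iptables-restore`) instead of typed rule by rule, which removes the ordering surprises of mixing -A and -I. The script also includes a small check that every -j target is a built-in target or a chain declared in the file, because iptables-restore rejects the whole file when a rule jumps to an undeclared chain. The rates and counts are those given on the page; the function names, the chain layout (loopback and ESTABLISHED traffic accepted first), and the decision to leave out the outbound-NEW drop rule (it needs per-service exceptions) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the section-4 rules as an
# iptables-restore ruleset, plus a check for undeclared jump targets.
# Apply with:  flood_ruleset | iptables-restore   (as root)

# Emit the complete *filter table. Rule order inside INPUT is deliberate:
# loopback and ESTABLISHED,RELATED first, then the SYN-flood chain, then the
# per-service limits. The recent --update/DROP line precedes --set, matching the
# order the page's -I inserts produce (three attempts allowed, the fourth dropped).
flood_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP
-A INPUT -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
-A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j DROP
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and return 1 (naming the offender on stderr) if any
# "-j TARGET" refers to a chain that is neither a built-in target nor declared
# with a ":NAME" line. Catches the classic "forgot iptables -N syn-flood" mistake
# before iptables-restore does, so the old ruleset is never left half-replaced.
check_chain_targets() {
    ruleset=$(cat)
    declared=$(printf '%s\n' "$ruleset" | sed -n 's/^:\([^ ]*\).*/\1/p' | tr '\n' ' ')
    status=0
    for target in $(printf '%s\n' "$ruleset" | sed -n 's/.* -j \([^ ]*\).*/\1/p'); do
        case " ACCEPT DROP RETURN REJECT LOG $declared" in
            *" $target "*) ;;
            *) echo "undeclared chain: $target" >&2; status=1 ;;
        esac
    done
    return $status
}

# Validate, then print the ruleset so it can be piped into iptables-restore.
flood_ruleset | check_chain_targets && flood_ruleset
```

Because `-m recent --set` on its own line has no -j target, that rule only records the source address and lets evaluation continue, which is why the explicit ACCEPT for port 22 follows it; with the INPUT policy set to DROP in the header, anything not accepted (including ping beyond the limit) is discarded without a separate DROP rule.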