16 tips for system administrators to use iptables

iptables It is a powerful configuration tool to control the flow in and out of the system .

modern Linux The kernel comes with a program called Netfilter Packet filtering framework for .Netfilter Offers permission to 、 Discard and modify operations to control the flow of data packets in and out of the system . be based on Netfilter User level command line tools of the framework iptables It provides powerful firewall configuration function , Allows you to add rules to build firewall policies .iptables The rich and complex functions and its Baroque imperative grammar may be difficult to control . Let's discuss some of these functions , Provide some skills that system administrators need to solve some problems .

Avoid blocking yourself

Application scenarios ： Suppose you will be interested in the company The server Modify the firewall rules on , You need to avoid blocking the situation of yourself and other colleagues （ This will bring a certain loss of time and money , Maybe once it happens, a department will call you immediately ）

skill #1: Back up before you start iptables The configuration file .

Back up the configuration file with the following command ：

1. /sbin/iptables-save >/root/iptables-works

skill #2: A more appropriate approach , Time stamp the file .

Timestamp with the following command ：

1. /sbin/iptables-save >/root/iptables-works-`date +%F`

Then you can generate a file with the following name ：

1. /root/iptables-works-2018-09-11

In case the system doesn't work , You can also quickly use the backup file to restore the original ：

1. /sbin/iptables-restore </root/iptables-works-2018-09-11

skill #3: Each creation iptables When configuring a copy of a file , Create a link to the latest file .

1. ln–s /root/iptables-works-`date +%F`/root/iptables-works-latest

skill #4: Put specific rules at the top of the policy , General rules for placing at the bottom .

Avoid using the following general rules at the top of the policy ：

1. iptables -A INPUT -p tcp --dport 22-j DROP

The more conditions you specify in the rule , The less likely you are to block yourself . Don't use the very general rules above , Instead, use the following rules ：

1. iptables -A INPUT -p tcp --dport 22–s 10.0.0.0/8–d 192.168.100.101-j DROP

This rule is expressed in INPUT A new rule is added at the end of the chain , Set the source address to 10.0.0.0/8、 The destination address is 192.168.100.101、 The destination port number is 22 （--dport 22 ） Of TCP（-p tcp ） All packets are discarded .

There are many ways to set more specific rules . for example , Use -i eth0 This rule will be limited to eth0 network card , Yes eth1 The network card does not work .

skill #5: Put your IP Put on the white list .

This is an effective way to avoid blocking your own settings ：

1. iptables -I INPUT -s <your IP>-j ACCEPT

You need to add this rule to the first position of the policy .-I Indicates that the policy header inserts rules ,-A Means to append rules at the end of the policy .

skill #6: Understand all the rules in the existing strategy .

Half the success is achieved without making mistakes . If you know iptables The working principle behind the strategy , It is more handy to use . If necessary , You can draw a flow chart to clarify the direction of the packet . And remember ： The expected effect and actual effect of the strategy may be completely different .

Set firewall policy

Application scenarios ： You want to configure the workstation with a firewall with restrictive policies .

skill #1: Set the default rule to discard

1. #Set a default policy of DROP
2. *filter
3. :INPUT DROP [0:0]
4. :FORWARD DROP [0:0]
5. :OUTPUT DROP [0:0]

skill #2: Set the minimum number of services required by the user to complete the work to allow

This strategy needs to allow the workstation to pass DHCP（-p udp --dport 67:68 -sport 67:68） To get IP Address 、 Subnet mask and other information . For remote operation , Permission required SSH service （-dport 22）, The mail service （--dport 25）,DNS service （--dport 53）,ping function （-p icmp）,NTP service （--dport 123 --sport 123） as well as HTTP service （-dport 80） and HTTPS service （--dport 443）.

1. #Set a default policy of DROP
2. *filter
3. :INPUT DROP [0:0]
4. :FORWARD DROP [0:0]
5. :OUTPUT DROP [0:0]
6. #Accept any related or established connections
7. -I INPUT  1-m state --state RELATED,ESTABLISHED -j ACCEPT
8. -I OUTPUT 1-m state --state RELATED,ESTABLISHED -j ACCEPT
9. #Allow all traffic on the loopback interface
10. -A INPUT -i lo -j ACCEPT
11. -A OUTPUT -o lo -j ACCEPT
12. #Allow outbound DHCP request
13. -A OUTPUT –o eth0 -p udp --dport 67:68--sport 67:68-j ACCEPT
14. #Allow inbound SSH
15. -A INPUT -i eth0 -p tcp -m tcp --dport 22-m state --state NEW  -j ACCEPT
16. #Allow outbound email
17. -A OUTPUT -i eth0 -p tcp -m tcp --dport 25-m state --state NEW  -j ACCEPT
18. #Outbound DNS lookups
19. -A OUTPUT -o eth0 -p udp -m udp --dport 53-j ACCEPT
20. #Outbound PING requests
21. -A OUTPUT –o eth0 -p icmp -j ACCEPT
22. #OutboundNetworkTimeProtocol(NTP) requests
23. -A OUTPUT –o eth0 -p udp --dport 123--sport 123-j ACCEPT
24. #Outbound HTTP
25. -A OUTPUT -o eth0 -p tcp -m tcp --dport 80-m state --state NEW -j ACCEPT
26. -A OUTPUT -o eth0 -p tcp -m tcp --dport 443-m state --state NEW -j ACCEPT
27. COMMIT

Limit IP Address range

Application scenarios ： Your company's CEO Think employees are Facebook Spend too much time on , Some restrictive measures need to be taken .CEO The order is given to CIO,CIO command CISO, The final task is for you . You decide to stop everything until Facebook Access connection . First you use host perhaps whois Command to get Facebook Of IP Address .

1. host -t a www.facebook.com
2. www.facebook.com is an aliasfor star.c10r.facebook.com.
3. star.c10r.facebook.com has address 31.13.65.17
4. whois 31.13.65.17|grep inetnum
5. inetnum:31.13.64.0-31.13.127.255

And then use CIDR To IPv4 transformation Page to convert it into CIDR notation . And then you get 31.13.64.0/18 The address of . Enter the following command to block Facebook The interview of ：

1. iptables -A OUTPUT -p tcp -i eth0 –o eth1 –d 31.13.64.0/18-j DROP

Set time limits - scene 1

Application scenarios ： The employees of the company are strongly opposed to restricting everything to Facebook The interview of , This led to the CEO Relaxed requirements （ Considering the opposition of the staff and his assistant's reminder that she is responsible for updating his Facebook page ）. then CEO Decided to allow access during lunch time Facebook（ At noon, 12 Point to the afternoon 1 Between points ）. Suppose the default rule is discard , Use iptables The time function of can be realized .

1. iptables –A OUTPUT -p tcp -m multiport --dport http,https -i eth0 -o eth1 -m time--timestart 12:00–timestop 13:00–d 31.13.64.0/18-j ACCEPT

The command specifies at noon 12 spot （--timestart 12:00） In the afternoon 1 spot （--timestop 13:00） Allow between （-j ACCEPT） To Facebook.com （-d [31.13.64.0/18][5]） Of http as well as https （-m multiport --dport http,https） The interview of .

Set time limits - scene 2

Application scenarios ： During planned system maintenance , You need to set the morning 2 Point to 3 Reject all... Between points TCP and UDP visit , In this way, the maintenance task will not be disturbed . Use two iptables Rules can be implemented ：

1. iptables -A INPUT -p tcp -m time--timestart 02:00--timestop 03:00-j DROP
2. iptables -A INPUT -p udp -m time--timestart 02:00--timestop 03:00-j DROP

This rule prohibits （-j DROP） In the morning 2 spot （--timestart 02:00） Into the morning 3 spot （--timestop 03:00） Between TCP and UDP （-p tcp and -p udp） Data access to （-A INPUT） visit .

Limit the number of connections

Application scenarios ： Yours web The server It is possible to receive from all over the world DoS attack , To avoid these attacks , You can limit a single IP Address to your web The number of connections created by the server ：

1. iptables –A INPUT –p tcp –syn -m multiport -–dport http,https –m connlimit -–connlimit-above 20–j REJECT -–reject-with-tcp-reset

Analyze the command above . If a single host is newly established within one minute （-p tcp -syn） exceed 20 individual （-connlimit-above 20） To your web The server （--dport http,https） The connection of , The server will reject （-j REJECT） Establish a new connection , Then notify the other party that the new connection is rejected （--reject-with-tcp-reset）.

monitor iptables The rules

Application scenarios ： Because the packet will traverse the rules in the chain ,iptables follow “ The first match wins ” Principles , Therefore, rules that often match should be close to the top of the strategy , Rules that don't match too often should be close to the bottom . How do you know which rules are used most or least , It can be monitored near the top or bottom ？

skill #1: View how many times the rule has been accessed

Use command ：

1. iptables -L -v -n –line-numbers

use -L Option lists all rules in the chain . Because no specific chain is specified , All chain rules will be output , Use -v Options display details ,-n Option displays data packets and byte counters in digital format , The value at the beginning of each rule indicates the position of the rule in the chain .

According to the result of packet and byte count , You can put the most frequently visited rules on the top , Put the rule with the lowest access frequency at the bottom .

skill #2: Delete unnecessary rules

Which rule has never been visited ？ These can be removed . Use the following command to view ：

1. iptables -nvL |grep-v "0     0"

Be careful ： Two figures 0 Not between Tab key , It is 5 A space .

skill #3: Monitor what is happening

Maybe you also want to use top Command to monitor in real time iptables The situation of . Use the following command to dynamically monitor iptables Activities in , And show only the rules that are traversing ：

1. watch--interval=5'iptables -nvL | grep -v "0     0"'

watch The command passes parameters iptables -nvL | grep -v “0 0“ every other 5 A second output iptables The dynamics of the . This command allows you to view changes in packet and byte counts .

Output log

Application scenarios ： The manager thinks that your work quality as a firewall employee is extremely high , But it's best to have a network traffic activity log . Sometimes this is more effective than writing a report about work .

Using tools FWLogwatch be based on iptables Firewall records to generate log reports .FWLogwatch The tool supports many forms of reports and also provides many analysis functions . The logs and monthly reports it generates allow administrators to save a lot of time and better manage the network , Even reduce unnoticed potential attacks .

Here is a FWLogwatch Example report generated ：

Don't be satisfied with the rules of allowing and discarding

This article has covered iptables Many aspects of , Avoid blocking yourself 、 To configure iptables Firewall and monitoring iptables The activities in iptables. You can start exploring here iptables Even get more tips .

via: https://opensource.com/article/18/10/iptables-tips-and-tricks

author ：Gary Smith Topic selection ：lujun9972 translator ：jrg proofreading ：wxy

This paper is written by LCTT Original compilation ,Linux China Honor roll out