Backup First (export)
Before you do any vital operation, back up the file. The iptables configuration file on CentOS is located at /etc/sysconfig/iptables.
Remember to keep the SSH port open: if we make a mistake in the configuration, we may block ourselves out of the VPS. If we are locked out, we need console access.
The iptables-save command writes the current iptables rules to stdout (standard out). This gives us an easy way to export the firewall rules to a file by redirecting stdout to a file; iptables-restore reads the same format back from stdin and replaces the running rules with it. Both need root.
export rules
iptables-save > /tmp/iptables-export
import rules
iptables-restore < /tmp/iptables-export
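The following script is an added example, not code from the original page. It uses only the two commands above to apply a new rule set with a safety net: the running rules are exported first, the new file is restored, and unless the operator confirms within a timeout the export is restored again. If the new rules cut off your SSH session you cannot confirm, so the host reverts by itself instead of needing console access. The backup path, the timeout, the command variables (which let the script be dry-run without root) and the function names are assumptions.

```shell
#!/bin/bash
# safe_apply.sh: load a new rule set with an automatic rollback timer.
# Added example, not code from the original page. The backup path, the
# timeout and the IPTABLES_* command variables are assumptions; the
# variables exist so the logic can be exercised with stand-ins.

ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
BACKUP="${BACKUP:-/tmp/iptables-export}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# confirm_by_enter: succeed if the operator presses Enter before the timeout.
confirm_by_enter() {
    printf 'New rules loaded. Press Enter within %ss to keep them: ' "$ROLLBACK_SECS"
    read -r -t "$ROLLBACK_SECS" reply
}

# safe_apply NEWFILE [CONFIRM_CMD]: return 0 if the new rules were kept,
# 1 if iptables-restore rejected the file or the rules were rolled back.
safe_apply() {
    local newfile="$1" confirm="${2:-confirm_by_enter}" timer
    "$IPTABLES_SAVE" > "$BACKUP" || return 1
    if ! "$IPTABLES_RESTORE" < "$newfile"; then
        # iptables-restore parses a whole table before committing it,
        # so a rejected file leaves the running rules as they were.
        echo "$newfile was rejected; running rules unchanged" >&2
        return 1
    fi
    # Rollback timer: restores the export unless it is killed first.
    ( sleep "$ROLLBACK_SECS" && "$IPTABLES_RESTORE" < "$BACKUP" ) &
    timer=$!
    if "$confirm"; then
        kill "$timer" 2>/dev/null
        wait "$timer" 2>/dev/null
        echo "kept; make them permanent with: service iptables save"
        return 0
    fi
    wait "$timer"
    echo "no confirmation: previous rules restored from $BACKUP" >&2
    return 1
}

# Usage: ./safe_apply.sh /tmp/new-rules   (run as root)
if [ "${1:-}" ]; then safe_apply "$1"; fi
```

Confirming only proves the new rules did not kill the session you typed the confirmation in; the file still has to be checked for the other services you expect to reach the host.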
The default iptables rules on CentOS are as follows:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Line-by-line explanation
:INPUT ACCEPT [0:0]
This line sets the default policy of the INPUT chain to ACCEPT; the [0:0] are the packet and byte counters. INPUT, FORWARD and OUTPUT are chains of the filter table, not tables themselves.
:FORWARD ACCEPT [0:0]
The default policy of the FORWARD chain is ACCEPT.
:OUTPUT ACCEPT [0:0]
The default policy of the OUTPUT chain is ACCEPT, so outbound traffic is never filtered by this rule set.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept incoming packets that belong to a connection we already have. ESTABLISHED: the packet belongs to a connection that has seen traffic in both directions, for example the reply to a request we sent. RELATED: the packet starts a new connection that is associated with an existing one, such as an ICMP error about one of our connections or an FTP data connection.
-A INPUT -p icmp -j ACCEPT
Accept all incoming ICMP (every ICMP type, not only ping).
-A INPUT -i lo -j ACCEPT
Accept everything arriving on the lo (loopback) interface.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Accept new TCP connections to port 22 (SSH).
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
These two lines reject every packet in the INPUT and FORWARD chains that matched none of the rules above, and send an ICMP host-prohibited message back to the sender. Since the chain policies are ACCEPT, it is these two REJECT rules, not the policies, that actually close the host; and because they are the last rules, anything appended after them with -A is never reached.
Useful Commands
service iptables start
service iptables restart
service iptables stop
# save rules
service iptables save
# reload the rules saved in /etc/sysconfig/iptables (what service iptables start does; it restores the saved rules, not factory defaults)
iptables-restore < /etc/sysconfig/iptables
# to back the running rules up to another file, use iptables-save as in the Backup section
If the iptables service is stopped, the chains are flushed and no rules are shown. The policies stay ACCEPT, so a stopped firewall lets everything through:
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Caution
If some rules are wrong or not recognized by iptables, the service will not start. For example, with the state match misspelled as stste in /etc/sysconfig/iptables, the error is:
Iptables: Applying firewall rules: iptables-restore v1.4.7: Couldn't load match `stste':/lib64/xtables/libipt_stste.so: cannot open shared object file: No such file or directory
Error occurred at line: 21
Try 'iptables-restore -h' or 'iptables-restore --help' for more information.
The service loads /etc/sysconfig/iptables, so the file itself must be corrected (or overwritten) before iptables will start again. The blunt way is to flush the running rules and run service iptables save, which overwrites the file with the now-empty rule set; iptables then starts, but with no rules at all. This is dangerous: flushing removes the port 22 ACCEPT rule as well, so with a DROP policy you lock yourself out, and with the CentOS default ACCEPT policy every port, not just 22, is open to the world until proper rules are restored.
[root@host2 ~]# iptables -F; iptables -X; iptables -Z
[root@host2 ~]#
[root@host2 ~]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@host2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
A better way is to restore the rules to the defaults. Save the following lines into a file called iptables.default:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
then restore it
# iptables-restore < ./iptables.default
then save the rules so they survive a restart:
[root@h2 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
You need a stable network connection for these operations.
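A rules file can be checked before it is handed to iptables-restore or to service iptables start, which avoids both problems described above (a typo such as stste that stops the service, and a rule set that locks you out). The script below is an added example, not the page's own code: the lint_rules function, the allow-lists of match and target names, and the SSH_PORT variable are assumptions, and only --dport (not --dports) is recognised when looking for the SSH rule.

```shell
#!/bin/bash
# lint_iptables.sh: pre-flight checks for a rules file in iptables-save
# format, run before iptables-restore or "service iptables start".
# Added example, not the page's own code. Without touching the running
# firewall it checks that:
#   1. every "-m" match and "-j" target is spelled correctly (a typo such
#      as "-m stste" makes iptables-restore abort, so the service cannot start);
#   2. the file ends in COMMIT;
#   3. an ACCEPT for TCP port 22 in INPUT comes before the catch-all
#      REJECT/DROP (or the INPUT policy is DROP without such a rule), so
#      restoring the file cannot lock out a remote administrator.
# The allow-lists are an assumption: extend them with the modules you use.

KNOWN_MATCHES="state conntrack tcp udp icmp multiport limit comment recent"
KNOWN_TARGETS="ACCEPT DROP REJECT RETURN LOG"
SSH_PORT="${SSH_PORT:-22}"

in_list() {   # in_list WORD "a b c": succeed if WORD is one of the words
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# lint_rules FILE: print each problem found; return 0 only when there is none.
lint_rules() {
    local file="$1" line lineno=0 rc=0
    local chains="INPUT FORWARD OUTPUT PREROUTING POSTROUTING"
    local committed=0 input_drop=0 catchall=0 ssh_ok=0 chain target dport
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    set -f                                   # no globbing while we split lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*|'*'*) continue ;;        # blank, comment, "*filter"
            :*)                              # ":CHAIN POLICY [pkts:bytes]"
                set -- ${line#:}
                in_list "$1" "$chains" || chains="$chains $1"
                if [ "$1 $2" = "INPUT DROP" ]; then input_drop=1; fi
                continue ;;
            COMMIT) committed=1; continue ;;
            "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*)
                catchall=1; continue ;;      # INPUT rules after this never match
        esac
        set -- $line                         # tokenize (iptables-save emits -A only)
        chain=""; target=""; dport=""
        if [ "$1" = "-A" ]; then chain="$2"; fi
        while [ $# -gt 0 ]; do
            case "$1" in
                -m) shift
                    if ! in_list "$1" "$KNOWN_MATCHES"; then
                        echo "line $lineno: unknown match '$1' (typo?)"; rc=1
                    fi ;;
                -j) shift; target="$1"
                    if ! in_list "$1" "$KNOWN_TARGETS" && ! in_list "$1" "$chains"; then
                        echo "line $lineno: unknown target '$1'"; rc=1
                    fi ;;
                --dport) shift; dport="$1" ;;   # --dports (multiport) not handled
            esac
            if [ $# -gt 0 ]; then shift; fi
        done
        if [ "$chain" = INPUT ] && [ "$target" = ACCEPT ] && [ "$dport" = "$SSH_PORT" ]; then
            if [ "$catchall" = 1 ]; then
                echo "line $lineno: SSH ACCEPT sits after the catch-all INPUT rule and never matches; move it up"
            else
                ssh_ok=1
            fi
        fi
    done < "$file"
    set +f
    if [ "$committed" = 0 ]; then echo "missing COMMIT"; rc=1; fi
    if [ "$ssh_ok" = 0 ] && { [ "$catchall" = 1 ] || [ "$input_drop" = 1 ]; }; then
        echo "no ACCEPT for tcp dport $SSH_PORT reaches INPUT before traffic is refused: this would lock out remote admins"
        rc=1
    fi
    return "$rc"
}

# Usage: ./lint_iptables.sh /etc/sysconfig/iptables  (exit 0 means safe to restore)
if [ "${1:-}" ]; then lint_rules "$1"; fi
```

Run it on the edited file before service iptables restart; on the default rule set above it is silent, on the stste typo it names the line, and on a file whose port 22 rule was dropped or moved below the REJECT it refuses with a lock-out warning.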
Other Rules
The rules below append with -A. On the default CentOS rule set the last INPUT rule is the REJECT, so an ACCEPT appended after it is never reached: insert it above the REJECT with -I INPUT <number> (find the number with iptables -L INPUT --line-numbers), or put the line before the REJECT in /etc/sysconfig/iptables.
Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow DNS query
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
Accept packets belonging to established connections, and related ones (the same rule as in the default set):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
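The script below is an added example, not code from the original page. It computes where the catch-all REJECT currently sits from the output of iptables -S INPUT and inserts the new ACCEPT at that position with -I, so the rule takes effect on a running firewall instead of being appended behind the REJECT. The sample -S output is constructed to match the default rule set above; the catchall_position and allow_tcp_port names are assumptions.

```shell
#!/bin/bash
# insert_rule.sh: add an ACCEPT rule where it actually takes effect.
# Added example, not code from the original page. A rule appended with -A
# lands after "-A INPUT -j REJECT" and is never consulted; inserting at the
# catch-all's own position with -I pushes the catch-all down by one.

# catchall_position: read "iptables -S INPUT" output on stdin and print the
# 1-based rule number of the first unconditional REJECT/DROP in INPUT,
# or 0 if there is none (then appending is fine).
catchall_position() {
    awk '
        /^-A INPUT /                        { n++ }        # -P/-N lines are not rules
        /^-A INPUT -j (REJECT|DROP)( |$)/   { print n; found = 1; exit }
        END                                 { if (!found) print 0 }
    '
}

# allow_tcp_port PORT: open PORT for new TCP connections in the running
# firewall. Needs root; persist afterwards with "service iptables save".
allow_tcp_port() {
    local port="$1" pos
    pos=$(iptables -S INPUT | catchall_position) || return 1
    if [ "$pos" -gt 0 ]; then
        iptables -I INPUT "$pos" -p tcp -m tcp --dport "$port" -m state --state NEW -j ACCEPT
    else
        iptables -A INPUT -p tcp -m tcp --dport "$port" -m state --state NEW -j ACCEPT
    fi
}

# Constructed sample of "iptables -S INPUT" on a fresh CentOS 6 host (the
# default rule set above, as iptables prints it back):
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# sample_position: the rule number of the catch-all in the sample (5), so
# "iptables -I INPUT 5 ..." places a new rule just above it.
sample_position() { printf '%s\n' "$SAMPLE_INPUT_CHAIN" | catchall_position; }

if [ "${1:-}" ]; then allow_tcp_port "$1"; fi
```

A chain with policy DROP and no catch-all rule reports 0, and appending is correct there because the policy, not a rule, does the refusing.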
Ports
Web: 80 (HTTP) and 443 (HTTPS).
For sending email: port 25 (SMTP) and 465 (SMTP over SSL/TLS).
For receiving email (letting users read mail on the server): port 110 (POP3) and 995 (POP3 over SSL/TLS).
Security Rules
Put these DROP rules at the top of INPUT (insert with -I, or place them before any ACCEPT in the file): once a packet is accepted by an earlier rule, a DROP below it is never consulted.
Blocking null packets: drop all incoming TCP packets with no flags set (a null scan, used for reconnaissance).
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Drop packets that try to open a new TCP connection without the SYN flag. A TCP connection must begin with SYN, so a NEW packet carrying only ACK, FIN or other flags is forged or stray, typically a stealth scan, and we do not accept it. This rule is often presented as syn-flood protection, but a real SYN flood is a stream of valid-looking SYN packets that passes this rule untouched; that needs rate limiting (the limit match) or SYN cookies in the kernel.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Another common reconnaissance pattern is the XMAS packet, with every TCP flag set. Drop those too:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
You can restrict the SSH port to a single source, your own IP address (risky if your address changes, because the rule then locks you out; keep console access):
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT
Replace YOUR_IP_ADDRESS with the actual IP. The restriction only works if the general port 22 ACCEPT rule is removed; otherwise that broader rule still admits everyone.
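Rather than adding the Other Rules and Security Rules one at a time with -A, it is safer to write one complete file and load it with iptables-restore. The script below is an added example, not the page's own file: it emits such a file with the rules from both sections in a working order (malformed-packet DROPs first, stateful and loopback ACCEPTs next, service ports, catch-all REJECT last). ADMIN_IP (an RFC 5737 documentation address), WEB_PORTS and the build_rules and rule_number names are assumptions; substitute your own address.

```shell
#!/bin/bash
# build_rules.sh: write a complete /etc/sysconfig/iptables, in iptables-save
# format, that combines the rules on this page in an order that works.
# Added example, not the page's own file. ADMIN_IP is an assumption:
# substitute your own address and keep console access in case it changes,
# because SSH from anywhere else falls through to the REJECT.
# Load with:  iptables-restore < rules.txt && service iptables save

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
WEB_PORTS="${WEB_PORTS:-80 443}"

# build_rules: print the rule set to stdout.
build_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. malformed TCP first: no flags (null scan), all flags (XMAS), NEW without SYN
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# 2. loopback, and replies/related packets for connections we already have
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. ping only; ICMP errors about our own connections already passed as RELATED
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# 4. SSH from the admin address only (no general port 22 rule, or it would admit everyone)
-A INPUT -p tcp -s $ADMIN_IP -m tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    # 5. public services
    for p in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
# 6. everything else is refused, and this host forwards nothing
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rule_number PATTERN: position of the first rule line matching PATTERN in
# the generated set (comment and header lines excluded), to check the order.
rule_number() {
    build_rules | grep '^-A' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "--print" ]; then build_rules; fi
```

Lines starting with # are ignored by iptables-restore, so the numbered comments survive in the saved file; note that service iptables save rewrites the file from the kernel and strips them.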