Iptables is familiar to anyone who has used Linux. It is a firewall built into the Linux kernel from version 2.4.x. Today, the Linux kernel has been updated to version 5.11.x, and Linux firewalls have generalized UFW and Firewalld based on iptables, and have replaced iptables in some distributions.
Netfilter/Iptables
Netfilter/Iptables is the firewall of Linux. Iptables manages rules and Netfilter implements rules. Together, Netfilter and Iptables constitute the Linux packet filtering firewall.
Iptables provides four built-in tables, namely filter table, NAT table, Mangle table, and RAW table, which are used for packet filtering, network address translation, packet reconstruction (modification), and data tracing respectively. Each table has its own chain. Here are the four tables and five chains in Iptables:
Chains are the paths through which packets travel. Each chain can have one or more rules, and when a packet arrives at a chain, Iptables checks from the first rule in the chain to see if the packet meets the criteria defined by the rule. If yes, the system processes the packet according to the method defined in this rule. Otherwise iptables will continue to check for the next rule. If the packet does not match any of the rules in the chain, Iptables processes the packet according to the default policy predefined for the chain.
On the principle of the iptables made it clear: this article blog.csdn.net/tennysonsky…
In Linux, you can use the following commands to enable or disable iptables
// Start iptables systemctl start iptables // Stop iptables systemctl stop iptablesCopy the code
The following are common commands:
Iptables -l INPUT // Allow TCP access on port 3306 iptables -I INPUT -p TCP --dport 3306 -j ACCEPT // Iptables -I INPUT -p udp --dport 500 -s XXX.XXX.xxx. XXX -j ACCEPT // -A indicates that the rule is added to the end of the table with the lowest priority. Iptables -a INPUT -p TCP -j REJECT // Delete the first rule in the INPUT table iptables -d INPUT 1 // Clear the rule list iptables -FCopy the code
Iptables can also do kernel-based packet forwarding. There are so many articles on the Internet about the use of Iptables that I won’t write more.
It is important to note that the iptables rules, while effective immediately, are not saved. It will be lost after boot.
RedHat Save:
service iptables save
Copy the code
The Debian system runs iptables-save to list all the rules and saves them in a file. Use iptables-restore to restore the system when it is started.
// Save iptables-save > /etc/iptables.conf // Restore iptables-restore < /etc/iptables.confCopy the code
The UFW and Firewalld
Iptables is powerful and complex, hence the UFW and Firewalld. Their commands are much simpler and clearer, with underlying calls to iptables.
- UFW
UFW is the Ubuntu firewall:
// Start ufw systemctl start ufw // Stop ufw systemctl stop ufwCopy the code
The following are common commands:
// Query the uFW status. Print rules UFW status // Allow port 80 to access the UFW allow 80 // Deny port 8000 to access the UFW deny 9000 // Deny the ACCESS from the UFW with the IP address xxx.XXX.xxx.xxx Xxx.xxx.xxx. XXX // Allow access to the UFW through TCP, 9000-9002 allow 99:9002 / TCP // Delete rule ufw delete allow HTTPCopy the code
- Firewalld
Firewalld is a built-in firewall for Fedora/CentOS 8 or later:
// Start firewalld systemctl start firewalld // Stop firewalld systemctl stopCopy the code
The following are common commands:
// Allow TCP port 8161 access, --zone, --permanent firewall-cmd --zone=public --add-port=8161/ TCP --permanent // Reloading the rule firewall-cmd --reload // Run the following command to forward the traffic on port 80 to 8080 firewall-cmd --add-forward-port=port=80:proto= TCP :toport=8080 // Run the following command to forward the traffic on port 80 to 192.168.0.1 firewall-cmd --add-forward-port=proto=80:proto= TCP :toaddr=192.168.1.0.1 // Forward the traffic on port 80 to port 8080 at 192.168.0.1 firewall-cmd - add - forward - port = proto = 80: proto = TCP: toaddr = 192.168.0.1: toport = 8080Copy the code
Firewalld also has a graphical interface:
All original articles on “Siege Lion · Zheng” unless otherwise noted.
Link to this article: engr-z.com/402.html