- Linux Networking Cookbook
- Gregory Boyce
- 414字
- 2021-07-02 16:32:44
Setting up a firewall with IPtables
We touched upon iptables a little while discussing NAT, but now we're going to go a bit deeper into configuring a secure firewall for your network.
How to do it…
A properly configured firewall should be configured in a default deny configuration with specific allows (Whitelist) for what you want to accept:
# iptables -A INPUT -i lo -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # iptables -A INPUT -p tcp --dport 22 -j ACCEPT # iptables -P INPUT DROP # iptables -P FORWARD DROP # iptables -P OUTPUT ACCEPT # iptables -A FORWARD -i eth0 -j ACCEPT # iptables -t nat -A POSTROUTING -o eth2 \ -j MASQUERADE # iptables -A FORWARD -i eth2 -o eth0 -m \ state --state RELATED,ESTABLISHED -j ACCEPT # iptables -A FORWARD -i eth0 -j ACCEPT
How it works…
We start off by setting an ACCEPT policy on traffic destined to the local system on the localhost adapter (-i lo). A lot of software expects to be able to communicate over the localhost adapter, so we want to make sure we don't inadvertently filter it.
Next, we set an ACCEPT policy for any packet that matches a state (-m state) of ESTABLISHED, RELATED. This command accepts packets which are a part of, or related to, an established connection. ESTABLISHED should be pretty straightforward. RELATED packets are special cases that the connection tracking module needs to have a prior knowledge of. An example of this is the FTP protocol operating in active mode. The FTP client in active mode connects to the server on port 21. Data transfers however, operate on a second connection originating from the ftp server from port 20. During the operation of the connection, the port 21 packets are ESTABLISHED, while the port 20 packets are RELATED.
The third command accepts any TCP connection (-p tcp) destined for port 22 (--dport 22) that is destined for your system. This rule allows you to SSH into the machine.
Next, we will define the default policies. By default, we drop packets on the INPUT and FORWARD chains and accept packets on the OUTPUT chain.
The last three lines you'll recognize from the NAT section, which tells the firewall to allow any packets starting on the internal network and heading out to the Internet.
Additional ACCEPT rules based upon destination ports can be opened as needed as INPUT lines, like the port 22 one.
- Building Modern Web Applications Using Angular
- Microsoft Application Virtualization Cookbook
- PHP程序設(shè)計(jì)(慕課版)
- 算法精粹:經(jīng)典計(jì)算機(jī)科學(xué)問題的Java實(shí)現(xiàn)
- 從程序員到架構(gòu)師:大數(shù)據(jù)量、緩存、高并發(fā)、微服務(wù)、多團(tuán)隊(duì)協(xié)同等核心場景實(shí)戰(zhàn)
- 微服務(wù)設(shè)計(jì)原理與架構(gòu)
- Java程序員面試算法寶典
- Instant Typeahead.js
- 精通API架構(gòu):設(shè)計(jì)、運(yùn)維與演進(jìn)
- Web程序設(shè)計(jì)(第二版)
- Integrating Facebook iOS SDK with Your Application
- 微信小程序全棧開發(fā)技術(shù)與實(shí)戰(zhàn)(微課版)
- iPhone應(yīng)用開發(fā)從入門到精通
- Python機(jī)器學(xué)習(xí)之金融風(fēng)險(xiǎn)管理
- Laravel Application Development Blueprints