Summary: This article describes how to use the "iptables -A" command to add iptables firewall rules.

This article is shared from the Huawei Cloud Community " Linux IPTables: How to add firewall rules (using the example of allowing SSH) ", author: Tiamo_T.


"-A" stands for append. If it is easier for you to remember "-A" as "add rule" rather than "append rule", that is fine. However, remember that "-A" adds the rule at the end of the chain.

Also, it is important to remember that -A adds the rule at the end.

Usually, the last rule is the one that drops all packets. If you already have a rule that drops all packets and you use "-A" on the command line to create a new rule, the new rule ends up after the current "drop all packets" rule, which makes your new rule almost useless.

Once you have mastered iptables and implement it in production, you should use a shell script in which you add all the rules with the -A command. In that shell script, the last line should always be the "drop all packets" rule. When you want to add a new rule, modify the shell script and insert the new rule above the "drop all packets" rule.

Syntax:

iptables -A chain firewall-rule

• -A chain: specifies the chain the rule should be appended to. For example, use the INPUT chain for incoming packets and OUTPUT for outgoing packets.
• firewall-rule: the various parameters that make up the firewall rule.

If you do not know what a chain is, it is best to read the basics of iptables first.

Firewall rule parameters

The following parameters can be used in all types of firewall rules.

-p for protocol

• Indicates the protocol of the rule.
• Possible values are tcp, udp, icmp.
• Use "all" to match all protocols. When you do not specify -p, "all" is used by default. It is not good practice to use "all"; always specify the protocol.
• Use the name (for example, tcp) or the number (for example, 6 for tcp) as the protocol.
• The /etc/protocols file contains all allowed protocol names and numbers.
• You can also use --protocol.

-s for source

• Indicates the source of the packet.
• This can be an IP address, a network address or a host name.
• For example, -s 192.168.1.101 indicates a specific IP address.
• For a netmask, use /mask. For example, "-s 192.168.1.0/24" means the network's netmask is 255.255.255.0, which matches the 192.168.1.x network.
• When you do not specify a source, all sources are matched.
• You can also use --src or --source.

-d for destination

• Indicates the destination of the packet.
• This works the same as "-s", except that it refers to the destination host, IP address or network.
• You can also use --dst or --destination.

-j for target

• j stands for "jump to target".
• Specifies what should happen to packets that match this firewall rule.
• Possible values are ACCEPT, DROP, QUEUE, RETURN.
• You can also specify a user-defined chain as the target.

-i for input interface

• i stands for "input interface".
• You may ignore the word "input" and think of "-i" simply as "interface". Note that both -i and -o refer to interfaces; -i is the input interface and -o is the output interface.
• Indicates the interface through which incoming packets arrive, for the INPUT, FORWARD and PREROUTING chains.
• For example, -i eth0 indicates that this rule only considers incoming packets arriving through interface eth0.
• If you do not specify the -i option, all available interfaces on the system are considered for incoming packets.
• You can also use --in-interface.

-o for output interface

• o stands for "output interface".
• Indicates the interface through which outgoing packets are sent, for the OUTPUT, FORWARD and POSTROUTING chains.
• If you do not specify the -o option, all available interfaces on the system are considered for outgoing packets.
• You can also use --out-interface.

Additional options for firewall parameters

Some of the firewall parameters above have their own options that can be passed along with them. Here are some of the most common ones.

To use one of these options, you must specify the corresponding parameter in the firewall rule. For example, to use the "--sport" option, you must specify the "-p tcp" (or "-p udp") parameter in the rule.

Note: all these options are preceded by two dashes. For example, there are two hyphens in front of sport.

--sport for source port (for -p tcp or -p udp)

• By default, all source ports are matched.
• You can specify the port number or name. For example, to use the SSH port in a firewall rule, use "--sport 22" or "--sport ssh".
• The /etc/services file contains all allowed port names and numbers.
• It is better to use port numbers in rules than port names (for performance).
• To match a port range, use a colon. For example, 22:100 matches port numbers from 22 to 100.
• You can also use --source-port.

--dport for destination port (for -p tcp or -p udp)

• Everything is the same as --sport, except that this is for the destination port.
• You can also use --destination-port.

--tcp-flags for TCP flags (for -p tcp)

• This can contain multiple values separated by commas.
• The possible values are SYN, ACK, FIN, RST, URG, PSH. You can also use ALL or NONE.

--icmp-type for ICMP type (for -p icmp)

• When you use the ICMP protocol ("-p icmp"), you can also use the "--icmp-type" option to specify the ICMP type.
• For example, "--icmp-type 0" is "Echo Reply" and "--icmp-type 8" is "Echo".

Example firewall rule to allow incoming SSH connections

Now that you understand the various parameters (and their options) of firewall rules, let us build an example firewall rule.

In this example, we only allow incoming SSH connections to the server. All other connections are blocked (including ping).

Warning: firewall rules can make your system inaccessible. If you do not know what you are doing, you may lock yourself (and everyone else) out of the system. Therefore, do all of your learning on a test system that nobody else uses, and make sure you can reach the console to reset iptables if you lock yourself out.

1. Delete existing rules

If you already have some iptables rules, make a backup before deleting them.

Delete all existing rules and set the firewall to accept everything. Use the iptables flush we discussed earlier to clear all existing rules and start from scratch.

Test to make sure you can ssh and ping this server from outside.

After completing this example, you will only be able to connect to this server via SSH. You will not be able to ping this server from outside.

2. Only allow SSH

Allow only incoming SSH connections to this server. You will be able to ssh to this server from anywhere.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

The above iptables command has the following four components.

• "-A INPUT": we are appending (or adding) a new rule to the INPUT chain, so this rule applies to incoming traffic.
• "-i eth0": incoming packets arriving through interface eth0 are checked against this rule.
• "-p tcp --dport 22": this rule applies to TCP packets, with the tcp option "--dport 22", meaning the destination port on the server is 22 (that is, ssh).
• "-j ACCEPT": jump to ACCEPT, which simply accepts the packet.

Put simply, the above rule says: all packets arriving through eth0 for ssh are accepted.

3. Discard all other packets

Once you have specified a custom rule for accepting packets, you should also have a default rule that drops every other packet.

This should be the last rule in the INPUT chain.

To drop all other incoming packets, do the following.

iptables -A INPUT -j DROP

4. View and test the SSH rules

To view the current iptables firewall rules, use the "iptables -L" command.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

As you can see from the above output, it has the following two rules, in order.

• Accept all incoming ssh connections.
• Drop all other packets.

Instead of adding the firewall rules from the command line, create a shell script containing the rules, as shown below.

# vi iptables.sh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

# sh -x iptables.sh
+ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -j DROP

# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere
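The script approach recommended above (append every rule with -A, keep the "drop all packets" rule last) is easy to get wrong when someone later appends a rule to the end of the file. The following script is an added example, not the article's own iptables.sh: it builds the INPUT chain with "iptables -A" and refuses to load it if the catch-all DROP is missing or is not the last rule. It goes slightly beyond the article's SSH-only rule set by also allowing ICMP echo requests (--icmp-type 8) from a management subnet, to exercise the -s and --icmp-type parameters described earlier. The interface eth0 and the subnet 192.168.1.0/24 are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own iptables.sh: build the INPUT chain with
# "iptables -A" and refuse to load it if anything follows the catch-all DROP,
# since -A always appends at the end of the chain.
# Assumptions (placeholders): interface eth0 and management subnet 192.168.1.0/24.

# Rules in the order they will be appended, one per line. The last line must be
# the catch-all DROP; every new rule has to be inserted above it.
input_rules() {
    cat <<'EOF'
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp --icmp-type 8 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -j DROP
EOF
}

# check_order: reads rules on stdin and exits 1 if the catch-all DROP
# ("-A <chain> -j DROP" with no match parameters) is missing or is not the
# last rule. Anything appended after it would never be evaluated.
check_order() {
    awk '
        BEGIN { drop = 0; last = 0 }
        /^-A [A-Za-z0-9_]+ -j DROP$/ { drop = NR }
        { last = NR }
        END {
            if (drop == 0) {
                print "refusing to load: no catch-all DROP rule" > "/dev/stderr"
                exit 1
            }
            if (drop != last) {
                print "refusing to load: rule(s) after the catch-all DROP" > "/dev/stderr"
                exit 1
            }
        }'
}

# apply_rules [command]: validate the order, then run each rule through
# "command" (default iptables). Pass "echo" for a dry run that prints the
# iptables arguments instead of loading them.
apply_rules() {
    ipt="${1:-iptables}"
    input_rules | check_order || return 1
    # Word splitting of $rule is intentional: each line is a list of arguments.
    while read -r rule; do
        $ipt $rule || return 1
    done <<EOF
$(input_rules)
EOF
}

# Stand-alone use: "sh iptables-ssh.sh apply" loads the rules (needs root);
# any other invocation is a dry run that only prints the commands.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    apply_rules echo
fi
```

Run it without arguments first to see the exact arguments that would be passed to iptables, then with "apply" as root. If a rule is appended below the DROP line, check_order rejects the whole file before a single rule is loaded, so the chain is never left half-built.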

Similar to the iptables append/add command, there are a few other commands available for iptables.
