Tìm hiểu Iptables
Tìm hiểu Iptables
1./ Tìm hiểu Iptables.
Iptables có 5 chain
The PREROUTING chain: Rules in this chain apply to packets as they just arrive on the network interface. This chain is present in the nat, mangle and raw tables.
Input – This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.
Forward – This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.
Output – This chain is used for outgoing connections. For example, if you try to ping fixloinhanh.com, iptables will check its output chain to see what the rules are regarding ping and fixloinhanh.com before making a decision to allow or deny the connection attempt.
The POSTROUTING chain: The rules in this chain apply to packets as they just leave the network interface. This chain is present in the nat and mangle tables.
Kiểm tra các Rule và các Chain
iptables -L -v
Xử lý trong Iptables
ACCEPT: This causes iptables to accept the packet.
DROP: iptables drops the packet. To anyone trying to connect to your system, it would appear like the system didn’t even exist.
REJECT: iptables “rejects” the packet. It sends a “connection reset” packet in case of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.
Lưu ý: Mode NAT sẽ là “khiên chắn” đầu tiên và rất quan trọng. Nếu bạn có 1 rule NAT với IP bên trong hoặc IP container thì dù bạn có chặn IP public của server cũng không có tác dụng với IP NAT bên trong. do đó cần kiểm tra thật cẩn thận Mode NAT của iptables.
2./ Ví dụ:
iptables -t filter -A INPUT -s 126.96.36.199 -j REJECT
The -t switch specifies the table in which our rule would go into — in our case, it’s the filter table
The -A switch tells iptables to “append” it to the list of existing rules in the INPUT chain. However, if this is the first time you’re working with iptables, there won’t be any other rules, and this will be the first one.
As you might have guessed, the -s switch simply sets the source IP that should be blocked. Finally, the -j switch tells iptables to “reject” traffic by using the REJECT target. If you want iptables to not respond at all, you can use the DROP target instead.
có thể viết
iptables -A INPUT -s 188.8.131.52 -j REJECT
Block Range IP
iptables -A INPUT -s 184.108.40.206/24 -j REJECT
Chặn 1 Port từ 1 IP nào đó
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
Chặn kết nối đến Port
iptables -A INPUT -p tcp --dport ssh -j DROP
Cuối cùng luôn luôn đặt Deny all
iptables -P INPUT DROP
Lưu cấu hình iptables