Tìm hiểu Iptables

1./ Tìm hiểu Iptables.

Iptables có 5 chain

The PREROUTING​​ chain: Rules in this chain apply to packets as they just arrive on the network interface. This chain is​​ present in the nat, mangle and raw tables.

Input – This chain is used to control the behavior for incoming connections. For example, if a user attempts to SSH into your PC/server, iptables will attempt to match the IP address and port to a rule in the input chain.

Forward – This chain is used for incoming connections that aren’t actually being delivered locally. Think of a router – data is always being sent to it but rarely actually destined for the router itself; the data is just forwarded to its target. Unless you’re doing some kind of routing, NATing, or something else on your system that requires forwarding, you won’t even use this chain.

Output – This chain is used for outgoing connections. For example, if you try to ping cloudx.com.vn, iptables will​​ check its output chain to see what the rules are regarding ping and cloudx.com.vn before making a decision to allow or deny the connection attempt.

The POSTROUTING​​ chain: The rules in this chain apply to packets as they just leave the network interface.​​ This chain is present in the nat and mangle tables.

Kiểm tra các Rule và các Chain

iptables -L -v

Xử​​ lý trong Iptables

• ACCEPT: This causes iptables to accept the packet.

• DROP: iptables drops the packet. To anyone trying to connect to your system, it would appear like the system didn’t even exist.

• REJECT: iptables “rejects” the packet. It sends a “connection reset” packet in case of TCP, or a “destination host unreachable” packet in case of UDP or ICMP.

Lưu ý: Mode NAT sẽ là “khiên chắn” đầu tiên và rất quan trọng. Nếu bạn có 1 rule NAT với IP bên trong hoặc IP container thì dù bạn có chặn IP public của server cũng không có tác dụng với IP NAT bên trong. do đó cần kiểm tra thật cẩn thận Mode NAT của iptables.

2./ Ví dụ:

Block Ips

iptables -t filter -A INPUT -s​​ 59.45.175.62 -j REJECT

The -t switch specifies the table in which our rule would go into — in our case, it’s the filter table

The -A switch tells iptables to “append” it to the list of existing rules in the INPUT chain. However, if this is the first time​​ you’re working with iptables, there won’t be any other rules, and this will be the first one.

As you might have guessed, the -s switch simply sets the source IP that should be blocked. Finally, the -j switch tells iptables to “reject” traffic by using the​​ REJECT target. If you want iptables to not respond at all, you can use the DROP target instead.

có thể​​ viết​​ 

iptables -A INPUT -s 59.45.175.62 -j REJECT

Block Range IP

iptables -A INPUT -s 59.45.175.0/24 -j REJECT

Chặn 1 Port từ​​ 1 IP nào đó

iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP

Chặn kết nối đến Port

iptables -A INPUT -p tcp --dport ssh -j DROP

Cuối cùng luôn luôn đặt Deny all

iptables -P INPUT DROP

Lưu cấu hình iptables

sudo /sbin/iptables-save