[For Beginners] How to apply/not apply access restrictions using the iptables command

Hello! I'm Shimeji from the System Solutions Department.
It's been three months since I joined the company, but I'm still overwhelmed by all the things I don't understand.
However, the seniors at Beyond are very kind and give me various insights every day.
I'm truly grateful to everyone.
Today I would like to briefly explain how to restrict access using the iptables command, as used on CentOS 6.
What is iptables?
It is a packet filter implemented in Linux.
It is also known as a firewall.
It can restrict or allow specific traffic.
In simple terms,
- We do not allow access from bad people
- Access from good people is welcome
That's it!!
And the command to operate iptables is the iptables command!
Just as it sounds.
Restricting with iptables
First, please see below
[root@localhost vagrant]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The above is the result of executing the [iptables -L] command.
You can see that the output is divided into three sections from the top.
[ INPUT ] is the chain related to input, [ FORWARD ] is the chain related to forwarding, and [ OUTPUT ] is the chain related to output.
Think of a chain as a rule that inspects packets.
Look next to Chain INPUT.
You will see (policy ACCEPT).
This is called a policy. A policy is the default rule that applies to the entire chain.
ACCEPT means that all input is allowed.
On the other hand, if you want to restrict it, change this to DROP.
The command is
iptables -P INPUT DROP
That's it!!
(Note that this also cuts off your own SSH connection. Run the allow command described in the next section first, so that access from your own IP address is permitted before you change the policy.)
Let's check it with the command [iptables -L]!
[root@localhost vagrant]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It has changed to DROP.
Now you have restricted all access from outside!
Allow access with iptables
Please see below
[root@localhost vagrant]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.33.1         anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[ ACCEPT all -- 192.168.33.1 anywhere ]
You'll see that a line like this has been added!
This means "All access from 192.168.33.1 is permitted."
This is called a rule.
To add a rule to allow access, run the following command:
iptables -A INPUT -s [IP address to allow access from] -j ACCEPT
Now you can block all access and allow access only from specific IP addresses.
By the way, it is also possible to allow access only to a specific port:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This is the command to allow access to port 80 (web server).
You can change the port by changing the number after --dport!!
These changes are lost when the machine reboots.
If you want to make the settings permanent, save them with this command:
service iptables save
Blocking all access and then allowing only specific access, as we did here, is called the "whitelist method."
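The steps above, applied in an order that does not lock you out, as an added example script that is not from the original post. It goes slightly beyond the post by also allowing loopback and already-established connections before the policy is flipped; the management host 192.168.33.1, port 22 for SSH and port 80 for the web server are the post's values, and IPT=echo (a constructed dry-run switch) just prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): apply the whitelist method in a
# safe order so the SSH session used to run it is not cut off.
# Assumptions (constructed for this example): management host 192.168.33.1,
# web server on port 80. IPT defaults to "iptables"; set IPT=echo to print the
# commands instead of running them (dry run, needs no root).
IPT="${IPT:-iptables}"
ALLOW_FROM="${ALLOW_FROM:-192.168.33.1}"

# Emit the rule set in the order it must be applied. Everything that keeps the
# box reachable goes in BEFORE the policy flips to DROP.
whitelist_rules() {
    # 1. loopback and already-established sessions (keeps the current SSH alive)
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. management host: everything from it, as in the post
    echo "-A INPUT -s $ALLOW_FROM -j ACCEPT"
    # 3. the public service: port 80 from anywhere
    echo "-A INPUT -p tcp --dport 80 -j ACCEPT"
    # 4. only now flip the default to DROP (the "whitelist" part)
    echo "-P INPUT DROP"
}

# Run each rule through $IPT; stop at the first failure so a typo never leaves
# the chain half-configured with the policy already on DROP.
apply_whitelist() {
    whitelist_rules | while read -r rule; do
        $IPT $rule || exit 1   # word splitting of $rule is intended
    done
}

# How many ACCEPT rules are in place before the policy change (sanity check)
rules_before_drop() {
    whitelist_rules | sed -n '/^-P INPUT DROP$/q;p' | wc -l | tr -d ' '
}

# Usage: sh whitelist.sh apply   (or IPT=echo sh whitelist.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    apply_whitelist
fi
```

After confirming you can still log in, persist the result with service iptables save as described above.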
Summary
This is a very rough and concise explanation, but that's the basics of how to use the iptables command.
There are configuration methods that don't use the iptables command, and more detailed configuration methods, but I won't go into that here.
Please use the iptables command to enjoy a better computer life!