[For beginners] How to restrict access using the iptables command.
Hello! This is Shimeji from the System Solutions Department.
It's been three months since I joined the company, but I'm still confused by all the things I don't understand.
However, the seniors at beyond are very kind and give me various "realizations" every day.
I'm really grateful to everyone.
Today I'll write briefly about restricting access with the iptables command on CentOS 6.
What is iptables?
iptables is the packet filter built into the Linux kernel, in other words, a firewall.
It lets you allow or block specific traffic.
Simply put,
- Access from unauthorized people is blocked.
- Access from trusted people is welcome.
That's what it means!!
And the command to operate iptables is the iptables command!
It's just like that.
Apply restrictions with iptables
Please see below first.
[root@localhost vagrant]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The above is the execution result of the [iptables -L] command.
You can see that the output is divided into three sections. From the top,
[ INPUT ] is the chain for incoming packets, [ FORWARD ] is the chain for forwarded packets, and [ OUTPUT ] is the chain for outgoing packets.
Think of a chain as a list of rules that packets are checked against, in order.
Now look at what follows Chain INPUT: (policy ACCEPT).
This is called the policy.
The policy is the default action for the entire chain; it applies to every packet that matches none of the chain's rules.
ACCEPT means all input is allowed.
Conversely, if you want to restrict input, change this to DROP.
The command is
iptables -P INPUT DROP
OK!!
(This also cuts off your own SSH connection. Run the allow command from the "Allow access with iptables" section below first.)
Let's check it with the [iptables -L] command!
[root@localhost vagrant]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The policy has changed to DROP.
Now all access from outside is blocked!!
Allow access with iptables
See below.
[root@localhost vagrant]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.33.1         anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
A line like this has appeared:
【ACCEPT all -- 192.168.33.1 anywhere】
It means "all access from 192.168.33.1 is allowed."
This is called a rule.
Run the following command to add a rule to allow access.
iptables -A INPUT -s [IP address to allow access] -j ACCEPT
Now you can block all access and allow access only from specific IP addresses.
By the way, you can also set things like "allow access to a specific port."
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This command allows access to port 80 (web server).
You can allow a different port by changing the number after --dport!!
These rules live only in the running kernel, so they are lost when the machine is restarted.
If you want to make the settings permanent, run
service iptables save
This command writes the current rules to /etc/sysconfig/iptables, and the iptables service reloads them at boot.
This method of prohibiting all accesses and allowing only specific accesses
is called the "whitelist method."
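The whole whitelist procedure above, as an added example that is not code from the original post: it applies the allow rules first and switches the INPUT policy to DROP last, so the SSH session you run it from is never cut off, and it can be dry-run before touching the firewall. The address 192.168.33.1, the port list, and the loopback/ESTABLISHED rules are assumptions added here, not part of the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's whitelist
# steps applied in an order that cannot lock out the session you run it
# from. 192.168.33.1 and the ports are placeholders (assumptions).

# run: print each command and execute it unless DRY_RUN=1, so the whole
# rule set can be reviewed before the firewall is touched.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# apply_whitelist ADMIN_IP [PORT...]
# Allow rules go in first (-A appends and the first matching rule wins);
# the INPUT policy is switched to DROP only at the very end.
apply_whitelist() {
    admin_ip=$1
    shift
    # Loopback and reply packets are an addition to the post. Without
    # these two rules, INPUT DROP also breaks local services and the
    # host's own outbound connections (yum, DNS): the replies get dropped.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The post's rule: everything from the administrator's address.
    run iptables -A INPUT -s "$admin_ip" -j ACCEPT
    # The post's per-port rule, once per listed port (80 = web server).
    for port in "$@"; do
        run iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # Only now is it safe to drop everything else.
    run iptables -P INPUT DROP
}

# verify_and_save: show what is actually loaded (numeric, with line
# numbers) before writing it to /etc/sysconfig/iptables for the next boot.
verify_and_save() {
    run iptables -L INPUT -n --line-numbers
    run service iptables save
}

# Review first:  DRY_RUN=1 sh whitelist.sh 192.168.33.1 80
# Then apply:    sh whitelist.sh 192.168.33.1 80   (as root)
if [ "$#" -gt 0 ]; then
    apply_whitelist "$@"
    verify_and_save
fi
```

Run it with DRY_RUN=1 once to read the exact commands that will be issued; the listing printed by verify_and_save is what to compare against the iptables -L output shown above.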
Summary
Although I have described it in a very rough and concise manner, the above is a simple way to use the iptables command.
There are configuration methods that do not use the iptables command, and there are more detailed configuration methods, but I will omit them here.
Everyone, please use the iptables command and have a good computer life!