[For Beginners] How to apply/not apply access restrictions using the iptables command

Hello! This is Shimeji from the Systems Solutions Department.
Three months have passed since I joined the company, but I'm still overwhelmed by all the things I don't understand.
However, my senior colleagues at beyond are very kind and give me various "insights" every day.
I'm truly grateful to everyone.
Today I would like to briefly explain how to restrict access using the iptables command on CentOS 6.
What is iptables?
iptables is the command-line tool for the packet filter built into the Linux kernel (netfilter).
It's what's commonly known as a firewall.
It lets you block specific traffic or, conversely, explicitly allow it.
Simply put,
- We do not allow access from bad people
- Access from good people is welcome
So that's it!
And the command to manipulate iptables is the iptables command!
It's exactly as it sounds.
Restricting with iptables
First, please see below
[root@localhost vagrant]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The above is the result of executing [iptables -L] (add -n to skip the reverse DNS lookups that can make the listing slow).
You can see that it is divided into three chains. In order,
[INPUT] handles packets addressed to this machine, [FORWARD] handles packets routed through it, and [OUTPUT] handles packets it sends.
Think of a chain as an ordered list of rules that each packet is checked against from top to bottom; the first matching rule decides what happens to it.
Look next to Chain INPUT.
You'll see (policy ACCEPT).
This is called the policy.
A policy is the default for the whole chain: it is applied to every packet that matches none of the chain's rules.
ACCEPT means that such packets are let through, so with an empty INPUT chain every incoming packet is accepted.
Conversely, if you want to block everything that is not explicitly allowed, change this to DROP (the packet is silently discarded, so the sender just sees a timeout).
The command is:
iptables -P INPUT DROP
That's OK!!
(Note: if you run this over SSH, your own session and any new logins are blocked the moment the policy becomes DROP. Add the ACCEPT rules described below, at minimum one for SSH from your own address, before you change the policy.)
Let's check it with the command [iptables -L]!
[root@localhost vagrant]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
It has changed to DROP.
Now every incoming packet that no rule matches is discarded, including replies to connections this machine itself opened, so the server is cut off from the outside until you add ACCEPT rules.
Allow access with iptables
Please see below
[root@localhost vagrant]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.33.1         anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
【ACCEPT all -- 192.168.33.1 anywhere】
A line like this has now appeared in the INPUT chain.
It means "all traffic from 192.168.33.1 is accepted."
This line is called a rule.
To add a rule to allow access, run the following command:
iptables -A INPUT -s [IP address to allow access from] -j ACCEPT
-A INPUT appends the rule to the end of the INPUT chain. Because rules are checked in order and the policy only applies when nothing matches, you can now drop all access by default and allow access from specific IP addresses.
By the way, it is also possible to "allow access to a specific port" regardless of source address:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This command allows access to TCP port 80 (web server).
You can change the port by changing the number after --dport. Note that --dport only works together with a protocol match such as -p tcp or -p udp.
These changes live only in the running kernel and are lost when the machine restarts.
If you want to make the settings permanent on CentOS 6, save them with this command:
service iptables save
It writes the current rules to /etc/sysconfig/iptables, which the iptables service reloads at boot (make sure the service is enabled with chkconfig iptables on).
This method of prohibiting all access by default and allowing only specific access
is called the "whitelist method" (also known as default deny).
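Putting the steps above together, here is an added example (not from the original post) of a shell script that builds the whitelist in a safe order: the loopback, established-connection, SSH and web ACCEPT rules are appended first and the INPUT policy is switched to DROP last, so an admin running it over SSH is not locked out. 192.168.33.1 is the address used in the post; allowing SSH only from that host, opening port 80 for the web server, and the APPLY and IPTABLES variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: apply a whitelist-style
# INPUT chain on CentOS 6 in an order that does not lock out the admin.
#
# Assumptions (not from the post): SSH is allowed only from ADMIN_IP,
# the web server listens on WEB_PORT, and the live firewall is only
# touched when APPLY=1; otherwise the commands are printed.

ADMIN_IP="${ADMIN_IP:-192.168.33.1}"   # management host from the post
WEB_PORT="${WEB_PORT:-80}"             # assumed web server port
IPTABLES="${IPTABLES:-iptables}"       # set to "echo iptables" for a dry run

# Emit the iptables arguments, one command per line, in the order they
# must be applied. The ACCEPT rules come first; the policy flip to DROP
# is deliberately the last line, because "iptables -P INPUT DROP" with an
# empty chain cuts off the SSH session running this script.
whitelist_commands() {
    cat <<EOF
-F INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${ADMIN_IP} -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport ${WEB_PORT} -j ACCEPT
-P INPUT DROP
EOF
}
# Notes on the rules above:
#  -F INPUT            start from an empty chain (safe while the policy is
#                      still ACCEPT, which is the CentOS default)
#  -i lo               local services talk to each other over loopback
#  ESTABLISHED,RELATED replies to connections this host opened (DNS, yum)
#                      would otherwise be dropped by the DROP policy

# Run each line through the iptables binary named in $IPTABLES.
apply_whitelist() {
    whitelist_commands | while IFS= read -r args; do
        # word splitting of $args is intended: each line is one argument list
        $IPTABLES $args
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_whitelist
else
    # dry run: show what would be executed
    whitelist_commands | sed 's/^/iptables /'
fi
```

Without APPLY=1 the script only prints the commands. Run it as root with APPLY=1, confirm from a second terminal that a new SSH login still works, and only then run service iptables save (and chkconfig iptables on) so the rules survive a reboot.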
summary
This is a very rough and concise explanation, but that's the basic way to use the iptables command.
There are other ways to configure the firewall that don't use the iptables command directly, as well as more detailed options, but I'll omit those for now.
Please use the iptables command to enjoy a better computer life!
