iptables explained

Reference: iptables


Reference: https://www.jianshu.com/p/ee4ee15d3658

iptables rule tables and chains:

Tables provide specific functions; iptables has four built-in tables:

  • filter
    • packet filtering
  • nat
    • network address translation
  • mangle
    • packet reconstruction/modification
  • raw
    • connection tracking handling (marking packets that should bypass tracking)
Write rules for the following situations, apply them to the firewall and check whether they work.

  1. Block all incoming network traffic.
     iptables -A INPUT -j REJECT
  2. Block all incoming network traffic but allow HTTP traffic.
     iptables -A INPUT -p tcp --dport www -j ACCEPT
     iptables -A INPUT -j REJECT
  3. Block all incoming Telnet traffic but allow SSH.
     iptables -A INPUT -p tcp --dport ssh -j ACCEPT
     iptables -A INPUT -p tcp --dport telnet -j REJECT
     iptables -A INPUT -j REJECT
  4. Block all incoming network traffic but allow HTTP and SSH access from the address range that the client machine is on.
     # the /24 source range is assumed from the 192.168.56.x client addresses used in the answers below
     iptables -A INPUT -s 192.168.56.0/24 -p tcp -m multiport --dports www,ssh -j ACCEPT
     iptables -A INPUT -j REJECT
  5. Block all incoming network traffic from the client PC but allow pings (ICMP).
     # -I inserts at the top of the chain, so the ICMP ACCEPT inserted second ends up above the REJECT
     iptables -I INPUT -s 192.168.56.107 -j REJECT
     iptables -I INPUT -s 192.168.56.107 -p icmp -j ACCEPT
  6. Block all incoming network traffic but allow FTP from the client (hint: you will need to allow more than one port).
     iptables -I INPUT -j REJECT
     # 21 is the control port; passive-mode data connections use a server-chosen port, so in practice they are allowed as RELATED via the nf_conntrack_ftp helper
     iptables -I INPUT -s 192.168.56.102 -p tcp -m multiport --dports 21,20 -j ACCEPT
  7. There is an option which lets you specify multiple ports in one rule; find it.
     -m multiport --dports (and --sports for source ports)
  8. Block all incoming network traffic but permit HTTP traffic from an established session.
     iptables -A INPUT -p tcp --dport www -m state --state ESTABLISHED -j ACCEPT
     iptables -A INPUT -j REJECT
  9. Set the default INPUT policy to REJECT but allow SSH.

 10. Block all outgoing traffic but allow HTTP traffic to Google's IP address.
     sudo iptables -A FORWARD -j REJECT
     sudo iptables -A OUTPUT -j REJECT
     sudo iptables -I FORWARD -d 216.58.192.164 -p tcp --dport 80 -j ACCEPT
     sudo iptables -I OUTPUT -d 216.58.192.164 -p tcp --dport 80 -j ACCEPT
 11. Block all outgoing HTTP traffic to Google's IP address but allow all other HTTP traffic.
     sudo iptables -I FORWARD -d 216.58.192.164 -p tcp --dport 80 -j REJECT
     sudo iptables -I OUTPUT -d 216.58.192.164 -p tcp --dport 80 -j REJECT
 12. Block all incoming and outgoing UDP traffic.
     sudo iptables -A INPUT -p udp -j REJECT
     sudo iptables -A OUTPUT -p udp -j REJECT
     sudo iptables -A FORWARD -p udp -j REJECT
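The exercises above mix -A (append) and -I (insert), and the "check if they work" part is where the difference bites: a catch-all REJECT appended before an ACCEPT shadows it, so the ACCEPT never matches. The script below is an added example, not code from the original post; it reads an iptables-save style dump (the two dumps are constructed for this example) and reports every rule in a chain that sits below an unconditional REJECT or DROP.

```shell
#!/bin/sh
# Added example (not from the original post): detect rules that can never
# match because an unconditional REJECT/DROP precedes them in the chain.
# Both dumps below are constructed for this example.

# What iptables-save shows after "-A INPUT -j REJECT" followed by
# "-A INPUT -p tcp --dport 22 -j ACCEPT": the ACCEPT is shadowed.
BAD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# The same two rules loaded in the order that "-I" produces: the ACCEPT
# is evaluated first and the REJECT only catches what is left.
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
COMMIT'

# shadowed_rules <chain>: reads a dump on stdin, prints each rule of <chain>
# that follows an unconditional terminating rule, and returns 1 if any was
# found (0 otherwise). A rule is unconditional when "-j" directly follows
# the chain name, i.e. it carries no match criteria at all.
shadowed_rules() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain {
            if (blocked) { print; found = 1; next }
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked = 1
        }
        END { if (found) exit 1; exit 0 }'
}

# check_input_chain <dump-text>: convenience wrapper for the INPUT chain
check_input_chain() {
    printf '%s\n' "$1" | shadowed_rules INPUT
}

# Demo on the constructed dumps; on a live host use: iptables-save | shadowed_rules INPUT
printf 'bad order (shadowed rules follow):\n'
check_input_chain "$BAD_DUMP" || true
printf 'good order:\n'
check_input_chain "$GOOD_DUMP" && printf '  no shadowed rules\n' || true
```

Run it against a real host with `iptables-save | shadowed_rules INPUT`; a non-zero exit status means at least one rule below the catch-all can never be reached, which is exactly the failure mode of appending the REJECT first in exercises 5 and 6.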

Advanced

  1. Block a brute-force attack targeting SSH.

  2. Block a DoS attack targeting the HTTP server.

  3. MySQL runs on port 3306; write a rule which will allow access to it from IP 87.65.43.21.

  4. Write a rule that would block someone using an internal IP to try to get into your network.

  5. Write a rule to block invalid packets.

  6. Write a rule that blocks outgoing pings.

Difference between REJECT and DROP

1. The REJECT action sends back a rejection (termination) packet (a TCP FIN, or for UDP an ICMP port-unreachable), explicitly refusing the peer's connection attempt.

The connection is torn down at once, and the client assumes the host it tried to reach does not exist.

In iptables, REJECT accepts several reply-type parameters: ICMP port-unreachable, ICMP echo-reply, or tcp-reset (this packet asks the peer to close the connection). Once this action has been carried out, no further rules are compared; filtering of that packet stops immediately.

2. The DROP action simply discards the packet and sends nothing back. The client has to wait for a timeout, so it can easily tell that it is being blocked by a firewall.
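The following script is an added example, not code from the original post. It ties the exercise list (a "default REJECT" INPUT policy with SSH allowed, the Advanced items, and the outbound blocks) to the REJECT/DROP discussion above by emitting one complete filter ruleset in iptables-restore format, so every REJECT carries an explicit --reject-with and the chain order is fixed rather than dependent on -A/-I sequencing. Assumed values: CLIENT_NET is inferred from the 192.168.56.x client addresses used on this page, and GOOGLE_IP is the address the page uses; the -m recent and -m limit thresholds are illustrative choices.

```shell
#!/bin/sh
# Added example, not code from the original post: emit a complete filter
# ruleset in iptables-restore format. iptables-restore replaces the table
# atomically, so the rule order is exactly what is written here and no
# half-applied state exists while the rules are loaded.
# Assumed values: CLIENT_NET is inferred from the 192.168.56.x client
# addresses on the page; GOOGLE_IP is the address the page uses.
CLIENT_NET="${CLIENT_NET:-192.168.56.0/24}"
GOOGLE_IP="${GOOGLE_IP:-216.58.192.164}"

build_ruleset() {
    cat <<EOF
*filter
# A chain policy can only be ACCEPT or DROP, never REJECT, so "default
# REJECT" is expressed as policy DROP plus explicit REJECT rules at the end.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, invalid packets, and already-tracked connections first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the client range; a source opening a 4th new connection
# within 60 s is dropped (brute-force throttling with -m recent)
-A INPUT -p tcp --dport 22 -s $CLIENT_NET -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -s $CLIENT_NET -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -s $CLIENT_NET -j ACCEPT
# HTTP from anywhere; new connections are capped with -m limit to blunt a flood
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 25/second --limit-burst 100 -j ACCEPT
# pings from the client range
-A INPUT -p icmp --icmp-type echo-request -s $CLIENT_NET -j ACCEPT
# everything else is rejected explicitly: TCP gets a RST so the client fails
# at once; other protocols get ICMP port-unreachable (REJECT's default)
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# outbound: no HTTP to the Google address, no outgoing pings. DROP on the
# ping makes the local ping simply time out; REJECT would report an error
-A OUTPUT -d $GOOGLE_IP -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-A OUTPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}

# count_rules: number of -A rule lines in the generated ruleset
count_rules() {
    build_ruleset | grep -c '^-A '
}

# has_rule <fragment>: succeeds when the ruleset contains the literal fragment
has_rule() {
    build_ruleset | grep -Fq -- "$1"
}

# With --apply the ruleset is loaded (needs root); otherwise it is printed
# for review, e.g. to diff against the output of iptables-save.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Review the printed ruleset first, then load it with `sh firewall.sh --apply` as root and confirm with `iptables-save` that the order on the host matches the file. `-m conntrack --ctstate` is the current form of the older `-m state --state` used in the exercises; both match the same connection-tracking states.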
