Although Linux is generally considered more secure and reliable than Windows, it is mostly used as a server, so we cannot be careless: access rules for network traffic still need to be strictly limited. In this article we take a look at the well-known firewall iptables, which has been around for more than a decade and is one of the true heroes of Linux.

1. Introduction to commands

The iptables command lets you set rules about which ports other computers may use to connect to your machine (inbound), which ports your machine may connect to (outbound), and, at finer granularity, filter by IP address.

A typical use is blocking port 3306 with iptables. iptables is usually installed by default; if not, run the command for your distribution below to install it.

# on CentOS
$ sudo yum install iptables

# on Ubuntu/Debian
$ sudo apt install iptables

In the operations that follow, note that these commands require root privileges.

2. Operation examples

iptables -L displays all firewall rules.

$ iptables -L

As you can see, on my server the firewall rules are divided into several chains, including:

  • Chain INPUT: rules that govern incoming network traffic
  • Chain FORWARD: rules that govern forwarded network traffic
  • Chain OUTPUT: rules that govern outgoing network traffic
  • Chain DOCKER: rules that govern Docker network traffic; the other chains whose names start with DOCKER (user, isolation, and so on) are Docker-specific subdivisions of these rules

This command shows us the current filtering rules, but how do we create, read, update and delete (CRUD) them?

Clear all rules

$ iptables -F    # flush all rules in every chain
$ iptables -X    # delete all user-defined (non-built-in) chains
$ iptables -Z    # zero the packet and byte counters

Blocking an IP address

$ iptables -I INPUT -s 121.45.6.7 -j DROP    # drop everything from a single host
$ iptables -I INPUT -s 121.0.0.0/8 -j DROP   # drop everything from a whole /8 network

Deleting a specified rule

$ iptables -L -n --line-numbers    # list rules with their line numbers
$ iptables -D INPUT 10             # delete rule number 10 from the INPUT chain
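Deleting by line number has a pitfall: once rule N is removed, every rule below it shifts up by one, so several deletions must run from the highest number down. This added example (not from the original article) parses the output of iptables -L INPUT -n --line-numbers, using a constructed sample listing, and emits the delete commands for every rule matching a given source address in the right order.

```shell
#!/bin/sh
# Added example, not from the original article: build the "iptables -D" commands
# that remove every rule in a chain matching a given source address, highest
# line number first, so that earlier deletions do not renumber later targets.

# $1: text of "iptables -L <chain> -n --line-numbers"; $2: source address to match.
# Prints one "iptables -D <chain> <num>" line per matching rule, descending.
delete_cmds_for_source() {
    listing=$1
    src=$2
    printf '%s\n' "$listing" | awk -v src="$src" '
        $1 == "Chain" { chain = $2 }                        # header line names the chain
        $1 ~ /^[0-9]+$/ && $5 == src { print $1, chain }    # rule rows: num target prot opt source ...
    ' | sort -rn | while read -r num chain; do
        printf 'iptables -D %s %s\n' "$chain" "$num"
    done
}

# Constructed sample listing; a real one comes from
# "iptables -L INPUT -n --line-numbers" run as root.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  121.45.6.7           0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    DROP       all  --  121.0.0.0/8          0.0.0.0/0
4    DROP       tcp  --  121.45.6.7           0.0.0.0/0            tcp dpt:3306'

# Against the live firewall (as root), review the generated commands, then pipe them to sh:
#   delete_cmds_for_source "$(iptables -L INPUT -n --line-numbers)" 121.45.6.7 | sh

delete_cmds_for_source "$SAMPLE_LISTING" 121.45.6.7
```

Rules 4 and 1 match the host, and the commands come out as `iptables -D INPUT 4` followed by `iptables -D INPUT 1`, which is the only order in which both numbers still point at the intended rules.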

iptables is very powerful; read the official documentation for in-depth usage.

3. Extension

The configuration and rule syntax of iptables are complex and costly for the average user to learn. Another command that can help is the Uncomplicated Firewall (UFW), which, as its name implies, is a simpler firewall. Many Linux distributions do not support it, so refer to the official UFW documentation to learn how to use it. Further, if your system has a graphical interface, GUFW is recommended.

iptables has been around for so many years that, since Linux 3.13, the official nftables command has been released to replace it. nftables is a new firewall subsystem and packet-filtering engine that provides a simpler kernel ABI (Application Binary Interface), reduces duplicated code, improves error reporting, and supports filtering rules more efficiently.