Iptables foundation and Samba configuration examples

• iptable Basic concepts
• Iptables Watch chain rules
• iptables The process of transmitting packets
• iptables Command format
• iptables Common options OPTIONS explain
  • Common commands COMMANDS explain
  • Common parameters PARAMETERS explain
  • Use MATCH EXTENSIONS Extension module
  • other
• Take an example to build samba The server
  • To configure samba The server
  • add to samba Account
  • close SELinux A firewall
  • To configure iptables
    • First, check the current rules
    • Add rules to enable samba Port used
    • See the added rules
  • Save the current rule and enable samba

iptable Basic concepts

iptables The firewall consists of two parts , Located in user space iptables Modules and are located in kernel space netfilter modular . The user space module provides insertion 、 Modify and remove the rules in the packet filter table , The kernel module performs actual filtering , So the more accurate name should be iptables/netfilter.

• surface （tables）： Provide specific functions ,iptables Built in 4 Tables , namely filter surface 、nat surface 、mangle Table and raw surface , They are used to realize Packet filtering , Network address translation 、 Package refactoring ( modify ) and Data tracking processing .
• The rules （rules）： In fact, it is the pre-defined conditions of network administrators .
• chain （chains）： Is the path of packet propagation , Each chain is actually one of many rules Checklist , There can be one or more rules in each chain . When a packet reaches a chain ,iptables It starts with the first rule in the chain , See if the packet meets the conditions defined by the rules . common 5 A chain , namely INPUT、OUTPUT、FORWARD、PREROUTING and POSTROUTING.

Iptables surface 、 chain 、 The rules ：

iptables The process of transmitting packets

iptables Command format

iptables Common options OPTIONS explain

Common commands COMMANDS explain ：

• -A, –append chain： Add a rule to the end of the chain
• -D, –delete chain： Delete a rule
• -I, –insert chain [rulenum]： Given rule Number , Insert rules on the selected chain
• -R, –replace chain rulenum： Replace a rule
• -L, –list [chain]： View the list of rules for the specified table and chain
• -F, –flush [chain]： Delete [ Appoint ] All rules in the table

Common parameters PARAMETERS explain ：

• -p Protocol type ： You can specify the protocol to which the rule applies , namely TCP、UDP and ICMP etc.
• -s source address ： The address can be hostname, It can also be IP etc.
• -d The goal is IP Address
• -j action
• –line-numbers： and -L Use it together , Show rules rulenum Number
• -n： Output in digital form IP Address and port

Use MATCH EXTENSIONS Extension module

• -m, –match module_name： Enable the expansion module , Such as state、tcp 、udp、multiport 、string 、addrtype 、mac etc.
• iptables -m module_name -h： Check the help information of the extension module ; Such as ：iptables -m mac -h

other

• If do not have -t Options , Default table by filter surface
• The default is saved in /etc/sysconfig/iptables In file
• service iptables save： Save the changed iptables

Take an example to build samba The server

To configure samba The server

modify /etc/samba/smb.conf file , First, add the directory to be shared ：

[workspace] writable = yes path = /root/

If you plan to make symbolic links accessible , It's in smb.conf Of [global] part , Add the following configuration ：

follow symlinks = yes wide links = yes unix extensions = no

add to samba Account

smbpasswd -a smbpasswd -e

close SELinux A firewall

 # sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config # setenforce 0 # reboot

To configure iptables

First, check the current rules ：

[[email protected] ~]# iptables -L --line-number Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- anywhere anywhere 2 ACCEPT icmp -- anywhere anywhere 3 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh 4 ACCEPT tcp -- anywhere anywhere tcp dpt:http 5 ACCEPT tcp -- anywhere anywhere tcp dpt:https 6 ACCEPT udp -- anywhere anywhere udp dpt:bootpc 7 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 8 DROP all -- anywhere anywhere 

Add rules to enable samba Port used

After checking , To add to 8 In front of rule number , otherwise samba It doesn't work ：

iptables -I INPUT 8 -p udp -m multiport --dport 137,138 -j ACCEPT iptables -I INPUT 8 -p tcp -m state --state NEW -m multiport --dport 139,445 -j ACCEPT

See the added rules

[[email protected] ~]# iptables -L --line-number -n Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0        2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 139,445 9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 137,138 10 DROP all -- 0.0.0.0/0 0.0.0.0/0

Save the current rule and enable samba：

# Preservation rules  service iptables save # Enable smb： service smb restart # send smb Randomizer start  chkconfig smb on

You can also use iptables -F Delete rule completely