Security has no single right answer, so use every tool available to bolster security, and layered security is always the best approach.
If a Linux host running iptables has two interfaces, it can act as a network firewall between the protected network and the external network; with a single interface it acts as a host firewall defending that host against the external network.
Tables, Chains & Rules
There are three types of tables: FILTER, NAT and MANGLE. A table consists of chains: INPUT, OUTPUT and FORWARD. The INPUT chain applies to all packets destined for the firewall. The OUTPUT chain applies to all packets originating from the firewall. The FORWARD chain applies to all packets passing through the firewall. A chain consists of a set of rules. For example, the rule iptables -A INPUT -i eth0 -s 140.14.4.0/24 -j ACCEPT means:
Sets a rule that: accepts packets that enter from interface eth0 and have a source address in 140.14.4.0/24. -A adds the rule to the bottom of the list of existing rules. Remember that the kernel applies the rules in order: the first rule that matches a packet determines the action for that packet.
iptables -L lists the current rules.
iptables -F flushes all rules.
iptables -D INPUT 2 deletes the 2nd rule in the INPUT chain.
iptables -I INPUT 1 -p tcp --syn -s 140.114.4.0/24 -d 0/0 --dport 22 -j ACCEPT sets a rule that: accepts TCP SYNs from 140.114.4.0/24 to the firewall's port 22 (ssh). -I INPUT 1 inserts the rule at the top of the INPUT chain.
Common options:
-p protocol type (tcp, udp, icmp)
-s source IP address or network
-d destination IP address or network
-i input interface name (lo, ppp0, eth0)
-j target (ACCEPT, DROP, REJECT; DENY is the old ipchains name)
-l log this packet (ipchains only; iptables logs with -j LOG)
--sport source port
--dport destination port
--icmp-type ICMP message type
ip6tables: the commands work like iptables, e.g.
ip6tables -A INPUT -i eth0 -s 2001:6789::/32 -j ACCEPT sets a rule that: accepts packets that enter from interface eth0 and have a source address in 2001:6789::/32.
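Putting the rules above together, as an added example (a shell script written for this page, not part of the original notes): a host-firewall ruleset that accepts new SSH connections only from 140.114.4.0/24 on eth0 and otherwise relies on rule order and a catch-all DROP. The IPT variable, build_rules and ssh_before_drop are this example's own names; the conntrack and limit matches and the LOG target are standard iptables modules beyond the options the notes list.

```shell
#!/bin/sh
# Added example (not from the original notes): a host-firewall ruleset
# for the SSH case above. Assumptions: the trusted network is
# 140.114.4.0/24, the external interface is eth0, and IPT, build_rules
# and ssh_before_drop are this example's own names.
# IPT defaults to a dry run that prints each command; run as root with
# IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Emit the INPUT ruleset. Order matters: the kernel stops at the first
# matching rule, so the specific ACCEPTs come before the catch-all DROP.
build_rules() {
    trusted_net="$1"
    iface="$2"

    $IPT -F INPUT
    $IPT -P INPUT DROP       # default deny: unmatched packets are dropped
    $IPT -P FORWARD DROP     # a single-interface host should not forward
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections the host opened are accepted by state, not by port.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New SSH connections (TCP SYN) only from the trusted network on the interface.
    $IPT -A INPUT -i "$iface" -p tcp --syn -s "$trusted_net" --dport 22 -j ACCEPT
    # Rate-limited ping so the host stays diagnosable without being floodable.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log a sample of what is about to be dropped (LOG target instead of ipchains -l).
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-DROP: "
    $IPT -A INPUT -j DROP
}

# Sanity check of rule order: the SSH ACCEPT must precede the final DROP,
# otherwise the DROP matches first and SSH is silently blocked.
ssh_before_drop() {
    rules=$(build_rules "$1" "$2")
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- '--dport 22 -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP$' | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# Dry run: prints the commands for the given trusted network and interface.
if [ "$#" -eq 2 ]; then
    build_rules "$1" "$2"
fi
```

Run as `sh fw.sh 140.114.4.0/24 eth0` to see the commands, or `IPT=iptables sh fw.sh 140.114.4.0/24 eth0` as root to apply them.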
