{"id":22336,"date":"2025-10-08T11:27:23","date_gmt":"2025-10-08T04:27:23","guid":{"rendered":"https:\/\/interdata.vn\/blog\/?p=22336"},"modified":"2025-10-08T11:27:43","modified_gmt":"2025-10-08T04:27:43","slug":"iptables-la-gi","status":"publish","type":"post","link":"https:\/\/interdata.vn\/blog\/iptables-la-gi\/","title":{"rendered":"IPtables l\u00e0 g\u00ec? H\u01b0\u1edbng D\u1eabn S\u1eed D\u1ee5ng IPtables Firewall Linux C\u01a1 B\u1ea3n"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_85 counter-hierarchy ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">N\u1ed8I DUNG<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a 
class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#IPtables-la-gi\" >IPtables l\u00e0 g\u00ec?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Netfilter-la-gi-Moi-quan-he-voi-IPtables\" >Netfilter l\u00e0 g\u00ec? M\u1ed1i quan h\u1ec7 v\u1edbi IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#IPtables-dung-de-lam-gi\" >IPtables d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cau-truc-cua-IPtables-Tables-Chains-va-Targets\" >C\u1ea5u tr\u00fac c\u1ee7a IPtables: Tables, Chains v\u00e0 Targets<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Table-trong-IPtables\" >Table trong IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#-Chains-trong-IPtables\" >\u00a0Chains trong IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Targets-trong-IPtables\" >Targets trong IPtables<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Nguyen-ly-hoat-dong-cua-IPtables\" >Nguy\u00ean l\u00fd ho\u1ea1t \u0111\u1ed9ng c\u1ee7a IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cac-tuy-chon-cua-IPtables-la-gi\" >C\u00e1c 
t\u00f9y ch\u1ecdn c\u1ee7a IPtables l\u00e0 g\u00ec?<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cac-tuy-chon-chi-dinh-thong-so-trong-IPtables\" >C\u00e1c t\u00f9y ch\u1ecdn ch\u1ec9 \u0111\u1ecbnh th\u00f4ng s\u1ed1 trong IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cac-tuy-chon-de-thao-tac-voi-Chain-trong-IPtables\" >C\u00e1c t\u00f9y ch\u1ecdn \u0111\u1ec3 thao t\u00e1c v\u1edbi Chain trong IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cac-tuy-chon-de-thao-tac-voi-Rule-trong-IPtables\" >C\u00e1c t\u00f9y ch\u1ecdn \u0111\u1ec3 thao t\u00e1c v\u1edbi Rule trong IPtables<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#So-sanh-IPtables-voi-Firewalld-va-UFW\" >So s\u00e1nh IPtables v\u1edbi Firewalld v\u00e0 UFW<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cac-lenh-IPtables-thuong-dung\" >C\u00e1c l\u1ec7nh IPtables th\u01b0\u1eddng d\u00f9ng<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Tao-Rule-moi-trong-IPtables\" >T\u1ea1o Rule m\u1edbi trong IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Them-Rule-moi-vao-IPtables\" >Th\u00eam Rule m\u1edbi v\u00e0o IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link 
ez-toc-heading-17\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Xoa-Rule-trong-IPtables\" >X\u00f3a Rule trong IPtables<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Huong-dan-su-dung-Iptables-Firewall-Linux-don-gian\" >H\u01b0\u1edbng d\u1eabn s\u1eed d\u1ee5ng Iptables Firewall Linux \u0111\u01a1n gi\u1ea3n<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Buoc-1-Cai-dat-IPtables\" >B\u01b0\u1edbc 1: C\u00e0i \u0111\u1eb7t IPtables<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Buoc-2-Thiet-lap-cac-quy-tac-rules\" >B\u01b0\u1edbc 2: Thi\u1ebft l\u1eadp c\u00e1c quy t\u1eafc (rules)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Buoc-3-Luu-tat-ca-cac-thay-doi-tren-IPtables\" >B\u01b0\u1edbc 3: L\u01b0u t\u1ea5t c\u1ea3 c\u00e1c thay \u0111\u1ed5i tr\u00ean IPtables<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/#Cac-loi-thuong-gap-khi-dung-IPtables-va-cach-khac-phuc\" >C\u00e1c l\u1ed7i th\u01b0\u1eddng g\u1eb7p khi d\u00f9ng IPtables v\u00e0 c\u00e1ch kh\u1eafc ph\u1ee5c<\/a><\/li><\/ul><\/nav><\/div>\n<p>N\u1ebfu b\u1ea1n l\u00e0 ng\u01b0\u1eddi qu\u1ea3n tr\u1ecb m\u00e1y ch\u1ee7 Linux, \u0111\u1eb7c bi\u1ec7t l\u00e0 c\u00e1c m\u00e1y ch\u1ee7 \u1ea3o (VPS) ho\u1eb7c Dedicated Server, ch\u1eafc ch\u1eafn b\u1ea1n \u0111\u00e3 t\u1eebng nghe \u0111\u1ebfn IPtables. 
Trong b\u00e0i vi\u1ebft n\u00e0y, ch\u00fang ta s\u1ebd c\u00f9ng t\u00ecm hi\u1ec3u v\u1ec1 c\u1ea5u tr\u00fac v\u00e0 nguy\u00ean l\u00fd ho\u1ea1t \u0111\u1ed9ng c\u1ee7a IPtables, c\u00e1c t\u00f9y ch\u1ecdn v\u00e0 l\u1ec7nh c\u01a1 b\u1ea3n, c\u0169ng nh\u01b0 h\u01b0\u1edbng d\u1eabn c\u00e1ch thi\u1ebft l\u1eadp m\u1ed9t firewall Linux \u0111\u01a1n gi\u1ea3n \u0111\u1ec3 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng c\u1ee7a b\u1ea1n. \u0110\u1ecdc ngay!<\/p>\n<h2><span class=\"ez-toc-section\" id=\"IPtables-la-gi\"><\/span>IPtables l\u00e0 g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong><a href=\"https:\/\/interdata.vn\/blog\/iptables-la-gi\/\">IPtables<\/a> <\/strong>l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 t\u01b0\u1eddng l\u1eeda m\u1ea1nh m\u1ebd tr\u00ean Linux (ho\u1eb7c linux firewall) \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 qu\u1ea3n l\u00fd v\u00e0 ki\u1ec3m so\u00e1t lu\u1ed3ng d\u1eef li\u1ec7u m\u1ea1ng (network traffic). IPtables ho\u1ea1t \u0111\u1ed9ng b\u1eb1ng c\u00e1ch ki\u1ec3m tra c\u00e1c g\u00f3i tin (packet) \u0111i qua m\u00e1y ch\u1ee7 v\u00e0 \u00e1p d\u1ee5ng c\u00e1c lu\u1eadt (rule) \u0111\u00e3 \u0111\u01b0\u1ee3c thi\u1ebft l\u1eadp \u0111\u1ec3 quy\u1ebft \u0111\u1ecbnh xem g\u00f3i tin \u0111\u00f3 n\u00ean \u0111\u01b0\u1ee3c ch\u1ea5p nh\u1eadn (ACCEPT), lo\u1ea1i b\u1ecf (DROP), hay t\u1eeb ch\u1ed1i (REJECT).<\/p>\n<p>IPtables \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t s\u1eb5n v\u00e0 l\u00e0 giao di\u1ec7n m\u1eb7c \u0111\u1ecbnh cho vi\u1ec7c qu\u1ea3n l\u00fd c\u00e1c quy t\u1eafc l\u1ecdc g\u00f3i tin c\u1ee7a Linux kernel trong nhi\u1ec1u n\u0103m qua. 
Vai tr\u00f2 v\u00e0 t\u1ea7m quan tr\u1ecdng c\u1ee7a IPtables trong b\u1ea3o m\u1eadt h\u1ec7 th\u1ed1ng l\u00e0 kh\u00f4ng th\u1ec3 ph\u1ee7 nh\u1eadn, b\u1edfi n\u00f3 cung c\u1ea5p l\u1edbp ph\u00f2ng th\u1ee7 \u0111\u1ea7u ti\u00ean v\u00e0 hi\u1ec7u qu\u1ea3 nh\u1ea5t cho m\u1ecdi k\u1ebft n\u1ed1i.<\/p>\n<figure id=\"attachment_22345\" aria-describedby=\"caption-attachment-22345\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-22345\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/IPtables-la-gi.png\" alt=\"IPtables l\u00e0 g\u00ec?\" width=\"800\" height=\"384\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/IPtables-la-gi.png 988w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/IPtables-la-gi-300x144.png 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/IPtables-la-gi-768x368.png 768w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/IPtables-la-gi-750x360.png 750w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-22345\" class=\"wp-caption-text\">IPtables l\u00e0 g\u00ec?<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Netfilter-la-gi-Moi-quan-he-voi-IPtables\"><\/span>Netfilter l\u00e0 g\u00ec? M\u1ed1i quan h\u1ec7 v\u1edbi IPtables<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Khi t\u00ecm hi\u1ec3u v\u1ec1 IPtables l\u00e0 g\u00ec, b\u1ea1n ph\u1ea3i hi\u1ec3u v\u1ec1 Netfilter.<\/p>\n<p>Netfilter l\u00e0 m\u1ed9t framework \u0111\u01b0\u1ee3c t\u00edch h\u1ee3p s\u00e2u trong nh\u00e2n (kernel) c\u1ee7a h\u1ec7 \u0111i\u1ec1u h\u00e0nh Linux. N\u00f3 \u0111\u00f3ng vai tr\u00f2 l\u00e0 &#8220;khu v\u1ef1c&#8221; m\u00e0 c\u00e1c g\u00f3i tin m\u1ea1ng ph\u1ea3i \u0111i qua \u0111\u1ec3 \u0111\u01b0\u1ee3c x\u1eed l\u00fd. 
Netfilter cung c\u1ea5p c\u00e1c \u0111i\u1ec3m m\u00f3c (hook points) \u2013 c\u00e1c v\u1ecb tr\u00ed chi\u1ebfn l\u01b0\u1ee3c trong qu\u00e1 tr\u00ecnh x\u1eed l\u00fd g\u00f3i tin \u2013 n\u01a1i c\u00e1c module kernel c\u00f3 th\u1ec3 \u0111\u0103ng k\u00fd ch\u1ee9c n\u0103ng c\u1ee7a m\u00ecnh.<\/p>\n<p>IPtables kh\u00f4ng ph\u1ea3i l\u00e0 t\u01b0\u1eddng l\u1eeda theo ngh\u0129a \u0111en, IPtables th\u1ef1c ch\u1ea5t l\u00e0 m\u1ed9t ti\u1ec7n \u00edch d\u00f2ng l\u1ec7nh (command-line utility) \u0111\u00f3ng vai tr\u00f2 l\u00e0 giao di\u1ec7n\/c\u00f4ng c\u1ee5 gi\u00fap ng\u01b0\u1eddi d\u00f9ng d\u1ec5 d\u00e0ng qu\u1ea3n l\u00fd c\u00e1c rule (lu\u1eadt) cho framework Netfilter. N\u00f3i c\u00e1ch kh\u00e1c, Netfilter l\u00e0 c\u01a1 ch\u1ebf c\u1ed1t l\u00f5i, c\u00f2n IPtables l\u00e0 c\u00f4ng c\u1ee5 gi\u00fap b\u1ea1n n\u00f3i cho Netfilter bi\u1ebft ph\u1ea3i l\u00e0m g\u00ec v\u1edbi t\u1eebng g\u00f3i tin.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"IPtables-dung-de-lam-gi\"><\/span>IPtables d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Sau khi n\u1eafm \u0111\u01b0\u1ee3c <strong>IPtables l\u00e0 g\u00ec<\/strong>, ta c\u1ea7n bi\u1ebft c\u00f4ng c\u1ee5 n\u00e0y mang l\u1ea1i nh\u1eefng l\u1ee3i \u00edch thi\u1ebft th\u1ef1c n\u00e0o trong m\u00f4i tr\u01b0\u1eddng Linux. <strong>IPtables d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec<\/strong>? 
C\u00f4ng c\u1ee5 n\u00e0y th\u1ef1c hi\u1ec7n c\u00e1c ch\u1ee9c n\u0103ng ch\u00ednh sau:<\/p>\n<ol>\n<li><strong>Ki\u1ec3m so\u00e1t Truy c\u1eadp M\u1ea1ng (Access Control):<\/strong> Cho ph\u00e9p b\u1ea1n quy\u1ebft \u0111\u1ecbnh port (c\u1ed5ng) n\u00e0o \u0111\u01b0\u1ee3c m\u1edf, \u0111\u1ecba ch\u1ec9 IP n\u00e0o \u0111\u01b0\u1ee3c ph\u00e9p k\u1ebft n\u1ed1i v\u1edbi d\u1ecbch v\u1ee5 n\u00e0o (v\u00ed d\u1ee5: ch\u1ec9 cho ph\u00e9p IP v\u0103n ph\u00f2ng truy c\u1eadp port SSH 22), gi\u00fap ki\u1ec3m so\u00e1t truy c\u1eadp m\u1ea1ng m\u1ed9t c\u00e1ch chi ti\u1ebft.<\/li>\n<li><strong>L\u1ecdc G\u00f3i tin (Packet Filtering):<\/strong> \u0110\u00e2y l\u00e0 ch\u1ee9c n\u0103ng c\u01a1 b\u1ea3n nh\u1ea5t c\u1ee7a m\u1ecdi <strong>linux firewall<\/strong>. IPtables c\u00f3 th\u1ec3 ch\u1eb7n c\u00e1c g\u00f3i tin d\u1ef1a tr\u00ean nhi\u1ec1u ti\u00eau ch\u00ed: IP ngu\u1ed3n, IP \u0111\u00edch, port, giao th\u1ee9c (TCP\/UDP), hay th\u1eadm ch\u00ed l\u00e0 tr\u1ea1ng th\u00e1i k\u1ebft n\u1ed1i.<\/li>\n<li><strong>Ng\u0103n ch\u1eb7n T\u1ea5n c\u00f4ng M\u1ea1ng:<\/strong> B\u1eb1ng c\u00e1ch thi\u1ebft l\u1eadp c\u00e1c Rule th\u00f4ng minh (v\u00ed d\u1ee5: gi\u1edbi h\u1ea1n s\u1ed1 l\u01b0\u1ee3ng k\u1ebft n\u1ed1i m\u1edbi \u0111\u1ebfn m\u1ed9t port trong m\u1ed9t kho\u1ea3ng th\u1eddi gian), IPtables gi\u00fap server ch\u1ed1ng l\u1ea1i c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng Brute-Force, DoS (Denial of Service) v\u00e0 qu\u00e9t port t\u1eeb b\u00ean ngo\u00e0i.<\/li>\n<li><strong>Ch\u1ee9c n\u0103ng NAT\/Routing:<\/strong> IPtables kh\u00f4ng ch\u1ec9 d\u1eebng l\u1ea1i \u1edf vi\u1ec7c l\u1ecdc m\u00e0 c\u00f2n h\u1ed7 tr\u1ee3 c\u00e1c t\u00e1c v\u1ee5 \u0111\u1ecbnh tuy\u1ebfn ph\u1ee9c t\u1ea1p (v\u00ed d\u1ee5: chia s\u1ebb k\u1ebft n\u1ed1i internet, Port Forwarding).<\/li>\n<\/ol>\n<p>T\u00f3m l\u1ea1i, <strong>ch\u1ee9c n\u0103ng iptables<\/strong> l\u00e0 t\u1ea1o ra m\u1ed9t l\u1edbp b\u1ea3o v\u1ec7 v\u1eefng ch\u1eafc, gi\u1ea3m 
thi\u1ec3u b\u1ec1 m\u1eb7t t\u1ea5n c\u00f4ng c\u1ee7a m\u00e1y ch\u1ee7, v\u00e0 \u0111\u1ea3m b\u1ea3o ch\u1ec9 c\u00f3 l\u01b0u l\u01b0\u1ee3ng truy c\u1eadp h\u1ee3p l\u1ec7 m\u1edbi \u0111\u01b0\u1ee3c x\u1eed l\u00fd.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cau-truc-cua-IPtables-Tables-Chains-va-Targets\"><\/span>C\u1ea5u tr\u00fac c\u1ee7a IPtables: Tables, Chains v\u00e0 Targets<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>IPtables ho\u1ea1t \u0111\u1ed9ng th\u00f4ng qua m\u1ed9t giao di\u1ec7n d\u00f2ng l\u1ec7nh \u0111\u01a1n gi\u1ea3n \u0111\u1ec3 t\u01b0\u01a1ng t\u00e1c v\u1edbi h\u1ec7 th\u1ed1ng packet filtering trong Linux. C\u00e1c th\u00e0nh ph\u1ea7n ch\u00ednh trong IPtables nh\u01b0: Tables (B\u1ea3ng), Chains (Chu\u1ed7i), Targets (M\u1ee5c ti\u00eau).<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Table-trong-IPtables\"><\/span>Table trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>IPtables s\u1eed d\u1ee5ng nhi\u1ec1u lo\u1ea1i b\u1ea3ng \u0111\u1ec3 x\u1eed l\u00fd c\u00e1c g\u00f3i tin m\u1ea1ng. Sau \u0111\u00e2y l\u00e0 c\u00e1c b\u1ea3ng ph\u1ed5 bi\u1ebfn m\u00e0 b\u1ea1n s\u1ebd g\u1eb7p khi c\u1ea5u h\u00ecnh IPtables:<\/p>\n<ul>\n<li><strong>Filter Table<\/strong>: \u0110\u00e2y l\u00e0 b\u1ea3ng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng ph\u1ed5 bi\u1ebfn nh\u1ea5t trong IPtables. 
N\u00f3 quy\u1ebft \u0111\u1ecbnh xem m\u1ed9t g\u00f3i tin c\u00f3 \u0111\u01b0\u1ee3c ph\u00e9p \u0111i qua hay b\u1ecb t\u1eeb ch\u1ed1i.<\/li>\n<li><strong>NAT Table<\/strong>: D\u00f9ng \u0111\u1ec3 thay \u0111\u1ed5i \u0111\u1ecba ch\u1ec9 IP c\u1ee7a g\u00f3i tin, th\u01b0\u1eddng d\u00f9ng trong c\u00e1c t\u00ecnh hu\u1ed1ng Network Address Translation (NAT), nh\u01b0 khi b\u1ea1n c\u1ea7n chuy\u1ec3n h\u01b0\u1edbng ho\u1eb7c \u0111\u1ed5i \u0111\u1ecba ch\u1ec9 IP ngu\u1ed3n ho\u1eb7c \u0111\u00edch.<\/li>\n<li><strong>Mangle Table<\/strong>: D\u00f9ng \u0111\u1ec3 ch\u1ec9nh s\u1eeda c\u00e1c th\u00f4ng tin c\u1ee7a g\u00f3i tin, v\u00ed d\u1ee5 nh\u01b0 gi\u00e1 tr\u1ecb TTL (Time To Live) ho\u1eb7c MTU (Maximum Transmission Unit).<\/li>\n<li><strong>Raw Table<\/strong>: Gi\u00fap b\u1ea1n x\u1eed l\u00fd g\u00f3i tin tr\u01b0\u1edbc khi h\u1ec7 th\u1ed1ng b\u1eaft \u0111\u1ea7u ki\u1ec3m tra tr\u1ea1ng th\u00e1i c\u1ee7a k\u1ebft n\u1ed1i. \u0110i\u1ec1u n\u00e0y gi\u00fap t\u1ed1i \u01b0u hi\u1ec7u su\u1ea5t v\u00e0 lo\u1ea1i b\u1ecf m\u1ed9t s\u1ed1 g\u00f3i tin kh\u00f4ng c\u1ea7n thi\u1ebft.<\/li>\n<li><strong>Security Table<\/strong>: M\u1ed9t s\u1ed1 phi\u00ean b\u1ea3n kernel Linux h\u1ed7 tr\u1ee3 b\u1ea3ng n\u00e0y \u0111\u1ec3 l\u00e0m vi\u1ec7c v\u1edbi c\u00e1c c\u00f4ng c\u1ee5 b\u1ea3o m\u1eadt nh\u01b0<a href=\"https:\/\/vi.wikipedia.org\/wiki\/SE_Linux\" rel=\"nofollow noopener\" target=\"_blank\"> SELinux (Security-Enhanced Linux)<\/a>.<\/li>\n<\/ul>\n<figure id=\"attachment_22347\" aria-describedby=\"caption-attachment-22347\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-22347\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cau-truc-cua-IPtables.png\" alt=\"C\u1ea5u tr\u00fac c\u1ee7a IPtables\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cau-truc-cua-IPtables.png 800w, 
https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cau-truc-cua-IPtables-300x188.png 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cau-truc-cua-IPtables-768x480.png 768w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cau-truc-cua-IPtables-750x469.png 750w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-22347\" class=\"wp-caption-text\">C\u1ea5u tr\u00fac c\u1ee7a IPtables<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"-Chains-trong-IPtables\"><\/span>\u00a0Chains trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Trong IPtables, Chains l\u00e0 c\u00e1c chu\u1ed7i quy t\u1eafc m\u00e0 b\u1ea1n s\u1ebd \u00e1p d\u1ee5ng v\u00e0o c\u00e1c g\u00f3i tin \u0111\u1ec3 quy\u1ebft \u0111\u1ecbnh xem ch\u00fang c\u00f3 \u0111\u01b0\u1ee3c ph\u00e9p \u0111i qua hay kh\u00f4ng. M\u1ed7i Chain t\u01b0\u01a1ng \u1ee9ng v\u1edbi m\u1ed9t lo\u1ea1i h\u00e0nh \u0111\u1ed9ng c\u1ee5 th\u1ec3 v\u00e0 \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng trong t\u1eebng b\u1ea3ng ri\u00eang bi\u1ec7t. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 c\u00e1c Chains ph\u1ed5 bi\u1ebfn trong IPtables:<\/p>\n<ul>\n<li><strong>Chain PREROUTING<\/strong>: Chu\u1ed7i n\u00e0y c\u00f3 m\u1eb7t trong c\u00e1c b\u1ea3ng NAT, Mangle, v\u00e0 Raw. C\u00e1c quy t\u1eafc trong PREROUTING s\u1ebd \u0111\u01b0\u1ee3c th\u1ef1c thi ngay khi m\u1ed9t g\u00f3i tin \u0111\u1ebfn giao di\u1ec7n m\u1ea1ng (Network Interface). \u0110\u00e2y l\u00e0 b\u01b0\u1edbc \u0111\u1ea7u ti\u00ean \u0111\u1ec3 x\u1eed l\u00fd g\u00f3i tin.<\/li>\n<li><strong>Chain INPUT<\/strong>: INPUT l\u00e0 built-in chain c\u1ee7a b\u1ea3ng filter (xu\u1ea5t hi\u1ec7n c\u1ea3 trong mangle tu\u1ef3 kernel). NAT kh\u00f4ng c\u00f3 chain INPUT; NAT c\u00f3 PREROUTING, POSTROUTING, OUTPUT.<\/li>\n<li><strong>Chain OUTPUT<\/strong>: \u0110\u01b0\u1ee3c t\u00ecm th\u1ea5y trong c\u00e1c b\u1ea3ng Raw, Mangle, v\u00e0 Filter. 
Quy t\u1eafc trong OUTPUT \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng sau khi g\u00f3i tin \u0111\u01b0\u1ee3c t\u1ea1o ra b\u1edfi m\u1ed9t ti\u1ebfn tr\u00ecnh tr\u00ean h\u1ec7 th\u1ed1ng, tr\u01b0\u1edbc khi n\u00f3 r\u1eddi kh\u1ecfi m\u00e1y.<\/li>\n<li><strong>Chain FORWARD<\/strong>: C\u00f3 m\u1eb7t trong Mangle v\u00e0 Filter, chu\u1ed7i n\u00e0y \u00e1p d\u1ee5ng cho c\u00e1c g\u00f3i tin \u0111\u01b0\u1ee3c \u0111\u1ecbnh tuy\u1ebfn qua h\u1ec7 th\u1ed1ng m\u00e0 kh\u00f4ng \u0111\u1ebfn m\u00e1y ch\u1ee7 \u0111\u00f3 tr\u1ef1c ti\u1ebfp.<\/li>\n<li><strong>Chain POSTROUTING<\/strong>: Chu\u1ed7i n\u00e0y ch\u1ec9 c\u00f3 trong c\u00e1c b\u1ea3ng Mangle v\u00e0 NAT. C\u00e1c quy t\u1eafc trong POSTROUTING s\u1ebd \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng khi g\u00f3i tin r\u1eddi kh\u1ecfi giao di\u1ec7n m\u1ea1ng, t\u1ee9c l\u00e0 tr\u01b0\u1edbc khi r\u1eddi kh\u1ecfi h\u1ec7 th\u1ed1ng.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Targets-trong-IPtables\"><\/span>Targets trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Trong IPtables, Target l\u00e0 h\u00e0nh \u0111\u1ed9ng \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n \u0111\u1ed1i v\u1edbi c\u00e1c g\u00f3i tin n\u1ebfu ch\u00fang \u0111\u00e1p \u1ee9ng c\u00e1c quy t\u1eafc \u0111\u00e3 \u0111\u1ecbnh s\u1eb5n. C\u00e1c Target trong IPtables s\u1ebd quy\u1ebft \u0111\u1ecbnh li\u1ec7u m\u1ed9t g\u00f3i tin c\u00f3 \u0111\u01b0\u1ee3c ch\u1ea5p nh\u1eadn, t\u1eeb ch\u1ed1i, ghi log hay l\u00e0m g\u00ec kh\u00e1c. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 m\u1ed9t s\u1ed1 Target ph\u1ed5 bi\u1ebfn:<\/p>\n<ul>\n<li>\u00a0<strong>ACCEPT Target<\/strong>: Ch\u1ea5p nh\u1eadn v\u00e0 cho ph\u00e9p g\u00f3i tin \u0111i v\u00e0o h\u1ec7 th\u1ed1ng. 
N\u1ebfu kh\u00f4ng c\u00f3 rule n\u00e0o kh\u1edbp, h\u00e0nh \u0111\u1ed9ng s\u1ebd theo policy m\u1eb7c \u0111\u1ecbnh c\u1ee7a chain (v\u00ed d\u1ee5 ACCEPT ho\u1eb7c DROP).<\/li>\n<li><strong>DROP Target<\/strong>: Lo\u1ea1i b\u1ecf g\u00f3i tin m\u00e0 kh\u00f4ng tr\u1ea3 l\u1eddi g\u00ec v\u1ec1 n\u00f3. G\u00f3i tin b\u1ecb lo\u1ea1i s\u1ebd kh\u00f4ng nh\u1eadn \u0111\u01b0\u1ee3c b\u1ea5t k\u1ef3 ph\u1ea3n h\u1ed3i n\u00e0o.<\/li>\n<li><strong>REJECT Target<\/strong>: Lo\u1ea1i b\u1ecf g\u00f3i tin nh\u01b0ng tr\u1ea3 l\u1ea1i m\u1ed9t th\u00f4ng \u0111i\u1ec7p \u0111\u1ec3 cho ng\u01b0\u1eddi g\u1eedi bi\u1ebft g\u00f3i tin \u0111\u00e3 b\u1ecb t\u1eeb ch\u1ed1i. V\u00ed d\u1ee5, v\u1edbi g\u00f3i TCP, b\u1ea1n c\u00f3 th\u1ec3 tr\u1ea3 l\u1eddi b\u1eb1ng th\u00f4ng \u0111i\u1ec7p &#8220;connection reset&#8221;.<\/li>\n<li>\u00a0<strong>LOG Target<\/strong>: Cho ph\u00e9p g\u00f3i tin \u0111i qua, nh\u01b0ng s\u1ebd ghi l\u1ea1i th\u00f4ng tin c\u1ee7a g\u00f3i tin trong log \u0111\u1ec3 b\u1ea1n c\u00f3 th\u1ec3 ki\u1ec3m tra sau.<\/li>\n<li><strong>C\u00e1c Target kh\u00e1c<\/strong>: Ngo\u00e0i nh\u1eefng h\u00e0nh \u0111\u1ed9ng c\u01a1 b\u1ea3n nh\u01b0 tr\u00ean, b\u1ea1n c\u00f2n c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng c\u00e1c Target nh\u01b0 SNAT (Source NAT), DNAT (Destination NAT) \u0111\u1ec3 thay \u0111\u1ed5i \u0111\u1ecba ch\u1ec9 IP c\u1ee7a g\u00f3i tin khi c\u1ea7n thi\u1ebft.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Nguyen-ly-hoat-dong-cua-IPtables\"><\/span>Nguy\u00ean l\u00fd ho\u1ea1t \u0111\u1ed9ng c\u1ee7a IPtables<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Khi m\u1ed9t g\u00f3i tin \u0111\u01b0\u1ee3c g\u1eedi \u0111i tr\u00ean internet, d\u1eef li\u1ec7u b\u00ean trong n\u00f3 s\u1ebd \u0111\u01b0\u1ee3c \u0111\u1ecbnh d\u1ea1ng theo m\u1ed9t chu\u1ea9n nh\u1ea5t \u0111\u1ecbnh. 
Sau \u0111\u00f3, nh\u00e2n Linux s\u1ebd ki\u1ec3m tra g\u00f3i tin n\u00e0y d\u1ef1a tr\u00ean m\u1ed9t h\u1ec7 th\u1ed1ng c\u00e1c b\u1ed9 l\u1ecdc \u0111\u01b0\u1ee3c t\u1ed5 ch\u1ee9c th\u00e0nh b\u1ea3ng. IPtables l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 d\u00f2ng l\u1ec7nh, \u0111\u1ed3ng th\u1eddi c\u0169ng l\u00e0 t\u01b0\u1eddng l\u1eeda c\u1ee7a Linux, cho ph\u00e9p ng\u01b0\u1eddi d\u00f9ng c\u1ea5u h\u00ecnh, qu\u1ea3n l\u00fd v\u00e0 duy tr\u00ec h\u1ec7 th\u1ed1ng b\u1ea3ng n\u00e0y.<\/p>\n<p>Ng\u01b0\u1eddi d\u00f9ng c\u00f3 th\u1ec3 t\u1ea1o nhi\u1ec1u b\u1ea3ng l\u1ecdc kh\u00e1c nhau, m\u1ed7i b\u1ea3ng l\u1ea1i ch\u1ee9a nhi\u1ec1u chu\u1ed7i quy t\u1eafc. M\u1ed7i chu\u1ed7i quy t\u1eafc n\u00e0y s\u1ebd bao g\u1ed3m m\u1ed9t t\u1eadp h\u1ee3p c\u00e1c \u0111i\u1ec1u ki\u1ec7n. Khi m\u1ed9t g\u00f3i tin kh\u1edbp v\u1edbi m\u1ed9t quy t\u1eafc n\u00e0o \u0111\u00f3, h\u00e0nh \u0111\u1ed9ng t\u01b0\u01a1ng \u1ee9ng v\u1edbi quy t\u1eafc \u0111\u00f3 s\u1ebd \u0111\u01b0\u1ee3c th\u1ef1c thi.<\/p>\n<p>M\u1ed9t m\u1ee5c ti\u00eau (target) s\u1ebd \u0111\u01b0\u1ee3c th\u1ef1c hi\u1ec7n khi g\u00f3i tin \u0111\u00e3 \u0111\u01b0\u1ee3c x\u00e1c \u0111\u1ecbnh. 
M\u1ee5c ti\u00eau n\u00e0y c\u00f3 th\u1ec3 l\u00e0 m\u1ed9t trong c\u00e1c gi\u00e1 tr\u1ecb sau: ACCEPT (cho ph\u00e9p g\u00f3i tin \u0111i qua), DROP (ch\u1eb7n g\u00f3i tin), ho\u1eb7c RETURN (quay l\u1ea1i quy t\u1eafc ti\u1ebfp theo trong chu\u1ed7i).<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-tuy-chon-cua-IPtables-la-gi\"><\/span>C\u00e1c t\u00f9y ch\u1ecdn c\u1ee7a IPtables l\u00e0 g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Cac-tuy-chon-chi-dinh-thong-so-trong-IPtables\"><\/span>C\u00e1c t\u00f9y ch\u1ecdn ch\u1ec9 \u0111\u1ecbnh th\u00f4ng s\u1ed1 trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Khi c\u1ea5u h\u00ecnh IPtables, b\u1ea1n c\u1ea7n s\u1eed d\u1ee5ng c\u00e1c l\u1ec7nh v\u00e0 t\u00f9y ch\u1ecdn \u0111\u1ec3 thi\u1ebft l\u1eadp quy t\u1eafc m\u1ed9t c\u00e1ch chi ti\u1ebft. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 m\u1ed9t s\u1ed1 t\u00f9y ch\u1ecdn c\u01a1 b\u1ea3n trong IPtables:<\/p>\n<ul>\n<li><strong>-t<\/strong>: Ch\u1ec9 \u0111\u1ecbnh t\u00ean b\u1ea3ng.<\/li>\n<li><strong>-p<\/strong>: Ch\u1ec9 \u0111\u1ecbnh giao th\u1ee9c (v\u00ed d\u1ee5: TCP, UDP).<\/li>\n<li><strong>-i<\/strong>: Ch\u1ec9 \u0111\u1ecbnh giao di\u1ec7n m\u1ea1ng v\u00e0o.<\/li>\n<li><strong>-o<\/strong>: Ch\u1ec9 \u0111\u1ecbnh giao di\u1ec7n m\u1ea1ng ra.<\/li>\n<li><strong>-s<\/strong>: Ch\u1ec9 \u0111\u1ecbnh \u0111\u1ecba ch\u1ec9 IP ngu\u1ed3n.<\/li>\n<li><strong>-d<\/strong>: Ch\u1ec9 \u0111\u1ecbnh \u0111\u1ecba ch\u1ec9 IP \u0111\u00edch.<\/li>\n<li><strong>--sport<\/strong>: Ch\u1ec9 \u0111\u1ecbnh c\u1ed5ng ngu\u1ed3n.<\/li>\n<li><strong>--dport<\/strong>: Ch\u1ec9 \u0111\u1ecbnh c\u1ed5ng \u0111\u00edch.<\/li>\n<\/ul>\n<figure id=\"attachment_22346\" aria-describedby=\"caption-attachment-22346\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-22346\" 
src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cac-tuy-chon-cua-IPtables.png\" alt=\"C\u00e1c t\u00f9y ch\u1ecdn c\u1ee7a IPtables\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cac-tuy-chon-cua-IPtables.png 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cac-tuy-chon-cua-IPtables-300x188.png 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cac-tuy-chon-cua-IPtables-768x480.png 768w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2024\/12\/Cac-tuy-chon-cua-IPtables-750x469.png 750w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-22346\" class=\"wp-caption-text\">C\u00e1c t\u00f9y ch\u1ecdn c\u1ee7a IPtables<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"Cac-tuy-chon-de-thao-tac-voi-Chain-trong-IPtables\"><\/span>C\u00e1c t\u00f9y ch\u1ecdn \u0111\u1ec3 thao t\u00e1c v\u1edbi Chain trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Qu\u1ea3n l\u00fd chains trong IPtables l\u00e0 m\u1ed9t ph\u1ea7n quan tr\u1ecdng c\u1ee7a vi\u1ec7c c\u1ea5u h\u00ecnh t\u01b0\u1eddng l\u1eeda. 
D\u01b0\u1edbi \u0111\u00e2y l\u00e0 m\u1ed9t s\u1ed1 l\u1ec7nh th\u00f4ng d\u1ee5ng \u0111\u1ec3 thao t\u00e1c v\u1edbi chains:<\/p>\n<ul>\n<li><strong>IPtables -N<\/strong>: T\u1ea1o m\u1ed9t chu\u1ed7i m\u1edbi.<\/li>\n<li><strong>IPtables -X<\/strong>: X\u00f3a m\u1ed9t chu\u1ed7i.<\/li>\n<li><strong>IPtables -P<\/strong>: \u0110\u1eb7t ch\u00ednh s\u00e1ch cho chu\u1ed7i built-in (nh\u01b0 INPUT, OUTPUT, FORWARD).<\/li>\n<li><strong>IPtables -L<\/strong>: Li\u1ec7t k\u00ea c\u00e1c quy t\u1eafc trong m\u1ed9t chu\u1ed7i.<\/li>\n<li><strong>IPtables -F<\/strong>: X\u00f3a t\u1ea5t c\u1ea3 c\u00e1c quy t\u1eafc trong m\u1ed9t chu\u1ed7i.<\/li>\n<li><strong>IPtables -Z<\/strong>: Reset b\u1ed9 \u0111\u1ebfm g\u00f3i tin v\u1ec1 0.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Cac-tuy-chon-de-thao-tac-voi-Rule-trong-IPtables\"><\/span>C\u00e1c t\u00f9y ch\u1ecdn \u0111\u1ec3 thao t\u00e1c v\u1edbi Rule trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Khi mu\u1ed1n thao t\u00e1c v\u1edbi c\u00e1c rule trong IPtables, b\u1ea1n c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng c\u00e1c l\u1ec7nh sau:<\/p>\n<ul>\n<li><strong>-A<\/strong>: Th\u00eam m\u1ed9t quy t\u1eafc v\u00e0o cu\u1ed1i chu\u1ed7i (append).<\/li>\n<li><strong>-D<\/strong>: X\u00f3a m\u1ed9t quy t\u1eafc (delete).<\/li>\n<li><strong>-R<\/strong>: Thay th\u1ebf m\u1ed9t quy t\u1eafc (replace).<\/li>\n<li><strong>-I<\/strong>: Ch\u00e8n m\u1ed9t quy t\u1eafc v\u00e0o \u0111\u1ea7u chu\u1ed7i (insert).<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"So-sanh-IPtables-voi-Firewalld-va-UFW\"><\/span>So s\u00e1nh IPtables v\u1edbi Firewalld v\u00e0 UFW<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Khi c\u1ea5u h\u00ecnh t\u01b0\u1eddng l\u1eeda tr\u00ean Linux, ng\u01b0\u1eddi d\u00f9ng th\u01b0\u1eddng ph\u00e2n v\u00e2n gi\u1eefa IPtables v\u00e0 c\u00e1c c\u00f4ng c\u1ee5 kh\u00e1c. 
\u0110\u1ec3 gi\u00fap b\u1ea1n \u0111\u01b0a ra l\u1ef1a ch\u1ecdn ph\u00f9 h\u1ee3p, InterData so s\u00e1nh ba c\u00f4ng c\u1ee5 ph\u1ed5 bi\u1ebfn nh\u1ea5t qua b\u1ea3ng d\u01b0\u1edbi \u0111\u00e2y:<\/p>\n<table style=\"width: 100%; border-collapse: collapse; font-family: Arial, Helvetica, sans-serif; border: 1px solid #0D6EFD;\">\n<thead>\n<tr>\n<th style=\"background: #0D6EFD; color: #ffffff; padding: 12px 10px; text-align: left; border-right: 1px solid rgba(255,255,255,0.2); font-weight: 600;\">T\u00ednh n\u0103ng \/ C\u00f4ng c\u1ee5<\/th>\n<th style=\"background: #0D6EFD; color: #ffffff; padding: 12px 10px; text-align: left; border-left: 1px solid rgba(255,255,255,0.2); font-weight: 600;\">IPtables<\/th>\n<th style=\"background: #0D6EFD; color: #ffffff; padding: 12px 10px; text-align: left; border-left: 1px solid rgba(255,255,255,0.2); font-weight: 600;\">Firewalld<\/th>\n<th style=\"background: #0D6EFD; color: #ffffff; padding: 12px 10px; text-align: left; border-left: 1px solid rgba(255,255,255,0.2); font-weight: 600;\">UFW (Uncomplicated Firewall)<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"background: #ffffff;\">\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; font-weight: 600; width: 22%;\">Ki\u1ebfn tr\u00fac<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Qu\u1ea3n l\u00fd Rule t\u0129nh, th\u1ee7 c\u00f4ng<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Qu\u1ea3n l\u00fd b\u1eb1ng Zone v\u00e0 Service \u0111\u1ed9ng<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Giao di\u1ec7n d\u00f2ng l\u1ec7nh \u0111\u01a1n gi\u1ea3n, qu\u1ea3n l\u00fd Rule d\u1ec5 d\u00e0ng h\u01a1n<\/td>\n<\/tr>\n<tr style=\"background: rgba(13,110,253,0.03);\">\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; font-weight: 600;\">\u0110\u1ed9 ph\u1ee9c t\u1ea1p<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Cao, c\u00fa ph\u00e1p ph\u1ee9c t\u1ea1p, d\u1ec5 m\u1eafc 
l\u1ed7i<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Trung b\u00ecnh, d\u00f9ng t\u00ean Service thay v\u00ec Port<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Th\u1ea5p, r\u1ea5t th\u00e2n thi\u1ec7n v\u1edbi ng\u01b0\u1eddi m\u1edbi<\/td>\n<\/tr>\n<tr style=\"background: #ffffff;\">\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; font-weight: 600;\">Ph\u00f9 h\u1ee3p v\u1edbi<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Qu\u1ea3n tr\u1ecb vi\u00ean gi\u00e0u kinh nghi\u1ec7m, y\u00eau c\u1ea7u c\u1ea5u h\u00ecnh ph\u1ee9c t\u1ea1p<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Qu\u1ea3n tr\u1ecb vi\u00ean c\u1ea7n thay \u0111\u1ed5i Rule linh ho\u1ea1t, d\u00f9ng tr\u00ean CentOS\/RHEL<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff;\">Ng\u01b0\u1eddi m\u1edbi b\u1eaft \u0111\u1ea7u, d\u00f9ng tr\u00ean Ubuntu\/Debian<\/td>\n<\/tr>\n<tr style=\"background: rgba(13,110,253,0.03);\">\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; font-weight: 600; border-bottom: 1px solid #e6f0ff;\">C\u1eadp nh\u1eadt Rule<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; border-bottom: 1px solid #e6f0ff;\">Ph\u1ea3i x\u00f3a v\u00e0 th\u00eam Rule m\u1edbi, c\u1ea7n l\u01b0u l\u1ea1i sau khi kh\u1edfi \u0111\u1ed9ng l\u1ea1i<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; border-bottom: 1px solid #e6f0ff;\">Thay \u0111\u1ed5i trong Zone, t\u1ef1 \u0111\u1ed9ng c\u1eadp nh\u1eadt m\u00e0 kh\u00f4ng c\u1ea7n kh\u1edfi \u0111\u1ed9ng l\u1ea1i d\u1ecbch v\u1ee5<\/td>\n<td style=\"padding: 10px; border-top: 1px solid #e6f0ff; border-bottom: 1px solid #e6f0ff;\">\u0110\u01a1n gi\u1ea3n, d\u00f9ng l\u1ec7nh tr\u1ef1c quan<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>S\u1ef1 kh\u00e1c bi\u1ec7t l\u1edbn nh\u1ea5t l\u00e0 c\u00fa ph\u00e1p. 
Trong khi IPtables y\u00eau c\u1ea7u b\u1ea1n ch\u1ec9 \u0111\u1ecbnh r\u00f5 Chain v\u00e0 tham s\u1ed1 chi ti\u1ebft, UFW (nh\u01b0 t\u00ean g\u1ecdi: Uncomplicated) \u0111\u01a1n gi\u1ea3n h\u00f3a vi\u1ec7c n\u00e0y th\u00e0nh c\u00e1c l\u1ec7nh nh\u01b0 ufw allow 22. So s\u00e1nh iptables cho th\u1ea5y, n\u1ebfu b\u1ea1n l\u00e0 SysAdmin mu\u1ed1n ki\u1ec3m so\u00e1t tuy\u1ec7t \u0111\u1ed1i, h\u00e3y ch\u1ecdn IPtables; n\u1ebfu b\u1ea1n \u01b0u ti\u00ean s\u1ef1 ti\u1ec7n l\u1ee3i, UFW l\u00e0 l\u1ef1a ch\u1ecdn t\u1ed1t h\u01a1n.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-lenh-IPtables-thuong-dung\"><\/span>C\u00e1c l\u1ec7nh IPtables th\u01b0\u1eddng d\u00f9ng<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>IPtables l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 t\u01b0\u1eddng l\u1eeda m\u1ea1nh m\u1ebd gi\u00fap b\u1ea1n qu\u1ea3n l\u00fd l\u01b0u l\u01b0\u1ee3ng m\u1ea1ng v\u00e0 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng Linux kh\u1ecfi c\u00e1c m\u1ed1i \u0111e d\u1ecda m\u1ea1ng. \u0110\u1ec3 l\u00e0m vi\u1ec7c v\u1edbi IPtables, b\u1ea1n s\u1ebd s\u1eed d\u1ee5ng c\u00e1c l\u1ec7nh \u0111\u1ec3 c\u1ea5u h\u00ecnh v\u00e0 qu\u1ea3n l\u00fd c\u00e1c quy t\u1eafc. 
C\u00e1c l\u1ec7nh trong IPtables \u0111\u01b0\u1ee3c chia th\u00e0nh hai lo\u1ea1i ch\u00ednh: c\u01a1 b\u1ea3n v\u00e0 n\u00e2ng cao.<\/p>\n<p>D\u01b0\u1edbi \u0111\u00e2y l\u00e0 m\u1ed9t s\u1ed1 l\u1ec7nh c\u01a1 b\u1ea3n gi\u00fap b\u1ea1n d\u1ec5 d\u00e0ng c\u1ea5u h\u00ecnh v\u00e0 qu\u1ea3n l\u00fd t\u01b0\u1eddng l\u1eeda Linux c\u1ee7a m\u00ecnh.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Tao-Rule-moi-trong-IPtables\"><\/span>T\u1ea1o Rule m\u1edbi trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>L\u1ec7nh \u0111\u1ec3 th\u00eam m\u1ed9t quy t\u1eafc m\u1edbi v\u00e0o IPtables c\u00f3 c\u1ea5u tr\u00fac nh\u01b0 sau:<\/p>\n<pre>iptables -A INPUT -i lo -j ACCEPT<\/pre>\n<p>\u00dd ngh\u0129a c\u1ee7a l\u1ec7nh tr\u00ean l\u00e0:<\/p>\n<ul>\n<li><strong>-A<\/strong>: Th\u00eam (append) quy t\u1eafc v\u00e0o cu\u1ed1i chu\u1ed7i.<\/li>\n<li><strong>INPUT<\/strong>: Quy t\u1eafc \u00e1p d\u1ee5ng cho c\u00e1c g\u00f3i tin v\u00e0o m\u00e1y ch\u1ee7.<\/li>\n<li><strong>-i lo<\/strong>: Quy t\u1eafc \u00e1p d\u1ee5ng cho giao di\u1ec7n loopback.<\/li>\n<li><strong>-j ACCEPT<\/strong>: Ch\u1ea5p nh\u1eadn c\u00e1c g\u00f3i tin ph\u00f9 h\u1ee3p v\u1edbi quy t\u1eafc.<\/li>\n<\/ul>\n<p>Sau khi th\u00eam quy t\u1eafc, b\u1ea1n c\u00f3 th\u1ec3 ki\u1ec3m tra l\u1ea1i c\u00e1c quy t\u1eafc \u0111\u00e3 \u00e1p d\u1ee5ng b\u1eb1ng l\u1ec7nh:<\/p>\n<pre>iptables -L -v<\/pre>\n<p>Sau đó, bạn sẽ thấy quy tắc vừa thêm xuất hiện trong chain INPUT với target <strong>ACCEPT<\/strong> và cột <strong>in<\/strong> là <strong>lo<\/strong>. Lưu ý: iptables không đặt tên cho rule; lệnh -L chỉ hiển thị các điều kiện khớp và target của từng rule.<\/p>\n<p>Quy tắc có hiệu lực ngay khi được thêm, nhưng chỉ nằm trong bộ nhớ và sẽ mất khi khởi động lại. Trên CentOS\/RHEL có cài gói iptables-services, bạn lưu lại và nạp lại bằng:<\/p>\n<pre>service iptables save\r\nservice iptables restart<\/pre>\n<p>Lưu ý: <strong>service iptables restart<\/strong> xóa toàn bộ rule đang chạy và nạp lại từ file đã lưu, nên phải chạy <strong>save<\/strong> trước. Trên Ubuntu\/Debian không có dịch vụ này; hãy dùng gói iptables-persistent (lệnh <strong>netfilter-persistent save<\/strong>) để lưu rule.<\/p>\n<p>\u0110\u1ec3 \u0111\u1ea3m b\u1ea3o c\u00e1c k\u1ebft n\u1ed1i hi\u1ec7n t\u1ea1i kh\u00f4ng b\u1ecb gi\u00e1n 
\u0111o\u1ea1n v\u00e0 m\u00e1y ch\u1ee7 c\u00f3 th\u1ec3 k\u1ebft n\u1ed1i ra ngo\u00e0i, b\u1ea1n c\u1ea7n th\u00eam m\u1ed9t quy t\u1eafc m\u1edbi v\u1edbi l\u1ec7nh sau:<\/p>\n<pre>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<\/pre>\n<p>Trong iptables hiện đại, dạng tương đương và được khuyến nghị là <code>-m conntrack --ctstate ESTABLISHED,RELATED<\/code>. Nếu thiếu rule này mà cuối chain là DROP, các gói trả lời cho kết nối đi ra từ máy chủ (DNS, apt, cập nhật) cũng sẽ bị chặn.<\/p>\n<p>Mu\u1ed1n cho ph\u00e9p k\u1ebft n\u1ed1i t\u1eeb b\u00ean ngo\u00e0i v\u00e0o m\u00e1y ch\u1ee7 th\u00f4ng qua c\u1ed5ng s\u1eed d\u1ee5ng giao th\u1ee9c TCP, b\u1ea1n h\u00e3y ch\u1ea1y l\u1ec7nh:<\/p>\n<pre>iptables -A INPUT -p tcp --dport 22 -j ACCEPT<\/pre>\n<p>Trong \u0111\u00f3,<\/p>\n<ul>\n<li>-p tcp x\u00e1c \u0111\u1ecbnh giao th\u1ee9c TCP<\/li>\n<li>--dport 22 ch\u1ec9 \u0111\u1ecbnh c\u1ed5ng 22, th\u01b0\u1eddng d\u00f9ng cho SSH (đổi số cổng nếu SSH của bạn lắng nghe trên cổng khác).<\/li>\n<\/ul>\n<p>\u0110\u1ec3 ch\u1eb7n m\u1ecdi k\u1ebft n\u1ed1i \u0111\u1ebfn m\u00e1y ch\u1ee7 kh\u00f4ng \u0111\u00e1p \u1ee9ng c\u00e1c quy t\u1eafc \u0111\u00e3 thi\u1ebft l\u1eadp, h\u00e3y s\u1eed d\u1ee5ng l\u1ec7nh:<\/p>\n<pre>iptables -A INPUT -j DROP<\/pre>\n<p>Lưu ý: hãy chạy lệnh DROP này <strong>cuối cùng<\/strong>, sau khi đã có rule ACCEPT cho loopback, cho ESTABLISHED,RELATED và cho cổng SSH; nếu chạy trước, bạn sẽ tự khóa mình khỏi máy chủ. Vì iptables xét rule theo thứ tự, mọi rule thêm bằng -A sau đó sẽ nằm phía sau DROP và không bao giờ được xét, nên cần dùng -I để chèn phía trên.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Them-Rule-moi-vao-IPtables\"><\/span>Th\u00eam Rule m\u1edbi v\u00e0o IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Ngo\u00e0i vi\u1ec7c th\u00eam quy t\u1eafc v\u00e0o cu\u1ed1i danh s\u00e1ch, b\u1ea1n c\u00f3 th\u1ec3 ch\u00e8n quy t\u1eafc v\u00e0o m\u1ed9t v\u1ecb tr\u00ed c\u1ee5 th\u1ec3 b\u1eb1ng c\u00e1ch thay th\u1ebf -A b\u1eb1ng -I trong l\u1ec7nh. 
V\u00ed d\u1ee5, \u0111\u1ec3 ch\u00e8n quy t\u1eafc m\u1edbi v\u00e0o v\u1ecb tr\u00ed th\u1ee9 2 trong chain INPUT, ta d\u00f9ng l\u1ec7nh:<\/p>\n<pre>iptables -I INPUT 2 -p tcp --dport 8080 -j ACCEPT<\/pre>\n<p>L\u1ec7nh n\u00e0y cho ph\u00e9p k\u1ebft n\u1ed1i \u0111\u1ebfn c\u1ed5ng 8080 s\u1eed d\u1ee5ng giao th\u1ee9c TCP. Nếu không ghi số vị trí (iptables -I INPUT ...), rule được chèn lên đầu chain. Chỉ nên mở thêm cổng cho những dịch vụ thực sự cần truy cập từ bên ngoài.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Xoa-Rule-trong-IPtables\"><\/span>X\u00f3a Rule trong IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Nếu bạn muốn xóa một quy tắc theo số thứ tự của nó trong chain (xem bằng <code>iptables -L INPUT --line-numbers<\/code>), hãy dùng tham số -D kèm số thứ tự. Ví dụ, xóa rule thứ 4 trong chain INPUT:<\/p>\n<pre>iptables -D INPUT 4<\/pre>\n<p>Lưu ý: tên lệnh phân biệt chữ hoa chữ thường, phải viết <strong>iptables<\/strong> (chữ thường). Sau mỗi lần xóa, các rule phía dưới được đánh số lại, nên hãy kiểm tra lại --line-numbers trước khi xóa tiếp.<\/p>\n<p>Bạn cũng có thể xóa theo nội dung rule. Lệnh sau xóa rule DROP <strong>đầu tiên<\/strong> khớp trong chain INPUT:<\/p>\n<pre>iptables -D INPUT -j DROP<\/pre>\n<p>Lưu ý: -D chỉ xóa một rule khớp mỗi lần chạy, không xóa tất cả. Nếu có nhiều rule giống nhau, hãy lặp lại lệnh cho đến khi iptables báo không còn rule khớp (Bad rule), rồi kiểm tra lại bằng iptables -L -v.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Huong-dan-su-dung-Iptables-Firewall-Linux-don-gian\"><\/span>H\u01b0\u1edbng d\u1eabn s\u1eed d\u1ee5ng Iptables Firewall Linux \u0111\u01a1n gi\u1ea3n<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Buoc-1-Cai-dat-IPtables\"><\/span>B\u01b0\u1edbc 1: C\u00e0i \u0111\u1eb7t IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>H\u1ea7u h\u1ebft c\u00e1c b\u1ea3n ph\u00e2n ph\u1ed1i Linux hi\u1ec7n nay, bao g\u1ed3m Ubuntu, \u0111\u1ec1u \u0111\u00e3 t\u00edch h\u1ee3p s\u1eb5n IPtables. 
Tuy nhi\u00ean, n\u1ebfu v\u00ec l\u00fd do n\u00e0o \u0111\u00f3 m\u00e0 h\u1ec7 th\u1ed1ng c\u1ee7a b\u1ea1n ch\u01b0a c\u00f3, b\u1ea1n c\u00f3 th\u1ec3 c\u00e0i \u0111\u1eb7t b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng c\u00e1c l\u1ec7nh sau:<\/p>\n<pre>sudo apt-get update\r\nsudo apt-get install iptables<\/pre>\n<p>\u0110\u1ec3 ki\u1ec3m tra tr\u1ea1ng th\u00e1i hi\u1ec7n t\u1ea1i c\u1ee7a IPtables, b\u1ea1n c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng l\u1ec7nh:<\/p>\n<pre>sudo iptables -L -v<\/pre>\n<p>Trong \u0111\u00f3:<\/p>\n<ul>\n<li><strong>-L<\/strong>: Li\u1ec7t k\u00ea t\u1ea5t c\u1ea3 c\u00e1c quy t\u1eafc (rule) hi\u1ec7n c\u00f3.<\/li>\n<li><strong>-v<\/strong>: Hi\u1ec3n th\u1ecb th\u00f4ng tin chi ti\u1ebft v\u1ec1 c\u00e1c quy t\u1eafc.<\/li>\n<\/ul>\n<p>K\u1ebft qu\u1ea3 tr\u1ea3 v\u1ec1 s\u1ebd hi\u1ec3n th\u1ecb danh s\u00e1ch c\u00e1c chain (INPUT, FORWARD, OUTPUT) v\u00e0 c\u00e1c quy t\u1eafc (n\u1ebfu c\u00f3) trong m\u1ed7i chain. V\u00ed d\u1ee5:<\/p>\n<pre><strong>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)<\/strong>\r\n\r\n<strong>pkts bytes target prot opt in out source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/strong>\r\n\r\n<strong>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<\/strong>\r\n\r\n<strong>pkts bytes target prot opt in out source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/strong>\r\n\r\n<strong>Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)<\/strong>\r\n\r\n<strong>pkts bytes target prot opt in out source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/strong><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Buoc-2-Thiet-lap-cac-quy-tac-rules\"><\/span>B\u01b0\u1edbc 2: Thi\u1ebft l\u1eadp c\u00e1c quy t\u1eafc (rules)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>C\u00fa ph\u00e1p chung c\u1ee7a l\u1ec7nh IPtables:<\/p>\n<pre>sudo iptables -A &lt;chain&gt; -i &lt;interface&gt; -p &lt;protocol&gt; -s &lt;source&gt; --dport &lt;port&gt; -j &lt;target&gt;<\/pre>\n<p>Trong 
\u0111\u00f3:<\/p>\n<ul>\n<li><strong>-A<\/strong>: Th\u00eam quy t\u1eafc v\u00e0o cu\u1ed1i chain.<\/li>\n<li><strong>&lt;chain&gt;<\/strong>: T\u00ean c\u1ee7a chain (INPUT, OUTPUT, FORWARD).<\/li>\n<li><strong>-i &lt;interface&gt;<\/strong>: Giao di\u1ec7n m\u1ea1ng (v\u00ed d\u1ee5: eth0, wlan0).<\/li>\n<li><strong>-p &lt;protocol&gt;<\/strong>: Giao th\u1ee9c (tcp, udp, icmp).<\/li>\n<li><strong>-s &lt;source&gt;<\/strong>: \u0110\u1ecba ch\u1ec9 IP ngu\u1ed3n.<\/li>\n<li><strong>--dport &lt;port&gt;<\/strong>: C\u1ed5ng \u0111\u00edch (chỉ dùng kèm -p tcp hoặc -p udp).<\/li>\n<li><strong>-j &lt;target&gt;<\/strong>: H\u00e0nh \u0111\u1ed9ng c\u1ea7n th\u1ef1c hi\u1ec7n (ACCEPT, DROP, REJECT).<\/li>\n<\/ul>\n<p><strong>Cho ph\u00e9p l\u01b0u l\u01b0\u1ee3ng truy c\u1eadp tr\u00ean localhost<\/strong><\/p>\n<pre>sudo iptables -A INPUT -i lo -j ACCEPT<\/pre>\n<p>L\u1ec7nh n\u00e0y cho ph\u00e9p t\u1ea5t c\u1ea3 l\u01b0u l\u01b0\u1ee3ng truy c\u1eadp tr\u00ean giao di\u1ec7n loopback (lo), t\u1ee9c l\u00e0 giao ti\u1ebfp n\u1ed9i b\u1ed9 tr\u00ean m\u00e1y ch\u1ee7.<\/p>\n<p>K\u1ebft qu\u1ea3:<\/p>\n<pre><strong>Chain INPUT (policy ACCEPT 7 packets, 488 bytes)<\/strong>\r\n\r\n<strong>pkts bytes target prot opt in out source\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 destination<\/strong>\r\n\r\n<strong>0 0 ACCEPT all\u00a0 \u2014\u00a0 lo any anywhere\u00a0 \u00a0 \u00a0\u00a0anywhere<\/strong><\/pre>\n<p>L\u1ec7nh -A \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 th\u00eam c\u00e1c quy t\u1eafc v\u00e0o chains INPUT, cho ph\u00e9p t\u1ea5t c\u1ea3 c\u00e1c k\u1ebft n\u1ed1i tr\u00ean giao di\u1ec7n lo (localhost).<\/p>\n<p>C\u00e1c c\u1ed5ng \u0111\u01b0\u1ee3c ph\u00e9p truy c\u1eadp bao g\u1ed3m SSH, HTTP v\u00e0 HTTPS (lưu ý tham số là hai dấu gạch ngang <strong>--dport<\/strong>; dấu gạch dài do sao chép từ trình soạn thảo sẽ làm iptables báo lỗi):<\/p>\n<pre>sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\r\n\r\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\r\n\r\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/pre>\n<p>C\u00e1c l\u1ec7nh n\u00e0y cho ph\u00e9p truy c\u1eadp v\u00e0o 
c\u00e1c c\u1ed5ng 22 (SSH), 80 (HTTP) v\u00e0 443 (HTTPS) t\u1eeb b\u1ea5t k\u1ef3 \u0111\u1ecba ch\u1ec9 IP ngu\u1ed3n n\u00e0o.<\/p>\n<p><strong>L\u1ecdc c\u00e1c g\u00f3i tin d\u1ef1a tr\u00ean ngu\u1ed3n<\/strong><\/p>\n<p>\u0110\u1ec3 l\u1ecdc c\u00e1c g\u00f3i tin d\u1ef1a tr\u00ean ngu\u1ed3n, b\u1ea1n c\u00f3 th\u1ec3 th\u00eam tham s\u1ed1 -s \u0111\u1ec3 cho ph\u00e9p ho\u1eb7c t\u1eeb ch\u1ed1i c\u00e1c g\u00f3i tin d\u1ef1a tr\u00ean \u0111\u1ecba ch\u1ec9 IP ngu\u1ed3n.<\/p>\n<pre>sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT<\/pre>\n<p>C\u00e1c g\u00f3i tin t\u1eeb \u0111\u1ecba ch\u1ec9 IP ngu\u1ed3n 192.168.1.3 s\u1ebd \u0111\u01b0\u1ee3c ch\u1ea5p nh\u1eadn trên mọi cổng và giao thức; nếu chỉ muốn mở một dịch vụ cho IP đó, hãy kết hợp thêm -p tcp --dport.<\/p>\n<pre>sudo iptables -A INPUT -s 192.168.1.3 -j DROP<\/pre>\n<p>C\u00e1c g\u00f3i tin t\u1eeb \u0111\u1ecba ch\u1ec9 IP ngu\u1ed3n 192.168.1.3 s\u1ebd b\u1ecb loại bỏ âm thầm (DROP không gửi phản hồi; REJECT mới gửi thông báo lỗi về nguồn). Hai lệnh ACCEPT và DROP ở trên là hai lựa chọn thay thế nhau; nếu thêm cả hai, rule đứng trước trong chain sẽ thắng.<\/p>\n<pre>sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP<\/pre>\n<p>\u0110\u00e2y l\u00e0 l\u1ec7nh \u0111\u1ec3 t\u1eeb ch\u1ed1i c\u00e1c g\u00f3i tin t\u1eeb m\u1ed9t d\u00e3y \u0111\u1ecba ch\u1ec9 IP, s\u1eed d\u1ee5ng module <strong>iprange<\/strong> v\u1edbi tham số <strong>--src-range<\/strong>, d\u00e3y IP \u0111\u01b0\u1ee3c ch\u1ec9 \u0111\u1ecbnh ngay sau --src-range.<\/p>\n<p><strong>Ch\u1eb7n t\u1ea5t c\u1ea3 truy c\u1eadp<\/strong><\/p>\n<p>\u0110\u1ec3 ch\u1eb7n t\u1ea5t c\u1ea3 truy c\u1eadp còn lại, b\u1ea1n c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng l\u1ec7nh sau:<\/p>\n<pre>sudo iptables -A INPUT -j DROP<\/pre>\n<p>Lưu ý quan trọng: lệnh này phải là rule <strong>cuối cùng<\/strong> trong chain INPUT và chỉ chạy sau khi đã có rule ACCEPT cho loopback, cho cổng SSH và cho lưu lượng đã thiết lập (<code>sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/code>). Nếu thiếu rule ESTABLISHED,RELATED, các gói trả lời cho kết nối đi ra từ máy chủ cũng bị chặn và bạn có thể mất kết nối SSH đang dùng. Mọi rule thêm bằng -A sau đó sẽ nằm sau DROP và không có hiệu lực; hãy dùng -I để chèn phía trên.<\/p>\n<p>Sau khi thi\u1ebft l\u1eadp, b\u1ea1n c\u00f3 th\u1ec3 ki\u1ec3m tra l\u1ea1i b\u1eb1ng l\u1ec7nh:<\/p>\n<pre>sudo iptables -L -v<\/pre>\n<p>L\u01b0u \u00fd: \u0110\u1ec3 ng\u0103n ch\u1eb7n truy c\u1eadp tr\u00e1i ph\u00e9p v\u00e0o c\u00e1c c\u1ed5ng \u0111ang m\u1edf tr\u00ean m\u00e1y ch\u1ee7, b\u1ea1n n\u00ean s\u1eed d\u1ee5ng DROP \u0111\u1ec3 ch\u1eb7n t\u1ea5t c\u1ea3 c\u00e1c g\u00f3i tin t\u1eeb nh\u1eefng ngu\u1ed3n kh\u00f4ng \u0111\u01b0\u1ee3c cho ph\u00e9p. Ngoài ra, iptables chỉ lọc IPv4; nếu máy chủ có địa chỉ IPv6, bạn cần lặp lại các rule tương ứng bằng <strong>ip6tables<\/strong>, nếu không các cổng vẫn mở qua IPv6.<\/p>\n<p><strong>X\u00f3a 
c\u00e1c rules<\/strong><\/p>\n<p>\u0110\u1ec3 x\u00f3a c\u00e1c quy t\u1eafc, b\u1ea1n c\u00f3 th\u1ec3 s\u1eed d\u1ee5ng l\u1ec7nh sau:<\/p>\n<pre>sudo iptables -F<\/pre>\n<p>L\u1ec7nh n\u00e0y s\u1ebd x\u00f3a to\u00e0n b\u1ed9 c\u00e1c quy t\u1eafc hi\u1ec7n c\u00f3 trong table filter, cho ph\u00e9p b\u1ea1n thi\u1ebft l\u1eadp l\u1ea1i t\u1eeb \u0111\u1ea7u. Lưu ý: -F không thay đổi policy mặc định của chain. Nếu policy INPUT đang là DROP, flush sẽ xóa luôn rule ACCEPT cho SSH và khóa bạn khỏi máy chủ; hãy chạy <code>sudo iptables -P INPUT ACCEPT<\/code> trước. Ngược lại, với policy ACCEPT, sau khi flush máy chủ hoàn toàn không được bảo vệ cho đến khi bạn thêm rule mới.<\/p>\n<p>N\u1ebfu mu\u1ed1n x\u00f3a t\u1eebng quy t\u1eafc m\u1ed9t, b\u1ea1n c\u00f3 th\u1ec3 d\u00f9ng tham s\u1ed1 -D k\u00e8m theo s\u1ed1 th\u1ee9 t\u1ef1 c\u1ee7a quy t\u1eafc \u0111\u00f3. \u0110\u1ec3 xem danh s\u00e1ch c\u00e1c quy t\u1eafc v\u00e0 s\u1ed1 th\u1ee9 t\u1ef1 t\u01b0\u01a1ng \u1ee9ng, h\u00e3y s\u1eed d\u1ee5ng l\u1ec7nh sau:<\/p>\n<pre>sudo iptables -L --line-numbers<\/pre>\n<p>K\u1ebft qu\u1ea3 s\u1ebd hi\u1ec3n th\u1ecb c\u00e1c s\u1ed1 th\u1ee9 t\u1ef1 c\u1ee7a c\u00e1c quy t\u1eafc trong m\u1ed7i chain (cột num).<\/p>\n<p>V\u00ed d\u1ee5:<\/p>\n<pre><strong>Chain INPUT (policy ACCEPT)<\/strong>\r\n\r\n<strong>num\u00a0 target prot opt source\u00a0 \u00a0 \u00a0 \u00a0\u00a0destination<\/strong>\r\n\r\n<strong>1\u00a0 \u00a0 ACCEPT all\u00a0 \u2014\u00a0 192.168.0.4 \u00a0\u00a0anywhere<\/strong>\r\n\r\n<strong>2\u00a0 \u00a0 ACCEPT tcp\u00a0 \u2014\u00a0 anywhere\u00a0 \u00a0 \u00a0\u00a0anywhere\u00a0 \u00a0 \u00a0\u00a0tcp dpt:https<\/strong>\r\n\r\n<strong>3\u00a0 \u00a0 ACCEPT tcp\u00a0 \u2014\u00a0 anywhere\u00a0 \u00a0 \u00a0\u00a0anywhere\u00a0 \u00a0 \u00a0\u00a0tcp dpt:http<\/strong>\r\n\r\n<strong>4\u00a0 \u00a0 ACCEPT tcp\u00a0 \u2014\u00a0 anywhere\u00a0 \u00a0 \u00a0\u00a0anywhere\u00a0 \u00a0 \u00a0\u00a0tcp dpt:ssh<\/strong><\/pre>\n<p>Sau \u0111\u00f3, \u0111\u1ec3 x\u00f3a m\u1ed9t quy t\u1eafc, h\u00e3y d\u00f9ng l\u1ec7nh sau:<\/p>\n<pre>sudo iptables -D INPUT 3<\/pre>\n<p>V\u1edbi l\u1ec7nh tr\u00ean s\u1ebd x\u00f3a quy t\u1eafc c\u00f3 s\u1ed1 th\u1ee9 t\u1ef1 3 trong chain INPUT (trong ví dụ là rule ACCEPT cho cổng http). Sau khi xóa, các rule phía dưới được đánh số lại, nên hãy chạy lại --line-numbers trước khi xóa rule tiếp theo.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Buoc-3-Luu-tat-ca-cac-thay-doi-tren-IPtables\"><\/span>B\u01b0\u1edbc 3: L\u01b0u t\u1ea5t c\u1ea3 c\u00e1c thay 
\u0111\u1ed5i tr\u00ean IPtables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>C\u00e1c quy t\u1eafc IPtables m\u00e0 b\u1ea1n v\u1eeba t\u1ea1o ch\u1ec9 \u0111\u01b0\u1ee3c l\u01b0u t\u1ea1m th\u1eddi trong b\u1ed9 nh\u1edb. V\u00ec v\u1eady, khi m\u00e1y ch\u1ee7 kh\u1edfi \u0111\u1ed9ng l\u1ea1i, nh\u1eefng quy t\u1eafc n\u00e0y s\u1ebd b\u1ecb m\u1ea5t. Lưu ý: lệnh <strong>iptables-save<\/strong> chỉ in bộ rule hiện tại ra màn hình, tự nó không lưu gì cả; bạn phải ghi kết quả ra file và có cơ chế nạp lại file đó khi khởi động. Để xem bộ rule hiện tại ở dạng có thể lưu:<\/p>\n<pre>sudo \/sbin\/iptables-save<\/pre>\n<p>Trên Ubuntu\/Debian, cách đơn giản nhất là dùng gói iptables-persistent; gói này nạp lại rule từ \/etc\/iptables\/rules.v4 (và rules.v6 cho ip6tables) khi khởi động:<\/p>\n<pre>sudo apt-get install iptables-persistent\r\nsudo netfilter-persistent save<\/pre>\n<p>Hoặc ghi thủ công: <code>sudo sh -c 'iptables-save &gt; \/etc\/iptables\/rules.v4'<\/code>. Trên CentOS\/RHEL, dùng gói iptables-services và lệnh <code>sudo service iptables save<\/code>. Hãy kiểm tra lại nội dung file đã lưu trước khi khởi động lại máy chủ.<\/p>\n<p>Để tắt firewall (mở hoàn toàn: mọi dịch vụ đang lắng nghe sẽ truy cập được từ bên ngoài), bạn cần đặt lại policy về ACCEPT rồi mới xóa rule, vì -F không thay đổi policy:<\/p>\n<pre>sudo iptables -P INPUT ACCEPT\r\nsudo iptables -P FORWARD ACCEPT\r\nsudo iptables -P OUTPUT ACCEPT\r\nsudo iptables -F\r\nsudo iptables -X<\/pre>\n<p>Sau đó lưu lại trạng thái này (ví dụ <code>sudo netfilter-persistent save<\/code>) nếu muốn firewall vẫn tắt sau khi khởi động lại; nếu không, bộ rule cũ sẽ được nạp lại.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-loi-thuong-gap-khi-dung-IPtables-va-cach-khac-phuc\"><\/span>C\u00e1c l\u1ed7i th\u01b0\u1eddng g\u1eb7p khi d\u00f9ng IPtables v\u00e0 c\u00e1ch kh\u1eafc ph\u1ee5c<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Ng\u01b0\u1eddi d\u00f9ng m\u1edbi r\u1ea5t d\u1ec5 g\u1eb7p ph\u1ea3i sai s\u00f3t khi c\u1ea5u h\u00ecnh IPtables. 
Vi\u1ec7c n\u00e0y c\u00f3 th\u1ec3 d\u1eabn \u0111\u1ebfn c\u00e1c t\u00ecnh hu\u1ed1ng nghi\u00eam tr\u1ecdng nh\u01b0 kh\u00f4ng th\u1ec3 truy c\u1eadp server.<\/p>\n<div style=\"overflow-x: auto; margin: 20px 0;\">\n<table style=\"width: 100%; border-collapse: collapse; font-family: Arial, sans-serif; font-size: 15px; border: 1px solid #ddd;\">\n<thead>\n<tr style=\"background-color: #0d6efd; color: #fff; text-align: left;\">\n<th style=\"padding: 12px; border: 1px solid #0d6efd; text-align: center;\">L\u1ed7i th\u01b0\u1eddng g\u1eb7p<\/th>\n<th style=\"padding: 12px; border: 1px solid #0d6efd; text-align: center;\">Nguy\u00ean nh\u00e2n<\/th>\n<th style=\"padding: 12px; border: 1px solid #0d6efd; text-align: center;\">C\u00e1ch kh\u1eafc ph\u1ee5c<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr style=\"background-color: #f9f9f9;\">\n<td style=\"padding: 10px; border: 1px solid #ddd; font-weight: 600;\">Kh\u00f4ng truy c\u1eadp \u0111\u01b0\u1ee3c SSH (Self-lockout)<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">Thi\u1ebft l\u1eadp Policy m\u1eb7c \u0111\u1ecbnh l\u00e0 <b>DROP\/REJECT<\/b> (hoặc thêm rule DROP chung) tr\u01b0\u1edbc khi th\u00eam Rule <b>ACCEPT<\/b> cho port 22 và cho lưu lượng ESTABLISHED,RELATED.<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">Truy c\u1eadp server qua Console (VNC, KVM) c\u1ee7a nh\u00e0 cung c\u1ea5p, sau \u0111\u00f3 x\u00f3a Rule l\u1ed7i ho\u1eb7c Flush (x\u00f3a s\u1ea1ch) t\u1ea5t c\u1ea3 Rule b\u1eb1ng <b>iptables -F<\/b>. Lưu ý: nếu policy mặc định là DROP thì <b>-F<\/b> một mình không khôi phục được truy cập (policy vẫn là DROP); hãy chạy <b>iptables -P INPUT ACCEPT<\/b> trước rồi mới <b>-F<\/b>. Để tránh tự khóa, luôn thêm rule ACCEPT cho SSH và ESTABLISHED,RELATED trước khi đặt policy DROP, và kiểm thử bằng một phiên SSH thứ hai trước khi đóng phiên hiện tại. 
(T\u1eeb kh\u00f3a: <i>iptables ssh error<\/i>).<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px; border: 1px solid #ddd; font-weight: 600;\">Rule b\u1ecb ghi \u0111\u00e8 khi reboot<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">Qu\u00ean kh\u00f4ng l\u01b0u l\u1ea1i Rule sau khi c\u1ea5u h\u00ecnh (xem m\u1ee5c 5).<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">C\u00e0i \u0111\u1eb7t v\u00e0 s\u1eed d\u1ee5ng g\u00f3i <b>persistent<\/b> (<i>iptables-persistent<\/i> ho\u1eb7c t\u01b0\u01a1ng \u0111\u01b0\u01a1ng) \u0111\u1ec3 t\u1ef1 \u0111\u1ed9ng n\u1ea1p Rule khi kh\u1edfi \u0111\u1ed9ng.<\/td>\n<\/tr>\n<tr style=\"background-color: #f9f9f9;\">\n<td style=\"padding: 10px; border: 1px solid #ddd; font-weight: 600;\">Xung \u0111\u1ed9t v\u1edbi Firewalld<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">C\u1ea3 hai d\u1ecbch v\u1ee5 (<b>IPtables<\/b> v\u00e0 <b>Firewalld<\/b>) \u0111\u1ec1u \u0111ang ch\u1ea1y v\u00e0 c\u00f9ng qu\u1ea3n l\u00fd Netfilter.<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">T\u1eaft v\u00e0 v\u00f4 hi\u1ec7u h\u00f3a v\u0129nh vi\u1ec5n d\u1ecbch v\u1ee5 <b>Firewalld<\/b> n\u1ebfu b\u1ea1n mu\u1ed1n d\u00f9ng IPtables thu\u1ea7n:<br \/>\n<code>systemctl stop firewalld<\/code><br \/>\n<code>systemctl disable firewalld<\/code>.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 10px; border: 1px solid #ddd; font-weight: 600;\">L\u1ed7i Rule kh\u00f4ng ho\u1ea1t \u0111\u1ed9ng<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">Th\u1ee9 t\u1ef1 Rule b\u1ecb sai. IPtables \u0111\u1ecdc Rule theo th\u1ee9 t\u1ef1. 
N\u1ebfu Rule chung (v\u00ed d\u1ee5: <b>DROP ALL<\/b>) n\u1eb1m tr\u00ean Rule c\u1ee5 th\u1ec3 (<b>ACCEPT SSH<\/b>), Rule c\u1ee5 th\u1ec3 s\u1ebd kh\u00f4ng bao gi\u1edd \u0111\u01b0\u1ee3c th\u1ef1c thi.<\/td>\n<td style=\"padding: 10px; border: 1px solid #ddd;\">Lu\u00f4n \u0111\u1eb7t Rule c\u1ee5 th\u1ec3 (ACCEPT) l\u00ean \u0111\u1ea7u v\u00e0 Rule chung (DROP\/REJECT) xu\u1ed1ng cu\u1ed1i Chain \u0111\u1ec3 \u0111\u1ea3m b\u1ea3o \u0111\u00fang th\u1ee9 t\u1ef1 x\u1eed l\u00fd.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Nh\u01b0 v\u1eady, IPtables l\u00e0 g\u00ec v\u00e0 c\u00e1ch s\u1eed d\u1ee5ng n\u00f3 \u0111\u00e3 kh\u00f4ng c\u00f2n l\u00e0 m\u1ed9t c\u00e2u h\u1ecfi kh\u00f3. V\u1edbi nh\u1eefng ki\u1ebfn th\u1ee9c tr\u00ean, b\u1ea1n \u0111\u00e3 c\u00f3 th\u1ec3 hi\u1ec3u r\u00f5 c\u00e1ch IPtables ho\u1ea1t \u0111\u1ed9ng \u0111\u1ec3 b\u1ea3o v\u1ec7 h\u1ec7 th\u1ed1ng c\u1ee7a m\u00ecnh kh\u1ecfi c\u00e1c m\u1ed1i \u0111e d\u1ecda t\u1eeb m\u1ea1ng. B\u1eb1ng c\u00e1ch \u00e1p d\u1ee5ng c\u00e1c l\u1ec7nh c\u01a1 b\u1ea3n nh\u01b0 t\u1ea1o, th\u00eam, v\u00e0 x\u00f3a quy t\u1eafc, b\u1ea1n c\u00f3 th\u1ec3 d\u1ec5 d\u00e0ng duy tr\u00ec h\u1ec7 th\u1ed1ng an to\u00e0n.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>N\u1ebfu b\u1ea1n l\u00e0 ng\u01b0\u1eddi qu\u1ea3n tr\u1ecb m\u00e1y ch\u1ee7 Linux, \u0111\u1eb7c bi\u1ec7t l\u00e0 c\u00e1c m\u00e1y ch\u1ee7 \u1ea3o (VPS) ho\u1eb7c Dedicated Server, ch\u1eafc ch\u1eafn b\u1ea1n \u0111\u00e3 t\u1eebng nghe \u0111\u1ebfn IPtables. 
Trong b\u00e0i vi\u1ebft n\u00e0y, ch\u00fang ta s\u1ebd c\u00f9ng t\u00ecm hi\u1ec3u v\u1ec1 c\u1ea5u tr\u00fac v\u00e0 nguy\u00ean l\u00fd ho\u1ea1t \u0111\u1ed9ng c\u1ee7a IPtables, c\u00e1c t\u00f9y ch\u1ecdn v\u00e0 l\u1ec7nh c\u01a1 b\u1ea3n,<\/p>\n","protected":false},"author":11,"featured_media":34198,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[],"class_list":["post-22336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server"],"_links":{"self":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/22336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/comments?post=22336"}],"version-history":[{"count":2,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/22336\/revisions"}],"predecessor-version":[{"id":34200,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/22336\/revisions\/34200"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media\/34198"}],"wp:attachment":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media?parent=22336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/categories?post=22336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/tags?post=22336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}