2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article is a detailed tutorial on the Linux iptables firewall: its tables and chains, the command syntax, matching conditions and targets, the common extension modules, and several worked configurations. The methods it introduces are simple, fast and practical.
2.1 Frame diagram

--> PREROUTING --> [ROUTE] --> FORWARD --> POSTROUTING -->
    mangle            |        mangle      ^   mangle
    nat               |        filter      |   nat
                      |                    |
                      V                    |
                    INPUT                OUTPUT
                    mangle               mangle
                    filter               nat
                      |                  filter
                      V                    ^
                    local process ---------+
2.2 Chains and tables
Tables
filter: as the name implies, used for filtering packets
nat: as the name implies, used when doing NAT
NAT: Network Address Translation
Chains
INPUT: in the filter table; matches packets whose destination IP is the local host
FORWARD: in the filter table; matches packets that pass through this host (routed)
PREROUTING: in the nat table; used to modify the destination address (DNAT)
POSTROUTING: in the nat table; used to modify the source address (SNAT)
3.1 Overview of iptables syntax
iptables [-t table] [command] [chain] [rule number] [matching conditions] [-j target]
-t: the table to operate on (filter if omitted)
command: the operation to perform (-A, -I, -D, -R, -P, -F, -L)
chain: the chain to operate on
rule number: the position in the chain, for the commands that take one
matching conditions: which packets the rule applies to
-j: the target, i.e. what to do with a matched packet
3.2 Overview of commands
Operation commands: -A, -I, -D, -R, -P, -F
View command: -[vnx]L
3.2.1 -A
-A
APPEND: add a rule at the end of the chain
For example:
iptables -t filter -A INPUT -j DROP
Appends a rule to the INPUT chain of the filter table (as the last rule).
It matches every packet addressed to the local host's IP and discards the packets it matches.
3.2.2 -I
-I [rule number]
INSERT: insert a rule
For example:
iptables -I INPUT -j DROP
Inserts a rule into the INPUT chain of the filter table (as rule 1)
iptables -I INPUT 3 -j DROP
Inserts a rule into the INPUT chain of the filter table (as rule 3)
Note:
1. -t filter may be omitted; if it is not written, the filter table is used by default.
2. -I chain-name [rule number]: if the rule number is not written, the default is 1.
3. Make sure the rule number is ≤ (number of existing rules + 1), otherwise an error is reported.
3.2.3 -D
-D
DELETE: delete a rule
For example:
iptables -D INPUT 3 (match by number)
Deletes the third rule in the INPUT chain of the filter table (whatever its content)
iptables -D INPUT -s 192.168.0.1 -j DROP (match by content)
Deletes the rule "-s 192.168.0.1 -j DROP" from the INPUT chain of the filter table
(wherever it is located)
Note:
1. If the rule list contains several identical rules, deleting by content removes only the one with the lowest number.
2. When deleting by number, make sure the rule number is ≤ the number of existing rules, otherwise an error is reported.
3. When deleting by content, make sure the rule exists, otherwise an error is reported.
3.2.3 -R
-R
REPLACE: replace a rule
For example:
iptables -R INPUT 3 -j ACCEPT
Replaces the content of the rule currently numbered 3 with "-j ACCEPT"
Note:
Make sure the rule number is ≤ the number of existing rules, otherwise an error is reported
3.2.4 -P
-P
POLICY: set the default policy of a chain
For example:
iptables -P INPUT DROP
Sets the default policy of the INPUT chain of the filter table to DROP
Note:
When a packet is matched by no rule in the chain, it is handled according to this default policy.
3.2.5 -F
-F [chain name]
FLUSH: empty the rules
For example:
iptables -F INPUT
Clears all rules in the INPUT chain of the filter table
iptables -t nat -F PREROUTING
Clears all rules in the PREROUTING chain of the nat table
Note:
1. -F only empties the rules of a chain; it does not affect the default policy set with -P
2. After -P has set DROP, be careful when using -F: once the rules are gone, the DROP policy applies to everything, including your own session
3. If no chain name is written, all rules in all chains of the table are cleared
3.2.6 -[vxn]L
-L [chain name]
LIST: list the rules
-v: show details, including the packet and byte counters of each rule
-x: on top of -v, show exact counters without automatic unit conversion (K, M)
-n: show IP addresses and port numbers only, without resolving domain names and service names
For example:
iptables -L
Lists all chains and all rules of the filter table in brief
iptables -t nat -vnL
Lists all rules of all chains of the nat table in detail, showing only IP addresses and port numbers
iptables -t nat -vxnL PREROUTING
Lists all rules of the PREROUTING chain of the nat table in detail, with exact counters
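The bookkeeping rules scattered through the notes of 3.2 (1-based rule numbers, -I defaulting to position 1 and refusing a number larger than "existing rules + 1", -D by content removing only the lowest-numbered copy, -F leaving the -P policy untouched) are easy to get wrong from memory. The following Python model of a single chain is an added example, not code from the original tutorial; the Chain class, the IptablesError exception and its messages (modelled on the ones iptables prints) are this example's own.

```python
class IptablesError(Exception):
    """Stands in for the errors iptables prints, e.g. 'Index of insertion too big'."""


class Chain:
    """One chain: a 1-based list of rule strings plus a default policy (-P)."""

    def __init__(self, name, policy="ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def append(self, rule):                       # -A: add at the end
        self.rules.append(rule)

    def insert(self, rule, num=1):                # -I [num]: default 1, num <= len + 1
        if not 1 <= num <= len(self.rules) + 1:
            raise IptablesError(f"Index of insertion too big: {num}")
        self.rules.insert(num - 1, rule)

    def delete(self, spec):                       # -D num, or -D <rule text>
        if isinstance(spec, int):
            if not 1 <= spec <= len(self.rules):
                raise IptablesError(f"Index of deletion too big: {spec}")
            del self.rules[spec - 1]
        elif spec in self.rules:
            self.rules.remove(spec)               # only the first (lowest-numbered) copy goes
        else:
            raise IptablesError("Bad rule (does a matching rule exist in that chain?)")

    def replace(self, num, rule):                 # -R num <rule>: same position, new content
        if not 1 <= num <= len(self.rules):
            raise IptablesError(f"Index of replacement too big: {num}")
        self.rules[num - 1] = rule

    def set_policy(self, policy):                 # -P: applies when no rule matches
        self.policy = policy

    def flush(self):                              # -F: the rules go, the policy stays
        self.rules = []

    def listing(self):                            # roughly what -L --line-numbers prints
        return [f"Chain {self.name} (policy {self.policy})"] + \
               [f"{n} {r}" for n, r in enumerate(self.rules, 1)]


def rejects(fn, *args):
    """True if the operation is refused, as iptables would refuse it."""
    try:
        fn(*args)
    except IptablesError:
        return True
    return False


def demo():
    """Constructed sequence of commands against an INPUT chain."""
    c = Chain("INPUT")
    c.append("-j DROP")                           # rule 1
    c.insert("-p tcp --dport 22 -j ACCEPT")       # becomes rule 1; DROP is now rule 2
    c.insert("-i lo -j ACCEPT", 2)                # rule 2; DROP is now rule 3
    c.append("-s 192.168.0.1 -j DROP")            # rule 4 ...
    c.append("-s 192.168.0.1 -j DROP")            # ... and an identical rule 5
    c.delete("-s 192.168.0.1 -j DROP")            # by content: only rule 4 is removed
    c.replace(3, "-j ACCEPT")                     # rule 3 keeps its place, new content
    c.set_policy("DROP")                          # backs the whole list
    return c
```

Running demo() and printing listing() shows why order matters: after the replace, rule 3 is an unconditional ACCEPT, so the remaining "-s 192.168.0.1 -j DROP" at position 4 can never be reached, which is exactly the kind of mistake -vnL with its counters makes visible.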
3.3 Matching conditions
Inbound and outbound interface (-i, -o)
Source and destination address (-s, -d)
Protocol type (-p)
Source and destination port (--sport, --dport)
3.3.1 Match by network interface
-i matches the network interface the packet came in on
For example:
-i eth0
Matches packets that came in through the interface eth0
-i ppp0
Matches packets that came in through the interface ppp0
-o matches the network interface the packet goes out through
For example:
-o eth0
-o ppp0
3.3.2 Match by source or destination address
-s
Can be an IP, a network, a domain name, or empty (any address)
For example:
-s 192.168.0.1 matches packets from 192.168.0.1
-s 192.168.1.0/24 matches packets from the 192.168.1.0/24 network
-s 192.168.0.0/16 matches packets from the 192.168.0.0/16 network
-d
Can be an IP, a network, a domain name, or empty
For example:
-d 202.106.0.20 matches packets destined for 202.106.0.20
-d 202.106.0.0/16 matches packets destined for the 202.106.0.0/16 network
-d www.abc.com matches packets destined for the domain name www.abc.com (the name is resolved once, when the rule is added)
3.3.3 Match by protocol type
-p
Can be tcp, udp, icmp, etc., or empty (any protocol)
For example:
-p tcp
-p udp
-p icmp --icmp-type type
ping request: type 8; ping reply (pong): type 0
3.3.4 Match by source or destination port
--sport
Can be a single port or a port range
For example:
--sport 1000 matches packets with source port 1000
--sport 1000:3000 matches packets with source ports 1000-3000 (including 1000 and 3000)
--sport :3000 matches packets with source ports up to 3000 (including 3000)
--sport 1000: matches packets with source ports from 1000 upwards (including 1000)
--dport
Can be a single port or a port range
For example:
--dport 80 matches packets with destination port 80
--dport 6000:8000 matches packets with destination ports 6000-8000 (including 6000 and 8000)
--dport :3000 matches packets with destination ports up to 3000 (including 3000)
--dport 1000: matches packets with destination ports from 1000 upwards (including 1000)
Note: --sport and --dport must be used together with the -p parameter
3.3.5 Examples of matching conditions
1. Port matching
-p udp --dport 53
Matches UDP packets with destination port 53
2. Address matching
-s 10.1.0.0/24 -d 172.17.0.0/16
Matches all packets from 10.1.0.0/24 to 172.17.0.0/16
3. Combined port and address matching
-s 192.168.0.1 -d www.abc.com -p tcp --dport 80
Matches TCP packets from 192.168.0.1 destined for port 80 of www.abc.com
Note:
1. --sport and --dport must be used in conjunction with -p; the protocol type must be specified.
2. The more conditions a rule has, the more precise the match and the narrower the set of packets it covers.
3.4 Actions (targets)
ACCEPT
DROP
SNAT
DNAT
MASQUERADE
3.4.1 -j ACCEPT
-j ACCEPT
Pass: allows the packet through this chain without intercepting it
Similar to permit in a Cisco ACL
For example:
iptables -A INPUT -j ACCEPT
Allows all packets addressed to the local host's IP to pass
3.4.2 -j DROP
-j DROP
Discard: stops the packet at this chain and drops it
Similar to deny in a Cisco ACL
For example:
iptables -A FORWARD -s 192.168.80.39 -j DROP
Blocks packets with source address 192.168.80.39 from passing through this host
3.4.3 -j SNAT
-j SNAT --to-source IP[-IP][:port-port] (POSTROUTING chain of the nat table; iptables also accepts the abbreviation --to)
Source address translation. SNAT supports translation to a single IP and also to an IP address pool
(a set of consecutive IP addresses)
For example:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -j SNAT --to-source 1.1.1.1
Rewrites the source address of packets from the intranet 192.168.0.0/24 to 1.1.1.1 (NAT)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -j SNAT --to-source 1.1.1.1-1.1.1.10
Same as above, but the source is rewritten to an IP from the address pool
3.4.4 -j DNAT
-j DNAT --to-destination IP[-IP][:port-port] (PREROUTING chain of the nat table; iptables also accepts the abbreviation --to)
Destination address translation. DNAT supports translation to a single IP and also to an IP address pool
(a set of consecutive IP addresses)
For example:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.0.1
Changes the destination address of packets coming in on ppp0 for TCP port 80 to 192.168.0.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 \
  -j DNAT --to-destination 192.168.0.2
Changes the destination address of packets coming in on ppp0 for TCP port 81 to 192.168.0.2
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.0.1-192.168.0.10
Same as the first example, but the destination is rewritten to an IP from the address pool
3.4.5 -j MASQUERADE
-j MASQUERADE
Dynamic source address translation (used when the outgoing interface has a dynamic IP)
For example:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
Masquerades packets with a source address in 192.168.0.0/24 behind the address of the outgoing interface.
3.5 Extension modules
Match by connection state (state)
Match by source MAC (mac)
Match by packet rate (limit)
Match multiple ports (multiport)
3.5.1 state
-m state --state STATE
STATE: NEW, RELATED, ESTABLISHED, INVALID
NEW: the first packet of a new connection (a connection-tracking notion, not the same thing as a TCP SYN)
ESTABLISHED: belongs to a connection that is already established
RELATED: a connection derived from an existing one, known through the conntrack helpers (e.g. the FTP data connection)
INVALID: cannot be associated with any known connection, or has no state
For example:
iptables -A INPUT -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
3.5.2 mac
-m mac --mac-source MAC
Matches a source MAC address
For example:
iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx \
  -j DROP
Blocks packets from that MAC address from passing through this host
Note:
A MAC address is only visible for one hop; do not try to match the MAC address of a host on the other side of a router.
3.5.3 limit
-m limit --limit rate [--limit-burst number]
Matches packets up to a certain rate
For example:
iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s \
  -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP
Note:
limit only matches packets at the given rate; it does not "limit" anything by itself. Whatever it does not match falls through to the next rule (here the DROP).
3.5.4 multiport
-m multiport --ports port1[,port2,...,portN]
Matches several ports at once; --sports, --dports and --ports select source ports, destination ports, or either
For example:
iptables -A INPUT -p tcp -m multiport --ports \
  21,22,25,80,110 -j ACCEPT
Note:
Must be used together with the -p parameter
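The note in 3.5.3 is the one people trip over: "-m limit" never drops anything, it only stops matching once the rate is exhausted, and the verdict for the rest comes from the next rule. The following Python model of the limit match and the ACCEPT/DROP pair above is an added example, not code from the original tutorial. It keeps a credit counter the way the kernel does (credit refills with time, is capped at --limit-burst packets, and each matching packet spends one packet's worth), but its time base and constructed arrival patterns are this example's own; the real module works at jiffies granularity, so exact counts on a live box differ slightly.

```python
US_PER_SEC = 1_000_000


def unit_seconds(unit):
    """'/second', '/minute', '/hour', '/day' or a prefix ('/s', '/min'); no unit means per hour."""
    if not unit:
        return 3600
    for name, secs in (("second", 1), ("minute", 60), ("hour", 3600), ("day", 86400)):
        if name.startswith(unit.lower()):
            return secs
    raise ValueError(f"unknown unit {unit!r}")


class LimitMatch:
    """-m limit --limit <rate>[/<unit>] [--limit-burst <n>] as a credit bucket."""

    def __init__(self, limit, burst=5):                  # iptables' default burst is 5
        count, _, unit = limit.partition("/")
        self.cost = unit_seconds(unit) * US_PER_SEC // int(count)  # microseconds one packet costs
        self.max_credit = self.cost * burst              # a full bucket holds exactly one burst
        self.credit, self.last = self.max_credit, 0

    def matches(self, now_us):
        """Refill for the time elapsed (capped), then spend one packet's credit if there is enough.
        Packets must be fed in non-decreasing time order."""
        self.credit = min(self.max_credit, self.credit + (now_us - self.last))
        self.last = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def forward_chain(arrivals_us, limit):
    """Rule 1: -m limit ... -j ACCEPT; rule 2: -j DROP. The first match decides each packet."""
    return ["ACCEPT" if limit.matches(t) else "DROP" for t in arrivals_us]


def burst_then_steady():
    """Two constructed arrival patterns against '--limit 50/s --limit-burst 5'."""
    # 100 packets arriving in the same instant: only the burst gets through
    flood = forward_chain([0] * 100, LimitMatch("50/s", burst=5))
    # 100 packets evenly spread over one second (one every 10 ms, i.e. 100/s offered):
    # the 50/s rate plus the initial burst pass, the rest hit the DROP rule
    steady = forward_chain(range(0, US_PER_SEC, 10_000), LimitMatch("50/s", burst=5))
    return flood.count("ACCEPT"), steady.count("ACCEPT")
```

burst_then_steady() returns (5, 54): five of the hundred simultaneous packets are accepted, and of the evenly spaced hundred the first nine drain the bucket, after which credit only ever suffices for every second packet. Swap the second rule for ACCEPT and every packet passes, which is the point of the note.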
4. Case analysis
Protecting a single server
How to build a gateway
How to restrict intranet users
How to publish an internal server to the outside
The connection tracking module
4.1 Protecting a single server
Find out which services are exposed to the outside
Write the rules:
handling of the loopback interface lo
handling of connection state
handling of protocol + port
Example: an ordinary web server
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
Note: make sure the rules are correct, understand their logical relationship, and get into the habit of checking with -vnL.
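To see how the matching conditions of 3.3 (interfaces, CIDR addresses, protocol, single ports and the a:b, :b and a: ranges), the multiport and state extensions of 3.5, and the first-match walk through the 4.1 rule set fit together, here is an added Python model; it is not code from the original tutorial. Its rule parser, packet dicts, addresses and the Conntrack class are this example's own simplifications: an entry is created when a packet is accepted, a packet travelling in the reply direction of a known entry is ESTABLISHED, and RELATED (conntrack helpers such as FTP) is not modelled.

```python
import ipaddress
import shlex


def parse_port_spec(spec):
    """'80' -> (80, 80); '1000:3000' -> (1000, 3000); ':3000' -> (0, 3000); '1000:' -> (1000, 65535)."""
    if ":" not in spec:
        return int(spec), int(spec)
    lo, hi = spec.split(":", 1)
    return (int(lo) if lo else 0), (int(hi) if hi else 65535)


def parse_rule(text):
    """Turn an iptables rule specification into a dict of conditions plus its target."""
    toks = shlex.split(text)
    rule = {}
    for opt, val in zip(toks[::2], toks[1::2]):       # every option used here takes one value
        if opt in ("-i", "-o", "-p", "-j"):
            rule[{"-i": "in", "-o": "out", "-p": "proto", "-j": "target"}[opt]] = val
        elif opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(val, strict=False)
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]] = parse_port_spec(val)
        elif opt in ("--sports", "--dports", "--ports"):   # multiport
            rule[opt[2:]] = [parse_port_spec(p) for p in val.split(",")]
        elif opt == "--state":
            rule["state"] = set(val.split(","))
        elif opt != "-m":                                  # -m only loads an extension
            raise ValueError(f"unsupported option {opt}")
    if any(k in rule for k in ("sport", "dport", "sports", "dports", "ports")) and "proto" not in rule:
        raise ValueError("port matches require -p (note in 3.3.4)")
    return rule


def rule_matches(rule, pkt, state):
    """Every condition in the rule must hold; a rule with no conditions matches everything."""
    sp, dp = pkt.get("sport", -1), pkt.get("dport", -1)
    in_rng = lambda port, r: r[0] <= port <= r[1]
    tests = {
        "in": lambda v: pkt.get("in") == v,
        "out": lambda v: pkt.get("out") == v,
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in v,
        "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
        "proto": lambda v: pkt["proto"] == v,
        "sport": lambda v: in_rng(sp, v),
        "dport": lambda v: in_rng(dp, v),
        "sports": lambda v: any(in_rng(sp, r) for r in v),
        "dports": lambda v: any(in_rng(dp, r) for r in v),
        "ports": lambda v: any(in_rng(sp, r) or in_rng(dp, r) for r in v),
        "state": lambda v: state in v,
    }
    return all(tests[k](v) for k, v in rule.items() if k != "target")


class Conntrack:
    """Simplified conntrack: original 5-tuple -> whether a reply has been seen."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def tuple_of(pkt, reverse=False):
        a, b = (pkt["src"], pkt.get("sport")), (pkt["dst"], pkt.get("dport"))
        return (pkt["proto"],) + (b + a if reverse else a + b)

    def state(self, pkt):
        if self.tuple_of(pkt, reverse=True) in self.entries:
            return "ESTABLISHED"                       # reply direction of a known connection
        return "ESTABLISHED" if self.entries.get(self.tuple_of(pkt)) else "NEW"

    def confirm(self, pkt):
        """Record a packet that was let through: create the entry or mark its reply as seen."""
        rev = self.tuple_of(pkt, reverse=True)
        if rev in self.entries:
            self.entries[rev] = True
        else:
            self.entries.setdefault(self.tuple_of(pkt), False)


# The 4.1 rule set for an ordinary web server, in chain order, plus its policy
WEB_SERVER_INPUT = [parse_rule(r) for r in (
    "-i lo -j ACCEPT",
    "-p tcp -m multiport --dports 22,80 -j ACCEPT",
    "-m state --state RELATED,ESTABLISHED -j ACCEPT",
)]
INPUT_POLICY = "DROP"


def input_verdict(pkt, ct, rules=WEB_SERVER_INPUT, policy=INPUT_POLICY):
    """Walk the INPUT chain: the first matching rule decides, otherwise the policy applies."""
    state = ct.state(pkt)
    verdict = next((r["target"] for r in rules if rule_matches(r, pkt, state)), policy)
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict


def packet(iface, src, sport, dst, dport, proto="tcp"):
    return {"in": iface, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def demo():
    """Constructed traffic against the web server rule set (server address 198.51.100.10)."""
    ct, server, out = Conntrack(), "198.51.100.10", {}
    out["http"] = input_verdict(packet("eth0", "203.0.113.5", 40000, server, 80), ct)
    out["mysql"] = input_verdict(packet("eth0", "203.0.113.5", 40001, server, 3306), ct)
    out["loopback"] = input_verdict(packet("lo", "127.0.0.1", 5000, "127.0.0.1", 3306), ct)
    # the server opens a connection out itself (OUTPUT has no rules, so it is accepted and
    # conntrack learns it); the reply then comes back ESTABLISHED despite the odd port
    ct.confirm(packet("eth0", server, 43000, "198.51.100.53", 443))
    out["reply"] = input_verdict(packet("eth0", "198.51.100.53", 443, server, 43000), ct)
    out["unsolicited"] = input_verdict(packet("eth0", "203.0.113.9", 443, server, 43000), ct)
    return out
```

demo() shows the division of labour in the 4.1 rule set: rule 2 admits the two published services, rule 3 admits only replies to connections the host started, and the policy catches everything else, including a packet aimed at the very same high port that the reply used.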
4.2 How to build a gateway
Work out the network topology
Make sure the gateway host itself can reach the Internet
Set up NAT:
enable routing (IP forwarding)
address masquerading with SNAT/MASQUERADE
Example: ADSL dial-up topology
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 \
  -j MASQUERADE
4.3 How to restrict intranet users
Filter location: the FORWARD chain of the filter table
Matching conditions: -s, -d, -p, --sport/--dport
Actions: ACCEPT, DROP
Example:
iptables -A FORWARD -s 192.168.0.3 -j DROP
iptables -A FORWARD -m mac --mac-source 11:22:33:44:55:66 \
  -j DROP
iptables -A FORWARD -d bbs.chinaunix.net -j DROP
4.4 How to publish an internal server to the outside
Service protocol (TCP/UDP)
Externally visible service port
Private-network IP of the internal server
Real service port on the internal server
Example:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 \
  -j DNAT --to-destination 192.168.1.2
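The DNAT rule of 4.4 and the SNAT/MASQUERADE rules of 3.4 and 4.2 only say what happens to the first packet of a connection; the reason NAT works at all is that the translation is stored as a connection-tracking binding and applied in reverse to every reply. The Python model below is an added example, not code from the original tutorial: the Gateway class, the hook names, the crc32 stand-in for the kernel's address-pool selection and all addresses are this example's own. MASQUERADE differs from SNAT only in taking the outgoing interface's current address instead of a fixed pool, so the same model covers it.

```python
import ipaddress
import zlib

FIELDS = ("proto", "src", "sport", "dst", "dport")


def key(p):
    """The 5-tuple that conntrack identifies a flow by."""
    return tuple(p[f] for f in FIELDS)


def reverse(k):
    return (k[0], k[3], k[4], k[1], k[2])


def rewrite(p, k):
    return dict(p, **dict(zip(FIELDS, k)))


def expand_pool(spec):
    """'1.1.1.1' -> ['1.1.1.1']; '1.1.1.1-1.1.1.3' -> all three addresses (the --to IP[-IP] form)."""
    first, _, last = spec.partition("-")
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last or first))
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


class Gateway:
    """nat table of one gateway: a DNAT rule in PREROUTING and an SNAT rule in POSTROUTING."""

    def __init__(self, lan, dnat_to, snat_to):
        self.lan = ipaddress.ip_network(lan)
        self.dnat_pool, self.snat_pool = expand_pool(dnat_to), expand_pool(snat_to)
        # original 5-tuple -> (translated 5-tuple, hook that created it): the binding
        # conntrack keeps so that later packets and replies need no rule lookup
        self.bindings = {}

    @staticmethod
    def pick(pool, k):
        # stand-in for the kernel's pool selection: a stable hash of the original tuple
        return pool[zlib.crc32(repr(k).encode()) % len(pool)]

    def existing(self, p, hook):
        k = key(p)
        for orig, (xlat, rule_hook) in self.bindings.items():
            if k == orig and hook == rule_hook:            # later packets of the same flow
                return rewrite(p, xlat)
            if k == reverse(xlat) and hook != rule_hook:   # replies: undone at the other hook
                return rewrite(p, reverse(orig))
        return None

    def prerouting(self, p):
        """-t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination <pool>"""
        done = self.existing(p, "PREROUTING")
        if done is not None:
            return done
        if p["in"] == "ppp0" and p["proto"] == "tcp" and p["dport"] == 80:
            k = key(p)
            new = rewrite(p, k[:3] + (self.pick(self.dnat_pool, k), 80))
            self.bindings[k] = (key(new), "PREROUTING")
            return new
        return p

    def postrouting(self, p):
        """-t nat -A POSTROUTING -s <lan> -o ppp0 -j SNAT --to-source <pool>"""
        done = self.existing(p, "POSTROUTING")
        if done is not None:
            return done
        if p["out"] == "ppp0" and ipaddress.ip_address(p["src"]) in self.lan:
            k = key(p)
            new = rewrite(p, (k[0], self.pick(self.snat_pool, k), k[2]) + k[3:])
            self.bindings[k] = (key(new), "POSTROUTING")
            return new
        return p


def pkt(iface_in, iface_out, src, sport, dst, dport):
    return {"in": iface_in, "out": iface_out, "proto": "tcp",
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def forward(gw, p):
    """A forwarded packet passes PREROUTING, then routing/FORWARD, then POSTROUTING."""
    return gw.postrouting(gw.prerouting(p))


def demo():
    """Constructed traffic: a DNAT'd web request and an SNAT'd outbound connection, with replies."""
    gw = Gateway(lan="192.168.0.0/24", dnat_to="192.168.0.1-192.168.0.10", snat_to="1.1.1.1")
    req = forward(gw, pkt("ppp0", "eth0", "203.0.113.7", 51000, "1.1.1.1", 80))       # outside -> public IP
    reply = forward(gw, pkt("eth0", "ppp0", req["dst"], 80, "203.0.113.7", 51000))    # server answers
    out = forward(gw, pkt("eth0", "ppp0", "192.168.0.55", 40000, "198.51.100.9", 443))  # LAN host goes out
    back = forward(gw, pkt("ppp0", "eth0", "198.51.100.9", 443, out["src"], 40000))   # Internet answers
    return {"dnat": req, "dnat_reply": reply, "snat": out, "snat_reply": back}
```

In demo() the request is rewritten to one address of the 192.168.0.1-192.168.0.10 pool, and the internal server's reply leaves ppp0 with the public address as its source without any rule for that direction; likewise the LAN host's packets leave as 1.1.1.1 and the answer is delivered back to 192.168.0.55. This is also why the FTP helper modules of 4.5 are needed: a data connection negotiated inside the control channel has no binding of its own until a helper creates one.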
4.5 The connection tracking module
Why use the connection tracking module
How the FTP protocol transmits data
What traditional firewalls do
How to use it
4.5.1 How the FTP protocol transmits data
Ports used:
command port
data port
Transfer modes:
active mode (ACTIVE)
passive mode (PASSIVE)
Active mode:
Client                      Server
xxxx  ---------------->     21      command connection, opened by the client
yyyy  <----------------     20      data connection, opened by the server back to the client
FW1                         FW2
Passive mode:
yyyy  ---------------->     zzzz    data connection, opened by the client to a high port on the server
4.5.2 What traditional firewalls do
Open only TCP/20 and use active mode
Open a high port range on the firewall
Configure the FTP service to use a smaller port range in passive mode
4.5.3 How to use the connection tracking module
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
(on current kernels these modules are named nf_conntrack_ftp and nf_nat_ftp)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state \
  RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
5. Network management strategy
What are you afraid of?
What can you do?
What to allow versus what to forbid?
Three "disciplines" and five "attentions"
Other considerations
5.1 Required additions
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > \
  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
5.2 Options
Block:
iptables -A FORWARD -p tcp --dport xxx -j DROP
iptables -A FORWARD -p tcp --dport yyy:zzz -j DROP
Allow:
iptables -A FORWARD -p tcp --dport xxx -j ACCEPT
iptables -A FORWARD -p tcp --dport yyy:zzz -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
iptables -P FORWARD DROP
5.3 Three "disciplines" and five "attentions"
Three "disciplines": the three tables
filter
nat
mangle
Five "attentions": the five chains, i.e. the direction the packet travels
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
5.4 Other considerations
Form good habits:
iptables -vnL
iptables -t nat -vnL
iptables-save
Pay attention to the logical order of rules (-A appends at the end, -I inserts at the top, and the first matching rule wins):
iptables -A INPUT -p tcp --dport xxx -j ACCEPT
iptables -I INPUT -p tcp --dport yyy -j ACCEPT
This concludes the detailed tutorial on the Linux iptables firewall; the best way to consolidate it is to try the commands in practice.