2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces the basic knowledge points of iptables. The content is detailed and easy to follow, the operations are simple and quick, and it has some reference value; we believe you will gain something from reading it, so let's take a look.
iptables is available on all Linux distributions, so we must understand how to configure it in order to manage the firewall effectively.
First, the structure of iptables: iptables -> tables -> chains -> rules. Put simply, a table is made up of chains, and a chain is made up of rules. This is shown in the following figure.
Figure: IPTables Table, Chain, and Rule Structure
I. Tables and chains of iptables
Iptables has four built-in tables: Filter, NAT, Mangle, and Raw:
1. Filter table
Filter is the default table of iptables: if you do not specify a table, the filter table is used. It has the following three built-in chains:
INPUT chain: handles packets arriving from outside.
OUTPUT chain: handles packets being sent out.
FORWARD chain: handles packets forwarded to other NIC devices on this machine.
2. NAT table
The NAT table has three built-in chains:
PREROUTING chain: processes packets that have just arrived on the local machine, before routing. It rewrites the destination IP address of the packet, usually for DNAT (destination NAT).
POSTROUTING chain: processes packets that are about to leave the machine. It rewrites the source IP address of the packet, usually for SNAT (source NAT).
OUTPUT chain: processes packets generated by the machine itself.
3. Mangle table
The Mangle table is used to specify how packets are handled; it can change the QoS bits in the TCP header. The Mangle table has five built-in chains:
PREROUTING
OUTPUT
FORWARD
INPUT
POSTROUTING
4. Raw table
The Raw table is used to handle exceptions and has two built-in chains:
PREROUTING chain
OUTPUT chain
5. Summary
The following figure shows the three built-in tables of iptables:
Figure: IPTables built-in table
II. iptables rules
Keep the following three points in mind to understand iptables rules:
A rule consists of a condition and a target.
If the condition is met, the action in the target (or the specified value) is executed.
If the condition is not met, the next rule is evaluated.
Target values
These are the special values you can specify as the target:
ACCEPT: the firewall accepts the packet.
DROP: the firewall drops the packet.
QUEUE: the firewall passes the packet to user space.
RETURN: the firewall stops executing the remaining rules in the current chain and returns to the calling chain.
If you run iptables --list, you will see the rules currently in the firewall. The following example shows that no firewall rules are defined on the current system. As you can see, it shows the default filter table and its default INPUT, FORWARD and OUTPUT chains:
# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
View the mangle table:
# iptables -t mangle --list
View the NAT table:
# iptables -t nat --list
View the raw table:
# iptables -t raw --list
! Note: if you do not specify the -t option, only the default filter table is displayed. The following two forms of the command therefore mean the same thing:
# iptables -t filter --list (or) # iptables --list
The following example shows that there are rules in the INPUT, FORWARD and OUTPUT chains of the filter table:
# iptables --list
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
The above output contains the following fields:
num: the rule number within the chain
target: one of the special target values mentioned earlier
prot: protocol, such as tcp, udp or icmp
source: source IP address of the packet
destination: destination IP address of the packet
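As an added example (not from the original article), the following script parses the listing format just described so that rules can be located by chain, target and extra fields instead of by eye, and prints the corresponding delete-by-number commands highest number first, which matters when you later delete rules with iptables -D CHAIN NUM (deleting renumbers the rules after it). SAMPLE_LISTING is constructed to mirror the RH-Firewall-1-INPUT listing above.

```shell
#!/bin/sh
# Added example, not the article's own code: parse `iptables --list --line-numbers`
# style output and locate rule numbers by field. SAMPLE_LISTING is constructed data.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Read a listing on stdin; print one "chain|num|target|prot|source|destination|extra" line per rule.
parse_listing() {
  awk '
    /^Chain / { chain = $2; next }     # "Chain INPUT (policy ACCEPT)" or "Chain X (2 references)"
    /^num / || NF == 0 { next }        # column header and blank separator lines carry no rule
    {
      extra = ""
      for (i = 7; i <= NF; i++) extra = extra (i > 7 ? " " : "") $i
      printf "%s|%s|%s|%s|%s|%s|%s\n", chain, $1, $2, $3, $5, $6, extra
    }'
}

# $1 = chain name. Prints the chain policy, or "none" for user-defined chains, which have none.
chain_policy() {
  awk -v c="$1" '
    $1 == "Chain" && $2 == c {
      if ($3 == "(policy") { p = $4; sub(/\)$/, "", p); print p } else print "none"
      exit
    }'
}

# $1 = chain, $2 = target, $3 = optional substring that must appear in the extra column.
# Prints the matching rule numbers, highest first, so they can be deleted without renumbering surprises.
rule_numbers() {
  parse_listing | awk -F'|' -v c="$1" -v t="$2" -v pat="${3:-}" '
    $1 == c && $3 == t && (pat == "" || index($7, pat) > 0) { print $2 }' | sort -rn
}

# Same arguments as rule_numbers; prints the delete commands so they can be reviewed before running.
delete_cmds() {
  rule_numbers "$@" | awk -v c="$1" '{ print "iptables -D " c " " $1 }'
}

# Stand-alone demonstration: which delete commands would remove the ACCEPT rules of the custom chain.
printf '%s\n' "$SAMPLE_LISTING" | delete_cmds RH-Firewall-1-INPUT ACCEPT
```

On a live system feed the functions with `iptables -L -n --line-numbers | delete_cmds CHAIN TARGET` and pipe the reviewed output to sh.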
III. Clear all iptables rules
Before configuring iptables, you usually first check whether rules already exist, using iptables --list or iptables-save, because sometimes the existing rules need to be deleted:
iptables --flush   or   iptables -F
The two commands are equivalent. But that does not finish the job: you still need to check that the rules really are empty, because on some Linux distributions this command does not clear the rules in the NAT table, which then have to be cleared manually:
iptables -t nat -F
IV. Making the rules permanent
When you delete or add rules, the changes are not permanent, and the old rules are likely to be restored after a reboot. How to make the configuration take effect permanently differs from platform to platform. Here is a brief introduction:
1. Ubuntu
First, save the existing rules:
iptables-save > /etc/iptables.rules
Then create a new bash script and save it in the /etc/network/if-pre-up.d/ directory:
#!/bin/bash
iptables-restore < /etc/iptables.rules
In this way the iptables rules are loaded automatically every time the system is rebooted.
! Note: do not try to run the above command from .bashrc or .profile, because the user is usually not root, and that would only load the iptables rules at login.
2. CentOS, RedHat
# Save the iptables rules
service iptables save
# Restart the iptables service
service iptables stop
service iptables start
View the current rules:
cat /etc/sysconfig/iptables
5. Appending iptables rules
You can append a new rule with the iptables -A command, where -A stands for Append; the new rule is therefore appended to the end of the chain.
Usually the last rule is the one that DROPs all packets. If such a rule already exists and you add a new rule with -A, the new rule is never reached and is useless.
1. Syntax
iptables -A chain firewall-rule
-A chain: specifies the chain to append the rule to
firewall-rule: the specific rule parameters
2. Basic parameters that describe a rule
The following rule parameters describe the packet's protocol, source address, destination address, the network interface it enters or leaves through, and how the packet is handled. These are the basic descriptions of a rule.
-p protocol
Specifies the protocol of the rule, such as tcp, udp or icmp; all can be used to match every protocol.
If you do not specify -p, the default is all. This is unwise; always specify the protocol name explicitly.
You can use a protocol name (such as tcp) or a protocol number (such as 6 for tcp). For the mapping, see /etc/protocols.
You can also use --protocol instead of -p.
-s source address
Specifies the source address of the packet.
The parameter can be an IP address, a network address, or a hostname.
For example: -s 192.168.1.101 specifies an IP address.
For example: -s 192.168.1.10/24 specifies a network address.
If you do not specify -s, all addresses are matched.
You can also use --src or --source.
-d destination address
Specifies the destination address.
The parameter takes the same forms as -s.
You can also use --dst or --destination.
-j jump to target
-j stands for "jump to target".
-j specifies how to handle packets that match the rule.
Possible values are ACCEPT, DROP, QUEUE, RETURN and MASQUERADE.
You can also specify another chain as the target.
Note: MASQUERADE (address masquerading) is a special case of SNAT that performs SNAT automatically (see the previous article for details).
-i input interface
-i stands for "input interface".
-i specifies which interface the packets to be processed arrive on.
These packets are about to enter the INPUT, FORWARD or PREROUTING chain.
For example: -i eth0 processes packets arriving via eth0.
If -i is not specified, packets arriving on every interface are processed.
! -i eth0 processes every packet arriving on an interface other than eth0.
-i eth+ processes every packet arriving on an interface whose name begins with eth.
You can also use --in-interface.
-o output interface
-o stands for "output interface".
-o specifies which interface the packet leaves through.
These packets are about to enter the FORWARD, OUTPUT or POSTROUTING chain.
If -o is not specified, every interface on the system can be the output interface.
! -o eth0 matches packets leaving through an interface other than eth0.
-o eth+ matches only packets leaving through an interface whose name begins with eth.
You can also use --out-interface.
3. Extended parameters that describe a rule
Once we have the basic description of a rule, we sometimes also want to specify ports, TCP flags, ICMP types and so on.
--sport source port, for -p tcp or -p udp
By default, all ports are matched.
You can specify a port number or a port name, such as "--sport 22" or "--sport ssh".
The /etc/services file describes the mapping between the two.
In terms of performance, using port numbers is better.
Use a colon to match a port range, such as "--sport 22:100".
You can also use "--source-port".
--dport destination port, for -p tcp or -p udp
The parameter works like --sport.
You can also use "--destination-port".
--tcp-flags TCP flags, for -p tcp
You can specify multiple flags separated by commas.
Valid values are SYN, ACK, FIN, RST, URG and PSH.
You can also use ALL or NONE.
--icmp-type ICMP type, for -p icmp
--icmp-type 0 means Echo Reply.
--icmp-type 8 means Echo (request).
4. Complete example of appending rules: allow only the SSH service
The rules in this example allow only SSH packets through to the local machine; all other connections, including ping, are rejected.
# 1. Clear all iptables rules
iptables -F
# 2. Accept packets whose destination port is 22
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# 3. Drop all other packets
iptables -A INPUT -j DROP
6. Change the default policy
The example above only filters received packets; there is no restriction on packets being sent. This section focuses on changing the chain policy in order to change the behaviour of the chain.
1. Default chain policy
/!\ Warning: do not test this on servers or virtual machines you are connected to remotely!
When we use the -L option to verify the current rules, there is a "policy ACCEPT" tag next to every chain, which indicates that the default policy of that chain is ACCEPT:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
In this case, unless a DROP rule is explicitly added, the ACCEPT policy is applied by default. To change that, either:
A) add a DROP rule separately to each of the three chains:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
B) change the default policy:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Crap! If you configured iptables exactly as in the example in the previous section and are now connected over SSH, the session has probably just been forcibly terminated!
Why? Because we changed the OUTPUT chain policy to DROP. The server can still receive data, but it can no longer send any:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
7. Configure application rules
Although Section 5.4 described how to restrict connections other than SSH, that was done with the chain default policy set to ACCEPT and with no restriction on output packets. Building on the previous section, this section takes the ports used by SSH and HTTP as examples to show how to set up the firewall when the default chain policy is DROP. It introduces a new parameter, -m state, which checks the state field of the packet.
1. SSH
# 1. Allow SSH requests from remote hosts to be received
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Allow the local host's SSH responses to be sent
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-m state: enables the state matching module.
--state: parameter of the state matching module. When the first packet from the SSH client arrives at the server, the state field is NEW; once the connection is established, the state field of subsequent packets is ESTABLISHED.
--sport 22: sshd listens on port 22 and also establishes connections and transfers data with the client through this port, so for the SSH server the source port is 22.
--dport 22: the SSH client establishes a connection from a random local port to port 22 of the SSH server, so for the SSH client the destination port is 22.
If the server also needs to use SSH to connect to other remote hosts, add the following configuration:
# 1. The destination port of the outgoing packet is 22
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. The source port of the received packet is 22
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
2. HTTP
The HTTP configuration is similar to SSH:
# 1. Allow HTTP requests from remote hosts to be received
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Allow the local host's HTTP responses to be sent
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
3. Complete configuration
# 1. Delete existing rules
iptables -F
# 2. Configure the default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Allow remote hosts to connect over SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 4. Allow the local host to connect out over SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow HTTP requests
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
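The complete configuration above, together with the lockout warning from the previous section, as an added example that is not part of the original article: the ruleset is generated in iptables-restore format (default DROP, stateful SSH in and out, HTTP in) and applied with a timed rollback, so that a DROP policy on OUTPUT cannot permanently cut the SSH session used to apply it. The interface name, ports, grace period, file paths and the loopback rules are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own commands. Builds the section's "complete
# configuration" as an iptables-restore file and applies it with automatic rollback.
# Interface name, ports, grace period and paths are assumptions.
set -eu

# Print the ruleset in iptables-save format. $1 = interface, $2 = SSH port, $3 = HTTP port.
gen_ruleset() {
  iface=$1; ssh=$2; http=$3
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: an assumption not in the article's list; a DROP policy would otherwise break local services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# step 3: remote hosts may connect to our SSH server, and its replies may leave
-A INPUT -i $iface -p tcp --dport $ssh -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -p tcp --sport $ssh -m state --state ESTABLISHED -j ACCEPT
# step 4: this host may open SSH connections to remote hosts
-A OUTPUT -o $iface -p tcp --dport $ssh -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $iface -p tcp --sport $ssh -m state --state ESTABLISHED -j ACCEPT
# step 5: HTTP requests in, responses out
-A INPUT -i $iface -p tcp --dport $http -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -p tcp --sport $http -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Count the rules a ruleset (on stdin) would append to chain $1; useful as a sanity check before loading.
count_chain_rules() {
  grep -c "^-A $1 " || true
}

# Apply a ruleset file with automatic rollback. $1 = ruleset file, $2 = grace period in seconds.
# The current rules are saved first; unless "$1.confirmed" exists when the grace period ends,
# they are restored. nohup keeps the watchdog alive even if the SSH session applying the rules dies.
apply_with_rollback() {
  rules=$1; grace=${2:-60}
  backup=$(mktemp)
  iptables-save > "$backup"
  iptables-restore --test "$rules"   # parse only: a syntax error stops here and nothing is changed
  iptables-restore "$rules"
  nohup sh -c "sleep $grace; [ -e '$rules.confirmed' ] || iptables-restore '$backup'" >/dev/null 2>&1 &
  echo "rules applied; run 'touch $rules.confirmed' within ${grace}s to keep them, otherwise they roll back"
}

# Usage: without arguments, print the ruleset for review; with --apply, load it as root
# with a 60-second rollback window. IFACE defaults to eth0 as in the article.
case "${1-}" in
  --apply)
    gen_ruleset "${IFACE:-eth0}" 22 80 > /tmp/firewall.rules
    apply_with_rollback /tmp/firewall.rules 60 ;;
  *)
    gen_ruleset "${IFACE:-eth0}" 22 80 ;;
esac
```

Once the rules are confirmed, iptables-save > /etc/iptables.rules makes them persistent as described in section IV.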
The iptables command is the commonly used firewall tool on Linux and is part of the netfilter project. It can be configured directly or through one of many front ends and graphical interfaces.
Syntax:
iptables (options) (parameters)
Options:
-t: specify the table to operate on;
-A: append entries to a rule chain;
-D: delete entries from a rule chain;
-I: insert entries into a rule chain;
-R: replace entries in a rule chain;
-L: display the existing entries in a rule chain;
-F: clear the existing entries in a rule chain;
-Z: clear the packet counter and byte counter of a rule chain;
-N: create a new user-defined rule chain;
-P: define the default target (policy) of a rule chain;
-h: display help information;
-p: specify the packet protocol type to match;
-s: specify the packet source IP address to match;
-j: specify the target to jump to;
-i: specify the network interface on which the packet enters the machine;
-o: specify the network interface on which the packet leaves the machine.
Order of the iptables command options:
iptables -t table-name chain-name [rule-number] -p protocol-name --sport source-port --dport destination-port -j action
Table names include:
raw: advanced features, such as URL filtering.
mangle: packet modification (QoS), used to implement quality of service.
nat: address translation, used on gateways and routers.
filter: packet filtering, used for firewall rules.
Chain names include:
INPUT chain: processes incoming packets.
OUTPUT chain: processes outgoing packets.
FORWARD chain: processes forwarded packets.
PREROUTING chain: used for destination address translation (DNAT).
POSTROUTING chain: used for source address translation (SNAT).
Actions include:
ACCEPT: accept the packet.
DROP: drop the packet.
REDIRECT: redirection, port mapping, transparent proxy.
SNAT: source address translation.
DNAT: destination address translation.
MASQUERADE: IP masquerading (NAT), used for ADSL.
LOG: logging.
Examples
Clear the existing iptables rules:
iptables -F
iptables -X
iptables -Z
Open the specified ports:
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT   # allow the local loopback interface (i.e. the machine accessing itself)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # allow established or related traffic
iptables -A OUTPUT -j ACCEPT   # allow all outbound access from this machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # allow access to port 22
iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # allow access to port 80
iptables -A INPUT -p tcp --dport 21 -j ACCEPT   # allow FTP service port 21
iptables -A INPUT -p tcp --dport 20 -j ACCEPT   # allow FTP service port 20
iptables -A INPUT -j REJECT   # reject all other access not covered by the rules above
iptables -A FORWARD -j REJECT   # reject all other forwarded access
Block IP addresses:
iptables -I INPUT -s 123.45.6.7 -j DROP   # block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP   # block the whole /8, i.e. 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP   # block the /16 range, i.e. 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP   # block the /24 range, i.e. 123.45.6.1 to 123.45.6.254
View the added iptables rules:
# iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
Delete an added iptables rule:
Display all rules with their line numbers:
iptables -L -n --line-numbers
For example, to delete rule number 8 in the INPUT chain, run:
iptables -D INPUT 8
Prerequisites:
1. When the host receives a packet, it is first processed in kernel space. If the destination address is the host itself, the packet is handed to user space and passed to the corresponding application. If the destination is not the host itself, the packet is discarded or forwarded.
2. iptables implements the firewall function as follows: there are five key points on the path a packet takes through the kernel, namely PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING, called hook functions. iptables, a user-space program, can write rules at these five places to process packets. A rule is generally of the form "if the packet header meets these conditions, process the packet in this way".
3. iptables defines five chains, corresponding to the five hook functions above, and each hook function can hold multiple rules. Each time a packet reaches a hook function, iptables checks, starting from the first rule of that hook, whether the packet meets the rule's conditions. If it does, the packet is processed as the rule specifies; otherwise iptables goes on to the next rule, and if the packet matches none of the rules of that hook, it is processed according to the hook's pre-defined default policy.
4. iptables also defines tables, which represent the functions provided: the filter table (packet filtering), the nat table (network address translation), the mangle table (packet modification) and the raw table (data tracking). The tables have a fixed priority: raw > mangle > nat > filter.
The rules on a chain define different functions, and packets are checked in the priority order above:
1. If the destination address is local, the packet is sent to INPUT, which decides whether to accept it and pass it to user space. The path is ① -> ②.
2. If the forwarding rules in the nat table of PREROUTING match, the packet is sent to FORWARD and then out through POSTROUTING. The path is ① -> ③ -> ④ -> ⑥.
When the host sends a packet, the path is ⑤ -> ⑥.
iptables installation and configuration
Generally speaking, Linux has iptables installed by default; you only need to enable the service.
service iptables start     // start
service iptables restart   // restart
service iptables stop      // stop
Writing iptables rules:
Basic syntax: iptables [-t table] [operation command] [chain] [rule matcher] [-j target action]
Tables and the chains they support:
raw: generally used to stop iptables from tracking packets, which improves performance; chains: PREROUTING, OUTPUT
mangle: modify packets; all five chains can be used
nat: address translation; chains: PREROUTING, OUTPUT, POSTROUTING
filter (default): filter packets; chains: INPUT, FORWARD, OUTPUT
Common operation commands:
-A: append a rule at the end of the specified chain
-D: delete the matching rule
-R: replace the matching rule
-I: insert a rule at the specified position (example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT inserts the rule at the first position of the INPUT chain of the filter table)
-L: list the rules of the specified chain or of all chains
-F: delete the rules of the specified chain or of all chains
-N: create a user-defined chain (example: iptables -N allowed)
-X: delete the specified user-defined chain
-P: set the default policy of the specified chain; does not apply to user-defined chains
-Z: clear the counters of the specified chain or of all chains
-E: rename a user-defined chain (example: iptables -E allowed disallowed)
-n: display IP addresses and port numbers numerically (example: iptables -nL)
Common rule matchers:
-p tcp/udp/icmp/all: match the protocol; all matches every protocol
-s addr[/mask]: match the source address
-d addr[/mask]: match the destination address
--sport port1[:port2]: match the source port (a contiguous range can be given)
--dport port1[:port2]: match the destination port (a contiguous range can be given)
-o interface: match the egress network interface; only in FORWARD, POSTROUTING, OUTPUT (example: iptables -A FORWARD -o eth0)
-i interface: match the ingress network interface; only in PREROUTING, INPUT, FORWARD
--icmp-type: match the ICMP type (use iptables -p icmp -h to see the available ICMP types)
--tcp-flags mask comp: match TCP flags; mask is the set of flags to examine and comp the flags within mask that must be set (example: iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK -j ACCEPT matches packets with SYN and ACK set)
Target actions:
ACCEPT: allow the packet through
DROP: drop the packet
REJECT: drop the packet and send a rejection message to the sender
SNAT: source address translation (nat table). Example: iptables -t nat -A POSTROUTING -d 192.168.0.102 -j SNAT --to 192.168.0.1
DNAT: destination address translation (nat table). Example: iptables -t nat -A PREROUTING -d 202.202.202.2 -j DNAT --to-destination 192.168.0.102
REDIRECT: destination port translation (nat table). Example: iptables -t nat -D PREROUTING -p tcp --dport 8080 -i eth3.2 -j REDIRECT --to 80
MARK: mark the packet. Example: iptables -t mangle -A PREROUTING -s 192.168.1.3 -j MARK --set-mark 60
PS: 1. destination address translation is generally done on the PREROUTING chain; 2. source address translation is generally done on the POSTROUTING chain.
Save and restore iptables rules
Use iptables-save to save the rules to a specific file:
iptables-save > /etc/sysconfig/iptables_save
Use iptables-restore to restore the rules:
iptables-restore < /etc/sysconfig/iptables_save
Advanced iptables usage
1. limit: rate-limit traffic
-m limit --limit 1000/s   # sets the maximum average match rate
-m limit --limit-burst 15   # sets the maximum number of packets that can be matched initially (the burst)
-m limit --limit 5/m --limit-burst 15   # means 15 packets can be matched initially; the limit-burst value decreases by 1 for each match, so after 15 matches it is 0; after that, every 12 seconds the limit-burst value increases by 1, meaning one more packet can be matched
Example:
iptables -A INPUT -i eth0 -m limit --limit 5/m --limit-burst 15 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
Key points to note:
A. The value of --limit-burst must be larger than that of --limit.
B. limit itself has no packet-dropping function, so the second rule is needed to actually enforce the rate limit.
2. time: match within a specific time
-m time parameters:
--monthdays day1[,day2]: match on specific days of each month
--timestart hh:mm:ss: start matching at the given time of day
--timestop hh:mm:ss: stop matching at the given time of day
--weekdays day1[,day2]: match on the given days of each week; values are 1-7
Example:
iptables -A INPUT -i eth0 -m time --weekdays 1,2,3 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
3. ttl: match packets by their TTL value
Parameters:
--ttl-eq 100: match packets whose TTL value is 100
--ttl-gt 100: match packets whose TTL value is greater than 100
--ttl-lt 100: match packets whose TTL value is less than 100
Example:
iptables -A OUTPUT -m ttl --ttl-eq 100 -j ACCEPT
4. multiport: match multiple discrete ports
Parameters:
--sports port1[,port2,port3]: match source ports
--dports port1[,port2,port3]: match destination ports
--ports port1[,port2,port3]: match source or destination ports
Example (multiport requires -p tcp or -p udp):
iptables -A INPUT -p tcp -m multiport --sports 22,80,8080 -j DROP
5. state: match packets in the given connection state
Parameters:
--state value: value can be NEW, RELATED (associated), ESTABLISHED or INVALID (unknown connection)
Example:
iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
6. mark: match packets with the given mark value
Parameters:
--mark value: match packets whose mark is value
Example:
iptables -t mangle -A INPUT -m mark --mark 1 -j DROP
7. mac: match a specific MAC address
Example:
iptables -A FORWARD -m mac --mac-source 00:0C:24:FA:19:80 -j DROP