2025-04-03 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains the iptables-related configuration files and commands under Linux. The explanation is simple, clear and easy to learn and understand; please follow the editor's train of thought to study what the iptables-related configuration and commands are under Linux.
Start and stop
1. Command:
The code is as follows:
service iptables start|stop|restart
Or run the init script under /etc/init.d/ directly.
2. Configuration file:
/etc/sysconfig/iptables
If it does not exist, you can generate it with iptables-save.
Framework: tables > chains > rules (targets)
Overall, iptables can be thought of as being made up of many chains; otherwise its older version would not have been called ipchains. The levels are as follows:
A table consists of multiple chains, and a chain consists of multiple rules (one rule corresponds to one target).
The advantage of the target concept is that the system presets some targets, such as ACCEPT, DROP, REJECT and LOG: if a packet matches a rule, the target is the way it is handled. Introducing targets also allows the user to define a custom chain and then use the chain name as a new target, so that some rules can be grouped together. This forms a hierarchy of rules: if a rule is matched, the rules in its target chain are examined next.
1. iptables consists of four tables, and each table is composed of its default chains:
(1) filter: three chains by default--INPUT, OUTPUT and FORWARD
(2) nat: does the NAT work. Three chains by default--OUTPUT, PREROUTING and POSTROUTING.
(3) mangle: modifies some parameters of the packet. Five chains by default--INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.
(4) raw: the function is unknown. Two chains by default--OUTPUT and PREROUTING.
Different tables are responsible for different aspects. By default an iptables command takes effect on the filter table; you can make it take effect on nat with -t nat.
2. The so-called configuring of the firewall is:
(1) adding rules to chains:
Each chain is made up of a series of rules. For example, you need to change the INPUT chain to allow users to access a port on your machine.
For example, this INPUT chain has two rules, one to allow users to access your port 5901 and one to allow users to access your port 5902.
General security policy:
1. Start with the most stringent security measures, and relax your limits a little when you find something useful that does not work.
2. The firewall cannot be used as the main means of preventing intrusion; it can only be used as a supplement to the independent protection measures on each host. Independent protection measures on each host include crack, tcpd, nmap, COPS, tripwire and the corresponding policies.
Rules and commands:
The rule is simple: the corresponding packet is handed over to the corresponding built-in chain, and then the rules in the chain are matched from top to bottom; the first match ends the search, just like a break statement. So, for example, if you want to open some ports, write those rules first, and then close all ports at the end.
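The traversal model described above (rules checked top to bottom, a terminating target ending the walk like break, a user-defined chain used as a target, and the chain policy as the default when nothing matches) can be seen in a small simulator. This is an added example written for this page, not code from the article and not iptables itself; the rule table, the port numbers and the SERVICES chain name are constructed for illustration.

```shell
#!/bin/sh
# Toy simulator of iptables chain traversal (constructed for illustration).
# Rule table: one rule per line, "<chain> <proto|any> <dport|any> <target>".
# ACCEPT/DROP/REJECT are terminating targets; any other target name is treated
# as a user-defined chain, which falls back to the caller (RETURN) when exhausted.
RULES='INPUT tcp 22 ACCEPT
INPUT tcp 22 DROP
INPUT tcp any SERVICES
INPUT udp 53 ACCEPT
SERVICES tcp 5901 ACCEPT
SERVICES tcp 5902 ACCEPT
SERVICES tcp 23 REJECT'

# Policy of the built-in chain, the equivalent of "iptables -P INPUT DROP".
POLICY_INPUT=DROP

# walk_chain CHAIN PROTO DPORT: prints the verdict of the first matching rule,
# or RETURN when the chain is exhausted without a terminating match.
walk_chain() {
    while read -r r_chain r_proto r_dport r_target; do
        [ "$r_chain" = "$1" ] || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$2" ] || continue
        [ "$r_dport" = any ] || [ "$r_dport" = "$3" ] || continue
        case $r_target in
            ACCEPT|DROP|REJECT)
                # terminating target: later rules are never looked at (like break)
                echo "$r_target"; return 0 ;;
            *)
                # user-defined chain as target: descend, come back if it returns
                v=$(walk_chain "$r_target" "$2" "$3")
                if [ "$v" = RETURN ]; then continue; fi
                echo "$v"; return 0 ;;
        esac
    done <<EOF
$RULES
EOF
    echo RETURN
}

# verdict PROTO DPORT: decision for a packet arriving on INPUT, applying the policy.
verdict() {
    v=$(walk_chain INPUT "$1" "$2")
    if [ "$v" = RETURN ]; then echo "$POLICY_INPUT"; else echo "$v"; fi
}

# Demo with a few constructed packets.
for pkt in "tcp 22" "tcp 5901" "tcp 8080" "udp 123"; do
    set -- $pkt
    echo "$1/$2 -> $(verdict "$1" "$2")"
done
```

The second INPUT rule (tcp 22 DROP) is never reached, because the ACCEPT above it already terminated the walk; tcp/8080 falls through SERVICES, then through INPUT, and is decided by the policy.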
Static rules:
1. iptables -F chain-name:
Clear all rules in the chain named chain-name. Writing -F alone clears all rules in all chains, but keeps the chains.
By default this applies only to the filter table. If you want to clear something like the nat table, use iptables -t nat -F.
2. iptables -P chain-name target:
Set the default rule (policy) for the chain named chain-name. This is usually placed at the beginning of all the rules set for the chain, and is equivalent to the default branch of a switch statement. Note that if you set a chain in nat or mangle, don't forget to use -t table. Note, however, that the target here can only be a built-in one.
3. iptables -A chain-name rule:
Add a rule to the chain named chain-name, where the rule is a combination of the following:
-j target: a preset target or a user-defined chain
-i interface: the input interface, such as eth0
-p proto: the protocol, such as tcp or udp
-s source-ip: source IP
-d dest-ip: destination IP
--sport source-port: source port
--dport dest-port: destination port
--icmp-type type: matches ICMP types, e.g. which types of ICMP packets you allow to pass, followed by a number
!: negation
-t table: the table to operate on
4. iptables -I chain-name rulenum rule:
The difference from -A is that the rule is inserted at the given position, not appended at the end. A rulenum of 1 means it becomes the first rule.
5. iptables -X chain-name:
Delete a non-built-in (user-defined) chain. This is different from -F: it deletes the whole chain, the name is gone, and you can no longer see it with iptables -L -v.
6. iptables -D chain-name rule/rulenum:
This is the exact opposite of iptables -A chain-name rule. To delete a rule from chain-name, you can give the rule exactly as for -A, or use the rulenum, that is, the rule's number counted from the top of the chain, where the first rule has rulenum 1.
7. iptables -L chain-name:
Print the rules of the chain named chain-name. If no chain-name is given, all chains are printed.
8. iptables -L -v chain-name:
Adds some useful information on top of 7, such as the number of packets that have matched each rule since boot!
Dynamic rules: for connections (TCP connections)
1. There are three dynamic (state) parameters:
NEW: refers to the first packet of a TCP connection received
ESTABLISHED: packets that belong to a connection that has already been established
RELATED: a related connection established while a connection exists (typically FTP's passive mode, where the client initiates a data connection to the server; the port is specified by the server but the connection is initiated by the client)
2. Command:
The code is as follows:
iptables -A INPUT -m state --state NEW -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The above two commands reject all NEW outbound packets, but allow your own connections to receive external data (ESTABLISHED).
Plus:
The code is as follows:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 21 -j ACCEPT
This means the outside world can access port 21 (FTP, assuming passive mode). Combined with the state rules above, it allows the outside world to initiate its own FTP data connections; that may be any port, but there is no need to write it here!
So, in general, by writing the dynamic rules first and then the static rules, you can handle situations like FTP passive mode where you don't know which port the user will access.
3. Note:
Stateful rules need to be supported by the corresponding kernel modules; if they are not compiled in or loaded, the rules will not take effect.
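The static command list and the stateful rules above fit together into one ordered ruleset: the ESTABLISHED,RELATED rule first, then the static port rules, then a catch-all for NEW connections, with DROP as the INPUT policy. Because the first matching rule wins, the catch-all must come after the port rules, and setting the policy in the same atomic load as the allow rules avoids locking yourself out of a remote host. The script below is an added example for this page, not the article's own code: it renders such a ruleset in the iptables-restore format used by /etc/sysconfig/iptables so it can be reviewed before loading. The port list is an assumption, and the RELATED match for passive FTP only works when the FTP conntrack helper (nf_conntrack_ftp, ip_conntrack_ftp on older kernels) is loaded, which is the kernel-module caveat the note above makes.

```shell
#!/bin/sh
# Added example (not from the article): render a stateful-first ruleset as an
# iptables-restore file. Ports are assumed: ssh, ftp control, two VNC displays.
ALLOW_TCP_PORTS="22 21 5901 5902"

filter_rules() {
    # Same format iptables-save writes (and /etc/sysconfig/iptables holds).
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # equivalent to: iptables -P INPUT DROP
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Dynamic rules first: replies to our own connections, and RELATED data
    # connections such as passive FTP (needs the FTP conntrack helper loaded).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Static rules: ports the outside world may open NEW connections to.
    for port in $ALLOW_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Catch-all for every other connection attempt. The policy would drop it
    # too; an explicit rule makes the hit counters visible in "iptables -L -v".
    printf '%s\n' '-A INPUT -m state --state NEW -j DROP'
    printf '%s\n' 'COMMIT'
}

# input_rulenum PATTERN: position of the first INPUT rule containing PATTERN,
# numbered as "iptables -L INPUT --line-numbers" would show it.
input_rulenum() {
    filter_rules | grep -- '^-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Real load (root required): parse-only check first, then commit the table
# atomically so the allow rules and the DROP policy always arrive together.
load_rules() {
    filter_rules | iptables-restore --test && filter_rules | iptables-restore
}

filter_rules
```

Running the script prints the ruleset; redirecting it to /etc/sysconfig/iptables gives the configuration file the article mentions, and load_rules applies it without the window that separate -A and -P commands leave open.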
iptables performs IP access control on the requested URL
Let's look at an example.
The server runs Tomcat, and the goal is to allow only a specific IP to access a directory.
One way is to use RemoteAddrValve in the Tomcat configuration file server.conf to control access to the virtual host.
Another way is through iptables rules. Personally, I prefer iptables.
For example, access to http://192.168.137.254:10000/managersns is prohibited for everyone except 192.168.137.101:
The code is as follows:
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -s 192.168.137.101 -m string --string "/managersns" --algo bm -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -m string --string "/managersns" --algo bm -j DROP
The above rules apply to the eth0 interface; adjust them as your own requirements change.
Parameter description:
-m string
Use the string function; string is an iptables module that does string matching.
--string "xxxx"
Define the content of the string. It can be any characters in the URL; if you need to block downloads of certain types of files or certain requests, this leaves a lot of room to play with.
--algo bm
Set the search algorithm for string matching. Generally the bm algorithm is used by default; you can also set the kmp algorithm, which is a more complex algorithm. For details, refer to the relevant algorithm references. (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
-j DROP (explained under the next example)
String matching is also very effective for blocking video sites on a corporate network; the rules are set on the gateway server:
The code is as follows:
iptables -A FORWARD -m string --string "ku6.com" --algo bm -j DROP
iptables -A FORWARD -m string --string "tudou.com" --algo bm -j DROP
iptables -A FORWARD -m string --string "ouou.com" --algo bm -j DROP
The meanings of the parameters are as follows:
-A FORWARD
Add the rule to the FORWARD chain, which is for when routing (forwarding) is enabled (i.e. echo 1 > /proc/sys/net/ipv4/ip_forward).
For direct access to the machine itself, use INPUT or OUTPUT instead.
-j DROP
Set how packets that meet this condition are handled; DROP means the packet is discarded (rejected).
The code is as follows:
iptables -A INPUT -m string --string "stringname" --algo bm -j DROP
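The two string-match scenarios above (one trusted source allowed to a path, everyone else dropped; and a list of site names dropped on the FORWARD chain of a gateway) are collected below into one generator. This is an added example for this page, not the article's own script; the IP, port, path and site names are the ones the article uses, and the script emits an iptables-restore fragment rather than calling iptables directly, so the rule order can be checked before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the article): generate the string-match rules for the
# two scenarios above as an iptables-restore fragment. Values are from the page.
ADMIN_IP=192.168.137.101
APP_PORT=10000
ADMIN_PATH=/managersns
BLOCKED_SITES="ku6.com tudou.com ouou.com"

# Allow-then-drop pair for the admin path. The ACCEPT for the trusted source
# must come first: the first matching rule decides, so a DROP placed first wins.
# Packets to the port that do not carry the string fall through to later rules.
url_acl_rules() {
    printf '%s\n' "-A INPUT -i eth0 -p tcp --dport $APP_PORT -s $ADMIN_IP -m string --string \"$ADMIN_PATH\" --algo bm -j ACCEPT"
    printf '%s\n' "-A INPUT -i eth0 -p tcp --dport $APP_PORT -m string --string \"$ADMIN_PATH\" --algo bm -j DROP"
}

# One FORWARD rule per site name; applies to traffic routed through the gateway.
site_block_rules() {
    for site in $BLOCKED_SITES; do
        printf '%s\n' "-A FORWARD -m string --string \"$site\" --algo bm -j DROP"
    done
}

# Wrap both sets in a filter-table block that iptables-restore accepts.
string_ruleset() {
    printf '%s\n' '*filter'
    url_acl_rules
    site_block_rules
    printf '%s\n' 'COMMIT'
}

# Append to the live filter table without flushing existing rules (root required).
load_rules() {
    string_ruleset | iptables-restore --noflush
}

string_ruleset
```

Two limits of this approach matter for a defender: the string module inspects the payload of each packet on its own, so it only sees a path in cleartext HTTP and never inside an HTTPS connection, and a request split across packets may not match. For restricting an admin path to one address, a plain -s rule on the port or the RemoteAddrValve the article mentions is the sturdier control; the string rules are best seen as a supplement.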
Thank you for reading. The above is the content of "what are the relevant configurations and commands of iptables under Linux". After studying this article, I believe you have a deeper understanding of the relevant configuration and commands of iptables under Linux; the specific usage still needs to be verified in practice. The editor will push more articles on related knowledge points for you; you are welcome to follow!
© 2024 shulou.com SLNews company. All rights reserved.