What are the uses of iptables

2025-03-30 Update. From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/01 Report--

This article shows you the usage of iptables in a concise and easy to understand way. I hope you can gain something from this detailed introduction.

Overview

iptables -[ADC] chain rule-specification [options]
    -A append a rule to the chain, -D delete it, -C check it

iptables -[RI] chain rulenum rule-specification [options]
    -R replace or -I insert a rule at the given position number

iptables -D chain rulenum [options]
    Delete the rule at the given position number

iptables -[LFZ] [chain] [options]
    -L list, -F flush, or -Z zero the counters of the chain (all chains if none is given)

iptables -[NX] chain
    -N create or -X delete a user-defined chain

iptables -P chain target [options]
    Set the default target (policy) for the chain

iptables -E old-chain-name new-chain-name
    Rename the old chain name to the new chain name

Description

iptables is used to set up, maintain, and inspect the IP packet filtering rules of the Linux kernel.

Several different tables can be defined, each containing a number of built-in chains and possibly user-defined chains. Each chain is a list of rules that match a set of packets: each rule specifies what to do with a packet that matches. This is called a 'target', and may be a jump to a user-defined chain in the same table.

TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target. The target can be the name of a user-defined chain, or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to discard the packet. QUEUE means to pass the packet to user space. RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is determined by the policy of the chain.

TABLES

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and on which modules are loaded).

-t, --table table

This option specifies the packet matching table the command operates on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for the table if it is not already there. The tables are as follows: filter, the default table, contains the built-in chains INPUT (for packets coming into the host), FORWARD (for packets being routed through the host), and OUTPUT (for locally generated packets). nat is consulted when a packet that creates a new connection is encountered; it consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). The mangle table is used for specialised packet alteration and has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).

OPTIONS

The options recognised by iptables fall into several different groups.

COMMANDS

These options specify the action to perform; only one of them can be given on the command line unless otherwise specified. For the long versions of the command and option names, you need to use only enough letters to ensure that iptables can distinguish the name from all other options.

-A, --append

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

-D, --delete

Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.

-R, --replace

Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rule numbers start at 1.

-I, --insert

Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

-L, --list

List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

-F, --flush

Flush the selected chain. This is equivalent to deleting all the rules one by one.

-Z, --zero

Zero the packet and byte counters in all chains. It is legal to specify the -L (list) option as well, to see the counters immediately before they are cleared; see above.

-N, --new-chain

Create a new user-defined chain with the given name. There must be no chain of that name already.

-X, --delete-chain

Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-built-in chain in the table.

-P, --policy

Set the policy (default target) for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

-E, --rename-chain

Rename the specified chain to the user-supplied name. This is cosmetic and has no effect on the structure of the table.

-h, --help

Give a (currently very brief) description of the command syntax.

PARAMETERS

The following parameters make up a rule specification, as used in the add, delete, insert, replace, and check commands.

-p, --protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or a numeric value representing one of these protocols. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol name inverts the test. The number 0 is equivalent to all. Protocol all will match all protocols and is the default when this option is omitted. all may not be used in combination with the check command.

-s, --source [!] address[/mask]

Source specification. The address can be a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number specifying the number of 1 bits at the left side of the network mask, so a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.

-d, --destination [!] address[/mask]

Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target

This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

-i, --in-interface [!] [name]

Optional name of the interface via which a packet is received (for packets entering the INPUT, FORWARD, and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match any interface name.

-o, --out-interface [!] [name]

Optional name of the interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT, and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match any interface name.

[!] -f, --fragment

This means that the rule only refers to the second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports (or ICMP type) of such a packet, such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the sense is inverted.

OTHER OPTIONS

The following additional options can be specified:

-v, --verbose

Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffix K, M, or G for 1000, 1,000,000, and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For the append, insert, delete, and replace commands, this causes detailed information on the rule or rules to be printed.

-n, --numeric

Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as hostnames, network names, or services (whenever applicable).

-x, --exact

Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K, M, or G. This option is only relevant for the -L command.

--line-numbers

When listing rules, add a line number to the beginning of each rule, corresponding to that rule's position in the chain.

MATCH EXTENSIONS

iptables can use extended packet matching modules. The following are included in the base package, and most of these can be preceded by a "!" to invert the sense of the match.

tcp

These extensions are loaded if --protocol tcp is specified and no other match is specified. It provides the following options:

--source-port [!] [port[:port]]

Source port or port range specification. This can be either a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they will be swapped. The flag --sport is an alias for this option.

--destination-port [!] [port[:port]]

Destination port or port range specification. The flag --dport is an alias for this option.

--tcp-flags [!] mask comp

Match when the TCP flags are as specified. The first argument is the list of flags we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN will only match packets with the SYN flag set and the ACK, FIN, and RST flags unset.

[!] --syn

Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface will prevent incoming TCP connections, while outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", the sense of the option is inverted.

--tcp-option [!] number

Match if the given TCP option is set.

udp

These extensions are loaded if --protocol udp is specified and no other match is specified. It provides the following options:

--source-port [!] [port[:port]]

Source port or port range specification. See the description of the --source-port option of the TCP extension for details.

--destination-port [!] [port[:port]]

Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

icmp

This extension is loaded if --protocol icmp is specified and no other match is specified. It provides the following option:

--icmp-type [!] typename

This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.

mac

--mac-source [!] address

Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD, or INPUT chains from Ethernet devices.

limit

This module matches at a limited rate using a token bucket filter: a rule using this extension will match until this limit is reached (unless the "!" flag is used). It can be used in combination with the LOG target to give limited logging, for example.

--limit rate

Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix. The default is 3/hour.

--limit-burst number

Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number. The default is 5.

multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

--source-port [port[,port]]

Match if the source port is one of the given ports.

--destination-port [port[,port]]

Match if the destination port is one of the given ports.

--port [port[,port]]

Match if both the source and destination ports are equal to each other and to one of the given ports.

mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

--mark value[/mask]

Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).

owner

This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence never match.

--uid-owner userid

Matches if the packet was created by a process with the given effective user id.

--gid-owner groupid

Matches if the packet was created by a process with the given effective group id.

--sid-owner sessionid

Matches if the packet was created by a process in the given session group.

state

This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

--state state

Where state is a comma-separated list of the connection states to match. Possible states are INVALID, meaning that the packet is associated with no known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

unclean

This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.

tos

This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).

--tos tos

The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.

TARGET EXTENSIONS

iptables can use extended target modules: the following are included in the standard distribution.

LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (such as most IP header fields) via printk().

--log-level level

Level of logging (numeric or see syslog.conf(5)).

--log-prefix prefix

Prefix log messages with the specified prefix; up to 14 letters long, useful for distinguishing messages in the logs.

--log-tcp-sequence

Log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options

Log options from the TCP packet header.

--log-ip-options

Log options from the IP packet header.

MARK

This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

--set-mark mark

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP.

This target is only valid in the INPUT, FORWARD, and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type

The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules in or called from the INPUT chain which only match the TCP protocol: this causes a TCP RST packet to be sent back.
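As an added example (not part of the original article), the following shell script builds a complete stateful host firewall in iptables-restore format, exercising the pieces described above: -P policies, a -N user-defined chain, the state and limit matches, --syn and --tcp-flags, LOG with --log-prefix, and REJECT with tcp-reset. The management network 192.0.2.0/24 and SSH on port 22 are assumptions; nothing is applied unless run as root with --check, and even then only iptables-restore's parse-only mode is used.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a stateful host
# firewall as iptables-restore input so it can be reviewed and syntax-checked
# before it is loaded. Assumed: 192.0.2.0/24 (documentation range) is the
# management network; SSH listens on 22.
MGMT_NET=192.0.2.0/24

# Emit the whole filter table as text (nothing is applied here).
filter_ruleset() {
    cat <<EOF
*filter
# -P policies: drop anything no rule accepts; allow locally generated traffic.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# -N user-defined chain: log (rate-limited), then drop.
:LOGDROP - [0:0]
# Cheapest and most common matches first: loopback and tracked connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# New SSH connections only from the management network, rate-limited by a
# token bucket so a burst of SYNs cannot exhaust the listener.
-A INPUT -p tcp --syn --dport 22 -s $MGMT_NET -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
# Impossible flag combinations (all set / none set) go to the logging chain.
-A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP
-A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP
# Everything else: TCP gets a RST, other protocols an ICMP port-unreachable.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# LOGDROP: limit keeps printk() from flooding the kernel log; prefix <= 14 chars.
-A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Policy of a built-in chain as declared in the ruleset (e.g. "DROP").
chain_policy() {
    filter_ruleset | sed -n "s/^:$1 \([A-Z]*\) \[.*/\1/p"
}

# Number of rules appended to the given chain.
rule_count() {
    filter_ruleset | grep -c "^-A $1 "
}

# With --check as root: parse-only load via iptables-restore --test.
# Otherwise just print the ruleset for review.
main() {
    if [ "$1" = "--check" ] && [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null; then
        filter_ruleset | iptables-restore --test && echo "ruleset parses OK"
    else
        filter_ruleset
    fi
}

main "$@"
```

To load it for real, pipe filter_ruleset into iptables-restore without --test; iptables-restore replaces the table atomically, unlike a sequence of individual -A commands.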

TOS

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.

--set-tos tos

You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.

MIRROR

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD, and OUTPUT chains, and user-defined chains which are only called from those chains.

SNAT

This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

--to-source ipaddr[-ipaddr][:port-port]

This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512, those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

DNAT

This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled). It takes one option:

--to-destination ipaddr[-ipaddr][:port-port]

This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.

MASQUERADE

This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

--to-ports port[-port]

This specifies a range of source ports to use, overriding the default SNAT source port selection (see above). This is only valid if the rule also specifies -p tcp or -p udp.

REDIRECT

This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to the 127.0.0.1 address). It takes one option:

--to-ports port[-port]

This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
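As an added example (not part of the original article), this script generates the nat-table rules for a small gateway together with the filter-table FORWARD rules they depend on, choosing SNAT for a static address and MASQUERADE for a dynamic one as the SNAT and MASQUERADE sections above prescribe, and using REDIRECT in PREROUTING for a local transparent proxy. The interface names eth0/eth1, the LAN 192.168.10.0/24, the public address 198.51.100.7 and the proxy port 3128 are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Generates nat and filter rules
# for a small gateway as iptables-restore input. Assumed: eth0 is the uplink,
# eth1 the LAN (192.168.10.0/24), 198.51.100.7 (documentation range) stands in
# for a static public address, and a proxy listens locally on port 3128.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.10.0/24

# $1 is "static" or "dynamic"; $2 is the public address (static mode only).
# Static address: SNAT to a fixed source. Dynamic (dialup/DHCP): MASQUERADE,
# which takes the outgoing interface's address and forgets connections when
# the interface goes down.
nat_ruleset() {
    case "$1" in
        static)  src="-j SNAT --to-source ${2:-198.51.100.7}" ;;
        dynamic) src="-j MASQUERADE" ;;
        *) echo "nat_ruleset: expected static or dynamic" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# REDIRECT (PREROUTING only): LAN web traffic lands on the local proxy port.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 3128
# Source translation happens in POSTROUTING, after the routing decision.
-A POSTROUTING -s $LAN_NET -o $WAN_IF $src
COMMIT
*filter
# nat rules only rewrite addresses; the filter table still decides what is
# forwarded. Default-deny FORWARD, then allow LAN-initiated flows and replies.
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The single POSTROUTING rule, so a reviewer can see which translation is used.
source_nat_rule() {
    nat_ruleset "$@" | grep '^-A POSTROUTING '
}

# Forwarding also needs net.ipv4.ip_forward=1 (sysctl), which is outside
# the ruleset; print the dynamic-address variant when run directly.
nat_ruleset dynamic
```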

DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS

Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS

iptables is very similar to ipchains by Rusty Russell. The main difference is that the chain INPUT is only traversed for packets coming into the local host and OUTPUT only for packets originating from the local host. Hence every packet passes through only one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface, -o refers to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This greatly reduces the previous confusion over the combination of IP masquerading and packet filtering, so the following options are handled differently:

-j MASQ

-M -S

-M -L

There are several other differences in iptables.

That is the usage of iptables. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
