How to understand the iptables of Linux

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many people who are new to Linux are unsure how to make sense of iptables. This article summarizes what iptables is, how it processes packets, and the commands used to manage it, so that the topic is clear by the end.

A firewall is, in essence, a protective barrier built between an internal and an external network, made up of software and hardware; it is an isolation technique. Physically, firewalls can be divided into software and hardware firewalls; logically, into host firewalls and network firewalls. The iptables discussed here belongs to the category of software firewalls, but it is only a command-line tool, a client front end, and not the firewall itself. Users employ this front end to install security settings into the real firewall framework, which is called Netfilter.

Principle

Netfilter is a subsystem of the Linux kernel whose main functions are packet filtering, connection tracking and address translation; iptables is the command-line tool Netfilter provides for filtering and modifying packets. When a packet enters the kernel through a network interface, it passes through iptables' five chains, each of which holds rules for handling packets. By placing rules on these chains we control how packets are handled, and that is what makes a firewall. Whenever a packet reaches a chain, iptables checks whether the packet meets the conditions defined in the rules, starting with the first rule in the chain. If it does, the packet is handled as that rule specifies; if not, iptables moves on to the next rule; and if the packet matches none of the rules in the chain, it is handled according to the chain's default policy.
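To make the first-match behaviour concrete, here is an added example (not code from the original article) that simulates walking one chain in plain shell and awk. The sample chain, the `evaluate_chain` function and its address and port matchers are constructed for this illustration; the matcher only understands single addresses and /8, /16 or /24 prefixes.

```shell
# Added example (not from the original article): simulate how iptables walks
# one chain. Each rule is "SRC DPORT TARGET"; "any" matches everything and SRC
# may be an address or a /8, /16 or /24 prefix (constructed matcher, nothing
# more). The first matching rule decides; if none matches, the chain's default
# policy applies.

# Constructed sample INPUT chain in the order iptables holds it: rule 1 was
# added with -I (so it sits first), the others with -A, in this sequence.
SAMPLE_CHAIN='110.1.1.1 any DROP
123.45.6.0/24 any DROP
202.13.0.0/16 22 ACCEPT
any 22 DROP
any 20:1024 ACCEPT'

# evaluate_chain POLICY SRC_IP DPORT -> "VERDICT N" (N = matching rule, 0 = policy)
evaluate_chain() {
    printf '%s\n' "$SAMPLE_CHAIN" | awk -v policy="$1" -v src="$2" -v dport="$3" '
    function prefix_match(rule, ip,   parts, n, bits, i, rp, ipp) {
        if (rule == "any") return 1
        n = split(rule, parts, "/")
        if (n == 1) return rule == ip              # single address
        split(parts[1], rp, "."); split(ip, ipp, "."); bits = parts[2] + 0
        for (i = 1; i <= bits / 8; i++)            # compare whole octets only
            if (rp[i] != ipp[i]) return 0
        return 1
    }
    function port_match(rule, port,   r) {
        if (rule == "any") return 1
        if (split(rule, r, ":") == 2)              # low:high range, as in --dport 20:1024
            return port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0
        return rule + 0 == port + 0
    }
    prefix_match($1, src) && port_match($2, dport) { print $3, NR; matched = 1; exit }
    END { if (!matched) print policy, 0 }'
}

# The same destination port gets a different verdict depending only on rule order:
evaluate_chain DROP 202.13.5.9 22   # ACCEPT 3 (admin segment reaches SSH)
evaluate_chain DROP 8.8.8.8 22      # DROP 4 (everyone else is stopped at rule 4)
evaluate_chain DROP 8.8.8.8 8080    # DROP 0 (no rule matched: default policy)
```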

Four tables

iptables is organized into tables; each table is made up of chains, and each chain of individual rules. So when writing an iptables rule we specify the table first and then the chain. The role of a table is to group rules by function and to hold those rules.

The types of tables are:

Five chains

A chain, also called a hook function, is an ordered set of rules; when a packet passes through these hook functions it is matched against the rules in each one in turn before it moves on to the next hook function.

The types of hook functions are:

Rule syntax

Syntax: iptables [-t table] command [chain] [match conditions] [-j target or jump]

1) commonly used command options:

-t: specify the table to operate on (one of the four tables)
-A: append an entry to a rule chain
-D: delete an entry from a rule chain
-I: insert an entry into a rule chain
-R: replace an entry in a rule chain
-L: list the existing entries in a rule chain
-F: flush (clear) the existing entries in a rule chain
-Z: zero the packet and byte counters of a rule chain
-N: create a new user-defined rule chain
-P: set the default policy of a rule chain
-h: display help information
-p: specify the packet protocol to match
-s: specify the packet source address to match

2) commonly used processing actions:

ACCEPT: allow the packet through
DROP: discard the packet without sending any response
REJECT: refuse the packet and, where appropriate, send an error response to the sender
LOG: record the packet in /var/log/messages and pass it on to the next rule
REDIRECT: port mapping (redirect the packet to a local port)
SNAT: source address translation; rewrite the packet's source IP to a given IP or IP range, used to translate between a private network and the public network
DNAT: destination address translation; rewrite the packet's destination IP to a given IP or IP range

3) commonly used condition matching:

1. State matching: -m state --state <connection state>
   NEW: not associated with any existing connection
   ESTABLISHED: a reply to a request, or part of an established connection
   RELATED: related to an existing connection, for example an FTP data connection
2. MAC address matching: -m mac --mac-source <MAC address>
   e.g. iptables -A INPUT -m mac --mac-source f0:1b:12:12:22:4f -j DROP
3. IP range matching: -m iprange --src-range <IP range>
   e.g. iptables -A FORWARD -p tcp -m iprange --src-range 192.168.0.1-192.168.0.10 -j ACCEPT
4. Multi-port matching: -m multiport --sports <source port list> and -m multiport --dports <destination port list>, the list being comma-separated
   e.g. iptables -A INPUT -p tcp -m multiport --dports <port1,port2,...> -j ACCEPT

4) some commonly used iptables strategies:

1. Refuse to forward packets from host 192.168.2.33:
   iptables -A FORWARD -s 192.168.2.33 -j REJECT
2. Allow forwarding of packets from the 192.168.2.1/99 segment (as written in the source; an IPv4 prefix length cannot exceed /32, so correct the mask before using this rule):
   iptables -A FORWARD -s 192.168.2.1/99 -j ACCEPT
3. Allow the local machine to offer the services listening on TCP ports 20-1024:
   iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
   iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
4. Only allow administrators from the 202.13.0.0/16 segment to log in to the firewall host over SSH (the ACCEPT must be appended before the DROP, since the first match wins):
   iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
   iptables -A INPUT -p tcp --dport 22 -j DROP
5. Allow forwarding of DNS query packets from the 192.168.0.0/24 LAN segment:
   iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
   iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT
6. Block access from IP 110.1.1.1:
   iptables -I INPUT -s 110.1.1.1 -j DROP
7. Block 123.0.0.1 to 123.255.255.254:
   iptables -I INPUT -s 123.0.0.0/8 -j DROP
8. Block 123.45.0.1 to 123.45.255.254:
   iptables -I INPUT -s 123.45.0.0/16 -j DROP
9. Block 123.45.6.1 to 123.45.6.254:
   iptables -I INPUT -s 123.45.6.0/24 -j DROP
10. Allow all outbound access from the local machine:
   iptables -A OUTPUT -j ACCEPT
11. Allow access to port 22:
   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
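Pulling the state matching from the previous section and the policies above into one reviewable ruleset, as an added example that is not from the original article: `gen_ruleset` writes an iptables-restore file for the filter table. The admin segment, LAN segment and blocked address are parameters (the values used below are the article's own examples); the default-DROP policies and the rate-limited LOG rule are additions beyond the article's one-liners.

```shell
# Added example, not code from the original article: build one reviewable
# stateful ruleset from the article's policies and write it in iptables-restore
# format. The admin segment, LAN segment and blocked address are parameters
# (the values used in the test are the article's examples); the default-DROP
# policies and the rate-limited LOG rule are additions beyond the article.

# gen_ruleset ADMIN_NET LAN_NET BLOCKED_IP  -> prints the filter table
gen_ruleset() {
    admin_net=$1; lan_net=$2; blocked=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the explicit block comes first so it wins over every later ACCEPT (what -I does)
-A INPUT -s $blocked -j DROP
-A INPUT -i lo -j ACCEPT
# one stateful rule replaces per-port --sport allowances: replies to connections
# this host opened are let back in, unsolicited new packets are not
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the admin segment; all other SSH falls through to the DROP policy
-A INPUT -p tcp --dport 22 -s $admin_net -m state --state NEW -j ACCEPT
# log what the policy is about to drop, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
# forward DNS queries for the LAN; the replies are covered by connection tracking
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan_net -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rule_count ADMIN_NET LAN_NET BLOCKED_IP CHAIN -> how many rules land in CHAIN
rule_count() {
    gen_ruleset "$1" "$2" "$3" | grep -c "^-A $4 "
}
```

Check the output with `gen_ruleset 202.13.0.0/16 192.168.0.0/24 110.1.1.1 | iptables-restore --test` before loading it without `--test`; iptables-restore replaces the whole table at once, so the order in the file is exactly the order the chains will have.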

5) commonly used iptables commands:

1. Check the current iptables rules:
   service iptables status
2. Show all iptables rules with their line numbers:
   iptables -L -n --line-numbers
3. Delete a rule by its number, for example rule 22 in the INPUT chain:
   iptables -D INPUT 22

After reading the above, do you know how to understand the iptables of Linux?
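Deleting by number is easy to get wrong, because every deletion renumbers the rules after it. The following added example (not from the original article) reads a listing in the format `iptables -L -n --line-numbers` prints, finds the rules in a chain whose source column matches, and emits the `iptables -D` commands from the highest number down so the remaining numbers stay valid; the listing is a constructed sample and the function names are my own.

```shell
# Added example, not code from the original article: turn the listing that
# "iptables -L -n --line-numbers" prints into "iptables -D CHAIN N" commands.
# Numbers are emitted highest first, because deleting rule N renumbers every
# rule after it; deleting from the bottom keeps the remaining numbers valid.

# Constructed sample listing in the layout iptables prints with -n --line-numbers.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  110.1.1.1            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    ACCEPT     tcp  --  202.13.0.0/16        0.0.0.0/0            tcp dpt:22
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     udp  --  192.168.0.0/24       0.0.0.0/0            udp dpt:53
2    DROP       all  --  110.1.1.1            0.0.0.0/0'

# rules_from_source CHAIN SRC -> numbers of the rules in CHAIN whose source
# column is SRC, highest first (reads a listing on stdin)
rules_from_source() {
    awk -v chain="$1" -v src="$2" '
    /^Chain / { in_chain = ($2 == chain); next }      # remember which chain we are in
    in_chain && $1 ~ /^[0-9]+$/ && $5 == src { print $1 }
    ' | sort -rn
}

# delete_commands CHAIN SRC -> the iptables -D lines to run, in a safe order
delete_commands() {
    rules_from_source "$1" "$2" | while read -r num; do
        printf 'iptables -D %s %s\n' "$1" "$num"
    done
}

# stand-alone demo: remove every INPUT rule keyed on the blocked address
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT 110.1.1.1
```

Re-list the chain after each batch of deletions rather than reusing numbers from an old listing, since `-D CHAIN N` acts on whatever currently sits at position N.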
