2025-02-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Filter table
The filter table contains the following three chains:
INPUT chain: filters packets whose destination address is this machine
FORWARD chain: filters packets routed through this machine, that is, packets whose destination and source addresses are both other hosts
OUTPUT chain: filters packets generated by this machine, that is, packets whose source address is local
Nat table
The nat table is used for network address translation; iptables can perform the following kinds of NAT:
DNAT: changes the destination address (and optionally the port) of a packet so that it is delivered to a different host, typically to publish an internal service
SNAT: changes the source address of a packet so that hosts on an internal network can reach the Internet through the firewall's address
MASQUERADE works like SNAT except that it does not take a fixed address: it uses whatever address the outgoing interface currently has, so it suits links with a dynamic address such as ADSL/PPP dial-up, whereas SNAT needs a fixed --to-source address.
The nat table contains the following chains:
PREROUTING chain: rewrites the destination address of a packet as it arrives at the firewall, before the routing decision (DNAT)
POSTROUTING chain: rewrites the source address of a packet just before it leaves the firewall, after routing (SNAT, MASQUERADE)
OUTPUT chain: rewrites the destination address of locally generated packets (DNAT for traffic that originates on the firewall itself)
Using the nat table for port forwarding
First make sure the kernel forwards packets between interfaces:
cat /proc/sys/net/ipv4/ip_forward
1 means forwarding is enabled; 0 means it is disabled, and packets destined for other hosts are dropped, so DNAT to another host will not work.
Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1 so the setting survives a reboot, then apply it:
sysctl -p
Example: forward connections to 192.168.169.112 port 8080 to port 80 of 192.168.169.111
Execute on the 112 machine:
iptables -t nat -A PREROUTING --dst 192.168.169.112 -p tcp --dport 8080 -j DNAT --to-destination 192.168.169.111:80
iptables -t nat -A POSTROUTING --dst 192.168.169.111 -p tcp --dport 80 -j SNAT --to-source 192.168.169.112
The ":80" in --to-destination is what changes the port; without it the packet would reach 192.168.169.111 still addressed to port 8080. The SNAT rule makes 111 see the connection as coming from 112, so its replies return through 112 and are un-translated by connection tracking even when 111's default gateway is not 112; the cost is that 111 no longer sees the real client address. If the filter table's FORWARD policy is DROP, the forwarded traffic also needs an ACCEPT rule in the FORWARD chain.
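The procedure above (ip_forward check, DNAT, SNAT) collected into one script, added here as an example and not taken from the original page. It adds the FORWARD-chain ACCEPT rules the one-liners omit and a dry-run mode that prints the rules instead of applying them; the function names, the DRY_RUN variable and the file name in the usage comment are this example's own choices, and applying the rules for real requires root.

```shell
#!/bin/sh
# Added example (not from the original page): the 112 -> 111 port forward as a reusable
# shell function, with the FORWARD-chain rules and the ip_forward check the one-liners
# leave out. Function names and the DRY_RUN variable are this example's own.

# Run a command, or only print it when DRY_RUN is set (lets you review the rules without root).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Succeeds when IPv4 forwarding is on. The optional file argument exists only so the
# check can be pointed at a test file instead of /proc.
ip_forward_enabled() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] && [ "$(cat "$file")" = "1" ]
}

# forward_port <firewall_ip> <firewall_port> <target_ip> <target_port>
forward_port() {
    fw_ip="$1"; fw_port="$2"; target_ip="$3"; target_port="$4"

    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; DNAT to another host will not work until it is 1" >&2

    # 1. PREROUTING/DNAT: rewrite the destination before routing. The ":port" suffix is what
    #    changes the port; without it the packet keeps its original destination port.
    run iptables -t nat -A PREROUTING -d "$fw_ip" -p tcp --dport "$fw_port" \
        -j DNAT --to-destination "$target_ip:$target_port"

    # 2. POSTROUTING/SNAT: make the target see the firewall as the client, so replies come
    #    back through the firewall even if the target's default gateway is elsewhere.
    run iptables -t nat -A POSTROUTING -d "$target_ip" -p tcp --dport "$target_port" \
        -j SNAT --to-source "$fw_ip"

    # 3. Translated packets still traverse the filter FORWARD chain; allow the new connection
    #    and, via connection tracking, the reply traffic, in case the chain policy is DROP.
    run iptables -A FORWARD -d "$target_ip" -p tcp --dport "$target_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$target_ip" -p tcp --sport "$target_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# When executed with four arguments, apply (or, with DRY_RUN=1, print) the rules:
#   DRY_RUN=1 sh forward_port.sh 192.168.169.112 8080 192.168.169.111 80
if [ "$#" -eq 4 ]; then
    forward_port "$@"
fi
```

Run it once with DRY_RUN=1 and compare the printed rules against the two one-liners above before applying them as root; the conntrack states on the FORWARD rules are what let the return traffic through without a second hole.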
Drop ICMP requests from 192.168.169.101
iptables syntax:
iptables -t filter -A INPUT -p icmp -s 192.168.169.101 -j DROP
Drop all ICMP
iptables -t filter -A INPUT -p icmp -j DROP
Options used above:
-t filter    operate on the filter table (the default when -t is omitted)
-A INPUT    append the rule to the end of the INPUT chain
-p protocol    match packets of a specific protocol: -p icmp, -p tcp, -p udp, -p all
-s address[/mask]    source address, e.g. -s 192.168.1.10 or -s 192.168.1.0/24
-d address[/mask]    destination address
-j target    what to do with a matching packet
Common targets
ACCEPT    let the packet through
DROP    discard the packet silently. The sender receives nothing, so it treats the packet as lost and retransmits until its own connection timeout expires; a client sees a long hang rather than an error.
REJECT    discard the packet and send an ICMP error back to the sender (destination unreachable by default; for TCP, --reject-with tcp-reset sends a RST instead). The sender's application fails immediately with a connection error.
Block 192.168.169.94 from reaching port 80 on this machine
iptables -t filter -A INPUT -p tcp -s 192.168.169.94 --dport 80 -j DROP
Allow everyone else to reach port 80
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
Rule order matters: a chain is evaluated top to bottom and -A appends to the end, so the DROP for 192.168.169.94 must be added before the general ACCEPT. Added the other way round, the ACCEPT would match first and the DROP would never be reached (use -I INPUT to insert a rule at the top of the chain instead).
Clear all rules in the filter table (the default table)
iptables -F
Clear all rules in the nat table
iptables -t nat -F
-F removes rules only; chain policies stay as they are, so if the INPUT policy is DROP, flushing over SSH locks you out. Set the policies to ACCEPT first (iptables -P INPUT ACCEPT) or flush from the console.
Delete a rule by its line number
iptables -nvL --line-numbers
Delete rule number 2 in the INPUT chain
iptables -D INPUT 2
Rules are renumbered after every deletion, so when removing several rules, list once and delete from the highest number down, or delete by specification instead (iptables -D INPUT -p icmp -s 192.168.169.101 -j DROP removes the rule that exactly matches).
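Deleting by line number gets error-prone as soon as more than one rule has to go, since each -D renumbers everything below it. The following script, added here as an example and not part of the original page, parses a --line-numbers listing and deletes the matching rules from the highest number down. The listing embedded in it is constructed sample output, and the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): pick rules out of "iptables -nvL --line-numbers"
# output and delete them highest-number-first, because every -D renumbers the rules below it.
# SAMPLE_LISTING is constructed sample output; function names are this example's own.

SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       icmp --  *      *       192.168.169.101      0.0.0.0/0
2        0     0 DROP       tcp  --  *      *       192.168.169.94       0.0.0.0/0            tcp dpt:80
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
)

# Run a command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# rule_numbers <chain> <awk-regex>: read a --line-numbers listing on stdin and print the
# numbers of the rules in <chain> whose line matches the regex, highest number first.
rule_numbers() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { in_chain = ($2 == chain); next }          # track which chain section we are in
        in_chain && $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }  # numbered rule lines only, skip headers
    ' | sort -rn
}

# delete_matching <chain> <awk-regex>: delete every matching rule in <chain>, highest first,
# so the numbers read from the listing stay valid for the whole run.
# Usage: iptables -nvL --line-numbers | delete_matching INPUT 'DROP.*192\.168\.169\.101'
delete_matching() {
    chain="$1"
    rule_numbers "$chain" "$2" | while read -r n; do
        run iptables -D "$chain" "$n"
    done
}
```

The pattern is an awk regular expression applied to the whole listing line, so escape dots in addresses and anchor on the target (DROP, ACCEPT) to avoid matching more than intended; a DRY_RUN=1 pass shows exactly which numbers would be removed.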
© 2024 shulou.com SLNews company. All rights reserved.