What are some useful common examples of iptables

2025-04-10 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

Today I will walk through the commonly used iptables examples, which many people do not fully understand. To make them easier to follow, the editor has summarized the following contents; I hope you get something out of this article.

Format

iptables [-t table] option [chain] [match conditions] [-j target]

-P sets the default policy of a chain: iptables -P INPUT (DROP | ACCEPT)

-F flushes (clears) the rules of a chain

-L lists the rules of a chain

-A appends a new rule to the end of a chain

-I [num] inserts a new rule at the head of a chain (or at position num)

-D num deletes the rule at position num

-s matches the source address IP/MASK; prefixing it with "!" matches every address except this one

-d matches the destination address

-i iface matches packets arriving on this network interface

-o iface matches packets leaving through this network interface

-p matches the protocol, such as tcp, udp, icmp

--dport num matches the destination port number

--sport num matches the source port number

1. Delete existing rules

Before you start creating iptables rules, you may need to delete the existing ones. The command is as follows:

iptables -F (or) iptables --flush

2. Set the default policy for the chains

The default policy of a chain is "ACCEPT". To set the INPUT, FORWARD and OUTPUT chains to "DROP", the commands are as follows:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

When both the INPUT and OUTPUT chains default to DROP, every firewall requirement needs two rules: one for the inbound packets and one for the outbound ones. In all the examples below, because DROP is the default policy for INPUT and OUTPUT, two rules are written in each case. If you trust your internal users, you can omit the last line above (the OUTPUT DROP), so that outbound packets are not discarded by default; in that case each requirement needs only one rule, for the inbound packets.

3. Block the specified IP address

Example: discard packets from IP address x.x.x.x

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

Note: when you find suspicious records from an IP address in the logs, you can temporarily block that address with this command while you analyse it in more depth.

Example: block packets from IP address x.x.x.x arriving on eth0, and only tcp packets from that address on eth0

iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

4. Allow all SSH connection requests

Example: allow all external SSH connection requests, that is, only packets that enter through the eth0 interface with destination port 22

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Only allow SSH connection requests from the specified network

Example: only allow ssh connection requests from users in the 192.168.100.0/24 network

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Allow http and https connection requests

Example: allow all inbound http connection requests

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Example: allow all inbound https connection requests

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

7. Use multiport to combine multiple rules

When several ports must be reachable from the outside, instead of writing a separate rule for each port we can use the multiport match to combine them into a single rule, as follows:

Example: allow all ssh, http and https traffic

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow locally initiated SSH requests

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Note that this is slightly different from the rule that allows inbound ssh connections. Here, on the OUTPUT chain, we allow the NEW and ESTABLISHED states, and on the INPUT chain only the ESTABLISHED state. The rules for inbound ssh connections are the reverse.

9. Only allow locally initiated SSH requests to a specified network

Example: only allow internal ssh connections to the network 192.168.100.0/24

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow locally initiated HTTPS connection requests

The following rules allow outbound HTTPS traffic. They are necessary if you want users to be able to reach the Internet; on a server, they let you download files from outside with wget.

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Note: for outbound HTTP web traffic, just change the port in the commands above from 443 to 80.

11. Load balancing incoming network traffic

We can use iptables firewall rules to load balance incoming web traffic.

Example: use the iptables nth match to distribute HTTPS traffic across three different IP addresses. DNAT is a nat-table target, so the rules go in the nat table:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103

Note: nth comes from the patch-o-matic extensions and is not in stock iptables; current kernels provide the same round-robin selection with -m statistic --mode nth --every 3 --packet N.

12. Allow external hosts to ping internal hosts

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Allow internal hosts to ping external hosts

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow loopback access

Example: allow 127.0.0.1 loopback access on the server.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

15. Allow communication between the internal network and the external network

One network card of the firewall server is connected to the outside and the other to the internal servers. Use the following rule to let the internal network communicate with the external network. In this example, eth2 is connected to the external network (the Internet) and eth0 to the internal network (for example 192.168.1.x).

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT

Note: because the FORWARD chain defaults to DROP (section 2), the replies coming back from eth2 towards eth0 also need a FORWARD rule, for example one matching -m state --state ESTABLISHED,RELATED.

16. Allow outbound DNS connections

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

17. Allow NIS connections

If you use NIS to manage user accounts, you need to allow NIS connections. If the ypbind connection requests used by NIS are not allowed, users will not be able to log in even though SSH connection requests have been allowed. The NIS ports are dynamic, so first run rpcinfo -p to find the port numbers; in this case they are ports 853 and 850.

rpcinfo -p | grep ypbind

Example: allow connection requests to port 111 (portmapper) and to the ports used by ypbind

iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT

Note: the ports change whenever ypbind is restarted, after which the commands above no longer have any effect. There are two solutions: 1) configure your NIS with static ports; 2) write a shell script that obtains the current dynamic port numbers from "rpcinfo -p" and uses them in the iptables rules above.
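The note above suggests scripting the lookup of ypbind's dynamic ports. The following is an added example, not code from the original article: it parses "rpcinfo -p" output (a constructed sample is embedded so it runs offline) and emits the section 17 rules with whatever ports it finds; the IPT variable defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: rebuild the NIS rules from the ports ypbind currently uses,
# so that a ypbind restart (which picks new dynamic ports) does not silently
# break logins. Defaults to printing the commands; set IPT=iptables to apply.

# Constructed sample of `rpcinfo -p` output (columns: program vers proto port service).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100007    2   udp    850  ypbind
    100007    1   udp    850  ypbind
    100007    2   tcp    853  ypbind
    100007    1   tcp    853  ypbind'

# Print "proto port" for every ypbind registration, one per line, deduplicated.
# $1: the text of `rpcinfo -p`.
ypbind_ports() {
    printf '%s\n' "$1" | awk '$5 == "ypbind" { print $3, $4 }' | sort -u
}

# Emit the portmapper rules (port 111, tcp and udp) followed by one ACCEPT
# rule per ypbind proto/port pair found in the rpcinfo text ($1).
nis_rules() {
    rpc_text=$1
    ipt=${IPT:-echo iptables}
    $ipt -A INPUT -p tcp --dport 111 -j ACCEPT
    $ipt -A INPUT -p udp --dport 111 -j ACCEPT
    ypbind_ports "$rpc_text" | while read -r proto port; do
        $ipt -A INPUT -p "$proto" --dport "$port" -j ACCEPT
    done
}

# Dry run against the constructed sample; on a real host use:
#   IPT=iptables nis_rules "$(rpcinfo -p)"
nis_rules "$SAMPLE_RPCINFO"
```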

18. Allow rsync connection requests from the specified network

Example: allow rsync connection requests from the network 192.168.101.0/24

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL connection requests from the specified network

In many cases the MySQL database runs on the same server as the web service. Sometimes we only want DBAs and developers to log in to the database directly from the internal network (192.168.100.0/24). Try the following commands:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

20. Allow the Sendmail and Postfix mail services

Both Sendmail and Postfix use port 25, so we only need to allow connection requests to port 25.

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

21. Allow IMAP and IMAPS

Example: allow IMAP/IMAP2 traffic, port 143

iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

Example: allow IMAPS traffic, port 993

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

22. Allow POP3 and POP3S

Example: allow POP3 access

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Example: allow POP3S access

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

23. Mitigate DoS attacks

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

In the above example:

-m limit: enables the limit match extension

--limit 25/minute: allows up to 25 connections per minute (adjust to your needs)

--limit-burst 100: the 25/minute limit only takes effect once the burst level (here 100) has been reached

Packets beyond the limit simply do not match this ACCEPT rule; they fall through to the later rules and the chain's default policy (DROP in section 2), which is what actually throttles the flood.

24. Port forwarding

Example: all traffic arriving on port 422 is forwarded to port 22.

This means that ssh connections can be made through both port 422 and port 22. Enable DNAT forwarding:

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22

In addition, you need to allow connection requests to port 422:

iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

25. Log dropped packets

Step 1: create a new chain named LOGGING

iptables -N LOGGING

Step 2: send all packets that reach the end of the INPUT chain to the LOGGING chain. Rules are matched in order, so append this jump after all the ACCEPT rules; only packets that no earlier rule accepted then reach LOGGING.

iptables -A INPUT -j LOGGING

Step 3: log these packets with the prefix "IPTables Packet Dropped:", rate-limited to 2 entries per minute, at log level 7 (debug)

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped:" --log-level 7

Step 4: discard these packets

iptables -A LOGGING -j DROP

After reading the above, do you have a better understanding of the commonly used iptables examples?
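As a final added example for section 25 (not code from the original article), the following summarises the kernel log lines written by the LOGGING chain, by source address and by destination port, so that a noisy source can be spotted and, if warranted, blocked with the rule from section 3. The log lines are a constructed sample in the format the LOG target produces, using documentation address ranges rather than real hosts.

```shell
#!/bin/sh
# Added example: summarise the "IPTables Packet Dropped:" entries from the
# kernel log so the busiest dropped sources and the ports they probe stand out.

# Constructed sample log lines (LOG target format); the last line is unrelated
# noise to show that only prefixed entries are counted.
SAMPLE_LOG='Jun  2 10:01:02 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jun  2 10:01:03 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=3306 SYN
Jun  2 10:01:04 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=UDP SPT=4000 DPT=53
Jun  2 10:01:05 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51236 DPT=22 SYN
Jun  2 10:01:06 fw sshd[123]: Accepted publickey for admin from 192.168.100.4 port 50000 ssh2'

# Print "count SRC" for every source that reached the LOGGING chain, busiest first.
# $1: log text (for a live host pass "$(dmesg)" or the syslog file contents).
dropped_by_source() {
    printf '%s\n' "$1" | awk '
        /IPTables Packet Dropped:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Print "count DPT" for the drops coming from one source address ($2),
# busiest port first. index() is used so the dots in the address are literal.
dropped_ports_from() {
    printf '%s\n' "$1" | awk -v src="$2" '
        /IPTables Packet Dropped:/ && index($0, "SRC=" src " ") > 0 {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); n[$i]++ }
        }
        END { for (p in n) print n[p], p }' | sort -rn
}

dropped_by_source "$SAMPLE_LOG"
dropped_ports_from "$SAMPLE_LOG" 203.0.113.5
```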
