
Getting started with iptables and the use of basic commands

2025-02-27 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The framework the rules live in: four tables and five chains.

Four tables:

filter

nat

mangle

raw

Five built-in chains:

PREROUTING

INPUT

FORWARD

OUTPUT

POSTROUTING

Attributes a rule can match on:

1. Network layer attributes:

IP (source and destination address)

2. Protocol attributes (selected with -p; note that ICMP is itself a network-layer protocol, iptables simply treats all three alike here):

tcp

udp

icmp

iptables command options:

Uppercase options are subcommands (what to do); lowercase options give match criteria and other parameters.

-t {filter | nat | mangle | raw}: the table to operate on (filter if omitted)

-L: list the rules of a chain (or of all chains in the table)

-n: show IP addresses and ports numerically, without DNS or service-name lookups

-v: verbose output; -vv and -vvv are progressively more detailed

--line-numbers: show each rule's position number within its chain

-x: show exact counter values instead of rounded K/M/G figures

Every rule, and every chain's default policy, keeps two counters:

packets: the number of packets that matched

bytes: the total size of those packets

The correspondence between tables and chains:

filter

INPUT, FORWARD, OUTPUT

nat

PREROUTING, POSTROUTING, OUTPUT (and INPUT as well since kernel 2.6.34)

mangle

PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

raw

PREROUTING, OUTPUT

Each built-in chain has a default policy, ACCEPT initially; the policy applies to packets that match none of the chain's rules.

Usually only the default policies of the filter table chains need to be changed.

Other subcommands:

Chain management:

-F: flush (empty) a chain

iptables -F flushes all chains of the table (filter, unless -t says otherwise)

-P: set the default policy

iptables -t filter -P INPUT {DROP | ACCEPT}

-N: create a new custom chain

iptables -N FILTER_WEB

-X: delete an empty custom chain (it must contain no rules and must not be the target of any jump)

-Z: zero the packet and byte counters

iptables -Z

-E: rename a custom chain

Rule management:

-A: append a rule to the end of the chain

-I [n]: insert as rule number n (n defaults to 1, the top of the chain)

-D [n]: delete rule number n (or the first rule that matches the given specification)

-R [n]: replace rule number n

Rule syntax:

iptables [-t table] SUBCOMMAND chain [n] match-criteria -j TARGET

(for -I, -D and -R the rule number n follows the chain name)

Targets (-j):

DROP: discard the packet silently

REJECT: discard it and send an error back to the sender (an ICMP unreachable, or a TCP RST with --reject-with tcp-reset)

ACCEPT: let the packet through

RETURN: return from a custom chain to the rule after the one that jumped into it

REDIRECT: port redirection to the local host (nat table)

DNAT: destination address translation (nat table)

SNAT: source address translation (nat table)

LOG: log the packet through the kernel log and continue with the next rule

MARK: set a firewall mark on the packet (mangle table)

Custom chain: jump to a user-defined chain

Matching criteria:

Generic matches:

-s | --src | --source [!] IP/NETWORK

-d | --dst | --destination [!] IP/NETWORK

(current iptables versions write the negation before the option: ! -s IP/NETWORK)

# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -j ACCEPT

-i INCOMING_INTERFACE: the interface the packet arrived on; valid only in INPUT, PREROUTING and FORWARD

-o OUTGOING_INTERFACE: the interface the packet will leave by; valid only in OUTPUT, POSTROUTING and FORWARD

-p {tcp | udp | icmp}: the protocol

Extension matches: referenced with -m EXTENSION; each extension module has its own options, some of them mandatory.

Implicit extensions (loaded automatically by -p, no -m needed):

-p tcp

--sport: source port (a single port or a range written PORT:PORT)

--dport: destination port

--tcp-flags MASK COMP: examine only the flags listed in MASK; the rule matches when, of those flags, exactly the ones listed in COMP are set and the rest are clear. Flags not in MASK are ignored.

--tcp-flags SYN,ACK,RST,FIN SYN: of these four flags only SYN is set, i.e. the first segment of the TCP three-way handshake

ALL: all flag bits (SYN, ACK, FIN, RST, URG, PSH)

NONE: no flag bits

--tcp-flags ALL SYN,FIN: an illegal segment (SYN and FIN set together)

--syn: shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
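The MASK/COMP semantics are easy to misread, so here is an added example (not from the original page) that models the --tcp-flags match in Python and applies the flag rules used on this page to a few constructed flag combinations. The flag values are the standard TCP header bits; the ordering inside classify() is an assumption mirroring the clean_in chain and the --syn rule that appear later on this page.

```python
"""Model of the iptables --tcp-flags MASK COMP match (added example)."""

# TCP flag bits as laid out in the TCP header's flags byte
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # the 'ALL' keyword: every flag listed above
NONE = 0x00  # the 'NONE' keyword


def parse_flags(spec: str) -> int:
    """Turn 'SYN,ACK' / 'ALL' / 'NONE' into a bit mask, like the iptables parser."""
    spec = spec.strip()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return NONE
    value = 0
    for name in spec.split(","):
        value |= TCP_FLAGS[name.strip().upper()]
    return value


def tcp_flags_match(mask: str, comp: str, segment_flags: int) -> bool:
    """--tcp-flags MASK COMP: look only at the bits in MASK; of those, exactly
    the bits in COMP must be set and all other MASK bits must be clear.
    Bits outside MASK are ignored entirely."""
    return (segment_flags & parse_flags(mask)) == parse_flags(comp)


def syn_match(segment_flags: int) -> bool:
    """--syn is defined as --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", segment_flags)


def classify(segment_flags: int) -> str:
    """Apply the page's flag rules in order, as a chain would (assumed order)."""
    if tcp_flags_match("ALL", "ALL", segment_flags):
        return "DROP (all flags set)"
    if tcp_flags_match("ALL", "NONE", segment_flags):
        return "DROP (no flags set)"
    if tcp_flags_match("ALL", "SYN,FIN", segment_flags):
        return "DROP (SYN+FIN)"
    if syn_match(segment_flags):
        return "NEW handshake"
    return "no tcp-flags rule matched"


if __name__ == "__main__":
    # constructed flag combinations
    samples = ["SYN", "SYN,ACK", "SYN,FIN", "SYN,URG", "ACK", "ALL", "NONE"]
    for name in samples:
        print(f"{name:8s} -> {classify(parse_flags(name))}")
```

Note what the SYN,URG case shows: because URG is not in the mask of --syn, a SYN segment carrying URG (or PSH) still counts as a handshake start. If you want to reject any extra flag on the first segment, put the extra flags into MASK.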

Exercise: allow access to the local web service:

# iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -j ACCEPT

# iptables -A OUTPUT -s 172.16.100.1 -p tcp --sport 80 -j ACCEPT

Requests come in through INPUT and responses leave through OUTPUT, so when both chains have a DROP default policy the traffic must be allowed in both chains.

-p udp

--sport: source port

--dport: destination port

Example: the local host (172.16.100.1) runs a DNS server that performs recursive queries for local clients, and the INPUT and OUTPUT default policies are DROP. Two pairs of rules are needed: one pair for the queries clients send us and our answers, one pair for the queries we send to upstream servers and their answers:

# iptables -A INPUT -d 172.16.100.1 -p udp --dport 53 -j ACCEPT

# iptables -A OUTPUT -s 172.16.100.1 -p udp --sport 53 -j ACCEPT

# iptables -A OUTPUT -s 172.16.100.1 -p udp --dport 53 -j ACCEPT

# iptables -A INPUT -d 172.16.100.1 -p udp --sport 53 -j ACCEPT

-p icmp

--icmp-type: the ICMP message type

8: echo-request (ping)

0: echo-reply

Example: the local host 172.16.100.1 may ping all hosts in 172.16.0.0/16. This needs an OUTPUT rule allowing type 8 from 172.16.100.1 to 172.16.0.0/16 and an INPUT rule allowing type 0 from 172.16.0.0/16 to 172.16.100.1.

Explicit extensions:

-m state --state {NEW | ESTABLISHED | RELATED | INVALID}[,...]

NEW: the first packet of a connection; ESTABLISHED: a packet of a connection that has already seen traffic in both directions; RELATED: a new connection associated with an existing one, such as an FTP data connection or an ICMP error; INVALID: a packet that cannot be associated with any connection. On current systems -m conntrack --ctstate is the preferred equivalent.

For FTP data connections to be classified as RELATED, the nf_conntrack_ftp module must be loaded, either with modprobe or by listing it in IPTABLES_MODULES in /etc/sysconfig/iptables-config.

-m multiport: up to 15 discrete ports or port ranges, e.g. 21:23,80

--source-ports: source ports

--destination-ports: destination ports

--ports: either source or destination ports

-m iprange: match a range of IP addresses, e.g. 172.16.100.1-172.16.109.254

--src-range: source address range

--dst-range: destination address range

-m limit: rate limiting with a token bucket; the rule matches only while a token is available, and each matching packet consumes one

--limit 20/min: the average rate at which tokens are refilled (units /sec, /min, /hour, /day; default 3/hour)

--limit-burst 2: the size of the bucket, i.e. how many packets may match in a burst before the average rate takes over (default 5)
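Added example (not part of the original page): a token-bucket model of the limit match, to show how --limit and --limit-burst act together. It uses exact fractions instead of the kernel's jiffy-based credit arithmetic, so the timing is idealized, and the packet arrival times are constructed.

```python
"""Token-bucket model of iptables -m limit --limit RATE --limit-burst N.
Added example; idealized (exact fractions instead of the kernel's jiffy credits)."""
from fractions import Fraction

UNIT_SECONDS = {"sec": 1, "second": 1, "min": 60, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """A bucket holding at most `burst` tokens, refilled continuously at `rate`
    tokens per unit. A packet matches while a token is available and consumes
    it; an over-limit packet fails the match and falls through to the next
    rule (with a DROP default policy, that is usually the end of it)."""

    def __init__(self, rate: str = "3/hour", burst: int = 5):  # iptables defaults
        count, unit = rate.split("/")
        self.rate_per_sec = Fraction(int(count), UNIT_SECONDS[unit])
        self.burst = burst
        self.tokens = Fraction(burst)  # the bucket starts full
        self.last = None

    def match(self, now) -> bool:
        now = Fraction(now)
        if self.last is not None:
            refill = (now - self.last) * self.rate_per_sec
            self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(rate: str, burst: int, arrival_times) -> list:
    """One True/False per packet: did '-m limit' match it?"""
    lim = LimitMatch(rate, burst)
    return [lim.match(t) for t in arrival_times]


if __name__ == "__main__":
    # constructed arrivals: a 6-packet burst at t=0, then single packets at 3, 6, 7 and 9 s
    times = [0, 0, 0, 0, 0, 0, 3, 6, 7, 9]
    for t, ok in zip(times, simulate("20/min", 2, times)):
        print(f"t={t:>2}s  {'match -> ACCEPT' if ok else 'no match -> next rule'}")
```

With --limit 20/min --limit-burst 2, the first two packets of a burst pass, the other four are not matched, and afterwards one packet passes every three seconds; a quiet period refills the bucket, but never beyond the burst value.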

-m string

--string "...": the string to search for in the packet payload (put it in quotation marks)

--algo {bm | kmp}: the search algorithm, Boyer-Moore or Knuth-Morris-Pratt; this option is mandatory

-m time

--datestart / --datestop: date range, YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

--timestart / --timestop: time-of-day range, hh:mm[:ss]

--weekdays: comma-separated list, e.g. Mon,Tue

--monthdays: comma-separated list of days of the month

Note that the time match compares against UTC unless --kerneltz is given; on a host whose clock is not set to UTC, 08:30 in a rule is not 08:30 local time.

Saving rules:

# service iptables save

saves to /etc/sysconfig/iptables

# iptables-save > /path/to/iptables.rules

Loading the rules from a rules file:

# iptables-restore < /path/to/iptables.rules

Subcommand summary:

Chain: -N, -X, -Z, -F, -P, -E

Rule: -A, -I, -D, -R

Exercises: the default policy for INPUT and OUTPUT is DROP

1. Restrict access to the local web server: no access on Mondays; the rate of new requests must not exceed 100 per second; pages whose requests contain the string "admin" may not be accessed; and the web server may only send response packets out of the machine.

# iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m time --weekdays Tue,Wed,Thu,Fri,Sat,Sun -m limit --limit 100/sec -m string --algo kmp ! --string "admin" -m state --state NEW -j ACCEPT

"No access on Monday" can also be written as -m time ! --weekdays Mon

# iptables -I OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT

Caveat: the ! --string "admin" test on a --state NEW rule is ineffective as written. The first packet of a connection is a SYN with no payload, so it never contains the string and the connection is accepted; the HTTP request itself arrives later and is passed by the ESTABLISHED rule. To actually block such requests, a rule matching --string "admin" with a DROP or REJECT target has to sit before the ESTABLISHED rule. Even then, -m string inspects individual packets only, so it is easily evaded (URL encoding, a request split across segments); treat it as a demonstration of the match, not as access control.

2. During working hours, 08:30 to 18:00 Monday to Friday, open the local ftp service to the hosts in 172.16.0.0/16; data-connection requests must not exceed 5 per minute.

# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30:00 --timestop 18:00:00 -j ACCEPT

# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp -m state --state RELATED -m limit --limit 5/min -j ACCEPT

The second rule only works if nf_conntrack_ftp is loaded, so that the data connection is tracked as RELATED to the control connection; remember also that -m time compares against UTC unless --kerneltz is given.

3. Open the local ssh service to the hosts 172.16.x.1-172.16.x.100, where x is your seat number (100 below); new connections must not be created faster than 2 per minute; only response packets may leave the machine through the service port.

# iptables -A INPUT -m iprange --src-range 172.16.100.1-172.16.100.100 -m limit --limit 2/min -p tcp --dport 22 -d 172.16.100.1 -i eth0 -m state --state NEW -j ACCEPT

The responses leave through the OUTPUT ESTABLISHED rule from exercise 1, so no separate --sport 22 rule is needed.

4. Deny packets whose TCP flag bits are all set, or all clear, access to this machine

# iptables -N clean_in

# iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP

# iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP

# iptables -A clean_in -d 172.16.100.1 -j RETURN

# iptables -I INPUT 1 -d 172.16.100.1 -j clean_in

The explicit RETURN is harmless but redundant: a packet that reaches the end of a custom chain without matching returns to the calling chain anyway. Inserting the jump at position 1 makes these checks run before the ESTABLISHED rule.

5. Allow the local host to ping other hosts, but do not let other hosts ping the local host.

# iptables -A OUTPUT -s 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT

Only the echo-request needs an explicit rule: the echo-replies come back through the INPUT ESTABLISHED rule from exercise 1 (conntrack tracks ICMP echo exchanges), and with no INPUT rule for type 8, pings from other hosts fall to the DROP policy.

Finally, allow loopback traffic, which local services depend on:

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A OUTPUT -o lo -j ACCEPT
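Typing the exercises' rules one by one on a host whose default policy is already DROP is how people lock themselves out, so here is an added example (not part of the original page) that renders all five exercises as one iptables-restore file and checks it for the classic mistakes before it is loaded. Assumptions: the host address 172.16.100.1, the network 172.16.0.0/16, seat number 100 and interface eth0 from the exercises; the "admin" filter is rewritten as a REJECT rule placed before the ESTABLISHED rule (see the caveat under exercise 1), and NEW is added to the ftp control rule. The script writes text only; it does not call iptables.

```python
"""Render the page's exercises as one iptables-restore ruleset and sanity-check it.
Added example: it produces the file, it does not call iptables itself."""
from ipaddress import ip_address, ip_network
import re

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def build_ruleset(host="172.16.100.1", lan="172.16.0.0/16", seat=100, iface="eth0") -> str:
    """Filter table in iptables-save syntax: DROP default policies, loopback and
    tracked connections allowed first, then the exercises' per-service rules."""
    ip_address(host)   # fail early on a typo
    ip_network(lan)
    ssh_range = f"172.16.{seat}.1-172.16.{seat}.100"
    lines = [
        "*filter",
        ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
        ":clean_in - [0:0]",
        # exercise 4: drop impossible flag combinations before anything else
        f"-A INPUT -d {host} -j clean_in",
        "-A clean_in -p tcp --tcp-flags ALL ALL -j DROP",
        "-A clean_in -p tcp --tcp-flags ALL NONE -j DROP",
        # exercise 5 (loopback) and exercise 1 (let packets of accepted connections in)
        "-A INPUT -i lo -j ACCEPT",
        # exercise 1: request packets are ESTABLISHED by the time they carry a
        # payload, so the 'admin' filter must come before the state rule
        f'-A INPUT -d {host} -p tcp --dport 80 -m string --algo kmp --string "admin" -j REJECT --reject-with tcp-reset',
        "-A INPUT -m state --state ESTABLISHED -j ACCEPT",
        f"-A INPUT -d {host} -p tcp --dport 80 -m time ! --weekdays Mon -m limit --limit 100/sec -m state --state NEW -j ACCEPT",
        # exercise 2: ftp control channel in working hours, data channel rate-limited
        f"-A INPUT -s {lan} -d {host} -p tcp --dport 21 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:30:00 --timestop 18:00:00 -m state --state NEW -j ACCEPT",
        f"-A INPUT -s {lan} -d {host} -p tcp -m state --state RELATED -m limit --limit 5/min -j ACCEPT",
        # exercise 3: ssh from the seat's address range, at most 2 new connections/min
        f"-A INPUT -i {iface} -m iprange --src-range {ssh_range} -d {host} -p tcp --dport 22 -m state --state NEW -m limit --limit 2/min -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED -j ACCEPT",
        # exercise 5: we may ping out; replies return as ESTABLISHED; nobody may ping us
        f"-A OUTPUT -s {host} -p icmp --icmp-type 8 -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def check_ruleset(text: str) -> list:
    """Catch the mistakes that lock you out of a DROP-policy host: a jump to an
    undeclared chain, a DROP chain that accepts NEW connections but never
    ESTABLISHED ones, and a table block without its COMMIT."""
    problems = []
    chains, policies, rules = set(), {}, []
    for line in text.splitlines():
        if m := re.match(r":(\S+) (\S+) ", line):
            chains.add(m.group(1))
            policies[m.group(1)] = m.group(2)
        elif m := re.match(r"-A (\S+) (.*)", line):
            rules.append((m.group(1), m.group(2)))
    if not text.rstrip().endswith("COMMIT"):
        problems.append("missing COMMIT")
    for chain, body in rules:
        m = re.search(r"-j (\S+)", body)
        if m and m.group(1) not in BUILTIN_TARGETS and m.group(1) not in chains:
            problems.append(f"{chain}: jump to undeclared chain {m.group(1)}")
    for chain, policy in policies.items():
        bodies = [b for c, b in rules if c == chain]
        accepts_new = any("--state NEW" in b and "-j ACCEPT" in b for b in bodies)
        accepts_est = any("ESTABLISHED" in b and "-j ACCEPT" in b for b in bodies)
        if policy == "DROP" and accepts_new and not accepts_est:
            problems.append(f"{chain}: accepts NEW but never ESTABLISHED; connections will stall")
    return problems


if __name__ == "__main__":
    rules = build_ruleset()
    print(rules)
    print("problems:", check_ruleset(rules) or "none")
```

Write the output to a file and load it atomically with iptables-restore < exercises.rules (iptables-restore --test parses it without committing). Because the whole table is replaced in one step, there is no window in which the DROP policy is active without the ESTABLISHED and ssh rules.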
