
What is the use of Linux's iptables command

2025-03-31 Update. From: SLTechnology News&Howtos (shulou), section: Development


Shulou(Shulou.com)06/01 Report--

This article introduces what the Linux iptables command is used for. Many people have questions about it in daily operation, so the editor consulted a range of material and put together simple, practical instructions, in the hope that they help answer the question "what is the use of Linux's iptables command?". Please follow along.

Linux common commands: iptables. The iptables command is a commonly used firewall tool on Linux and is part of the netfilter project. It can be configured directly or through many front-ends and graphical interfaces.


Syntax

  iptables [option] [parameter]

Options

-t, --table table: operate on the specified table; table must be one of raw, nat, filter or mangle. If this option is not given, the filter table is used.

# Generic matches: source and destination address matching
-p: specify the protocol type of the packet to match.
-s, --source [!] address[/mask]: match packets whose source address is the given address or address range. Without a mask, address is a single host, such as 192.168.1.1; with a mask it denotes a range, such as 192.168.1.0/255.255.255.0.
-d, --destination [!] address[/mask]: same address format as above, but matched against the destination address.
-i, --in-interface [!] name: match packets arriving on the named network interface, most commonly eth0. Note: this only applies to the INPUT, FORWARD and PREROUTING chains. If not specified, packets from any interface match. As with the options above, "!" negates the match.
-o, --out-interface [!] name: match packets leaving via the named network interface. Only applies to the OUTPUT, FORWARD and POSTROUTING chains.

# Viewing commands
-L, --list [chain]: list all rules on the given chain; if no chain is given, list the rules of every chain in the table.

# Rule management commands
-A, --append chain rule-specification: append the rule to the end of the chain, so it is evaluated last. The rule itself is given by the matches that follow.
-I, --insert chain [rulenum] rule-specification: insert one or more rules at the given position in the chain. Rule number 1 is the head of the chain, and is the default when no number is given.
-D, --delete chain rule-specification, or -D, --delete chain rulenum: delete one or more rules from the chain, either by match or by number.
-R, --replace chain rulenum rule-specification: replace (modify) the rule at the given number.

# Chain management commands (all take effect immediately)
-P, --policy chain target: set the default policy target of the chain. Only built-in chains may have a policy; user-defined chains may not.
-F, --flush [chain]: delete all rules on the given chain; with no chain, delete the rules of every chain in the table.
-N, --new-chain chain: create a new user-defined chain with the given name.
-X, --delete-chain [chain]: delete the given chain, which must not be referenced by any rule and must contain no rules. With no chain name, delete every non-built-in chain in the table.
-E, --rename-chain old-chain new-chain: rename the chain; this does not affect its contents.
-Z, --zero [chain]: reset the packet and byte counters of the given chain, or of every chain in the table.
-j, --jump target: the action to take when the rule matches. target can be a built-in target such as ACCEPT, or a user-defined chain.
-h: display help.

Basic parameters

-P  set the default policy, e.g. iptables -P INPUT DROP
-F  flush the rule chain
-L  list the rule chain
-A  append a new rule at the end of the chain
-I num  insert a new rule at position num (the head of the chain by default)
-D num  delete rule number num
-s  match the source address IP/MASK; prefix the address with "!" to match everything except it
-d  match the destination address
-i ifname  match packets arriving on this network card
-o ifname  match packets leaving via this network card
-p  match the protocol, e.g. tcp, udp, icmp
--dport num  match the destination port number
--sport num  match the source port number

Command option order

  iptables -t <table> <command> <chain> [rule-number] -p <protocol> --sport <source-port> --dport <destination-port> -j <action>

Working mechanism

The rule chain names (also called the five hook functions) are:

INPUT chain: processes input packets.

OUTPUT chain: processes output packets.

FORWARD chain: handles forwarding packets.

PREROUTING chain: used for destination address translation (DNAT).

POSTROUTING chain: used for source address translation (SNAT).

Firewall policies generally fall into two types: an "allow" policy and a "block" policy. Under an allow policy the door is closed by default, so you must define who may enter. Under a block policy the door is open, but you must authenticate, otherwise you cannot enter. So we have to define who is let in and who is let out; passing through or blocking is a choice. When defining a policy we need several functions: the filter function, which defines whether a packet is allowed or not, and the nat function, which defines address translation. So that these functions can work side by side, the concept of a "table" is used to separate the different functions and processing methods.

Three of these functions are the ones commonly used:

filter, which decides whether a packet is allowed, can only work on three chains: INPUT, FORWARD, OUTPUT.

nat, which defines address translation, can only work on three chains: PREROUTING, OUTPUT, POSTROUTING.

mangle, which modifies the original packet data, can work on all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

Modifying the original packet data includes changing the TTL; the packet's metadata can be taken apart and its contents marked or modified. Firewall marking is in fact implemented by mangle.

In short:

filter can only be used on three chains: INPUT, FORWARD and OUTPUT.

nat can generally only be used on three chains: PREROUTING, OUTPUT and POSTROUTING.

mangle can be used on all five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

The iptables program runs in user space; it loads rules that take effect immediately and is not a service in itself. On many distributions iptables is nonetheless packaged as a service that can be started and stopped: starting it loads the saved rules, and stopping it removes them.

iptables also supports user-defined chains, but a user-defined chain must be attached to a built-in chain: a rule in the built-in chain jumps to the custom chain when a packet matches, and when the custom chain finishes, processing returns to the built-in chain and continues checking there.

Note: the order of the rules is critical. The stricter a rule, the higher it should be placed, because rules are checked from top to bottom.

Table names include:

Raw: advanced features, such as URL filtering.

Mangle: packet modification (QOS), used to achieve quality of service.

Nat: address translation for gateway routers.

Filter: packet filtering for firewall rules.

Actions include:

ACCEPT: receives a packet.

DROP: drop the packet.

REDIRECT: redirect, mapping, transparent proxy.

SNAT: source address translation.

DNAT: destination address translation.

MASQUERADE: IP masquerading (NAT) for ADSL connections.

LOG: logging.

SECMARK: set a SECMARK label on the packet for SELinux mandatory access control (MAC).

[Diagram: packet flow through the tables and chains. A packet from the network passes the nat table's PREROUTING chain, then the routing decision; a packet for this host goes through the filter table's INPUT chain to the local process. A packet generated locally passes the nat table's OUTPUT chain, a routing decision, the filter table's OUTPUT chain and the nat table's POSTROUTING chain before leaving for the network.]

Examples

Clear all current rules and counters

  iptables -F    # flush all firewall rules
  iptables -X    # delete user-defined (empty) chains
  iptables -Z    # zero the counters

Configure to allow ssh port connections

  iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
  # 22 is your ssh port. -s 192.168.1.0/24 means only machines on that network segment may connect; addresses on other segments cannot log in to your machine. -j ACCEPT means accept such requests.

Allow the local loopback address to be used normally

  iptables -A INPUT -i lo -j ACCEPT     # the loopback address 127.0.0.1 is used by the machine itself, so it is set to allow
  iptables -A OUTPUT -o lo -j ACCEPT

Set default rules

  iptables -P INPUT DROP       # by default, let nothing in
  iptables -P FORWARD DROP     # by default, do not forward
  iptables -P OUTPUT ACCEPT    # by default, anything may go out

Configure a whitelist

  iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT             # allow computers in the server room to access
  iptables -A INPUT -p all -s 192.168.140.0/24 -j ACCEPT           # allow computers in the server room to access
  iptables -A INPUT -p tcp -s 183.121.3.7 --dport 3380 -j ACCEPT   # allow 183.121.3.7 to access port 3380 of this machine

Open the corresponding service ports

  iptables -A INPUT -p tcp --dport 80 -j ACCEPT                      # open port 80, because the web server faces outside
  iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT                  # allow being pinged
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # connections that are already established must be let in

Save the rules to the configuration file

  cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak   # back up before any change; please keep this excellent habit
  iptables-save > /etc/sysconfig/iptables
  cat /etc/sysconfig/iptables

List the rules that have been set

  iptables -L [-t table-name] [chain-name]
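The commands above add rules one at a time, and the earlier note about rule order applies to every one of them. The script below is an added example, not code from the article: it renders the same whitelist policy as a single iptables-restore file, so the whole ruleset is loaded atomically instead of rule by rule, and it checks the ordering before anything is loaded. The admin network 192.168.1.0/24 and the ports are the article's; the backup path /root/iptables.bak and the `apply` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): build the article's whitelist
# policy as an iptables-restore file and sanity-check it before loading.
# Assumptions: admin network passed as $1, backup written to /root/iptables.bak.

# build_ruleset ADMIN_NET -> prints an iptables-restore file for the filter table
build_ruleset() {
    admin_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: many local services talk to 127.0.0.1
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened; near the top so the cheap
# conntrack match handles most packets before any port rule is evaluated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management: ssh only from the admin network
-A INPUT -p tcp -s ${admin_net} --dport 22 -j ACCEPT
# public services
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# explicit final reject; the chain policy is DROP anyway
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# count_rules FILE_TEXT TARGET -> number of rules in the text that jump to TARGET
count_rules() {
    printf '%s\n' "$1" | grep -c -- "-j $2"
}

# check_order FILE_TEXT -> succeeds only if the ESTABLISHED,RELATED rule
# comes before the first port-specific rule (the ordering the article recommends)
check_order() {
    est=$(printf '%s\n' "$1" | grep -n -- '--state ESTABLISHED' | cut -d: -f1)
    first_port=$(printf '%s\n' "$1" | grep -n -- '--dport' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$first_port" ] && [ "$est" -lt "$first_port" ]
}

# Only touches the live firewall when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    rules=$(build_ruleset 192.168.1.0/24)
    check_order "$rules" || { echo "rule order wrong, not applying" >&2; exit 1; }
    iptables-save > /root/iptables.bak            # back up first, as the article advises
    printf '%s\n' "$rules" | iptables-restore      # load the whole table in one step
fi
```

Because iptables-restore either loads the complete file or leaves the old rules untouched, there is no window in which the DROP policy is active but the ssh rule is not yet present, which is the lock-out risk of running `iptables -P INPUT DROP` before the ACCEPT rules.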

Four table names raw,nat,filter,mangle

Five rule chain names INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

The filter table contains three rule chains: INPUT, OUTPUT and FORWARD.

  iptables -L -t nat                  # list all rules in the nat table
  # ^ the table given with -t must be one of raw, nat, filter, mangle
  iptables -L -t nat --line-numbers   # number the rules
  iptables -L INPUT
  iptables -L -nv                     # this view is more detailed

Clear existing rules

  iptables -F INPUT    # flush all rules on the specified chain
  iptables -X INPUT    # delete the specified chain; it must not be referenced by any other rule and must contain no rules. If no chain name is given, all non-built-in chains in the table are deleted.
  iptables -Z INPUT    # zero all counters on the specified chain, or on all chains in the table

Delete an added rule

  # add a rule
  iptables -A INPUT -s 192.168.1.5 -j DROP

To show all iptables rules with their sequence numbers, run:

  iptables -L -n --line-numbers

For example, to delete rule number 8 in INPUT, run:

  iptables -D INPUT 8

Open the designated ports

  iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT               # allow the local loopback interface (the machine accessing itself)
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # allow established or related traffic
  iptables -A OUTPUT -j ACCEPT                                        # allow all outbound traffic from this machine
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT                       # allow access to port 22
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT                       # allow access to port 80
  iptables -A INPUT -p tcp --dport 21 -j ACCEPT                       # allow ftp service port 21
  iptables -A INPUT -p tcp --dport 20 -j ACCEPT                       # allow ftp service port 20
  iptables -A INPUT -j REJECT                                         # refuse everything not allowed by a rule above
  iptables -A FORWARD -j REJECT                                       # refuse everything not allowed by a rule above

Block IP addresses

  iptables -A INPUT -p tcp -m tcp -s 192.168.0.8 -j DROP   # block a malicious host (such as 192.168.0.8)
  iptables -I INPUT -s 123.45.6.7 -j DROP      # block a single IP
  iptables -I INPUT -s 123.0.0.0/8 -j DROP     # block the whole 123.0.0.0 segment
  iptables -I INPUT -s 124.45.0.0/16 -j DROP   # block the IP segment 123.45.0.1 to 123.45.255.254
  iptables -I INPUT -s 123.45.6.0/24 -j DROP   # block the IP segment 123.45.6.1 to 123.45.6.254

Specify the network interface on which the packet goes out (only applies to the OUTPUT, FORWARD and POSTROUTING chains)

  iptables -A FORWARD -o eth0

View the rules that have been added

  iptables -L -n -v

Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Start network forwarding rules

Public address 210.14.67.7 lets the intranet 192.168.188.0/24 reach the Internet:
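The packet and byte counters in the listing above are the quickest audit signal iptables offers: a rule that never matches is either redundant or shadowed by an earlier rule, and the policy counter of a DROP chain shows how much traffic the default policy is absorbing. The script below is an added example, not from the article; it parses a listing in the format of `iptables -L -n -v`. The listing embedded in it is constructed for the example and modelled on the article's output, with two extra rules added so that the zero-hit case is exercised.

```shell
#!/bin/sh
# Added example (not from the original article): audit the counters printed by
# "iptables -L -n -v". The listing below is constructed sample data.

SAMPLE_LISTING='Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.8          0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# unused_rules LISTING -> one line per rule whose packet counter is 0:
#   "<chain> <rule-number> <target> <rest of the rule>"
# The rule number is the position within its chain, i.e. what
# "iptables -L --line-numbers" would print and what "iptables -D CHAIN n" takes.
unused_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /        { chain = $2; n = 0; next }   # new chain header
        /^ *pkts +bytes/ { next }                       # column header
        NF == 0          { next }                       # blank separator
        {
            n++
            if ($1 == 0) {
                rest = ""
                for (i = 4; i <= NF; i++) rest = rest " " $i
                print chain, n, $3 rest
            }
        }'
}

# policy_drops LISTING -> "<chain> <packets>" for every chain whose policy is DROP,
# i.e. traffic that matched no rule and was dropped by the default policy
policy_drops() {
    printf '%s\n' "$1" | awk '
        /^Chain .*\(policy DROP/ { print $2, $5 }'
}

# Stand-alone run: print both reports for the sample listing
echo "rules with zero hits:"
unused_rules "$SAMPLE_LISTING"
echo "packets dropped by chain policy:"
policy_drops "$SAMPLE_LISTING"
```

Run against a live host with `iptables -L -n -v | ...`, the same functions work unchanged; counters are cumulative since the last `iptables -Z`, so zero the counters and wait a representative period before drawing conclusions from a zero.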

  iptables -t nat -A POSTROUTING -s 192.168.188.0/24 -j SNAT --to-source 210.14.67.127

Port mapping

Map port 2222 of this machine to port 22 of an intranet virtual machine:

  iptables -t nat -A PREROUTING -d 210.14.67.127 -p tcp --dport 2222 -j DNAT --to-destination 192.168.188.115:22

String matching

For example, suppose we want to filter the string "test" in all TCP connections and terminate the connection as soon as it appears. We can do this:

  iptables -A INPUT -p tcp -m string --algo kmp --string "test" -j REJECT --reject-with tcp-reset
  iptables -L
  # Chain INPUT (policy ACCEPT)
  # target     prot opt source               destination
  # REJECT     tcp  --  anywhere             anywhere             STRING match "test" ALGO name kmp TO 65535 reject-with tcp-reset
  #
  # Chain FORWARD (policy ACCEPT)
  # target     prot opt source               destination
  #
  # Chain OUTPUT (policy ACCEPT)
  # target     prot opt source               destination

Stop Windows worm attacks

  iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --algo kmp --string "cmd.exe"

Prevent SYN flood attacks

  iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT

Add a SECMARK label

  iptables -t mangle -A INPUT -p tcp --src 192.168.1.2 --dport 443 -j SECMARK --selctx system_u:object_r:myauth_packet_t
  # adds the MAC security context to TCP packets sent from 192.168.1.2 to port 443 of this machine

More examples: use iptables to build a powerful security shield, http://www.imooc.com/learn/389
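The port-mapping rule above only rewrites the destination address in the nat table. On a host whose FORWARD policy is DROP (as set earlier in the article) the rewritten packet is then dropped in the filter table, and without net.ipv4.ip_forward the kernel will not forward it at all. The script below is an added example, not from the article: it generates the nat and filter rules that together make the 2222 to 22 mapping work, as one iptables-restore file. The addresses and ports are the article's; the `apply` argument is an assumption made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): complete rule set for a DNAT
# port mapping, covering the nat rewrite and the FORWARD rules it depends on.

# port_forward_rules PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
#   -> prints an iptables-restore file touching the nat and filter tables
port_forward_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite the destination before the routing decision, so the packet is routed
# towards the internal host instead of being delivered locally
-A PREROUTING -d $1 -p tcp --dport $2 -j DNAT --to-destination $3:$4
COMMIT
*filter
:FORWARD DROP [0:0]
# the DNATed packet is forwarded, so it must also pass the FORWARD chain;
# conntrack lets the reply direction through without a second port rule
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d $3 -p tcp --dport $4 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# forward_tables FILE_TEXT -> the tables a restore file touches, space separated
forward_tables() {
    printf '%s\n' "$1" | sed -n 's/^\*//p' | tr '\n' ' ' | sed 's/ $//'
}

# Only touches the live system when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    port_forward_rules 210.14.67.127 2222 192.168.188.115 22 | iptables-restore --noflush
fi
```

`iptables-restore --noflush` adds these rules without discarding the tables' existing contents; a file loaded without `--noflush` replaces every table it names, which is the behaviour wanted for a full ruleset but not for a single mapping added to a running firewall.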

Iptables: application layer Firewall tool under linux

The 5 iptables chains correspond to netfilter hook points. netfilter: a packet-processing module inside the kernel of the Linux operating system. Hook point: the place in netfilter where packet handling is attached: PRE_ROUTING / INPUT / OUTPUT / FORWARD / POST_ROUTING.

Iptables & netfilter

Iptables 4 Table 5 chain

Iptables rules

4 tables

filter: access control / rule matching; nat: address translation; mangle / raw.

Rules

Data access control: ACCEPT / DROP / REJECT. Packet rewriting (nat, address translation): SNAT / DNAT. Information recording: LOG.

Usage scenarios

Scenario 1

Open TCP ports 10-22 and port 80, allow ICMP, and refuse access to all other ports.

Problem with the basic rules: the machine cannot access itself, and the machine cannot access other hosts.

Scenario 2

FTP: passive mode by default (the server opens a random port and tells the client, and the client actively connects to that port to pull the data). vsftpd can also support active mode (the client opens a random port and tells the server, and the server actively connects to that port to send the data).

Scenario 3

Allow access from the public network: web: http -> 80/tcp, https -> 443/tcp; mail: smtp -> 25/tcp, smtps -> 465/tcp, pop3 -> 110/tcp, pop3s -> 995/tcp, imap -> 143/tcp.

Internal use: file: nfs -> 123/udp, samba -> 137/138/139/445/tcp, ftp -> 20/21/tcp; remote: ssh -> 22/tcp; sql: mysql -> 3306/tcp, oracle -> 1521/tcp.

Scenario 4

Nat forwarding

Scenario 5

Defense against CC attacks

  iptables -L / -F / -A / -D    # list, flush, append, delete

  # scenario 1
  iptables -I INPUT -p tcp --dport 80 -j ACCEPT      # allow tcp port 80
  iptables -I INPUT -p tcp --dport 10:22 -j ACCEPT   # allow tcp ports 10-22
  iptables -I INPUT -p icmp -j ACCEPT                # allow icmp
  iptables -A INPUT -j REJECT                        # add a rule refusing everything else

  # scenario 1, optimised
  iptables -I INPUT -i lo -j ACCEPT                                   # allow the machine to access itself
  iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # allow replies from the public network
  iptables -I INPUT -p tcp --dport 80 -s 10.10.188.233 -j ACCEPT      # allow only a fixed ip to access

  # scenario 2
  vi /etc/vsftpd/vsftpd.conf    # enable ftp active mode
    port_enable=YES
    connect_from_port_20=YES
  iptables -I INPUT -p tcp --dport 21 -j ACCEPT

  vi /etc/vsftpd/vsftpd.conf    # ftp passive mode; a fixed port range is recommended
    pasv_min_port=50000
    pasv_max_port=60000
  iptables -I INPUT -p tcp --dport 21 -j ACCEPT
  iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT
  # the iptables ftp connection-tracking module can also be used to open the data port automatically

  # scenario 3
  iptables -I INPUT -i lo -j ACCEPT                                   # allow local access
  iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # allow replies from the public network
  iptables -I INPUT -s 10.10.155.0/24 -j ACCEPT                       # allow intranet access
  iptables -I INPUT -p tcp -m multiport --dports 80,1723 -j ACCEPT    # allow ports 80 (http) and 1723 (vpn)
  iptables -A INPUT -j REJECT                                         # add a rule refusing everything else
  iptables-save                                                       # save the settings to the configuration file

  # scenario 4
  iptables -t nat -L                                                                   # view the nat configuration
  iptables -t nat -A POSTROUTING -s 10.10.177.0/24 -j SNAT --to 10.10.188.232          # SNAT
  vi /etc/sysconfig/network                                                            # configure the gateway
  iptables -t nat -A PREROUTING -d 10.10.188.232 -p tcp --dport 80 -j DNAT --to 10.10.177.232:80   # DNAT

  # scenario 5
  iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT   # limit the number of concurrent connections
  iptables -I INPUT -m limit --limit 3/hour --limit-burst 10 -j ACCEPT                     # limit module; --limit-burst defaults to 5
This concludes the study of "what is the use of Linux's iptables command". I hope it resolves your doubts; combining theory with practice is the best way to learn, so go and try it. To keep learning, please continue to follow the website, where the editor will keep bringing you more practical articles.

© 2024 shulou.com SLNews company. All rights reserved.