Shulou(Shulou.com)06/01 Report--

This article introduces to you what the basic knowledge of Linux system iptables is, the content is very detailed, interested friends can use it for reference, hope to be helpful to you.

Iptables firewall can be used to create filtering (filter) and NAT rules. All Linux distributions can use iptables, so understanding how to configure iptables will help you manage Linux firewalls more effectively.

one。 Concept

A typical firewall setting has two network cards: one inflow and one outflow. Iptables reads the headers of incoming and outgoing packets, compares them with rule sets (Ruleset), forwards acceptable packets from one network card to another, and can discard or process rejected packets in a defined way.

Rules control packet filtering by providing firewalls with instructions on what to do with packets from a source address, to a destination, or with a specific protocol type. These rules are established by using the special command iptables provided by the iptables system and added to the chain in the kernel space-specific packet filter table. For commands to add, remove, and edit rules, the general syntax is as follows:

Iptables [- t table] command [match] [target]

1. Table (table)

The [- t table] option allows you to use any table other than the standard table. A table is a packet filtering table that contains rules and chains that handle only specific types of packets. There are three table options available: filter, nat, and mangle. This option is not required, and if not specified, filter is the default table.

. command (command)

The command part is the most important part of the iptables command. It tells the iptables command what to do, such as inserting a rule, adding a rule to the end of the chain, or deleting a rule.

-N:new New-x: delete one-F:flush-z: zero-P:policy-E: rename

3. Match (match)

The optional match section of the iptables command specifies the characteristics (such as source address, destination address, protocol, and so on) that a packet should have to match a rule. Matching can be divided into two categories: general matching and protocol-specific matching. Here is an introduction to general matching of packets that can be used with any protocol:

Basic match:-srecom talk srcverse source: source address of the matching packet-djinger talk talk destination: destination address of the match packet-I: specify the inflow interface of the packet-o: specify the outflow interface of the packet-p: protocol matching (tcp,udp,icmp) extension matching: implied extension:-p tcp- sport source port-dport destination port-tcp-flags flag bit Match packet type SYN,ACK,RST,FIN,URG,PSH,ALL,NONE-syn-p udp-sport-dport-p icmp- icmp-type echo-request,8 echo-reply,0

Display extension:-m state-state: detect NEW,ESTABLISHED,RELATED,INVALID for packet status rules (unrecognized)

-m multiport-sports 225080 90 (specify multiple source ports, separated by "," up to 15)-dports specify multiple destination ports-ports-m conlimit (number of concurrent connections)-cornlimit-above 5 (more than 5)! -cornlimit-above 5 (less than 5)-m string (based on string matching)-algo (kmp | bm)-string pattern-m time-timestart 07:10-timestop 23:59:59

4. Target (target)

The goal is the actions specified by the rules that are performed on packets that match those rules. In addition to allowing user-defined goals, there are many target options available:

-j ACCEPT: when a packet exactly matches a rule with an ACCEPT target, it is accepted. DROP: recall blocking a packet when it exactly matches a rule with a DROP target without doing any processing

REJECT: this destination works the same way as DROP, but does not directly discard the packet, but returns an error message.

What is Linux system Linux is a free-to-use and free-spread UNIX-like operating system, is a POSIX-based multi-user, multi-task, multi-threaded and multi-CPU operating system, using Linux can run major Unix tools, applications and network protocols.

On the Linux system iptables basic knowledge shared here, I hope that the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.