How to define and delete iptables rules (the software firewall under Linux)

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

How are rules defined and deleted in iptables, the software firewall under Linux? This question comes up often in daily study and work. The reference material below walks through it step by step; let's take a look.

Preparatory work

Before writing any rules, we first stop the firewalld service, start the iptables service, and then clear the existing rules (-F flushes all rules, -X deletes any user-defined chains, and -Z zeroes the packet and byte counters).

# systemctl stop firewalld
# systemctl start iptables
# iptables -F
# iptables -X
# iptables -Z

New rule chain

There are many options when adding a rule to an iptables chain. Let's look at the basic syntax first:

iptables [-t table] -A|-I chain [-i|-o interface] [-m state --state state] \
  [-p protocol] [-s source [--sport port-range]] [-d destination [--dport port-range]] \
  -j ACCEPT|DROP|REJECT

Options and parameters:

-A | -I chain: -A appends the rule after the existing rules in the chain, while -I inserts it at the top of the chain.

-i | -o interface: -i is the interface the packet arrives on and is used with the INPUT or PREROUTING chain; -o is the interface the packet leaves on and is used with the OUTPUT chain.

-p protocol: the common protocols are tcp, udp, icmp and all.

-m state: match on the connection-tracking state of the packet.

--state: the common states are INVALID (invalid packet), ESTABLISHED (connection already successfully established), NEW (packet that starts a new connection) and RELATED (new connection associated with an existing connection).

-s source: an IP address such as 192.168.1.110, or a network address such as 192.168.1.0/24.

-d destination: the destination address, written the same way.

-j target: the action to take, such as ACCEPT (accept), DROP (discard silently) or REJECT (reject, sending an error back to the sender).

Rules for IP addresses, networks and network interfaces

Next, several example rules. We allow packets from 192.168.1.110 and drop packets from 192.168.1.111.

# iptables -A INPUT -s 192.168.1.110 -j ACCEPT
# iptables -I INPUT -s 192.168.1.111 -j DROP
# iptables -vnL
Chain INPUT (policy ACCEPT 33 packets, 3048 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18 packets, 1844 bytes)
 pkts bytes target     prot opt in     out     source               destination

Allow packets from the 192.168.1.0/24 network:

# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# iptables -vnL
Chain INPUT (policy ACCEPT 29 packets, 2328 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.1.111        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.110        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15 packets, 1460 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now consider whether a packet from 192.168.1.111 is accepted or dropped. The first INPUT rule drops it, but the last rule would accept it. The answer is that it is dropped: iptables evaluates a chain from top to bottom, and as soon as one rule matches, the rules below it are not consulted. The order of the rules in a chain is therefore very important.
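To make the first-match behaviour concrete, here is an added shell simulation (not part of the article) that walks the INPUT chain from the listing above in order and reports which target decides a packet from a given source. The chain contents and the ACCEPT policy are re-typed from the listing as constructed data; the ip2int, in_cidr and first_match helpers are the example's own.

```shell
#!/bin/sh
# Added example: simulates iptables' top-to-bottom, first-match evaluation of
# the INPUT chain shown above. Constructed data; not the article's own script.

ip2int() {
    # Dotted-quad IPv4 address -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # $1 = address, $2 = network[/prefix]; a bare address means /32, as in iptables
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The INPUT chain exactly as iptables -vnL listed it: -I put the DROP at the
# top, the two ACCEPT rules were appended with -A. Chain policy: ACCEPT.
INPUT_RULES="DROP 192.168.1.111
ACCEPT 192.168.1.110
ACCEPT 192.168.1.0/24"
INPUT_POLICY=ACCEPT

first_match() {
    # Walk the chain top to bottom; the first rule whose source matches decides
    # and later rules are never consulted. With no match, the chain policy applies.
    while read -r target src; do
        [ -n "$target" ] || continue
        if in_cidr "$1" "$src"; then
            printf '%s\n' "$target"
            return 0
        fi
    done <<EOF
$INPUT_RULES
EOF
    printf '%s\n' "$INPUT_POLICY"
}

for ip in 192.168.1.111 192.168.1.110 192.168.1.50 10.0.0.1; do
    printf '%-15s -> %s\n' "$ip" "$(first_match "$ip")"
done
```

192.168.1.111 is inside 192.168.1.0/24 too, but the DROP rule sits above the /24 ACCEPT, so the ACCEPT is never reached; swapping the two lines in INPUT_RULES flips the verdict.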

Another case: accept everything arriving on the local loopback interface lo.

# iptables -A INPUT -i lo -j ACCEPT

Rules for ports

Drop all packets arriving at this machine on port 21:

# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP

Open the ports from 1024 to 65534. A continuous range is written as port:port.

# iptables -A INPUT -i eth0 -p tcp --dport 1024:65534 -j ACCEPT

Let's look at two comprehensive rules.

Port 3306 of this machine is not open to the 192.168.1.0/24 network.

The ssh service of this machine does not accept packets coming from source port 1024 of the 192.168.1.0/24 network.

# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 3306 -j DROP
# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
  --sport 1024 --dport 22 -j DROP

Rules based on the connection state of packets

Common packet states are INVALID (invalid packet), ESTABLISHED (status that has been successfully connected), NEW (newly established packet), and RELATED (new connection associated with an existing connection).

Accept all packets in the ESTABLISHED and RELATED states, and drop all packets in the INVALID state:

# iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP

Deleting rules

Deleting a rule works almost exactly like adding one: replace -A with -D and give the same match and target. First list the current rules with iptables-save, then delete a few of them.

# iptables-save
# Generated by iptables-save v1.4.21 on Sun Nov 15 22:36:41 2020
*filter
:INPUT ACCEPT [42:1920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16:1380]
-A INPUT -s 192.168.1.111/32 -j DROP
-A INPUT -s 192.168.1.110/32 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
...
# iptables -t filter -D INPUT -s 192.168.1.111/32 -j DROP
# iptables -D INPUT -s 192.168.1.110/32 -j ACCEPT

Note: the iptables settings above live only in memory and disappear when the system is restarted. So, as long as you do not lock yourself out of the machine, go ahead and practise freely.

If you want to keep the rules across a restart, run /usr/libexec/iptables/iptables.init save.

Thank you for reading! After the above, do you have a general understanding of how iptables rules are defined and deleted on a Linux software firewall? I hope the article has been helpful. If you would like to read more related articles, you are welcome to follow the industry information channel.
