2025-03-30 Update. From: SLTechnology News&Howtos, Servers
Shulou(Shulou.com)06/01 Report--
This article introduces how to build iptables rules and chains. Many people run into difficulties with this in practice, so let Xiaobian walk you through how to handle these situations. I hope you read carefully and learn something!
Rules control packet filtering by instructing the firewall what to do with packets that come from a certain source, go to a certain destination, or carry a particular protocol. These rules are created with the iptables command provided by the netfilter/iptables system and are added to a chain inside a specific packet-filter table in kernel space. The general syntax for adding, removing, or editing rules is as follows:
The code is as follows:
$ iptables [-t table] command [match] [target]
Table
The [-t table] option lets you use a table other than the standard one. A table is a packet-filter table containing rules and chains that process only certain types of packets. Three tables are available: filter, nat, and mangle. The option is not required; if it is omitted, filter is used as the default table.
The filter table is used for general packet filtering and contains the INPUT, OUTPUT, and FORWARD chains. The nat table is used for packets that are to be forwarded and contains the PREROUTING, OUTPUT, and POSTROUTING chains. The mangle table is used when the packet or its header is to be modified. This table contains rules for marking packets for advanced routing and contains the PREROUTING and OUTPUT chains.
Note: The PREROUTING chain consists of rules specifying that packets change as soon as they arrive at the firewall, while the POSTROUTING chain consists of rules specifying that packets change just as they intend to leave the firewall.
Command
The mandatory command part of the syntax above is the most important part of the iptables command. It tells iptables what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule. Here are some of the most common commands:
-A or --append: This command appends a rule to the end of the chain.
Examples:
The code is as follows:
$ iptables -A INPUT -s 205.168.0.1 -j ACCEPT
The example command appends a rule to the end of the INPUT chain which states that packets from the source address 205.168.0.1 are accepted (ACCEPT).
-D or --delete: This command removes a rule from the chain, either by specifying the rule to match after -D or by specifying the rule's position number in the chain. The following example shows both methods.
Examples:
The code is as follows:
$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3
The first command removes, from the INPUT chain, the rule that drops TCP packets destined for port 80 (--dport is a tcp/udp option, so the rule must name the protocol with -p). The second command simply removes rule number 3 from the OUTPUT chain.
-P or --policy: This command sets the default target of the chain, known as its policy. All packets that do not match any rule in the chain are handled by the chain's policy.
Examples:
The code is as follows:
$ iptables -P INPUT DROP
This command sets DROP as the default target of the INPUT chain. This means that all packets that do not match any rule in the INPUT chain will be discarded.
-N or --new-chain: Creates a new chain with the name given in the command.
Examples:
The code is as follows:
$ iptables -N allowed-chain
-F or --flush: This command deletes all rules in the named chain if a chain name is specified, or all rules in every chain of the table if no chain name is specified. This parameter is used for quick cleanup.
Examples:
The code is as follows:
$ iptables -F FORWARD
$ iptables -F
-L or --list: Lists all rules in the specified chain.
Examples:
The code is as follows:
$ iptables -L allowed-chain
Match
The optional match section of the iptables command specifies the characteristics (such as source and destination addresses, protocol, and so on) that a packet must have in order to match the rule. Matches fall into two broad categories: generic matches and protocol-specific matches. Here, I'll look at generic matches, which can be used on packets of any protocol. Here are some important and commonly used generic matches with examples and descriptions:
-p or --protocol: This generic protocol match checks for a particular protocol. Examples of protocols are TCP, UDP, ICMP, a comma-separated list of any combination of these three protocols, and ALL (for all protocols). ALL is the default match. The ! symbol can be used to negate the match, so that everything except the named protocol matches.
Examples:
The code is as follows:
$ iptables -A INPUT -p tcp
$ iptables -A INPUT -p udp
$ iptables -A INPUT ! -p icmp
In the example above, the first two rules together match the same packets as the third: all TCP and UDP packets. By specifying ! icmp, we intend to allow every protocol other than ICMP (TCP and UDP in this case).
-s or --source: This source match matches packets on their source IP address. It also allows matching an IP address range, and the ! symbol negates the match. The default source match matches all IP addresses.
Examples:
The code is as follows:
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT ! -s 203.16.1.89
The first command matches packets from the single host 192.168.1.1. The second command specifies that the rule matches all packets from the IP address range 192.168.0.0 to 192.168.0.255 (the 192.168.0.0/24 network). The third command specifies that the rule matches any packet except those from the source address 203.16.1.89.
-d or --destination: This destination match matches packets on their destination IP address. It also allows matching an IP address range, and the ! symbol negates the match.
Examples:
The code is as follows:
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT ! -d 203.16.1.89
Target
We already know that targets are the actions specified by rules, performed on packets that match those rules. In addition to user-defined targets, many built-in targets are available. Here are some common targets with examples and descriptions:
ACCEPT: When a packet exactly matches a rule with an ACCEPT target, it is accepted (allowed to continue to its destination) and stops traversing the chain (although the packet may still traverse other chains in another table and possibly be dropped there). The target is specified as -j ACCEPT.
DROP: When a packet exactly matches a rule with a DROP target, the packet is blocked and not processed further. The target is specified as -j DROP.
REJECT: This target works the same way as the DROP target, but it is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and client; in addition, REJECT sends an error message back to the sender of the packet. The target is specified as -j REJECT.
Examples:
The code is as follows:
$ iptables -A FORWARD -p tcp --dport 22 -j REJECT
RETURN: A RETURN target in a rule stops packets matching the rule from traversing the chain containing the rule. If the chain is a main chain such as INPUT, the packet is then handled by the chain's default policy. It is specified as --jump RETURN (or -j RETURN).
Examples:
The code is as follows:
$ iptables -A FORWARD -d 203.16.1.89 -j RETURN
There are many other targets for building more advanced rules, such as LOG, REDIRECT, MARK, MIRROR, and MASQUERADE.
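To make the behaviour described in the Command, Match, and Target sections concrete (default policy, user-defined chains, RETURN, the ! negation, and --dport needing a protocol), here is a small simulator written for this page. It is an added example, not code from the original article or from the netfilter project: it accepts commands in the page's syntax, keeps a filter table in memory, and reports the verdict a constructed packet would reach without touching the kernel. All chain names, addresses, and packets in it are constructed.

```python
"""Added example (not from the original article): a simulator of the iptables
semantics described above. It parses commands in the page's syntax into a
filter table and evaluates constructed packets, without touching the kernel."""
import ipaddress
import shlex

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")   # chains of the filter table
TERMINAL = ("ACCEPT", "DROP", "REJECT")    # verdicts that end traversal
OPTS = {"-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport", "-j": "target", "--jump": "target"}


def parse_rule(args):
    """Turn a match/target spec such as ['!', '-p', 'icmp', '-j', 'DROP'] into a dict."""
    rule = dict.fromkeys(("proto", "src", "dst", "dport", "target"))
    invert = set()
    i = 0
    while i < len(args):
        if args[i] == "!":                     # '! -p icmp' negates the next match
            invert.add(OPTS[args[i + 1]])
            i += 1
        key, val = OPTS[args[i]], args[i + 1]  # KeyError for options not modelled here
        if key == "proto":
            val = val.lower()
        elif key in ("src", "dst"):            # single address or CIDR range
            val = ipaddress.ip_network(val, strict=False)
        elif key == "dport":
            val = int(val)
        rule[key] = val
        i += 2
    if rule["dport"] is not None and rule["proto"] not in ("tcp", "udp"):
        raise ValueError("--dport is a tcp/udp option: put -p tcp or -p udp first")
    rule["invert"] = invert
    return rule


def matches(rule, pkt):
    # True if pkt satisfies every match in rule, taking '!' negation into account
    tests = {"proto": lambda v: v == "all" or pkt["proto"] == v,
             "src": lambda v: ipaddress.ip_address(pkt["src"]) in v,
             "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in v,
             "dport": lambda v: pkt.get("dport") == v}
    return all(rule[k] is None or tests[k](rule[k]) != (k in rule["invert"]) for k in tests)


class FilterTable:
    def __init__(self):
        self.chains = {c: [] for c in BUILTIN}
        self.policy = {c: "ACCEPT" for c in BUILTIN}   # kernel default policy

    def run(self, line):
        """Apply one command written as on the page ('$ iptables ...')."""
        argv = [a for a in shlex.split(line) if a not in ("$", "iptables")]
        cmd, rest = argv[0], argv[1:]
        if cmd in ("-P", "--policy"):          # only built-in chains carry a policy
            self.policy[rest[0]] = rest[1]
        elif cmd in ("-N", "--new-chain"):
            self.chains[rest[0]] = []
        elif cmd in ("-F", "--flush"):         # one chain, or every chain in the table
            for c in rest or list(self.chains):
                self.chains[c].clear()
        elif cmd in ("-A", "--append"):
            self.chains[rest[0]].append(parse_rule(rest[1:]))
        elif cmd in ("-D", "--delete"):        # by 1-based position or by matching spec
            if len(rest) == 2 and rest[1].isdigit():
                del self.chains[rest[0]][int(rest[1]) - 1]
            else:
                self.chains[rest[0]].remove(parse_rule(rest[1:]))

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            target = rule["target"]
            if not matches(rule, pkt) or target is None:   # no -j: counting only
                continue
            if target in TERMINAL:
                return target
            if target == "RETURN":             # hand back to the calling chain
                return None
            sub = self._walk(target, pkt)      # jump into a user-defined chain
            if sub is not None:
                return sub
        return None                            # fell off the end of the chain

    def verdict(self, chain, pkt):
        # fate of pkt entering a built-in chain: a verdict, else the chain's policy
        return self._walk(chain, pkt) or self.policy[chain]


def demo():
    """Constructed ruleset and packets; returns the verdict reached by each packet."""
    t = FilterTable()
    for line in ("$ iptables -P INPUT DROP",
                 "$ iptables -N allowed-chain",
                 "$ iptables -A allowed-chain -s 192.168.0.0/24 -j ACCEPT",
                 "$ iptables -A allowed-chain -j RETURN",
                 "$ iptables -A INPUT -p tcp --dport 22 -j allowed-chain",
                 "$ iptables -A INPUT ! -p icmp -s 203.16.1.89 -j REJECT"):
        t.run(line)
    me = "192.168.0.1"   # constructed address of the firewall host itself
    return {
        "lan_ssh": t.verdict("INPUT", dict(proto="tcp", src="192.168.0.7", dst=me, dport=22)),
        "wan_ssh": t.verdict("INPUT", dict(proto="tcp", src="10.0.0.5", dst=me, dport=22)),
        "bad_host_tcp": t.verdict("INPUT", dict(proto="tcp", src="203.16.1.89", dst=me, dport=80)),
        "bad_host_icmp": t.verdict("INPUT", dict(proto="icmp", src="203.16.1.89", dst=me)),
    }
```

Running demo() shows the points the text makes: SSH from the LAN is accepted inside allowed-chain; SSH from elsewhere falls off that chain via RETURN, matches nothing else in INPUT, and so ends at the DROP policy; a non-ICMP packet from 203.16.1.89 is rejected, while an ICMP packet from the same host does not match the negated rule and is dropped by the policy instead.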
Saving the rules
You have now learned how to build basic rules and chains and how to add them to or remove them from the packet-filter table. Remember, however, that rules created this way are held only in the kernel and are lost when the system reboots. So if you have added an error-free, valid rule set to the packet-filter table and want to use it again after a reboot, you must save the rule set to a file. This is done with the iptables-save command:
The code is as follows:
$ iptables-save > iptables-script
All rules in the packet-filter table are now stored in the file iptables-script. Whenever the system boots again, you can use the iptables-restore command to load the rule set from the script file back into the packet-filter table, as follows:
The code is as follows:
$ iptables-restore < iptables-script
That concludes "How to implement iptables to establish rules and chains". Thank you for reading. If you want to learn more about industry-related knowledge, you can follow this website; Xiaobian will keep publishing high-quality practical articles for everyone!