How to configure Firewall in iptables

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many people setting up a Linux server for the first time have no clear idea how to configure a firewall with iptables. This article summarizes the basic concepts and the rules that are most often needed, so that after reading it you can build a working ruleset of your own.

Introduction to iptables

iptables is the user-space tool for the Linux kernel's netfilter packet-filtering framework, so all filtering is done in the kernel. Rules are organized into tables, and each table contains chains. The three tables used most are filter, nat and mangle (raw and security also exist but are not covered here).

filter decides whether packets pass; it contains the INPUT, OUTPUT and FORWARD chains.

nat handles network address translation; it contains the PREROUTING, POSTROUTING and OUTPUT chains (recent kernels also add an INPUT chain to nat).

mangle is used to alter packet headers (TTL, TOS/DSCP, firewall marks), which is what traffic shaping and policy routing build on. It contains all five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

How packets reach the chains: INPUT sees packets whose destination IP belongs to the local machine; FORWARD sees packets that are routed through this machine to another host; OUTPUT sees packets generated locally. In the nat table, PREROUTING rewrites the destination address before the routing decision (DNAT), and POSTROUTING rewrites the source address after it (SNAT).

Main parameters of iptables

-A appends a rule to the end of a chain

-t specifies the table to operate on; the default is filter

-D deletes a rule from a chain, identified either by its position number or by repeating the rule specification

-R replaces the rule at a given position

-I inserts a rule; by default it goes to the top of the chain (position 1)

-F flushes (deletes) every rule in the selected chain, or in all chains of the table if no chain is given; the flush is not persistent, and whatever the boot-time script loads comes back after a reboot

-N creates a user-defined chain

-X deletes an empty user-defined chain

-P sets the default policy of a built-in chain (ACCEPT or DROP)

-p specifies the protocol: tcp, udp, icmp, all, or a protocol number

-s specifies the source address or network (for example 192.168.0.3 or 192.168.0.0/24)

-d specifies the destination address or network

-i matches the interface a packet arrives on (usable in INPUT, FORWARD and PREROUTING)

-o matches the interface a packet leaves on (usable in OUTPUT, FORWARD and POSTROUTING)

-j specifies the target: ACCEPT, DROP, REJECT, SNAT, DNAT, MASQUERADE, LOG, or the name of a user-defined chain

--sport matches the source port

--dport matches the destination port; both port options require -p tcp or -p udp

Note on case: built-in chain names are uppercase (INPUT, FORWARD), table names are lowercase (filter, nat), targets are uppercase (ACCEPT, DROP), and protocol names and match options are lowercase (tcp, --dport). iptables is case-sensitive about all of these.

iptables configuration examples

Basic operations

iptables -L -n -v lists the rules of the filter table (add -t nat for the nat table; -n skips DNS lookups, -v shows packet counters and interfaces)

iptables -F flushes the rules of the built-in chains

iptables -X deletes user-defined chains (they must be empty, so run -F first)

Set default policies

If no rule in a chain matches a packet, the chain's default policy decides what happens to it.

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

Caution: on a remote machine, set INPUT to DROP only after the rules allowing SSH and loopback traffic are in place; otherwise the session you are working from is cut off the moment the policy is applied.

Configure SSH rules

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

The second rule is only needed if OUTPUT is set to DROP: without it the server's replies with source port 22 are dropped, inbound connections arrive but get no answer, and SSH logins hang. A single -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT rule in OUTPUT covers the replies of every allowed service at once.

Only allow the host 192.168.0.3 to connect over SSH:

iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

To allow or restrict a whole network instead of a single host, give the prefix in CIDR notation, for example -s 192.168.0.0/24.

Allow loopback communication

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

-p all is the default and can be omitted. Many local services talk to each other over 127.0.0.1, so these two rules belong in every ruleset that uses a DROP policy.
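The default policies, the SSH rule and the loopback rules above form one procedure, and the order in which they are applied matters on a remote host. The following script is an added example, not part of the original article: it writes the rules in iptables-save format so that iptables-restore loads the whole set atomically, rejects it first if it does not parse, and keeps a rollback timer so a mistake cannot lock you out of the session you are working from. The management subnet 192.168.0.0/24, SSH port 22 and the 60-second timer are assumed placeholders; -m conntrack --ctstate is used in place of the older -m state with the same meaning.

```shell
#!/bin/sh
# Added example: build a minimal host firewall and load it atomically with
# iptables-restore, keeping a rollback so a mistake cannot lock you out.
# ADMIN_NET, SSH_PORT and ROLLBACK_SECS are assumed placeholders.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Emit the ruleset in iptables-save format. Order matters: loopback and
# established traffic are accepted before anything can fall through to the
# DROP policy, so the SSH session used to apply the rules keeps working.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Count the rules (lines starting with -A) in a ruleset read from stdin.
count_rules() {
  grep -c '^-A '
}

# Apply with a dead-man switch: the previous rules are restored automatically
# unless the operator cancels the timer after confirming SSH still works.
apply_ruleset() {
  backup="$(mktemp)"
  iptables-save > "$backup"
  build_ruleset > "$backup.new"
  # Parse and construct the ruleset without committing it; abort on errors.
  iptables-restore --test "$backup.new" || { echo "ruleset rejected" >&2; return 1; }
  ( sleep "$ROLLBACK_SECS" && iptables-restore "$backup" ) &
  rollback_pid=$!
  iptables-restore "$backup.new"
  echo "rules applied; run 'kill $rollback_pid' within ${ROLLBACK_SECS}s to keep them"
}

# With "apply" as the first argument the rules are loaded (root required);
# otherwise the generated ruleset is printed for review.
if [ "${1:-}" = "apply" ]; then
  apply_ruleset
else
  build_ruleset
fi
```

Run it without arguments to review the generated file, then with apply over SSH; if the session survives, kill the rollback timer, otherwise wait and the previous rules return by themselves. The LOG rule at the end is rate-limited so a flood cannot fill the log, and the echo-request rule shows how the limit match is combined with a normal ACCEPT.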

Destination address translation (DNAT), mapping an internal address

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.1-192.168.0.10

The first rule sends TCP port 81 arriving on ppp0 to 192.168.0.2; the port is kept unless you append one, for example --to-destination 192.168.0.2:8081. The second gives an address range, and the kernel distributes new connections across it, a crude form of load balancing. A DNAT rule only rewrites the address: the translated packets still have to be accepted by the FORWARD chain, and net.ipv4.ip_forward must be enabled, or nothing reaches the internal host.

Source address translation (SNAT), hiding internal addresses

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source 1.1.1.1

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source 1.1.1.1-1.1.1.10

Packets from the 192.168.0.0/24 network leave with the source address 1.1.1.1 (or one address from the pool in the second rule), so only the translated address is visible outside. 1.1.1.1 is the article's placeholder; it is a real public address belonging to someone else, so replace it with an address actually assigned to your own external interface. Adding -o ppp0 keeps the rule from rewriting traffic that is routed between internal interfaces.

Address masquerading, NAT for a dynamic IP

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

The difference between MASQUERADE and SNAT: SNAT rewrites the source to a fixed address or address pool that you specify in the rule. MASQUERADE looks up the address currently assigned to the outgoing interface and uses that, which is what you want on dial-up or DHCP links such as ADSL where the external address changes: with SNAT you would have to edit the rule every time the address changes, with MASQUERADE no intervention is needed. The cost is a small per-packet lookup, and when the interface goes down the associated connection-tracking entries are discarded, so on a link with a fixed address SNAT is the better choice.

Enable forwarding

Forwarding must first be switched on in the kernel, otherwise the FORWARD chain never sees a packet: sysctl -w net.ipv4.ip_forward=1 (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it across reboots).

iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

The second rule lets hosts on eth2 open connections out through eth0; the first lets only the replies and related packets of those connections come back from eth0 to eth2, so nothing on the eth0 side can initiate a connection into the eth2 network. -m state is the older syntax; current releases prefer -m conntrack --ctstate, which takes the same state names.
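The DNAT, SNAT/MASQUERADE and forwarding rules of the last four sections are the parts of one NAT gateway. The script below is an added example of my own, not code from the article: it generates the complete ruleset (nat and filter tables) for a router with an internal interface eth0 on 192.168.0.0/24 and an external interface ppp0, masquerades the LAN, forwards external port 81 to 192.168.0.2, and switches kernel forwarding on. The interface names, LAN prefix, forwarded port and target host are the article's placeholder values and are assumptions here, as is the SSH access from the LAN; the generated text is meant to be loaded with iptables-restore.

```shell
#!/bin/sh
# Added example: generate a NAT gateway ruleset (nat + filter tables) for a
# Linux router. LAN_IF, WAN_IF, LAN_NET, FWD_PORT and FWD_HOST are assumed
# placeholder values taken from the article's examples.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
FWD_PORT="${FWD_PORT:-81}"
FWD_HOST="${FWD_HOST:-192.168.0.2}"

# Routing between interfaces is off by default; without it the FORWARD
# chain sees nothing. Reverse-path filtering drops spoofed source addresses.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Emit both tables in iptables-save format. Lines starting with # are
# comments, which iptables-restore ignores.
build_nat_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward: rewrite the destination before the routing decision
-A PREROUTING -i ${WAN_IF} -p tcp --dport ${FWD_PORT} -j DNAT --to-destination ${FWD_HOST}
# Hide the LAN behind whatever address the WAN interface currently has
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN may open connections outwards; replies come back via the rule above
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# The DNAT'd connection still has to pass FORWARD. The DNAT ctstate flag
# restricts this to packets that actually went through the PREROUTING rule.
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${FWD_HOST} -p tcp --dport ${FWD_PORT} -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Count the -A rules inside one table (nat or filter) of a ruleset on stdin.
count_table_rules() {
  awk -v t="*$1" '$0 == t {in_t=1; next} /^COMMIT/ {in_t=0} in_t && /^-A / {n++} END {print n+0}'
}

# With "apply" as the first argument, enable forwarding and load the rules
# (root required); otherwise print the ruleset for review.
if [ "${1:-}" = "apply" ]; then
  enable_forwarding && build_nat_ruleset | iptables-restore
else
  build_nat_ruleset
fi
```

The FORWARD policy is DROP, so the only traffic that crosses the router is what the LAN initiates plus the single forwarded port, and a host on the WAN side that somehow routes a packet directly to 192.168.0.2 is still blocked because its connection carries no DNAT flag.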

Filter by MAC address

iptables -A FORWARD -m mac --mac-source <MAC address> -j DROP

The mac match compares the source hardware address of the frame as it arrived on this machine, and it is only available in the PREROUTING, FORWARD and INPUT chains. Once a packet has crossed a router the source MAC in the frame is the router's, not the original sender's, so matching on MAC only identifies hosts on the network segment the firewall is directly attached to; on a routed path it says nothing about the original host and is meaningless.

Rate limiting

iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT

iptables -A FORWARD -d 192.168.0.1 -j DROP

The limit match is a token bucket: the first rule accepts packets to 192.168.0.1 at an average of 50 per second (with a burst of 5, the default for --limit-burst), and whatever exceeds that falls through to the second rule and is dropped. The two rules only work as a pair and in this order.

Multiport matching

Match several ports in one rule instead of writing one rule per port:

iptables -A INPUT -p tcp -m multiport --dports 21,22,80 -j ACCEPT

--dports takes up to 15 comma-separated ports or port ranges (for example 8000:8010); --sports and --ports exist as well.

Drop invalid packets

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

INVALID marks packets that connection tracking cannot associate with any known connection, for example stray TCP segments with impossible flag combinations or out-of-window sequence numbers; dropping them early keeps them from matching broader ACCEPT rules later in the chain. As with forwarding, -m conntrack --ctstate INVALID is the current form of the same match.

Save and restore iptables rules

iptables-save > somefile

iptables-restore < somefile

Rules live only in kernel memory and are lost at reboot. iptables-save writes the complete ruleset of all tables to a file, and iptables-restore loads it back in one atomic operation. Where that file goes depends on the distribution: Debian and Ubuntu use the iptables-persistent package with /etc/iptables/rules.v4, and RHEL-family systems use /etc/sysconfig/iptables with the iptables-services package. For anything beyond quick tests, edit the saved file rather than chaining many iptables commands by hand.
