2025-04-03 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains in detail how to use the iptables command in Linux. The editor shares it as a reference, and I hope you will have a working understanding of the topic after reading it.
iptables is a command-line tool that Linux administrators use to define IPv4 packet filtering rules and NAT. The iptables tool runs in user space and is mainly used to set up the rules; Netfilter, on the other hand, runs in kernel space and enforces the rules that have been set.
View the chain and rules of iptables
The command format for viewing rules is:
iptables [-t table] [-L] [-nv]
-t: the table to operate on, such as nat or filter. If omitted, the filter table is used.
-L: list the rules of all chains in the table, or of one named chain.
-n: show addresses and ports numerically instead of resolving names, which is much faster.
-v: verbose output, including the packet and byte counters of each rule, the network interfaces involved, etc.
List the rules of the filter table's INPUT chain:
$ sudo iptables -L INPUT
List the rules of the three chains of the nat table:
$ sudo iptables -t nat -L -n
List the rules of the three chains of the filter table:
$ sudo iptables -L
In the output, the header line of each chain (the part highlighted in the original screenshot) shows the chain's name and its default policy, which is ACCEPT for every chain in the filter table. What do the columns beneath it represent?
target: the action taken. ACCEPT lets the packet through, REJECT rejects it, and DROP discards it.
prot: the protocol the rule matches, mainly tcp, udp and icmp.
opt: additional option descriptions.
source: the source IP the rule matches.
destination: the destination IP the rule matches.
Because no custom rules have been added yet, every chain in the output is empty below its header line.
Clear the local firewall rules
The command format for clearing rules is as follows:
iptables [-t table] [-FXZ]
-F: flush all rules in the table (or in the named chain)
-X: delete all user-defined chains
-Z: zero the packet and byte counters of all chains
If we are going to develop a set of firewall rules, we usually clean up the existing rules and then create new ones from scratch. Let's clear all the rules in the local filter table:
$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -Z
Define the default policy
If a packet matches none of the rules in a chain, the chain's default policy is applied to it, which can be ACCEPT or DROP.
The existence of the default policy gives us two options when designing a firewall:
Set the default policy to DROP all packets, and then add rules to ACCEPT packets from trusted IP addresses, or packets for ports our services listen on, such as bittorrent, an FTP server, a web server, a Samba file server, and so on.
Set the default policy to ACCEPT all packets, and then add rules to DROP specific packets, for example packets from certain malicious IPs, or packets for ports on which we provide no public service.
In general, the first option is used for the INPUT chain, because we want to control who may access our resources. The second option is usually used for the OUTPUT chain, because we generally trust packets that leave the machine (they originate from the local host).
The command format for setting the default policy is as follows:
iptables [-t table] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
The -P option (capital P) defines the default policy. ACCEPT means accept the packet and DROP means discard it.
In general, we make the default policy of the filter table's INPUT chain strict, i.e. DROP, while FORWARD and OUTPUT can be looser and set to ACCEPT. For example, the following command sets the default policy of the filter table's INPUT chain to DROP:
$ sudo iptables -P INPUT DROP
Add rules
Rules match packets on attributes such as IP address, network segment, network interface and transport protocol (tcp, udp, etc.).
The command format for adding rules is as follows:
iptables [-AI chain] [-io interface] [-p protocol] [-s source IP] [-d destination IP] -j [ACCEPT,DROP,REJECT,LOG]
-A: append a rule to a chain; the new rule goes after the existing rules.
-I: insert a rule into a chain, optionally at a given position number; without a number the new rule becomes the first rule.
-i: the network interface the packet arrives on, such as eth0 or lo; used with the INPUT chain.
-o: the network interface the packet leaves through; used with the OUTPUT chain.
-p: the protocol this rule applies to (common values are tcp, udp and icmp; all matches every protocol).
-s: the source IP or network segment of the packet. You can give a single IP, such as 192.168.1.100, or a network segment, such as 192.168.1.0/24. It can also be negated with !, e.g. ! 192.168.1.0/24 matches packets from any source other than 192.168.1.0/24.
-d: the destination IP or network segment of the packet; otherwise the same as -s.
-j: the action to take on a match, such as ACCEPT, DROP, REJECT or LOG.
Let's take a look at some examples.
Accept everything on the local loopback interface lo:
$ sudo iptables -A INPUT -i lo -j ACCEPT
The command above treats the lo interface as a trusted device, so all packets entering through it are accepted.
Note that -s and -d are not given in the command above; an unspecified parameter matches any value.
Accept everything on an interface
As with lo, if you trust an interface completely, you can set it up just like lo:
$ sudo iptables -A INPUT -i eth2 -j ACCEPT
Accept only packets from a certain network segment of the intranet:
$ sudo iptables -A INPUT -i eth3 -s 192.168.10.0/24 -j ACCEPT
Accept or discard packets from a specific IP:
$ sudo iptables -A INPUT -i eth4 -s 192.168.100.5 -j ACCEPT
$ sudo iptables -A INPUT -i eth4 -s 192.168.100.6 -j DROP
Then look at the rules of the filter table:
$ sudo iptables -L -v
The iptables-save command provides another style of output:
$ sudo iptables-save
Use port numbers in rules
In the rules we add, we often need to specify the network protocol (tcp, udp, etc.) and the relevant port number. The basic command format is as follows:
iptables [-AI chain] [-io interface] [-p tcp,udp] [-s source IP] [--sport port range] [-d destination IP] [--dport port range] -j [ACCEPT,DROP,REJECT]
--sport: restrict the source port, which can be a single port or a range, such as 1024:65535
--dport: restrict the destination port.
Note that because only tcp and udp use port numbers, be sure to specify the protocol (-p tcp or -p udp) when using --sport and --dport.
Let's look at a few examples.
Drop all packets accessing local port 21 over tcp:
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
Drop packets that access the local ssh port from ports 1024:65535 of 192.168.1.0/24:
$ sudo iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65535 --dport ssh -j DROP
Common extension modules
Before Linux kernel 2.2, when ipchains was used to manage the firewall, both directions of a packet flow had to be controlled explicitly.
For example, to connect to port 22 of a remote host you had to set two rules:
Local ports 1024:65535 to remote port 22 must be allowed (OUTPUT chain).
Remote port 22 to local ports 1024:65535 must be allowed (INPUT chain).
This is troublesome: if you want to connect to port 22 of 10 remote hosts, then even with the local OUTPUT policy set to ACCEPT you still need 10 INPUT ACCEPT rules to accept packets from port 22 of those 10 hosts (given that the default INPUT policy is DROP).
iptables solves this with the state module, which asks: is the incoming packet a response to a request this host has sent? If it is determined to be a response to our own request, the packet is accepted.
The basic command format for using the state module is as follows:
iptables -A INPUT [-m state] [--state INVALID,ESTABLISHED,NEW,RELATED]
-m: specify an iptables extension module. Common modules are:
state: the connection state module
mac: a module for matching the hardware (MAC) address of the network card
--state: specify the connection state of the packet. Common states are:
INVALID: the packet is invalid
ESTABLISHED: the packet belongs to a connection that has already been established
NEW: the packet wants to establish a new connection
RELATED: the most commonly used; the packet is related to a connection our host initiated
Let's look at a few examples.
Accept packets as long as they belong to an established or related connection:
$ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Drop packets as long as they are invalid:
$ sudo iptables -A INPUT -m state --state INVALID -j DROP
Save the iptables configuration
Note that rules set with the iptables command live only in memory, so the whole configuration is lost when the system reboots.
We can save the iptables configuration to a file with the iptables-save command:
$ sudo touch /etc/iptables.conf
$ sudo chmod 666 /etc/iptables.conf
$ sudo iptables-save > /etc/iptables.conf
Import the configuration from the file with the iptables-restore command when needed:
$ sudo iptables-restore < /etc/iptables.conf
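As an added example (not the article's own commands), the rules from the sections above, combined into one filter-table ruleset in the iptables-save format that iptables-restore reads, so the default policy, interface rules, port rules and state rules are applied atomically in one step rather than one command at a time. The interface name, the admin subnet and the log prefix are assumed sample values.

```shell
#!/bin/sh
# Added example, not the article's own commands. Emits the ruleset in
# iptables-save format; "iptables-restore" applies it in one atomic step.
# Interface name and subnet are constructed sample values.

# Print a complete filter-table ruleset to stdout.
#   $1: interface facing untrusted networks (assumed default: eth0)
#   $2: subnet allowed to open ssh sessions (assumed default: 192.168.1.0/24)
build_ruleset() {
    iface="${1:-eth0}"
    admin_net="${2:-192.168.1.0/24}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted; with no -s/-d, any address matches
-A INPUT -i lo -j ACCEPT
# drop malformed packets, then accept replies to connections this host started
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new ssh sessions only from the admin subnet (port matching needs -p tcp)
-A INPUT -i $iface -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT
# explicitly refuse ftp; anything unmatched falls through to the DROP policy
-A INPUT -i $iface -p tcp --dport 21 -j REJECT
# log what is about to be dropped, rate-limited so it cannot flood syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Checks to run before restoring: INPUT must default to DROP, and the
# ESTABLISHED rule must precede every port rule, because rules are evaluated
# top to bottom and return traffic should be accepted before port matching.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED' | cut -d: -f1 | head -n 1)
    port=$(printf '%s\n' "$rules" | grep -n -e '--dport' | cut -d: -f1 | head -n 1)
    [ -n "$est" ] && [ -n "$port" ] && [ "$est" -lt "$port" ]
}

# Usage: build_ruleset eth0 192.168.1.0/24 | sudo tee /etc/iptables.conf >/dev/null
#        sudo iptables-restore < /etc/iptables.conf
```

Because iptables-restore is run as root, the saved file should stay root-owned and not world-writable; whoever can edit it controls the firewall after the next restore.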
That is all on how to use the iptables command in Linux. I hope the above content is of some help to you and lets you learn more. If you think the article is good, share it so more people can see it.