
Iptables summary

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

iptables: located at /sbin/iptables, it is a command-line tool for managing the firewall.

The packet-filtering firewall works at the network layer.

I. Rule chain: a rule chain is a collection of firewall rules / policies

INPUT: processes inbound packets

OUTPUT: processes outbound packets

FORWARD: processes forwarded packets

POSTROUTING chain: processes packets after routing

PREROUTING chain: processes packets before routing

II. Rule table: a rule table is a collection of rule chains (priority: raw, mangle, nat, filter)

Raw table: determines whether the packet is connection-tracked (OUTPUT, PREROUTING)

Mangle table: sets marks on packets (PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD)

Nat table: modifies the source or destination IP address or port in the packet (PREROUTING, POSTROUTING, OUTPUT)

Filter table: determines whether the packet is released (filtered) (INPUT, FORWARD, OUTPUT)

Matching order between rule chains

Inbound data: PREROUTING, INPUT

Outbound data: OUTPUT, POSTROUTING

Forwarded data: PREROUTING, FORWARD, POSTROUTING

III. Syntax format of the iptables command

iptables [-t table] management-option [chain] [match conditions] [-j target action or jump]

Note: when no table name is specified, the filter table is used by default

When no chain name is specified, all chains in the table are meant

Except when setting the default policy of a chain, matching conditions need to be specified

IV. Command options

-A: append (--append) a new rule at the end of the specified chain (note the difference from the insertion position of -I)

-D: delete (--delete) a rule in the specified chain; the rule to delete is identified by its sequence number or its content

-I: insert (--insert) a new rule into the specified chain. If no position is given, it is inserted at the beginning of the chain by default.

-R: replace (--replace) a rule in the specified chain; the rule to replace is identified by its sequence number or its content

-L: list (--list) all rules in the specified chain for viewing. If no chain name is given, the contents of all chains in the table are listed.

-F: flush (--flush) all rules in the specified chain. If no chain name is given, all chains in the table are cleared.

-N: create (--new-chain) a user-defined rule chain

-X: delete a user-defined rule chain in the specified table

-P: set the default policy (--policy) of the specified chain

-n: display the output in numeric form (--numeric)

-v: display detailed (--verbose) information when viewing the rule list

-V: view the version (--version) information of the iptables command tool

-h: view command help information (--help)

--line-numbers: when viewing the rule list, also display the sequence number of each rule in the chain

V. General conditional matching

Can be used directly and does not depend on other conditions or extension modules

Includes matching on network protocol, IP address, network interface and so on

1. Protocol matching

Use the form "-p protocol"

The protocol name can be any name defined in the "/etc/protocols" file

Commonly used protocols include tcp, udp, icmp, etc.

Example: reject all ICMP packets sent to the firewall

iptables -I INPUT -p icmp -j REJECT

2. Address matching

Use the form "-s source-address (--source)" and "-d destination-address (--destination)"

The address can be a single IP address or a network address (with mask length)

Example: refuse to forward packets from host 192.168.1.11

iptables -A FORWARD -s 192.168.1.11 -j REJECT

3. Network interface matching

Use the form "-i interface (--in-interface)" and "-o interface (--out-interface)", which correspond to the network interface that receives and the one that sends the packet, respectively.

Example: block the 10.20.30.0/24 network segment and unblock it 2 hours later

iptables -I INPUT -s 10.20.30.0/24 -j REJECT

iptables -I FORWARD -s 10.20.30.0/24 -j DROP

at now + 2 hours

at> iptables -D INPUT 1

at> iptables -D FORWARD 1

(end with Ctrl+D)

VI. Implicit conditional matching

1. Port matching

Use the form "--sport source-port" and "--dport destination-port"

A range of ports can be specified in the form "port1:port2"

Example: only allow SSH from the administrator network 202.13.0.0/16

iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

2. TCP flag matching

Use the form "--tcp-flags flags-to-check flags-that-must-be-set"

For example, "--tcp-flags SYN,RST,ACK SYN" checks the three flags SYN, RST and ACK; the condition is satisfied only when SYN is set (and RST and ACK are not).

Example: deny packets arriving on eth2 that directly access the firewall host, but allow the response packets to TCP requests made by the firewall to enter

iptables -P INPUT DROP

iptables -I INPUT -i eth2 -p tcp --tcp-flags SYN,RST,ACK SYN -j REJECT

iptables -I INPUT -i eth2 -p tcp ! --syn -j ACCEPT

(--syn is kept for compatibility with older versions of iptables; it is equivalent to --tcp-flags SYN,RST,ACK SYN)
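To make the first-match semantics behind the two examples above concrete (the SSH rules in VI.1, the --tcp-flags rules just shown, and the -A versus -I difference from section IV), here is an added Python model of how one chain is evaluated. It is not iptables code and not from this page; the rule and packet dictionaries and the addresses 202.13.7.9, 10.0.0.5 and 1.2.3.4 are constructed for the demonstration.

```python
import ipaddress
# Constructed, simplified model of how iptables walks one chain (not iptables
# code): rules are tested top to bottom, the first match decides, and the
# chain's default policy (-P) applies when nothing matches.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}

def flags_value(names):  # "SYN,RST,ACK" -> bitmask, as --tcp-flags reads it
    return sum(TCP_FLAGS[n] for n in names.split(","))

def matches(rule, pkt):
    """The -p, -i, --dport, -s and --tcp-flags matches used on the page."""
    for key, field in (("p", "proto"), ("i", "iface"), ("dport", "dport")):
        if key in rule and pkt.get(field) != rule[key]:
            return False
    if "s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["s"]):
        return False
    if "tcp_flags" in rule:  # (mask, comp[, negate]); "! --syn" is the negated form
        mask, comp, *neg = rule["tcp_flags"]
        hit = pkt.get("flags", 0) & flags_value(mask) == flags_value(comp)
        if hit == bool(neg and neg[0]):
            return False
    return True

def verdict(chain, pkt):  # chain = {"policy": ..., "rules": [...]}
    for rule in chain["rules"]:
        if matches(rule, pkt):
            return rule["j"]  # first match wins
    return chain["policy"]

def add(chain, rule, insert=False):  # -A appends; -I (no position) goes to the top
    chain["rules"].insert(0 if insert else len(chain["rules"]), rule)
ADMIN = {"proto": "tcp", "src": "202.13.7.9", "dport": 22}  # constructed packets
OTHER = {"proto": "tcp", "src": "10.0.0.5", "dport": 22}

def ssh_example(insert=False):
    """Section VI SSH rules, issued with -A as on the page, or with -I instead."""
    c = {"policy": "ACCEPT", "rules": []}
    add(c, {"p": "tcp", "dport": 22, "s": "202.13.0.0/16", "j": "ACCEPT"}, insert)
    add(c, {"p": "tcp", "dport": 22, "j": "DROP"}, insert)
    return verdict(c, ADMIN), verdict(c, OTHER)

def syn_example():
    """Section VI tcp-flags rules: policy DROP, then two -I rules for eth2."""
    c = {"policy": "DROP", "rules": []}
    add(c, {"i": "eth2", "p": "tcp", "tcp_flags": ("SYN,RST,ACK", "SYN"), "j": "REJECT"}, True)
    add(c, {"i": "eth2", "p": "tcp", "tcp_flags": ("SYN,RST,ACK", "SYN", True), "j": "ACCEPT"}, True)
    syn = {"proto": "tcp", "src": "1.2.3.4", "iface": "eth2", "flags": TCP_FLAGS["SYN"]}
    reply = dict(syn, flags=TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"])
    stray = dict(reply, iface="eth0")  # not from eth2: no rule matches, policy applies
    return verdict(c, syn), verdict(c, reply), verdict(c, stray)
```

Issued with -I instead of -A, the two SSH rules end up reversed and administrators are dropped as well; the same ordering is why the at job in section V that deletes rule 1 only removes the intended rule if nothing has been inserted above it in the meantime.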

3. ICMP type matching

Use the form "--icmp-type ICMP-type"

ICMP types can be given as type names or the corresponding numeric values, e.g. Echo-Request, Echo-Reply

Example: prevent other hosts from pinging the firewall host, but allow the firewall to ping other hosts (i.e. allow receiving ICMP reply packets)

iptables -A INPUT -p icmp --icmp-type Echo-Request -j DROP

iptables -A INPUT -p icmp --icmp-type Echo-Reply -j ACCEPT

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

VII. Explicit conditional matching

1. MAC address matching

Use the form "-m mac" combined with "--mac-source MAC-address"

Example: forbid forwarding packets from the host with MAC address 00:0C:29:27:55:3F

iptables -A FORWARD -m mac --mac-source 00:0C:29:27:55:3F -j DROP

2. Multi-port matching

Use the form "-m multiport" combined with "--sports source-port-list" or "--dports destination-port-list"

Multiple ports are separated by commas; a range of consecutive ports can be written with a colon

Example: allow the firewall host itself to open TCP ports 20, 21, 25, 110 and the passive-mode FTP ports 1250-1280

iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT

3. IP address range matching

Use the form "-m iprange" combined with "--src-range source-IP-range" or "--dst-range destination-IP-range"

The start IP address and end IP address are joined with a "-"

Example: forbid forwarding TCP packets whose source IP address is in 192.168.1.20-192.168.1.99

iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP

4. Packet state matching

Use the form "-m state" combined with "--state state-type"

Multiple states are separated by commas ","

Common packet states include: NEW, ESTABLISHED, RELATED

Example: deny packets that open new connections to the firewall, but allow packets that belong to or are related to existing connections

iptables -A INPUT -p tcp -m state --state NEW -j DROP

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

VIII. Packet control

Common packet processing actions

ACCEPT: release the packet

DROP: discard the packet without giving any response

REJECT: reject the packet and, where necessary, send a response message to the sender

LOG: record log information, then pass the packet on to the next rule for processing

User-defined chain name: pass the packet to the rules in the custom chain for processing

SNAT: modify the source address information of the packet

DNAT: modify the destination address information of the packet

IX. Import and export firewall rules

Export rules

iptables-save

Save the rule information by combining it with the output redirection symbol ">"

Import rules

iptables-restore

Combined with the input redirection symbol "<"
