Iptables Summary _ 01

2025-01-19 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

I. Four tables and five chains

4 tables (rule tables): filter, nat, mangle, raw

filter: packet filtering, i.e. the accept/drop/reject decision

nat: network address translation (SNAT, DNAT, MASQUERADE); only the first packet of a connection is consulted, the rest follow the conntrack entry

mangle: modifying and marking packets (TOS/TTL fields, and MARK values that routing or tc act on)

raw: exempting packets from connection tracking (NOTRACK target). It is consulted before the conntrack code runs, so it is where you skip state tracking for high-volume flows you never need to match by state

5 chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING

INPUT: packets whose destination is this host, i.e. delivered to locally running daemons

FORWARD: packets routed through this host, neither originating from it nor destined for it (only seen when ip_forward is enabled)

OUTPUT: packets originating from locally running processes

PREROUTING: every packet that arrives on an interface, before the routing decision (where DNAT is done)

POSTROUTING: every packet about to leave an interface, after the routing decision (where SNAT/MASQUERADE is done)

filter (the default table): INPUT, OUTPUT, FORWARD

nat: PREROUTING, POSTROUTING, OUTPUT (an INPUT chain was added in kernel 2.6.34)

mangle: in the early days only PREROUTING and OUTPUT; since kernel 2.4.18 it has all five chains (INPUT, FORWARD and POSTROUTING were added)

For an incoming packet the tables are consulted in the order raw PREROUTING, conntrack, mangle PREROUTING, nat PREROUTING, then the routing decision, then filter INPUT (for this host) or filter FORWARD (for other hosts).

II. iptables syntax

1. Viewing and clearing of rules

iptables [-t table] -L [-nv]

-t: the table to operate on (filter, nat, mangle, raw). Default is filter, so `-t nat` is needed to see NAT rules at all.

-L: list the rules of the table's chains (append a chain name to list just that chain; add --line-numbers to get the positions needed for -I and -D)

-n: numeric output, no reverse DNS lookup of IPs and no port-to-service-name lookup (faster, and does not hang when DNS is unreachable)

-v: verbose: also show packet/byte counters and the interfaces a rule matches on

2. List the complete firewall rules

iptables-save [-t table]

This prints every table in the format iptables-restore reads back, so it is the reliable way to see the complete ruleset, custom chains included.

3. Clear rules

iptables [-t table] [-F] [-X] [-Z]

-F: flush, i.e. delete all rules in the table's chains (or in one named chain). Chain policies are NOT reset, so flushing while the INPUT policy is DROP leaves a host that drops everything, including the SSH session you are working from.

-X: delete user-defined (custom) chains; a chain can only be deleted when it is empty and no rule references it, so -X normally follows -F

-Z: zero the packet and byte counters of all chains

4. Define the default policy (policy)

iptables [-t filter] -P chain ACCEPT|DROP

Only built-in chains have a policy (INPUT, OUTPUT, FORWARD in filter); custom chains do not, and REJECT cannot be a policy. The policy is the verdict for packets that matched no rule, so add the rules that let you in (ESTABLISHED,RELATED and SSH) before switching the policy to DROP.

5. Settings for IP, network and interface devices

iptables [-A|-I chain] [-i|-o interface] [-p protocol] [-s source IP/network] [-d destination IP/network]

-j [ACCEPT | DROP | REJECT | LOG]

ACCEPT, DROP and REJECT are terminating targets; LOG is not (the packet carries on to the next rule), so a LOG rule is normally followed by a DROP for the same match. DROP discards silently, REJECT sends back an ICMP error (or a TCP RST with --reject-with tcp-reset).

-A: append a rule at the end of the chain

-I: insert a rule at the top of the chain (or at position N with `-I chain N`). The first matching rule wins, so position decides what a rule actually does.

-i: the interface the packet arrived on, such as eth0 or lo. Only valid in the INPUT, FORWARD and PREROUTING chains.

-o: the interface the packet will leave by. Only valid in the OUTPUT, FORWARD and POSTROUTING chains.

-p: protocol (tcp, udp, icmp, or all); the --sport/--dport options below require -p tcp or -p udp

6. Settings for the port

iptables [-A|-I chain] [-i|-o interface] [-p tcp|udp] [-s source IP/network] [--sport port[:port]]
    [-d destination IP/network] [--dport port[:port]] -j [ACCEPT | DROP | REJECT | LOG]

7. iptables match modules: mac and state

iptables -A INPUT -m state --state STATE[,STATE...] -j target

-m: load a match extension module

state: the connection-tracking state match (newer iptables spell the same thing `-m conntrack --ctstate`)

mac: match on the source Ethernet address

--mac-source: the sender's MAC address. It is only meaningful on the local segment (PREROUTING, INPUT and FORWARD), because every router rewrites the MAC, and it is trivially spoofed, so treat it as a convenience filter, not as authentication.

--state: the conntrack state of the packet

INVALID: the packet cannot be associated with any known connection (malformed, or out of the TCP window); normally dropped

ESTABLISHED: the packet belongs to a connection that has already seen traffic in both directions

NEW: the packet starts a new connection (for TCP, a SYN)

RELATED: the packet starts a new connection that is related to an existing one, e.g. an FTP data connection or an ICMP error message about an existing connection

8. Set rules for ICMP packets

iptables -A INPUT -p icmp --icmp-type type -j ACCEPT

The type is given by name or number, e.g. echo-request (8); `iptables -p icmp -h` lists the names. Do not block ICMP wholesale: type 3 (destination-unreachable, in particular fragmentation-needed) is required for path MTU discovery, and it arrives as RELATED when the state module is in use.

9. Save the rules

/etc/init.d/iptables save

On RHEL/CentOS 6 and earlier this (or `service iptables save`) writes the running ruleset to /etc/sysconfig/iptables, which the init script restores at boot; without it every rule above is lost on reboot. On other distributions the equivalent is `iptables-save > /etc/iptables/rules.v4` with the iptables-persistent package, or firewalld on newer RHEL.
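The steps in points 1 to 9 above build up one ruleset, so here they are combined into a single host firewall. This is an added example, not code from the original article: the rules are written in iptables-save format and loaded with iptables-restore so the whole policy is applied as a unit, and checked first so the ESTABLISHED rule cannot end up below a DROP. WAN_IF, SSH_PORT and ADMIN_NET are assumed values.

```shell
#!/bin/sh
# Added example, not code from the original article: the viewing, flushing,
# policy, port, state, ICMP and save steps combined into one host firewall,
# written in iptables-save format and applied atomically with
# iptables-restore. WAN_IF, SSH_PORT and ADMIN_NET are assumed values.

WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed management subnet

# Emit the filter table on stdout. A *filter ... COMMIT block is loaded as
# one unit, so a typo rejects the whole file instead of leaving a half-built
# policy the way a sequence of "iptables -A" commands would.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback first: local daemons talk to each other over lo
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus RELATED traffic (ICMP errors, FTP data)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot place in any connection are dropped before any ACCEPT
-A INPUT -m state --state INVALID -j DROP
# SSH only from the management subnet and only as a NEW connection
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
# public web service
-A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
# answer ping, but rate-limited so a ping flood cannot eat CPU
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
# everything else goes to a logging chain; the LOG is rate-limited so the
# log itself cannot be flooded, then the packet is dropped
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Sanity check before applying: the ESTABLISHED,RELATED accept must come
# before the first DROP in INPUT, otherwise the new policy cuts off the SSH
# session it is being applied from. Exit status 0 means the order is right.
check_order() {
    build_ruleset | awk '
        /^-A INPUT .*ESTABLISHED/ && !est { est = NR }
        /^-A INPUT .*-j (DROP|LOGDROP)/ && !drop { drop = NR }
        END { exit (est && drop && est < drop) ? 0 : 1 }'
}

# Parse-check with --test first (touches nothing), then load for real. The
# kernel tables are only replaced if the whole file parses.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"; rc=$?
    else
        echo "ruleset rejected, kernel tables unchanged" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    print) build_ruleset ;;
    check) check_order && echo "order ok" ;;
    apply) check_order && apply_ruleset && iptables -nvL INPUT ;;
esac
```

Run `sh firewall.sh print` to review the generated file, `sh firewall.sh check` to confirm the ordering, and `sudo sh firewall.sh apply` to load it; afterwards `iptables-save` shows exactly the same text, which is what you persist with the save step above. On a kernel with the conntrack match, `-m state --state` can be replaced one-for-one by `-m conntrack --ctstate`.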

10. IPv4 kernel parameters: /proc/sys/net/ipv4/*

1) /proc/sys/net/ipv4/tcp_syncookies (mitigates SYN flooding: when the SYN backlog fills, the kernel answers with a cryptographic cookie instead of allocating state, so half-open connections cannot exhaust memory)

echo "1" > /proc/sys/net/ipv4/tcp_syncookies

2) /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts (ignore pings to the broadcast address, so the host cannot be used as a smurf amplifier)

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

3) /proc/sys/net/ipv4/conf/<interface>/*, plus the conf/all/ and conf/default/ directories

rp_filter: reverse path filtering, an anti-spoofing check: a packet is dropped if a reply to its source address would not go out through the interface it arrived on. 1 is strict mode, 2 is loose mode (accept if the source is reachable via any interface, needed with asymmetric routing). The value in effect for an interface is the maximum of conf/all/rp_filter and conf/<interface>/rp_filter.

log_martians: log packets with impossible source addresses (martians); enabled if either conf/all/log_martians or conf/<interface>/log_martians is set

Note: writes to /proc are lost at reboot, so make the setting persistent in /etc/sysctl.conf (dots instead of slashes, e.g. net.ipv4.tcp_syncookies = 1).

vi /etc/sysctl.conf

……

sysctl -p
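The four kernel knobs above, turned into something that can be audited and persisted rather than set by hand. This is an added example, not from the original article: it reads the live values from a /proc/sys tree (or from a constructed look-alike tree, which is how the demo runs without root), reports the ones that drifted from the wanted value, and renders the same list in /etc/sysctl.conf syntax. Setting conf/all and conf/default together is deliberate: rp_filter takes the maximum of all and the interface, log_martians is on if either is set, and default seeds interfaces that appear later (tunnels, hotplugged NICs).

```shell
#!/bin/sh
# Added example, not from the original article: the four kernel knobs the
# article names, audited against a /proc/sys tree and rendered as a
# sysctl.conf fragment. The tree defaults to the real /proc/sys; pass another
# directory to audit a constructed tree (as make_sample_tree does).

# key (relative to /proc/sys) and the wanted value, space separated.
wanted_sysctls() {
    cat <<'EOF'
net/ipv4/tcp_syncookies 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/default/rp_filter 1
net/ipv4/conf/all/log_martians 1
net/ipv4/conf/default/log_martians 1
EOF
}

# Print one line per key whose live value differs from the wanted one (or
# which is missing), as "key current wanted"; print nothing when everything
# matches. Always returns 0 so it is safe under set -e.
audit_sysctls() {
    root="${1:-/proc/sys}"
    wanted_sysctls | while read -r key want; do
        if [ -r "$root/$key" ]; then
            cur=$(cat "$root/$key")
        else
            cur="missing"
        fi
        [ "$cur" = "$want" ] || echo "$key $cur $want"
    done
    return 0
}

# Number of drifted keys, as a plain integer on stdout.
drift_count() {
    audit_sysctls "$1" | wc -l | tr -d ' '
}

# The same list in /etc/sysctl.conf syntax (dots instead of slashes), so the
# setting survives a reboot; "sysctl -p" applies the file.
render_sysctl_conf() {
    wanted_sysctls | while read -r key want; do
        echo "$(echo "$key" | tr / .) = $want"
    done
}

# Constructed /proc/sys look-alike with two keys left at 0, to show what the
# audit reports. Prints the directory; the caller removes it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/net/ipv4/conf/all" "$d/net/ipv4/conf/default"
    echo 1 > "$d/net/ipv4/tcp_syncookies"
    echo 0 > "$d/net/ipv4/icmp_echo_ignore_broadcasts"   # left at 0 on purpose
    echo 0 > "$d/net/ipv4/conf/all/rp_filter"            # left at 0 on purpose
    echo 1 > "$d/net/ipv4/conf/default/rp_filter"
    echo 1 > "$d/net/ipv4/conf/all/log_martians"
    echo 1 > "$d/net/ipv4/conf/default/log_martians"
    echo "$d"
}

case "${1:-}" in
    audit) audit_sysctls ;;                 # live system
    conf)  render_sysctl_conf ;;            # paste into /etc/sysctl.conf
    demo)  t=$(make_sample_tree); audit_sysctls "$t"; rm -rf "$t" ;;
esac
```

`sh sysctl-audit.sh demo` prints the two drifted keys from the constructed tree; `sh sysctl-audit.sh audit` does the same against the running kernel, and `sh sysctl-audit.sh conf >> /etc/sysctl.conf && sysctl -p` persists and applies the values. Use rp_filter = 2 instead of 1 on hosts with asymmetric routing, otherwise strict mode drops legitimate traffic.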
