2025-01-18 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
I. Iptables installation
Most systems ship with iptables already installed. If it is missing, install it as follows. Red Hat systems: yum install iptables. Debian systems: sudo apt-get install iptables. Check the version with iptables --version; output such as iptables v1.4.14 means it is installed correctly (v1.x.x is the version number).
II. Three tables and five chains
Three tables: Filter, NAT, Mangle. Filter is used by default.
Filter: used for general packet filtering, including INPUT, OUTPUT, FORWARD chains.
NAT: used for packets to be forwarded (NAT), including OUTPUT, PREROUTING, POSTROUTING.
Mangle: contains rules that mark packets for advanced routing, including the PREROUTING and OUTPUT chains. Use this table when the packet or its header needs to be altered.
Five built-in chains:
PREROUTING: used to modify the destination address (DNAT) before the packet reaches the routing decision.
INPUT: after the routing decision, matches packets whose destination IP is the local machine.
FORWARD: after the routing decision, matches packets whose destination is not the local machine and that pass through it.
OUTPUT: matches packets generated by the local machine and sent outward.
POSTROUTING: used to modify the source address (SNAT) before the packet is sent out of the network interface.
Figure: the relationship between the five chains of iptables (netfilter)
Figure: the position of the three tables and five chains in the packet flow
III. Targets
ACCEPT (-j ACCEPT): when a packet exactly matches a rule with the ACCEPT target, it is accepted, allowed on to its destination, and stops traversing the chain.
DROP (-j DROP): when a packet exactly matches a rule with the DROP target, the packet is blocked and discarded.
REJECT (-j REJECT): this target works like DROP but is preferable to it, because REJECT does not leave dead sockets on the server and client, and it sends an error message back to the sender of the packet.
RETURN (-j RETURN): makes matching packets stop traversing the chain; if the chain is a built-in chain such as INPUT, the packet is processed by that chain's default policy.
There are other, more advanced targets, such as LOG, REDIRECT, MARK, MIRROR and MASQUERADE.
IV. Commands and syntax
Basic iptables syntax: iptables [-t table] command match -j target
iptables has the built-in tables filter, nat and mangle. Use -t to choose the table the rule applies to; if -t is omitted, the filter table is used by default.
Command: -I (--insert) insert, -A (--append) append, -D (--delete) delete, -P (--policy) set the default policy.
Match: -p (--protocol) protocol, -s (--source) source address, -d (--destination) destination address, --in-interface eth2 (short form -i eth2) packets entering through eth2, --out-interface eth0 (short form -o eth0) packets leaving through eth0, source and destination port (--sport, --dport). Extended matches are loaded with -m:
Match by packet state (state)
Match by source MAC (mac)
Match by packet rate (limit)
Multi-port matching (multiport)
Basic syntax of an SNAT rule:
iptables -t nat -A POSTROUTING -o <network interface> -j SNAT --to-source <IP address>
Basic syntax of a DNAT rule:
iptables -t nat -A PREROUTING -i <network interface> -p <protocol> --dport <port> -j DNAT --to-destination <IP address>
V. Saving the policy
All iptables commands you enter take effect immediately but are lost after a reboot. To start the iptables service automatically: chkconfig iptables on. Running service iptables save writes the current rules to the file /etc/sysconfig/iptables. iptables also provides its own saving tool, iptables-save (service iptables save actually calls iptables-save), and a matching restore tool, iptables-restore. It is recommended to keep a single rules file, /etc/sysconfig/iptables (another location such as /etc/iptables.d/iptables.rule also works):
iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
The following achieves the same restore at boot:
echo '/sbin/iptables-restore < /etc/sysconfig/iptables' >> /etc/rc.d/rc.local
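Because rc.local restores whatever is in the saved file without review, it is worth checking that file before trusting it at boot: a file saved while the default policies were still ACCEPT would silently restore an open firewall. The script below is an added example, not part of the original article; it parses an iptables-save style file with awk and accepts it only if the filter table's policies are INPUT DROP, FORWARD DROP, OUTPUT ACCEPT and the table ends with the COMMIT that iptables-restore requires. The sample rule files it writes are constructed for the demo, not taken from a real host.

```shell
#!/bin/sh
# Added example (not the article's script): validate an iptables-save file
# before letting rc.local hand it to iptables-restore at boot.

# check_rules_file FILE
#   returns 0 when the *filter section has INPUT DROP, FORWARD DROP,
#   OUTPUT ACCEPT and a closing COMMIT; returns 1 (with a reason on stderr)
#   otherwise. Lines in the file look like ":INPUT DROP [0:0]".
check_rules_file() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    result=$(awk '
        /^\*/                             { table = substr($0, 2) }   # *filter, *nat ...
        /^COMMIT/                         { if (table == "filter") commit = 1 }
        table == "filter" && /^:INPUT /   { input = $2 }
        table == "filter" && /^:FORWARD / { forward = $2 }
        table == "filter" && /^:OUTPUT /  { output = $2 }
        END {
            if (input == "DROP" && forward == "DROP" && output == "ACCEPT" && commit)
                print "ok"
            else
                printf "bad: INPUT=%s FORWARD=%s OUTPUT=%s COMMIT=%d\n", input, forward, output, commit
        }' "$file")
    case $result in
        ok) return 0 ;;
        *)  echo "$file: $result" >&2; return 1 ;;
    esac
}

# write_sample FILE POLICY
#   writes a constructed iptables-save style file whose INPUT and FORWARD
#   policies are POLICY (DROP or ACCEPT). Constructed sample data only.
write_sample() {
    cat > "$1" <<EOF
# Generated by iptables-save (constructed sample)
*filter
:INPUT $2 [0:0]
:FORWARD $2 [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

case "${1:-}" in
    check)
        check_rules_file "${2:-/etc/sysconfig/iptables}" ;;
    demo)
        tmp=$(mktemp)
        write_sample "$tmp" DROP
        check_rules_file "$tmp" && echo "strict file accepted"
        write_sample "$tmp" ACCEPT
        check_rules_file "$tmp" || echo "permissive file rejected"
        rm -f "$tmp" ;;
esac
```

Run it as sh check_rules.sh check /etc/sysconfig/iptables from the same rc.local line (or a cron job) and only call iptables-restore when it returns 0; sh check_rules.sh demo shows both outcomes on the constructed samples.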
VI. Common practical strategies
This content is collected from the Internet.
Note: make sure the rules are correct, understand the logical relationship between them, and get into the habit of checking with iptables -vnL.
Enable forwarding first: echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F clears the rules of all chains in the default table (filter)
iptables -X deletes the user-defined chains in the default table (filter)
iptables -Z zeroes the packet and byte counters in the default table (filter)
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
Set the default policies according to your needs:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
By default, INPUT and FORWARD are set to DROP and only OUTPUT is ACCEPT. If necessary, OUTPUT can also be set to DROP.
(To be completed) Case setup according to the topology diagram:
FTP
SSH
MYSQL
NAT1-3389
NAT2-web
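The case list above stops before any rules are given, so the following script is an added example (not the article's own, and not from the Shulou site) that ties the sections together: it flushes the tables, sets the article's default policies (INPUT/FORWARD DROP, OUTPUT ACCEPT), allows SSH and MySQL with the state, limit and multiport matches from section IV, and uses the section IV SNAT and DNAT forms for the planned NAT1 (3389) and NAT2 (web) entries. The interface names, addresses and networks are assumptions for illustration, not values from the article. With DRY_RUN=1 the script prints the iptables commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not the article's script): baseline filter policy plus the
# NAT1-3389 and NAT2-web forwards from the article's case list.
# Usage:  sh fw.sh apply            (as root: applies the rules)
#         DRY_RUN=1 sh fw.sh apply  (prints the commands for review)
set -e

WAN=${WAN:-eth0}                    # assumed external interface
LAN=${LAN:-eth1}                    # assumed internal interface
WAN_IP=${WAN_IP:-203.0.113.10}      # assumed public address (documentation range)
RDP_HOST=${RDP_HOST:-192.168.1.20}  # assumed internal host behind NAT1-3389
WEB_HOST=${WEB_HOST:-192.168.1.30}  # assumed internal host behind NAT2-web
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}  # assumed network allowed to reach SSH

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The two section IV forms, parameterised.
snat_rule() {   # snat_rule IFACE SOURCE_IP
    run iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$2"
}
dnat_rule() {   # dnat_rule IFACE PROTO PORT DEST_IP
    run iptables -t nat -A PREROUTING -i "$1" -p "$2" --dport "$3" -j DNAT --to-destination "$4"
}

# -F / -X / -Z for every table, as in section VI.
flush_all() {
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
        run iptables -t "$t" -Z
    done
}

set_defaults() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

apply_baseline() {
    run sysctl -w net.ipv4.ip_forward=1      # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward
    flush_all
    set_defaults
    # loopback, and replies to connections this host opened (state match)
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the admin network, new connections rate-limited (limit match)
    run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW \
        -m limit --limit 5/min --limit-burst 10 -j ACCEPT
    # MySQL reachable from the LAN interface only
    run iptables -A INPUT -i "$LAN" -p tcp --dport 3306 -j ACCEPT
    # log (rate-limited) whatever the WAN sends that nothing above accepted; the
    # INPUT DROP policy then discards it
    run iptables -A INPUT -i "$WAN" -m limit --limit 3/min -j LOG --log-prefix "IPT-INPUT-DROP: "
}

apply_nat_case() {
    dnat_rule "$WAN" tcp 3389 "$RDP_HOST"    # NAT1: 3389 on the WAN address -> RDP_HOST
    dnat_rule "$WAN" tcp 80 "$WEB_HOST"      # NAT2: web on the WAN address -> WEB_HOST
    dnat_rule "$WAN" tcp 443 "$WEB_HOST"
    # FORWARD is DROP by default, so allow only the published services inward
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$RDP_HOST" --dport 3389 -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_HOST" -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    snat_rule "$WAN" "$WAN_IP"               # LAN hosts leave through the WAN address
}

case "${1:-}" in
    apply) apply_baseline; apply_nat_case; run iptables -vnL ;;
esac
```

The DNAT rules only rewrite the destination; without the matching FORWARD rules the packets would still be dropped by the FORWARD DROP policy, which is why each published port appears twice. Review the DRY_RUN output, apply, then run iptables -vnL and iptables -t nat -vnL to confirm the counters move as expected before saving the rule set.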
© 2024 shulou.com SLNews company. All rights reserved.