2025-03-31 Update. From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 06/01 Report
I. Foundation of iptables
1. "Container" here means a containment (belongs-to) relationship.
2. Netfilter/iptables is a container of tables. iptables has four tables: filter, nat, mangle and raw.
3. A table is a container of chains. The built-in chains are INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING; which of them a table has depends on the table (filter has INPUT, FORWARD and OUTPUT; nat has PREROUTING, OUTPUT and POSTROUTING, plus INPUT on recent kernels).
4. A chain is a container of rules.
5. A rule is a filtering statement: a set of match conditions plus the target (-j) applied to every packet that matches them.
II. Check that the firewall modules are loaded in the kernel
lsmod | egrep "nat|filter"
[root@server_02 ~]# lsmod | egrep "nat|filter"
nf_nat_ftp              3507  0
nf_conntrack_ftp       12913  1 nf_nat_ftp
iptable_nat             6158  1
nf_nat                 22759  2 nf_nat_ftp,iptable_nat
nf_conntrack_ipv4       9506  3 iptable_nat,nf_nat
nf_conntrack           79758  6 xt_state,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter          2793  0
ip_tables              17831  2 iptable_nat,iptable_filter
If they are missing, load them with modprobe:
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
The last four are the 2.6-era names. On kernels whose lsmod shows nf_* modules (as in the listing above) they are called nf_conntrack, nf_conntrack_ftp, nf_nat_ftp and xt_state, and modprobe of the old names fails with "Module not found". The first iptables command that uses a table or match loads its module automatically, so the manual modprobe matters mainly for connection-tracking helpers such as nf_conntrack_ftp, which nothing pulls in on its own.
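The check and load step above as a script, added here as an example (it is not part of the original article). It compares lsmod output against the module list the article uses, tries the modern name first and the legacy name as a fallback, and can be dry-run with MODPROBE=echo. The lsmod text embedded at the bottom is constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example: report and load missing netfilter modules.
# Set MODPROBE=echo to print what would be loaded instead of loading it.

MODPROBE="${MODPROBE:-modprobe}"

# One module per line: "<modern name> <legacy 2.6-era name, if any>"
REQUIRED_MODULES='
ip_tables
iptable_filter
iptable_nat
nf_conntrack ip_conntrack
nf_conntrack_ftp ip_conntrack_ftp
nf_nat_ftp ip_nat_ftp
xt_state ipt_state
'

# missing_modules LSMOD_TEXT
# Prints, one per line, the modern names of required modules that appear
# in the given lsmod output under neither their modern nor legacy name.
missing_modules() {
    lsmod_text=$1
    printf '%s\n' "$REQUIRED_MODULES" | while read -r modern legacy; do
        [ -n "$modern" ] || continue
        if printf '%s\n' "$lsmod_text" | awk -v m="$modern" -v l="$legacy" \
               '$1 == m || (l != "" && $1 == l) { found = 1 } END { exit !found }'; then
            continue            # loaded under one of its names
        fi
        printf '%s\n' "$modern"
    done
}

# load_missing LSMOD_TEXT
# modprobe each missing module; if the modern name is unknown to this
# kernel, fall back to the legacy name.
load_missing() {
    for mod in $(missing_modules "$1"); do
        legacy=$(printf '%s\n' "$REQUIRED_MODULES" | awk -v m="$mod" '$1 == m { print $2 }')
        $MODPROBE "$mod" 2>/dev/null || { [ -n "$legacy" ] && $MODPROBE "$legacy"; }
    done
}

# Constructed sample: conntrack and the filter table are loaded,
# the nat table and the FTP helpers are not.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_ipv4       9506  1
nf_conntrack           79758  2 xt_state,nf_conntrack_ipv4
xt_state                1492  1
iptable_filter          2793  0
ip_tables              17831  1 iptable_filter'

# "sh modcheck.sh --live" inspects and fixes the running kernel (needs root);
# without the flag it only reports what the sample kernel would be missing.
if [ "${1:-}" = "--live" ] && command -v lsmod >/dev/null 2>&1; then
    load_missing "$(lsmod)"
else
    missing_modules "$SAMPLE_LSMOD"
fi
```

Against the constructed sample the report is iptable_nat, nf_conntrack_ftp and nf_nat_ftp, in the order of the list.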
III. Using iptables
(1) Clear the current rules
iptables -F    # flush all rules in the table; the chains' default policies are left untouched
iptables -X    # delete user-defined chains (they must be empty and unreferenced, so -F first)
iptables -Z    # zero the packet and byte counters of every chain
Without -t these act on the filter table only; nat rules need iptables -t nat -F, and so on.
(2) Block SSH to this host. Here sshd listens on port 52113.
[root@ipt ~]# iptables -t filter -A INPUT -p tcp --dport 52113 -j DROP
Try this from the console, not from an SSH session: as soon as the rule is in place the remote session hangs, and the rule can only be removed locally.
Command syntax:
Usage:
iptables [-t table] -[AD] chain rule-specification [options]
Concrete examples:
iptables -A INPUT -p tcp --dport 52113 -j DROP
iptables -t filter -A INPUT -p tcp --dport 52113 -j DROP
Description:
1. iptables uses the filter table when -t is omitted, so the two commands above are equivalent.
2. Chain names (INPUT) and targets (DROP) are case-sensitive and written in capitals.
3. --jump / -j target
   The target of the rule (a built-in target, a loaded target extension, or a user-defined chain).
   Basic targets: ACCEPT (let the packet through), DROP (discard silently), REJECT (discard and send an error back: an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset).
Comparison: DROP is generally preferred over REJECT on exposed hosts. DROP gives the sender nothing to learn from and makes port scans wait for timeouts, while REJECT tells the sender immediately that a host is there and filtering. REJECT is the friendlier choice on internal networks, where you want clients to fail fast instead of hanging.
(3) Show the filter rules with their line numbers
[root@ipt ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:52113

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Delete a rule by its number (rule 1 of INPUT, the SSH DROP added above):
[root@ipt ~]# iptables -t filter -D INPUT 1
Block by source address:
[root@ipt ~]# iptables -t filter -A INPUT -i eth0 -s 10.0.0.104 -j DROP
iptables -t filter -A INPUT -i eth0 ! -s 10.0.0.104 -j DROP                          # drop everything arriving on eth0 except from 10.0.0.104
iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 ! -s 10.0.0.0/24 -j DROP   # drop ping requests from outside 10.0.0.0/24
[root@ipt ~]# iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 -s 10.0.0.0/24 -j DROP   # drop ping requests from 10.0.0.0/24
Note the difference between -A (append at the end of the chain) and -I (insert at position 1, or at the position given after the chain name). Rules are evaluated top to bottom and the first match decides, so an inserted rule overrides anything below it.
Block port 3306:
iptables -A INPUT -p tcp --dport 3306 -j DROP
Match every protocol other than the given one:
iptables -A INPUT ! -p tcp
Match a source host:
iptables -A INPUT -s 10.0.0.14
iptables -A INPUT ! -s 10.0.0.14
Match a network segment:
iptables -A INPUT -s 10.0.0.0/24
iptables -A INPUT ! -s 10.0.0.0/24
Match a single port (-p is required before --sport/--dport):
iptables -A INPUT -p tcp --sport 53
iptables -A INPUT -p udp --dport 53
Match any port other than the given one:
iptables -A INPUT -p tcp ! --dport 22
iptables -I INPUT -p tcp ! --dport 22 -s 10.0.0.123 -j DROP
The negation "!" goes in front of the option it negates (! -s, ! -p, ! --dport); the older intrapositioned form (-s ! 10.0.0.14) is deprecated and current iptables warns about it. A rule without -j only matches and counts packets; the match-only lines above are fragments to be completed with a target.
Match a port range:
iptables -I INPUT -p tcp --dport 52000:53000 -j DROP    # ports 52000-53000
iptables -A INPUT -p tcp --sport 22:80                  # ports 22-80
iptables -I INPUT -p tcp --dport 21,22,23,24 -j ACCEPT  # wrong: --dport takes a single port or one range, not a list
iptables -I INPUT -p tcp -m multiport --dports 21,22,23,24 -j ACCEPT   # correct: the multiport match takes up to 15 ports, ranges included (e.g. 21:25,80)
iptables -I INPUT -p tcp --dport 3306:8809 -j ACCEPT
iptables -I INPUT -p tcp --dport 18:80 -j DROP
Match an ICMP type:
iptables -A INPUT -p icmp --icmp-type 8
Example: iptables -A INPUT -p icmp --icmp-type 8 -j DROP       # type 8 is echo request, i.e. incoming ping
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT   # every ICMP type
Match a network interface:
iptables -A INPUT -i eth0
iptables -A FORWARD -o eth0
How to remember:
--in-interface, -i [!] name[+]
    The interface the packet arrived on (usable in INPUT, FORWARD and PREROUTING); a trailing "+" is a wildcard, so eth+ matches every eth interface.
--out-interface, -o [!] name[+]
    The interface the packet will leave through (usable in OUTPUT, FORWARD and POSTROUTING); same wildcard.
Match connection state:
-m state --state
NEW: the packet starts a new connection (for TCP, a SYN the connection tracker has not seen before)
ESTABLISHED: the packet belongs to a connection that has already carried traffic in both directions
RELATED: the packet starts a new connection that is tied to an existing one, such as an FTP data connection or an ICMP error about an existing flow
INVALID: the packet cannot be associated with any known connection (malformed, or out of state)
FTP is the classic case that needs RELATED: its data channel is a separate connection, and it is only recognised when the nf_conntrack_ftp helper is loaded.
7. Allow packets of established and related connections (a plain web server wants this even though it runs no FTP: it lets replies and in-flight traffic through without one rule per service)
# also covers RELATED connections such as FTP data
# allow established/related packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# __ ipconfig conf end __
Analogy: at the cinema you may step out to the toilet or to take a call, but you have to be let back in to your seat.
On current kernels -m state is a thin alias of the conntrack match; the same rule is written -m conntrack --ctstate ESTABLISHED,RELATED.
-m limit
--limit n/{second|minute|hour|day}: the average rate, n matches per unit of time.
--limit-burst n: how many matches may pass in a burst before the average rate applies (a token bucket; the default is 5).
Example: this host is 172.16.14.1. Allow hosts in 172.16.0.0/16 to ping it, but no more than 20 requests per minute with a burst of at most 6:
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.14.1 -p icmp --icmp-type 8 -m limit --limit 20/min --limit-burst 6 -j ACCEPT
iptables -A OUTPUT -s 172.16.14.1 -d 172.16.0.0/16 -p icmp --icmp-type 0 -j ACCEPT
The limit match only says which packets are still within budget; it does not drop the excess. With the default ACCEPT policy on INPUT, requests above the rate fall through the rule and are accepted anyway. Follow it with an explicit drop (iptables -A INPUT -p icmp --icmp-type 8 -j DROP) or set the INPUT policy to DROP.
Example of an enterprise firewall rule set:
[root@ipt ~]# iptables -F
[root@ipt ~]# iptables -X
[root@ipt ~]# iptables -Z
[root@ipt ~]# iptables -A INPUT -p tcp --dport 52113 -s 10.0.0.0/24 -j ACCEPT
[root@ipt ~]# iptables -A INPUT -i lo -j ACCEPT
[root@ipt ~]# iptables -A OUTPUT -o lo -j ACCEPT
(-o is not valid in the INPUT chain, where a packet has no outgoing interface yet; iptables refuses such a rule with "Can't use -o with INPUT", so loopback needs just the two rules above.)
Allow legitimate sources in:
iptables -A INPUT -s 124.43.62.96/27 -p all -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p all -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT
iptables -A INPUT -s 203.83.24.0/24 -p all -j ACCEPT
iptables -A INPUT -s 201.82.34.0/24 -p all -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# also covers RELATED connections such as FTP data
# allow established/related packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
To forbid ping instead, change the echo-request rule above from ACCEPT to DROP (iptables -A INPUT -p icmp --icmp-type 8 -j DROP, the form shown in the ICMP section); the ESTABLISHED,RELATED rules stay as they are.
Set the default policy of the chains:
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -s 124.43.62.96/27 -p all -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p all -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT
iptables -A INPUT -s 203.83.24.0/24 -p all -j ACCEPT
iptables -A INPUT -s 201.82.34.0/24 -p all -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This whitelist only has an effect once the INPUT policy itself is changed to DROP (iptables -P INPUT DROP); with the default ACCEPT policy every unmatched packet is still let in. Set that policy last, after the ACCEPT rules for your management network and for ESTABLISHED,RELATED are in place, otherwise the SSH session you are typing in freezes.
Enterprise iptables interview question: a custom chain for SYN-flood protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
iptables -A syn-flood -j DROP
-N creates the user-defined chain, and every TCP SYN arriving on eth0 is sent into it. While the SYN rate stays within the limit, RETURN hands the packet back to INPUT to continue down the normal rules; beyond it the second rule drops. --syn is an option of the tcp match, so -p tcp must be present. A flood from many spoofed addresses exhausts the same budget for legitimate clients, so SYN cookies (net.ipv4.tcp_syncookies=1) are the complementary kernel-side defence.
Save the iptables configuration:
iptables-save > /etc/sysconfig/iptables
Rules live only in the running kernel; this is the file the RHEL/CentOS iptables service restores at boot.
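The enterprise rule set and the syn-flood chain above, combined into one script in the order that does not lock the administrator out. This is an added example, not the article's own script: the interface, the SSH port, the management network and the allowed source networks are assumptions taken from the examples above and should be adjusted. Without the --apply flag it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: whitelist host firewall with a SYN-flood chain.
# Usage: sh firewall.sh --apply   (as root; anything else is a dry run)

WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-52113}"
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"          # assumed management network
ALLOWED_NETS="${ALLOWED_NETS:-124.43.62.96/27 192.168.1.0/24 10.0.0.0/24 203.83.24.0/24 201.82.34.0/24}"
DRY_RUN="${DRY_RUN:-}"

# Run iptables, or print the command line when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_host_firewall() {
    # 1. Start clean, but keep INPUT open until the allow rules exist:
    #    a DROP policy at this point would cut the session we are working in.
    ipt -F
    ipt -X
    ipt -Z
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD DROP

    # 2. Loopback and connection tracking first, so every existing session survives.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # 3. SYN-flood guard as a user-defined chain. New TCP connections are
    #    sent into it; within the rate they RETURN to INPUT, above it they drop.
    ipt -N syn-flood
    ipt -A syn-flood -m limit --limit 5000/second --limit-burst 200 -j RETURN
    ipt -A syn-flood -j DROP
    ipt -A INPUT -i "$WAN_IF" -p tcp --syn -j syn-flood

    # 4. Management access: SSH only from the management network.
    ipt -A INPUT -p tcp -s "$MGMT_NET" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

    # 5. Trusted source networks get everything.
    for net in $ALLOWED_NETS; do
        ipt -A INPUT -s "$net" -j ACCEPT
    done

    # 6. Public services: web via multiport; ping rate-limited, followed by
    #    an explicit DROP so that the limit actually discards the excess.
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/min --limit-burst 6 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 8 -j DROP

    # 7. Only now close the door: anything not matched above is dropped.
    ipt -P INPUT DROP
}

[ "${1:-}" = "--apply" ] || DRY_RUN=1
apply_host_firewall
```

After a live run, check the result with iptables -L -n --line-numbers before closing the console, and save it with iptables-save as shown above once SSH from the management network has been verified to still work.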
Two ways to share an Internet connection from a LAN:
Method 1: for a gateway with a fixed public address:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.7
(1) -s 192.168.1.0/24 is the office or IDC internal network segment.
(2) -o eth0 is the gateway's external interface.
(3) -j SNAT --to-source 10.0.0.7 rewrites the source to the IP address of the gateway's external interface.
Method 2: for a gateway whose public address changes (ADSL/PPPoE):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE    # masquerade with whatever address the outgoing interface currently has
Either way the kernel must be allowed to forward at all (sysctl -w net.ipv4.ip_forward=1, with net.ipv4.ip_forward = 1 in /etc/sysctl.conf to persist it), and if the FORWARD policy is DROP the LAN traffic needs matching FORWARD ACCEPT rules; the nat rules alone move nothing.
Common production uses of iptables:
1) A firewall for the server itself, using the filter table.
2) A LAN gateway, using the nat table; the filter table can also serve as the firewall on the gateway.
3) NAT functions such as mapping an external IP (and port) to an internal server, using the nat table.
Example port-mapping configuration:
iptables -t nat -A PREROUTING -d 10.0.0.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.8
7. Mapping several external IPs for Internet access (SNAT over an address range):
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.240.0 -o eth0 -j SNAT --to-source 124.42.60.11-124.42.60.16
iptables -t nat -A POSTROUTING -s 172.16.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 124.42.60.103-124.42.60.106
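A gateway script that puts the SNAT/MASQUERADE and DNAT rules above together with what the rules by themselves do not provide: IP forwarding and the FORWARD-chain rules that a DROP policy on FORWARD would otherwise block. This is an added example, not part of the article; the interface names, the LAN segment, the public address and the published web server are assumptions borrowed from the examples above. Without --apply it only prints the commands.

```shell
#!/bin/sh
# Added example: LAN gateway with outbound SNAT/MASQUERADE and one inbound DNAT.
# Usage: sh gateway.sh --apply   (as root; anything else is a dry run)

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IP="${WAN_IP:-10.0.0.7}"             # fixed public address; set empty for a dynamic (ADSL) address
WEB_SERVER="${WEB_SERVER:-192.168.1.8}"  # internal host published on port 80
DRY_RUN="${DRY_RUN:-}"

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_gateway() {
    # Without forwarding the nat rules match but nothing ever crosses the box.
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # Replies in both directions ride on conntrack, which also undoes the NAT.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: LAN -> Internet. With a fixed address use SNAT (method 1);
    # with a changing address use MASQUERADE (method 2).
    if [ -n "$WAN_IP" ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Inbound: publish WEB_SERVER:80. DNAT rewrites the destination in
    # PREROUTING, so the FORWARD rule must match the internal address,
    # not the public one. With a dynamic address there is no -d to match.
    dst_match=""
    [ -n "$WAN_IP" ] && dst_match="-d $WAN_IP"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" $dst_match -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

[ "${1:-}" = "--apply" ] || DRY_RUN=1
apply_gateway
```

The two FORWARD rules are the part most often forgotten: a DNAT that "does not work" on a gateway with FORWARD set to DROP is usually just missing the rule for the rewritten destination.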
© 2024 shulou.com SLNews company. All rights reserved.