Shulou(Shulou.com)06/01 Report--

I. Foundation of iptables

1. Container: a relationship that contains or belongs to

2. Netfilter/iptables is a container for tables, and each table contained in iptables

(filter,NAT,MANGLE,RAW)

3. Tables of iptables are containers of chains.

Chain chains:INPUT,OUTPUT,FORWARD,PREROUTING,POSTROUTING

4. Chain chains is a rule container:

5. Rule Policy: filtered statements.

Second, check the loading of firewall function modules in the system kernel.

Lsmod | egrep "nat | filter"

[root@server_02 ~] # lsmod | egrep "nat | filter" nf_nat_ftp 3507 0 nf_conntrack_ftp 12913 1 nf_nat_ftpiptable_nat 6158 1 nf_nat 22759 2 nf_nat_ftp,iptable_natnf_conntrack_ipv4 9506 3 iptable_nat,nf_natnf_conntrack 79758 6 xt_state,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat Nf_conntrack_ipv4iptable_filter 2793 0 ip_tables 17831 2 iptable_nat,iptable_filter

If not, you can load the relevant modules with the following command

Modprobe ip_tables

Modprobe iptable_filter

Modprobe iptable_nat

Modprobe ip_conntrack

Modprobe ip_conntrack_ftp

Modprobe ip_nat_ftp

Modprobe ipt_state

III. Use of iptables

Iptables-F / / clears all rules and does not process the default rules.

Iptables-X / / removes the user-defined chain.

The counter of the iptables-Z / / chain is cleared.

(2) disable the current host SSH function. Here the ssh port uses 52113.

[root@ipt] # iptables-t filter-An INPUT-p tcp-- dport 52113-j DROP

Command syntax:

Usage:

Iptables-t [table]-[AD] chain rule-specification [options]

Examples of specific commands:

Iptables-An INPUT-p tcp-- dport 52113-j DROP

Iptables-t filter-An INPUT-p tcp-- dport 52113-j DROP

Description:

1.iptables uses the filter table by default, so the above two commands are equivalent.

two。 The INPUT DROP should be capitalized.

3.-jump-j target

Target for rule (may load target extension)

Basic processing behavior: ACCEPT (accept), DROP (discard), REJECT (reject)

Comparison: DROP is better than REJECT

(3) display the serial number of the filter filtering rule

[root@ipt] # iptables-L-n-- line-numbers

Chain INPUT (policy ACCEPT)

Num target prot opt source destination

1 DROP tcp-- 0.0.0. 0. 0. 0. 0. 0. 0

Chain FORWARD (policy ACCEPT)

Num target prot opt source destination

Chain OUTPUT (policy ACCEPT)

Num target prot opt source destination

[root@ipt] # iptables-t filter-D INPUT 1

Seal according to source address:

[root@ipt] # iptables-t filter-An INPUT-I eth0-s 10.0.0.104-j DROP

Iptables-t filter-An INPUT-I eth0!-s 10.0.0.104-j DROP

Iptables-t filter-I INPUT-p icmp--icmp-type 8-I eth0!-s 10.0.0.0 DROP 24-j

[root@ipt] # iptables-t filter-I INPUT-p icmp--icmp-type 8-I eth0-s 10.0.0.0 DROP 24-j DROP

Block port 3306

Iptables-An INPUT-p tcp-- dport 3306-j DROP

Matches all protocols other than the specified protocol

Iptables-An INPUT-p! Tcp

Match the host source IP

Iptables-An INPUT-s 10.0.0.14

Iptables-An INPUT-s! 10.0.0.14

Match the network segment

Iptables-An INPUT-s 10.0.0.0Mab 24

Iptables-An INPUT-s! 10.0.0.0Can 24

Match a single port

Iptables-An INPUT-p tcp-- sport 53

Iptables-An INPUT-p udp-- dport 53

Match a port other than the specified port

Iptables-An INPUT-p tcp-- dport! 22

Iptables-I INPUT-p tcp!-- dport 22-s 10.0.0.123-j DROP

Match a single port

Iptables-An INPUT-p tcp-- sport 53

Iptables-An INPUT-p udp-- dport 53

Match a port other than the specified port

Iptables-An INPUT-p tcp-- dport! 22

Iptables-I INPUT-p tcp!-- dport 22-s 10.0.0.123-j DROP

Match port range:

Iptables-I INPUT-p tcp-- dport 52000 tcp 53000-j DROP / / Port range 52000-53000

Iptables-An INPUT-p tcp-- sport 22:80 / / Port range 22-80

Iptables-I INPUT-p tcp-- dport 21 22 22 22 24-j ACCEPT=== "erroneous grammar"

Iptables-I INPUT-p tcp-m multiport-- the correct way to write "dport 21, 22, 22, 23, 24-j ACCEPT==="

Iptables-I INPUT-p tcp-dport 3306 tcp 8809-j ACCEPT

Iptables-I INPUT-p tcp-- dport 18:80-j DROP

Match ICMP type

Iptables-An INPUT-p icmp--icmp-type 8

Example: iptables-An INPUT-p icmp--icmp-type 8-j DROP

Iptables-An INPUT-p icmp- m icmp--icmp-type any-j ACCEPT

Matches the specified network interface

Iptables-An INPUT-I eth0

Iptables-A FORWARD-o eth0

Memory method:

-- in-interface-I [!] Input name [+]

Network interface name ([+] for wildcard)

-- out-interface-o [!] Output name [+]

Network interface name ([+] for wildcard)

Match network statu

-m state-- state

NEW: a new connection has been or will be started

ESTABLISHED: established connection

RELATED: starting a new connection

INVALID: illegal or unrecognized

FTP services are special and require stateful connections.

7. Allow associated state packets to pass (web services do not use FTP services)

# others RELATED ftp protocol

# allow associated status packages

Iptables-An INPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Iptables-An OUTPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

# _ _ ipconfig conf end _ _

Analogy: go to the cinema and go out to WC or answer the phone, but you have to be allowed to come back.

-m limit

-- limit n / {second/minute/hour}: the request rate "n" within the specified time is the rate, followed by seconds, minutes and hours, respectively.

-- limit-burst [n]: the request "n" allowed to pass at the same time is a number, and the default is 5.

Fg: local address: 172.16.14.1, allows 172.16.0.0swap 16 network ping native, but the limit is no more than 20 requests per minute, and no more than 6 concurrency at a time

Iptables-An INPUT-s 172.16.0 ACCEPT 16-d 172.16.14.1-p icmp--icmp-type 8-m limit--limit 20/min-limit-burst 6-j ACCEPT

Iptables-An OUTPUT-s 172.16.14.1-d 172.16.0.0Universe 16-p icmp--icmp-type 0-j ACCEPT

Configure an example of an enterprise firewall rule:

[root@ipt] # iptables-F

[root@ipt] # iptables-X

[root@ipt] # iptables-Z

[root@ipt] # iptables-An INPUT-p tcp-- dport 52113-s 10.0.0.0 24-j ACCEPT

[root@ipt] # iptables-An INPUT-I lo-j ACCEPT

[root@ipt] # iptables-An INPUT-o lo-j ACCEPT

[root@ipt] # iptables-An OUTPUT-o lo-j ACCEPT

To allow legal entry:

Iptables-An INPUT-s 124.43.62.96 all 27-p all-j ACCEPT

Iptables-An INPUT-s 192.168.1.0 iptables 24-p all-j ACCEPT

Iptables-An INPUT-s 10.0.0.0 all 24-p all-j ACCEPT

Iptables-An INPUT-s 203.83.24.0 all 24-p all-j ACCEPT

Iptables-An INPUT-s 201.82.34.0 all 24-p all-j ACCEPT

Iptables-An INPUT-p icmp--icmp-type 8-j ACCEPT

# others RELATED ftp protocol

# allow associated status packages

Iptables-An INPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Iptables-An OUTPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Iptables forbids ping

Iptables-An INPUT-p icmp--icmp-type 8-j ACCEPT

# others RELATED ftp protocol

# allow associated status packages

Iptables-An INPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Iptables-An OUTPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Modify the default policy of the linked list:

Iptables-P OUTPUT ACCEPT

Iptables-P FORWARD DROP

Iptables-An INPUT-s 124.43.62.96 all 27-p all-j ACCEP

Iptables-An INPUT-s 192.168.1.0 iptables 24-p all-j ACCEPT

Iptables-An INPUT-s 10.0.0.0 all 24-p all-j ACCEPT

Iptables-An INPUT-s 203.83.24.0 all 24-p all-j ACCEPT

Iptables-An INPUT-s 201.82.34.0 all 24-p all-j ACCEPT

Iptables-An INPUT-p tcp-- dport 80-j ACCEPT

Iptables-An INPUT-p icmp--icmp-type 8-j ACCEPT

Iptables-An INPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Iptables-An OUTPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Enterprise iptables interview questions: custom chain processing syn***

Iptables-N syn-flood

Iptables-An INPUT-I eth0-syn- j syn-flood

Iptables-A syn-flood-m limit- limit 5000 RETURN s-limit-burst 200-j RETURN

Iptables-A syn-flood-j DROP

Save the configuration of iptables

Iptables-save > / etc/sysconfig/iptables

Two command methods for LAN sharing:

Method 1: suitable for those with fixed external network address:

Iptables-t nat-A POSTROUTING-s 192.168.1.0 to-source 24-o eth0-j SNAT-- to-source 10.0.0.7

(1)-s 192.168.1.0 take 24 office or IDC intranet segment.

(2)-o eth0 is the external network card interface of the gateway.

(3)-j SNAT-- to-source 10.0.0.19 is the IP address of the gateway external network card.

Method 2: suitable for changing the public network address (ADSL):

Iptables-t nat-A POSTROUTING-s 192.168.1.0 Universe 24-j MASQUERADE camouflage source address

Common scenarios for iptables production:

1) realize the firewall function of the server itself, using filter table.

2) to realize the local area network gateway, the nat table is used, and the filter table can also be used as the firewall on the gateway.

3) implement NAT functions, such as mapping from external IP to internal server IP (including ports), using nat table.

Example of port mapping configuration:

Iptables-t nat-A PREROUTING-d 10.0.0.7-p tcp-- dport 80-j DNAT-- to-destination 192.168.1.8

7. Mapping multiple external networks IP to the Internet

Iptables-t nat-A POSTROUTING-s 10.0.0.0Universe 255.255.240.0-o eth0-j SNAT-- to-source 124.42.60.11-124.42.60.16

Iptables-t nat-A POSTROUTING-s 172.16.1.0 to-source 255.255.255.0-o eth0-j SNAT-- to-source 124.42.60.103-124.42.60.106

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.