Shulou(Shulou.com)06/01 Report--

1. Iptables command

The iptables command is a commonly used firewall software on Linux and is part of the netfilter project. It can be configured directly or through many front-end and graphical interfaces.

2. Iptables's "four tables and five chains:"

The four tables include:

Raw: advanced features, such as URL filtering.

Mangle: packet modification (QOS), used to achieve quality of service.

Net: address translation for gateway routers.

Filter: packet filtering for firewall rules.

The five rule chain names include: (five functions on the netfilter kernel module)

INPUT chain: processes input packets.

OUTPUT chain: processes output packets.

PORWARD chain: handles forwarding packets.

PREROUTING chain: used for destination address translation (DNAT).

POSTOUTING chain: for source address translation (SNAT).

3. The process of packet filtering and matching is as follows

4. The actions for processing data packets include:

ACCEPT: receives a packet.

DROP: drop the packet.

REDIRECT: redirect, mapping, transparent proxy.

SNAT: source address translation.

DNAT: destination address translation.

MASQUERADE:IP camouflage (NAT) for ADSL.

LOG: logging.

5. Iptables syntax

Iptables (option) (parameter)

1. View the default rules:

Iptables [- t table] [- L] [- nv]

2. View firewall rules:

Iptables-save [- t table]

3. Clear firewall rules:

Iptables [- t tables] [- FXZ]

4. Define default rules:

Iptables [- t table]-P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]

5. Packet alignment settings

Iptables [- AI chain name] [- io network interface] [- p protocol] [- s source IP/ network] [- d destination IP/ network]-j [ACCEPT | DROP | REJECT | LOG]

6. Iptables module (state,mac):

Iptables-An INPUT [- m state] [--state status] iptables-An INPUT-m state-- state RELATED,ESTABLISHED-j ACCEPTiptables-An INPUT-m mac--mac-source aa:bb:cc:dd:ee:ff-j ACCEPT

7. Icmp packet planning comparison:

Iptables-An INPUT [- p icmp] [--icmp-type type]-j ACCEPT

Common types of ICMP:

0 Echo Reply-- echo reply (Ping reply)

8 Echo request-- echo request (Ping request)

Options:

-t: specify the table to manipulate

-A: add an entry to the rule chain

-D: remove entries from the rule chain

-I: insert an entry into the rule chain

-R: replace entries in the rule chain

-L: displays existing entries in the rule chain

-F: clear the existing entries in the rule chain

-Z: clear packet calculators and byte counters in the rule chain

-N: create a new user-defined rule chain

-P: define the default target in the rule chain

-h: displays help information

-p: specifies the type of packet protocol to match

-s: specify the packet source ip address to match

-j: specify the target to jump

-I: specifies the network interface on which the packet enters the machine

-o: specifies the network interface on which the packet is to leave the machine.

6. In general, the order in which firewall rules are created:

1. Clear firewall rules

2. Set the default policy of the firewall

3. Trust the native: (since lo is very important to the native, lo must be set to trust the device)

4. Response packet: (allows packets that respond to requests from the local machine to enter the local machine (ESTABLISHED, RELATED))

5. Add specific rules

7. Iptables to view a simple example:

# iptables-nL View Firewall Settings # iptables-t nat-nL View nat Table # iptables-t mangle-nL View mangle Table # iptables-t raw-nL View raw Table # iptables-t filter-P FORWARD DROP set FORWARD default policy to discard,-t filter can be omitted; # iptables-P INPUT DROP set INPUT default policy; # iptables-P OUTPUT DROP set OUTPUT default policy; # iptables-nL INPUT view rules on a specified chain; # iptables-nvL view details # iptables-nvxL to view details in bytes; # iptables-nvxL-- line-number to display rule numbers; # iptables-nvvxL-- line-number to display more details; # iptables-nvvvxL-- line-number to display more and more details; # iptables-S to display added rule commands; # iptables-S INPUT to display added rule commands on input chains; # iptables-F to empty rules

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.