2025-03-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com) 06/03 Report
For more information about the status of iptables, please see http://os.51cto.com/art/201108/285209.htm
We often see a rule like this one in a server's firewall:
2     106K 8294K ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
I think it is worth understanding exactly what it does, so let's talk about iptables.
1. First, iptables connection tracking knows four states: NEW, ESTABLISHED, RELATED and INVALID.
NEW: a host starts a connection to the target host; the first packet of that connection is seen on the target host.
ESTABLISHED: the two hosts have already exchanged traffic; as soon as the target host has answered the first packet, the connection is in this state.
RELATED: the hosts are already communicating and a new connection is opened that belongs to the existing one, for example the data connection the FTP server opens.
INVALID: the packet cannot be associated with any connection, for example because it is corrupted.
2. Next, what do the rules above actually do?
You will find this rule:
2     106K 8294K ACCEPT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
and, very often, this one right after it:
3        0     0 REJECT  all  --  *  *  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
(a packet from another host that is not RELATED or ESTABLISHED is answered with host-prohibited)
How to add them:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
The second rule means: call the state module and accept every packet whose connection-tracking state is RELATED or ESTABLISHED. In other words, allow all established connections: this host can ping other hosts, but once the REJECT rule below is in place other hosts cannot ping it, because only replies to traffic this host sent out are accepted. It is the all-purpose rule that lets the answers to everything we send out come back in; the specific rules follow it.
The third rule means: everything that did not match the rules above it is rejected, and a host-prohibited ICMP message is returned to the sender. Note that because it matches every packet, no rule appended after it will ever take effect; only the rules above it count.
3. Don't take my word for it; let's run an experiment.
Step 1: adding only iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT has no effect at all:
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source     destination
1    14892       ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:1212
2     106K 8294K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
Step 2: add both rules. With the firewall rules shown below, you can ping other hosts, but other hosts' pings cannot reach you.
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# iptables -t filter -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source     destination
1    14892       ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:1212
2     106K 8294K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
3        0     0 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
(a packet from another host that is not RELATED or ESTABLISHED is answered with host-prohibited)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source     destination
Chain OUTPUT (policy ACCEPT 37 packets, 10438 bytes)
num   pkts bytes target prot opt in  out source     destination
Result:
[root@iZuf62ds2bbsfbvox5ivxdZ ~] # ping 123.56.16.77
PING 123.56.16.77 (123.56.16.77) 56 (84) bytes of data.
64 bytes from 123.56.16.77: icmp_seq=1 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=2 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=3 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=4 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=5 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=6 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=7 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=8 ttl=55 time=24.6 ms
64 bytes from 123.56.16.77: icmp_seq=9 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=10 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=11 ttl=55 time=24.7 ms
64 bytes from 123.56.16.77: icmp_seq=12 ttl=55 time=24.7 ms
^C
--- 123.56.16.77 ping statistics ---
13 packets transmitted, 12 received, 7% packet loss, time 12039ms
rtt min/avg/max/mdev = 24.660 ms 24.720 ms
[root@iZuf62ds2bbsfbvox5ivxdZ ~] # exit
Logout
Connection to 101.132.109.227 closed.
Welcome to aliyun Elastic Compute Service!
[root@xz-server1 ~] # ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56 (84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
From 101.132.109.227 icmp_seq=14 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
14 packets transmitted, 0 received, +14 errors, 100% packet loss, time 13480ms
Conclusion: the following two rules must be used together (when the default policy of the filter table's INPUT chain is ACCEPT); other hosts' ping packets are then rejected outright and a host-prohibited message is returned to them.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
Also note: when the default policy of the filter table's INPUT chain is DROP, a packet that hits iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited still gets the host-prohibited reply; a packet that hits no rule at all is silently discarded by the DROP policy and nothing is returned.
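To make the two points above concrete (a rule appended after the catch-all REJECT never fires, and REJECT answers the sender while a DROP policy stays silent), here is an added Python example that is not part of the original post: it parses an iptables -nvL --line-numbers INPUT chain and walks it top to bottom the way the kernel does. The listing is a constructed sample modelled on the one above; its packet counters and the extra rule 4 (port 22) are made up.

```python
import re

# Constructed sample modelled on the listing in this post; counters and rule 4 are made up.
INPUT_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target prot opt in  out source     destination
1       12   720 ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:1212
2     106K 8294K ACCEPT all  --  *   *   0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
3        0     0 REJECT all  --  *   *   0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
4        0     0 ACCEPT tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
"""

# Columns: num pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\w+)\s+(\w+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_chain(listing):
    """Return (default policy, ordered rule list) from an iptables -nvL --line-numbers chain."""
    policy = re.search(r"\(policy (\w+)", listing).group(1)
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain header and column header carry no rule
        num, target, proto, extra = m.groups()
        states = re.search(r"state (\S+)", extra)
        dport = re.search(r"dpt:(\d+)", extra)
        rules.append({"num": int(num), "target": target, "proto": proto,
                      "states": set(states.group(1).split(",")) if states else None,
                      "dport": int(dport.group(1)) if dport else None})
    return policy, rules

def matches(rule, proto, state, dport):
    return (rule["proto"] in ("all", proto)
            and (rule["states"] is None or state in rule["states"])
            and (rule["dport"] is None or rule["dport"] == dport))

def verdict(policy, rules, proto, state, dport=None):
    """First matching rule wins; with no match the chain policy decides and no ICMP error is sent."""
    for r in rules:
        if matches(r, proto, state, dport):
            return r["target"], r["num"]
    return policy, None

def shadowed_rules(rules):
    """Numbers of rules appended after a terminal catch-all (all protocols, no state or port match)."""
    for i, r in enumerate(rules):
        if (r["proto"] == "all" and r["states"] is None and r["dport"] is None
                and r["target"] in ("ACCEPT", "DROP", "REJECT")):
            return [x["num"] for x in rules[i + 1:]]
    return []
```

An inbound echo request is NEW and reaches rule 3, a reply to our own ping is ESTABLISHED and is accepted by rule 2, and rule 4 is reported as shadowed; with a DROP policy and rule 3 removed, the same echo request ends with ("DROP", None), i.e. silence.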
Change the INPUT default policy:
iptables -P INPUT DROP
[root@iZuf62ds2bbsfbvox5ivxdZ ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num  target      prot opt source               destination
1    ACCEPT      tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:1212
2    ACCEPT      all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    REJECT      all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target      prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target      prot opt source               destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target      prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target      prot opt source               destination
1    MASQUERADE  all  --  192.168.0.0/16       0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target      prot opt source               destination
[root@xz-server1 ~] # ping 101.132.109.227
PING 101.132.109.227 (101.132.109.227) 56 (84) bytes of data.
From 101.132.109.227 icmp_seq=1 Destination Host Prohibited
From 101.132.109.227 icmp_seq=2 Destination Host Prohibited
From 101.132.109.227 icmp_seq=3 Destination Host Prohibited
From 101.132.109.227 icmp_seq=4 Destination Host Prohibited
From 101.132.109.227 icmp_seq=5 Destination Host Prohibited
From 101.132.109.227 icmp_seq=6 Destination Host Prohibited
From 101.132.109.227 icmp_seq=7 Destination Host Prohibited
From 101.132.109.227 icmp_seq=8 Destination Host Prohibited
From 101.132.109.227 icmp_seq=9 Destination Host Prohibited
From 101.132.109.227 icmp_seq=10 Destination Host Prohibited
From 101.132.109.227 icmp_seq=11 Destination Host Prohibited
From 101.132.109.227 icmp_seq=12 Destination Host Prohibited
From 101.132.109.227 icmp_seq=13 Destination Host Prohibited
^C
--- 101.132.109.227 ping statistics ---
13 packets transmitted, 0 received, +13 errors, 100% packet loss, time 12441ms