How to use the Linux system iptables command

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many people with little Linux experience do not know how to use the iptables command, so this article summarizes the common iptables operations, the options they take and the pitfalls behind them. I hope it helps you solve this problem.

Many people think iptables is the firewall, but in fact iptables is only a command-line tool; the netfilter framework behind it in the kernel is the firewall. We just use iptables to operate it.

iptables -A INPUT -s 192.168.109.10 -j DROP: deny host 192.168.109.10 access to this server

Note: -A appends a rule; by default it is added at the end of the chain.

Note: to "deny service to host 192.168.109.10", the INPUT chain is the best place. Using PREROUTING also meets the requirement, but if the server is meant to provide a forwarding function, a rule in the PREROUTING chain rejects that host's "forwarded" traffic as well.

Note: chain names must be written in capitals.

Note: -s specifies the source address, either a single IP or a network segment such as 192.168.109.10/24; if -s is omitted, the rule matches every source.

Note: -j specifies the target, that is, what to do with a matching packet.

Note: there are two ways to refuse a packet, REJECT and DROP. DROP silently discards the packet and sends nothing back; REJECT discards it and sends back a refusal (an ICMP error or a TCP reset).

Note: iptables -A INPUT -j DROP denies everything. When adding rules, make sure you do not cut off your own ssh session.

iptables -nvL -t mangle: list the firewall rules in the mangle table

Note: -t specifies the table; the default is the filter table.

Note: -v shows details for each rule; -n prints addresses and ports numerically instead of resolving names.

pkts: the number of packets that have matched the rule

prot: the protocol the rule matches

opt: extra options; -- means none

target: what is done with a matching packet

Note: mind the order of v and L in the combined option: v must come before L (-vL, not -Lv).

iptables -nvL --line-numbers: list the rules of the filter table with their position numbers

Note: --line-numbers shows the position of each rule in the specified table.

Note: if no table is specified, the filter table is used.

Note: the rules in a chain are checked in order; the smaller the number (num), the earlier the rule is checked. As soon as a packet matches a rule that decides its fate, no further rules are checked.

iptables -F: flush all rules in the filter table

Note: -F flushes the rules in every chain of the specified table (or in a single chain if its name is given).

iptables -I INPUT -s 1.1.1.1 -j DROP: insert a rule at the top of the INPUT chain in the filter table

Note: -I inserts a rule into the specified chain; a position number can be given (the default is 1, the top of the chain).

iptables -R INPUT 1 -s 2.2.2.2 -j REJECT: replace the first rule in the INPUT chain

Note: -R replaces the rule at the given position.

iptables -S: print the rules of the filter table in iptables-save format

iptables -A INPUT -s 192.168.109.10 -d 192.168.109.4 -j REJECT: deny host 192.168.109.10 access to the IP address 192.168.109.4

Note: -d specifies the destination address, making the rule more specific.

iptables -A INPUT -s 192.168.109.10 -d 192.168.109.4,192.168.109.5 -j REJECT: deny host 192.168.109.10 access to the two IP addresses 192.168.109.4 and 192.168.109.5.

Note: one command adds two rules.

Note: the same comma-separated form works for source addresses, to add several rules quickly.

Note: within one rule, -s and -d are ANDed: the rule rejects packets whose source is 192.168.109.10 AND whose destination is 192.168.109.4. The two destinations 192.168.109.4 and 192.168.109.5 are ORed, because they expand into two separate rules.

iptables -A INPUT -s 192.168.109.10 -p tcp --dport 22 -j REJECT: deny host 192.168.109.10 access over TCP to port 22 on any of my IP addresses.

Note: -p specifies the protocol; the known protocol names are listed in the /etc/protocols file.

Note: --dport specifies the destination port, the port on the target host (refuse others connecting to me).

Note: --sport specifies the source port, the port on the source host (refuse me connecting to others).

Note: be careful to distinguish --dport from --sport.

iptables -A INPUT -s 192.168.109.10 -p icmp -j REJECT: reject ping packets from host 192.168.109.10.

Note: ICMP has no port numbers; it is neither TCP nor UDP. Because of how ICMP works, the effect of this rule is that 192.168.109.10 cannot ping this host, and this host cannot ping 192.168.109.10 either, since the echo replies coming back from 192.168.109.10 are rejected on the INPUT chain as well.

Note: if you want others to be unable to ping you while you can still ping them, you have to match on the ICMP type: 0 is an echo reply and 8 is an echo request.

iptables -A INPUT -s 192.168.109.10 -i eth0 -j REJECT: deny host 192.168.109.10 access arriving on my eth0 network card.

Note: -i names the network card on which the packet comes in.

Note: -o names the network card through which the packet goes out.

iptables -A INPUT ! -s 192.168.109.4 -p tcp --dport 80 -j REJECT: deny every host except 192.168.109.4 access to my TCP port 80

Note: ! means "not"; in practice this form is rarely used.

iptables -A INPUT -s 192.168.109.10 -p icmp --icmp-type 8 -j REJECT: reject ICMP echo request packets sent by host 192.168.109.10. That is, host 192.168.109.10 cannot ping me, but I can ping it.

Note: in ICMP, a ping needs two things to happen: first the source host sends an echo request (type 8) to the target host, and after the target host receives it, it returns an echo reply (type 0).

Note: -p specifies the protocol.

Note: --icmp-type specifies the ICMP type of the ping packet (type/code; the code can be omitted).

iptables -A INPUT -s 192.168.109.10 -p tcp -m multiport --dports 20:22,80 -j REJECT: deny packets from host 192.168.109.10 to my ports 20 to 22 and 80.

Note: -m is followed by a match module name; multiport matches several discrete ports or port ranges (up to 15 ports).

Note: --dports lists several destination ports.

Note: testing multiple ports with samba services may give confusing results. To capture packets for testing, use "tcpdump -i eth0 -nn host 192.168.109.4".

iptables -A INPUT -m iprange --src-range 192.168.109.1-192.168.109.10 -j REJECT: deny access to all hosts in the range 192.168.109.1 to 192.168.109.10.

Note: iprange: the IP address range module

Note: --src-range: source address range

Note: --dst-range: destination address range

iptables -A INPUT -m mac --mac-source 00:0c:29:2f:b1:d6 -j REJECT: deny the host with this MAC address access to this host's resources.

Note: mac: the MAC address module

Note: --mac-source: the MAC address of the source host

iptables -A OUTPUT -p tcp -m string --algo bm --string "han" -j REJECT: reject every outgoing TCP packet of mine whose payload contains the string "han".

Note: string: the string matching module

Note: --algo specifies the matching algorithm, bm or kmp; choose one of the two

Note: --string specifies the string to match

Note: --from offset: start offset; --to offset: end offset

Note: this rule is added to the OUTPUT chain.

iptables -F OUTPUT: flush the rules in the OUTPUT chain

iptables -A INPUT -m time --weekdays 1,2,3,4,5 --timestart 09:00 --timestop 10:00 -j REJECT: deny all hosts access to all resources of this host between 09:00 and 10:00 from Monday to Friday.

Note: time: the time module. Its options are:

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: start date

--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: stop date

--timestart hh:mm[:ss]: start time of day

--timestop hh:mm[:ss]: stop time of day

--monthdays day[,day...]: which days of the month

--weekdays day[,day...]: which days of the week

Note: CentOS 7 interprets these times as UTC (Beijing time minus 8 hours); CentOS 6 uses local time.

iptables -A INPUT -m connlimit --connlimit-above 2 -j REJECT: reject when the number of concurrent connections from a source is greater than two

Note: connlimit: the module that counts concurrent connections

Note: --connlimit-upto n: match when the number of connections is less than or equal to n

Note: --connlimit-above n: match when the number of connections is greater than n

Note: you can test this with several ssh sessions.

iptables -A INPUT -p icmp -m limit --limit 10/minute --limit-burst 5 -j ACCEPT: for ICMP, the first five ping packets pass immediately; after that, packets are matched at a rate of ten per minute.

Note: --limit-burst 5: after 5 packets the rate limit takes effect.

Note: --limit 10/minute: match at a rate of 10 per minute.

Note: a following rule "iptables -A INPUT -p icmp -j REJECT" is required; otherwise packets above the limit simply fall through to the end of the chain and are still accepted.

iptables -N ACCOUNT: in the filter table, create a custom chain named ACCOUNT

Note: -N creates a chain. It is a good idea to put commonly used rules in a custom chain and, when needed, link the custom chain into the INPUT chain.

Note: creating a custom chain can be understood as declaring a function, and linking it into a built-in chain as calling that function.

iptables -A ACCOUNT -s 192.168.109.10,192.168.109.220 -j REJECT: add rules to the custom chain ACCOUNT

iptables -D INPUT 2: delete the second rule in the INPUT chain

iptables -A INPUT -j ACCOUNT: link the ACCOUNT chain into the INPUT chain

iptables -F ACCOUNT: flush the rules in the ACCOUNT chain of the filter table

iptables -X ACCOUNT: delete the ACCOUNT chain from the filter table

Note: -X deletes the specified custom chain; the chain must be empty and no longer referenced by any other chain.
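The ordering rules above (ssh accepted before the catch-all DROP, the ICMP limit rule followed by its REJECT) and the custom-chain idea, put together in one iptables-restore file. This is an added example, not code from the original article; the addresses are the article's, and the ssh port and the "iptables-restore --test" dry-run flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): the INPUT chain as one
# iptables-restore file, so the ordering the article warns about is fixed
# in the file rather than in the order commands happen to be typed.
# Addresses are the article's; the ssh port is a hypothetical parameter.
gen_input_rules() {
    ssh_port=${1:-22}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ACCOUNT - [0:0]
# custom chain = "function body": the sources to refuse
-A ACCOUNT -s 192.168.109.10 -j REJECT
-A ACCOUNT -s 192.168.109.220 -j REJECT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management access must precede the catch-all DROP at the end
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
# ping: 5 packets straight away, then 10 per minute; the REJECT after the
# limit rule is what actually enforces the limit
-A INPUT -p icmp --icmp-type 8 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j REJECT
# "call" the custom chain, then deny everything that is left
-A INPUT -j ACCOUNT
-A INPUT -j DROP
COMMIT
EOF
}

# Audit: exit 0 when the ACCEPT for the ssh port comes before the first
# catch-all "-A INPUT -j DROP". Reads rule lines from stdin, so it works on
# the generated file and on live "iptables -S INPUT" output alike.
ssh_before_drop() {
    awk -v port="${1:-22}" '
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") && !ssh { ssh = NR }
        /^-A INPUT -j DROP$/ && !drop { drop = NR }
        END { exit !(ssh && (!drop || ssh < drop)) }'
}

# Load only after the audit passes; "iptables-restore --test" parses without
# committing (assumed available, iptables >= 1.6.2), then the real load is atomic.
apply_input_rules() {
    gen_input_rules "$1" | ssh_before_drop "${1:-22}" || { echo "ssh would be locked out" >&2; return 1; }
    gen_input_rules "$1" | iptables-restore --test && gen_input_rules "$1" | iptables-restore
}
```

Run "iptables -S INPUT | ssh_before_drop 22" on a live host to check the same property before appending a DROP-all rule.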

iptables -A INPUT -p icmp -m state --state NEW -j REJECT: reject an ICMP packet that opens a new connection

Note: state: the connection state module

Note: NEW: the first packet of a connection (this is the connection-tracking state, not the state of the TCP three-way handshake)

iptables -A INPUT -s 192.168.109.10 -j LOG --log-prefix "FROM .10 records ~": when host 192.168.109.10 accesses me, the packet is recorded in the /var/log/messages log file, and each record is prefixed with "FROM .10 records ~".

Note: LOG is the target for logging.

Note: --log-prefix defines the prefix of the records written to the log file.

iptables -A FORWARD -s 192.168.109.4/24 -d 172.17.253.120/16 -m state --state NEW -j ACCEPT: add a rule to the FORWARD chain that accepts connections in state NEW (the first packet) when a host in the source segment 192.168.109.0 targets a host in the 172.17.0.0 segment

iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT: connections in state ESTABLISHED are allowed through.

iptables -A FORWARD -j REJECT: deny all other connections

Together, these three rules allow hosts in the 192.168.109.0 segment to ping hosts in 172.17.0.0, but not the other way round: pings started from the 172.17.0.0 side are refused. This realizes the function of a network firewall.

It can be verified by experiment:

Four machines: two with 192 addresses (A, B), one with a 172 address (D), and one acting as the router (C) with both a 172 and a 192 address. Set up the routing tables of the four hosts and enable IP forwarding on host C. Then run the iptables commands and add the rules to achieve the function.

iptables -t nat -R POSTROUTING 1 -s 192.168.109.0/24 -j SNAT --to-source 172.17.250.111: in the POSTROUTING chain of the nat table, make rule 1 a policy that rewrites the source address of packets from the 192.168.109.0/24 segment, whatever their destination, to 172.17.250.111 (SNAT). Note that -R replaces the rule at position 1; use -A to append when the chain is still empty.

Note: make sure the routing table on the firewall host has a route to the destination address.

Note: on host C in the experiment, once this rule is in place, a packet from host A has its source address changed to the public address of host C when it reaches C's POSTROUTING chain, and is then sent on to host D. In the experiment, delete the default route on host D to confirm that the returned packets really carry the public address of host C as their destination.

Note: you can install an httpd service on host D and, after A accesses D, verify the result by looking at the log (/var/log/httpd/access_log).

iptables -t nat -A PREROUTING -d 172.17.250.111 -p tcp --dport 80 -j DNAT --to-destination 192.168.109.4:8080: when port 80 of host 172.17.250.111 is accessed, change the destination to port 8080 of host 192.168.109.4 (DNAT). --dport only works together with -p tcp or -p udp.

Note: change the port the httpd service listens on at host 192.168.109.4 to 8080.
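The router (host C) of the experiment, with the three FORWARD rules, the SNAT and the DNAT combined into one iptables-restore file. This is an added example, not code from the original article; it goes one step beyond the article's commands by also adding the FORWARD exception that the DNAT target needs (a DNATed connection is still a NEW connection from the 172 side when it reaches the FORWARD chain, so without it rule 3 would reject it). Addresses are the article's; the four parameters are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original article: host C as one
# iptables-restore file. Addresses are the article's; parameters are hypothetical.
gen_router_rules() {
    lan=${1:-192.168.109.0/24}    # inside segment (hosts A and B)
    wan=${2:-172.17.0.0/16}       # outside segment (host D)
    pub=${3:-172.17.250.111}      # C's own address on the outside
    web=${4:-192.168.109.4:8080}  # inside server that port 80 is forwarded to
    web_ip=${web%%:*}; web_port=${web##*:}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. new connections only from inside to outside
-A FORWARD -s $lan -d $wan -m state --state NEW -j ACCEPT
# 1a. the one inbound NEW connection we allow: the DNAT target below
-A FORWARD -d $web_ip -p tcp --dport $web_port -m state --state NEW -j ACCEPT
# 2. replies for connections already accepted, in either direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. everything else, including pings started from the outside, is refused
-A FORWARD -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: port 80 on the public address goes to the inside web server
-A PREROUTING -d $pub -p tcp --dport 80 -j DNAT --to-destination $web
# SNAT: inside hosts leave with C's outside address as their source
-A POSTROUTING -s $lan -j SNAT --to-source $pub
COMMIT
EOF
}

# Targets of the FORWARD rules in chain order, e.g. "ACCEPT ACCEPT ACCEPT REJECT";
# handy for checking that the REJECT really is last before loading.
forward_targets() {
    gen_router_rules "$@" | awk '/^-A FORWARD/ { t = t (t ? " " : "") $NF } END { print t }'
}

# Turn on forwarding in the kernel and load the whole ruleset atomically (needs root).
apply_router_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null && gen_router_rules "$@" | iptables-restore
}
```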

After reading the above, have you mastered how to use the iptables command on a Linux system? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!
