How to understand Iptables

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many newcomers are at a loss when it comes to iptables. This article therefore collects the common commands, the problems they solve and how to use them; I hope it helps you work through the topic.

Query

iptables -L                 (no -t given: lists the default filter table)

iptables -L -t filter

iptables -L -t nat

iptables -L -t mangle

Filter table

service iptables start

service iptables stop

iptables -t filter -A INPUT -j DROP

CentOS 6

service iptables save                      save the rules

The rules are saved to: /etc/sysconfig/iptables

CentOS 7

iptables-save > /tmp/iptables.rules        save

iptables-restore < /tmp/iptables.rules     restore

iptables -t filter -F                      clear all rules of the filter table

iptables -t filter -F INPUT                clear all rules of the filter table's INPUT chain

iptables -t filter -A INPUT -j DROP        append a rule

iptables -t filter -A INPUT -j ACCEPT

iptables -t filter -I INPUT 1 -j ACCEPT    insert a rule at the given position

iptables -t filter -I INPUT 2 -j ACCEPT

iptables -t filter -R INPUT 3 -j ACCEPT    replace the rule at line 3

iptables -t filter -D INPUT -j ACCEPT      delete a rule (by its specification)

iptables -t filter -D INPUT 3              delete the rule at line number 3

iptables -L --line-numbers                 show the line number of each rule

iptables -t filter -P INPUT DROP           change the chain's default policy

By IP address

iptables -t filter -A INPUT -s 172.16.110.92 -j DROP

iptables -t filter -A INPUT -d 172.16.110.1 -j DROP

iptables -t filter -A INPUT ! -s 172.16.110.92 -j DROP

iptables -t filter -A INPUT -s 172.16.110.0/24 -j DROP

Eg:

Forbid your deskmate from reaching your machine. How many rules does it take? (Write rules in both INPUT and OUTPUT.)

iptables -A INPUT -s 172.16.110.92 -j DROP

iptables -A OUTPUT -d 172.16.110.92 -j DROP

By protocol

iptables -A INPUT -s 172.16.110.92 -p icmp -j DROP

iptables -A INPUT -s 172.16.110.92 -p tcp -j DROP

iptables -A INPUT -s 172.16.110.92 ! -p tcp -j DROP

By port

iptables -A INPUT -s 172.16.110.92 -p tcp --dport 22 -j DROP

iptables -A INPUT -s 172.16.110.92 -p tcp ! --dport 22 -j DROP

iptables -A INPUT -s 172.16.110.92 -p tcp --dport 22:80 -j DROP

iptables -A INPUT -s 172.16.110.92 -p tcp --dport 22: -j DROP     port 22 up to the last port (65535)

iptables -A INPUT -s 172.16.110.92 -p tcp --dport :80 -j DROP     ports 0 to 80

Eg:

Do not allow your deskmate to access your port 80 (INPUT and OUTPUT).

iptables -A INPUT -s 172.16.110.92 -p tcp --dport 80 -j DROP

iptables -A OUTPUT -d 172.16.110.92 -p tcp --sport 80 -j DROP

Eg

1. Only allow others to access your port 80

iptables -A INPUT -p tcp ! --dport 80 -j DROP

2. Deny everyone login to your sshd service

iptables -A INPUT -p tcp --dport 22 -j DROP

3. Only allow others to access the FTP service

PORT mode (active)

iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT

iptables -A INPUT -j DROP

PASV mode (passive): pin the data-port range in vsftpd and open it

vim /etc/vsftpd/vsftpd.conf

pasv_min_port=10000

pasv_max_port=11000

service vsftpd restart

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 10000:11000 -j ACCEPT

iptables -A INPUT -j DROP

By network interface

iptables -A INPUT -i eth0 -j DROP

iptables -A OUTPUT -o eth0 -j DROP

Custom chain

iptables -N lian1                  create the chain

iptables -A INPUT -j lian1         jump from INPUT into the custom chain

iptables -A lian1 -j DROP          action inside the custom chain

iptables -E lian1 newlian          rename the chain

Delete a custom chain

iptables -D INPUT 1                remove the jump rule that references the chain

iptables -F newlian                flush the rules inside the custom chain

iptables -X newlian                delete the (now empty and unreferenced) custom chain

Action (-j)

DROP

ACCEPT

Custom chain

REJECT

LOG

iptables -A INPUT -j LOG

Port module multiport (matches up to 15 ports)

Destination port matching

iptables -A INPUT -p tcp -m multiport --dports 20,21,23,25,80 -j DROP

Source port matching

iptables -A OUTPUT -p tcp -m multiport --sports 20,21,23,25,80 -j DROP

Port matching (source or destination)

iptables -A OUTPUT -p tcp -m multiport --ports 20,21,23,25,80 -j DROP

iptables stateful firewall module

SNAT (source address translation)

172.16.110.2 -> 172.16.110.1

10.10.10.1 --------------------------- 10.10.10.200

1. Client: set the gateway

route add default gw 172.16.110.1

2. SNAT host: enable forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Write the firewall rule

iptables -t nat -A POSTROUTING -s 172.16.110.0/24 -j SNAT --to 10.10.10.1

iptables -t nat -A POSTROUTING -s 172.16.110.0/24 -j MASQUERADE

DNAT (destination address translation)

172.16.110.2 ----------------- 172.16.110.1

Client: 10.10.10.1; enable forwarding via /proc/sys/net/ipv4/ip_forward

Firewall rule

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.10.200

Test

elinks --dump 172.16.110.1
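The script below is an added example and not code from this page: a toy evaluator, written for this cheat sheet, for the command syntax used in the filter-table, IP/protocol/port, custom-chain, multiport and SNAT/DNAT sections above. It models what those sections rely on without saying so: a chain is walked top to bottom and the first matching rule decides, -I changes a rule's position, a jump into a user-defined chain falls back into the caller when nothing in it matched, LOG does not end the walk, and the chain policy (-P) applies only when no rule matched. The ruleset, the packets, the local address 172.16.110.1 and the outside address 203.0.113.9 are constructed; only the options shown in the parser are understood, and real iptables has many more (state, interfaces, REJECT options), so treat this as a model of rule order, not a substitute for testing on the box.

```python
import ipaddress
import shlex

def port_range(spec):
    """'22' -> (22,22); '22:80' -> (22,80); '22:' -> (22,65535); ':80' -> (0,80)."""
    lo, sep, hi = spec.partition(":")
    return (int(lo or 0), int(hi or 65535)) if sep else (int(lo), int(lo))

def parse_rule(tokens):
    """Match/target part of 'iptables -A CHAIN ...' -> (matches, target, nat_addr)."""
    matches, target, nat_addr, neg, i = [], None, None, False, 0
    while i < len(tokens):
        tok, arg = tokens[i], tokens[i + 1]
        if tok == "!":                               # '! -s a.b.c.d' negates the next clause
            neg, i = True, i + 1
            continue
        if tok in ("-s", "-d", "-p"):
            matches.append((tok, neg, arg if tok == "-p" else ipaddress.ip_network(arg, strict=False)))
        elif tok in ("--dport", "--sport", "--dports", "--sports"):  # --dports: -m multiport list
            matches.append((tok.rstrip("s"), neg, [port_range(p) for p in arg.split(",")]))
        elif tok == "-j":
            target = arg
        elif tok in ("--to", "--to-source", "--to-destination"):
            nat_addr = arg
        elif tok != "-m":                            # '-m multiport' itself needs no state
            raise ValueError(f"unsupported option {tok}")
        neg, i = False, i + 2
    return matches, target, nat_addr

def hit(key, val, pkt):
    if key in ("-s", "-d"):
        return ipaddress.ip_address(pkt["src" if key == "-s" else "dst"]) in val
    if key == "-p":
        return pkt["proto"] == val
    port = pkt.get(key[2:])                          # '--dport' -> pkt['dport']
    return port is not None and any(lo <= port <= hi for lo, hi in val)

TABLES = {"filter": {"INPUT": [], "OUTPUT": [], "FORWARD": []},
          "nat": {"PREROUTING": [], "POSTROUTING": [], "OUTPUT": []}}
POLICY = {(t, c): "ACCEPT" for t in TABLES for c in TABLES[t]}

def load(script):
    """Apply 'iptables ...' lines in order; only -t, -N, -P, -A and -I are modelled."""
    for line in script.strip().splitlines():
        argv, table = shlex.split(line)[1:], "filter"
        if argv[0] == "-t":
            table, argv = argv[1], argv[2:]
        chains, (cmd, chain, *rest) = TABLES[table], argv
        if cmd == "-N":
            chains[chain] = []
        elif cmd == "-P":
            POLICY[(table, chain)] = rest[0]
        elif cmd == "-A":
            chains[chain].append(parse_rule(rest))
        elif cmd == "-I":                            # -I CHAIN [pos]; pos defaults to 1
            pos = int(rest.pop(0)) if rest[0].isdigit() else 1
            chains[chain].insert(pos - 1, parse_rule(rest))

def run(table, chain, pkt):
    """Walk CHAIN top-down, first match wins; SNAT/DNAT rewrite pkt in place."""
    for matches, target, nat_addr in TABLES[table][chain]:
        if not all(hit(k, v, pkt) != neg for k, neg, v in matches):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target in ("SNAT", "DNAT"):
            pkt["src" if target == "SNAT" else "dst"] = nat_addr
            return "ACCEPT"
        if target != "LOG":                          # LOG never ends the walk; else a user chain
            verdict = run(table, target, pkt)
            if verdict is not None:
                return verdict
    return POLICY.get((table, chain))                # built-in: policy; user chain: RETURN (None)

# Constructed ruleset in the page's own command syntax, applied top to bottom.
load("""
iptables -P INPUT DROP
iptables -N lian1
iptables -A lian1 -s 172.16.110.92 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 20,21,23 -j DROP
iptables -A INPUT -j lian1
iptables -A INPUT -p tcp --dport 22:80 -j ACCEPT
iptables -A INPUT ! -s 172.16.110.0/24 -j LOG
iptables -I INPUT 1 -p icmp -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.10.10.200
iptables -t nat -A POSTROUTING -s 172.16.110.0/24 -j SNAT --to 10.10.10.1
""")

def input_verdict(src, proto, dport=None):
    """INPUT verdict for a packet from SRC to this host (172.16.110.1, constructed)."""
    return run("filter", "INPUT", {"src": src, "dst": "172.16.110.1", "proto": proto, "dport": dport})

def nat_translate(src, dport):                       # (src, dst) after DNAT, then SNAT
    pkt = {"src": src, "dst": "172.16.110.1", "proto": "tcp", "dport": dport}
    for chain in ("PREROUTING", "POSTROUTING"):
        run("nat", chain, pkt)
    return pkt["src"], pkt["dst"]
```

With this ruleset, SSH from the deskmate (172.16.110.92) is dropped inside lian1 before the 22:80 ACCEPT is ever reached, while the same connection from 172.16.110.50 falls out of lian1 and is accepted; port 21 is caught by the multiport DROP; ICMP is accepted because -I INPUT 1 placed that rule first; and a connection from 203.0.113.9 to port 443 is logged but still dropped by the policy, since LOG does not terminate the walk. The same order dependence is why, on a real host, `-P INPUT DROP` should only be set after the ACCEPT rules for your own management session are in place, and why `iptables -L --line-numbers` is worth running before any `-I`, `-R` or `-D` by position.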

After reading the above, do you now have a grasp of iptables? If you want to learn more skills or find out more about the topic, you are welcome to follow the industry information channel. Thank you for reading!


© 2024 shulou.com SLNews company. All rights reserved.
