2025-04-04 Update From: SLTechnology News&Howtos (shulou), Servers
Shulou(Shulou.com)06/01 Report--
How to understand iptables? Many inexperienced people are at a loss about it, so this article summarizes the problem and its solutions. I hope it helps you solve this problem.
Query
iptables -L               lists the filter table by default
iptables -L -t filter
iptables -L -t nat
iptables -L -t mangle
Filter table
service iptables start
service iptables stop
iptables -t filter -A INPUT -j DROP
CentOS 6
service iptables save                      save the rules
The rules are saved to /etc/sysconfig/iptables
CentOS 7
iptables-save > /tmp/iptables.rules        save
iptables-restore < /tmp/iptables.rules     restore
iptables -t filter -F                      clear all rules in the filter table
iptables -t filter -F INPUT                clear all rules in the INPUT chain of the filter table
iptables -t filter -A INPUT -j DROP        append a rule to the end of the chain
iptables -t filter -A INPUT -j ACCEPT
iptables -t filter -I INPUT 1 -j ACCEPT    insert a rule at the given position
iptables -t filter -I INPUT 2 -j ACCEPT
iptables -t filter -R INPUT 3 -j ACCEPT    replace (modify) the rule at line 3
iptables -t filter -D INPUT -j ACCEPT      delete a rule by its specification
iptables -t filter -D INPUT 3              delete a rule by its line number
iptables -L --line-numbers                 show the line number of each rule
iptables -t filter -P INPUT DROP           change the default policy of the chain
By IP address
iptables -t filter -A INPUT -s 172.16.110.92 -j DROP      match the source address
iptables -t filter -A INPUT -d 172.16.110.1 -j DROP       match the destination address
iptables -t filter -A INPUT ! -s 172.16.110.92 -j DROP    negation: every source except 172.16.110.92
iptables -t filter -A INPUT -s 172.16.110.0/24 -j DROP    match a whole subnet
Eg:
Block your deskmate (172.16.110.92) from accessing you (write rules in both INPUT and OUTPUT):
iptables -A INPUT -s 172.16.110.92 -j DROP
iptables -A OUTPUT -d 172.16.110.92 -j DROP
By protocol
iptables -A INPUT -s 172.16.110.92 -p icmp -j DROP
iptables -A INPUT -s 172.16.110.92 -p tcp -j DROP
iptables -A INPUT -s 172.16.110.92 ! -p tcp -j DROP       everything from that host except TCP
By port
iptables -A INPUT -s 172.16.110.92 -p tcp --dport 22 -j DROP
iptables -A INPUT -s 172.16.110.92 -p tcp ! --dport 22 -j DROP
iptables -A INPUT -s 172.16.110.92 -p tcp --dport 22:80 -j DROP    port range 22 to 80
iptables -A INPUT -s 172.16.110.92 -p tcp --dport 22: -j DROP      from port 22 to the last port
iptables -A INPUT -s 172.16.110.92 -p tcp --dport :80 -j DROP      from port 0 to port 80
Eg:
Do not allow your deskmate to access your port 80 (INPUT and OUTPUT):
iptables -A INPUT -s 172.16.110.92 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 172.16.110.92 -p tcp --sport 80 -j DROP
Eg:
1. Only allow others to access your port 80
iptables -A INPUT -p tcp ! --dport 80 -j DROP
2. Deny everyone access to your sshd service
iptables -A INPUT -p tcp --dport 22 -j DROP
3. Only allow others to access your FTP service
Port mode (active FTP):
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -j DROP
Passive mode:
vim /etc/vsftpd/vsftpd.conf
pasv_min_port=10000
pasv_max_port=11000
service vsftpd restart
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000:11000 -j ACCEPT
iptables -A INPUT -j DROP
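As an added example that is not from the original page, here is example 3's passive-mode ruleset written as an iptables-restore file instead of appended rule by rule, so the whole table is replaced atomically and the file is the same format iptables-save produces. The admin host 172.16.110.1 kept for SSH, the loopback and conntrack rules and the rate-limited LOG are assumptions added here, because a bare trailing DROP also discards replies to connections the server itself opened and your own login.

```shell
#!/bin/sh
# Added example, not from the original page: build the passive-FTP
# ruleset (example 3 above) as an iptables-restore file instead of
# appending rules one at a time. Assumed: admin host 172.16.110.1 keeps
# SSH access; loopback, conntrack and LOG rules are additions.

# build_ftp_rules OUT ADMIN_IP PASV_RANGE: write the ruleset to OUT.
# iptables-restore ignores lines starting with '#', so the comments
# survive in the saved file.
build_ftp_rules() {
    out="$1"; admin="$2"; pasv="$3"
    cat > "$out" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the DROP policy above is the catch-all (the page's -P INPUT DROP), so
# it needs allows for loopback and for replies to connections this host
# opened; with nf_conntrack_ftp loaded the data session is also RELATED,
# and the explicit pasv range rule below still covers it without the helper
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# keep an administrative path so the ruleset cannot lock you out
-A INPUT -s $admin -p tcp --dport 22 -j ACCEPT
# FTP control channel and the pasv_min_port:pasv_max_port range
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport $pasv -j ACCEPT
# rate-limited log of what falls through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ftp-fw drop: "
COMMIT
EOF
}

# input_rule_count FILE: number of -A INPUT rules in the generated file
input_rule_count() { grep -c '^-A INPUT ' "$1"; }

# apply_rules FILE: load atomically, only as root with iptables-restore
# present; on any other host this returns 1 and changes nothing
apply_rules() {
    [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null || return 1
    iptables-restore < "$1"
}

RULES=$(mktemp)
build_ftp_rules "$RULES" 172.16.110.1 10000:11000
echo "ruleset written to $RULES ($(input_rule_count "$RULES") INPUT rules)"
```

Review the generated file, then load it with apply_rules on the FTP host; iptables-save will reproduce the same content afterwards.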
By network interface
iptables -A INPUT -i eth0 -j DROP         -i: the interface the packet arrived on
iptables -A OUTPUT -o eth0 -j DROP        -o: the interface the packet leaves by
Custom chain
iptables -N lian1                 create the chain
iptables -A INPUT -j lian1        link it: jump from INPUT into lian1
iptables -A lian1 -j DROP         action inside the custom chain
iptables -E lian1 newlian         rename the chain
Delete a custom chain:
iptables -D INPUT 1               remove the jump (the chain must no longer be referenced)
iptables -F newlian               flush the rules in the custom chain
iptables -X newlian               delete the custom chain
Actions (-j target)
DROP
ACCEPT
a custom chain
REJECT
LOG
iptables -A INPUT -j LOG
multiport module (up to 15 ports per match)
Destination port matching:
iptables -A INPUT -p tcp -m multiport --dports 20,21,23,25,80 -j DROP
Source port matching:
iptables -A OUTPUT -p tcp -m multiport --sports 20,21,23,25,80 -j DROP
Either port matching:
iptables -A OUTPUT -p tcp -m multiport --ports 20,21,23,25,80 -j DROP
iptables stateful firewall module
SNAT (source network address translation)
Topology: client 172.16.110.2 -> gateway 172.16.110.1 (inside) / 10.10.10.1 (outside) -> server 10.10.10.200
1. On the client, set the gateway:
route add default gw 172.16.110.1
2. On the SNAT gateway, enable forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Write the firewall rule (either form):
iptables -t nat -A POSTROUTING -s 172.16.110.0/24 -j SNAT --to-source 10.10.10.1
iptables -t nat -A POSTROUTING -s 172.16.110.0/24 -j MASQUERADE
DNAT
Topology: client 172.16.110.2 -> gateway 172.16.110.1 / 10.10.10.1 -> server 10.10.10.200
On the client, the gateway is 172.16.110.1 as above; on the gateway (10.10.10.1), enable forwarding through /proc/sys/net/ipv4/ip_forward.
Firewall rule:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.200
Test from the client:
elinks --dump 172.16.110.1
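The SNAT and DNAT setup above as a single iptables-restore file, added here as an example and not taken from the original page. The interface names eth0 (LAN, 172.16.110.0/24 side) and eth1 (outside, where 10.10.10.200 lives) and the FORWARD rules are assumptions: NAT only rewrites addresses, and the FORWARD chain still has to let the packets cross the gateway.

```shell
#!/bin/sh
# Added example, not from the original page: the SNAT/DNAT gateway above
# as one iptables-restore file plus the forwarding check it depends on.
# Assumed names: eth0 faces the LAN (172.16.110.0/24), eth1 faces the
# 10.10.10.0/24 side where 10.10.10.200 lives.

# ip_forward_enabled FILE: true if the sysctl file contains "1". The real
# file is /proc/sys/net/ipv4/ip_forward; the argument exists so the check
# can be exercised against a constructed file.
ip_forward_enabled() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }

# build_nat_rules OUT LAN_NET LAN_IF WAN_IF WEB_IP: write the ruleset to OUT
build_nat_rules() {
    out="$1"; lan="$2"; lan_if="$3"; wan_if="$4"; web="$5"
    cat > "$out" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT runs before routing: a LAN client asking the gateway's LAN address
# on port 80 (the page's "elinks --dump 172.16.110.1" test) is rewritten
# to $web and routed out through $wan_if
-A PREROUTING -i $lan_if -p tcp --dport 80 -j DNAT --to-destination $web
# SNAT after routing: LAN sources leaving via $wan_if take the gateway's
# address, so $web answers the gateway and conntrack reverses both NATs
-A POSTROUTING -s $lan -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only rewrites addresses; FORWARD decides whether a packet may cross
# the gateway at all, so a DROP policy needs these explicit allows
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -s $lan -o $wan_if -j ACCEPT
COMMIT
EOF
}

RULES=$(mktemp)
build_nat_rules "$RULES" 172.16.110.0/24 eth0 eth1 10.10.10.200
if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
    echo "forwarding is on; ruleset written to $RULES"
else
    echo "forwarding is off: run 'echo 1 > /proc/sys/net/ipv4/ip_forward' first"
fi
```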
After reading the above, have you mastered how to understand iptables? If you want to learn more skills or know more about it, you are welcome to follow the industry information channel. Thank you for reading!