2025-01-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to use the iptables command. The editor found it very practical and shares it here as a reference; follow along with the editor.
Introduction to iptables
Netfilter/iptables (usually just called iptables) is the packet filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall products for packet filtering, packet redirection and network address translation (NAT). On current distributions the iptables command is often the nftables-backed iptables-nft; the syntax described below is unchanged.
iptables basics
A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, handle the packet this way". Rules are stored in packet filtering tables in kernel space and specify, for example, the source address, destination address, transport protocol (TCP, UDP, ICMP) and service (HTTP, FTP, SMTP, identified by port). When a packet matches a rule, iptables applies the action the rule defines, such as ACCEPT, REJECT or DROP. Configuring the firewall mostly consists of adding, modifying and deleting these rules.
The relationship between iptables and netfilter:
This has to be said first, because the relationship between iptables and netfilter confuses many people: they know iptables but have never heard of netfilter. iptables is only the administrative tool for the Linux firewall, installed as /sbin/iptables (or /usr/sbin/iptables). The real firewall is netfilter, the packet filtering framework inside the Linux kernel; iptables just loads rules into it.
The path a packet takes through iptables
It can be summarised as:
1. A packet addressed to the local host passes through PREROUTING -> INPUT.
2. A packet that the local host forwards passes through PREROUTING -> FORWARD -> POSTROUTING.
3. A packet generated by the local host passes through OUTPUT -> POSTROUTING.
The routing decision made after PREROUTING determines which of the first two paths applies.
The rule tables and chains of iptables:
Tables group rules by function. iptables has four built-in tables: filter, nat, mangle and raw, used for packet filtering, network address translation, packet modification (header rewriting) and exempting packets from connection tracking, respectively.
Chains are the points on the packet's path where rules are evaluated; each chain is a list of rules, and a chain may hold zero or more rules. When a packet reaches a chain, iptables checks it against the rules in order, starting with the first. The first rule whose conditions the packet meets decides what happens to it (first match wins); if no rule in the chain matches, the packet is handled by the chain's default policy (set with -P).
Relationship between the rule tables and chains (the original page shows a diagram of the four tables and five chains at this point):
1. filter table, three chains: INPUT, FORWARD, OUTPUT
Function: packet filtering. Kernel module: iptable_filter.
2. nat table, three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (rewriting IP addresses and ports). Kernel module: iptable_nat. (Kernels from 2.6.36 onwards also register an INPUT chain in this table.)
3. mangle table, five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modify packet headers such as the TOS/DSCP field and the TTL, and set marks used for policy routing and QoS. Kernel module: iptable_mangle. (This table looks intimidating, but it is rarely needed when writing ordinary filtering policies.)
4. raw table, two chains: OUTPUT, PREROUTING
Function: decide whether a packet is exempted from connection tracking (NOTRACK). Kernel module: iptable_raw.
For a packet arriving at a given hook, the tables are consulted in the order raw, mangle, nat, filter.
The syntax of an iptables invocation (the original page illustrates it with a figure) is:
The general form of the command that adds, removes or edits a rule:
iptables [-t table] command [match] [target]
An iptables rule therefore has four basic elements: the table (filter when -t is omitted), the command, the match and the target.
Chain commands:
-N: create a new user-defined chain
-X: delete an (empty) user-defined chain
-F: flush all rules from a chain
-Z: zero the packet and byte counters
-P: set the default policy of a built-in chain (ACCEPT or DROP)
-L: list the rules of a chain; combine with -n (no DNS lookups), -v (counters and interfaces) and --line-numbers to see the rule numbers used by -I, -R and -D
Rule commands:
-A: append a rule at the end of a chain.
-I: insert a rule at position n (default 1, the top of the chain).
-R: replace rule number n.
-D: delete a rule, either by number or by repeating its full specification.
Match criteria:
Basic matches:
-s: source address (host or network, e.g. 192.168.1.0/24)
-d: destination address
-p: protocol (tcp | udp | icmp)
-i: input interface; only valid in chains that see incoming packets (PREROUTING | INPUT | FORWARD)
-o: output interface; only valid in chains that see outgoing packets (FORWARD | OUTPUT | POSTROUTING)
Extended matches:
Implicit extensions (loaded automatically by -p):
With -p udp: --dport
--sport
With -p tcp: --dport
--sport
--tcp-flags mask comp: examine the flags listed in mask (URG, ACK, PSH, RST, SYN, FIN, or ALL, NONE) and match when, of those, exactly the flags listed in comp are set.
--syn matches the first packet of the handshake (SYN set, ACK, FIN and RST clear); it is shorthand for
--tcp-flags ACK,SYN,FIN,RST SYN
With -p icmp: --icmp-type (for example echo-request; the original page wrote --icmp-flags, which is not an iptables option)
Explicit extensions (loaded with -m):
-m state (--state NEW,ESTABLISHED,RELATED,INVALID; superseded by -m conntrack --ctstate)
-m multiport (--sports, --dports or --ports, up to 15 ports each)
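To make the mask/comp semantics of --tcp-flags concrete, here is an added example (not code from the original page) that emulates the kernel's check in shell: the flag bit values and the meaning of ALL (0x3F) follow iptables' tcp match, while the function names flag_bit, flags_to_mask, tcp_flags_match and syn_match and the constructed packet headers are this example's own. It also shows a detail the list above does not: ALL covers only the six nameable flags, so a SYN that carries the ECN bits (ECE, CWR) is still caught by --syn.

```shell
#!/bin/sh
# Added example: emulates the "--tcp-flags mask comp" test the kernel's
# tcp match performs, i.e. (packet_flags & mask) == comp.  Flags outside
# the mask are ignored; comp flags that are not also in mask never match.

# Bit values of the TCP flag byte. iptables can only name the first six;
# ECE and CWR are listed so a constructed packet header can carry them.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ECE) echo 64 ;;
        CWR) echo 128 ;;
        *)   echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_mask "SYN,ACK" | ALL | NONE -> integer bitmask.
# ALL is 0x3F in iptables: URG,ACK,PSH,RST,SYN,FIN only, never ECE/CWR.
flags_to_mask() {
    case "$1" in
        ALL)  echo 63; return 0 ;;
        NONE) echo 0;  return 0 ;;
    esac
    total=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        b=$(flag_bit "$f") || return 1
        total=$((total | b))
    done
    echo "$total"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Exit 0 when a rule "--tcp-flags MASK COMP" would match a packet whose
# header has exactly PACKET_FLAGS set (constructed input, not a capture).
tcp_flags_match() {
    want_mask=$(flags_to_mask "$1") || return 2
    want_comp=$(flags_to_mask "$2") || return 2
    have=$(flags_to_mask "$3")      || return 2
    [ "$((have & want_mask))" -eq "$want_comp" ]
}

# syn_match PACKET_FLAGS: what "--syn" expands to.
syn_match() {
    tcp_flags_match ACK,SYN,FIN,RST SYN "$1"
}

# Walk a few constructed headers through three rules and print the verdicts.
for hdr in SYN SYN,ECE,CWR SYN,ACK SYN,ACK,PSH ACK NONE; do
    r1=no; r2=no; r3=no
    syn_match "$hdr"                        && r1=yes
    tcp_flags_match ALL SYN,ACK "$hdr"      && r2=yes
    tcp_flags_match SYN,ACK SYN,ACK "$hdr"  && r3=yes
    printf '%-12s --syn=%-3s ALL/SYN,ACK=%-3s SYN,ACK/SYN,ACK=%s\n' \
        "$hdr" "$r1" "$r2" "$r3"
done
```

The table the loop prints shows why the mask matters: with mask ALL a SYN,ACK,PSH packet does not match comp SYN,ACK, whereas with mask SYN,ACK it does, because PSH is simply not examined.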
Special note:
Although iptables ships with a service script, it is not a daemon: the script only loads (or flushes) the saved rules, after which the kernel enforces them without any user-space process. On RHEL/CentOS 6-style systems:
The service script is /etc/rc.d/init.d/iptables.
The script's configuration file is /etc/sysconfig/iptables-config.
The rules are saved in /etc/sysconfig/iptables (written by "service iptables save", which calls iptables-save).
On systemd distributions the equivalent is the iptables-services package (iptables.service); iptables-save and iptables-restore are the portable way to persist and reload a rule set.
Simple examples:
(1) Accept incoming packets from a given network to a given port (allow ssh remote connections to the host 192.168.1.104), and let the replies out:
# iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.104 -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -s 192.168.1.104 -d 192.168.1.0/24 -p tcp --sport 22 -j ACCEPT
(The second rule is only needed when the OUTPUT policy is DROP; a single rule with -m state --state ESTABLISHED,RELATED handles the replies of every service at once.)
(2) Stop dropping packets to a given port (delete the DROP rule for TCP port 80; --dport is only valid together with -p):
# iptables -D INPUT -p tcp --dport 80 -j DROP
(3) Allow forwarding of all tcp packets arriving on eth0 for the local smtp server 198.168.10.13:
# iptables -A FORWARD -p tcp -d 198.168.10.13 --dport smtp -i eth0 -j ACCEPT
(4) Allow forwarding of all udp packets arriving on eth0 for the 198.168.80.0/24 network (traffic generated by software such as instant messaging):
# iptables -A FORWARD -p udp -d 198.168.80.0/24 -i eth0 -j ACCEPT
(5) Reject requests arriving on eth0 for the WWW server 198.168.80.11 (REJECT answers with an error, DROP discards silently):
# iptables -A FORWARD -p tcp -d 198.168.80.11 --dport www -i eth0 -j REJECT
(6) Allow incoming tcp packets destined for a set of ports:
# iptables -A INPUT -p tcp -m multiport --dports 21,53,80,25,110 -j ACCEPT
(7) Allow incoming tcp packets originating from a set of ports:
# iptables -A INPUT -p tcp -m multiport --sports 21,53,80,25,110 -j ACCEPT
(8) Drop packets whose flags are exactly SYN and ACK (mask ALL means every flag is examined, so a packet with an additional flag such as PSH does not match):
# iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP
Caveat: SYN,ACK is the second step of the handshake, so this rule also drops the replies to connections the host itself initiated unless a rule accepting ESTABLISHED traffic precedes it.
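Pulling the tables, chains, default policies and rule order together, the following added script (not code from the original page) renders a complete stateful host policy in the format that iptables-save writes and iptables-restore reads, so the pieces described above appear in one place. The addresses, the port list and the function names (render_policy, policy_has, input_rule_count, rule_position, check_policy, apply_policy) are this example's own assumptions; it uses -m conntrack, the successor of -m state. It only prints the policy unless check_policy or apply_policy is called as root.

```shell
#!/bin/sh
# Added example: generate a stateful host firewall as an iptables-restore file.
# Assumptions (not from the page): host 192.168.1.104, admin network
# 192.168.1.0/24, public TCP services 25,53,80,110 and UDP 53.
HOST_IP="${HOST_IP:-192.168.1.104}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
PUBLIC_TCP="${PUBLIC_TCP:-25,53,80,110}"

# Print the policy. "*table" opens a table, ":CHAIN POLICY [pkts:bytes]"
# declares a built-in chain with its default policy, COMMIT ends the table.
# Rules are matched top to bottom and the first match wins, so the conntrack
# shortcut comes before any per-service rule and the LOG rule comes last.
render_policy() {
    cat <<EOF
# generated by render_policy (example)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -s $ADMIN_NET -d $HOST_IP -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports $PUBLIC_TCP -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# policy_has REGEX: exit 0 if some line of the rendered policy matches.
policy_has() {
    render_policy | grep -q -e "$1"
}

# Number of rules appended to INPUT.
input_rule_count() {
    render_policy | grep -c -e '^-A INPUT'
}

# Line number of the first line matching REGEX, for ordering checks.
rule_position() {
    render_policy | grep -n -e "$1" | head -n 1 | cut -d: -f1
}

# Validate the policy against the kernel without loading it.
# iptables-restore --test needs CAP_NET_ADMIN, so it is skipped when not root.
check_policy() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "check_policy: skipped (needs root and iptables-restore)" >&2
        return 0
    fi
    render_policy | iptables-restore --test
}

# Load for real, then persist with iptables-save so the rules survive a
# reboot (the path is the RHEL/CentOS convention mentioned on the page).
apply_policy() {
    render_policy | iptables-restore && iptables-save > /etc/sysconfig/iptables
}

render_policy
```

The "! --syn ... NEW" rule is the safe form of example (8): a TCP packet that is not a connection opener but has no tracked connection is dropped, while legitimate SYN,ACK replies to the host's own connections are already accepted by the ESTABLISHED rule above it. After apply_policy, "iptables -L INPUT -n -v --line-numbers" shows the counters per rule.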
Thank you for reading! This concludes the article on how to use the iptables command. I hope the content above is of some help and lets you learn something new; if you found the article useful, share it so more people can see it.