
Linux basic command-iptables firewall

2025-02-23 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

Iptables

The iptables command sets the IP packet-filtering rules of the Linux kernel and manages its NAT function. It is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules that can match a set of packets, and each rule specifies what to do with a packet that matches. This is called a "target", which may be a jump to a user-defined chain in the same table.

The scope of this command: RedHat, RHEL, Ubuntu, CentOS, SUSE, openSUSE, Fedora.

1. Syntax

iptables [-t table] {-A|-D} chain rule-specification

iptables [-t table] -I chain [rulenum] rule-specification

iptables [-t table] -R chain rulenum rule-specification

iptables [-t table] -D chain rulenum

iptables [-t table] -S [chain [rulenum]]

iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

iptables [-t table] -N chain

iptables [-t table] -X [chain]

iptables [-t table] -P chain target

iptables [-t table] -E old-chain-name new-chain-name

rule-specification = [matches...] [target]

match = -m matchname [per-match-options]

target = -j targetname [per-target-options]

Currently the Linux kernel supports three independent tables: filter, which filters IP packets; nat, which configures network address translation; and mangle, which modifies IP packets.

filter is the default table and consists of three chains: INPUT (packets destined for the local machine), OUTPUT (packets generated locally), and FORWARD (packets being routed through the machine).

The nat table contains three chains: PREROUTING (altering packets as soon as they come in), OUTPUT (altering locally generated packets before routing), and POSTROUTING (altering packets as they are about to go out).

The mangle table has five chains: PREROUTING (altering incoming packets before routing), OUTPUT (altering locally generated packets before routing), INPUT (altering packets destined for the local machine), FORWARD (altering packets being routed through the machine), and POSTROUTING (altering packets as they are about to go out).

The built-in targets are ACCEPT (let the packet through), DROP (drop the packet), QUEUE (pass the packet to user space) and RETURN (stop traversing this chain and resume at the next rule in the previous, calling chain).

2. List of options

Options can be divided into groups.

Commands:

-t table: specify the table to operate on (filter if omitted).

-A | --append chain rule-specification: append one or more rules to the end of the chain.

-D | --delete chain rule-specification: delete one or more rules from the chain.

-I | --insert chain [rulenum] rule-specification: insert one or more rules at the given position in the chain (position 1, the head of the chain, if omitted).

-R | --replace chain rulenum rule-specification: replace the rule at the given position in the chain.

-L | --list [chain]: list all rules in the chain, or in all chains if none is given.

-S | --list-rules [chain]: print all rules in the selected chain in iptables command form. If no chain is selected, all chains are printed.

-F | --flush [chain]: flush (delete all rules in) the chain, or in all chains if none is given.

-Z | --zero [chain [rulenum]]: zero the packet and byte counters.

-N | --new-chain chain: create a new user-defined chain.

-X | --delete-chain [chain]: delete the given user-defined chain, or all user-defined chains if none is given.

-P | --policy chain target: set the policy of the given (built-in) chain to the given target.

-E | --rename-chain old new: rename the chain.

-h: display help.

Parameters:

[!] -p | --protocol protocol: the protocol to match: tcp, udp, icmp or all. A "!" before the protocol negates the match.

[!] -s | --source address[/mask][,...]: source address.

[!] -d | --destination address[/mask][,...]: destination address.

-j | --jump target: the target to jump to.

-g | --goto chain: processing continues in the user-specified chain. Unlike --jump, a RETURN will not continue processing in this chain but in the chain that called us via --jump.

[!] -i | --in-interface name: name of the interface on which the packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When "!" is given before the interface name, the sense is inverted. If the interface name ends in "+", any interface whose name begins with that string will match. If this option is omitted, any interface name will match.

-o | --out-interface name: name of the interface via which the packet is going to be sent.

[!] -f | --fragment: the rule only refers to the second and further fragments of fragmented packets.

-c | --set-counters packets bytes: enables the administrator to initialize the packet and byte counters of a rule (during insert, append and replace operations).

Other options:

-v | --verbose: verbose output. Makes the list command show the interface name, the rule options (if any) and the TOS masks. The packet and byte counters are also listed.

-n | --numeric: numeric output. IP addresses and port numbers are printed in numeric format. By default the program tries to display them as host names, network names or services (whenever applicable).

-x | --exact: expand numbers. Display the exact value of the packet and byte counters instead of only the rounded number in K (multiples of 1000), M (multiples of 1000K) or G (multiples of 1000M). This option is only relevant for the -L command.

--line-numbers: when listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

--modprobe=command: when adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc.).

3. Match extensions

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match option followed by the matching module name; after that, depending on the module, various extra command-line options become available. Several extension modules can be specified in one line, and -h or --help can be given after a module has been specified to get help specific to that module.

1) addrtype

This module matches packets based on their address type. Address types are used within the kernel networking stack and classify addresses into groups; the exact definition of the groups depends on the specific layer 3 protocol. The address types are:

UNSPEC, an unspecified address, for example 0.0.0.0.

UNICAST, a unicast address.

LOCAL, a local address.

BROADCAST, a broadcast address.

ANYCAST, an anycast address.

MULTICAST, a multicast address.

BLACKHOLE, a blackhole address.

UNREACHABLE, an unreachable address.

PROHIBIT, a prohibited address.

THROW, FIXME.

NAT, FIXME.

XRESOLVE

[!] --src-type type, matches if the source address is of the given type.

[!] --dst-type type, matches if the destination address is of the given type.

--limit-iface-in, the address type check can be limited to the interface the packet is coming in on. This option is only valid in the PREROUTING, INPUT and FORWARD chains. It cannot be specified with --limit-iface-out.

--limit-iface-out, the address type check can be limited to the interface the packet is going out on. This option is only valid in the POSTROUTING, OUTPUT and FORWARD chains. It cannot be specified with --limit-iface-in.

2) ah

This module matches the SPIs in the Authentication Header of IPsec packets.

[!] --ahspi spi[:spi]

3) cluster

Allows you to deploy gateway and back-end load-sharing clusters without the need for a load balancer. This match requires that all the nodes see the same packets; the cluster match then decides whether this node has to handle a packet, given the following options.

--cluster-total-nodes num, set the total number of nodes in the cluster.

[!] --cluster-local-node num, set the local node number ID.

[!] --cluster-local-nodemask mask, set the local node number ID mask. You can use this option instead of --cluster-local-node.

--cluster-hash-seed value, set the seed value of the Jenkins hash.

iptables -A PREROUTING -t mangle -i eth2 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

iptables -A PREROUTING -t mangle -i eth3 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff

iptables -A PREROUTING -t mangle -i eth2 -m mark ! --mark 0xffff -j DROP

iptables -A PREROUTING -t mangle -i eth3 -m mark ! --mark 0xffff -j DROP

The following commands make all nodes see the same packets:

ip maddr add 01:00:5e:00:01:01 dev eth2

ip maddr add 01:00:5e:00:01:02 dev eth3

arptables -A OUTPUT -o eth2 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:01

arptables -A INPUT -i eth2 --h-length 6 --destination-mac 01:00:5e:00:01:01 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

arptables -A OUTPUT -o eth3 --h-length 6 -j mangle --mangle-mac-s 01:00:5e:00:01:02

arptables -A INPUT -i eth3 --h-length 6 --destination-mac 01:00:5e:00:01:02 -j mangle --mangle-mac-d 00:zz:yy:xx:5a:27

4) comment

Allows you to add comments (up to 256 characters) to any rule.

--comment comment

iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"

5) connbytes

Its main use is to detect long-lived downloads and mark them so that they are scheduled in a lower-priority band in traffic control. The transferred bytes per connection can also be viewed through "conntrack -L" and accessed via ctnetlink.

[!] --connbytes from[:to], match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO. "!" is used to match packets not falling in that range.

--connbytes-dir {original|reply|both}, which packets to consider.

--connbytes-mode {packets|bytes|avgpkt}, whether to check the amount of packets, the number of bytes transferred, or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt" and data is going (mainly) only in one direction (for example HTTP), the average packet size will be about half of the actual data packets.

iptables .. -m connbytes --connbytes 10000 --connbytes-dir both --connbytes-mode bytes

6) connlimit

Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).

[!] --connlimit-above n, match if the number of existing connections is above n.

--connlimit-mask prefix_length, group hosts using the prefix length. For IPv4 this must be a number between (including) 0 and 32; for IPv6 between 0 and 128.

# allow 2 telnet connections per client host

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel HTTP requests to 16 per class C network (24-bit netmask)

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

# limit parallel HTTP requests to 16 for the link-local network (IPv6)

ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

7) connmark

This module matches the netfilter mark field associated with a connection (which can be set using the CONNMARK target below).

[!] --mark value[/mask], matches packets in connections with the given mark value (if a mask is specified, the mark is logically ANDed with the mask before the comparison).

8) conntrack

When combined with connection tracking, this module allows access to the connection tracking state for this packet/connection.

[!] --ctstate statelist, where statelist is a comma-separated list of the connection states to match. The possible states are listed below.

[!] --ctproto l4proto, layer 4 protocol to match (by number or name).

[!] --ctorigsrc address[/mask]

[!] --ctorigdst address[/mask]

[!] --ctreplsrc address[/mask]

[!] --ctrepldst address[/mask], match against the original/reply source/destination address.

[!] --ctorigsrcport port

[!] --ctorigdstport port

[!] --ctreplsrcport port

[!] --ctrepldstport port, match against the original/reply source/destination port (TCP/UDP/etc.) or GRE key.

[!] --ctstatus statuslist, where statuslist is a comma-separated list of the connection statuses to match. The possible statuses are listed below.

[!] --ctexpire time[:time], match the remaining lifetime in seconds against the given value or range (inclusive).

--ctdir {ORIGINAL|REPLY}, match packets that are flowing in the specified direction. If this flag is not specified at all, packets in both directions are matched.

Valid values of ctstate:

INVALID, the packet is associated with no known connection.

NEW, the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions.

ESTABLISHED, the packet is associated with a connection which has seen packets in both directions.

RELATED, the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

SNAT, a virtual state, matching if the original source address differs from the reply destination.

DNAT, a virtual state, matching if the original destination differs from the reply source.

Valid values of ctstatus:

NONE, none of the below.

EXPECTED, this is an expected connection.

SEEN_REPLY, conntrack has seen packets in both directions.

ASSURED, the connection entry should never be expired early.

CONFIRMED, the connection is confirmed: the originating packet has left the box.

9) dccp

[!] --source-port, --sport port[:port]

[!] --destination-port, --dport port[:port]

[!] --dccp-types mask, match when the DCCP packet type is one of mask, a comma-separated list of packet types. Packet types are: REQUEST, RESPONSE, DATA, ACK, DATAACK, CLOSEREQ, CLOSE, RESET, SYNC, SYNCACK, INVALID.

[!] --dccp-option number, match if the DCCP option is set.

10) dscp

This module matches the 6-bit DSCP field within the TOS field in the IP header. DSCP has superseded TOS within the IETF.

[!] --dscp value, match against a numeric (decimal or hex) value [0-63].

[!] --dscp-class class, match the DiffServ class. This value may be any of the BE, EF, AFxx or CSx classes. It will then be converted into its corresponding numeric value.

11) ecn

This allows you to match the ECN bits of the IPv4 and TCP headers. ECN is the Explicit Congestion Notification mechanism specified in RFC 3168.

[!] --ecn-tcp-cwr, matches if the TCP ECN CWR (Congestion Window Received) bit is set.

[!] --ecn-tcp-ece, matches if the TCP ECN ECE (ECN Echo) bit is set.

[!] --ecn-ip-ect num, matches a particular IPv4 ECT (ECN-Capable Transport) value. You have to specify a number between 0 and 3.

12) esp

This module matches the SPIs in the ESP header of IPsec packets.

[!] --espspi spi[:spi]

13) hashlimit

hashlimit uses hash buckets to express a rate limiting match (like the limit match) for a group of connections using a single iptables rule. Grouping can be done per host group (source and/or destination address) and/or per port. It gives you the ability to express "N packets per time quantum per group":

matching on source host: 192.168.0.0/16: 1000 packets per second for each host.

matching on source port: 100 packets per second for each service of 192.168.1.1.

matching on subnets: 10000 packets per minute for each /28 subnet in 10.0.0.0/8.

--hashlimit-upto amount[/second|/minute|/hour|/day], match if the rate is below or equal to amount/quantum. It is specified as a number, with an optional time quantum suffix; the default is 3/hour.

--hashlimit-above amount[/second|/minute|/hour|/day], match if the rate is above amount/quantum.

--hashlimit-burst amount, maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

--hashlimit-mode {srcip|srcport|dstip|dstport},..., a comma-separated list of objects to take into consideration. If no --hashlimit-mode option is given, hashlimit acts like limit, but at the expensive cost of doing the hash housekeeping.

--hashlimit-srcmask prefix, when --hashlimit-mode is used, all source addresses encountered will be grouped according to the given prefix length and the subnet so created will be subject to hashlimit. prefix must be between (inclusive) 0 and 32.

--hashlimit-dstmask prefix, like --hashlimit-srcmask, but for destination addresses.

--hashlimit-name foo, the name for the /proc/net/ipt_hashlimit/foo entry.

--hashlimit-htable-size buckets, the number of buckets of the hash table.

--hashlimit-htable-max entries, the maximum number of entries in the hash.

--hashlimit-htable-expire msec, after how many milliseconds hash entries expire.

--hashlimit-htable-gcinterval msec, how many milliseconds between garbage collection intervals.

14) helper

This module matches packets related to a specific conntrack helper.

[!] --helper string, matches packets related to the specified conntrack helper. For packets related to FTP sessions on the default port, the string can be "ftp". For other ports append -portnr to the value, i.e. "ftp-2121".

15) icmp

This extension can be used if --protocol icmp is specified. It provides the following option:

[!] --icmp-type {type[/code]|typename}, allows specification of the ICMP type, which can be a numeric ICMP type, a type/code pair, or one of the ICMP type names shown by the module's help (-h).

16) iprange

This matches on a given arbitrary range of IP addresses.

[!] --src-range from[-to], match source IP in the specified range.

[!] --dst-range from[-to], match destination IP in the specified range.

17) length

This module matches the length of the layer 3 payload (i.e. the layer 4 packet) of a packet against a specific value or range of values.

[!] --length length[:length]

18) limit

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the "!" flag is used). It can be used in combination with a logging target to give limited logging.

--limit rate[/second|/minute|/hour|/day], maximum average matching rate: specified as a number, with an optional /second, /minute, /hour or /day suffix; the default is 3/hour.

--limit-burst number, maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
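To make the rate and burst semantics of limit and hashlimit concrete, here is an added token-bucket model in Python (my own illustration, not xt_limit's or xt_hashlimit's code). It assumes a bucket that refills continuously at the configured rate and, for hashlimit, one bucket per source prefix, as --hashlimit-mode srcip with --hashlimit-srcmask would group it.

```python
# Token-bucket model of -m limit / -m hashlimit (constructed example).
import ipaddress

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'3/hour' -> tokens added per second; a bare number means per second."""
    num, _, unit = spec.partition("/")
    return float(num) / UNITS[unit.strip() or "second"]


class TokenBucket:
    """--limit rate --limit-burst burst. The bucket starts full with `burst`
    tokens, each matched packet spends one, and tokens come back at `rate`
    (never above `burst`); a packet that finds no token does not match."""

    def __init__(self, rate, burst=5):
        self.rate = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now):
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True    # rule matches (e.g. the packet is logged)
        return False       # limit reached: rule does not match


class HashLimit:
    """--hashlimit-mode srcip --hashlimit-srcmask prefix: one bucket per source
    subnet rather than one bucket for the whole rule."""

    def __init__(self, rate, burst=5, srcmask=32):
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.buckets = {}

    def group(self, src):
        net = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        return str(net.network_address)

    def match(self, src, now):
        key = self.group(src)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.rate, self.burst)
        return self.buckets[key].match(now)


def simulate_limit(rate, burst, times):
    """Verdicts for packets hitting one '-m limit' rule at the given times (seconds)."""
    bucket = TokenBucket(rate, burst)
    return [bucket.match(t) for t in times]


def simulate_hashlimit(rate, burst, srcmask, packets):
    """Verdicts for (src, time) packets hitting one '-m hashlimit' rule."""
    limiter = HashLimit(rate, burst, srcmask)
    return [limiter.match(src, t) for src, t in packets]


if __name__ == "__main__":
    # Constructed traffic: seven packets at t=0 and two at t=1 against
    # '--limit 1/second --limit-burst 5': five pass, two are over the limit,
    # and exactly one token has come back by t=1.
    print(simulate_limit("1/second", 5, [0] * 7 + [1, 1]))
```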

19) mac

[!] --mac-source address, match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.

20) mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

[!] --mark value[/mask], matches packets with the given unsigned mark value (if a mask is specified, the mark is logically ANDed with the mask before the comparison).

21) multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with -p tcp or -p udp.

[!] --source-ports, --sports port[,port|,port:port]..., match if the source port is one of the given ports. The flag --sports is a convenient alias for this option. Multiple ports or port ranges are separated using a comma, and a port range is specified using a colon. 53,1024:65535 would therefore match port 53 and all ports from 1024 through 65535.

[!] --destination-ports, --dports port[,port|,port:port]..., match if the destination port is one of the given ports. The flag --dports is a convenient alias for this option.

[!] --ports port[,port|,port:port]..., match if either the source or the destination port is equal to one of the given ports.

22) owner

This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

[!] --uid-owner username

[!] --uid-owner userid[-userid], matches if the packet socket's file structure (if any) is owned by the given user. You may also specify a numerical UID, or a UID range.

[!] --gid-owner groupname

[!] --gid-owner groupid[-groupid], matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

[!] --socket-exists, matches if the packet is associated with a socket.

23) physdev

This module matches on the bridge port input and output devices enslaved to a bridge device. This module is a part of the infrastructure that enables a transparent bridging IP firewall and is only useful for kernel versions above 2.5.44.

[!] --physdev-in name, name of a bridge port via which a packet is received (only for packets entering the INPUT, FORWARD and PREROUTING chains). If the interface name ends in "+", any interface whose name begins with this string will match. If the packet didn't arrive through a bridge device, it won't match this option, unless "!" is used.

[!] --physdev-out name, name of a bridge port via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). If the interface name ends in "+", any interface whose name begins with this string will match. Note that in the nat and mangle OUTPUT chains one cannot match on the bridge output port; in the filter OUTPUT chain one can. If the packet won't leave by a bridge device, or if it is not yet known what the output device will be, the packet won't match this option, unless "!" is used.

[!] --physdev-is-in, matches if the packet has entered through a bridge interface.

[!] --physdev-is-out, matches if the packet will leave through a bridge interface.

[!] --physdev-is-bridged, matches if the packet is being bridged and therefore is not being routed. This is only useful in the FORWARD and POSTROUTING chains.

24) pkttype

This module matches the link-layer packet type.

[!] --pkt-type {unicast|broadcast|multicast}

25) policy

This module matches the policy used by IPsec for handling a packet.

--dir {in|out}, used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains; out is valid in the POSTROUTING, OUTPUT and FORWARD chains.

--pol {none|ipsec}, matches if the packet is subject to IPsec processing.

--strict, selects whether to match the exact policy or to match if any rule of the policy matches the given policy.

[!] --reqid id, matches the reqid of the policy rule. The reqid can be specified with setkey(8) using unique:id as level.

[!] --spi spi, matches the SPI of the SA.

[!] --proto {ah|esp|ipcomp}, matches the encapsulation protocol.

[!] --mode {tunnel|transport}, matches the encapsulation mode.

[!] --tunnel-src addr[/mask], matches the source end-point address of a tunnel mode SA. Only valid with --mode tunnel.

[!] --tunnel-dst addr[/mask], matches the destination end-point address of a tunnel mode SA. Only valid with --mode tunnel.

--next, start the next element in the policy specification. Can only be used with --strict.

26) quota

Implements network quotas by decrementing a byte counter with each packet.

--quota bytes, the quota in bytes.

27) rateest

The rate estimator can match on estimated rates as collected by the RATEEST target. It supports matching on absolute bps/pps values, comparing two rate estimators, and matching on the difference between two rate estimators.

--rateest1 name, name of the first rate estimator.

--rateest2 name, name of the second rate estimator.

--rateest-delta, compare the difference with the given rate.

--rateest1-bps value

--rateest2-bps value, compare bytes per second.

--rateest1-pps value

--rateest2-pps value, compare packets per second.

[!] --rateest-lt, match if the rate is less than the given rate/estimator.

[!] --rateest-gt, match if the rate is greater than the given rate/estimator.

[!] --rateest-eq, match if the rate is equal to the given rate/estimator.

# example: route outgoing data connections from an FTP server over two lines based on the available bandwidth at the time the data connection is started:

# estimate rates

iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --rateest-interval 250ms --rateest-ewma 0.5s

iptables -t mangle -A POSTROUTING -o ppp0 -j RATEEST --rateest-name ppp0 --rateest-interval 250ms --rateest-ewma 0.5s

# mark based on available bandwidth

iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1

iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 ppp0 --rateest-bps1 2mbit --rateest-gt --rateest2 eth0 --rateest-bps2 2.5mbit -j CONNMARK --set-mark 2

iptables -t mangle -A balance -j CONNMARK --restore-mark

28) realm

This matches the routing realm. Routing realms are used in complex routing setups involving dynamic routing protocols like BGP.

[!] --realm value[/mask], matches a given realm number (and optionally mask). If not a number, value can be a named realm from /etc/iproute2/rt_realms (a mask cannot be used in that case).

29) recent

Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them further. --set, --rcheck, --update and --remove are mutually exclusive.

--name name, specify the list to use for the commands. If no name is given, DEFAULT is used.

[!] --set, add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry. This always returns success (or failure if "!" is passed in).

--rsource, match/save the source address of each packet in the recent list. This is the default.

--rdest, match/save the destination address of each packet in the recent list.

[!] --rcheck, check if the source address of the packet is currently in the list.

[!] --update, like --rcheck, except it will update the "last seen" timestamp if it matches.

[!] --remove, check if the source address of the packet is currently in the list and, if so, remove that address from the list and the rule returns true. If the address is not found, false is returned.

--seconds seconds, this option must be used in conjunction with --rcheck or --update. When used, this narrows the match to only happen when the address is in the list and was seen within the last given number of seconds.

--hitcount hits, this option must be used in conjunction with --rcheck or --update. When used, this narrows the match to only happen when the address is in the list and the number of packets received is greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame. The maximum value for the hitcount parameter is given by the ip_pkt_list_tot parameter of the xt_recent kernel module. Exceeding this value on the command line will cause the rule to be rejected.

--rttl, this option may only be used in conjunction with --rcheck or --update. When used, this narrows the match to only happen when the address is in the list and the TTL of the current packet matches that of the packet which hit the --set rule. This may be useful if you have problems with people faking their source address in order to deny others access to your site via this module by sending bogus packets to you.

iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP

iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

/proc/net/xt_recent/* are the current lists of addresses and information about each entry of each list. Each file in /proc/net/xt_recent/ can be read to see the current list, or written to with the following commands to modify the list:

echo +addr >/proc/net/xt_recent/DEFAULT

adds addr to the DEFAULT list

echo -addr >/proc/net/xt_recent/DEFAULT

removes addr from the DEFAULT list

echo / >/proc/net/xt_recent/DEFAULT

flushes the DEFAULT list

The module itself accepts parameters, defaults shown:

ip_list_tot=100, number of addresses remembered per table.

ip_pkt_list_tot=20, number of packets per address remembered.

ip_list_hash_size=, hash table size; 0 means to calculate it based on ip_list_tot (default: 512).

ip_list_perms=0644, permissions for the /proc/net/xt_recent/* files.

ip_list_uid=, numeric UID of the owner of the /proc/net/xt_recent/* files.

ip_list_gid=, numeric GID of the owning group of the /proc/net/xt_recent/* files.
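An added Python model of a recent list (not the xt_recent module's code) that replays the two FORWARD rules above against constructed traffic. It assumes the chain policy is ACCEPT and that --hitcount counts only the timestamps that fall inside the --seconds window.

```python
# Model of the xt_recent list and of the two FORWARD rules in the text
# (constructed example; not the kernel module's code).
from collections import OrderedDict


class RecentList:
    """One named list such as /proc/net/xt_recent/badguy. Each address keeps
    up to ip_pkt_list_tot timestamps (newest first); the table keeps up to
    ip_list_tot addresses and evicts the least recently updated one."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.entries = OrderedDict()      # addr -> [timestamps], oldest addr first
        self.ip_list_tot = ip_list_tot
        self.ip_pkt_list_tot = ip_pkt_list_tot

    def set(self, addr, now):
        """--set: add or refresh the entry; always succeeds."""
        stamps = self.entries.pop(addr, [])
        stamps.insert(0, now)
        del stamps[self.ip_pkt_list_tot:]
        self.entries[addr] = stamps           # re-inserted as most recent
        if len(self.entries) > self.ip_list_tot:
            self.entries.popitem(last=False)  # drop least recently updated address
        return True

    def rcheck(self, addr, now, seconds=None, hitcount=None):
        """--rcheck [--seconds s] [--hitcount h]: is addr listed, seen within
        the last s seconds, with at least h packets inside that window?"""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        if seconds is not None:
            stamps = [s for s in stamps if now - s <= seconds]
            if not stamps:
                return False
        return hitcount is None or len(stamps) >= hitcount

    def update(self, addr, now, seconds=None, hitcount=None):
        """--update: like --rcheck, but a match also refreshes 'last seen'."""
        if not self.rcheck(addr, now, seconds, hitcount):
            return False
        self.set(addr, now)
        return True

    def remove(self, addr):
        """--remove: true if addr was listed (and is now gone)."""
        return self.entries.pop(addr, None) is not None


def badguy_forward(badguy, src, dport, in_if, now):
    """Verdict of the two-rule FORWARD chain from the text for one packet
    (source address, TCP destination port, input interface, time in seconds).
    The chain policy is assumed to be ACCEPT."""
    # iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
    if badguy.rcheck(src, now, seconds=60):
        return "DROP"
    # iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
    if in_if == "eth0" and dport == 139:
        badguy.set(src, now)
        return "DROP"
    return "ACCEPT"


if __name__ == "__main__":
    lst = RecentList()
    # Constructed traffic: a probe to port 139, then ordinary traffic from the
    # same address 30 s and 100 s later (only the first two are dropped).
    for src, dport, t in [("203.0.113.5", 139, 0), ("203.0.113.5", 80, 30),
                          ("203.0.113.5", 80, 100)]:
        print(t, src, dport, badguy_forward(lst, src, dport, "eth0", t))
```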

30) sctp

[!] --source-port, --sport port[:port]

[!] --destination-port, --dport port[:port]

[!] --chunk-types {all|any|only} chunktype[:flags] [...]

A flag letter in upper case means the flag must be set to match; in lower case it means the flag must be unset.

Chunk types: DATA INIT INIT_ACK SACK HEARTBEAT HEARTBEAT_ACK ABORT SHUTDOWN SHUTDOWN_ACK ERROR COOKIE_ECHO COOKIE_ACK ECN_ECNE ECN_CWR SHUTDOWN_COMPLETE ASCONF ASCONF_ACK

Chunk type: available flags

DATA: U B E u b e

ABORT: T t

SHUTDOWN_COMPLETE: T t

Examples:

iptables -A INPUT -p sctp --dport 80 -j DROP

iptables -A INPUT -p sctp --chunk-types any DATA,INIT -j DROP

iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT

31) set

This module matches IP sets which can be defined by ipset(8).

[!] --match-set setname flag[,flag]..., where flag is a comma-separated list of src and/or dst specifications, of which there can be no more than six.

iptables -A FORWARD -m set --match-set test src,dst

will match packets for which (if the set type is ipportmap) the source address and destination port pair can be found in the specified set. If the set type of the specified set is single dimension (for example ipmap), the command will match packets for which the source address can be found in the specified set.

The option --match-set can be replaced by --set if that does not clash with an option of another extension.

32) socket

This matches if an open socket can be found by doing a socket lookup on the packet.

--transparent, ignore non-transparent sockets.

33) state

When combined with connection tracking, this module allows access to the connection tracking state for this packet.

[!] --state state, where state is a comma-separated list of the connection states to match. The possible states are INVALID, meaning that the packet could not be identified for some reason, which includes running out of memory and ICMP errors which don't correspond to any known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new conn
ection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

34) statistic

This module matches packets based on some statistical condition. It supports two distinct modes, set with the "--mode" option.

--mode mode, sets the matching mode of the rule; the supported modes are random and nth.

--probability p, sets the probability, from 0 to 1, of randomly matching a packet. Only applies to random mode.

--every n, match one packet of every nth packet. Only applies to nth mode.

--packet p, sets the initial counter value (0 to n-1) for nth mode.

>> 22 shifts the value 22 bits to the right. Shifting 24 bits would leave only the first byte, so shifting 22 bits gives four times that byte plus two extra bits. & 0x3C then removes the two extra bits on the right as well as the first four bits of the first byte. For example, if IHL=5, the IP header is 20 (4x5) bytes long. In this case bytes 0-1 are (in binary) xxxx0101 yyzzzzzz, >> 22 gives the 10-bit value xxxx0101yy, and & 0x3C gives 010100. @ means to use this number as the new offset into the packet and read four bytes starting from there. These are the first 4 bytes of the ICMP payload, of which byte 0 is the ICMP type. Therefore, we simply shift the value 24 bits to the right to discard everything but the first byte and compare the result with the ICMP type being matched.

TCP payload bytes 8-12 are any of 1, 2, 5 or 8. First, we test that the packet is a TCP packet (similar to ICMP).

--u32 "6 & 0xFF = 6 && ...

Next, test that it is not a fragment (same as above).

... 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8"

As above, 0 >> 22 & 0x3C computes the number of bytes in the IP header. @ makes this the new offset into the packet, which is the start of the TCP header. The length of the TCP header (again in 32-bit words) is the left half of byte 12 of the TCP header. 12 >> 26 & 0x3C computes this length in bytes (similar to the IP header before). "@" makes this the new offset, which is the start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and = checks whether the result is any of 1, 2, 5 or 8.
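To check the offset arithmetic without loading a rule into the kernel, here is an added Python evaluator (not code from the page or from iptables) for the subset of u32 syntax used above, run against a constructed IPv4/TCP packet; the rule string repeats the page's rule with the elided "not a fragment" test (4 & 0x3FFF = 0) written out.

```python
# Added example, not part of the original page: a small evaluator for the
# u32 syntax used above (offset, >>, <<, &, @, =, value lists/ranges, &&),
# run on a constructed packet so that "0 >> 22 & 0x3C" (IP header length)
# and "12 >> 26 & 0x3C" (TCP header length) can be checked by hand.
import re
import struct

NUM = r'(?:0x[0-9a-fA-F]+|\d+)'
LOC_RE = re.compile(rf'({NUM})((?:(?:>>|<<|&|@){NUM})*)')
OP_RE = re.compile(rf'(>>|<<|&|@)({NUM})')

# The rule from the page; the "not a fragment" test the page elides with
# "..." is written out as the standard 4 & 0x3FFF = 0 check.
PAGE_RULE = ("6 & 0xFF = 6 && 4 & 0x3FFF = 0 && "
             "0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 8 = 1,2,5,8")


def read32(pkt, off):
    """32-bit big-endian read; None if it would run past the packet end
    (the kernel then fails the test instead of reading out of bounds)."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return struct.unpack_from('!I', pkt, off)[0]


def eval_test(test, pkt):
    """Evaluate one 'location = value[,value|lo:hi]...' test (no spaces)."""
    loc, _, values = test.partition('=')
    m = LOC_RE.fullmatch(loc)
    if m is None:
        raise ValueError(f"bad u32 location: {loc!r}")
    base = 0                                   # running base offset, moved by '@'
    val = read32(pkt, base + int(m.group(1), 0))
    if val is None:
        return False
    for op, num in OP_RE.findall(m.group(2)):
        n = int(num, 0)
        if op == '&':
            val &= n
        elif op == '>>':
            val >>= n
        elif op == '<<':
            val = (val << n) & 0xFFFFFFFF
        else:                                  # '@': current value becomes new base
            base += val
            val = read32(pkt, base + n)
            if val is None:
                return False
    for rng in values.split(','):
        lo, _, hi = rng.partition(':')
        lo, hi = int(lo, 0), (int(hi, 0) if hi else int(lo, 0))
        if lo <= val <= hi:
            return True
    return False


def u32_match(rule, pkt):
    """True if every '&&'-separated test of the rule matches the packet."""
    rule = re.sub(r'\s+', '', rule.strip('"'))
    return all(eval_test(t, pkt) for t in rule.split('&&'))


def build_ipv4_tcp(payload, ihl_words=5, doff_words=5, proto=6):
    """Constructed sample packet: IPv4 (optionally padded options) + TCP + payload."""
    total = ihl_words * 4 + doff_words * 4 + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', (4 << 4) | ihl_words, 0, total, 0x1234,
                     0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b'\x00' * (ihl_words * 4 - 20)       # zero-filled IP options
    tcp = struct.pack('!HHIIHHHH', 40000, 80, 1, 1,
                      (doff_words << 12) | 0x18, 65535, 0, 0)
    tcp += b'\x00' * (doff_words * 4 - 20)     # zero-filled TCP options
    return ip + tcp + payload


PAYLOAD_HIT = bytes(8) + (5).to_bytes(4, 'big')    # payload bytes 8-11 == 5
PAYLOAD_MISS = bytes(8) + (3).to_bytes(4, 'big')   # 3 is not in 1,2,5,8

if __name__ == '__main__':
    for ihl, doff in ((5, 5), (6, 6)):             # with and without options
        pkt = build_ipv4_tcp(PAYLOAD_HIT, ihl, doff)
        print(ihl, doff, u32_match(PAGE_RULE, pkt))   # True for both
```

Because both header lengths are read from the packet, the rule keeps matching when IP or TCP options are present, and a packet too short for the final read fails the test rather than matching.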

42) udp

These extensions can be used if "--protocol udp" is specified. It provides the following options:

[!] --source-port, --sport port[:port], source port or port range specification.

[!] --destination-port, --dport port[:port], destination port or port range specification.

43) unclean

This module takes no options, but attempts to match packets that appear malformed or unusual.

4. Target extensions

1) AUDIT

This target allows the creation of audit records for packets that hit it. It can be used to record accepted, dropped and rejected packets.

--type {accept|drop|reject}, sets the audit record type.

iptables -N AUDIT_DROP

iptables -A AUDIT_DROP -j AUDIT --type drop

iptables -A AUDIT_DROP -j DROP

2) CHECKSUM

This target allows selectively working around broken/old applications. It can only be used in the mangle table.

--checksum-fill, compute and fill in the checksum of a packet that lacks one. This is particularly useful if you need to work with legacy applications such as DHCP clients that do not handle checksum offloading well, but do not want to disable checksum offloading on the device.

3) CLASSIFY

This module allows you to set skb->priority (and thus classify the packet into a specific CBQ class).

--set-class major:minor, sets the major and minor class values. These values are always interpreted as hexadecimal, even if no 0x prefix is given.

4) CLUSTERIP

This module allows you to configure a simple cluster of nodes that share a specific IP and MAC address without an explicit load balancer in front of them. Connections are statically distributed between the nodes in this cluster.

--new, create a new cluster IP. This must always be set on the first rule for a given cluster IP.

--hashmode mode, specifies the hashing mode, which can be: sourceip, sourceip-sourceport, sourceip-sourceport-destport.

--clustermac mac, specifies the cluster IP MAC address. Must be a link-layer multicast address.

--total-nodes num, the total number of nodes in the cluster.

--local-node num, the local node number in this cluster.

--hash-init rnd, specifies the random seed used for hash initialization.

5) CONNMARK

This module sets the netfilter mark value associated with the connection. The mark is 32 bits wide.

--set-xmark value[/mask], zero out the bits given by mask and XOR value into the ctmark.

--save-mark [--nfmask nfmask] [--ctmask ctmask], copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new ctmark value is determined as follows:

ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)

That is, ctmask defines which bits to clear and nfmask which bits of nfmark to XOR into ctmark. Both masks default to 0xFFFFFFFF.

--restore-mark [--nfmask nfmask] [--ctmask ctmask], copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. Can only be used in the mangle table.

--and-mark bits, binary AND the ctmark with bits. Mnemonic: --set-xmark 0/invbits.

--or-mark bits, binary OR the ctmark with bits. Mnemonic: --set-xmark bits/bits.

--xor-mark bits, binary XOR the ctmark with bits. Mnemonic: --set-xmark bits/0.

--set-mark value[/mask], set the connection mark. If a mask is specified, only those bits set in the mask are modified.

--save-mark [--mask mask], copy the nfmark to the ctmark. If a mask is specified, only those bits are copied.

--restore-mark [--mask mask], copy the ctmark to the nfmark. If a mask is specified, only those bits are copied. This is only valid in the mangle table.

6) CONNSECMARK

This module copies the security mark from the packet to the connection (if the connection has none) and from the connection back to the packet (only if the packet has none). Usually used together with SECMARK, it is only valid in the mangle table.

--save, if the packet has a security mark and the connection has none, copy it to the connection.

--restore, if the packet has no security mark and the connection has one, copy the security mark from the connection to the packet.

7) DNAT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains that are only called from those chains. It specifies that the destination address of the packet should be modified (and that all future packets in this connection will also be mangled) and that rule checking should stop. It takes one of the following options:

--to-destination [ipaddr][-ipaddr][:port[-port]], which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (only valid if the rule also specifies "-p tcp" or "-p udp"). If no port range is specified, the destination port is never modified. If no IP address is specified, only the destination port is modified.

--random, if the option "--random" is used, port mapping will be randomized (kernel >= 2.6.22).

--persistent, gives a client the same source/destination address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.

8) DSCP

This target allows the DSCP bits in the TOS header of an IPv4 packet to be altered. As this manipulates a packet, it can only be used in the mangle table.

--set-dscp value, sets the DSCP field to a numerical value (can be decimal or hexadecimal).

--set-dscp-class class, sets the DSCP field to a DiffServ class.

9) ECN

This target allows selectively working around known ECN blackholes. It can only be used in the mangle table.

--ecn-tcp-remove, removes all ECN bits from the TCP header. Of course, it can only be used with "-p tcp".

10) LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel prints some information on all matching packets (such as most IP header fields) via the kernel log, which can be read with dmesg or syslogd(8). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to log the packets you reject, use two separate rules with the same matching criteria, the first using target LOG and the second DROP (or REJECT).

--log-level level, logging level.

--log-prefix prefix, prefix log messages with the specified prefix. It can be up to 29 letters long and is useful for distinguishing messages in the log.

--log-tcp-sequence, log TCP sequence numbers. This is a security risk if the log is readable by users.

--log-tcp-options, log options from the TCP packet header.

--log-ip-options, log options from the IP packet header.

--log-uid, log the userid of the process that generated the packet.

11) MARK

This target is used to set the netfilter mark value associated with the packet. The target can only be used in the mangle table. It can, for example, be used with fwmark-based routing (needs iproute2). The mark field is 32 bits wide.

--set-xmark value[/mask], zero out the bits given by mask and XOR value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

--set-mark value[/mask], zero out the bits given by mask and OR value into the packet mark ("nfmark"). If mask is omitted, 0xFFFFFFFF is assumed.

--and-mark bits, binary AND the nfmark with bits. Mnemonic: --set-xmark 0/invbits.

--or-mark bits, binary OR the nfmark with bits. Mnemonic: --set-xmark bits/bits.

--xor-mark bits, binary XOR the nfmark with bits. Mnemonic: --set-xmark bits/0.
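The mark arithmetic behind the MARK options above and the CONNMARK --save-mark formula earlier, as an added Python illustration (not code from the page or from iptables): each and/or/xor mnemonic reduces to --set-xmark, and --set-xmark and --set-mark only differ when value carries bits outside mask.

```python
# Added illustration (not code from the page or from iptables) of the mark
# arithmetic behind MARK / CONNMARK: every option is a --set-xmark, and
# --save-mark follows the formula given in the CONNMARK section above.
MASK32 = 0xFFFFFFFF


def set_xmark(mark, value, mask=MASK32):
    """--set-xmark value/mask: zero the bits in mask, then XOR value in."""
    return ((mark & ~mask) ^ value) & MASK32


def set_mark(mark, value, mask=MASK32):
    """--set-mark value/mask: zero the bits in mask, then OR value in."""
    return ((mark & ~mask) | value) & MASK32


def and_mark(mark, bits):
    """--and-mark bits (mnemonic: --set-xmark 0/invbits)."""
    return set_xmark(mark, 0, (~bits) & MASK32)


def or_mark(mark, bits):
    """--or-mark bits (mnemonic: --set-xmark bits/bits)."""
    return set_xmark(mark, bits, bits)


def xor_mark(mark, bits):
    """--xor-mark bits (mnemonic: --set-xmark bits/0)."""
    return set_xmark(mark, bits, 0)


def save_mark(ctmark, nfmark, nfmask=MASK32, ctmask=MASK32):
    """CONNMARK --save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def mnemonics_hold(mark, bits):
    """Check that the three mnemonics really equal plain AND / OR / XOR."""
    return (and_mark(mark, bits) == mark & bits
            and or_mark(mark, bits) == mark | bits
            and xor_mark(mark, bits) == mark ^ bits)


if __name__ == '__main__':
    # Keep the upper 24 bits (e.g. a QoS class) and rewrite only the low
    # byte used for policy routing: both forms give 0xabcd1201 ...
    print(hex(set_xmark(0xABCD1234, 0x01, 0xFF)), hex(set_mark(0xABCD1234, 0x01, 0xFF)))
    # ... but they diverge once value carries bits outside mask (bit 8 here):
    # XOR clears an already-set bit, OR leaves it set.
    print(hex(set_xmark(0xABCD1334, 0x0101, 0xFF)), hex(set_mark(0xABCD1334, 0x0101, 0xFF)))
```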

12) MASQUERADE

This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (so any established connections are lost anyway). It takes one option:

--to-ports port[-port], specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above).

--random, randomize the source port mapping; if the option "--random" is used, port mapping will be randomized (kernel >= 2.6.21).

13) MIRROR

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and in user-defined chains which are only called from those chains. Note that the outgoing packets are not seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.

14) NETMAP

This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the nat table.

--to address[/mask], the network address to map to. The resulting address is constructed in the following way: all "one" bits in the mask are filled in from the new address, and all bits that are zero in the mask are filled in from the original address.

15) NFLOG

This target provides logging of matching packets. When this target is set for a rule, the Linux kernel passes the packet to the loaded logging backend to log the packet. This is usually used in combination with nfnetlink_log as the logging backend, which multicasts the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues at the next rule.

--nflog-group nlgroup, the netlink group (1 - 2^32-1) to which packets are sent (only applicable for nfnetlink_log). The default value is 0.

--nflog-prefix prefix, a prefix string to include in log messages, up to 64 characters long, useful for distinguishing messages in the log.

--nflog-range size, the number of bytes to copy to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range; this option overrides it.

--nflog-threshold size, the number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase the delay until the packets reach userspace. The default value is 1.

16) NFQUEUE

This target is an extension of the QUEUE target. As opposed to QUEUE, it allows you to put a packet into any specific queue, identified by its 16-bit queue number. It can only be used with kernel versions 2.6.14 or later, since it requires nfnetlink_queue kernel support. The queue-balance option was added in Linux 2.6.31 and queue-bypass in 2.6.39.

--queue-num value, specifies the queue number to use. Valid queue numbers are 0 to 65535. The default value is 0.

--queue-balance value:value, specifies a range of queues to use. Packets are then balanced across the given queues.

--queue-bypass, by default, if no userspace program is listening on an NFQUEUE, all packets that are to be queued are dropped. When this option is used, the NFQUEUE rule is silently bypassed instead and the packet moves on to the next rule.

17) NOTRACK

This target disables connection tracking for all packets matching the rule and can only be used in the raw table.

18) RATEEST

The RATEEST target collects statistics, performs rate estimation calculation and saves the results for later evaluation using the rateest match.

--rateest-name name, count matched packets into the pool referred to by name, which is freely choosable.

--rateest-interval amount{s|ms|us}, rate measurement interval, in seconds, milliseconds or microseconds.

--rateest-ewmalog value, rate measurement averaging time constant.

19) REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and in user-defined chains which are only called from those chains. It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets are mapped to the 127.0.0.1 address).

--to-ports port[-port], specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies "-p tcp" or "-p udp".

--random, if the option "--random" is used, port mapping will be randomized (kernel >= 2.6.22).

20) REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP, so it is a terminating target, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type, where type can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or icmp-admin-prohibited.

21) SAME

Similar to SNAT/DNAT depending on the chain: it takes a range of addresses ("--to 1.2.3.4-1.2.3.7") and gives a client the same source/destination address for each connection.

--to ipaddr[-ipaddr], addresses to map the source to. May be specified more than once for multiple ranges.

--nodst, don't use the destination IP in the calculations when selecting the new source IP.

--random, port mapping will be forcibly randomized to avoid attacks based on port prediction (kernel >= 2.6.21).

22) SECMARK

This is used to set the security mark value associated with the packet for use by security subsystems such as SELinux. It is only valid in the mangle table. The mark is 32 bits wide.

--selctx security_context, the security context to set.

23) SET

This module adds and/or removes entries from IP sets which can be defined by ipset(8).

--add-set setname flag[,flag...], add the address/port of the packet to the set.

--del-set setname flag[,flag...], delete the address/port of the packet from the set.

24) SNAT

This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and that all future packets in this connection will also be mangled) and that rule checking should stop. It takes one option:

--to-source ipaddr[-ipaddr][:port[-port]], which can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, the port will not be changed.

--random, if the option "--random" is used, port mapping will be randomized (kernel >= 2.6.21).

--persistent, gives a client the same source/destination address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.

25) TCPMSS

This target allows altering the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to the MTU of the outgoing interface minus 40 for IPv4 or 60 for IPv6). Of course, it can only be used in conjunction with -p tcp. It is only valid in the mangle table.

This target is used to overcome ISPs or servers which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" packets. The symptoms of this problem are that everything works fine from the Linux firewall/router itself, but machines behind it can never exchange large packets: web browsers connect, then hang with no data received; small mail works fine, but large emails hang; ssh works fine, but scp hangs after the initial handshake.

Workaround: activate this option and add a rule to the firewall configuration like:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

--set-mss value, explicitly sets the MSS option to the specified value. If the MSS of the packet is already lower than value, it will not be increased (from Linux 2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.

--clamp-mss-to-pmtu, automatically clamp the MSS value to (path_MTU - 40 for IPv4; path_MTU - 60 for IPv6).

26) TCPOPTSTRIP

This target strips TCP options off a TCP packet. (It actually replaces them by NO-OPs.) As such, you need to add the "-p tcp" parameter.

--strip-options option[,option...], strip the given options. The options may be specified by TCP option number or by symbolic name. The list of recognized options can be obtained by calling iptables with "-j TCPOPTSTRIP -h".

27) TOS

This module sets the Type of Service field in the IPv4 header (including the "precedence" bits) or the Priority field in the IPv6 header. Note that TOS shares the same bits as DSCP and ECN. The TOS target is only valid in the mangle table.

--set-tos value[/mask], zero out the bits given by mask and XOR value into the TOS/Priority field. If mask is omitted, 0xFF is assumed.

--set-tos symbol, you can specify a symbolic name when using the TOS target for IPv4. It implies a mask of 0xFF. The list of recognized TOS names can be obtained by calling iptables with "-j TOS -h".

--and-tos bits, binary AND the TOS value with bits. (Mnemonic for --set-tos 0/invbits, where invbits is the binary negation of bits.)

--or-tos bits, binary OR the TOS value with bits.

--xor-tos bits, binary XOR the TOS value with bits.

28) TPROXY

This target is only valid in the mangle table, in the PREROUTING chain and in user-defined chains which are only called from that chain. It redirects the packet to a local socket without changing the packet header in any way. It can also change the mark value, which can then be used in advanced routing rules. It takes three options:

--on-port port, specifies a destination port to use. It is a required option; 0 means the new destination port is the same as the original. This is only valid if the rule also specifies "-p tcp" or "-p udp".

--on-ip address, specifies a destination address to use. By default the address is the IP address of the incoming interface. This is only valid if the rule also specifies "-p tcp" or "-p udp".

--tproxy-mark value[/mask], marks the packet with the given value/mask. The fwmark value set here can be used by advanced routing. (Required for transparent proxying to work: otherwise these packets will get forwarded, which is probably not what you want.)

29) TRACE

This target marks packets so that the kernel will log every rule which matches the packets as they traverse the tables, chains and rules. (The ipt_LOG or ip6t_LOG module is required for logging.) The packets are logged with the string prefix "TRACE: tablename:chainname:type:rulenum", where type can be "rule" for a plain rule, "return" for the implicit rule at the end of a user-defined chain and "policy" for the policy of a built-in chain.

It can only be used in the raw table.

30) TTL

This is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet can traverse until its time to live is exceeded. Setting or incrementing the TTL field can potentially be very dangerous, so it should be avoided at any cost. Don't ever set or increment the value on packets that leave your local network!

--ttl-set value, set the TTL value to value.

--ttl-dec value, decrement the TTL value value times.

--ttl-inc value, increment the TTL value value times.

31) ULOG

This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel multicasts the packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a "non-terminating target", i.e. rule traversal continues at the next rule.

--ulog-nlgroup nlgroup, specifies the netlink group (1-32) to which the packet is sent. The default value is 1.

--ulog-prefix prefix, prefix log messages with the specified prefix; up to 32 characters long, useful for distinguishing messages in the log.

--ulog-cprange size, the number of bytes to copy to userspace. A value of 0 always copies the entire packet, regardless of its size. The default value is 0.

--ulog-qthreshold size, the number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. The default value is 1 (for backwards compatibility).

5. Examples

1) display the rules of the filter table

[root@localhost ~]# iptables -t filter -L    # display the rules of the specified table

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
...

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

2) drop TCP packets to port 135

[root@localhost ~]# iptables -t filter -A INPUT -p tcp --dport 135 -j DROP    # add a rule that drops TCP packets to port 135

[root@localhost ~]# iptables -L    # view the table; the rule has been added

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere            tcp dpt:epmap

3) block a specified address from accessing the local machine

[root@localhost ~]# iptables -A INPUT -s 192.168.1.110 -j DROP    # block 192.168.1.110 from accessing this machine

[root@localhost ~]# iptables -L | grep DROP    # view the filter table; the rule has been added

DROP       tcp  --  anywhere             anywhere            tcp dpt:epmap
DROP       all  --  192.168.1.110        anywhere
