iptables examples

2025-01-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. Syntax:

Usage:

iptables -t [table] -[AD] chain rule-specification [options]

2. Basic targets: ACCEPT (accept the packet), DROP (silently discard it), REJECT (discard it and send an error back to the sender)

3. Match every protocol except the specified one

iptables -A INPUT ! -p tcp

Match a source host IP (the second form negates the match)

iptables -A INPUT -s 10.0.0.14

iptables -A INPUT ! -s 10.0.0.14

Match a network segment (the second form negates the match)

iptables -A INPUT -s 10.0.0.0/24

iptables -A INPUT ! -s 10.0.0.0/24

Match a single port (source or destination; port matches require -p tcp or -p udp)

iptables -A INPUT -p tcp --sport 53

iptables -A INPUT -p udp --dport 53

4. Block a port:

iptables -t filter -A INPUT -p tcp --dport 80 -j DROP

(--sport: source port)

(22:80: a port range, ports 22 through 80)

iptables -t filter -A INPUT -p tcp -m multiport --dports 22,23 -j ACCEPT

(-m multiport lets one rule list several ports, here 22 and 23)

5. Block an IP address:

iptables -t filter -A INPUT -i eth0 -s 10.0.0.105 -j DROP

-s: source address

-i: incoming interface, -o: outgoing interface (both select a specific network interface)

6. Block ping

iptables -t filter -A INPUT -p icmp --icmp-type 8 ! -s 10.10.70.0/24 -j DROP

(!: negation, so this drops echo requests from everywhere except 10.10.70.0/24)

iptables -t filter -I INPUT 2 -p icmp --icmp-type any -s 10.10.70.0/24 -j DROP

(--icmp-type any: all ICMP types)

(-I INPUT 2: insert the rule at position 2 of the chain instead of appending it)

7. Match the connection state:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-m state --state: allows packets belonging to the listed connection states to pass

NEW: a new connection has been or is about to be started

ESTABLISHED: an already established connection

RELATED: a new connection related to an existing one (for example an FTP data connection or an ICMP error)

INVALID: illegal or unrecognized packet (not associated with any known connection)

8. Local address 172.16.14.1. Ping from the 172.16.0.0/16 network is allowed, but limited to no more than 20 requests per minute with a burst of no more than 6 at a time.

iptables -A INPUT -s 172.16.0.0/16 -d 172.16.14.1 -p icmp --icmp-type 8 -m limit --limit 20/min --limit-burst 6 -j ACCEPT

iptables -A OUTPUT -s 172.16.14.1 -d 172.16.0.0/16 -p icmp --icmp-type 0 -j ACCEPT

-m limit

--limit n/{second|minute|hour}: the average rate, n packets per second, minute or hour.

--limit-burst n: the number of packets allowed through at once before the average rate applies; the default is 5.

9. Custom chain for handling SYN floods

iptables -N syn-flood

iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood

iptables -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN

iptables -A syn-flood -j DROP

10. Port address translation on the gateway server

iptables -t nat -A PREROUTING -d 192.168.1.9 -p tcp --dport 80 -j DNAT --to-destination 10.10.70.60:9000

12. Configure the gateway:

Server 1: eth0 10.10.70.60, eth2 192.168.1.10

Server 2: eth0 192.168.1.9

Enable IP forwarding:

sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf

sysctl -p

Clear the existing configuration (flush rules, zero counters, delete custom chains):

iptables -F

iptables -Z

iptables -X

Enable FORWARD: iptables -P FORWARD ACCEPT

Check whether the NAT kernel module is loaded: lsmod | grep nat. If it is not, load it.

Configuration:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.10.60.10

Or:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

(MASQUERADE: masquerading, used when the outgoing address is dynamic)

13. Mapping internal networks to multiple external IP addresses

iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.240.0 -o eth0 -j SNAT --to-source 124.42.60.11-124.42.60.16

iptables -t nat -A POSTROUTING -s 172.16.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 124.42.60.103-124.42.60.106
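As an added example (not code from the original page), the following script assembles the section 12 gateway rule set together with the section 10 port forward as a dry run that prints the commands for review before anything is applied; it goes beyond the page by making the FORWARD policy default-deny and relying on the section 7 state match for return traffic. The helper names run_or_print, gateway_rules and count_rules are this example's own; addresses and interfaces are taken from the page.

```shell
#!/bin/sh
# Added example, not code from the original page: builds the section 12 gateway
# rule set (plus the section 10 port forward) as a reviewable dry run. Helper
# names are this example's own; addresses and interfaces come from the page.

# Print a command when DRY_RUN=1 (the default), otherwise execute it.
run_or_print() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# gateway_rules LAN_NET LAN_IF WAN_IF SNAT_IP PUB_ADDR INT_ADDR INT_PORT
gateway_rules() {
    lan_net=$1; lan_if=$2; wan_if=$3; snat_ip=$4
    pub_addr=$5; int_addr=$6; int_port=$7
    run_or_print sysctl -w net.ipv4.ip_forward=1
    # Start clean: flush rules, zero counters, delete custom chains.
    run_or_print iptables -F
    run_or_print iptables -t nat -F
    run_or_print iptables -Z
    run_or_print iptables -X
    # Unlike the page's "iptables -P FORWARD ACCEPT", forwarding is default-deny;
    # replies ride on the section 7 state match, only the flows below are opened.
    run_or_print iptables -P FORWARD DROP
    run_or_print iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run_or_print iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT
    # Section 10 port forward: public address port 80 -> internal host:port.
    run_or_print iptables -t nat -A PREROUTING -d "$pub_addr" \
        -p tcp --dport 80 -j DNAT --to-destination "$int_addr:$int_port"
    run_or_print iptables -A FORWARD -i "$wan_if" -o "$lan_if" -d "$int_addr" \
        -p tcp --dport "$int_port" -m state --state NEW -j ACCEPT
    # Section 12 source NAT for the LAN, bound to the WAN interface.
    run_or_print iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" \
        -j SNAT --to-source "$snat_ip"
}

# count_rules RULESET PATTERN: number of generated command lines matching PATTERN.
count_rules() {
    printf '%s\n' "$1" | grep -c -- "$2"
}

# Dry run with the page's addresses (section 10 pairing for the port forward).
rules=$(gateway_rules 192.168.1.0/24 eth2 eth0 10.10.60.10 192.168.1.9 10.10.70.60 9000)
printf '%s\n' "$rules"
```

Run with DRY_RUN=0 as root to apply the printed commands instead of listing them.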
