Review of commonly used iptables commands and examples

2025-04-11 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

First, an introduction to IPTABLES

1. Introduction to iptables/netfilter (http://www.netfilter.org)

Most people think of iptables as a service on a Linux system, but it is not. When a service such as httpd starts, it runs a daemon process in the background that listens on a port of a network interface; iptables does nothing of the kind. So what is iptables? It is just a tool. A Linux system has user space and kernel space, and the packet-filtering framework has two components. The first is netfilter, which is integrated into the kernel and therefore works in kernel space: it matches packets against the rules it holds and carries out the corresponding action. User processes cannot manipulate kernel space directly, so netfilter only applies rules in the kernel. Where do the rules come from? From the second component, iptables, a user-space command-line tool that hands rules to netfilter in the kernel. That is the whole of the "iptables firewall".

2. IPTABLES tables and chains

The commonly used IPTABLES tables are three: the filter table, the nat table and the mangle table. The chains are five: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. Their functions are as follows.

1. filter table: the filter table is where packets are filtered; almost all packet filtering in IPTABLES is done in this table. It is also the default table (used when no -t option is given). It contains the following three chains:

1.1 INPUT chain

Filters all packets whose destination address is this machine.

1.2 OUTPUT chain

Filters all packets generated by this machine.

1.3 FORWARD chain

Filters all packets routed through this machine (neither source nor destination is local).

2. nat table: the nat table is used for network address translation (NAT). IPTABLES can do SNAT (source address translation), DNAT (destination address translation) and what this article calls PNAT (similar to SNAT, except that with SNAT the new source address is fixed, whereas with PNAT it is not; in iptables this is the MASQUERADE target, generally used when the Internet uplink is ppp or pppoe with a dynamically assigned address). The nat table contains the following three chains:

2.1 PREROUTING chain

Changes the destination address as soon as the packet arrives at the firewall, before the routing decision; DNAT is applied in this chain.

2.2 OUTPUT chain

Changes the destination address of packets generated locally (DNAT for traffic originating on the firewall itself).

2.3 POSTROUTING chain

Changes the source address as the packet leaves the firewall, after the routing decision; SNAT (and MASQUERADE) are applied in this chain.

3. mangle table: the mangle table is mainly used to modify packet header fields (for example TOS, TTL and the firewall mark). It contains all five chains:

3.1 PREROUTING chain

The packet has just entered the firewall, before the routing decision.

3.2 POSTROUTING chain

After the routing decision has fixed the destination, just before the packet leaves.

3.3 OUTPUT chain

A packet generated by this machine, before it is routed.

3.4 INPUT chain

A packet destined for this machine, after the routing decision.

3.5 FORWARD chain

A packet being forwarded: modified after the first routing decision and before the final one.

3. Connection states in IPTABLES

IPTABLES connection tracking recognises four states: NEW, ESTABLISHED, RELATED and INVALID. Tracking is performed as packets pass the PREROUTING hook (traffic arriving from the network) and the OUTPUT hook (traffic generated by this machine), before the nat table sees them; the state is then available to rules in any chain. What are the four states?

1. NEW state

A packet in the NEW state is the first packet of a connection, one that connection tracking has not seen before (for TCP, typically the initial SYN).

2. ESTABLISHED state

As soon as a reply has been seen in the other direction, the connection moves from NEW to ESTABLISHED, and that state continues to match every subsequent packet of the connection.

3. RELATED state

A packet is RELATED when it starts a new connection that is associated with an existing ESTABLISHED connection, for example the data connection of an FTP session or an ICMP error message about an existing connection. In other words, a connection can only be RELATED if an ESTABLISHED connection already exists.

4. INVALID state

The packet cannot be associated with any known connection (malformed, or out of the tracked state); such packets are usually dropped.
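The four states above are what a stateful filter ruleset is built from: drop INVALID, accept ESTABLISHED,RELATED early, and only then decide which NEW connections to allow. The following is an added example, not code from the original article: a shell function that prints such a ruleset in iptables-restore format rather than applying it, so it runs without root and can be reviewed before loading with `stateful_ruleset | sudo iptables-restore`. The management host 192.0.2.10/32, the ports 22,80,443 and the ICMP rate limit are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Generates a minimal stateful
# filter-table ruleset in iptables-restore format; nothing is applied here.
# Usage: stateful_ruleset [MGMT_NET] | sudo iptables-restore
stateful_ruleset() {
    # Hypothetical admin host allowed to open NEW connections (assumption).
    mgmt_net="${1:-192.0.2.10/32}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${mgmt_net} -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Print the ruleset so the block does something when run directly.
stateful_ruleset
```

Order matters: the INVALID and ESTABLISHED,RELATED rules come first so that the bulk of traffic is decided by connection tracking and never reaches the NEW rule, and the trailing LOG rule is non-terminating, so anything it logs then falls through to the chain's DROP policy. `-m state --state` is the form used in this article; on current kernels `-m conntrack --ctstate` takes the same state names.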

4. Using the IPTABLES command in detail

iptables is installed by default on RHEL systems. Its command options fall into these categories: rule management, chain management, default policy management, viewing, match conditions and targets (actions). Let us go through them one by one.

1. Rule management

# iptables -A   appends a new rule at the end of a chain

# iptables -I   inserts a new rule; -I CHAIN N inserts it as rule number N (N defaults to 1, the top of the chain)

# iptables -D   deletes a rule; -D CHAIN N deletes rule number N (the full rule specification can be given instead of a number)

# iptables -R   replaces a rule; -R CHAIN N replaces rule number N

2. Chain management

# iptables -F   flushes all rules in a chain (all chains of the table if no chain is given)

# iptables -N   creates a new user-defined chain

# iptables -X   deletes a user-defined chain; the chain must be empty and not referenced by any rule before it can be deleted

# iptables -E   renames a user-defined chain

3. Default policy management

# iptables -P   sets the default policy of a built-in chain (ACCEPT or DROP), applied when no rule matches

4. Viewing

# iptables -L   lists rules; use -t TABLE to view a table other than filter, e.g. iptables -t nat -L. Useful sub-options:

# iptables -L -n   numeric output (no DNS or service-name lookups, which also avoids slow listings)

# iptables -L -v   verbose output (packet and byte counters, interfaces)

# iptables -L -x   exact counters (no rounding to K/M/G)

# iptables -L --line-numbers   shows the rule number of each rule, which is what -I, -D and -R by position refer to
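Because -D CHAIN N, -I CHAIN N and -R CHAIN N address rules by position, the number has to be looked up from a --line-numbers listing first. The following is an added example, not code from the original article: it parses a constructed sample of `iptables -L INPUT -n -v -x --line-numbers` output (embedded so the script runs offline and without root) and prints the `iptables -D` command for a rule matching a pattern. On a live host replace the `sample_listing` body with the real command.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample of: iptables -L INPUT -n -v -x --line-numbers
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 1234 packets, 98765 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1     1002345  456789012 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        4321     345678 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3          77       4620 ACCEPT     tcp  --  *      *       192.0.2.10           0.0.0.0/0            tcp dpt:22
4          12        720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
5           9        540 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# rule_number LISTING_FUNC PATTERN
# Prints the rule number ("num" column) of the first rule whose listing line
# matches PATTERN (an awk extended regex); prints nothing if no rule matches.
# The first two lines of the listing are the chain header and column header.
rule_number() {
    "$1" | awk -v pat="$2" 'NR > 2 && $0 ~ pat { print $1; exit }'
}

# delete_cmd LISTING_FUNC PATTERN
# Prints (does not run) the positional delete for that rule.
delete_cmd() {
    n="$(rule_number "$1" "$2")"
    [ -n "$n" ] && echo "iptables -D INPUT $n"
}

# Example: find the SSH rule and show how it would be deleted by position.
delete_cmd sample_listing 'dpt:22$'
```

Rule numbers are renumbered after every insert or delete, so when removing several rules either re-list between deletions or delete from the highest number down. Where the exact rule is known, `iptables -D INPUT <rule specification>` (and `iptables -C`, which tests whether a rule exists) avoids the lookup entirely.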

5. Match conditions

5.1 Basic matches

Any match condition can be negated with !, e.g. ! -s 10.0.0.1

-s source address

-d destination address

-p protocol {tcp | udp | icmp}

-i input interface, e.g. -i eth0 (only valid in the INPUT, FORWARD and PREROUTING chains)

-o output interface, e.g. -o eth0 (only valid in the OUTPUT, FORWARD and POSTROUTING chains)

5.2 Extended matches

5.2.1 Implicit extended matches (loaded automatically by -p)

-p {tcp | udp} --sport specifies the source port

-p {tcp | udp} --dport specifies the destination port

5.2.2 Explicit extended matches (loaded with -m)

-m state --state matches the connection-tracking state (NEW, ESTABLISHED, RELATED, INVALID)

-m multiport --sports / --dports matches a set of ports in one rule, e.g. --dports 22,80,443

-m limit --limit 3/minute matches on average at most 3 packets per minute (not one packet every three minutes)

-m limit --limit-burst 5 allows an initial burst of 5 packets before the rate limit takes effect

-m string --algo bm|kmp --string "xxxx" matches a string in the packet payload

-m time --timestart 8:00 --timestop 12:00 matches only between those times of day

-m time --days matches on the given days of the week (in the current xt_time module the option is --weekdays)

-m mac --mac-source xx:xx:xx:xx:xx:xx matches the source MAC address

-m layer7 --l7proto qq matches an application-layer protocol, here Tencent QQ; many other protocols are supported. This is not available by default: the kernel and iptables must be patched and recompiled before the explicit extension -m layer7 can be used.

6. Targets (actions)

-j ACCEPT allow the packet

-j REJECT refuse the packet and send an error back to the sender (an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset)

-j DROP silently discard the packet; the sender receives no response

-j SNAT source address translation (nat table, POSTROUTING chain)

-j DNAT destination address translation (nat table, PREROUTING and OUTPUT chains)

-j REDIRECT redirect the packet to a port on the local machine (nat table)

-j MASQUERADE source address masquerading, for uplinks with a dynamic address

-j LOG --log-prefix "your own explanatory text" log the packet to the kernel log; LOG does not terminate rule processing, so the packet continues to the next rule
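The nat targets above only make sense in the chains named beside them: DNAT rewrites the destination in PREROUTING, before the routing decision, and SNAT/MASQUERADE rewrite the source in POSTROUTING, after it. The following is an added example, not code from the original article, that prints a complete nat plus filter ruleset for a small router in iptables-restore format (nothing is applied; load with `nat_ruleset | sudo iptables-restore`). The interface names eth0/eth1, the public address 203.0.113.5, the LAN 192.168.1.0/24 and the web server 192.168.1.10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# nat_ruleset [WAN_IF] [WAN_IP] [LAN_NET] [WEB_SERVER] [LAN_IF]
# Prints nat and filter tables for a router that publishes an internal web
# server (DNAT) and gives the LAN a fixed public source address (SNAT).
nat_ruleset() {
    wan_if="${1:-eth0}"; wan_ip="${2:-203.0.113.5}"
    lan_net="${3:-192.168.1.0/24}"; web="${4:-192.168.1.10}"
    lan_if="${5:-eth1}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT in PREROUTING: destination rewritten before the routing decision
-A PREROUTING -i ${wan_if} -p tcp --dport 80 -j DNAT --to-destination ${web}:80
# SNAT in POSTROUTING: fixed public source address after routing
-A POSTROUTING -o ${wan_if} -s ${lan_net} -j SNAT --to-source ${wan_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD sees the already-translated destination, so it matches ${web}
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${wan_if} -d ${web} -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i ${lan_if} -s ${lan_net} -o ${wan_if} -j ACCEPT
# Rate-limited LOG, then the chain policy (DROP) discards the packet
-A FORWARD -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# For an uplink with a dynamic address (ppp/pppoe), MASQUERADE replaces the
# SNAT line, since no fixed --to-source can be given.
masquerade_rule() {
    echo "-A POSTROUTING -o ${1:-ppp0} -s ${2:-192.168.1.0/24} -j MASQUERADE"
}

nat_ruleset
```

The FORWARD rule for the web server matches on the internal address because DNAT has already happened in PREROUTING by the time the filter table runs; the reverse translation of replies is done by connection tracking, which is why the ESTABLISHED,RELATED rule is enough for the return direction. Forwarding also requires `net.ipv4.ip_forward=1`, which this script does not set.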
