Iptables basic commands

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Basic chain operations

1. Flushing rules.

1) Flush all rules from every chain of the default table (filter):

# iptables -F

This removes the rules but does not touch the chain policies: if you have previously run iptables -P INPUT DROP (or ACCEPT), that policy stays in force after -F. To flush a table other than filter, name it with -t, e.g. iptables -t nat -F.

2) Delete user-defined chains in the default table:

# iptables -X [chain-name]

Without a chain name, -X deletes every user-defined chain that is empty and not referenced by another rule; a chain that still contains rules, or that another chain jumps to, cannot be deleted until it has been flushed and the references removed. The related command iptables -Z deletes nothing: it zeroes the packet and byte counters of the rules.

2. Setting a chain's default policy. There are two common approaches.

1) Allow all packets first, then block dangerous packets with explicit rules:

# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

2) Drop everything first, then allow only the packets the required services need (default deny, the safer approach):

# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

Caution: a policy takes effect the moment the command runs. If you set INPUT to DROP over an SSH session before adding a rule that accepts ESTABLISHED traffic (see the state match below), you lock yourself out. Add the ACCEPT rules first, or load the whole ruleset atomically with iptables-restore.

3. Listing the rules of a table or chain. Only the filter table is shown unless -t names another table:

# iptables -L

In practice add -n (numeric addresses and ports, no DNS lookups), -v (counters and interfaces) and --line-numbers (needed to delete or insert a rule by position): iptables -nvL --line-numbers.

4. Appending rules to a chain. The following rules open the network interfaces (eth0 and eth2 are example interface names):

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A OUTPUT -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth2 -j ACCEPT
# iptables -A FORWARD -o eth2 -j ACCEPT

Note: traffic generated by local processes never passes through the FORWARD chain, so the loopback interface lo is only meaningful on the INPUT and OUTPUT chains. -i (incoming interface) is valid in INPUT, FORWARD and PREROUTING; -o (outgoing interface) in OUTPUT, FORWARD and POSTROUTING.

5. User-defined chains. Create the chain, fill it with rules, then jump to it from a built-in chain:

# iptables -N custom
# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP
# iptables -A INPUT -s 0/0 -j custom

II. Basic rule matching

1. Protocol matching.

1) Match a given protocol:

# iptables -A INPUT -p tcp

2) Match every protocol except the given one (the ! goes in front of the option; the older -p ! tcp form is deprecated):

# iptables -A INPUT ! -p tcp

2. Address matching.

1) Match a single host:

# iptables -A INPUT -s 192.168.0.2

2) Match a network:

# iptables -A INPUT -s 192.168.2.0/24

3) Match every address except one host:

# iptables -A FORWARD ! -s 192.168.0.3

4) Match every network except one:

# iptables -A FORWARD ! -s 192.168.3.0/24

3. Interface matching.

1) Match a single interface (-i for the incoming interface, -o for the outgoing one):

# iptables -A INPUT -i eth0
# iptables -A FORWARD -o eth0

2) Match all interfaces sharing a name prefix, using + as a wildcard:

# iptables -A FORWARD -o ppp+

4. Port matching (requires -p tcp or -p udp, since ports belong to the transport header).

1) Match a single port, by name from /etc/services or by number:

# iptables -A INPUT -p tcp --sport www
# iptables -A INPUT -p udp --dport 53

2) Match every port except one:

# iptables -A INPUT -p tcp ! --dport 22

3) Match a port range (first:last, inclusive):

# iptables -A INPUT -p tcp --sport 22:80

4) ICMP has no ports; match on the ICMP type instead (type 8 is echo-request, the packet sent by ping):

# iptables -A INPUT -p icmp --icmp-type 8

5) IP fragments.

Every network interface has an MTU (maximum transmission unit) that limits the size of the packets it can carry. When a packet is larger than the MTU, the sender splits it into smaller pieces (IP fragments) and the receiver reassembles them. This creates a problem for packet filtering: only the first fragment carries the complete headers (IP plus TCP, UDP or ICMP); the following fragments carry only the IP header (source address, destination address, fragment offset), so their transport-layer fields (ports, ICMP type, TCP flags) cannot be inspected. Consider this rule:

# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT

With a FORWARD policy of DROP, only the first fragment can match (it is the one carrying the destination port); the remaining fragments do not match --dport 80 and are dropped. The -f (--fragment) option matches second and subsequent fragments, so they can be allowed with an address-only rule:

# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT

Note that many attacks rely on IP fragmentation (overlapping-fragment evasion and fragment-flood DoS, for example), so letting fragments through on address alone is a security risk; restrict them as tightly as possible with the matching extensions described below. On current kernels the problem largely disappears when connection tracking is in use: the nf_defrag_ipv4 module reassembles fragments before the filter rules see them, so the rules match whole packets and a -f rule rarely matches anything. Check with iptables -nvL whether your -f rule ever sees a packet before keeping it.

III. Extended rule matching (the target action, -j ..., is omitted from the examples)

1. Multiport matching (-m multiport: up to 15 comma-separated ports; a range first:last counts as two).

1) Match several source ports:

# iptables -A INPUT -p tcp -m multiport --sports 22,53,80,110

2) Match several destination ports:

# iptables -A INPUT -p tcp -m multiport --dports 22,53,80

3) Match several ports whether they appear as source or destination:

# iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110

2. TCP matching extension.

Use --tcp-flags MASK COMP to filter on the flag bits of a TCP segment. MASK lists the flags to examine; COMP lists which of those must be set; every flag that is in MASK but not in COMP must be clear; flags outside MASK are ignored.

# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
# iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK

In the first rule SYN, FIN and ACK are examined, and the packet matches only if SYN is set and FIN and ACK are both clear (RST, URG and PSH are not looked at). In the second, ALL (SYN, ACK, FIN, RST, URG, PSH) is examined, and the packet matches only if exactly SYN and ACK are set: the second segment of the three-way handshake.

# iptables -A FORWARD -p tcp --syn

The --syn option matches connection-opening segments and is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (older documentation gives SYN,RST,ACK SYN; FIN was added to the mask later). Prefixing it with ! matches everything except connection requests.
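To make the MASK/COMP semantics concrete, the following shell function evaluates --tcp-flags the way the kernel's tcp match does, bit by bit, so a rule can be tested against a flag combination without loading it into a live firewall. It is an added example written for this article, not code from the original; the flag bit values are those of the TCP header, and the rules it exercises are the two from the text plus --syn.

```sh
#!/bin/sh
# Evaluate "--tcp-flags MASK COMP" against a packet's flag set without iptables.
# Flag names and bit values follow the TCP header (FIN=1 ... URG=32).

# flag_bit NAME -> numeric value of one flag; ALL and NONE as accepted by iptables
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;  PSH) echo 8 ;;
        ACK) echo 16 ;; URG) echo 32 ;; ALL) echo 63 ;; NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_mask "SYN,ACK" -> bitmask of all listed flags
# (subshell body, so the changed IFS does not leak to the caller)
flags_to_mask() (
    mask=0
    IFS=,
    for f in $1; do
        b=$(flag_bit "$f") || exit 1
        mask=$((mask | b))
    done
    echo "$mask"
)

# tcp_flags_match MASK COMP PACKET_FLAGS
# Exit 0 if a segment carrying PACKET_FLAGS matches the rule: of the bits named in MASK,
# exactly those in COMP are set, and bits outside MASK are ignored.
# Exit 1 if it does not match, 2 on an unknown flag name.
tcp_flags_match() {
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $((p & m)) -eq $((c & m)) ]
}

# describe_match MASK COMP PACKET_FLAGS -> prints "match" or "no match"
describe_match() {
    if tcp_flags_match "$1" "$2" "$3"; then echo "match"; else echo "no match"; fi
}

# Demonstration: the two rules from the text and --syn (SYN,RST,ACK,FIN SYN)
# against typical segments seen on the wire.
for pkt in SYN SYN,ACK ACK,PSH SYN,FIN SYN,URG FIN,ACK; do
    printf '%-8s SYN,FIN,ACK/SYN=%-9s ALL/SYN,ACK=%-9s --syn=%s\n' "$pkt" \
        "$(describe_match SYN,FIN,ACK SYN "$pkt")" \
        "$(describe_match ALL SYN,ACK "$pkt")" \
        "$(describe_match SYN,RST,ACK,FIN SYN "$pkt")"
done
```

The SYN,URG line shows why the mask matters: the first rule still matches a SYN with URG set, because URG is outside its mask, while the ALL mask of the second rule rejects any extra flag.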

3. Rate-limit matching extension (-m limit). This is a match, not a target: packets within the rate match the rule and go to its -j target; packets over the rate simply do not match and fall through to the following rules (or to the chain policy). A limit rule therefore needs a rule or policy after it that handles the excess.

1) Specify how many packets may match per unit of time; the unit can be /second (the default), /minute, /hour or /day:

# iptables -A INPUT -m limit --limit 300/hour

2) Specify the burst, the number of packets that may match at once before the rate applies (default 5):

# iptables -A INPUT -m limit --limit-burst 10

This lets up to 10 packets match in a burst; beyond that the rule stops matching until the rate has replenished the allowance. Packets that do not match are not discarded by this rule; what happens to them depends on the rules that follow.

3) Specify both the rate and the burst:

# iptables -A INPUT -p icmp -m limit --limit 3/minute --limit-burst 3 -j ACCEPT

The match behaves like a token bucket that holds at most burst tokens and is refilled at the configured rate; each matching packet spends one token. Starting from a full bucket, up to burst plus rate packets match in the first minute (3 + 3 = 6 here), and on average only rate packets per minute after that. The burst guarantees that the first few packets from a quiet source always get through.

=

An example of rate-limiting a port

# vim control_flow.sh
#!/bin/bash
iptables -F
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 8080 -m limit --limit 800/s -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 8080 -j DROP

The second rule drops the packets to port 8080 that the first one no longer matches; without it they would simply continue to the remaining rules. Note that the limit counts packets, not bytes, so this is a packet-rate cap rather than a bandwidth cap.

=

4) State matching extension (connection tracking).

Every network connection is described by its source address, destination address, source port and destination port (together called the socket pair), the protocol, the connection state (for TCP) and timeouts. A firewall that tracks this information is called stateful. A stateful packet filter keeps a table of tracked connections in kernel memory and is more secure than a simple packet filter, because it can tell reply traffic from unsolicited packets. The command format is:

# iptables -m state --state [!] state[,state,...]

(-m state is the older name of this match; current iptables spells it -m conntrack --ctstate and accepts the same state names plus a few more.) The state list is comma-separated and uses four values:

> NEW: the packet starts a new connection, or belongs to a connection that has not yet seen traffic in both directions.

> RELATED: the packet starts a new connection that is associated with an existing one. For example, the data connection of an FTP session is RELATED to its control connection (this needs the FTP connection-tracking helper, nf_conntrack_ftp). ICMP error messages about a tracked connection are also RELATED.

> ESTABLISHED: the packet belongs to a connection that has already seen packets in both directions.

> INVALID: the packet cannot be associated with any known connection, or is malformed. Such packets are normally dropped.

For example:

(1) Add a rule to the INPUT chain that matches established connections and connections related to them, i.e. all reply traffic to connections this host initiated:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

(2) Add a rule to the INPUT chain that matches all connection requests arriving on interfaces other than eth0:

# iptables -A INPUT ! -i eth0 -m state --state NEW

As a further example, connection tracking can be used for FTP. The rules below are written from the point of view of the FTP client host. nf_conntrack_ftp must be loaded for the data connections to be classified as RELATED, and since Linux 4.7 the helper must also be assigned explicitly, e.g. iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp, because automatic helper assignment is off by default.

(1) Passive FTP: the client opens the data connection to a high port on the server, so the outgoing request is RELATED and the replies are ESTABLISHED.

# iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

(2) Active FTP: the server opens the data connection from its port 20 to the client, so the incoming request is RELATED.

# iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
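Putting the state match together with the default-deny policy from section I, here is a complete server-side ruleset in iptables-restore format. It is an added example written for this article, not the original author's script, and it assumes a host offering SSH, FTP and HTTP with one admin network (192.168.2.0/24 by default, a placeholder) as the only source allowed to open SSH connections. It uses -m conntrack --ctstate in place of the older -m state --state, attaches the FTP helper explicitly in the raw table, and loads everything in one atomic step.

```sh
#!/bin/sh
# stateful_ruleset [ADMIN_NET] : print a complete iptables-restore ruleset on stdout.
# ADMIN_NET (default 192.168.2.0/24, an assumed value) is the only network allowed to open SSH.
stateful_ruleset() {
    admin_net=${1:-192.168.2.0/24}
    cat <<EOF
# raw table: assign the FTP helper to the control connection. Required since Linux 4.7,
# where automatic helper assignment is off by default; nf_conntrack_ftp must be loaded.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
# filter table: default deny on INPUT, replies accepted by connection state,
# then one NEW rule per service. FTP data connections arrive as RELATED.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# rule_order_ok : the ESTABLISHED,RELATED accept must precede the first per-service NEW
# accept. Most packets belong to existing connections, so they should be accepted by the
# first match instead of walking every service rule; the check fails if the order is wrong.
rule_order_ok() {
    est=$(stateful_ruleset | grep -n -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n 1)
    svc=$(stateful_ruleset | grep -n -- '--ctstate NEW -j ACCEPT' | cut -d: -f1 | head -n 1)
    [ -n "$est" ] && [ -n "$svc" ] && [ "$est" -lt "$svc" ]
}

# apply_ruleset [ADMIN_NET] : parse-check the whole ruleset, then load it atomically (needs root).
# Unlike a script of individual iptables commands, a syntax error here loads nothing instead of
# leaving the chains half-built with a DROP policy already in force.
apply_ruleset() {
    stateful_ruleset "$@" | iptables-restore --test && stateful_ruleset "$@" | iptables-restore
}

# Show the generated ruleset and confirm its ordering (no root needed for this part).
stateful_ruleset
rule_order_ok && echo "ordering ok: state rule precedes service rules"
```

Run apply_ruleset from a console or with the admin network set to the one you are connecting from; because iptables-restore swaps the table in one operation, the ESTABLISHED,RELATED rule is already present when the DROP policy appears, so an existing SSH session survives.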

5) TOS matching extension.

IV. Target extensions

Target extensions are implemented by kernel modules; each is an optional iptables extension that adds its own command-line options (for example LOG --log-prefix, REJECT --reject-with, MASQUERADE --to-ports). The following script combines the matches above into a complete example:

=

#!/bin/bash

# Flush all rules and set the default policy
iptables -F
# Accept replies to connections this host initiated before switching the policy to DROP,
# so that an SSH session used to run this script is not cut off while the remaining rules are added
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -P INPUT DROP

# Open port 80 with a packet-rate limit; packets above the limit fall through to the DROP rule
# (an unconditional ACCEPT for port 80 in front of these two rules would make them dead code)
iptables -A INPUT -p tcp -s 0/0 --dport 80 -m limit --limit 800/s -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j DROP

# Open port 22 only for 192.168.2.45
iptables -t filter -A INPUT -s 192.168.2.45 -p tcp --dport 22 -j ACCEPT
# iptables -t filter -A INPUT ! -s 192.168.2.45 -p tcp --dport 22 -j DROP   # redundant: the INPUT policy already drops it

# Open the ICMP protocol for all users
iptables -t filter -A INPUT -p icmp -j ACCEPT

Loading the same rules with iptables-restore applies them as one atomic operation and removes the ordering concern altogether.

=
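Once a ruleset is in place, the points made throughout this article (default deny, accepting replies by connection state, not trusting fragments, restricting SSH) can be checked mechanically against the output of iptables-save. The following shell function is an added example, not part of the original article; it reads an iptables-save dump on stdin and returns the number of findings, so it can gate a deployment script. The two sample dumps are constructed for the example, not captured from a real host; the weak one mirrors the mistakes discussed above.

```sh
#!/bin/sh
# audit_ruleset < iptables-save-output
# Prints one finding per line and returns the number of findings (0 = nothing found).
audit_ruleset() {
    filter=$(awk '/^\*/ { in_filter = ($0 == "*filter") } in_filter')   # keep only the filter table
    count=0
    note() { echo "$1"; count=$((count + 1)); }

    # 1. Default deny on INPUT: with an ACCEPT policy every port not explicitly dropped is reachable.
    printf '%s\n' "$filter" | grep -q '^:INPUT DROP' || note "INPUT policy is not DROP"

    # 2. Reply traffic should be accepted by connection state, not by per-port holes.
    printf '%s\n' "$filter" | grep -Eq -- '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED' \
        || note "no ESTABLISHED/RELATED accept rule in INPUT"

    # 3. Rules that accept IP fragments (-f) bypass all transport-layer matching.
    n=$(printf '%s\n' "$filter" | grep -Ec -- '^-A .* -f .*-j ACCEPT') || true
    if [ "$n" -gt 0 ]; then note "$n rule(s) accept IP fragments on address alone"; fi

    # 4. SSH accepted from anywhere: no -s at all, or -s 0.0.0.0/0.
    n=$(printf '%s\n' "$filter" | grep -E -- '^-A INPUT .*--dport 22 .*-j ACCEPT' \
        | sed 's# -s 0\.0\.0\.0/0##' | grep -vc -- ' -s ') || true
    if [ "$n" -gt 0 ]; then note "$n rule(s) accept SSH (port 22) from any source"; fi

    return "$count"
}

# Constructed sample dumps in iptables-save format (not from a real host).
WEAK_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100/32 -j ACCEPT
COMMIT'

HARDENED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.45/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 800/sec -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
COMMIT'

echo "== weak ruleset =="
printf '%s\n' "$WEAK_RULESET" | audit_ruleset && echo "clean" || echo "$? finding(s)"
echo "== hardened ruleset =="
printf '%s\n' "$HARDENED_RULESET" | audit_ruleset && echo "clean" || echo "$? finding(s)"
```

On a live host run it as iptables-save | audit_ruleset. The checks are deliberately textual (grep over the saved form, where -s always precedes -p and the state match is saved as --ctstate or --state), which is enough to catch the four mistakes above without parsing the full rule grammar.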

When the host reaches the Internet through a dynamically assigned address (an ADSL dial-up, for example), the public address is not known in advance, so use MASQUERADE instead of SNAT; it picks up whatever address the outgoing interface currently has. MASQUERADE is only valid in the POSTROUTING chain of the nat table, and forwarding must be enabled (sysctl net.ipv4.ip_forward=1) with the FORWARD chain accepting the traffic:

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE


© 2024 shulou.com SLNews company. All rights reserved.
