2025-04-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many newcomers are unclear about iptables, from the basics through to practical use cases. To help with that, the editor explains it in detail below; anyone who needs it is welcome to follow along, and hopefully you will get something out of it.
Iptables from Entry to Application
I. Brief introduction
1.1. What is it?
iptables is a tool for isolating hosts and networks. It inspects and processes packets according to rules and processing actions that you configure yourself.
1.2. History of development
The history of firewalls runs from wall to chain to table, that is, from simple to complex. Why are there more and more rules? Because the Internet keeps becoming less secure, the rule sets of all firewalls keep growing more complex. The tools evolved as follows:
ipfirewall (wall) -> ipchains (chain) -> iptables (table)
In the 2.0 kernel, the packet filtering mechanism is ipfw and the management tool is ipfwadm.
In the 2.2 kernel, the packet filtering mechanism is ipchain and the management tool is ipchains.
In 2.4 and later kernels, the packet filtering mechanism is netfilter and the management tool is iptables.
II. Principle
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
3.4. Syntax analysis
The syntax is analyzed as follows.
-N, --new-chain chain: create a custom rule chain
-X, --delete-chain [chain]: delete a user-defined chain that is empty and has a reference count of 0
-F, --flush [chain]: clear the rules on the specified chain
-E, --rename-chain old-chain new-chain: rename a chain
-Z, --zero [chain [rulenum]]: zero the counters
Note: each rule has two counters:
packets: the number of packets matched by this rule
bytes: the total size in bytes of the packets matched by this rule
-P, --policy chain target: set the default policy of the chain (ACCEPT | DROP | REJECT)
-A, --append chain rule-specification: append a new rule at the end of the specified chain
-I, --insert chain [rulenum] rule-specification: insert a new rule at the specified position in the chain; the default position is the head of the chain
-R, --replace chain rulenum rule-specification: replace the specified rule with a new rule
-D, --delete chain rulenum: delete a rule by its rule number
-D, --delete chain rule-specification: delete a rule by matching the rule itself
Rule display
-L, --list [chain]: list the rules
-v, --verbose: show details
-vv: show even more detail
-n, --numeric: show host addresses and port numbers in numeric form
-x, --exact: show the exact counter values instead of rounded ones
--line-numbers: show each rule's number in its chain when listing rules
-S, --list-rules [chain]: show all rules of the specified chain
3.4.3. Chains
The function of the five chains is shown in the figure.
3.4.4. Condition matching
Condition matching is divided into basic matching and extended matching, and extended matching is further divided into explicit matching and implicit matching.
Basic matching needs no extension module to be loaded for the rule to take effect; extended matching requires the extension module to be loaded before the rule takes effect.
Implicit matching: when the -p option specifies the protocol, the -m option is not needed to name the extension module, and the module does not have to be loaded manually.
Explicit matching: the -m option must be used to name the extension module whose matching mechanism is invoked, and that extension module is loaded explicitly.
Basic matching options and functions
-p: the protocol of the rule: tcp, udp, icmp or all
-s: the source address of the packet: an IP address or hostname
-d: the destination address of the packet
-i: the input interface
-o: the output interface
!: negate the match
Implicit matching options and functions
-p tcp
--sport: match the source port of the packet; multiple ports can be given, but only as a contiguous range
--dport: match the destination port of the packet; multiple ports can be given, but only as a contiguous range
--tcp-flags mask comp: match the TCP flag bits of the packet
-p udp
--sport: match the source port of the packet; multiple ports can be given, but only as a contiguous range
--dport: match the destination port of the packet; multiple ports can be given, but only as a contiguous range
-p icmp
--icmp-type
0/0: echo-reply (replies to pings sent by this host)
8/0: echo-request (allows other hosts to ping this host)
1. multiport (multiple ports)
Matches several discontiguous ports in one rule.
Example:
iptables -I INPUT -d 172.16.100.7 -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -I OUTPUT -s 172.16.100.7 -p tcp -m multiport --sports 22,80 -j ACCEPT
2. iprange (IP range)
Multiple IP address matching conditions are indicated in the form of contiguous address blocks.
Example:
iptables -A INPUT -d 172.16.100.7 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT
3. time (time range)
Specify a time range.
Example:
iptables -A INPUT -d 172.16.100.7 -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 901 -j ACCEPT
4. string (string)
Performs string pattern matching on the application-layer data of the packet (implemented with a search algorithm).
--algo {bm|kmp}: the string-search algorithm to use
--string "STRING": the string to look for
--hex-string "HEX-STRING": the string to look for, given in hexadecimal encoding
5. connlimit (connection limit)
Limit the number of concurrent connections based on each client IP.
--connlimit-upto n: match when the number of existing connections is less than or equal to n
--connlimit-above n: match when the number of existing connections is greater than n
6. limit (rate limit)
Message rate control.
7. state (state)
Tracks the state of packets between requests and responses on this machine. There are five states: INVALID, ESTABLISHED, NEW, RELATED and UNTRACKED.
Rules:
1. Inbound traffic in the ESTABLISHED state should be allowed.
2. Outbound traffic in the ESTABLISHED state should be allowed.
3. Connections in the NEW state should be checked strictly.
4. All traffic in the INVALID state should be rejected.
3.4.5. Processing actions
Processing actions come as built-in actions and custom actions. Custom actions are rarely used, so only the built-in ones are introduced here.
ACCEPT: allow the packet through
DROP: discard the packet silently, without any response
REJECT: refuse the packet and, if required, send a response message to the sender
LOG: record the packet in the log, then hand it on to the next rule
QUEUE: hand the packet over to user space
RETURN: stop processing the remaining rules in the current chain and return to the calling chain
REDIRECT: port redirection
MARK: set a firewall mark on the packet
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: address masquerading
3.5. Saving and loading rules
Saving and loading rules differs slightly between CentOS 6 and CentOS 7.
Save: iptables-save > /PATH/TO/SOME_RULE_FILE
Reload: iptables-restore < /PATH/TO/SOME_RULE_FILE
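As an added example (not part of the original article), the four state rules of 3.4.4 and the save/load step of 3.5 come together in this small shell script: it generates a single-host ruleset in the iptables-save format, using the state, multiport, connlimit, limit and icmp-type matches described above, so the ruleset can be reviewed as text and then loaded with iptables-restore. The host address 172.16.100.7 is the page's example value; the port list, the per-client connection cap and the rate limits are assumed.

```shell
#!/bin/sh
# Generate a single-host filter ruleset in iptables-save format (constructed example).
# Review the output, save it to a file and load it as root with: iptables-restore < FILE
HOST_IP="172.16.100.7"   # page's example host; change to the address of your host
SERVICE_PORTS="22,80"    # assumed: ssh and http, given as a multiport list
MAX_CONN_PER_IP=20       # assumed cap on concurrent connections per client IP

build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the OUTPUT policy ACCEPT covers state rule 2 (outbound ESTABLISHED traffic)
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# state rule 1: inbound packets of established (and related) connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# state rule 4: drop everything the connection tracker considers INVALID
-A INPUT -m state --state INVALID -j DROP
# echo-request (type 8, code 0) so other hosts can ping us, rate-limited with the limit match
-A INPUT -p icmp --icmp-type 8/0 -m limit --limit 5/s -j ACCEPT
# state rule 3: NEW connections to our services are checked strictly:
# reject a client once it already holds more than MAX_CONN_PER_IP connections (connlimit)
-A INPUT -d $HOST_IP -p tcp -m multiport --dports $SERVICE_PORTS -m state --state NEW -m connlimit --connlimit-above $MAX_CONN_PER_IP -j REJECT --reject-with tcp-reset
-A INPUT -d $HOST_IP -p tcp -m multiport --dports $SERVICE_PORTS -m state --state NEW -j ACCEPT
# anything else: log a rate-limited sample, then fall through to the DROP policy
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IPT-INPUT-DROP: "
COMMIT
EOF
}

# count_rules: number of rule lines in the generated set, as a sanity check
count_rules() {
  build_ruleset | grep -c '^-A '
}

build_ruleset
```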