
Case Analysis of iptables from entry to Application

2025-04-09 Update. From: SLTechnology News&Howtos, Servers


Shulou(Shulou.com)06/01 Report--

Many newcomers are not clear about iptables, from the basics through to practical use. To help with that, the editor explains it in detail below; anyone who needs it can follow along, and I hope you gain something from it.

Iptables from entry to Application

I. Brief introduction

1.1. What is it?

Iptables is a tool for isolating hosts and networks. It inspects and processes packets according to rules and processing actions that you define yourself.

1.2. History of development

The development history of the firewall went from wall to chain and then to table, that is, from simple to complex. Why are there more and more rules? Because the Internet keeps becoming less secure, the rules of every firewall keep becoming more complex. The firewall tools changed as follows:

ipfirewall (wall) --> ipchains (chain) --> iptables (table)

In the 2.0 kernel, the packet filtering mechanism is ipfw and the management tool is ipfwadm.

In the 2.2 kernel, the packet filtering mechanism is ipchain and the management tool is ipchains.

In 2.4 and later kernels, the packet filtering mechanism is netfilter and the management tool is iptables.

II. Principle

iptables [-t table] {-A|-C|-D} chain rule-specification

iptables [-t table] -I chain [rulenum] rule-specification

iptables [-t table] -R chain rulenum rule-specification

iptables [-t table] -D chain rulenum

iptables [-t table] -S [chain [rulenum]]

iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

iptables [-t table] -N chain

iptables [-t table] -X [chain]

iptables [-t table] -P chain target

iptables [-t table] -E old-chain-name new-chain-name

rule-specification = [matches...] [target]

match = -m matchname [per-match-options]

target = -j targetname [per-target-options]

3.4. Analysis of the command syntax

The options are analysed as follows.

-N, --new-chain chain: create a custom rule chain

-X, --delete-chain [chain]: delete a user-defined chain that is empty and has a reference count of 0

-F, --flush [chain]: clear the rules on the specified chain

-E, --rename-chain old-chain new-chain: rename a chain

-Z, --zero [chain [rulenum]]: zero the counters

Note: each rule has two counters

Packets: the number of packets matched by this rule

Bytes: the total size in bytes of the packets matched by this rule

-P, --policy chain target: set the default policy of the chain (ACCEPT | DROP | REJECT)

-A, --append chain rule-specification: append a new rule to the end of the specified chain

-I, --insert chain [rulenum] rule-specification: insert a new rule at the specified position in the specified chain; the default is the head of the chain

-R, --replace chain rulenum rule-specification: replace the rule at the given position with the new rule

-D, --delete chain rulenum: delete a rule by its rule number

-D, --delete chain rule-specification: delete a rule by specifying the rule itself

Rule display

-L, --list [chain]: list the rules

-v, --verbose: detailed output

-vv: even more detailed output

-n, --numeric: show host addresses and port numbers in numeric form

-x, --exact: show the exact counter values instead of rounded ones

--line-numbers: show each rule's number in the chain when listing

-S, --list-rules [chain]: print all rules of the specified chain
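A small audit of the output of iptables -S, as an added example that is not part of the original article: it reads the -P and -A lines the display options above produce and flags a default policy of ACCEPT on INPUT or FORWARD, and any rule that accepts everything. The sample listing is constructed, not taken from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output. It contains the two weaknesses the
# audit looks for: an ACCEPT policy on INPUT and a catch-all ACCEPT rule.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT'

# chain_policy RULES CHAIN: print the default policy of CHAIN from its -P line
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "-P" && $2 == c { print $3 }'
}

# audit_rules RULES: print one finding per line.
# 1) INPUT or FORWARD whose policy is ACCEPT (everything not matched gets in)
# 2) a rule that jumps to ACCEPT with no match at all; "-s 0.0.0.0/0" and
#    "-d 0.0.0.0/0" match everything, so they are stripped before the check.
audit_rules() {
    printf '%s\n' "$1" | sed -e 's/ -[sd] 0\.0\.0\.0\/0//g' | awk '
        $1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "ACCEPT" {
            print "policy: chain " $2 " defaults to ACCEPT; set -P " $2 " DROP"
        }
        $1 == "-A" && NF == 4 && $3 == "-j" && $4 == "ACCEPT" {
            print "catch-all: \"" $0 "\" accepts everything reaching chain " $2
        }'
}

# count_findings RULES: number of findings (0 means both checks passed)
count_findings() { audit_rules "$1" | grep -c . || true; }

# Against a live host: audit_rules "$(iptables -S)"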

3.4.3. Chains

The function of the five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING) is shown in the figure.

3.4.4. Conditional matching

Conditional matching is divided into basic matching and extended matching, and extended matching is further divided into explicit matching and implicit matching.

Basic matches take effect without loading any extension module; extended matches only take effect after their extension module has been loaded.

Characteristics of implicit matching: when the protocol is given with the -p option, the -m option is not needed to name the extension module, and the module does not have to be loaded manually.

Characteristics of explicit matching: the -m option must be used to name the extension module whose matching mechanism is to be invoked, and the module has to be loaded manually.

Basic matching options and functions

-p: protocol of the rule: tcp, udp, icmp or all

-s: source address of the packet: IP address or hostname

-d: destination address

-i: input interface

-o: output interface

!: negate the match

Options and functions of implicit matching

-p tcp

--sport: matches the source port of the packet; several ports can be given, but only as one contiguous range

--dport: matches the destination port of the packet; several ports can be given, but only as one contiguous range

--tcp-flags mask comp: matches the TCP flag bits in the packet

-p udp

--sport: matches the source port of the packet; several ports can be given, but only as one contiguous range

--dport: matches the destination port of the packet; several ports can be given, but only as one contiguous range

-p icmp

--icmp-type: ICMP type/code

0/0: echo-reply, the answer to a ping

8/0: echo-request; allowing it lets other hosts ping this host

Options and functions of explicit matching

1.multiport (multiple ports)

--sports / --dports: a comma-separated list of source / destination ports, which need not be contiguous.

Example:

iptables -I INPUT -d 172.16.100.7 -p tcp -m multiport --dports 22,80 -j ACCEPT

iptables -I OUTPUT -s 172.16.100.7 -p tcp -m multiport --sports 22,80 -j ACCEPT

2.iprange (IP range)

Matches several IP addresses given as a contiguous address block.

Example:

iptables -A INPUT -d 172.16.100.7 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT

iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT

3.time (time range)

Specifies a time range during which the rule matches.

Example:

iptables -A INPUT -d 172.16.100.7 -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 -j ACCEPT

iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 901 -j ACCEPT

4.string (string)

Performs string pattern matching on the application-layer data of the packet (implemented with a search algorithm).

--algo {bm|kmp}: the algorithm used for the string search

--string "STRING": the string to search for

--hex-string "HEX-STRING": the string to search for, given in hexadecimal encoding

5.connlimit (connection limit)

Limits the number of concurrent connections per client IP.

--connlimit-upto n: matches when the number of connections is less than or equal to n

--connlimit-above n: matches when the number of connections is greater than n

6.limit (rate limit)

Controls the rate at which packets match.

7.state (state)

Tracks the state of packets within the request/response connections seen by this machine (connection tracking). There are five states: INVALID, ESTABLISHED, NEW, RELATED, UNTRACKED.

Rules:

1. Incoming packets in the ESTABLISHED state should be accepted.

2. Outgoing packets in the ESTABLISHED state should be accepted.

3. Connections in the NEW state should be checked strictly.

4. All packets in the INVALID state should be rejected.

3.4.5. Processing actions

Processing actions are either built in or user defined. User-defined actions are rarely used, so only the built-in ones are introduced here.

ACCEPT: allow the packet through

DROP: discard the packet without sending any response

REJECT: refuse the packet and, where appropriate, send an error response to the sender

LOG: record the packet in the log, then hand it on to the next rule

QUEUE: hand the packet over to user space

RETURN: stop processing the remaining rules in the current chain and return to the calling chain

REDIRECT: port redirection

MARK: set a firewall mark on the packet

DNAT: destination address translation

SNAT: source address translation

MASQUERADE: address masquerading

3.5. Save and load rules

Saving and loading rules differs slightly between CentOS 6 and CentOS 7.

Save: iptables-save > /PATH/TO/SOME_RULE_FILE

Restore: iptables-restore < /PATH/TO/SOME_RULE_FILE
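The four state rules from section 7 and the save/restore step above, combined into one script as an added example that is not the article's own code: gen_stateful_ruleset writes the rules in iptables-restore format, and apply_with_rollback loads them with a timed fallback to the saved rules so that a mistaken rule set cannot lock you out of a remote host. The default port 22, the ping and log rate limits, and the 60-second window are assumptions.

```shell
#!/bin/sh
# gen_stateful_ruleset [tcp-ports]: print a filter table in iptables-restore
# format implementing the state rules: INVALID is dropped, ESTABLISHED/RELATED
# is accepted in both directions, NEW is accepted inbound only on the listed TCP
# ports, and outbound NEW is accepted so the host can open its own connections.
# Assumed values: default ports 22, ping limit 5/second, log limit 3/minute.
gen_stateful_ruleset() {
    ports="${1:-22}"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT" \
        '-A INPUT -p icmp --icmp-type 8/0 -m limit --limit 5/second -j ACCEPT' \
        '-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: "' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -m state --state INVALID -j DROP' \
        '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m state --state NEW -j ACCEPT' \
        'COMMIT'
}

# rule_count [tcp-ports]: number of -A lines in the generated rule set
rule_count() { gen_stateful_ruleset "$1" | grep -c '^-A '; }

# apply_with_rollback FILE [SECONDS]: save the live rules, load FILE, and
# restore the saved rules after SECONDS unless the printed PID is killed.
# Needs root and a kernel with netfilter; the checks below never run it.
apply_with_rollback() {
    file="$1"; delay="${2:-60}"
    backup="$(mktemp)" || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$file" || return 1
    ( sleep "$delay" && iptables-restore < "$backup" ) &
    echo "loaded $file; rollback to $backup in $delay s unless you run: kill $!"
}

# Usage (as root):  gen_stateful_ruleset 22,80 > /etc/iptables.rules
#                   apply_with_rollback /etc/iptables.rules 60
```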
