2025-02-22 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article introduces "what is the function of the iptables command". Many people have questions about the role of the iptables command in daily operation, so the editor consulted a range of materials and sorted out simple, easy-to-use operation methods. Hopefully this answers the question "what is the function of the iptables command?". Please follow the editor through the material below.
I. iptables command parameters
Command structure
iptables [-t table_name] operation_mode rule_conditions
Note: if "-t table_name" is omitted, the filter table is used by default.
Table name: filter, nat, mangle, raw
Operation mode:
-L  ## list the contents of a table
-F  ## clear the contents of a table. If no table name is specified, the contents of all tables are cleared by default.
-A  ## append a new rule
-P  ## set the default policy
-I  ## insert a new rule
-R  ## replace an existing rule
-D  ## delete a rule
Rule conditions:
-p tcp/udp/icmp/all  -j ACCEPT/DROP/REJECT
Filter table example. The filter table has three chains: INPUT, FORWARD, OUTPUT
Example 1: list all the contents of the filter table
# iptables -t filter -L
The results show that: 1. The first part is the contents of the INPUT chain, followed by FORWARD and OUTPUT. 2. The default policy of all three chains is ACCEPT.
Example 2: list the contents of the INPUT chain in the filter table
[root@vm1]# iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
Example 3: clear everything in the filter table
[root@vm1]# iptables -t filter -F
[root@vm1]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Example 4: add a rule to the INPUT chain in the filter table
[root@vm1]# iptables -t filter -A INPUT -p icmp -j ACCEPT
[root@vm1]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
Example 5: set the default policy of the FORWARD chain to DROP
[root@vm1]# iptables -t filter -P FORWARD DROP
[root@vm1]# iptables -t filter -L
Chain FORWARD (policy DROP)
target     prot opt source               destination
Note: iptables -F does not affect the default policy. The default policy can only be set with the -P parameter.
Example 6: insert a new rule into the INPUT chain
[root@vm1]# iptables -t filter -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@vm1]# iptables -t filter -I INPUT 2 -p udp -j ACCEPT
[root@vm1]# iptables -t filter -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  anywhere             anywhere
2    ACCEPT     udp  --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Note: "iptables -t filter -L --line-numbers" displays the rule number in front of each rule.
Example 7: replace an existing rule in the INPUT chain
[root@vm1]# iptables -t filter -R INPUT 2 -p tcp -j ACCEPT
[root@vm1]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Example 8: delete an existing rule from the INPUT chain
[root@vm1]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere
3    ACCEPT     icmp --  anywhere             anywhere
[root@vm1]# iptables -t filter -D INPUT 2
[root@vm1]# iptables -t filter -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere
Note: the above seven parameters also apply to the other three tables.
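Rule numbers are positional and shift after every insert or delete, as Examples 6 and 8 show. The shell functions below are an added example (not part of the article) that parse a listing in the format of iptables -L INPUT --line-numbers, find a rule by target and protocol, and print -D commands highest-number-first so that earlier deletions do not renumber the remaining targets; the listing is constructed and the commands are only printed, never executed.

```shell
#!/bin/sh
# Added example: locate rules by content in a "-L INPUT --line-numbers" listing
# and emit "-D" commands by number. Numbers shift upward after every deletion,
# so matching rules are deleted highest number first. Nothing here runs iptables.

# Constructed listing with the same layout as the article's Example 7/8 output.
LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere
3    ACCEPT     icmp --  anywhere             anywhere'

# chain_name LISTING: the chain named on the first line of the listing
chain_name() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "Chain" { print $2 }'
}

# rule_nums LISTING TARGET PROTO: numbers of all rules with that target and
# protocol; only numbered lines are considered, so the header lines are skipped
rule_nums() {
  printf '%s\n' "$1" | awk -v t="$2" -v p="$3" \
    '$1 ~ /^[0-9]+$/ && $2 == t && $3 == p { print $1 }'
}

# first_rule_num LISTING TARGET PROTO: number of the first such rule (for -R or -D)
first_rule_num() {
  rule_nums "$1" "$2" "$3" | head -n 1
}

# delete_cmds LISTING TARGET PROTO: one "iptables -t filter -D CHAIN N" line per
# matching rule, highest N first so earlier deletions do not renumber later ones
delete_cmds() {
  chain=$(chain_name "$1")
  rule_nums "$1" "$2" "$3" | sort -rn | while read -r n; do
    echo "iptables -t filter -D $chain $n"
  done
}

first_rule_num "$LISTING" ACCEPT icmp   # 3
delete_cmds "$LISTING" ACCEPT tcp       # -D INPUT 2, then -D INPUT 1
```

iptables also accepts the rule specification in place of a number (iptables -D INPUT -p tcp -j ACCEPT), which removes the first rule matching that specification exactly.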
Example of the nat table
The nat table has three chains: PREROUTING, POSTROUTING, OUTPUT.
Example 1: list all rules in the nat table
[root@vm1]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Example 2: add a rule to POSTROUTING in the nat table
[root@vm1]# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 192.168.5.178
[root@vm1]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere             to:192.168.5.178
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Mangle table example
The mangle table has five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
[root@vm1]# iptables -t mangle -A INPUT -p icmp -j ACCEPT
[root@vm1]# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
Raw table example
The raw table has two chains: PREROUTING, OUTPUT
[root@vm1]# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@vm1]# iptables -t raw -A OUTPUT -p tcp -j ACCEPT
[root@vm1]# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
[root@vm1]# iptables -t raw -A OUTPUT -p tcp -j NOTRACK
[root@vm1]# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
NOTRACK    tcp  --  anywhere             anywhere
II. iptables syntax rules
Basic syntax
iptables -t filter -A INPUT -p icmp -j DROP
Advanced syntax
iptables -t filter -A INPUT -m mac --mac-source 00:E0:18:00:7C:A4 -j DROP
Note: with the basic syntax, iptables only calls the iptable_filter.ko module; with the advanced syntax, it calls other modules in addition to iptable_filter.ko. In the advanced example above, the xt_mac.ko module is also called.
Example 1: discard icmp packets entering this machine from 192.168.0.200
[root@vm1]# iptables -A INPUT -p icmp -s 192.168.0.200 -j DROP
[root@vm1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
DROP       icmp --  192.168.0.200        anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Syntax explanation:
-A INPUT: the object protected by the INPUT chain is the local machine; this part mainly describes the protected object.
-p icmp: the -p parameter specifies packets matching a particular protocol, in this case icmp.
-s 192.168.0.200: -s IP specifies the "source" side of the matching packet; -d IP specifies the "destination" side.
-j: specifies how to process packets that meet the above conditions.
Handling methods:
ACCEPT: allow the packet through
DROP: drop the packet; the source assumes the packet was lost and keeps resending it until the connection times out.
REJECT: drop the packet and send a Destination Unreachable icmp packet back to the sender; after receiving this error, the sender's application terminates the connection.
Example 2: the 192.168.0.200 host is not allowed to perform name resolution through the local DNS service
[root@vm1]# iptables -A INPUT -p udp -s 192.168.0.200 --dport 53 -j REJECT
[root@vm1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
DROP       icmp --  192.168.0.200        anywhere
REJECT     udp  --  192.168.0.200        anywhere             udp dpt:domain reject-with icmp-port-unreachable
Syntax explanation:
-A INPUT: protect the local host
-p udp: match udp packets; the DNS service uses the udp protocol.
-s: specify the "source" IP
--dport 53: --dport specifies the destination port of the service; the DNS service uses port 53 of the udp protocol. --sport specifies the source port of the service.
Note: when using --dport or --sport, be sure to specify the tcp or udp protocol. If it is not specified, ports of all the default protocols (tcp, udp, icmp) match.
Basic syntax structure: iptables -A INPUT -p udp/tcp/icmp -s 192.168.0.200 --dport/--sport 53 -j REJECT.
-j REJECT: all packets that meet the above conditions are discarded, and a udp error message is sent back to the source.
Example 3: allow the 192.168.0.200 host to connect to the local TELNET service
[root@vm1]# iptables -A INPUT -p tcp -s 192.168.0.200 --dport 23 -j ACCEPT
[root@vm1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
DROP       icmp --  192.168.0.200        anywhere
REJECT     udp  --  192.168.0.200        anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.0.200        anywhere             tcp dpt:telnet
Syntax explanation:
-A INPUT: protect the local machine
-p tcp: match the tcp protocol; the telnet service uses tcp.
-s: specify the source IP
--dport 23: match tcp port 23, the default port of the telnet service.
-j ACCEPT: packets that meet the above conditions are allowed through.
Example 4: allow hosts on the 192.168.1.0 network segment to make any service request to the local machine 192.168.0.1
[root@vm1]# iptables -A INPUT -p all -s 192.168.1.0/24 -d 192.168.1.0 -j ACCEPT
[root@vm1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
DROP       icmp --  192.168.0.200        anywhere
REJECT     udp  --  192.168.0.200        anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.0.200        anywhere             tcp dpt:telnet
ACCEPT     all  --  192.168.1.0/24       192.168.1.0
Syntax explanation:
-A INPUT: protect the local machine
-p all: match packets of any protocol
-s: specify the source IP
-d: specify the destination IP
-j ACCEPT: packets that meet the above conditions are allowed through.
Example 5: clients are only allowed to access the local ssh service through the eth2 interface
[root@vm1]# iptables -A INPUT -p tcp -i eth2 --dport 22 -j ACCEPT
[root@vm1]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
DROP       icmp --  192.168.0.200        anywhere
REJECT     udp  --  192.168.0.200        anywhere             udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.0.200        anywhere             tcp dpt:telnet
ACCEPT     all  --  192.168.1.0/24       192.168.1.0
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
Syntax explanation:
-A INPUT: protect the host
-p tcp: match the tcp protocol
-i eth2: match packets entering through the local eth2 interface. -i means a packet enters through an interface of this machine, and -o means a packet leaves through an interface of this machine.
--dport 22: specify tcp port 22, which is used by the ssh service
-j ACCEPT: packets that meet the above conditions are allowed through
Example 6: local applications are not allowed to send packets out through the eth0 interface to visit the edu.uuu.com.tw website
[root@vm1]# iptables -A OUTPUT -p tcp -o eth0 -d edu.uuu.com.tw --dport 80 -j REJECT
[root@vm1]# iptables -L
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             vm5.example.com      tcp dpt:http reject-with icmp-port-unreachable
Syntax explanation:
-A OUTPUT: restrict access from the local machine
-p tcp: match the tcp protocol
-o eth0: match packets that leave through the eth0 interface
-d edu.uuu.com.tw: specify the destination website
--dport 80: match service port 80, the http service
-j REJECT: all packets that meet the above conditions are discarded, and an error message is returned to the source.
Example 7: hosts inside the enterprise are not allowed to access websites outside the enterprise
[root@vm1]# iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 80 -j DROP
[root@vm1]# iptables -L
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
Note: this example uses a gateway-style firewall, so the chain used is FORWARD; it assumes that eth0 on the firewall host is connected to the Internet and eth2 to the corporate intranet.
Syntax explanation:
-A FORWARD: protect the hosts behind the firewall.
-i eth2: match the interface the packet enters through
-o eth0: match the interface the packet leaves through
-p tcp: match tcp packets
--dport 80: match packets whose destination service port is 80
-j REJECT: discard all packets that meet the above conditions and return an error message to the source.
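The examples in this section all use -A, which appends. In Example 1 the new DROP rule for 192.168.0.200 lands behind the earlier "ACCEPT icmp anywhere" rule, and because a chain is evaluated top to bottom with the first matching rule deciding, that DROP is never reached. The following first-match simulator is an added example (not from the article) that reproduces this with constructed copies of the chains above; the rule format "target proto source dport" and the wildcards "anywhere"/"any" are this example's own conventions, not iptables syntax.

```shell
#!/bin/sh
# Added example: first-match evaluation of one iptables chain, to show why rule
# order matters when -A appends. Rule lines are "target proto source dport";
# "anywhere"/"any" are wildcards and source may be a CIDR.

# Constructed chain equal to the INPUT chain after section II Examples 1 and 2,
# which were appended with -A behind the existing "ACCEPT icmp anywhere" rule.
INPUT_APPENDED='ACCEPT tcp anywhere any
ACCEPT icmp anywhere any
DROP icmp 192.168.0.200 any
REJECT udp 192.168.0.200 53'

# The same rules if the DROP had been inserted at the top with "-I INPUT 1".
INPUT_INSERTED='DROP icmp 192.168.0.200 any
ACCEPT tcp anywhere any
ACCEPT icmp anywhere any
REJECT udp 192.168.0.200 53'

# Constructed chain with the Example 4 CIDR match, evaluated under policy DROP.
FORWARD_CIDR='ACCEPT all 192.168.1.0/24 any'

# first_match CHAIN POLICY PROTO SRC DPORT: prints the verdict for one packet,
# i.e. the target of the first matching rule, or the chain policy if none matches.
first_match() {
  printf '%s\n' "$1" | awk -v policy="$2" -v proto="$3" -v src="$4" -v dport="$5" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function src_ok(spec,  parts, size) {
      if (spec == "anywhere") return 1
      if (index(spec, "/") == 0) return spec == src        # single host
      split(spec, parts, "/"); size = 2 ^ (32 - parts[2])  # addresses per prefix
      return int(ip2n(parts[1]) / size) == int(ip2n(src) / size)
    }
    ($2 == "all" || $2 == proto) && src_ok($3) && ($4 == "any" || $4 == dport) {
      print $1; found = 1; exit     # first match wins; later rules are never consulted
    }
    END { if (!found) print policy }'
}

# A dport of "-" means the protocol has no port (icmp).
first_match "$INPUT_APPENDED" ACCEPT icmp 192.168.0.200 -   # ACCEPT: rule 2 hides the DROP
first_match "$INPUT_INSERTED" ACCEPT icmp 192.168.0.200 -   # DROP
first_match "$INPUT_APPENDED" ACCEPT udp 192.168.0.200 53   # REJECT
first_match "$FORWARD_CIDR" DROP tcp 192.168.2.9 80         # DROP: outside 192.168.1.0/24
```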
III. Summary of iptables parameters
1. Interface matching parameters
Parameter name: -i (in), -o (out)
Parameter value: eth0 (Ethernet interface name)
ppp0 (ppp interface name used for dial-up)
lo (local loopback interface)
fddi0 (optical fiber network interface)
Usage example: -i eth0 (matches packets coming in through the eth0 interface)
-o eth0 (matches packets going out through the eth0 interface)
Meaning: matches the interface a packet enters or leaves through
Add: it can be combined with "!" to negate the match; for example, "-i ! eth0" matches packets that do not come in through the eth0 interface (newer iptables versions write the negation before the option: "! -i eth0")
2. Upper-layer protocol matching parameter
Parameter name: -p
Parameter value: tcp (the matching upper-layer protocol is tcp)
udp (the matching upper-layer protocol is udp)
icmp (the matching upper-layer protocol is icmp)
all (matches all upper-layer protocols)
Meaning: matches the upper-layer communication protocol
Add: it can be combined with "!" to negate the match; "-p ! icmp" matches any protocol other than icmp
3. Source / destination IP address matching
Parameter name: -s (source), -d (destination)
Parameter value: 192.168.0.1 (matches a single IP)
172.10.0.0/16 (matches a class B network segment)
192.168.0.0/24 (matches a class C network segment)
www.playboy.com (matches a FQDN, but the rule stores the resolved IP)
Usage example: -s 192.168.0.0/24 (matches packets from the 192.168.0.0 segment)
-s 192.168.0.1 (matches packets from host 192.168.0.1)
-d 192.168.0.10 (matches packets sent to host 192.168.0.10)
Meaning: matches the source or destination IP of the packet
4. Source / destination port matching
Parameter name: --sport (source), --dport (destination)
Parameter value: ports are matched in order to match the services being accessed
Usage example: --dport 80 (matches packets accessing the web)
--sport 110 (matches packets answered by the pop3 service to the client)
Meaning: matches the source or destination port of the packet
5. Handling method
Parameter name: -j
Parameter value: ACCEPT (allow)
DROP (drop the packet)
REJECT (discard the packet and send an icmp packet back to the sender)
Usage example: -j ACCEPT (allow)
-j DROP (drop the packet)
Meaning: process matching packets in a specific way.
At this point, the study of "what is the function of the iptables command" is over. I hope it has answered your questions. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning related knowledge, please continue to follow the website; the editor will keep working hard to bring you more practical articles!