Shulou(Shulou.com)06/01 Report--

Illustration of IPtables command under Linux

Analysis of IPtables Command under Linux

1. Command:

-An order add, add a new rule

-I insert, insert a new rule-I is followed by a number to indicate which line to insert

-R modification, delete a new rule-D followed by a number to indicate which line to delete

-D delete, delete a new rule-D followed by a number indicates which line to delete

-N create a new chain

-X Delete a custom chain and make sure that the secondary chain is empty and not referenced before deletion

-L View

@ 1.iptables-L-n is displayed as a number

@ 2. Iptables-L-v displays details

@ 3. Iptables-L-x displays accurate information

-E rename chain

-F clear all rules in the chain

-Z clear the rules used in the chain

-P sets the default rule

two。 Matching criteria:

Implied match:

-p tcp udp icmp

-- sport specifies the source port

-- dport specifies the destination side

-s source address

-d destination address

-I the network card into which the packet enters

-O Network card for packet egress

Extended matching:

-m state-- the matching status of state

-m mutiport-- source-port ports match, specify a set of ports

-m limit-- limit 3/minute every three minutes

-m limit--limit-burst 5 matches only 5 packets

-m string-- string-- algo bm | kmp-- string "xxxx" match string

-mtime--timestart 8:00-- timestop 12:00 indicates from which time to which time period

-mtime--days said that on that day

-m mac--mac-source xx:xx:xx:xx:xx:xx matches the source MAC address

-m layer7-- l7proto qq means that many protocols are also supported if they match Tencent qq. This default is not available. We need to patch the kernel and recompile the kernel and iptables before we can use the display extension-m layer7 to match.

3. Action:

-j

DROP just throw it away.

ACCEPT allows passing through

REJECT is lost, but reply message

LOG-- log-prefix "explain the information, define it yourself" and keep a log

SNAT source address translation

DNAT destination address translation

REDIRECT redirection

MASQUERAED address masquerade

Save iptables rules

Service iptables save

Restart the service

Service iptables stop

Service iptables start

Case Analysis of IPtables Enterprise under Linux

Meaning:

: INPUT ACCEPT [0:0]

This rule indicates that the default policy of the INPUT table is ACCEP ([0:0]) is the total number of packets and bytes that passed through the rule. )

: FORWARD ACCEPT [0:0]

This rule indicates that the default policy of the FORWARD table is ACCEPT

: OUTPUT ACCEPT [0:0]

This rule indicates that the default policy of the OUTPUT table is ACCEPT

NEW user initiates a new request

ESTABLISHED responds to an entirely new request

The relationship between two complete connections of RELATED, one complete connection, depends on the other complete connection.

A state not recognized by INVALID.

-An INPUT-m state-state ESTABLISHED,RELATED-j ACCEPT

It means that the packets allowed to enter can only be the response to the packets I just sent out.

-An INPUT-p icmp-j ACCEPT

-An INPUT-I lo-j ACCEPT

It means that the local loopback interface is allowed to communicate all the data in the INPUT table. The-I parameter is the specified interface, and the interface lo,lo is Loopback (local loopback interface).

-An INPUT-j REJECT-reject-with icmp-host-prohibited

-A FORWARD-j REJECT-reject-with icmp-host-prohibited

These two items mean that all other packets that do not meet any of the above rules are denied in the INPUT table and the FORWARD table. And send a host prohibited message to the rejected host.

Let's introduce what each parameter I added means, just like I didn't say that port 22 is allowed.

-An INPUT-m state-state NEW-m tcp-p tcp-dport 22-j ACCEPT

-A finally add a rule

-j is followed by actions. The main actions are ACCEPT, DROP, REJECT and LOG.

-dport restricts the port number of the destination.

-p protocol: sets which packet format this rule applies to. The main packet formats are: tcp, udp, icmp and all.

-m state-state fuzzy matching a state

Practical practice of IPtables Enterprise case rules

WEB server, open port 80

Iptables-An INPUT-p tcp-- dport 80-j ACCEPT

Mail server, open port 25110

Iptables-An INPUT-p tcp-- dport 110j ACCEPT

Iptables-An INPUT-p tcp-- dport 25-j ACCEPT

FTP server, open port 21

Iptables-An INPUT-p tcp-- dport 21-j ACCEPT

Iptables-An INPUT-p tcp-- dport 20-j ACCEPT

DNS server, open port 53

Iptables-An INPUT-p tcp-- dport 53-j ACCEPT

Allow icmp packets to pass, that is, allow ping

Iptables-An OUTPUT-p icmp-j ACCEPT (if OUTPUT is set to DROP)

Iptables-An INPUT-p icmp-j ACCEPT (if INPUT is set to DROP)

Forward port 8080 of this machine to other hosts, host IP:192.168.1.162, target host IP and port: 192.168.1.163 80, the rules are as follows

Iptables-t nat-A PREROUTING-p tcp-m tcp-d 192.168.1.162-dport 8080-j DNAT-to-destination 192.168.1.163 tcp 80

Iptables-t nat-A POSTROUTING-p tcp-m tcp-- dport 80-j SNAT-- to-source 192.168.1.162 POSTROUTING 8080

Echo 1 > / proc/sys/net/ipv4/ip_forward

At the same time, iptables forward forwarding function is enabled.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.