2025-04-05 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Illustration of the iptables command under Linux
Overview of the iptables command under Linux
1. Commands:
-A append: add a new rule at the end of the chain
-I insert: add a new rule; -I followed by a number inserts the rule at that position in the chain
-R replace: -R followed by a number replaces the rule at that position
-D delete: -D followed by a number deletes the rule at that position
-N create a new user-defined chain
-X delete a user-defined chain; make sure the chain is empty and not referenced by any rule before deleting it
-L list the rules in a chain
  1) iptables -L -n shows addresses and ports as numbers instead of resolving names
  2) iptables -L -v shows details (packet and byte counters, interfaces)
  3) iptables -L -x shows exact counter values instead of rounded ones
-E rename a user-defined chain
-F flush all rules in the chain
-Z zero the packet and byte counters of the chain
-P set the default policy of a built-in chain
2. Matching criteria:
Implicit matches:
-p tcp | udp | icmp  protocol
--sport specifies the source port
--dport specifies the destination port
-s source address
-d destination address
-i the network interface the packet enters through
-o the network interface the packet leaves through
Extended matches:
-m state --state  matches the connection-tracking state
-m multiport --source-ports / --destination-ports  matches a set of ports in one rule
-m limit --limit 3/minute  matches at most 3 packets per minute
-m limit --limit-burst 5  allows an initial burst of 5 packets before the limit applies
-m string --algo bm|kmp --string "xxxx"  matches a string in the packet payload
-m time --timestart 8:00 --timestop 12:00  matches only within that time window
-m time --days  matches only on the given days of the week
-m mac --mac-source xx:xx:xx:xx:xx:xx  matches the source MAC address
-m layer7 --l7proto qq  matches Tencent QQ traffic; many other protocols are supported as well. This match is not available by default: the kernel must be patched, and both the kernel and iptables recompiled, before the layer7 match extension can be used.
3. Actions (targets):
-j target
DROP  silently discard the packet
ACCEPT  let the packet through
REJECT  discard the packet, but send an error reply to the sender
LOG --log-prefix "your own description"  write a log entry (the prefix is free text you define) and continue with the next rule
SNAT  source address translation
DNAT  destination address translation
REDIRECT  redirect the packet to a port on the local machine
MASQUERADE  address masquerading (SNAT using the address of the outgoing interface)
Save the iptables rules:
service iptables save
Restart the service:
service iptables stop
service iptables start
Case analysis of an enterprise iptables ruleset under Linux
Meaning of the lines in a saved ruleset:
:INPUT ACCEPT [0:0]
This line means the default policy of the INPUT chain is ACCEPT ([0:0] is the total number of packets and bytes that have passed through the chain).
:FORWARD ACCEPT [0:0]
This line means the default policy of the FORWARD chain is ACCEPT.
:OUTPUT ACCEPT [0:0]
This line means the default policy of the OUTPUT chain is ACCEPT.
Connection states:
NEW  the user initiates a new connection
ESTABLISHED  the reply to a connection already seen, and every later packet of that connection
RELATED  a new connection that belongs to an existing one (for example an FTP data connection belongs to its control connection)
INVALID  a packet whose state cannot be determined
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This means the only packets allowed in are replies to connections this host itself opened, or packets related to them.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
This allows all traffic on the local loopback interface through the INPUT chain. The -i parameter specifies the interface, and lo is the loopback interface.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
These two rules reject, in the INPUT and FORWARD chains, every packet that matched none of the rules above, and send an ICMP host-prohibited message back to the sender.
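As an added example (not part of the original article), here is a small audit script over the saved-ruleset format explained above. It reads iptables-save output and prints one finding per line: a built-in INPUT or FORWARD chain whose policy is ACCEPT but which has no final catch-all REJECT or DROP rule, and INPUT accept rules that restrict neither port, state, interface nor source address. The SAMPLE_RULESET, the function names and the file name are this example's own; the sample mirrors the default ruleset discussed above plus one deliberately broad rule.

```shell
#!/bin/sh
# Added example, not from the original article: audit a saved iptables ruleset.
# Usage: iptables-save > current.rules; ./audit-rules.sh current.rules
# Run without an argument, it audits the constructed sample below.

# Constructed sample in iptables-save format: the article's default ruleset plus
# one overly broad rule ("-A INPUT -p tcp -j ACCEPT") that the audit should catch.
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read a ruleset on stdin and print one finding per line.
audit_ruleset() {
    awk '
        # ":CHAIN POLICY [pkts:bytes]" records the default policy of a chain.
        /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2 }
        # A rule with no match at all that jumps to REJECT or DROP is a catch-all.
        /^-A (INPUT|FORWARD) -j (REJECT|DROP)/ { catchall[$2] = 1 }
        # An INPUT accept that names no port, state, interface or source address
        # (and is not the plain ICMP allow) lets any TCP/UDP connection in.
        /^-A INPUT .* -j ACCEPT$/ && !/--dport/ && !/--state/ && !/ -i / && !/ -s / && !/ -p icmp / {
            print "broad accept: " $0
        }
        END {
            for (chain in policy)
                if (policy[chain] == "ACCEPT" && !(chain in catchall))
                    print "policy: " chain " defaults to ACCEPT and has no catch-all REJECT/DROP rule"
        }
    '
}

# Number of findings for a ruleset read on stdin (0 when the ruleset is clean).
count_findings() {
    audit_ruleset | grep -c .
}

# Stand-alone use: a saved ruleset file as the argument, otherwise the sample.
if [ $# -gt 0 ]; then
    audit_ruleset < "$1"
else
    printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset
fi
```

The default ruleset itself passes the policy check because both built-in chains end in an unconditional REJECT; only the added "-A INPUT -p tcp -j ACCEPT" line is reported. Remove the final REJECT lines from a copy of the sample and the audit reports the ACCEPT policies as well.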
Let's go through what each parameter means, using as an example the rule that allows port 22 (not listed above):
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A appends the rule at the end of the chain
-j is followed by the action; the main actions are ACCEPT, DROP, REJECT and LOG
--dport restricts the destination port number
-p protocol: sets which kind of packet this rule applies to; the main values are tcp, udp, icmp and all
-m state --state matches the connection state (here NEW, the first packet of a new connection)
Practical iptables rules for the enterprise cases
Web server, open port 80:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Mail server, open ports 25 and 110:
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
FTP server, open ports 21 and 20:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
DNS server, open port 53:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
Allow ICMP packets through, that is, allow ping:
iptables -A OUTPUT -p icmp -j ACCEPT (needed if the OUTPUT policy is DROP)
iptables -A INPUT -p icmp -j ACCEPT (needed if the INPUT policy is DROP)
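The per-service commands above only make sense on top of a default-deny INPUT chain with the state rules from the case analysis. As an added example that is not from the original article, the script below prints a complete iptables-restore ruleset for a chosen set of server roles: the stateful and loopback rules first, a rate-limited ping using the -m limit match from section 2, one NEW-state rule per service port, and the article's final REJECT. The role names, the UDP rule for DNS and the file name are this example's own choices; the port numbers are those of the cases above.

```shell
#!/bin/sh
# Added example, not from the original article: print an iptables-restore
# ruleset for the server roles above on top of a default-deny INPUT chain.
# Nothing is applied; review the output, then: ./gen-rules.sh web dns | iptables-restore

# TCP ports for one role (port numbers taken from the article's cases).
role_ports() {
    case "$1" in
        web)  echo "80" ;;
        mail) echo "25 110" ;;
        ftp)  echo "20 21" ;;
        dns)  echo "53" ;;
        ssh)  echo "22" ;;
        *)    echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Emit a complete *filter table for the given roles. Returns 1 on an unknown role.
build_ruleset() {
    for role in "$@"; do
        role_ports "$role" >/dev/null || return 1
    done
    echo '*filter'
    # Default deny for inbound and forwarded traffic instead of the article's ACCEPT policy.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Replies to connections this host opened, and the loopback interface, always pass.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # Packets conntrack cannot classify are dropped before any service rule.
    echo '-A INPUT -m state --state INVALID -j DROP'
    # Ping stays reachable but is rate-limited with the -m limit match from section 2.
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/minute --limit-burst 5 -j ACCEPT'
    for role in "$@"; do
        # Only the first packet of a connection needs a service rule;
        # the ESTABLISHED rule above handles the rest of the flow.
        for port in $(role_ports "$role"); do
            echo "-A INPUT -m state --state NEW -p tcp -m tcp --dport $port -j ACCEPT"
        done
        # DNS queries normally travel over UDP, which a TCP-only rule would miss.
        if [ "$role" = dns ]; then
            echo '-A INPUT -p udp -m udp --dport 53 -j ACCEPT'
        fi
    done
    # Everything else is rejected with the same ICMP reply the article's ruleset uses.
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Stand-alone use: the roles are given on the command line.
if [ $# -gt 0 ]; then
    build_ruleset "$@"
fi
```

Because the script refuses unknown role names and only prints, a typo cannot reach the live firewall; the generated text is loaded in one step with iptables-restore, so the host never sits half-configured between individual iptables -A commands.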
Forward port 8080 of this machine to another host. Local host IP: 192.168.1.162; target host IP and port: 192.168.1.163, port 80. The rules are as follows:
iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.162 --dport 8080 -j DNAT --to-destination 192.168.1.163:80
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.162
echo 1 > /proc/sys/net/ipv4/ip_forward
The last command enables IP forwarding in the kernel, which the forwarding rules need in order to take effect.
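To make the forwarding case above repeatable and to catch a mistyped address or port before it reaches the firewall, here is an added example (not from the original article) that validates the four parameters and prints the nat-table rules in iptables-restore format. It also prints the FORWARD accept rules the forwarded flow needs when, as in the ruleset analysed earlier, the FORWARD chain rejects everything by default, and the sysctl line that makes the ip_forward setting persistent. The function names, the file name and the narrowing of the SNAT rule to the target address are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: print the rules for forwarding
# one local TCP port to another host, after checking the addresses and ports.
# Nothing is applied; review the output first, then pipe it to iptables-restore.
# Usage: ./port-forward.sh 192.168.1.162 8080 192.168.1.163 80

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP port number in 1-65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit nat and filter rules for local_ip:local_port -> target_ip:target_port.
# Returns 1 without printing anything if a parameter is malformed.
port_forward_rules() {
    local_ip=$1; local_port=$2; target_ip=$3; target_port=$4
    valid_ipv4 "$local_ip" && valid_ipv4 "$target_ip" || return 1
    valid_port "$local_port" && valid_port "$target_port" || return 1
    echo '*nat'
    # Rewrite the destination of incoming connections, as in the article's PREROUTING rule.
    echo "-A PREROUTING -p tcp -m tcp -d $local_ip --dport $local_port -j DNAT --to-destination $target_ip:$target_port"
    # Rewrite the source so the target answers through this host. Unlike the article's
    # rule, the match is narrowed to the target address (this example's choice).
    echo "-A POSTROUTING -p tcp -m tcp -d $target_ip --dport $target_port -j SNAT --to-source $local_ip"
    echo 'COMMIT'
    echo '*filter'
    # A DNATed flow traverses the FORWARD chain; with a REJECT policy there it needs
    # explicit accepts, limited to this one destination and to the replies.
    echo "-A FORWARD -p tcp -m tcp -d $target_ip --dport $target_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -p tcp -m tcp -s $target_ip --sport $target_port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo 'COMMIT'
}

# The sysctl line that makes IP forwarding persistent (for a file under
# /etc/sysctl.d/); it is the same setting the article enables through /proc.
forwarding_sysctl() {
    echo 'net.ipv4.ip_forward = 1'
}

if [ $# -eq 4 ]; then
    port_forward_rules "$@" || { echo "invalid address or port" >&2; exit 1; }
    echo "# also set: $(forwarding_sysctl)"
fi
```

Keeping the POSTROUTING and FORWARD rules tied to the target address means the SNAT cannot silently apply to other port-80 traffic leaving the host, and the FORWARD accept opens exactly the one forwarded flow rather than the whole chain.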