The command system-config-firewall opens the graphical firewall configuration tool.
To view the current firewall configuration: vi /etc/sysconfig/iptables
1. Structure of iptables
iptables divides the firewall's functions into several tables:
filter: general packet filtering
nat: network address translation (NAT)
Each table contains several chains; the filter table, for example, has these three chains:
1) INPUT: rules added here filter packets arriving at this host
2) OUTPUT: rules added here filter packets leaving this host
3) FORWARD: rules added here filter packets being forwarded through this host
Each chain holds a number of rules.
2. Saving and starting iptables
After adding a new rule to a chain, save the firewall rules so that they are still in effect after the next reboot.
service iptables save : saves the firewall configuration to /etc/sysconfig/iptables
service iptables start : starts the firewall
service iptables stop : stops the firewall
chkconfig iptables on : enables the firewall at boot
3. iptables configuration syntax (tables and commands)
iptables [-t table] command [match] [target]
The two commonly used tables are filter and nat.
Common command options:
-A chain: append a rule to the chain
-D chain: delete a rule from the chain
-I chain: insert a rule at a specified position in the chain
-R chain: replace a rule in the chain
-L [chain]: list the rules in the chain
-F [chain]: flush (empty) the rules in the chain
-X [chain]: delete a user-defined chain (in the default table, filter)
-P chain: set a new default policy for the chain. ACCEPT: permit everything that is not explicitly denied; DROP: deny everything that is not explicitly permitted
4. iptables configuration syntax (match)
The optional match part of an iptables command specifies the characteristics a packet must have (source address, destination address, protocol, and so on) for the rule to match it.
The match options are:
-s <IP address | network segment | domain name>: source address
-d <IP address | network segment | domain name>: destination address
-p <protocol>: protocol, one of tcp, udp or icmp
--dport <port>: destination port; -p must be given before it
--sport <port>: source port; -p must be given before it
-i <interface>: the network interface the packet arrives on
-o <interface>: the network interface the packet leaves through
5. iptables configuration syntax (target)
The target is the action a rule performs on the packets that match it.
The target is given with the -j option; the common targets are:
REJECT: reject the packet
DROP: discard the packet silently, without any reply
ACCEPT: allow the packet through
Example 1: Refuse ping (ICMP) from host 192.168.0.1 to this machine.
iptables -t filter -A INPUT -s 192.168.0.1 -p icmp -j REJECT
Example 2: Allow only hosts on the 192.168.0.0/24 network segment to telnet to this machine.
iptables -A INPUT ! -s 192.168.0.0/24 -p tcp --dport 23 -j REJECT
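The two examples above combined into one small, ordered INPUT ruleset, as an added example that is not part of the original page. Rules in a chain are checked top to bottom and the first match wins, so the "allow the LAN" rule has to come before the "reject everyone else" rule; the LAN segment, the blocked host and the telnet port are assumed values that can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the original page). Prints the iptables commands
# that implement Example 1 and Example 2 together; executes them only when
# run as root with APPLY=1, so the ruleset can be reviewed first.
# Assumed values (constructed): LAN segment, blocked host, telnet port.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PING_BLOCK="${PING_BLOCK:-192.168.0.1}"
TELNET_PORT="${TELNET_PORT:-23}"

# Print the commands, one per line, in the order they must be applied.
build_rules() {
    cat <<EOF
iptables -t filter -F INPUT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -s $PING_BLOCK -p icmp -j REJECT
iptables -t filter -A INPUT -s $LAN_NET -p tcp --dport $TELNET_PORT -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $TELNET_PORT -j REJECT
EOF
}

# Number of rules appended to INPUT by build_rules (sanity check).
rule_count() {
    build_rules | grep -c '^iptables -t filter -A INPUT'
}

# Run the commands (stop at the first failure), save them so they survive a
# reboot (section 2), then list INPUT with line numbers to verify the order.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    build_rules | sh -e || return 1
    service iptables save
    iptables -t filter -L INPUT -n --line-numbers
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments to review the generated commands; run it as root with APPLY=1 to load and save them.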
A simple introduction to iptables (firewall)