Official website of the iptables firewall: www.netfilter.org
The packet-filtering framework (netfilter) is part of the Linux kernel, and the iptables tool ships with the system, so it does not need to be installed by hand.
The iptables firewall supports layer-7 (application-layer) protocol matching.
Tables and chains
A table is a container of chains; a chain is a container of rules.
Four rule tables by default
Table names are written in lower case.
raw table: controls connection tracking of packets (e.g. exempting packets from state tracking)
mangle table: marks packets; used for traffic control (similar to QoS)
nat table: rewrites the source or destination IP address and port of a packet
filter table: packet filtering; if no table is specified, filter is used by default
Use the -t option to specify the table.
Five rule chains by default
Chain names are written in upper case.
INPUT: incoming packets addressed to the local machine; used to protect the local machine
OUTPUT: outgoing packets generated by the local machine; used to protect the local machine
FORWARD: packets passing through that are not addressed to the local machine; used to protect a network behind the firewall
POSTROUTING: processes packets after the routing decision
PREROUTING: processes packets before the routing decision
Each chain has a default policy.
# iptables -L          list all rules and policies
(policy ACCEPT) means the chain's default policy is ACCEPT
# iptables -t nat -L   view the chain structure of the nat table; three chains are displayed
Packet filtering priority
Order in which the tables are consulted
raw, mangle, nat, then filter
Order in which the chains are traversed
Inbound packets: PREROUTING, then INPUT
Outbound packets: OUTPUT, then POSTROUTING
Forwarded packets: PREROUTING, FORWARD, then POSTROUTING
Packet actions (targets)
Actions are written in upper case.
ACCEPT: lets the packet through
DROP: discards the packet silently, as if it had never been received
LOG: records the packet to syslog
REJECT: discards the packet and sends back a response telling the sender why it was refused
RETURN: stops processing in the current chain and continues in the calling chain
Syntax of the iptables command
iptables [-t table] management-option [chain] [match conditions] [-j action]
If no table is given, the filter table is used.
If no chain is given, the operation applies to all chains in the table (for example -L or -F).
Options are case-sensitive (-P and -p, -D and -d mean different things).
-A: append a rule at the end of the chain
-D: delete a rule
-I: insert a rule at the given position (at the head of the chain if no position is given)
-F: flush (clear) all rules
-P: set the default policy of a chain
-p: protocol
-s: source address
-d: destination address
-R: replace the rule at the given position
-N: create a custom chain
-X: delete a custom chain
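The management options above are easiest to understand as a lifecycle: create a custom chain, fill it, hook it into a built-in chain, and later tear it down in the right order. The script below is an added example (not from the original notes): the chain name SSH_GUARD, the address 172.16.1.100 and the rule positions are assumed. With DRY_RUN=1 it prints the iptables commands instead of running them, so the sequence can be reviewed without root.

```shell
#!/bin/sh
# Added example: managing a custom chain with -N, -A, -I, -R, -D, -F and -X.
# DRY_RUN=1 prints commands instead of executing them (assumed convention).
DRY_RUN="${DRY_RUN:-0}"
ADMIN_IP="${ADMIN_IP:-172.16.1.100}"   # assumed: the host allowed to reach SSH

# Run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Build the chain and hook it into INPUT. Rule positions count from 1, and an
# insert at position N pushes the rule that was at N down to N+1.
ssh_guard_up() {
    ipt -N SSH_GUARD                                      # create the custom chain
    ipt -A SSH_GUARD -s "$ADMIN_IP" -j ACCEPT             # rule 1: the admin host
    ipt -A SSH_GUARD -j DROP                              # rule 2: everyone else
    ipt -I SSH_GUARD 2 -j LOG --log-prefix "ssh-guard: "  # log before the DROP (now rule 2, DROP becomes 3)
    ipt -I INPUT -p tcp --dport 22 -j SSH_GUARD           # send SSH traffic through the chain
}

# Replace rule 1 in place when the admin host changes (-R needs the position).
ssh_guard_set_admin() {
    ipt -R SSH_GUARD 1 -s "$1" -j ACCEPT
}

# Tear down in reverse: a chain can only be deleted (-X) once nothing jumps
# to it any more (-D the reference) and it is empty (-F).
ssh_guard_down() {
    ipt -D INPUT -p tcp --dport 22 -j SSH_GUARD
    ipt -F SSH_GUARD
    ipt -X SSH_GUARD
}

# Stand-alone use: "./ssh_guard.sh up" or "./ssh_guard.sh down" as root.
case "${1:-}" in
    up)   ssh_guard_up ;;
    down) ssh_guard_down ;;
esac
```

Running `ssh_guard_down` before `ssh_guard_up` completed, or in the opposite order, is the usual cause of "Chain is referenced" or "Directory not empty" errors from -X.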
Port matching
--sport: source port
--dport: destination port
-i: incoming network interface, e.g. -i eth0 (the number selects the card when there are several)
-o: outgoing network interface
TCP flag matching
Use --tcp-flags, with flags such as SYN (synchronize sequence number), ACK (acknowledgement) and RST (reset)
ICMP type matching
Use --icmp-type, e.g. echo-request or echo-reply
Extension (explicit) match modules
-m
MAC address match
-m mac --mac-source 00:00:00:00:00:00
Multi-port match
-m multiport --dports 20,21,25
Multiple-IP-address match
-m iprange --src-range 192.168.1.20-192.168.1.30
Packet state match
-m state
NEW: a packet that starts a new connection
ESTABLISHED: a packet belonging to an existing connection (e.g. the server's reply)
RELATED: a packet related to an existing connection
Packet control (NAT)
SNAT: rewrites the source address of a packet
DNAT: rewrites the destination address of a packet
# iptables -t filter -I INPUT -p icmp -s 0.0.0.0/0 -d 192.168.1.2/24 -j DROP
# iptables -t filter -I OUTPUT -p icmp -j DROP
# iptables -t filter -D INPUT 1        the 1 is the rule number
# /etc/init.d/iptables save            save the current rules permanently
The rules are saved to /etc/sysconfig/iptables. If they are not saved, all rules are lost on reboot.
Listing rules
-L: list the rules
--line-numbers: show the rule numbers in the listing
-n: show IP addresses, port numbers and protocol numbers numerically (no name lookups)
-v: show packet and byte counters
# iptables -L INPUT --line-numbers     show the INPUT rules of the filter table with their numbers
In practice the firewall should reject everything by default: nothing in, nothing out.
# iptables -P INPUT DROP               the default is policy ACCEPT
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
Looking up protocols
/etc/services lists all services (port names) known to the system
/etc/protocols lists all protocols known to the system
# iptables -p icmp --help | less
Firewall rules
Deny every machine from pinging the firewall, but allow the firewall to ping every machine
First, reject all traffic (default policies DROP, as above)
# iptables -F                                                     clear the rules
# iptables -p icmp --help | more                                  view the ICMP types
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT   outgoing request packets
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT      incoming reply packets
# iptables-save
The protocol can also be given by number: ICMP is protocol 1, as listed in /etc/protocols.
Allow SSH connections
The protocol (-p) must be given before the port option.
# iptables -A OUTPUT -p tcp --sport 22 -s 172.16.1.200 -d 172.16.1.100 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -s 172.16.1.100 -d 172.16.1.200 -j ACCEPT
Allow the local loopback address 127.0.0.1 so that local services keep working
# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
MAC address match
# iptables -A FORWARD -m mac --mac-source 00:00:00:00:00:00 -j DROP
Multi-port match
Separate the port numbers with commas
# iptables -A INPUT -p tcp -m multiport --dports 20,21,1260 -j ACCEPT
Multiple-IP-address match
# iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.30 -j DROP
Packet state match
-m state
# iptables -A FORWARD -p tcp -m state --state NEW ! --syn -j DROP
NEW: a new connection
!: negation (not)
--syn: the first handshake packet (SYN) of a TCP connection
So the rule drops packets that claim to start a connection but are not SYN packets.
# iptables -A INPUT -p tcp -m state --state NEW -j DROP              drop packets that initiate a TCP connection
# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Only packets in the ESTABLISHED or RELATED state are accepted (new inbound TCP connections are refused)
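The rules from this section (default deny, loopback, SSH from one admin host, outgoing ping only, state matching) belong in one script so the order is fixed and the result is reproducible. The script below is an added example, not from the original notes: HOST_IP and ADMIN_IP are assumed values, it matches loopback by interface (-i lo / -o lo) rather than by address, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: a host firewall built from the rules in the section above.
# HOST_IP and ADMIN_IP are assumed; DRY_RUN=1 prints instead of applying.
HOST_IP="${HOST_IP:-172.16.1.200}"     # this machine (assumed)
ADMIN_IP="${ADMIN_IP:-172.16.1.100}"   # the only host allowed to open SSH (assumed)
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

host_firewall() {
    # Flush first so the script can be re-run, then deny everything by default.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback: local services talk to 127.0.0.1 (matched by interface here).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful shortcut: traffic belonging to connections already accepted.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A packet that claims to start a connection must be a SYN packet.
    ipt -A INPUT -p tcp -m state --state NEW ! --syn -j DROP

    # New SSH connections only from the admin host; -p tcp must precede --dport.
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -d "$HOST_IP" -m state --state NEW -j ACCEPT

    # We may ping out; nobody may ping us: outgoing echo-request, incoming echo-reply only.
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
}

# Stand-alone use: "./host_firewall.sh apply" as root.
if [ "${1:-}" = "apply" ]; then host_firewall; fi
```

Because the ESTABLISHED,RELATED rules sit above the others, the SSH reply traffic and the echo-reply packets are accepted by state; the explicit echo-reply rule stays for readability and would also cover replies that connection tracking does not attribute to an outgoing request.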
SNAT policy
LAN hosts share one public IP address to access the Internet.
SNAT rewrites the source IP address of a packet.
Lab 1
SNAT (source)
Three virtual machines: a WWW server on the Internet, the iptables firewall, and an XP client on the intranet
WWW server
Build the WWW service on the Internet side
iptables firewall
# iptables -F                                              clear all rules
# iptables -P INPUT DROP                                   deny everything
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT    allow the local loopback address
# iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# iptables -I INPUT -p tcp --dport 22 -s 0.0.0.0/0 -d 61.233.154.1 -j ACCEPT
# iptables -I OUTPUT -p tcp --sport 22 -s 61.233.154.1 -d 0.0.0.0/0 -j ACCEPT
With the basic environment above in place:
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1      enable IPv4 route forwarding (run sysctl -p to apply without rebooting)
1 means enabled
0 means disabled
# iptables -A FORWARD -s 172.16.0.0/16 -j ACCEPT
# iptables -A FORWARD -d 172.16.0.0/16 -j ACCEPT
# iptables -t nat -I POSTROUTING -s 172.16.0.0/16 -o eth1 -j SNAT --to-source 61.233.154.1
POSTROUTING: the rule is applied after the routing decision
-s: the LAN (intranet) segment
-o eth1: packets leaving through the eth1 NIC (if omitted, any interface)
--to-source: the public (Internet) address to rewrite to
XP client
Access to the WWW server on the Internet succeeds.
You can capture packets on XP. If the source address of the captured packets is 61.233.154.1, SNAT is working correctly.
Address masquerading: if the public address is not fixed (e.g. ADSL, where it changes often and the Internet interface is named ppp0, ppp1, ...), replace -j SNAT --to-source with -j MASQUERADE.
# iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o ppp0 -j MASQUERADE
Lab 2
DNAT (destination)
Usually used to publish a server on the LAN to the Internet
# iptables -t nat -A PREROUTING -i eth1 -d 61.233.154.1 -p tcp --dport 80 \
    -j DNAT --to-destination 172.16.1.2
Client
Access the company's public (Internet) address
Succeeds
View the access log on the WWW server
# tail /var/log/httpd/access_log
An entry from 61.233.154.2 shows that the host has been accessed from the Internet.
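Lab 1 and Lab 2 together describe a NAT gateway: forwarding enabled, FORWARD rules, source rewriting on the way out and a port forward on the way in. The script below is an added example, not from the original notes. It uses the labs' addresses (172.16.0.0/16, 61.233.154.1, 172.16.1.2) and interface names (eth1, ppp0) as defaults, chooses SNAT or MASQUERADE from the interface name as the notes describe, and tightens the inbound FORWARD rule to established/related traffic plus the published port. For a ppp interface the public address is not known in advance, so the DNAT rule matches on the interface alone; that adjustment and DRY_RUN=1 (print instead of apply) are assumptions of this example.

```shell
#!/bin/sh
# Added example: NAT gateway for Lab 1 (SNAT/MASQUERADE) and Lab 2 (DNAT).
# Defaults come from the labs; DRY_RUN=1 prints commands instead of running them.
LAN_NET="${LAN_NET:-172.16.0.0/16}"        # intranet segment
WAN_IF="${WAN_IF:-eth1}"                   # Internet interface: eth1 (static IP) or ppp0 (ADSL)
WAN_IP="${WAN_IP:-61.233.154.1}"           # public address; only meaningful for a static interface
WWW_INSIDE="${WWW_INSIDE:-172.16.1.2}"     # LAN web server published with DNAT
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fixed public address: SNAT to it. Dial-up (ppp*) with a changing address: MASQUERADE.
snat_target() {
    case "$WAN_IF" in
        ppp*) echo "-j MASQUERADE" ;;
        *)    echo "-j SNAT --to-source $WAN_IP" ;;
    esac
}

# Inbound match for the port forward: on ppp* the address is dynamic, so match
# the interface only (assumed adjustment); otherwise also match the public IP.
dnat_match() {
    case "$WAN_IF" in
        ppp*) echo "-i $WAN_IF" ;;
        *)    echo "-i $WAN_IF -d $WAN_IP" ;;
    esac
}

nat_gateway() {
    # The kernel must forward between interfaces (net.ipv4.ip_forward = 1 in
    # /etc/sysctl.conf makes it permanent; sysctl -w applies it now).
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -F
    run iptables -t nat -F
    run iptables -P FORWARD DROP

    # Lab 1: LAN hosts out to the Internet, replies back in, source rewritten on exit.
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -d "$LAN_NET" -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" $(snat_target)

    # Lab 2: publish the inside web server on port 80. DNAT happens in
    # PREROUTING; the rewritten packet then still has to pass FORWARD.
    run iptables -t nat -A PREROUTING $(dnat_match) -p tcp --dport 80 -j DNAT --to-destination "$WWW_INSIDE"
    run iptables -A FORWARD -i "$WAN_IF" -d "$WWW_INSIDE" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Stand-alone use: "WAN_IF=ppp0 ./nat_gateway.sh apply" as root.
if [ "${1:-}" = "apply" ]; then nat_gateway; fi
```

The reply packets of the port-forwarded connection are un-DNATed automatically by connection tracking, which is why no matching SNAT rule is needed for them; the FORWARD chain only has to admit the first packet (NEW) and the established flow.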
From shanhuhai5739's BLOG