Basic practice of iptables
Contents:
I. Basic rule exercises
II. SNAT source address translation
III. DNAT destination address translation
I. Basic rule exercises
(1) Allow ssh (port 22)
iptables -A INPUT -d 192.168.42.153 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 192.168.42.153 -p tcp --sport 22 -j ACCEPT
(2) Modify the default policy of each chain (close all ports)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
(3) Open the web port (80) for httpd/nginx
iptables -I INPUT -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT
iptables -I OUTPUT -s 192.168.42.153 -p tcp --sport 80 -j ACCEPT
(4) After changing the default policies, we find that we can no longer ping ourselves or other hosts. First allow loopback traffic:
iptables -t filter -I INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -t filter -I OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
(5) Allow this host to ping other hosts (echo request out, echo reply in)
iptables -t filter -I OUTPUT -s 192.168.42.153 -d 0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -I INPUT -s 0/0 -d 192.168.42.153 -p icmp --icmp-type 0 -j ACCEPT
(6) Allow anyone to ping this host (echo request in, echo reply out)
iptables -t filter -I INPUT -s 0/0 -d 192.168.42.153 -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -I OUTPUT -s 192.168.42.153 -d 0/0 -p icmp --icmp-type 0 -j ACCEPT
(7) Open multiple ports at once (multiport match)
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp -m multiport --dports 22,80,3306 -j ACCEPT
# Reply traffic leaves through OUTPUT, not INPUT (the original listed INPUT here by mistake)
iptables -I OUTPUT -d 0/0 -s 192.168.42.153 -p tcp -m multiport --sports 22,80,3306 -j ACCEPT
(8) iptables -vnL --line-numbers # display rule numbers
iptables -vnL INPUT --line-numbers
Chain INPUT (policy DROP 1 packets, 229 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   576 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.42.153       icmptype 8
2       12  1008 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.42.153       icmptype 0
3       16  1226 ACCEPT     all  --  lo     *       127.0.0.1            127.0.0.1
4       88  7565 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.153       tcp dpt:80
5     2135  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.42.153       tcp dpt:22
(9) Source address and destination address range match (iprange)
iptables -I INPUT -d 192.168.42.153 -p tcp --dport 23 -m iprange --src-range 192.168.42.150-192.168.42.158 -j ACCEPT
iptables -I OUTPUT -s 192.168.42.153 -p tcp --dport 23 -m iprange --dst-range 192.168.42.150-192.168.42.158 -j ACCEPT
(10) Block pages containing the string "old" (string match)
iptables -I OUTPUT -s 192.168.42.153 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "old" -j DROP
(11) Deny access to port 80 between 09:00 and 19:00 (time match, kernel time zone)
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 --kerneltz -j DROP
(12) Deny access to port 80 between 09:00 and 19:00, Monday to Friday
iptables -I INPUT -d 192.168.42.153 -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 --kerneltz --weekdays 1,2,3,4,5 -j DROP
(13) Deny more than two concurrent connections to the port (connlimit)
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
(14) Deny the same client when it has fewer than three concurrent connections on the port (negated connlimit)
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp --dport 22 -m connlimit ! --connlimit-above 3 -j DROP
(15) Destination address and port translation example (forwarding port 22)
iptables -t nat -A PREROUTING -d 10.1.249.125 -p tcp --dport 22022 -j DNAT --to-destination 192.168.2.4:22
II. SNAT source address translation
SNAT: source address translation. When an intranet host accesses the Internet, the source address is rewritten to the firewall's Internet address, which hides the intranet client. It also works around the shortage of public IPv4 addresses.
iptables -t nat -A POSTROUTING -s 10.1.249.158 -j SNAT --to-source 192.168.2.3
III. DNAT destination address translation
DNAT: destination address translation. When an Internet host accesses a server on the intranet, exposing the server's own IP address to the Internet leaves it open to various attacks. The main purpose of DNAT is to place a firewall in front of the server: the firewall address is published, and Internet clients reach the internal server by connecting to the firewall address. This protects the server.
iptables -t nat -A PREROUTING -d 10.1.249.125 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.4