For Linux users, iptables is one of the necessary skills! Many people find iptables difficult and unfamiliar; it looks like a mess! In fact iptables (the firewall) is rarely about complicated commands. Once you understand the logic of how its parts relate, the remaining commands may still feel a bit rusty, but you can always tell what each one is doing!
Packets enter iptables at PREROUTING (before routing). The routing decision then decides whether the packet is delivered to this host (inbound) or forwarded.

  Inbound/outbound path (routing decision: the packet is for this host):
    network A --> PREROUTING --> routing decision --> INPUT --> (local host) --> OUTPUT --> POSTROUTING --> network B

  Forwarding path (routing decision: not for this host, so it never enters the local host and there is no inbound/outbound):
    network A --> PREROUTING --> routing decision --> FORWARD --> POSTROUTING --> network B
After looking at this rough topology diagram, you should have a general idea of how the firewall operates! Now let's talk about the four tables.
The tables are matched in the order raw → mangle → nat → filter! Here is which chains each table contains:

raw (packet tracking decisions, before routing and on output)   mangle (modifies packet marks)
nat (address translation table)                                 filter (filter table)

Table    Purpose                      Chains
raw      packet tracking decisions    PREROUTING (before routing), OUTPUT (outbound)
mangle   modifying packet marks       PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
nat      address translation          PREROUTING (before routing), POSTROUTING (after routing), OUTPUT (outbound)
filter   packet filtering             INPUT (inbound), FORWARD (forwarding), OUTPUT (outbound)

These are the chains contained in the four tables; by default most work is done on the filter table! The following are the processing actions (targets):
ACCEPT: allow the packet through. DROP: discard it directly without giving a response. REJECT: refuse it and send a response back. LOG: log the packet, then pass it on to the next rule. iptables executes the action of the first rule that matches and stops matching there; LOG is the one exception, since matching continues after it!
Order in which the chains are traversed
Inbound: PREROUTING → INPUT
Outbound: OUTPUT → POSTROUTING
Forwarding: PREROUTING → FORWARD → POSTROUTING
Rules within a chain are compared in sequence; the first match stops further matching (except LOG), and if nothing matches, the chain's default policy is applied.
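The ordering rules described above, carried through in a working script. This is an added example, not code from the original post: the reply-first ordering, the LOG rule that falls through to an explicit DROP, and the default policy set last are the points the text makes, and the forward path goes one step further by showing that a DNAT in nat/PREROUTING still needs a matching rule in filter/FORWARD. The interface names (eth0 outside, eth1 LAN), the public address 203.0.113.10, the management subnet 192.168.1.0/24 and the internal host 192.168.0.10 are placeholders, and DRY_RUN/APPLY are this script's own switches.

```shell
#!/bin/sh
# Added example (not from the article): a default-deny INPUT chain and a
# FORWARD/NAT set for a small gateway, written in the order that iptables'
# first-match semantics require. Placeholders, not values from the article:
# eth0 = outside interface, eth1 = LAN interface, 203.0.113.10 = public
# address, 192.168.1.0/24 = management subnet, 192.168.0.10 = internal host.

# ipt: run iptables, or with DRY_RUN=1 print the rule instead of loading it.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_input_chain() {
    # Open the policy before flushing: a flush with policy DROP already in
    # place would cut the remote session that is loading these rules.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 1. Replies to connections this host started are accepted first, so no
    #    later rule has to repeat the exception.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # 2. Specific allows: SSH only from the management subnet, HTTP from anywhere.
    ipt -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # 3. LOG does not stop matching, so the packet continues to the DROP below;
    #    -m limit keeps a flood from filling the log. The chain policy, set
    #    last, catches anything the explicit rules miss.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    ipt -A INPUT -j DROP
    ipt -P INPUT DROP
}

build_forward_and_nat() {
    ipt -P FORWARD ACCEPT
    ipt -F FORWARD
    ipt -t nat -F
    # FORWARD is first-match too: replies first, then the specific allows.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections outward; the source address is rewritten
    # in nat/POSTROUTING, i.e. after the routing decision.
    ipt -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to-source 203.0.113.10
    # Port forward: nat/PREROUTING rewrites the destination before routing, so
    # the packet takes the FORWARD path and filter/FORWARD must accept the
    # rewritten destination (192.168.0.10:8080), not the public one.
    ipt -t nat -A PREROUTING -i eth0 -d 203.0.113.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10:8080
    ipt -A FORWARD -i eth0 -o eth1 -d 192.168.0.10 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
    ipt -A FORWARD -j DROP
    ipt -P FORWARD DROP
}

# Stand-alone use: DRY_RUN=1 prints the plan; APPLY=1 loads it (needs root).
if [ "${DRY_RUN:-0}" = 1 ] || [ "${APPLY:-0}" = 1 ]; then
    build_input_chain
    build_forward_and_nat
fi
```

Run it with DRY_RUN=1 first and read the printed rules top to bottom in the order the kernel will evaluate them; only then load them with APPLY=1. The same ordering discipline applies when you later use -I: an inserted rule lands before the ESTABLISHED accept, so a misplaced REJECT there cuts existing sessions.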
Adding rules: -A appends a rule to the end of a chain
-I inserts a rule at the beginning of a chain, or at a given position number
Viewing rules: -n shows addresses and ports as numbers
--line-numbers shows each rule's sequence number when listing rules
Deleting rules: -D deletes the rule with the given number from a chain
-F clears all rules
Default policy: -P sets the default policy for the specified chain
Filter table: filtering and forwarding
Generic matches: 1. protocol match: -p <protocol name>
2. address match: -s <source address>, -d <destination address>
3. interface match: -i <interface receiving the packet>, -o <interface sending the packet>
Implicit matches (available once a protocol is given): 1. port match: --sport <source port>, --dport <destination port>
2. ICMP match: --icmp-type <ICMP type>
3. TCP flags: --tcp-flags <mask> <set> (which bits to check, and which of those must be set); prefix with ! to invert the match
Explicit matches: 1. state match: -m state --state <state value>
2. MAC address match: -m mac --mac-source <MAC address>
3. multi-port match: -m multiport --sports <source port list>
-m multiport --dports <destination port list>
IP range match: -m iprange --src-range ip1-ip2
-m iprange --dst-range ip1-ip2
Those are the iptables parameters; the ones in everyday use are not many, and you get to know them by using them! Nothing beats practice!
View table rules
iptables -nL
Set the default policy of a chain
iptables -P INPUT DROP
Insert table rules
iptables -I INPUT -p tcp --dport 80 -j ACCEPT                    # open local port 80
iptables -I INPUT -p tcp --dport 80 -j REJECT                    # close local port 80
iptables -I INPUT -s 192.168.1.1 -j ACCEPT                       # allow this IP to access the local host
iptables -I INPUT -p tcp --dport 80 -s 192.168.1.1 -j DROP       # deny this IP access to local port 80
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 124.126.x.x
# rewrite the source address of the 192.168.0.0 segment to 124.126.x.x
iptables -t nat -I PREROUTING -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.1
# redirect access to port 80 on 192.168.1.1 to 192.168.2.1
iptables -t filter -I INPUT -p icmp -j REJECT                     # reject pinging the local host
iptables -I FORWARD -m string --algo bm --string "/etc/passwd" -j REJECT
# reject forwarding of packets that contain the string /etc/passwd
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.1 --dport 80 -j DNAT --to-destination 192.168.1.1:8080
# redirect access to local port 80 to port 8080
Save firewall rules
service iptables save
View firewall rules
service iptables status
iptables -nL --line-numbers    # show rule line numbers
Delete a firewall rule
iptables -D INPUT 2            # delete the second rule in INPUT
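A few checks to run over the listing that `iptables -nL --line-numbers` prints, as an added example that is not part of the original post. The listing in SAMPLE is constructed for the example (FORWARD is deliberately left at policy ACCEPT so the audit has something to report); the function names chain_policy, rule_count, first_target and audit_listing are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): checks over `iptables -nL --line-numbers`
# output. SAMPLE is a constructed listing, not captured from a real host; on a
# real system feed the live output instead:  iptables -nL --line-numbers | audit_listing

SAMPLE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
3    LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "INPUT-DROP: "
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# chain_policy CHAIN: print the default policy of a built-in chain (listing on stdin).
chain_policy() {
    awk -v c="$1" '$1 == "Chain" && $2 == c && $3 == "(policy" { sub(/\)$/, "", $4); print $4 }'
}

# rule_count CHAIN: number of numbered rules in CHAIN (listing on stdin).
rule_count() {
    awk -v c="$1" '
        $1 == "Chain"               { cur = $2; next }
        cur == c && $1 ~ /^[0-9]+$/ { n++ }
        END                         { print n + 0 }'
}

# first_target CHAIN: target of rule 1, the rule consulted before any other.
first_target() {
    awk -v c="$1" '
        $1 == "Chain"         { cur = $2; next }
        cur == c && $1 == "1" { print $2; exit }'
}

# audit_listing: one finding per line; empty output means the checks passed.
# Checks: INPUT and FORWARD must end in policy DROP (unmatched packets are
# discarded), and INPUT's first rule must be the ACCEPT for replies, so that
# a later -I insert cannot silently get ahead of it.
audit_listing() {
    awk '
        $1 == "Chain" {
            cur = $2
            if ($3 == "(policy") { sub(/\)$/, "", $4); pol[cur] = $4 }
            next
        }
        $1 ~ /^[0-9]+$/ { if ($1 == "1") first[cur] = $2 }
        END {
            for (c in pol) {
                if ((c == "INPUT" || c == "FORWARD") && pol[c] != "DROP")
                    print c ": default policy is " pol[c] ", expected DROP"
                if (c == "INPUT" && first[c] != "ACCEPT")
                    print c ": first rule is " first[c] ", expected the ESTABLISHED,RELATED ACCEPT"
            }
        }'
}

# Stand-alone run: audit the constructed sample.
printf '%s\n' "$SAMPLE" | audit_listing
```

The rule numbers the audit reads are the same ones `iptables -D <chain> <num>` takes, so a finding such as a REJECT sitting at position 1 maps directly onto the delete command shown above.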
All right, that's a brief introduction to the firewall. A lot has been left unsaid, including some parameters! With iptables, you can usually tell from the parameters themselves what they do. I hope you have gained something from this! Once you understand the firewall's workflow, you won't be lost when writing your firewall rules!
I hope you feel it was worth your while! Wishing everyone a happy life!
This article is from the "Bucket Month" blog, please be sure to keep this source http://douyue.blog.51cto.com/10174393/1640454
Iptables Introduction to logic and some parameters