Iptables Settings Explained with Diagrams

Source: Internet
Author: User
First, NetFilter tables, chains and rules
NetFilter contains three tables; the three tables contain five kinds of chains; and each chain contains rules. That is, a table holds several chains, and a chain holds several rules.
(i) The three tables: filter, nat, mangle
1. filter table: handles packets related to this machine and is the default table. It contains three chains: INPUT, OUTPUT, FORWARD.
2. nat table: independent of this machine; it mainly handles translation of source and destination IP addresses and ports. It contains three chains: PREROUTING, POSTROUTING, OUTPUT.
3. mangle table: used for advanced routing of packets, such as changing header fields (TOS, the type of service of the packet; TTL, the packet lifetime; MARK, a special mark). It contains two chains, PREROUTING and OUTPUT (kernel 2.4.18 adds two more: INPUT and FORWARD). It is rarely used.


(ii) The five chains
1. PREROUTING: rules executed on packets after they enter NetFilter and before the routing decision. Used to alter the packet.
2. INPUT: rules executed, after the routing decision, on packets destined for the local machine.
3. OUTPUT: rules executed on packets generated locally that need to be sent out.
4. FORWARD: rules executed, after the routing decision, on packets whose destination is not the local machine. Closely associated with the nat and mangle tables and not with this machine.
5. POSTROUTING: rules executed after the routing decision and just before the packet is handed to the network interface, i.e. as the packet is about to leave NetFilter.
[Figure: iptables packet-flow diagram (reposted)]
In the diagram above, the running daemon is this machine: packets on INPUT are delivered to this machine, which processes them and sends the results out through OUTPUT.


(iii) Path of a packet through NetFilter, following the diagram:
1. The packet enters the Linux server through the inbound interface, which hands it to NetFilter.
2. PREROUTING processing (for example, rewriting addresses in the packet).
3. Routing: the routing table determines the destination of the packet. If the destination is local, the packet passes to INPUT and then into the local machine; if it is not local, the packet passes to FORWARD.
4. After FORWARD processing the packet goes to POSTROUTING (for example, if an address needs to be changed once more), then leaves NetFilter, is handed to the outbound interface, and leaves the Linux server.
5. If a packet that entered the machine requires a reply to be sent out, or the machine itself generates a packet, the packet goes to the OUTPUT chain, then to POSTROUTING, and leaves the Linux server for the outside world.


(iv) Order of rule evaluation
When a packet enters NetFilter it is compared against the rules of a chain, and the rules are evaluated in order.
It is compared with rule 1 first; if it matches rule 1 and rule 1 accepts it, the packet is not compared with any later rule. If it does not match, it is compared with the following rules in turn until one accepts it. If no rule matches, the chain's default policy decides what happens to the packet. The order of the rules therefore matters.
This is the core of what needs to be understood about iptables; the detailed parameters can be found in the appendix of the guide.


Second, iptables syntax and parameters
iptables [-t table] command [chain] [match] [-j target]
Note: iptables [-t table-name] -command [chain] [match] [-j action/target]


(i) Table
1. filter table: the default; every command uses the filter table unless another is given. It handles only packets related to this machine.
2. nat table: used for NAT address translation. Only the first packet of a stream is matched by this table; the later packets of the stream are translated the same way automatically.
Divided into DNAT (destination address translation), SNAT (source address translation) and MASQUERADE.
(1) DNAT is mainly used when you have a legitimate IP address and want to redirect access to the firewall to another machine (such as one in the DMZ). In other words, the destination address is changed so that the packet is rerouted to a host.
(2) SNAT changes the source address of the packet, which to a great extent hides your local network or DMZ; it maps the internal network to the external network.
(3) MASQUERADE does exactly what SNAT does, but puts slightly more load on the machine, because for each matching packet it looks up the IP address currently available on the interface instead of using the address configured for SNAT. The benefit is that it works with PPP, PPPoE, SLIP and other dial-up addresses, which the ISP's DHCP assigns at random.
3. mangle table: used to change advanced properties of packets; generally not used.


(ii) Commands in detail
1. -A or --append: add one or more rules to the end of the chain.
2. -D or --delete: delete a rule from the chain.
3. -R or --replace: replace a rule in the selected chain.
4. -L or --list: list all rules of a chain.
5. -I or --insert: insert a rule into the chain at the given rule number; rule numbers count from the top, so "1" inserts at the head of the chain.
6. -X or --delete-chain: delete a user-defined chain. The chain must not be in use (and must be empty) for it to be deleted. If no chain is specified, all user-defined chains are deleted.
7. -F or --flush: flush all rules of the selected chain. With a chain name, the rules of that chain are deleted; without one, the rules of every chain are deleted.
8. -N or --new-chain: create a new chain with the given name.
9. -P or --policy: set the default target (policy) of the chain. Packets that match no rule in the chain are handled by the policy given here.
10. -Z or --zero: zero the packet and byte counters of all rules in the specified chain.


(iii) Matches
Four categories: generic matches, implicit matches, explicit matches, and matches for abnormal packets.


1. Generic matching
Generic matches can be used regardless of the protocol and of which extensions are loaded; they have no prerequisites.
(1) -p (lowercase) or --protocol
Checks the protocol. Three protocols are recognised: tcp, udp, icmp; commas can separate any combination of the three. "!" negates, meaning every protocol except the named one. "all" stands for all protocols; it is the default, but covers only the three protocols tcp, udp and icmp.
iptables -A INPUT -p tcp
iptables -A INPUT ! -p icmp   # everything except ICMP; the older spelling -p ! icmp means the same


(2) -s or --source
Matches on the source IP address of the packet, so packets can be allowed or denied by source address range. "!" negates; the default matches all IP addresses.
Either a single IP address or a network segment can be given: 192.168.1.1/255.255.255.255 is one address, 192.168.1.0/255.255.255.0 is a network segment.


(3) -d or --destination
Matches on the destination IP address; same format and usage as --source.


(4) -i or --in-interface
Matches the network interface on which the packet entered the local machine. Usable only in the INPUT, FORWARD and PREROUTING chains; in any other chain it is an error.
Two symbols can be used: "+" and "!".
A "+" on its own matches all packets regardless of interface: iptables -A INPUT -i +   # matches all packets
Placed after an interface prefix, "+" matches all interfaces of that kind: iptables -A INPUT -i eth+   # matches all Ethernet interfaces


(5) -o or --out-interface
Matches the network interface through which the packet leaves the local machine; used the same way as -i.
Usable only in the OUTPUT, FORWARD and POSTROUTING chains; in any other chain it is an error.
Two symbols can be used: "+" and "!".


(6) -f or --fragment
Matches the second and later fragments of a fragmented packet. When a packet is split into several fragments, only the first fragment carries the source and destination information; the later ones do not, so only this match can select them. Used to guard against fragmentation attacks.


2. Implicit matching
These matches are implicit and are loaded automatically: with --protocol tcp, the TCP-specific matches become available automatically.
Implicit matches exist for three protocols: TCP, UDP, ICMP.
2.1 TCP matches
TCP matches can only examine details of a TCP packet or stream, and they require -p tcp as a precondition.
(2.1.1) --sport
Matches on the source port of a TCP packet; if not specified, all ports match.
iptables -A INPUT -p tcp --sport 22:80   # TCP source ports 22 to 80
iptables -A INPUT -p tcp --sport 22:     # TCP source ports 22 to 65535
(2.1.2) --dport
Matches on the destination port of a TCP packet; used the same way as --sport.
(2.1.3) --tcp-flags
Matches the specified TCP flags.
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN   # of SYN, FIN and ACK, only SYN may be set
2.2 UDP matches
(2.2.1) --sport
Matches on the source port of a UDP packet; if not specified, all ports match.

(2.2.2) --dport
Matches on the destination port of a UDP packet; if not specified, all ports match.
2.3 ICMP match
--icmp-type
Matches on the ICMP type. The type can be given as a decimal number or by name; each type has its own ICMP number. "!" can be used to negate.
Example: iptables -A INPUT -p icmp --icmp-type 8   # echo request


3. Explicit matching
Explicit matches must be loaded with -m.
(1) limit match
Must be requested explicitly with -m limit. It limits how many times a rule can match: once the rule has matched a certain number of times it stops matching, i.e. it limits the number of packets the rule can match. This helps against DoS attacks.
How the throttling works: a maximum number of matches (the burst) is set; when it is used up, the rule stops matching. However, once the limit is used up, one further match is granted again after each interval, and the number of unused matches that accumulates never exceeds the burst maximum.
--limit rate
The maximum average match rate. Units are '/second', '/minute', '/hour' or '/day'; the default is 3/hour.
--limit-burst number
The maximum initial number of packets that can be matched; after this burst is used up, matching continues at roughly one packet per interval set by --limit. The default is 5.
iptables -A INPUT -m limit --limit 3/hour   # sets the maximum average match rate, i.e. how many packets may match per unit of time; --limit decides how often a new "pass" is issued
iptables -A INPUT -m limit --limit-burst 5  # start with 5 passes, so at most 5 packets can match at once
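The rate/burst behaviour described above is a token bucket. The following is an added illustration written for this page, not code from the original article or from the kernel's limit module: `--limit` is modelled as the refill rate and `--limit-burst` as the bucket size, and every arrival time is a constructed sample value in seconds.

```python
# Token-bucket model of the iptables 'limit' match (added example; not the
# article's or the kernel's code). --limit = refill rate, --limit-burst =
# bucket size. All timestamps below are constructed sample values (seconds).

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'3/hour' -> 1200.0: the number of seconds needed to earn one token.
    A bare number such as '5' means per second, as in iptables."""
    count, _, unit = spec.partition("/")
    return UNITS[unit or "second"] / int(count)


class LimitMatch:
    def __init__(self, limit="3/hour", burst=5):
        self.interval = parse_rate(limit)  # seconds per token
        self.burst = burst                 # bucket capacity
        self.tokens = float(burst)         # bucket starts full
        self.last = 0.0                    # time of the previous packet

    def matches(self, now):
        """Return True if the packet arriving at time `now` matches."""
        # Refill in proportion to the time elapsed, never beyond the burst.
        earned = (now - self.last) / self.interval
        self.tokens = min(self.burst, self.tokens + earned)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0             # spend one token: the rule matches
            return True
        return False                       # bucket empty: no match


def simulate(limit, burst, arrival_times):
    """Run one limit match over a list of packet arrival times and return
    the per-packet match result, so the effect of a burst and of idle
    gaps can be inspected."""
    m = LimitMatch(limit, burst)
    return [m.matches(t) for t in arrival_times]


if __name__ == "__main__":
    # Six packets at once, then one every 10-20 minutes: with 3/hour and
    # burst 5 the sixth packet is refused, and afterwards one token comes
    # back every 1200 seconds.
    print(simulate("3/hour", 5, [0, 0, 0, 0, 0, 0, 1200, 1800, 2400]))
```

With the defaults (3/hour, burst 5) the first five packets of a flood match, the sixth does not, and a packet 20 minutes later matches again because exactly one token has been earned; a packet only 10 minutes after that is refused because half a token is not enough. A long idle period refills the bucket, but never above the burst.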
(2) mac match
Matches only on the MAC source address of the packet.
iptables -A INPUT -m mac --mac-source 00:00:eb:1c:24:00   # source MAC address (six-octet example value)
(3) mark match
Matches on the mark value set on the packet; the value is set by the MARK target.
(4) multiport match
Matches a set of source or destination ports; up to 15 ports can be given. Can only be used together with -p tcp or -p udp.

The multiport extension lets us specify several non-contiguous ports in one rule; without it, a separate rule would be needed for each port. It is simply an enhanced version of the standard port match, and standard port matching and multiport matching cannot be used in the same rule.
Three options: --source-ports (--sports); --destination-ports (--dports); --ports
iptables -A INPUT -p tcp -m multiport --sports 22,28,115
iptables -A INPUT -p tcp -m multiport --dports 22,28,115
iptables -A INPUT -p tcp -m multiport --ports 22,28,115
(5) state match
The state match depends on the kernel's connection-tracking code, because a packet's state is obtained from the connection-tracking mechanism; without it, the state a connection is in cannot be known.
(6) tos match
Matches the packet on the TOS field, used to control priority.
(7) ttl match
Matches the packet on the TTL field of the IP header.
The TTL target (mangle table) changes the TTL of a packet; some ISPs use the TTL to detect whether more than one machine shares an Internet connection.
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64   # rewrite the TTL to 64
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
# The packet leaves the firewall with its TTL reduced by 2 in total: this rule subtracts 1, and forwarding through the firewall subtracts 1 again.
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
# The packet leaves the firewall with its TTL unchanged (the +1 here cancels the -1 of forwarding), so traceroute no longer shows the firewall as a hop.
(8) owner match
Matches a packet on the ID of the packet's creator (its owner). The owner can be the user ID of the process that generated the packet, its group ID, the process ID, or the session ID. This can only be used in the OUTPUT chain.
This module matches locally generated packets on characteristics of the packet's creator. Packets that have no owner (such as ICMP ping replies) never match.
--uid-owner userid
Matches packets generated by a process running as the given user ID.
--gid-owner groupid
Matches packets generated by a process running as the given group ID.
--sid-owner sessionid
Matches packets generated by a process in the given session group.


(iv) Targets / jumps
The action specified by a rule: what is done with a packet that matches the rule.
1. ACCEPT
Takes no options; specified as -j ACCEPT.
Once a packet is accepted it is not compared with any further rule of that chain or table, but it may still be matched by the chains of other tables. That is, after a match within one table the packet does not continue down that chain; it moves on to the next table.
2. DROP
-j DROP: when a packet matches the rule exactly, the packet is discarded without further processing. Nothing is returned to the sender, and nothing is returned to the router either.
3. REJECT
Works like DROP, except that after discarding the packet an error message is sent back to the sender.
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with icmp-net-unreachable

4. DNAT
Used in the PREROUTING chain.
Performs destination network address translation: it rewrites the destination IP address.
Once the first packet of a connection matches, all packets belonging to the same stream are translated automatically, so they can be routed to the correct host and network.
This is like the external-address mapping of a firewall: an external address is mapped to an internal address.
iptables -t nat -A PREROUTING -d 218.104.235.238 -p tcp -m multiport --dports 110,125 -j DNAT --to-destination 192.168.9.1
Forwards all packets addressed to ports 110 and 125 of 218.104.235.238 to 192.168.9.1.
--to-destination   # destination rewrite


5. SNAT
Used in the POSTROUTING chain of the nat table. The opposite of DNAT: it performs source address translation, i.e. rewrites the source IP address. Commonly used for internal-network-to-external-network translation.
--to-source
iptables -t nat -A POSTROUTING -o eth0 -p tcp -j SNAT --to-source 218.107.248.127   # packets leaving through eth0 get their source address rewritten to 218.107.248.127
********************
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.9
# All traffic to 15.45.23.67:80 is DNATed to 192.168.1.9:80
If a machine on the same intranet as 192.168.1.9 accesses 15.45.23.67, the firewall also needs a rule that changes the source IP to the firewall's intranet IP 192.168.1.1. Otherwise the reply is sent directly to the intranet machine, which discards it.
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.9 --dport 80 -j SNAT --to-source 192.168.1.1
# Rewrite the source IP of intranet packets going to 15.45.23.67:80 to 192.168.1.1. POSTROUTING sees the packet after the PREROUTING DNAT, so the match is on the translated destination 192.168.1.9.
If the firewall itself also needs to access 15.45.23.67:80, the rule must be added in the OUTPUT chain, because packets generated by the firewall do not pass through PREROUTING.
iptables -t nat -A OUTPUT -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.9
********************
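The interplay of the three rules above is easier to see in a small model. The following is an added example written for this page, not code from the original article: it applies first-match NAT rules on PREROUTING, OUTPUT and POSTROUTING to a packet and checks whether the web server's reply would come back through the firewall. The addresses 15.45.23.67, 192.168.1.1 and 192.168.1.9 are the article's; the LAN client 192.168.1.5 and the external client 203.0.113.7 are constructed sample values.

```python
# Model of the nat-table rules in the block above (added example; not code
# from the original article). First-match NAT on PREROUTING, OUTPUT and
# POSTROUTING, plus a check of why the hairpin SNAT rule is needed.
# 192.168.1.5 and 203.0.113.7 are constructed sample clients.

from dataclasses import dataclass, replace

PUBLIC_IP = "15.45.23.67"     # address on the firewall's external interface
FW_LAN_IP = "192.168.1.1"     # firewall's intranet address
WEB_SERVER = "192.168.1.9"    # real web server behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip):
    """Stand-in for the match -s 192.168.1.0/24."""
    return ip.startswith("192.168.1.")


def dnat_to_web(p):
    """-j DNAT --to-destination 192.168.1.9"""
    return replace(p, dst=WEB_SERVER)


def snat_to_firewall(p):
    """-j SNAT --to-source 192.168.1.1"""
    return replace(p, src=FW_LAN_IP)


# Each chain is an ordered list of (match, target). The nat table is only
# consulted for the first packet of a connection; conntrack applies the
# same mapping, and its reverse, to every later packet of the stream.
NAT_WITH_HAIRPIN = {
    "PREROUTING": [(lambda p: p.dst == PUBLIC_IP and p.dport == 80, dnat_to_web)],
    "OUTPUT":     [(lambda p: p.dst == PUBLIC_IP and p.dport == 80, dnat_to_web)],
    # POSTROUTING runs after the PREROUTING DNAT, so it sees the translated
    # destination 192.168.1.9, not 15.45.23.67.
    "POSTROUTING": [(lambda p: in_lan(p.src) and p.dst == WEB_SERVER and p.dport == 80,
                     snat_to_firewall)],
}
# The same table without the hairpin SNAT rule, for comparison.
NAT_NO_HAIRPIN = {**NAT_WITH_HAIRPIN, "POSTROUTING": []}


def run_chain(table, chain, pkt):
    for match, target in table[chain]:
        if match(pkt):
            return target(pkt)      # first matching rule wins
    return pkt                      # no rule matched: packet unchanged


def traverse(table, pkt, origin):
    """Carry a packet through the nat table. origin is 'interface' for a
    packet arriving on a NIC, or 'local' for one generated by the firewall
    itself (which enters at OUTPUT and never sees PREROUTING)."""
    pkt = run_chain(table, "OUTPUT" if origin == "local" else "PREROUTING", pkt)
    if pkt.dst in (PUBLIC_IP, FW_LAN_IP):
        return pkt                  # routed to INPUT: POSTROUTING is not visited
    return run_chain(table, "POSTROUTING", pkt)


def reply_returns_through_firewall(delivered):
    """The web server answers whatever source address it saw. The reply only
    crosses the firewall (where conntrack reverses both translations) if that
    source is the firewall or an external host; a LAN source receives the
    reply directly from 192.168.1.9 instead of 15.45.23.67 and discards it."""
    return delivered.src == FW_LAN_IP or not in_lan(delivered.src)


def hairpin_works(table, client_ip):
    """Constructed scenario: client_ip connects to 15.45.23.67:80 through
    `table`; returns (packet as delivered to the web server, reply ok?)."""
    request = Packet(client_ip, 40000, PUBLIC_IP, 80)
    origin = "local" if client_ip == FW_LAN_IP else "interface"
    delivered = traverse(table, request, origin)
    return delivered, reply_returns_through_firewall(delivered)


if __name__ == "__main__":
    for name, table in (("with hairpin", NAT_WITH_HAIRPIN), ("no hairpin", NAT_NO_HAIRPIN)):
        for client in ("203.0.113.7", "192.168.1.5", FW_LAN_IP):
            print(name, client, hairpin_works(table, client))
```

An external client works with or without the POSTROUTING rule, because the server's reply to 203.0.113.7 must pass the firewall anyway. The LAN client only works when its source is rewritten to 192.168.1.1; and the firewall's own connection is only translated at all because the DNAT rule is duplicated in OUTPUT.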


6. MASQUERADE
Does the same job as SNAT, except that it does not need a fixed translated IP address: it is designed for connections whose IP address is obtained dynamically.
MASQUERADE automatically takes the current IP address of the server's network interface and uses it for NAT.
For example, with home ADSL the external IP address is not fixed, so the NAT address cannot be configured as a fixed value; MASQUERADE obtains it dynamically.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE   # packets from the 192.168.1.0 segment get their source rewritten to the current dynamic external IP address


7. REDIRECT
Can only be used in the PREROUTING and OUTPUT chains of the nat table.
Redirects a packet or stream to another port on the firewall machine itself. For example, all packets going to the HTTP port can be redirected to an HTTP proxy (such as squid) running on our own host.
--to-ports
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Without this option, the destination port is not changed.
A single port: --to-ports 8080
A port range: --to-ports 8080-8090


8. RETURN
As the name implies, it returns the packet to the previous level, in the order child chain, then parent chain, then default policy. Specifically, if a packet hits RETURN in a sub-chain, evaluation continues with the next rule of the parent chain; if RETURN is hit in a parent (built-in) chain such as INPUT, the chain's default policy (typically ACCEPT or DROP) is applied. (Translator's note: this is much like a function return value in C.)
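The rule-order semantics of section (iv) and the RETURN behaviour just described can be exercised with a small simulator. This is an added example written for this page, not code from the original article or from netfilter itself: one table with first-match evaluation, a default policy per built-in chain, jumps into user-defined chains and RETURN. The chain layout (INPUT with policy DROP, a user chain SSH_CHECK) and the packet fields are constructed sample data.

```python
# Simulator of rule-evaluation order in one netfilter table (added example;
# not code from the original article). First-match semantics, the chain
# default policy (-P), jumps into user-defined chains and the RETURN target:
# RETURN in a user chain resumes the parent chain, RETURN in a built-in chain
# (or falling off its end) applies the policy. Packets are dicts of
# constructed sample fields.

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


class Rule:
    def __init__(self, target, **match):
        self.target = target   # ACCEPT, DROP, RETURN or a user-chain name
        self.match = match     # e.g. proto="tcp", dport=22; empty = match all

    def matches(self, pkt):
        return all(pkt.get(field) == value for field, value in self.match.items())


class Table:
    def __init__(self):
        self.chains = {}   # chain name -> ordered list of Rule
        self.policy = {}   # built-in chain -> default policy
        self.trace = []    # (chain, rule number or "policy", target) of each hit

    def new_chain(self, name, policy=None):
        self.chains[name] = []
        if policy:
            self.policy[name] = policy

    def append(self, chain, rule):
        self.chains[chain].append(rule)             # like -A

    def insert(self, chain, rule, num=1):
        self.chains[chain].insert(num - 1, rule)    # like -I chain [rulenum]

    def _walk(self, chain, pkt):
        """Scan a chain top to bottom. Returns ACCEPT/DROP, or RETURN when
        an explicit RETURN was hit or no rule matched."""
        for num, rule in enumerate(self.chains[chain], start=1):
            if not rule.matches(pkt):
                continue                              # keep scanning
            self.trace.append((chain, num, rule.target))
            if rule.target in (ACCEPT, DROP, RETURN):
                return rule.target
            verdict = self._walk(rule.target, pkt)    # jump into a user chain
            if verdict != RETURN:
                return verdict                        # terminating verdict
            # RETURN from the user chain: carry on with the next rule here.
        return RETURN

    def verdict(self, chain, pkt):
        """Evaluate a built-in chain; the policy decides on fall-through."""
        self.trace = []
        result = self._walk(chain, pkt)
        if result == RETURN:
            self.trace.append((chain, "policy", self.policy[chain]))
            return self.policy[chain]
        return result


def build_input_table(block_http_first=False):
    """Constructed filter table: INPUT with policy DROP, and a user chain
    SSH_CHECK that accepts SSH only from the LAN and RETURNs otherwise."""
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("SSH_CHECK")
    t.append("SSH_CHECK", Rule(ACCEPT, src_net="192.168.1.0/24"))
    t.append("SSH_CHECK", Rule(RETURN))                  # not from the LAN
    t.append("INPUT", Rule(ACCEPT, state="ESTABLISHED"))
    t.append("INPUT", Rule("SSH_CHECK", proto="tcp", dport=22))
    t.append("INPUT", Rule(ACCEPT, proto="tcp", dport=80))
    if block_http_first:
        # Inserted at position 1, so it is consulted before the ACCEPT above:
        # rule order, not rule count, decides the outcome.
        t.insert("INPUT", Rule(DROP, proto="tcp", dport=80), 1)
    return t


def decide(pkt, block_http_first=False):
    """Return the INPUT verdict for a packet dict."""
    return build_input_table(block_http_first).verdict("INPUT", pkt)


if __name__ == "__main__":
    t = build_input_table()
    print(t.verdict("INPUT", {"proto": "tcp", "dport": 22, "src_net": "0.0.0.0/0", "state": "NEW"}), t.trace)
```

For SSH from outside the LAN the trace reads INPUT rule 2 (jump), SSH_CHECK rule 2 (RETURN), then the INPUT policy: the RETURN hands control back to INPUT, no later rule matches, and the policy DROP applies. The `block_http_first` variant shows the point of section (iv): inserting a DROP rule at position 1 changes the verdict for port 80 even though the ACCEPT rule is still present.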


9. MIRROR
Swaps the source and destination addresses in the IP header and sends the packet back.


10. LOG
Logs in kernel space; view the messages with dmesg and similar tools.


11. ULOG
Logs to user space.


(v) IP forwarding
Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
If a dynamic IP address is used (PPP, DHCP and so on), also enable:
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
