The four tables and five chains in iptables

Source: Internet
Author: User

iptables is only a management tool for the Linux firewall, located at /sbin/iptables. The actual firewall functionality is provided by netfilter, the packet-filtering framework inside the Linux kernel.

iptables contains 4 tables and 5 chains. Tables are distinguished by the kind of operation performed on a packet, and chains are distinguished by hook point; tables and chains are really two dimensions of netfilter. The 4 tables are filter, nat, mangle and raw; the default table is filter (it is used when no table is specified). Table processing priority: raw > mangle > nat > filter.

filter: general packet filtering

nat: NAT functions (port mapping, address mapping, etc.)

mangle: used to modify specific packets

raw: has the highest priority; raw is generally set so that iptables no longer performs connection tracking on the packets, which improves performance

5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

PREROUTING: before the packet goes through the routing table

INPUT: after the routing table, when the destination is the local machine

FORWARD: after the routing table, when the destination is not the local machine

OUTPUT: packets generated by the local machine and sent outward

POSTROUTING: just before the packet is sent to the network interface

Rule tables:

1. filter table -- three chains: INPUT, FORWARD, OUTPUT
Function: filters packets. Kernel module: iptable_filter
2. nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP, port). Kernel module: iptable_nat
3. mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modifies a packet's type of service and TTL, and can be combined with routing configuration to implement QoS. Kernel module: iptable_mangle (although this table looks troublesome, we don't use it when we set up our policies)
4. raw table -- two chains: OUTPUT, PREROUTING
Function: determines whether a packet is handled by the state-tracking mechanism. Kernel module: iptable_raw
(This is REHL4. , but don't be afraid, not much to use)

Rule chains:

1. INPUT -- the policies in this chain are applied to incoming packets
2. OUTPUT -- the policies in this chain are applied to outgoing packets
3. FORWARD -- the policies in this chain are applied when a packet is forwarded
4. PREROUTING -- the rules in this chain are applied before the packet is routed
(Remember: all packets are processed by this chain first when they come in)
5. POSTROUTING -- the rules in this chain are applied after the packet is routed
(all packets are processed by this chain on their way out)

Order of precedence between rule tables:

raw -- mangle -- nat -- filter

Order of precedence between rule chains (three cases):

First case: inbound data flow

Packets arriving at the firewall from outside are first processed by the PREROUTING chain (whether to modify the packet address, etc.), and then routed (to determine where the packet should be sent). If the packet's destination is the firewall itself (for example, a packet from an Internet user accessing a web server on the firewall host), the kernel passes it to the INPUT chain for processing (deciding whether to let it through, etc.). Once it passes, it is handed to the upper-layer application (such as an Apache server) to respond.

Second case: forwarded data flow

When a packet arrives at the firewall from outside, it is first processed by the PREROUTING chain and then routed. If the destination address of the packet is some other external address (for example, a packet from a LAN user accessing the QQ site through the gateway), the kernel passes it to the FORWARD chain for processing (forward or block) and then hands it to the POSTROUTING chain (whether to modify the packet address, etc.).

Third case: outbound data flow

When the firewall itself sends packets to an external address (for example, when testing a public DNS server from the firewall host), they are first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (whether to modify the packet address, etc.) for processing.

Basic syntax of iptables:

iptables [-t table name] command option [chain name] [match conditions] [-j target action or jump]

Description: The table name and chain name specify the table and chain that the iptables command operates on. The command option specifies how the rules are managed (insert, append, delete, view, etc.). The match conditions specify which packets the rule applies to. The target action or jump specifies how matching packets are handled (allow, reject, drop, jump to another chain for processing, etc.).

Management options of the iptables command:

-A Append a new rule at the end of the specified chain (append)
-D Delete a rule from the specified chain (delete), by rule number or by content
-I Insert a new rule into the specified chain (insert); by default it is added as the first rule
-R Modify or replace a rule in the specified chain (replace), specified by rule number and content
-L List all the rules in the specified chain (list)
-F Empty the rules (flush)
-N Create a new user-defined rule chain (new-chain)
-X Delete a user-defined rule chain from the specified table (delete-chain)
-P Set the default policy of the specified chain (policy)
-n Display the output in numeric form (numeric)
-v Show detailed information about the rules (verbose)
-V Show the version (version)
-h Show help (help)

Four ways the firewall handles packets:

ACCEPT allows the packet to pass
DROP discards the packet directly without sending any response
REJECT refuses the packet and, if necessary, sends a response message to the sender
LOG records log information in the /var/log/messages file and then passes the packet to the next rule

Saving and restoring iptables firewall rules

iptables-save saves the rules to a file, which is loaded automatically by the script under the rc.d directory (/etc/rc.d/init.d/iptables).

Use the iptables-save command to save the rules. Typical usage:

iptables-save > /etc/sysconfig/iptables

This generates the file /etc/sysconfig/iptables, which holds the rules.

You can also use

service iptables save

which automatically saves the rules to /etc/sysconfig/iptables.

When the computer starts, the script under rc.d calls iptables-restore on this file, which restores the rules automatically.
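The saved file is plain text: a "*table" line, one ":CHAIN POLICY [counters]" line per chain, the "-A" rules, then "COMMIT". The following is an added example, not part of the original article, that reads this format and reports each chain's default policy and rule count, flagging filter INPUT/FORWARD chains that default to ACCEPT with no catch-all DROP or REJECT. The sample ruleset is constructed, and the names sample_rules, audit_rules and the DEFAULT-ALLOW flag are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (the layout of /etc/sysconfig/iptables).
sample_rules() {
cat <<'EOF'
# constructed sample, not captured from a real host
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20450:20480 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
COMMIT
EOF
}

# audit_rules: read iptables-save text on stdin and print one line per chain:
#   table chain policy rule-count [DEFAULT-ALLOW]
audit_rules() {
  awk '
    /^\*/  { table = substr($0, 2); next }        # "*filter" opens a table
    /^:/   { key = table " " substr($1, 2)        # ":INPUT DROP [0:0]"
             policy[key] = $2; count[key] = 0; order[++n] = key; next }
    /^-A / { key = table " " $2; count[key]++
             # a rule with no match conditions acts as a catch-all
             if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
               catchall[key] = 1
             next }
    END {
      for (i = 1; i <= n; i++) {
        key = order[i]; flag = ""; split(key, p, " ")
        if (p[1] == "filter" && (p[2] == "INPUT" || p[2] == "FORWARD") &&
            policy[key] == "ACCEPT" && !(key in catchall))
          flag = " DEFAULT-ALLOW"
        print key, policy[key], count[key] flag
      }
    }'
}
```

On a live system the same function can be fed with "iptables-save | audit_rules" or "audit_rules < /etc/sysconfig/iptables".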

Delete the first rule of the INPUT chain

iptables -D INPUT 1

Common policies for an iptables firewall:

1. Reject all ICMP packets entering the firewall
iptables -I INPUT -p icmp -j REJECT

2. Allow the firewall to forward all packets except ICMP
iptables -A FORWARD ! -p icmp -j ACCEPT
Description: "!" inverts the condition.

3. Refuse to forward data from host 192.168.1.10, and allow forwarding of data from the 192.168.0.0/24 network segment
iptables -A FORWARD -s 192.168.1.10 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Note: The reject rule must be placed first, otherwise it will not take effect.

4. Drop packets that enter the firewall through the external network interface (eth1) with a private network source address
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

5. Block a network segment (192.168.1.0/24) and lift the block two hours later.
[root@server ~]# iptables -I INPUT -s 192.168.1.0/24 -j DROP
[root@server ~]# iptables -I FORWARD -s 192.168.1.0/24 -j DROP
[root@server ~]# at now +2 hours
at> iptables -D INPUT 1
at> iptables -D FORWARD 1
[1]+  stopped     at now +2 hours
Description: For this policy we rely on a crond scheduled task to finish the job, which could not be better.
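The at job above deletes rule number 1 of each chain, which two hours later is whatever rule happens to be first, not necessarily the block. The following is an added example, not from the original article, that removes the block by its match specification instead. The function names and the IPT and AT override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a temporary block that is later removed by rule
# specification, not by position. IPT and AT are hypothetical overrides
# (e.g. IPT=echo for a dry run).
IPT=${IPT:-iptables}
AT=${AT:-at}

# Accept only the shape a.b.c.d/0-32, so nothing else can reach the
# command line or the at job.
valid_cidr() {
  case $1 in ''|*[!0-9./]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# The match/target part of the rule, shared by insert, check and delete.
rule_spec() { printf '%s' "-s $1 -j DROP"; }

# Insert the DROP rule at the top of INPUT and FORWARD unless an identical
# rule is already present (-C checks for it), so reruns add no duplicates.
block() {
  valid_cidr "$1" || { echo "bad network: $1" >&2; return 2; }
  for chain in INPUT FORWARD; do
    $IPT -C "$chain" $(rule_spec "$1") 2>/dev/null ||
      $IPT -I "$chain" $(rule_spec "$1") || return 1
  done
}

# Text of the job given to at(1). "-D CHAIN <spec>" deletes the rule that
# matches the specification, wherever it sits in the chain by then.
unblock_job() {
  valid_cidr "$1" || return 2
  for chain in INPUT FORWARD; do
    printf '%s -D %s %s\n' "$IPT" "$chain" "$(rule_spec "$1")"
  done
}

# usage: timed_block 192.168.1.0/24 2
timed_block() {
  case $2 in ''|*[!0-9]*) echo "bad hours: $2" >&2; return 2 ;; esac
  block "$1" && unblock_job "$1" | $AT now + "$2" hours
}
```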

6. Only allow administrators to log in remotely to the firewall host from the 202.13.0.0/16 network segment using SSH.
iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Description: This usage suits remote management of a device, for example when an SQL server located in a branch office needs to be managed by the administrator at the head office.

7. Allow the local machine to open application services on TCP ports 20-1024.
iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

8. Allow forwarding of DNS resolution request packets from the 192.168.0.0/24 LAN segment.
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT

9. Prevent other hosts from pinging the firewall host, but allow the firewall to ping other hosts
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

10. Forbid forwarding of packets from the host with MAC address 00:0c:29:27:55:3f
iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3f -j DROP
Description: iptables invokes an explicit match with the form "-m module keyword". Here "-m mac --mac-source" matches the source MAC address of the packet.

11. Allow the firewall host to open TCP ports 20, 21, 25, 110, and the passive mode FTP ports 1250-1280
iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT
Description: "-m multiport --dports" specifies a list of destination ports and port ranges.

12. Forbid forwarding of TCP packets with a source IP address in 192.168.1.20-192.168.1.99.
iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
Description: The IP range is specified here with "-m iprange --src-range".

13. Forbid forwarding of non-SYN request packets that are unrelated to a normal TCP connection.
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
Description: "-m state" matches the connection state of the packet, and "NEW" indicates that it is not related to any connection.

14. Deny new packets access to the firewall, but allow packets that respond to a connection or are related to an existing connection
iptables -A INPUT -p tcp -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Description: "ESTABLISHED" means a packet that responds to a request or belongs to an already established connection, and "RELATED" means a packet that is related to an established connection, such as an FTP data connection.

15. Open only the local web service (80) and FTP (20, 21, 20450-20480), let through reply packets that external hosts send to other ports of the server, and drop all other inbound packets.
iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

