This is a brief introduction to iptables, the Linux firewall, and to where iptables takes effect in a network, as shown in the figure:
In the figure, the network firewall can also be a Linux host running iptables; devices such as routers or hubs are omitted from the topology.
That shows where iptables sits; here is how iptables works:
We know that every packet Linux receives or sends is handled in the kernel, but iptables itself does not run in the kernel. How, then, is the firewall function implemented?
iptables runs in user space and defines rules for netfilter, which runs in the kernel; the actual packet filtering is done by netfilter, a framework provided by the kernel.
So how does iptables instruct it? (iptables rule definition: four tables and five chains)
The five chains are: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING. For their positions please refer to the figure; if anything is wrong, please correct me.
The four tables are: filter <-- nat <-- mangle <-- raw (in priority order: raw is consulted first, filter last).
The function each table implements, and the chains on which it is available:
filter: packet filtering; chains INPUT, FORWARD, OUTPUT
nat: PREROUTING (DNAT, destination address translation), OUTPUT, POSTROUTING (SNAT, source address translation)
mangle: modifying packet headers; available on all chains
raw: connection tracking; PREROUTING, OUTPUT
Note: connection tracking is relatively resource-intensive; do not use it unless you need it.
Summary: iptables uses the four tables and five chains to set the packet-filtering rules, and netfilter filters according to the rules set for it. Next, a brief description of how to use the iptables command:
The iptables command syntax:
iptables [-t table] SUBCOMMAND CHAIN criteria -j TARGET
Read left to right: which table to operate on, the subcommand, the chain, the matching criteria, and the action to take.
If -t table is omitted, the command operates on the filter table by default.
For detailed instructions, please see the link for more information.
iptables -t TABLE <-A|-I|-D|-R> CHAIN [RULE_NUMBER] <-i|-o INTERFACE> -p PROTOCOL <-s SOURCE_IP|SOURCE_SUBNET> --sport SOURCE_PORT <-d DEST_IP|DEST_SUBNET> --dport DEST_PORT -j ACTION
A few common ones:
View the rules: iptables -L -n
Flush all rules: iptables -F
Delete empty user-defined chains: iptables -X
Set the default policy of a chain: iptables -P {INPUT | OUTPUT | ...} {DROP | ACCEPT | REJECT ...}
Assuming you have read the links above and know what the -s, -d, -p, -i and -o options mean, here are a few simple examples:
First, start a CentOS 7 virtual machine and run iptables -L -n to view the current rules:
Note: if you see many rules already, first disable firewalld and run iptables -F && iptables -X to clean up, then view the rules again.
Remark: to disable firewalld: systemctl disable firewalld
At this point we are logged in to Linux remotely over SSH, so we must first make sure SSH login keeps working; in other words, open port 22 for input and output:
# iptables -I INPUT -d <your Linux IP address> -p tcp --dport 22 -j ACCEPT
# iptables -I OUTPUT -s <your Linux IP address> -p tcp --sport 22 -j ACCEPT
Next, change the default policy of INPUT and OUTPUT to DROP:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
Not surprisingly, if your host also serves a web site on port 80, it is now unreachable. Why?
Because we now drop every packet except those addressed to port 22 and the replies sent from port 22.
Why did I explain opening port 22 first? Because the first time I set this up, I changed the default policy of INPUT to DROP first, and then I was locked out...
So now I need to make the web service reachable:
# iptables -I INPUT -d <your Linux IP address> -p tcp --dport 80 -j ACCEPT
# iptables -I OUTPUT -s <your Linux IP address> -p tcp --sport 80 -j ACCEPT
Isn't that the same as opening port 22 above, only with a different port? Yes, just a different port...
Is there a way to do both at once? Yes:
# iptables -I INPUT -d <your Linux IP address> -p tcp -m multiport --dports 22,80 -j ACCEPT
# iptables -I OUTPUT -s <your Linux IP address> -p tcp -m multiport --sports 22,80 -j ACCEPT
What is -m?
Explicit extension: you must explicitly name the extension module being used. To list the extension modules supported on the current host: rpm -ql iptables | grep "\.so"
Articles about explicit extensions
How to save and reload rules:
Save the rules to a file of your choice:
iptables-save > /root/iptables.1    (stores the current firewall rules)
Reload the rules from that file:
iptables-restore < /root/iptables.1    (reads and enables the saved firewall rules)
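The two procedures above (open 22 and 80 before switching the default policies to DROP, and save/restore the rule set) combined into one script, as an added example that is not code from the original article. Assumptions of mine: the host IP and port list are passed as arguments; IPT, IPT_SAVE, IPT_RESTORE and BACKUP can be overridden (IPT=echo gives a dry run); the real binaries need root.

```shell
# Added example (not from the article): apply the article's rule set in a
# lockout-safe order, with a timed rollback in case the SSH session is lost.
# Assumptions: host IP and ports come from the caller; the four variables
# below are overridable (IPT=echo for a dry run); real iptables needs root.
set -u
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
BACKUP="${BACKUP:-/root/iptables.before}"

# valid_ports "22,80": non-empty, every entry an integer from 1 to 65535.
valid_ports() {
    local p IFS=','
    [ -n "$1" ] || return 1
    for p in $1; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}
# ssh_kept "22,80": a remotely applied rule set must keep port 22 open.
ssh_kept() {
    case ",$1," in *,22,*) return 0 ;; *) return 1 ;; esac
}
# rule_plan HOST_IP PORTS: the article's multiport rules in the only safe
# order, ACCEPT rules first and the default-DROP policies last.
rule_plan() {
    printf '%s\n' \
        "-I INPUT -d $1 -p tcp -m multiport --dports $2 -j ACCEPT" \
        "-I OUTPUT -s $1 -p tcp -m multiport --sports $2 -j ACCEPT" \
        "-P INPUT DROP" \
        "-P OUTPUT DROP"
}
# apply_rules HOST_IP PORTS [ROLLBACK_SECS]: validate, back up the current
# rules, arm a timed iptables-restore of that backup, then apply the plan.
apply_rules() {
    local ip="$1" ports="$2" secs="${3:-60}" plan line
    valid_ports "$ports" || { echo "bad port list: $ports" >&2; return 1; }
    ssh_kept "$ports" || { echo "port 22 not in list, refusing" >&2; return 1; }
    "$IPT_SAVE" > "$BACKUP" || return 1
    ( sleep "$secs" && "$IPT_RESTORE" < "$BACKUP" ) &
    echo "rollback armed: kill $! within ${secs}s once the session still works"
    plan=$(mktemp) || return 1
    rule_plan "$ip" "$ports" > "$plan"
    while read -r line; do
        # splitting $line into separate iptables arguments is intended
        $IPT $line || { rm -f "$plan"; return 1; }
    done < "$plan"
    rm -f "$plan"
}
```

After running it on a real host, confirm a fresh SSH login works and kill the armed rollback; otherwise the backup is restored automatically after ROLLBACK_SECS.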
We mentioned above that Linux can also be used as a network firewall; a brief introduction follows:
Summary: iptables is flexible and somewhat complex, but once the principles are understood, even complex rule sets yield to patient examination.
iptables: a brief introduction to and application of the Linux firewall