Iptables simple tutorial

Source: Internet
Author: User

[Overview]

netfilter/iptables is the packet-filtering framework that ships with the Linux kernel. It implements the firewall, NAT (Network Address Translation) and packet mangling (modifying header fields such as TOS) functions. netfilter runs inside the kernel; iptables is the user-space tool with which you define the tables and chains of rules that netfilter evaluates.

[Iptables option Introduction]

The user-space control command for netfilter is iptables. With it you create rules and load them into the kernel, where they are applied to every packet that passes through. The general syntax is:

    iptables [-t table] command [match] [target]

An iptables rule therefore has four basic elements.

1) table. The [-t table] option selects the table the command operates on; when it is omitted, the filter table is used. This tutorial covers the three classic tables: filter (packet filtering), nat (address translation) and mangle (header modification). Newer kernels also provide the raw and security tables.

2) command. This is the most important part of an iptables invocation: it tells iptables what to do, such as appending a rule to the end of a chain, inserting one at a position, or deleting one. The common commands are listed in table 1.

Table 1. iptables common commands

  -A or --append        Append a rule to the end of the chain.
  -D or --delete        Delete a rule from the chain, identified either by repeating its match specification or by its position number in the chain (rules are numbered from 1).
  -P or --policy        Set the default target of a built-in chain, that is, its policy. Every packet that matches no rule in the chain is handled by the policy.
  -N or --new-chain     Create a new user-defined chain with the given name.
  -F or --flush         Delete all rules from the named chain; if no chain is given, delete all rules from every chain in the table. Used to clear a table quickly.
  -L or --list          List all rules in the named chain (all chains if none is given).
  -R or --replace       Replace the rule at the given position in the chain with a new one.
  -X or --delete-chain  Delete the named user-defined chain; if no chain is given, delete every user-defined chain in the table. A chain can only be deleted when it is empty and no rule jumps to it.
  -C or --check         Check whether the given rule already exists in the chain (very old iptables releases used -C to test a packet against the chain instead).
  -Z or --zero          Reset the packet and byte counters of all rules in the named chain (all chains if none is given).

3) match. The optional match section of the command specifies the characteristics a packet must have for the rule to apply, such as its source and destination addresses or its protocol. There are two kinds: generic matches, which apply to packets of any protocol, and protocol-specific matches. The important generic matches are shown in table 2.

Table 2. Generic matches

  -p or --protocol       Match a specific protocol: tcp, udp, icmp, or all (the default, matching every protocol). A "!" before the value negates the match.
  -s or --source         Match the packet's source IP address, either a single address or a range in CIDR notation (e.g. 192.168.0.0/16). "!" negates the match. By default any source address matches.
  -d or --destination    Match the packet's destination IP address; same syntax and negation as -s.
  --sport                Match the source port or port range (low:high). Requires -p tcp or -p udp.
  --dport                Match the destination port or port range. Requires -p tcp or -p udp.
  -i or --in-interface   Match the interface the packet arrived on (usable in the INPUT, FORWARD and PREROUTING chains); -o or --out-interface matches the outgoing interface. A trailing "+" matches a class of interfaces, e.g. eth+. Note that lowercase -i is a match, while uppercase -I is the insert command.

4) target. The target is the action a rule performs on packets that match it, given with -j. Besides user-defined chains, which can themselves be used as targets, several built-in targets are available; the common ones are in table 3.

Table 3. Common targets

  ACCEPT   Let the packet continue to its destination. Specified as -j ACCEPT.
  DROP     Silently discard the packet. Nothing is sent back, so the sender waits until its connection attempt times out. Specified as -j DROP.
  REJECT   Discard the packet like DROP, but send an error back to the sender (by default an ICMP port-unreachable message; --reject-with tcp-reset sends a TCP RST instead). The client therefore fails immediately and neither side is left holding a half-open connection. Specified as -j REJECT.
  RETURN   Stop traversing the current chain. In a user-defined chain, processing resumes at the next rule of the chain that called it; in a built-in chain such as INPUT, the chain's policy is applied. Specified as -j RETURN.
  LOG      Write information about the packet to the kernel log, then continue with the next rule (LOG is non-terminating).
  TOS      Rewrite the TOS field of the packet (mangle table only).

[iptables use instance]

Some rules as used in practice (all commands run as root):

Allow a single IP address to access a port:

    iptables -A INPUT -p tcp -s 61.145.251.36 --dport 16322 -j ACCEPT

-A appends to the INPUT chain, -p gives the protocol, -s the source address, --dport the destination port and -j the target action.

Reject every other address for that port:

    iptables -A INPUT -p tcp --dport 16322 -j REJECT

Rules are checked in order and the first match wins, so this catch-all must sit after the ACCEPT rule; appended before it, it would reject the trusted address as well.

Delete a rule (here the first rule in the INPUT chain; see man iptables):

    iptables -D INPUT 1

Insert a rule at a given position (here as the second rule of the INPUT chain):

    iptables -I INPUT 2 -p tcp -s 61.145.133.63 --dport 16322 -j ACCEPT

Restrict access to a port on one network interface (rules that apply to eth0 only):

    iptables -I INPUT 3 -p tcp -s 61.145.251.66 -i eth0 --dport 16322 -j ACCEPT
    iptables -I INPUT 4 -p udp -s 61.145.251.66 -i eth0 --dport 16322 -j ACCEPT

Restrict access from a whole network segment:

    iptables -I INPUT 5 -p tcp -s 192.168.0.0/16 -i eth1 --dport 3306 -j REJECT

Chain names are case-sensitive: INPUT is the built-in chain, and "input" is reported as a chain that does not exist. For the remaining options, see man iptables.

Saving and restoring rules: rules loaded with iptables live only in the running kernel and are lost at reboot. iptables-save writes the current rules of all tables to standard output, and iptables-restore loads such a file, replacing the current rules of the tables it contains:

    iptables-save > iptables-save.txt
    iptables-restore < iptables-save.txt

For a table that already contains rules, run iptables-save first, edit the saved file, then load it back with iptables-restore.
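The rules from the examples above, assembled into a single reviewable ruleset in the format that iptables-save produces and iptables-restore consumes. This is an added example and is not part of the original tutorial; it uses the tutorial's sample addresses, port and interfaces, assumes iptables-save and iptables-restore are installed, and the function names (build_ruleset, check_order, apply_ruleset) are this example's own:

```shell
#!/bin/sh
# Added example for this tutorial, not part of the original page: generate the
# ruleset the examples build up (trusted hosts may reach port 16322 on eth0,
# everyone else is rejected, 192.168.0.0/16 is kept away from MySQL on eth1)
# in iptables-save format, lint the rule order, and load it atomically with
# iptables-restore. Addresses, ports and interfaces are the tutorial's sample
# values; the function names are this example's own.

# Print a filter-table ruleset in iptables-save format.
#   $1 service port, $2 space-separated trusted source addresses,
#   $3 interface the service listens on.
build_ruleset() {
    port=$1
    trusted=$2
    iface=$3
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Rules are evaluated top to bottom and the first match wins, so the
    # ACCEPT rules for trusted hosts must precede the catch-all REJECT.
    for ip in $trusted; do
        echo "-A INPUT -i $iface -p tcp -s $ip --dport $port -j ACCEPT"
        echo "-A INPUT -i $iface -p udp -s $ip --dport $port -j ACCEPT"
    done
    # tcp-reset answers with a RST so clients fail at once instead of
    # retrying a silently dropped SYN; UDP gets the default ICMP error.
    echo "-A INPUT -i $iface -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    echo "-A INPUT -i $iface -p udp --dport $port -j REJECT"
    # Keep the 192.168.0.0/16 segment on eth1 away from MySQL (3306).
    echo '-A INPUT -i eth1 -p tcp -s 192.168.0.0/16 --dport 3306 -j REJECT'
    echo 'COMMIT'
}

# Read a ruleset on stdin; exit 0 if no ACCEPT for port $1 comes after a
# catch-all REJECT for that port (a REJECT line without -s), else exit 1.
# This is the ordering mistake that makes a later "-A ... -j ACCEPT" useless.
check_order() {
    awk -v port="$1" '
        /-j REJECT/ && index($0, "--dport " port) && !index($0, " -s ") { rejected = 1 }
        /-j ACCEPT/ && index($0, "--dport " port) && rejected          { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Load the ruleset on stdin into the kernel. Needs root; the live rules are
# saved first so the change can be undone with
#   iptables-restore < iptables-save.txt
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo 'apply_ruleset: must run as root' >&2
        return 1
    fi
    iptables-save > iptables-save.txt
    iptables-restore
}

RULES=$(build_ruleset 16322 "61.145.251.36 61.145.133.63 61.145.251.66" eth0)
printf '%s\n' "$RULES"
if printf '%s\n' "$RULES" | check_order 16322; then
    echo '# order OK: trusted ACCEPT rules precede the catch-all REJECT' >&2
else
    echo '# order BUG: a catch-all REJECT shadows an ACCEPT' >&2
fi
# Apply only when explicitly asked, e.g.:  sudo sh build-rules.sh apply
if [ "$1" = apply ]; then
    printf '%s\n' "$RULES" | apply_ruleset
fi
```

Run without arguments the script only prints and lints the ruleset, so it can be tried on any machine; `sudo sh build-rules.sh apply` loads it. Loading through iptables-restore replaces the filter table as one unit, so the trusted ACCEPT rules and the catch-all REJECT arrive together in the right order, and there is no window in which a REJECT appended on its own would lock every client out of the port.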
