Ubuntu (Linux) iptables firewall configuration explained

Source: Internet
Author: User
Tags: lowercase, ssh, iptables, firewall

Iptables introduction
Iptables is a kernel-based firewall and is very powerful. It has three built-in tables: filter, nat and mangle.
The filter table is responsible for filtering packets; its rule chains are INPUT, OUTPUT and FORWARD.
The nat table handles network address translation; its rule chains are PREROUTING, POSTROUTING and OUTPUT.
The mangle table is mainly used to modify packet contents, for example for traffic shaping; its default rule chains are listed on this page as input, output, nat, postrouting and prerouting.
INPUT matches packets whose destination IP is the local machine; FORWARD matches packets passing through the machine; PREROUTING is used to change the destination address (DNAT); POSTROUTING is used to change the source address (SNAT).
Iptables main parameters
-A appends a rule to a chain; by default it is added at the end
-t specifies the table to operate on; the default is filter
-D deletes a rule from a chain, given either its ordinal number or a matching rule specification
-R replaces a rule
-I inserts a rule; by default it is inserted at the head of the chain
-F flushes (clears) all rules in the selected chain; the change is not persistent, so whatever ruleset is loaded at boot is back after a reboot
-N creates a user-defined rule chain
-X deletes a user-defined rule chain
-p specifies the protocol: tcp, udp, icmp, or a numeric protocol number
-s specifies the source address
-d specifies the destination address
-i specifies the inbound (incoming) interface
-o specifies the outbound (outgoing) interface
-j specifies the action (target) to take: ACCEPT, DROP, SNAT, DNAT, MASQUERADE
--sport source port
--dport destination port; port options must be used together with a protocol (-p)
Note: chain names must be uppercase, table names must be lowercase, targets (actions) must be uppercase, and match extensions must be lowercase.
Iptables configuration examples
Iptables basic operations
iptables -L    lists the current iptables rules
iptables -F    flushes the rules in the built-in chains
iptables -X    deletes user-defined (custom) chains
Setting the default policies
The default policy of a chain is applied to a packet when no rule in that chain matches it.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
Configuring SSH rules
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT    If the OUTPUT policy is set to DROP, this rule is required as well; otherwise SSH logins fail, because the SSH service's replies cannot leave the host.
Allow SSH connections only from the machine 192.168.0.3
iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a whole range of addresses, use CIDR notation: 192.168.0.0/24 stands for every address from 192.168.0.1 to 192.168.0.255.
Allow loopback (lo) communication
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
Destination address translation (DNAT): mapping an internal address
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.1-192.168.0.10
Source address translation (SNAT): hiding internal addresses
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source <external IP>    (the page omits the address; <external IP> is a placeholder for the fixed public address)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source <first external IP>-<last external IP>    (placeholder for an address pool)
Address masquerading: NAT for dynamic IPs
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
The main difference between MASQUERADE and SNAT is that SNAT rewrites the source address to a fixed IP address or address pool, whereas MASQUERADE is very useful for ADSL and other dial-up Internet connections: because the connection is dialled up, the IP address of the external network card changes often, and with SNAT the address in the translation rule would have to be changed every time. MASQUERADE solves this problem: it detects the IP address currently assigned to the external network card and translates to it automatically, so even if the externally obtained IP changes frequently, no manual intervention is needed.
Enabling forwarding
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT    only allow established connections and related connections to be forwarded inward
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT    allow outbound forwarding
Filtering by MAC address
iptables -A FORWARD -m mac --mac-source <MAC address> -j DROP
Once a packet has been routed, the MAC information in it is replaced, so matching on a MAC address in iptables chains after routing is meaningless.
Packet rate limiting (traffic shaping)
iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP    packets to 192.168.0.1 beyond the limit fall through to this rule and are dropped
Multi-port matching
Used to match several ports in a single rule
iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT
Dropping invalid connections
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
Saving and restoring iptables rules
iptables-save > somefile

iptables-restore < somefile
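The following script is an added example, not part of the original page: it combines the rules above (default policies, loopback, SSH restricted to one host, multiport services, INVALID drops, forwarding and MASQUERADE) into one iptables-restore file, so the whole ruleset can be reviewed and then loaded atomically instead of being typed rule by rule. The admin host 192.168.0.3, LAN 192.168.0.0/24 on eth1 and uplink ppp0 are assumed values.

```shell
#!/bin/sh
# Added example (not from the original page): build the page's policy as an
# iptables-restore file so the whole ruleset is loaded atomically and can be
# reviewed with a plain "gen_ruleset" before it is applied.
# Assumptions (constructed, not from the page): admin host 192.168.0.3,
# LAN 192.168.0.0/24 on eth1, uplink ppp0 (dynamic IP, hence MASQUERADE).
ADMIN_HOST="${ADMIN_HOST:-192.168.0.3}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-ppp0}"

# Print the ruleset in iptables-save format (one "*table ... COMMIT" block each).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# OUTPUT policy is ACCEPT, so the page's "--sport 22" OUTPUT rule is not needed
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,25,80,110 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Count the "-A <chain>" rules in one chain; a quick sanity check before loading.
count_chain() {
    gen_ruleset | grep -c "^-A $1 "
}

# Apply: iptables-restore replaces the running ruleset atomically (needs root).
# Forwarding additionally needs the kernel setting net.ipv4.ip_forward=1.
apply_ruleset() {
    gen_ruleset | iptables-restore
}
```

Port 22 is deliberately left out of the multiport rule so that SSH stays reachable only from the admin host, while the other services are open to everyone.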
