Use of iptables extensions

1. in fact, the matching extension also needs to be added to the display extension of the-m reference module. the default value is implicit extension. do not use the-m status Detection Package to filter-mstate -- state {NEW, ESTATBLISHED, INVALID, RELATED} specifies the status to be checked-mmultiport specifies multiple port numbers -- sport -- dport -- ports-miprange specifies IP segment -- s

1. in fact, the display extension of the-m reference module needs to be added in the matching extension. the default value is implicit extension. do not use-m.

Packet filtering for status detection
-M state
-- State {NEW, ESTATBLISHED, INVALID, RELATED} specifies the detection status.
-M multiport: specifies multiple port numbers.
-- Sport
-- Dport
-- Ports
-M iprange: specifies the IP segment.
-- Src-range ip-ip
-- Dst-range ip-ip
-M connlimit connection restrictions
-- Comlimit-above # limit the number of large connections
-M limit: current connection rate, that is, limit the number of matched packets
-- Limit: specified speed
-- Limit-burst # peak rate, maximum limit
-M string is limited by string
-- Algo bm | kmp specifies the algorithm bm or kmp.
-- String "STRING" specifies the string itself
 

Iptables-A input-p tcp-m multiport -- dports110, 80, 25, 445,1863, 5222-j ACCEPT
Iptables-a input-p tcp-s 172.16.0.0/16 -- dport 139-jACCEPT
# Allow dns resolution. if a DNS server (forwarder) is configured on the intranet, only the IP address of the forwarder can be used. modify the ip address (-s IP address) on your own)
Iptables-a input-I eth1-p udp-m multiport -- dports 53-jACCEPT
# Iptables-a input-s 0.0.0.0/0.0.0.0-d 192.168.80.139-p tcp -- dport 22-m state -- state NEW, ESTABLISHED-j ACCEPT

Any connection in the NEW or ESTABLISHED status is allowed. Note that this parameter can be omitted when 0.0.0.0/0.0.0.0 indicates any address:
# Iptables-a input-d 192.168.80.140-p tcp -- dport 22-m state -- state NEW, ESTABLISHED-j ACCEPT

Allow the local ESTABLISHED status. in order to prevent Trojans from rebounding, the server initiates an external request.
# Iptables-a output-s 192.168.80.140-p tcp -- sport 22-m state -- state ESTABLISHED-j ACCEPT

Then, modify the default permission to reject it.
# Iptables-P INPUT DROP
# Iptables-P OUTPUT DROP

Now ping 127.0.0.1 on the local machine. it is different when it is found. therefore, to allow the local machine, write the following:
# Iptables-I INPUT 1-s 127.0.0.1-d 127.0.0.1-j ACCEPT
# Iptables-I OUTPUT 1-s 127.0.0.1-d 127.0.0.1-j ACCEPT

If you want to limit port 80, write one now to save query time.
You can add continuous ports such as -- sport 22: 80 after -- sport or -- dport to indicate that all ports from 22 to 80 do not meet the current conditions, so we use the second display extension:

# Iptables-a input-d 192.168.80.140-p tcp-m multiport -- dport 22,80-m state -- state NEW, ESTABLISHED-j ACCEPT
In this way, the and 80 are combined, and the OUTPUT is the same, but pay attention to the target port of the source port, and then delete the original one.
(Note: If there is SSH, you must first add it to delete it)

Here we need to know that all the ESTABLISHED requests from the local machine come in, so you can write them as follows:
# Iptables-a output-m state -- state ESTABLISHED-j ACCEPT
Indicates that all NEW requests from the client come in and the server returns the ESTABLISHED status. all requests are allowed.

You can also add it to INPUT to increase the query speed.
# Iptables-I INPUT 1-m state -- state ESTABLISHED-j ACCEPT
The principle here is that when NEW requests match his own rule, the rule will be directly matched after the connection is established to improve efficiency.
For example, the first rule permits ESTABISHED, and the second rule is the NEW and ESTABLISHED rules of 22, so that when the user requests 22, the NEW rule of 22 is matched first, in the subsequent ESTABLISHED status, the first rule is directly matched, so that we do not need to match the second rule. in this way, when there are many items, the efficiency is greatly improved.

# Iptables-a input-d 192.168.80.140-m iprange -- src-range192.168.80.130-192.168.80.150-p tcp -- dport 23-m state -- stateNEW-j ACCEPT
Specify 192.168.80.130-192.168.80.150 to access port 23 of the local machine.

# Iptables-I INPUT 2-d 192.168.80.140-p tcp -- dport 22-m state -- state NEW-m connlimit! -- Connlimit-above 2-j ACCEPT

Here connlimit! -- Connlimit-above 2-j ACCEPT indicates that only two times of SSH local machine are allowed, and connlimit -- connlimit-above 2-j DROP indicates that it is rejected after more than two times, the default permission is denied! If Port 22 is allowed in the front, the matching rule will be matched first and then the allowed change will be matched.

# Iptables-a input-d 192.168.80.140-p tcp -- dport 80-m state -- state NEW-m limit -- limit 1/second -- limit-burst 3-jACCEPT
Indicates a new connection request to the web service. on average, only one request is allowed per second, and up to three requests are allowed at a time.

# Iptables-I OUTPUT 1-m string -- algo kmp -- string "peace"-jDROP
Indicates that the server in the local response contains the "peace" string is rejected.

2. how to develop FTP
Enable FTP in active mode

# Iptables-a input-d 192.168.80.140-p tcp -- dport 21-m state -- state NEW-j ACCEPT
# Iptables-a input-d 192.168.80.140-p tcp -- dport 20-m state -- state NEW-j ACCEPT
# Iptables-a input-m state -- state ESTABLISHED, RELATED-jACCEPT
# Iptables-a output-m state -- state ESTABLISHED, RELATED-jACCEPT

Open FTP in passive mode
1) clear the previous configuration and restart the service.
# Service iptables restart

2) add an ssh rule first
# Iptables-a input-m state -- state ESTABLISHED-j ACCEPT
# Iptables-a output-m state -- state ESTABLISHED-j ACCEPT
# Iptables-a input-d 192.168.80.140-p tcp -- dport 22-m state -- state NEW-m connlimit! -- Connlimit-above 3-j ACCEPT
# Iptables-P INPUT DROP
# Iptables-P OUTPUT DROP

3) enable FTP
# Iptables-a input-d 192.168.80.140-p tcp -- dport 21-m state -- state NEW-j ACCEPT

But access is still unavailable.

4) load the module first
# Modprobe ip_nat_ftp
# Lsmod | grep ftp
Ip_nat_ftp 7361 0
Ip_nat 20973 1 ip_nat_ftp
Ip_conntrack_ftp 11569 1ip_nat_ftp
Ip_conntrack 53409 5ip_nat_ftp, ip_nat, ip_conntrack_ftp, xt_connlimit, xt_state

5) Development RELATED status
# Iptables-r input 2-m state -- state ESTABLISHED, RELATED-jACCEPT
# Iptables-r output 1-m state -- state ESTABLISHED, RELATED-jACCEPT

6) you can find the connection.

If you restart the service before, the rule will disappear. Therefore, after you confirm the rule, run the following command to save it:
# Service iptables save or # iptables-save>/etc/sysconfig/iptables
There are two files to know:
/Etc/sysconfig/iptables: file for saving the rule
/Etc/sysconfig/iptables-config: provides the configuration file to the iptables script.

3. SNAT in DNAT configuration
First, clear the previous configurations. the topology is as follows:

Ping it first. it is different.

1) first enable the routing function
# Vim/etc/sysctl. conf
Net. ipv4.ip _ forward = 1
# Sysctl-p

2) add a route to the client
Route add 172.16.0.0 mask 255.255.0.0 192.168.80.140
Web route adding
# Route add-net 0.0.0.0 gw 172.16.15.20

Access was found to be accessed at 192.168.80.1

3) You can also add PING denied
# Iptables-a forward-p icmp -- icmp-type 8-j REJECT

Add SNAT rules
# Iptables-t nat-a postrouting-s 192.168.80.0/24-j SNAT -- to-source 172.16.15.20

4) access the web site under 172.16.15.30 and check the log. it is already 172.16.15.20.

The specified IP address is used here. if it is a dial-up address, the address is not fixed, so you can use the following method:
# Iptables-t nat-a postrouting-s 192.168.80.0/24-jMASQUERADE
However, this method consumes more resources than the specified one.

In addition, the route added to the web is deleted and accessible.

DNAT implementation:
The topology is as follows:

1) first enable the routing function
# Vim/etc/sysctl. conf
Net. ipv4.ip _ forward = 1
# Sysctl-p

2) the web here must specify the gateway.
# Route add-net 0.0.0.0 gw 172.16.15.20

3) add a rule to convert the web request 192.168.80.140 to 172.16.15.30.
# Iptables-t nat-a prerouting-d 192.168.80.140-p tcp -- dport 80-j DNAT -- to-destination 172.16.15.30

4) access 192.168.80.140 and check the log. it is 192.168.80.1.

5) the local server does not have a log record. to add the log record, follow these steps:
# Iptables-t nat-I PREROUTING 1-d 192.168.80.140-p tcp -- dport80-j LOG -- log-prefix "DNAT for Web :"

6) check the local log. tail/var/log/messages finds that the local log information already exists.

4. use recent to defend against DOS attacks

# Iptables-I INPUT-p tcp -- dport 22-m connlimit-abve 3-j DROP

# Iptables-I INPUT-p tcp -- dport 22-m state -- state NEW-mrecent -- set-name SSH
Record the new connection accessing tcp port 22. record the source IP address of the record packet named SSH -- set. if the IP address already exists, update the existing entries.

Iptables-I INPUT-p tcp -- dport 22-m state -- state NEW-mrecent -- update -- seconds 300 -- hitcount 3 -- name SSH-j DROP
# Indicates the IP address in the SSH record. if more than three connections are initiated within S, the connection from this IP address is rejected.

5. use iptables at the application layer to restrict Thunder and QQ:
Note that the version here has requirements:
Above iptables-1.4.3
Kernel-2.6.20 or above

Test procedure:
1) patch the kernel and re-compile the kernel

# Tar zxvf linux-2.6.28.10.tar.gz-C/usr/src
# Tar zxvf netfilter-layer7-v2.22.tar.gz-C/usr/src
# Cd/usr/src
# Ln? S linux-2.6.28.10 linux
# Cd/usr/src/linux/
# Patch-p1 <../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch

# Cp/boot/config-2.6.18-164.el5/usr/src/linux/. config
# Make menuconfig

The following content is selected for compilation:
Networking support → Networking Options → Network packet filteringframework → Core Netfilter Configuration
Netfilter connection tracking support
"Layer7" match support
"String" match support
"Time" match support
"Iprange" match support
"Connlimit" match support
"State" match support
"Conntrack" connection matchsupport
"Mac" address match support
"Multiport" Multiple port match support

Networking support → Networking Options → Network packetfiltering framework → IP: Netfilter Configuration
IPv4 connection tracking support (required for NAT)
Full NAT
  MASQUERADE targetsupport
  NETMAP targetsupport
  REDIRECT target support

Compile and install
# Make
# Make modules_install
# Make install
2) patch iptables source code and recompile iptables.
# Cp/etc/init. d/iptables ~ /Iptables
# Cp/etc/sysconfig/iptables-config ~ /
# Rpm-e iptables-ipv6 iptables iptstate -- nodeps
# Tar jxvf iptables-1.4.6.tar.bz2? C/usr/src
# Iptables-1.4.6/cd/usr/src/
# Cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7. *./extensions/

#./Configure -- prefix =/usr -- with-ksource =/usr/src/linux
# Make
# Make install

3) install l7proto

# Tar zxvf l7-protocols-2009-05-28.tar.gz
# Cd l7-protocols-2009-05-28
# Make install

# Mv ~ /Iptables/etc/rc. d/init. d/
Change/sbin/$ iptables to/usr/sbin/$ IPTABLISH for The IPTABLES file to be modified.
# Service iptables start

# Iptables-a forward-m layer7 -- l7proto xunlei-j DROP limit xunlei
Restrictions on the relevant information here/etc/l7-protocols/protocols/can produce test, such as qq, pplive and so on all have