option and select the iptables daemon.

2. Simple iptables applications

1) Basic rule application

Here are some simple examples of using the framework theory described above to form rules, which the reader can imitate and adapt in practice:

(1) Accept all incoming packets from the specified IP address:
# iptables -A INPUT -s 203.159.0.10 -j ACCEPT

(2) Only accept packets fr
-o eth0: specifies the network interface from which the packet is sent.

Parameter --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
The source port number to compare against the packet. It can be a single port or a range, for example --sport 22:80, which means every port from 22 to 80 matches. To match multiple non-consecutive ports you must use the --multiport parameter, described later in this article. When matching a port number you can use the ! operator for reverse (negated) matching.

Parameter --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Describes the destination port number used to match
will only let the first IP fragment through; the remaining fragments cannot pass because their packet header information is incomplete. You can use the --fragment/-f option to match the second and subsequent IP fragments and resolve this problem:
# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
Note: there are now many IP fragmentation attacks, such as DoS attacks, so allowing IP fragments to pass is a security risk, which can be limited by
DROP
Note: iptables uses the form "-m module keyword" to call an explicit (extension) match. Here "-m mac --mac-source" is used to match the source MAC address of the packet.

11. Allow the firewall host to open TCP ports 20, 21, 25, 110, and the passive-mode FTP port range 1250-1280:
iptables -A INPUT -p tcp -m multiport --dport 20,21,25,110,1250:1280 -j ACCEPT
Note: "-m multiport --dport"
source port of the TCP header in the packet. It can be a port range.
[!] --destination-port, --dport port[:port]: match the destination port of the TCP header in the packet. It can be a port range.
icmp: indicates "-m icmp", which has its own special options.
[!] --icmp-type {type[/code]|typename}
type/code: 0/0 indicates a reply (echo reply); 8/0 indicates a request (echo request).
[root@bkjia ~]# iptables -A INPUT -s 0/0 -d 172.18.42.200 -p icmp --icmp-type 8 -j ACCEPT
TCP, UDP, and ICMP) is impossible. Suppose there is a rule like this:
# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
In this case, when the FORWARD policy is DROP, the system will only let the first IP fragment pass; the remaining fragments cannot pass because their packet header information is incomplete. You can use the --fragment/-f option to match the second and later IP fragments to solve this problem.
#
# 1. Delete all existing rules
iptables -F
# 2. Set the default chain policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Block a specific IP address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "
Extended rule matching (the target action is omitted in these examples)
1. Multi-port matching
1) Match multiple source ports:
# iptables -A INPUT -p tcp -m multiport --sport 22,53,80,110
2) Match multiple destination ports:
# iptables -A INPUT -p tcp -m multiport --dport 22,53,80
3) Match multiple ports (source port or dest
80, write one now to save query time.
You can add a continuous range such as --sport 22:80 after --sport or --dport, but that would also match every port between 22 and 80 that does not meet the current requirement, so we use the second explicit extension, multiport:
# iptables -A INPUT -d 192.168.80.140 -p tcp -m multiport --dport 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
In this way, ports 22 and 80 are combined into one rule, and the OUTPUT side is the sa
--limit 1/s --limit-burst 10 -j ACCEPT
The limit match only matches packets up to a certain rate; it is a match, not a "limit" on its own.
Multi-port matching (multiport)
-m multiport: multiple ports can be matched at a time, distinguishing source ports, destination ports, or either (unspecified):
# iptables -A INPUT -p tcp -m multiport --ports 110 -j ACCEPT
Note: it must be used with the -p par
need is to use the 'multiport' option in iptables and follow it with the port numbers to be blocked. The above scenario can be handled with the following statement:
# iptables -A INPUT -s 192.168.0.6 -p tcp -m multiport --dport 22,23,80,8080 -j DROP
You can use the following statement to view the rules that are w
00:0c:29:27:55:3f and the host:
iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3f -j DROP
Description: an explicit (extension) match is called using the form "-m module keyword" in iptables. Here "-m mac --mac-source" is used to match the source MAC address of the packet.
11. Allow the firewall host to open TCP ports 20, 21, 25, 110, and the passive-mode FTP port range 1250-1280:
iptables -A INPUT -p tcp -m multiport --dport 20,21,2