--icmp-type {0 | 8 | 3}
0: echo reply, the response to a ping request
8: echo request, the ping request sent by the host itself
3: destination unreachable
-p udp:
--sport: source port
--dport: destination port
Explicit extensions: use an additional matching mechanism, -m EXTENSION --spec-opt
state: connection state. Tracks session status with ip_conntrack:
NEW: new connection request
ESTABLISHED: established connection
INVALID: illegal connection (e.g., SYN=1 and FIN=1 set together)
RELATED: associated connection (e.g. a command connection and the data
to close specific ports
Many times we need to block the network connection of a particular port, and iptables can be used to close a specific port.
To block a specific outgoing connection:
iptables -A OUTPUT -p tcp --dport xxx -j DROP
To block a specific incoming connection:
iptables -A INPUT -p tcp --dport xxx -j DROP
6. Using multiport to control multiple ports
With multiport we can
Continuing from the previous post, this is the advanced firewall section with example content; I hope it is easy to follow.
One, explicit extensions:
The extension module being used must be indicated explicitly with -m.
Help:
CentOS 6: man iptables
CentOS 7: man iptables-extensions
1. multiport extension
Defines multi-port matching in a discrete way; up to 15 ports can be specified.
[!] --source-ports,--sports
iptables basic commands
Before we introduce complex firewall rules, let's start with some simple material so that we get a basic understanding of the most basic iptables commands.
The first thing to note is that the iptables command must run as root, which means you need to log in as root or have permission to use su or sudo -i to get a root shell. We use sudo in the following, which is also the
only want to block TCP traffic, you can use the -p parameter to specify the protocol, for example:
iptables -A INPUT -p tcp -s xxx.xxx -j DROP
4. Unblock an IP address
To unblock an IP address, run the following command to delete the rule:
iptables -D INPUT -s xxx.xxx -j DROP
The -D parameter deletes one or more rules from the chain.
5. Use iptables to close a specific port
Most of the time, we need to block the network connection of a specific port. Yo
icmp --icmp-type 8 -j ACCEPT (these two rules allow external hosts to ping the local machine)
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
Allow the local machine to ping external domain names:
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
Allow external access to the port 80 service on the local machine, and only allow newly connected
# iptables -A OUTPUT -s 192.168.137.30 -p icmp --icmp-type 8 -j ACCEPT
6. Explain the meaning of the following rules:
# iptables -N clean_in
Create a new custom chain called clean_in
# iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
Discard ICMP packets addressed to the limited broadcast address
# iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
Discard
, because not much functionality is involved here, module loading is very simple: only the filter table is involved, and the initialization part of the script is also very simple.
We can write the script in the same order in which iptables rules are written. The script content is as follows:
(Note: this server is located in our own data center, so port 22 is not opened; the server can be debugged directly in the data center. For remote operation, open port 22.)
#!/bin/bash
is, all of your data is inspected. In terms of design principle the layer-7 firewall is therefore more secure, but this comes at the cost of lower efficiency, so the common firewall solutions on the market combine both. However, because everyone has to pass through the port the firewall controls, the efficiency of the firewall becomes the most important control over how much data users can access; a poor configuration may even turn the firewall into a traffic bottleneck.
II:
You cannot use standard port matching and multiport matching in the same rule at the same time.
Three options: --source-port; --destination-port; --port
iptables -A INPUT -p tcp -m multiport --source-port 22,28,115
iptables -A INPUT -p tcp -m multiport --destination-port 22,28,115
iptables -A INPUT -p tcp -m multiport --port 22,28,115
(5) State match
The state matching extension
the chain is not specified, all chains are affected by default.
-A: append a rule at the end of the chain
-D: delete a rule
-I: insert a rule at the specified position (if no position is given, at the beginning of the chain)
-F: flush all rules
-P: set the default policy of a chain
-p: protocol
-s: source address
-d: destination address
-R: replace the rule at the specified position
-N: create a custom chain
-X: delete a custom chain
and the host
iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3f -j DROP
Description: an explicit match is invoked in iptables with the form "-m module keyword". Here "-m mac --mac-source" matches the source MAC address of the packet.
11. Allow the firewall host itself to open TCP ports 20, 21, 25, 110, and the passive-mode FTP port range 1250-1280
iptables -A INPUT -p tcp -m multiport --dport 20,21,25,110,1250:1280 -j
firewall schemes on the market combine the two. And because everyone has to pass through the port the firewall controls, the efficiency of the firewall becomes the most important control over how much data users can access; a poor configuration may even turn the firewall into a traffic bottleneck.
II: The history and working principle of iptables
1. The development of iptables:
iptables, formerly known as ipfirewall (kernel 1.x era), is a simple access control tool that the author
State-based restrictions
-m state
NEW
ESTABLISHED
RELATED
INVALID
Only 3.100 may access the web service on 2.100; 2.100 may only respond and is not allowed to initiate connections to 3.100 on its own.
This is mainly used to prevent a virus on the host from spontaneously sending information out (data leakage).
[root@station93 ~]# iptables -A FORWARD -s 10.0.3.100 -d 10.0.2.100 -p tcp --dport 80 -m state --state NEW,ESTAB
Open the virtual machine VNC ports, DNS, bootps and other ports. Create the chains and rules required by nova-compute and nova-network; adding them manually and creating a virtual machine have the same effect.
iptables -I INPUT 1 -p tcp -m multiport --dport 5900:6200,53 -j ACCEPT
iptables -I INPUT 1 -p udp -m
network segment to connect via SSH
The code is as follows
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
6. Allow HTTP and HTTPS
Allow all incoming web traffic: port 80 of the HTTP protocol
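As an added example that is not part of the original articles, the script below ties the fragments on this page together (-m state, multiport, ICMP types 8/0, DNS, SSH restricted to one network segment) into one default-deny ruleset; the LAN 192.168.100.0/24 and interface eth0 are taken from the SSH snippet above and are assumed, and count_rules is a hypothetical helper.

```shell
#!/bin/sh
# Added example (not from the original articles): a default-deny, stateful
# ruleset built from the page's pieces: -m state, multiport, ICMP types, DNS,
# SSH limited to a LAN segment. Assumed values: LAN 192.168.100.0/24, eth0.
set -eu

LAN="${LAN:-192.168.100.0/24}"
IFACE="${IFACE:-eth0}"

# Print the rules rather than applying them, so the ordering can be reviewed
# before it is loaded; run with --apply as root to load them.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback is needed by local services
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# conntrack first: one rule per direction covers every reply packet,
# so the per-service rules below only need to admit NEW connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# ping: type 8 is the request; the type-0 reply is already ESTABLISHED
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# DNS lookups started by this host (the UDP reply matches ESTABLISHED)
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# SSH only from the LAN; web from anywhere, two ports in one multiport rule
iptables -A INPUT -i $IFACE -p tcp -s $LAN --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
}

# Number of per-chain rules (excludes policy and flush lines); a sanity
# check when the list is edited.
count_rules() {
    firewall_rules | grep -c '^iptables -A'
}

if [ "${1:-}" = "--apply" ]; then
    firewall_rules | sh
else
    firewall_rules
fi
```

Because replies are admitted by the two ESTABLISHED,RELATED rules, none of the per-service rules above needs a matching reply rule, which is what the paired INPUT/OUTPUT rules earlier on this page do by hand.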