iptables multiport

have been modified by us at this time) If the packet is in the native (that is, the destination IP of the packet is the network port IP of the native), the packet moves down the graph to reach the input chain . After the packet arrives in the input chain, any process will-receive it Programs running on this machine can also send packets that go through the output chain and then reach the postroting chain output (note that this time the SRCIP of the packet may have been modified by us)

Syntax: iptables-Dchainrulenum [options] Where: chain indicates the chain, that is, the attribute rulenum such as INPUTFORWARD indicates the rule number. Start from 1. You can use iptables-LINPUT -- line-numbers to list... syntax: iptables-D chain rulenum [options] Where: chain indicates the chain, that is, the attribute rulenum such as input forward is the numbe

#!/bin/sh#Modprobe Ipt_masqueradeModprobe ip_conntrack_ftpModprobe ip_nat_ftpIptables-fIptables-t nat-fIptables-xIptables-t Nat-x########################## #INPUT键 ###################################Iptables-p INPUT DROPIptables-a input-m State--state established,related-j ACCEPTIptables-a input-p tcp-m multiport--dports 110,80,25-j ACCEPTIptables-a input-p tcp-s 192.168.0.0/24--dport 139-j ACCEPT#允许内网samba

Explicit extensions: You must explicitly indicate which module to use for scaling to use the extended options -M Extension Module name (This module should be available on both iptables and NetFilter) 1) multiport is used to match non-contiguous or continuous ports, and to specify 15 more ports --sports "Port,port:port" specifies the source port --dports Destination Port The--ports source

from WAN only release response packets $IPTABLES-A forward-i $INET _iface-o $LAN _iface-m State--state established,related-j ACCEPT # Allow Ping packets from WAN to be delivered to all servers in the campus $IPTABLES-A forward-p icmp-i $INET _iface-o $LAN _iface-d $LAN _http1_ip-j icmp_packets $IPTABLES-A forward-p icmp-i $INET _iface-o $LAN _iface-d $LAN _http2

#firewallconfigurationwrittenbysystem-config-firewall#manual customizationofthisfileisnotrecommended.*filter:inputaccept[ 0:0]:forwardaccept[0:0]:outputaccept[0:0]-ainput-mstate--state established,related-jaccept-ainput-picmp-jaccept-ainput -ilo-jaccept-ainput-mstate--statenew-mtcp -ptcp--dport22-jACCEPT-AINPUT-mstate--state new-mudp-ptcp--dport10000-jaccept-ainput-m state--statenew-mtcp-ptcp--dport80-jaccept-a input-mstate--statenew-mtcp-ptcp--dport8080- jaccept-ainput-mstate--statenew-mtcp-ptc

the local machine can also send data packets that pass throughOUTPUT chain,Then arrivePOSTROTING chain output(Note: The SrcIP of the data packet may have been modified) If the data packet is to be forwarded (that is, the destination IP address is no longer in the current subnet), and the kernel allows forwarding, the data packet will move to the right.FORWARD chainAnd then arrivePOSTROUTING chain output(Select the network port of the corresponding subnet for sending) 　　When writing

For Linux users, Iptable is one of the necessary skills! Maybe with many people will feel iptables difficult, not familiar with! It feels like a mess! In fact iptables (firewall) is rarely a command how complicated. But you understand the logic of the relationship! The rest of the order is a bit of a rusty feeling! But all can understand what is doing!Iptables is

Relationship between iptables rules and between iptables rules The relationship between iptables rules is ignored from top to bottom.Therefore, when adding rules, you must add them through files. In this way, you can control the order.Machine:[Root @ www ~] # Netstat-an | grep 6100Tcp 0 0 0.0.0.0: 6100 0.0.0.0: * LISTENTcp 0 0 192.168.5.140: 6100 192.168.4.199: 6

The firewall is divided into kernel State and user state:Iptables is a user-stateThe NetFilter is a kernel-stateIptables Integrated Language method:IPTABLES-T table name [ options ] link name condition -j ActionIptables-t raw/mangle/nat/filter-ai/-dfx/-lvn--line-numbers input/output/forward/preroting/postrouting conditions -j Drop/accept/reject/logPC Settings:/etc/init.d/iptables Stop # #清空所有规则, including default rulesIptables-i input-i lo-j ACCEPTIpt

,ack,rst SYN = =--syn--syn-p ICMP--icmp-type [num]num:0:echo-reply response message 8:echo-request Request message-p UDP--sport port--dport PORTShow Extensions:-M state--state combined with Ip_constack to track the status of the session New: Connection request established: Established connection invalid: Illegal connection Related: Associated, set specifically for FTP Exercise: 192.168.137.11 as a server, allowing only new data to be requested, and not allowing TCP/22 (80) to send new requests

#iptables [OPTION] COMMAND CHAIN match standard-j TARGET[OPTION]-T TABLENAME does not specify default to filter-j Specify targetCOMMANDManagement rules-a adds a rule at the end of the chain-I CHAIN [num] inserts the NUM rule on the China chain without specifying num to insert as first-D CHAIN [num] Delete the NUM rule on the CHAIN chain-R CHAIN [num] replaces the NUM rule on the CHAIN chainManagement chain-F [CHAIN] flush empties the specified rule ch

to display precise information ); -- The line-numbers rule displays the row number; Matching Condition creteria: Basic match: -S SOURCE :( IP, NETWORK) or add! Indicates reverse (for example :! -S NETWORK); (it can be omitted to indicate multiple hosts) -D DESTIONIP (target address ); -P {tcp | udp | icmp }; -I INTERFACE indicates the network INTERFACE from which the stream comes in. (only used for INPUT, FORWARD, POSTROUTING) -O INTERFACE indicates the network card from which the stream is sen

→ Core Netfilter Configuration Netfilter connection trackingsupport "Layer7" match support "String" match support "Time" matchsupport "Iprange" matchsupport "Connlimit" matchsupport "State" matchsupport "Conntrack" connection match support "Mac" address match support "Multiport"

.html######################################## ##########MPort = ", 21, 80"######################################## ##########Modprobe nf_conntrack_ftp ports = 21Modprobe nf_nat_ftp/Sbin/iptables-t filter-Z; iptables-t filter-F; iptables-t filter-X/Sbin/iptables-p input drop; iptabl