Start and stop
1. Command:
service iptables start|stop|restart
or run the init script under /etc/init.d/ directly.
2. Configuration file:
/etc/sysconfig/iptables
If it does not exist, you can generate it with iptables-save.
Framework: tables > chains > rules (targets)
As a whole, iptables is made up of many chains (the older implementation was in fact called ipchains). The hierarchy is:
A table consists of multiple chains, and a chain consists of multiple rules (each rule has exactly one target). The target concept works like this: the system provides built-in targets such as ACCEPT, DROP, REJECT and LOG, meaning that if a packet matches the rule, the target is what happens to it. The advantage of targets is that a user can define a chain of their own and then use that chain's name as a new target, which lets related rules be grouped together. This forms a hierarchy of rules: when a rule is matched, evaluation continues at its target.
1. iptables consists of four tables, each with its own default chains:
(1) filter: three chains by default, INPUT, OUTPUT and FORWARD
(2) nat: does the NAT work; three chains by default, OUTPUT, PREROUTING and POSTROUTING
(3) mangle: modifies some packet parameters; five chains by default, INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING
(4) raw: its purpose is not covered here; two chains by default, OUTPUT and PREROUTING
Different tables are responsible for different aspects. By default an iptables command applies to the filter table; use -t nat to make it apply to the nat table.
2. So-called firewall configuration means:
(1) Adding rules to chains:
Each chain is composed of a series of rules; for example, you change the INPUT chain to allow users to reach a port on your machine.
For instance, this INPUT chain has two rules, one allowing users to reach your port 5901 and one allowing them to reach your port 5902.
General security policy:
1. Start with the most stringent measures, and relax the limits a little only when you find that something useful cannot work.
2. The firewall cannot be used as the main means of preventing intrusion; it can only supplement the independent protective measures on each host. Those per-host measures include crack, tcpd, nmap, cops, tripwire and the corresponding policies.
Rules and commands:
The rule is very simple: a packet is handed to the corresponding built-in chain, and the rules in that chain are evaluated in order from top to bottom, stopping at the first match, like a switch statement with break. So if you want to open some ports, write those rules first, and write the rule that closes all ports after them.
Static rules:
1. iptables -F chain-name:
Clears all rules in the chain named chain-name; -F alone clears all rules in all chains but keeps the chains themselves.
This defaults to the filter table only. To clear the nat table, use iptables -t nat -F.
2. iptables -P chain-name target:
Sets the default policy for the chain named chain-name. This is usually done at the beginning of the rule set for the chain; it is the equivalent of the default branch in a switch statement. Note that if you set the policy of a chain in nat or mangle, don't forget -t table. Also note that the target here can only be a built-in target.
3. iptables -A chain-name rule
Appends a rule to the chain named chain-name, where rule is a combination of:
-j target: a built-in target or a user-defined chain
-i interface: such as eth0
-p proto: the protocol, e.g. tcp or udp
-s source-ip: source IP
-d dest-ip: destination IP
--sport source-port: source port
--dport dest-port: destination port
--icmp-type type: matches the ICMP type, i.e. which kind of ICMP packet you allow through, given as a number
!: negation
-t table: the table
4. iptables -I chain-name rulenum rule:
The difference from -A is that this inserts instead of appending to the end. Rule number 1 is the front of the chain.
5. iptables -X chain-name:
Removes a user-defined chain. This differs from -F: the entire chain is deleted and its name is gone, as you can confirm with iptables -L -v.
6. iptables -D chain-name rule/rulenum
This is the exact opposite of iptables -A chain-name rule: to delete a rule from chain-name, write the rule exactly as it was added. Or use rulenum, the position of the rule counted from the top of the chain, where the first rule is number 1.
7. iptables -L chain-name
Prints the rules of the chain named chain-name. If chain-name is not given, prints all chains.
8. iptables -L -v chain-name
Adds some useful information to the plain -L output, such as how many packets have matched each rule since boot.
Dynamic rules: for connections (TCP connections)
1. There are three state parameters:
NEW: the first packet of a new TCP connection
ESTABLISHED: once the connection is established, the packets belonging to that connection
RELATED: a new connection set up while an existing connection is established (typically FTP passive mode, where the client initiates a data connection to the server on a port specified by the server)
2. Commands:
iptables -A INPUT -m state --state NEW -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The two commands above reject all new connections from outside but allow connections you initiated yourself to receive data from outside (ESTABLISHED).
Plus:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p udp --dport 21 -j ACCEPT
This allows outside access to port 21 (FTP, assuming passive mode); combined with the state rules above, it lets the outside actively initiate the FTP data connection to you, which may be on any port, but there is no need to write a rule for it.
So in general, write the dynamic rules first and then the static rules, to handle cases like FTP passive mode where you do not know which port the user will access.
3. Note:
Stateful rules require support from the appropriate kernel module; if it is not compiled in or not loaded, they will not take effect.
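The static commands (-F, -P, -A, -L) and the stateful rules from the two sections above combined into one script, as an added example that is not code from the original page. Because rules are matched top to bottom, the port-21 ACCEPT is placed before the generic NEW DROP, and a LOG rule is added so rejected connection attempts are visible in the kernel log; the IPT and FTP_PORT variables and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original page: the page's static and
# stateful INPUT rules in the order first-match evaluation requires.
# IPT defaults to a dry run that prints each command; run with
# IPT=iptables as root to apply the rules for real.
IPT="${IPT:-echo iptables}"
FTP_PORT=21          # the page's example service (FTP, passive mode)

build_input_chain() {
    # start from a clean chain and the strictest default: drop everything
    $IPT -t filter -F INPUT
    $IPT -t filter -P INPUT DROP
    # loopback traffic is always local
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections we opened, and related data connections
    # (e.g. passive FTP), whatever port they arrive on
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # services we expose: this must come BEFORE the generic NEW drop,
    # otherwise the drop rule matches first and the port is never reachable
    $IPT -A INPUT -p tcp --dport "$FTP_PORT" -m state --state NEW -j ACCEPT
    # everything else that tries to open a connection: log it (rate
    # limited so a scan cannot flood the log), then drop it
    $IPT -A INPUT -m state --state NEW -m limit --limit 5/min \
         -j LOG --log-prefix "IPT-INPUT-DENY: "
    $IPT -A INPUT -m state --state NEW -j DROP
}

show_input_chain() {
    # per-rule packet counters, as the page describes for -L -v
    $IPT -L INPUT -v -n --line-numbers
}

build_input_chain
show_input_chain
```

Check the counters with show_input_chain after a test connection: a hit on the "NEW ... DROP" line that should have been a service you meant to expose means its ACCEPT rule is missing or sits below the drop.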
iptables IP access control on the requested URL
Let's look at an example.
The server runs Tomcat, and the requirement is to allow only specific IPs to access one directory.
One approach is to use RemoteAddrValve on the virtual host in Tomcat's configuration file server.conf.
Another is an iptables rule. I like iptables more than anything.
For example: forbid access to the path http://192.168.137.254:10000/managersns and allow only 192.168.137.101 to reach it:
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -s 192.168.137.101 -m string --string "/managersns" --algo bm -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 10000 -m string --string "/managersns" --algo bm -j DROP
The rules above are for the eth0 network card; modify them to fit your needs.
Parameter description:
-m string
Uses the string module of iptables, which performs a string match.
--string "XXXX"
Defines the string to match. It can be any characters in the URL; if you need to block downloads of certain file types or certain requests, there is a lot of room to play here, so use your imagination.
--algo bm
Sets the string-matching algorithm. The default BM algorithm is generally fine; the KMP algorithm can also be chosen, which is the more complex algorithm, see the algorithms literature for details. (BM = Boyer-Moore, KMP = Knuth-Morris-Pratt)
-j DROP
Sets the target for packets that meet the condition; DROP discards them.
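The path-based access control above as a function, as an added example that is not code from the original page: the trusted source is accepted first (first match wins), a LOG rule makes denied requests visible in the kernel log, and --icase (an option of the string match) stops a differently-cased path from bypassing the rule. The IPT, IFACE, PORT, URL_PATH and ALLOWED variables and the dry-run default are assumptions of this example; the addresses and port are the page's.

```shell
#!/bin/sh
# Added example, not code from the original page: the page's URL path ACL
# with logging and a case-insensitive match. IPT defaults to a dry run
# that prints each command; IPT=iptables (as root) applies it.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"                 # interface from the page's example
PORT="${PORT:-10000}"                  # Tomcat port from the page's example
URL_PATH="${URL_PATH:-/managersns}"    # protected path from the page's example
ALLOWED="${ALLOWED:-192.168.137.101}"  # the only client allowed in

path_acl_rules() {
    # common match: TCP to the service port whose payload contains the path.
    # -m string inspects one packet at a time: the request line normally sits
    # in the first data packet, but nothing is reassembled across packets,
    # and a longer path such as "/managersns2" also contains the substring.
    # $m is expanded unquoted on purpose so it splits into separate options.
    m="-i $IFACE -p tcp --dport $PORT -m string --string $URL_PATH --algo bm --icase"
    # 1. the trusted client gets through
    $IPT -A INPUT $m -s "$ALLOWED" -j ACCEPT
    # 2. anyone else asking for the path is logged (rate limited) ...
    $IPT -A INPUT $m -m limit --limit 10/min -j LOG --log-prefix "URL-ACL-DENY: "
    # 3. ... and dropped
    $IPT -A INPUT $m -j DROP
}

path_acl_rules
```

Because DROP discards only the packet carrying the request, the client's TCP connection stays open until it times out; the LOG line (prefix URL-ACL-DENY) in the kernel log is what tells you a denied source tried the path.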
This is very effective for blocking video sites on a corporate network; set it on the gateway server:
iptables -A FORWARD -m string --string "ku6.com" --algo bm -j DROP
iptables -A FORWARD -m string --string "tudou.com" --algo bm -j DROP
iptables -A FORWARD -m string --string "ouou.com" --algo bm -j DROP
The meanings of the parameters are as follows:
-A FORWARD
Adds the rule to the FORWARD chain, which is used when routing is enabled (that is, echo 1 > /proc/sys/net/ipv4/ip_forward).
If the traffic is accessed directly on this host, INPUT or OUTPUT can be used instead.
-j DROP
Sets the handling of packets that meet this condition: DROP discards them; REJECT has a similar meaning.
iptables -A INPUT -m string --string "stringname" --algo bm -j DROP