Application and explanation of iptables command under Linux

Source: Internet
Author: User
Tags ftp protocol

I. iptables rule tables and chains

Tables provide specific functionality. iptables contains four tables: filter, nat, mangle and raw, which respectively implement packet filtering, network address translation, packet modification (mangling) and control over connection tracking.

Chains are the path a packet travels along; each chain is really a checklist of rules, and a chain can hold one or several rules. When a packet reaches a chain, iptables starts with the first rule on the chain and checks whether the packet satisfies the conditions that rule defines. If it does, the system handles the packet according to the action the rule defines; otherwise iptables goes on to check the next rule. If the packet matches none of the rules on the chain, iptables handles it according to the default policy defined for that chain.
iptables uses a hierarchy of "tables" and "chains". The four tables and five chains are listed below; the relationships and roles of these tables and chains must be understood.


(1) iptables rule tables:

① filter table -- three chains: INPUT, FORWARD, OUTPUT
Function: packet filtering. Kernel module: iptable_filter.
② nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP address, port). Kernel module: iptable_nat.
③ mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modifies packet fields such as the type of service and the TTL, and can mark packets for routing to implement QoS. Kernel module: iptable_mangle. (This table is cumbersome, and we do not use it when writing our policies.)
④ raw table -- two chains: OUTPUT, PREROUTING
Function: decides whether a packet is handled by the connection-tracking mechanism. Kernel module: iptable_raw.

The order of precedence from highest to lowest is: raw --> mangle --> nat --> filter

(2) iptables rule chains:

① INPUT -- the rules in this chain are applied to packets destined for this host
② OUTPUT -- the rules in this chain are applied to packets sent out by this host
③ FORWARD -- the rules in this chain are applied when forwarding packets
④ PREROUTING -- the rules in this chain are applied before the packet is routed
(Note: every packet arriving on the host is processed by this chain first)
⑤ POSTROUTING -- the rules in this chain are applied after the packet is routed
(Note: every packet leaving the host is processed by this chain last)

The order of rules on a chain:

① For rules of the same kind (access to the same application), the one matching the smaller range goes on top.

② For rules of different kinds (access to different applications), the one matching the more frequent traffic goes on top.

③ Merge multiple rules that can be expressed by a single rule into one.

④ Set the default policy.

First case: inbound data flow

Packets arriving from outside the firewall are first processed by the PREROUTING chain (whether to modify the packet address, and so on), then routed (which decides where the packet should go). If the packet's target is the firewall host itself (for example, a packet from an Internet user accessing the web server on the firewall host), the kernel passes it to the INPUT chain (which decides whether to allow it through, and so on) and then hands it to the upper-layer application (such as the Apache server) to respond.

Second case: forwarded data flow
When the packet reaches the firewall it is first processed by the PREROUTING chain and then routed. If the packet's destination is some other external address (for example, a packet from a LAN user reaching the QQ site through the gateway), the kernel passes it to the FORWARD chain (forward or block) and then to the POSTROUTING chain (whether to modify the packet address).

Third case: outbound data flow
When the firewall itself sends a packet to an external address (for example, when a public DNS server is tested from the firewall host), the packet is first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (whether to modify the packet address).


II. The iptables command explained:

Basic syntax of iptables:

iptables [-t table] command-option [chain] [match conditions] [-j target action or jump]
Description: the table name and chain name specify which table and chain the iptables command operates on; the command option specifies how rules are managed (insert, append, delete, list, and so on); the match conditions specify which packets are to be processed; the target action or jump specifies what to do with the packet (allow it through, reject it, drop it, or jump to another chain for processing).

(1) Basic commands

① -L [chain] lists all the rules on the specified chain; by default the rules on every chain are listed.

Example: list all the rules on the INPUT chain

iptables -L INPUT

-n shows addresses and ports numerically

-v lists more details

Usually -vnL is used (L must be written last) to see all the policies on the firewall.

iptables -vnL

② --line-numbers lists the rules with their sequence numbers, usually combined with -vnL.

Example: see how many policies are on the firewall

iptables -vnL --line-numbers

③ -A appends a rule

④ -I inserts a rule; by default it becomes the first rule of the chain.

Example: insert a rule forbidding 172.17.66.66 from pinging this host as the second rule of the INPUT chain.

iptables -I INPUT 2 -s 172.17.66.66 -p icmp -j REJECT

⑤ -R replaces a rule

Example: change the IP address of the previous rule, which forbids pinging this host, from 172.17.66.66 to 172.17.88.88

iptables -R INPUT 2 -s 172.17.88.88 -p icmp -j REJECT

⑥ -D deletes a rule (NOTE: you must give either the rule number or the rule itself)

Example: delete rule number 2 of the INPUT rule chain

iptables -D INPUT 2

⑦ -F flushes all rules

Example: empty all policies on the firewall

iptables -F

⑧ -S prints the rules in command form, which can be redirected to a file.

Example: export all policies to the file iptables.txt

iptables -S > iptables.txt

⑨ -N creates a custom rule chain (it must be referenced from one of the five built-in rule chains to take effect)

Create a custom rule chain: iptables -N account

Add a policy to the custom rule chain: iptables -A account -s 172.17.66.66,172.17.88.88 -j ACCEPT

Hook the custom rule chain into a built-in rule chain: iptables -A INPUT -j account

⑩ -X deletes a custom rule chain

Remove the jump to the custom chain from the built-in rule chain: iptables -D INPUT <rule number of the jump to the custom chain>

Empty the policies within the custom rule chain: iptables -F account

Delete the custom rule chain: iptables -X account


(2) Basic match conditions: no module needs to be loaded; they are provided by iptables/netfilter itself, so -m is not needed

① [!] --dport: specify the destination port (used together with -p tcp or -p udp; takes a single port or a port range of the form first:last)

iptables -A INPUT -p tcp --dport 22:24 -j REJECT

(A discrete list such as 22,23,24,80 is not accepted by --dport; use the multiport extension described below.)

② [!] -s, --source address[/mask][,...]: source IP address or range

③ [!] -d, --destination address[/mask][,...]: destination IP address or range

④ [!] -p, --protocol protocol: specify the protocol; a number may be used, such as 0 (all)

Protocols: tcp, udp, icmp, icmpv6, udplite, esp, ah, sctp

Example: deny 172.17.66.66 access to TCP port 80 on 172.17.88.88

iptables -A FORWARD -s 172.17.66.66 -d 172.17.88.88 -p tcp --dport 80 -j REJECT

Description: [!] inverts the match.

Example: everyone except 172.17.66.66 is refused when pinging this machine

iptables -A INPUT ! -s 172.17.66.66 -p icmp -j REJECT

⑤ [!] -i, --in-interface name: the interface the packet arrives on; only for inbound packets, so only valid in the INPUT, FORWARD and PREROUTING chains

Example: iptables -A INPUT -s 172.17.66.66 -i eth0 -j REJECT

⑥ [!] -o, --out-interface name: the interface the packet leaves through; only for outbound packets, so only valid in the FORWARD, OUTPUT and POSTROUTING chains

(3) Extended matches:

① multiport extension

Defines multi-port matching in a discrete way, specifying up to 15 ports

[!] --source-ports, --sports port[,port|,port:port]... specify multiple source ports

[!] --destination-ports, --dports port[,port|,port:port]... specify multiple destination ports

[!] --ports port[,port|,port:port]... multiple source or destination ports

Example: allow the 172.17.0.0/16 network segment to access this machine on ports 20 and 80

iptables -A INPUT -s 172.16.0.0/16 -p tcp -m multiport --dports 20,80 -j ACCEPT

② iprange extension

Matches a contiguous range of IP addresses (generally not a whole network)

[!] --src-range from[-to] source IP address range

[!] --dst-range from[-to] destination IP address range

Example: deny the IP addresses 172.16.100.5-172.16.100.10 access to TCP port 80 on this machine

iptables -A INPUT -p tcp --dport 80 -m iprange --src-range 172.16.100.5-172.16.100.10 -j DROP

③ mac extension

Matches the source MAC address

--mac-source XX:XX:XX:XX:XX:XX

Example: deny the MAC address 00:50:56:12:34:56 (at 172.16.0.100) access to this machine

iptables -A INPUT -s 172.16.0.100 -m mac --mac-source 00:50:56:12:34:56 -j DROP

④ string extension (matches the response message)

String pattern matching on the application-layer data of packets

--algo {bm|kmp}: string matching algorithm

bm: Boyer-Moore

kmp: Knuth-Morris-Pratt

[!] --string pattern: the string pattern to detect

[!] --hex-string pattern: the string pattern to detect, in hexadecimal format

Example: deny the 172.16.0.0/16 network segment access to any website whose page contains the word "Google"

iptables -A OUTPUT -s 172.16.0.0/16 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "Google" -j REJECT

⑤ time extension

Matches the arrival time of the packet against a specified time range

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] start date

--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]] stop date

--timestart hh:mm[:ss] start time

--timestop hh:mm[:ss] stop time

[!] --monthdays day[,day...] days of the month

[!] --weekdays day[,day...] days of the week

Note: the CentOS 7 system defaults to UTC (Beijing time is eight hours ahead)

Example: deny the 172.16.0.0/16 network segment access to TCP port 80 every Saturday and Sunday from 14:30 to 18:30

iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 80 -m time --timestart 14:30 --timestop 18:30 --weekdays Sat,Sun --kerneltz -j DROP

⑥ connlimit extension

Matches on the number of concurrent connections per client IP, to defend against CC (Challenge Collapsar) attacks

--connlimit-upto N: match when the number of connections is less than or equal to N

--connlimit-above N: match when the number of connections is greater than N

Example: reject access to 172.16.100.10 when a client's number of connections is greater than 2

iptables -A INPUT -d 172.16.100.10 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT

⑦ state extension

conntrack mechanism: tracks the relationship between requests and responses on this machine

There are several states:

NEW: a newly issued request; the connection tracking table has no entry for this connection, so it is identified as a first-time request

iptables -A INPUT -s 172.17.66.66 -p tcp --dport 80 -m state --state NEW -j REJECT (whatever else is configured, every new connection from this host is rejected, so it can no longer access port 80)

ESTABLISHED: after the NEW state, the entry created for the connection in the connection tracking table holds the communication state until it expires

RELATED: a newly initiated connection that is associated with an existing connection, such as the relationship between the data connection and the command connection in the FTP protocol

INVALID: an invalid connection, such as one whose TCP flags are not correct

UNTRACKED: a connection that is not being tracked, for example because tracking was switched off in the raw table

III. The network firewall

iptables/netfilter as a network firewall:
(1) Acts as a gateway
(2) Uses the FORWARD chain of the filter table

① SNAT

Lets hosts on the local network access the external network through a specific address, masquerading their source address

Network topology: (figure omitted)

Source address translation is generally used when many of our intranet users reach the Internet through one external interface: by translating our intranet addresses into one public IP we gain the ability to connect to other public IPs.

The defined style:

For example, we now want every IP in the 192.168.0.0/24 network segment that passes through the router (remember to enable the forwarding function; the router connects both the extranet and the intranet) to be translated to the assumed public address 8.8.8.8:

Command: iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 8.8.8.8

In this way, any traffic from the local network that tries to reach the outside through this NIC has its source address translated to 8.8.8.8.

② DNAT

Destination address translation: the data flow is from outside to inside; outside is the client and inside is the server. Through destination address translation we let outside IPs reach, via our single external IP, the different servers in the intranet on which our services are placed.

The defined style:

For example, we now want traffic from the Internet to the 192.168.0.0/24 LAN to be translated, as it passes through the router, to the intranet address 192.168.2.2:

Command: iptables -t nat -A PREROUTING -d 8.8.8.8 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.2
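The SNAT and DNAT rules above, assembled into a complete gateway setup together with the FORWARD chain and the state match from sections I and II, as an added example that is not part of the original post. The interface names eth0/eth1 and the web server address 192.168.2.2 are assumptions; the LAN 192.168.10.0/24 and the public address 8.8.8.8 are the post's own placeholders. Setting DRY_RUN=1 prints the commands instead of executing them, so the plan can be reviewed on a host without root.

```shell
# Added example (not from the original post). Assumed names: LAN 192.168.10.0/24
# behind eth1, public address 8.8.8.8 on eth0, web server 192.168.2.2.
LAN_NET="192.168.10.0/24"
LAN_IF="eth1"
WAN_IF="eth0"
PUBLIC_IP="8.8.8.8"
WEB_SERVER="192.168.2.2"

# run CMD...: execute the command, or only print it when DRY_RUN is set, so the
# rules can be reviewed (or checked in a test) without root or netfilter.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_gateway() {
  # The kernel must route between interfaces before the FORWARD chain sees traffic.
  run sysctl -w net.ipv4.ip_forward=1
  # Start from an empty FORWARD chain with a deny-by-default policy.
  run iptables -F FORWARD
  run iptables -P FORWARD DROP
  # Replies to tracked connections come first: they are the most frequent match.
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m state --state INVALID -j DROP
  # New connections from the LAN to the outside may be forwarded...
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  # ...and get the public source address after routing (POSTROUTING, nat table).
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
  # Publish the internal web server: rewrite the destination before routing
  # (PREROUTING), then explicitly allow the forwarded packets to reach it.
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
  run iptables -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# planned_rules: the iptables commands configure_gateway would issue, one per line.
planned_rules() { ( DRY_RUN=1; configure_gateway ) | grep '^iptables'; }
```

Run `DRY_RUN=1 sh gateway.sh` style dry runs first; the same file applied without DRY_RUN (as root) installs the rules, which then still need saving as described in section IV.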

IV. Saving and loading rules

Note: everything you define is lost when the machine restarts; if you want the rules to persist you must save them with a command.

① service iptables save command

Saves the rules to the file /etc/sysconfig/iptables.

② iptables-save command

iptables-save > /etc/sysconfig/iptables

③ iptables-restore command

/etc/sysconfig/iptables is loaded automatically at boot.

If it is not loaded at boot, or you want a configuration file you wrote yourself (say iptables.2) to take effect manually:

iptables-restore < /etc/sysconfig/iptables.2

This completes defining iptables rules manually.
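An added example (not from the original post) that applies the rule-ordering guidance of section I to a ruleset in the format written by iptables-save (section IV): it reports an INPUT chain whose default policy is not DROP, or one where an accept for NEW connections is evaluated before the high-frequency ESTABLISHED,RELATED accept. The ruleset below is a constructed sample with the order deliberately wrong; the function and file names are assumptions.

```shell
# Constructed sample in iptables-save format; the INPUT order is deliberately
# wrong: the NEW-connection accept (rule 1) sits above ESTABLISHED,RELATED (rule 2).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 20,80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 172.17.66.66 -p icmp -j REJECT
COMMIT'

# write_sample: save the sample to a temporary file and print its path.
write_sample() { f=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$f"; echo "$f"; }

# input_policy FILE: default policy of the filter table's INPUT chain.
input_policy() { awk '/^\*filter/{f=1} f && /^:INPUT /{print $2; exit}' "$1"; }

# rule_line FILE PATTERN: position in the INPUT chain of the first rule containing
# PATTERN (the number "iptables -L --line-numbers" would show), or 0 if absent.
rule_line() {
  awk -v pat="$2" '/^\*filter/{f=1} /^COMMIT/{f=0}
    f && /^-A INPUT /{n++; if (index($0, pat)) {print n; found=1; exit}}
    END {if (!found) print 0}' "$1"
}

# audit_ruleset FILE: returns 0 when INPUT is deny-by-default and the
# ESTABLISHED,RELATED accept is evaluated before any NEW-connection accept;
# otherwise prints what to fix and returns 1.
audit_ruleset() {
  file="$1"; rc=0
  if [ "$(input_policy "$file")" != "DROP" ]; then
    echo "INPUT default policy is not DROP"; rc=1
  fi
  est=$(rule_line "$file" "--state ESTABLISHED,RELATED -j ACCEPT")
  new=$(rule_line "$file" "--state NEW -j ACCEPT")
  if [ "$est" -eq 0 ]; then
    echo "no ESTABLISHED,RELATED accept rule on INPUT"; rc=1
  elif [ "$new" -ne 0 ] && [ "$new" -lt "$est" ]; then
    echo "rule $new (NEW accept) runs before rule $est (ESTABLISHED,RELATED): move the high-frequency rule up"; rc=1
  fi
  return "$rc"
}
```

On a live host, save first and then audit the file: iptables-save > /tmp/rules && audit_ruleset /tmp/rules.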

