Iptables official website: http://netfilter.org/
Path of the data packet passing through the firewall
Port prohibited
Force access to a site
Publish an internal network server
Intelligent DNS
Port mapping
Access through NAT
Save and restore IP rules
Iptables command syntax
Iptables instance
Path of the data packet passing through the firewall
This figure shows in full how a data packet passes through the firewall. To save space, the single figure actually covers three cases:
1. A packet coming from outside whose destination is the firewall (the local machine) takes the left-hand path, from top to bottom.
2. A packet generated by the firewall (the local machine) starts at "local process" and takes the left-hand path, from top to bottom.
3. A packet coming from outside whose destination is another host takes the right-hand path, from top to bottom.
If the rarely used mangle table is omitted from the figure, the paths become clearer.
Instance with prohibited ports
Disable the ssh port
Allow ssh remote logon only from 192.168.62.1 and prohibit ssh from all other computers:
# iptables -A INPUT -s 192.168.62.1 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
Disable the proxy port
# iptables -A INPUT -p tcp --dport 3128 -j REJECT
Disable the icmp port
Prohibit everyone except 192.168.62.1 from pinging my host:
# iptables -A INPUT -i eth0 -s 192.168.62.1/32 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
Or
# iptables -A INPUT -i eth0 -s 192.168.62.1/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
Note: You can use iptables --protocol icmp --help to view the ICMP types.
Is there any other way to achieve this?
Prohibit the QQ port
# iptables -A FORWARD -p udp --dport 8000 -j REJECT
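The rules of this section collected into one iptables-restore ruleset, added here as an example and not part of the original page. It assumes a default-DROP INPUT policy, the admin host 192.168.62.1 on eth0 as above, and adds loopback and connection-tracking rules so replies still get in; the check function catches the ordering mistake where the DROP for port 22 ends up before the ACCEPT, which would lock out the admin host as well.

```shell
#!/bin/sh
# Added example, not from the original page: the "prohibited ports" rules of
# this section as one iptables-restore ruleset. Rules are appended in order,
# exactly like successive "iptables -A" calls, so ACCEPT must precede DROP.
ADMIN_HOST=${ADMIN_HOST:-192.168.62.1}   # assumption: the only allowed ssh/ping source
LAN_IF=${LAN_IF:-eth0}

# Print the ruleset to stdout (iptables-restore format, "#" lines are comments).
host_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh only from the admin host; everything else hits the DROP that follows
-A INPUT -i $LAN_IF -s $ADMIN_HOST/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
# proxy port: answer with an ICMP error instead of a silent drop
-A INPUT -p tcp --dport 3128 -j REJECT
# ping (ICMP type 8, echo-request) only from the admin host
-A INPUT -i $LAN_IF -s $ADMIN_HOST/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -m icmp --icmp-type 8 -j DROP
# QQ port for hosts whose traffic is forwarded through this machine
-A FORWARD -p udp --dport 8000 -j REJECT
COMMIT
EOF
}

# Ordering check: the admin ACCEPT for port 22 must come before the DROP for
# port 22, otherwise the admin host is locked out as well. Returns 0 if ok.
check_order() {
  accept_line=$(host_rules | grep -n -- '--dport 22 -j ACCEPT' | cut -d: -f1)
  drop_line=$(host_rules | grep -n -- '--dport 22 -j DROP' | cut -d: -f1)
  [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Load atomically as root: --test parses the whole set first without committing.
load_rules() {
  host_rules | iptables-restore --test && host_rules | iptables-restore
}

# Usage: sh host_rules.sh show | apply
if [ "${1:-}" = "show" ]; then host_rules; fi
if [ "${1:-}" = "apply" ]; then check_order && load_rules; fi
```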
Force access to the specified site
To force computers in the 192.168.52.0/24 network (whose gateway should be set to 192.168.52.10) to access a specified site, add the following rules on the computer used as the firewall (192.168.52.10):
1. Enable the IP packet forwarding function:
echo 1 > /proc/sys/net/ipv4/ip_forward
2. Add destination address translation rules to the nat table on the NAT/firewall computer:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 202.96.134.130:80
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 80 -j DNAT --to-destination 202.96.134.130:80
3. Add source address translation rules to the nat table on the NAT/firewall computer:
iptables -t nat -I POSTROUTING -o eth1 -p tcp --dport 80 -s 192.168.52.0/24 -j SNAT --to-source 202.96.134.10:20000-30000
iptables -t nat -I POSTROUTING -o eth1 -p udp --dport 80 -s 192.168.52.0/24 -j SNAT --to-source 202.96.134.10:20000-30000
4. Test: open a browser on any computer on the intranet and enter any IP address outside the local network; the browser is directed to the website at 202.96.134.130.
Publish an internal network server
To allow computers on the Internet to access the FTP server and web server on the intranet, add the following rules on the computer used as the firewall:
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. Publish the intranet web server:
iptables -t nat -I PREROUTING -p tcp -i eth1 -s 202.96.134.0/24 --dport 80 -j DNAT --to-destination 192.168.52.15:80
iptables -t nat -I POSTROUTING -p tcp -o eth1 -s 192.168.52.15 --sport 80 -j SNAT --to-source 202.96.134.10:20000-30000
3. Publish the intranet ftp server:
iptables -t nat -I PREROUTING -p tcp -i eth1 -s 202.96.134.0/24 --dport 21 -j DNAT --to-destination 192.168.52.14:21
iptables -t nat -I POSTROUTING -p tcp -o eth1 -s 192.168.52.14 --sport 21 -j SNAT --to-source 202.96.134.10:40000-50000
4. Note: set the gateway of the computers on the intranet to the IP address of the firewall (192.168.52.1).
5. Test:
From a computer on the simulated Internet with an address in 202.96.134.0/24, access http://202.96.134.10 in a browser; what you actually see is the web service of 192.168.52.15.
When you access ftp://202.96.134.10, you should see the ftp service on 192.168.52.14.
Intelligent DNS
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. Add the following rules on the NAT server.
Add destination address translation rules to the PREROUTING chain:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 202.96.134.130
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 202.96.134.130
Add source address translation rules to the POSTROUTING chain:
iptables -t nat -I POSTROUTING -o eth1 -s 192.168.52.0/24 -p tcp --dport 53 -j SNAT --to-source 202.96.134.10:40000-50000
iptables -t nat -I POSTROUTING -o eth1 -s 192.168.52.0/24 -p udp --dport 53 -j SNAT --to-source 202.96.134.10:40000-50000
3. Test:
On any computer on the intranet, set the DNS server to any Internet IP address; a DNS test tool such as nslookup will then actually resolve names through the DNS server 202.96.134.130.
Port mapping
See the transparent proxy settings in the previous section.
# iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.62.0/24 --dport 80 -j REDIRECT --to-ports 3128
Access through NAT
Typical NAT
Generally, the computer used for NAT is also the gateway of the LAN. Assume that the machine has two NICs, eth0 and eth1: eth0 is connected to the Internet with the IP address 202.96.134.134, and eth1 is connected to the LAN with the IP address 192.168.62.10.
1. First enable IP forwarding in the kernel:
# echo 1 > /proc/sys/net/ipv4/ip_forward
2. The NAT rule required for LAN users to access the Internet:
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 202.96.134.134
If the address on the Internet side is a dynamic IP address, use the following rule instead:
# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.62.0/24 -j MASQUERADE
If you use ADSL to access the Internet and the public IP address is dynamic, use the following rule:
# iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.62.0/24 -j MASQUERADE
3. The NAT rule required for Internet users to access a web host in the LAN:
# iptables -t nat -A PREROUTING -p tcp -d 202.96.134.134 --dport 80 -j DNAT --to-destination 192.168.62.10
Note: clients in the LAN must set their default gateway and DNS to the IP address of the firewall.
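The typical NAT setup above as one generated ruleset, added here as an example and not part of the original page. Interfaces and addresses are those of this section; the FORWARD rules are an addition, because DNAT only rewrites the destination address and the forwarded packet still has to be allowed through the FORWARD chain. nat_rules static uses the fixed-address SNAT, nat_rules dynamic the MASQUERADE variant.

```shell
#!/bin/sh
# Added example, not from the original page: the "typical NAT" gateway as one
# iptables-restore ruleset. eth0 = Internet (202.96.134.134), eth1 = LAN
# 192.168.62.0/24, published web host 192.168.62.10, as in the section above.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=${EXT_IP:-202.96.134.134}
LAN_NET=${LAN_NET:-192.168.62.0/24}
WEB_HOST=${WEB_HOST:-192.168.62.10}   # assumption: the LAN web server to publish

# $1 = "static": SNAT to the fixed public address (the page's first rule);
# $1 = "dynamic": MASQUERADE, for links whose public address changes (ADSL).
nat_rules() {
  if [ "$1" = "dynamic" ]; then
    snat="-A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE"
  else
    snat="-A POSTROUTING -o $EXT_IF -s $LAN_NET -j SNAT --to-source $EXT_IP"
  fi
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# publish the LAN web host on the public address, port 80 only
-A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport 80 -j DNAT --to-destination $WEB_HOST:80
$snat
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT only rewrites the address: forwarding still has to be allowed here.
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_HOST --dport 80 -j ACCEPT
COMMIT
EOF
}

# Apply on the gateway as root: enable forwarding, parse-check, then commit.
apply_nat() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  nat_rules "$1" | iptables-restore --test && nat_rules "$1" | iptables-restore
}

# Usage: sh nat_gateway.sh apply [static|dynamic]
if [ "${1:-}" = "apply" ]; then apply_nat "${2:-static}"; fi
```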
NAT shared Internet access in our network room
Working environment: the upstream proxy 192.168.60.6 (port 4480) grants only the host machine (192.168.62.111) permission to use the proxy.
Objective: access the Internet through NAT instead of through the squid proxy.
Method:
1) Make sure that squid or any other proxy service on the host machine (192.168.62.111) is stopped.
2) Point the clients' gateway and DNS to 192.168.62.111 and set the browser proxy to 192.168.60.6 (port 4480). Test whether the Internet can be accessed in this situation.
3) Add the following iptables rule on the host machine (192.168.62.111):
# iptables -t nat -A POSTROUTING -p tcp -d 192.168.60.6/32 --dport 4480 -j SNAT --to-source 192.168.62.111:10000-30000
Explanation: for TCP packets whose destination is 192.168.60.6 and destination port is 4480, after the firewall has routed them, the source address is rewritten to 192.168.62.111 and the source port to a port between 10000 and 30000.
4) Check whether the clients can access the Internet.
Save and restore IP rules
iptables-save saves the rules to a file, which is then loaded automatically by the script under rc.d (/etc/rc.d/init.d/iptables).
Use the command iptables-save to save the rules. Generally
iptables-save > /etc/sysconfig/iptables
generates the file /etc/sysconfig/iptables that holds the saved rules.
You can also use
service iptables save
which automatically saves the rules to /etc/sysconfig/iptables.
When the computer starts, the script under rc.d uses the command iptables-restore to load this file, so that the rules are restored automatically.
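A safe-apply wrapper around iptables-save and iptables-restore, added here as an example and not part of the original page. It keeps a backup of the running rules, parse-checks the new file with iptables-restore --test, and restores the backup automatically unless the change is confirmed within a time window, which protects against locking yourself out when reloading rules on a remote firewall. The backup and marker paths and the overridable command names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: load a saved ruleset with a
# syntax check, a backup and an automatic rollback. Paths are assumptions;
# the command names can be overridden (e.g. for testing without root).
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"
: "${BACKUP:=/var/tmp/iptables.backup}"
: "${CONFIRM:=/var/tmp/iptables.confirmed}"

# Parse-check a ruleset file without committing it; 0 if iptables-restore accepts it.
check_rules() {
  "$IPT_RESTORE" --test < "$1"
}

# Apply ruleset file $1 with a rollback window of $2 seconds (default 60).
# Returns 1 and changes nothing if the file does not parse or the backup fails.
safe_apply() {
  rules=$1
  window=${2:-60}
  check_rules "$rules" || { echo "refusing to load $rules: parse error" >&2; return 1; }
  "$IPT_SAVE" > "$BACKUP" || return 1
  rm -f "$CONFIRM"
  "$IPT_RESTORE" < "$rules" || return 1
  # watchdog: unless confirm_apply ran within the window, restore the backup
  ( trap '' HUP; sleep "$window"; [ -e "$CONFIRM" ] || "$IPT_RESTORE" < "$BACKUP" ) &
  echo "loaded $rules; run confirm_apply within ${window}s to keep it"
}

# Mark the new ruleset as accepted so the watchdog leaves it in place.
confirm_apply() {
  : > "$CONFIRM"
}

# Usage (as root): sh safe_apply.sh /etc/sysconfig/iptables.new 60
if [ -n "${1:-}" ]; then safe_apply "$1" "${2:-60}"; fi
```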
Iptables
Command syntax
iptables [-t table] command [match] [-j target/jump]
[-t table] specifies the rule table
The -t parameter selects the rule table. There are three built-in rule tables: nat, mangle, and filter. If no rule table is specified, filter is used. The rule tables have the following functions:
nat: This rule table has two rule chains, PREROUTING and POSTROUTING, and is mainly used to perform one-to-one, one-to-many, and many-to-many address translation (SNAT and DNAT). This rule table is used only for address translation; do not use it for other purposes.
mangle: This rule table has three rule chains, PREROUTING, FORWARD, and POSTROUTING. Besides being modified during address translation, packets may also have to be rewritten for some special applications (TTL, TOS) or be given a MARK (marking packets for subsequent filtering). Such tasks must be defined in the mangle rule table. Because it is not used often, we do not intend to discuss the usage of mangle here.
filter: This rule table is the default rule table and has the chains INPUT, FORWARD, and OUTPUT. It is used to filter packets (for example, DROP, LOG, ACCEPT, or REJECT); we will create the basic rules in this rule table.
List of common commands:
Command -A, --append
Example: iptables -A INPUT ...
Adds a new rule to a rule chain; it becomes the last rule in the chain.
Command -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 1
Deletes a rule from a rule chain. You can either enter the complete rule or specify the rule number directly.
Command -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Replaces the current rule; the order of the rules is not changed after the replacement.
Command -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Inserts a rule. The rule that was at the specified position moves back one position.
Command -L, --list
Example 1: iptables -L INPUT
Lists all rules in a rule chain.
Example 2: iptables -t nat -L
Lists all rules in all chains of the nat table.
Command -F, --flush
Example: iptables -F INPUT
Deletes all rules of the INPUT chain in the filter table.
Command -Z, --zero
Example: iptables -Z INPUT
Resets the packet counters to zero. The packet counters count how many times the same kind of packet has occurred and are an indispensable tool when filtering out attacks that try to block the service.
Command -N, --new-chain
Example: iptables -N allowed
Defines a new rule chain.
Command -X, --delete-chain
Example: iptables -X allowed
Deletes a rule chain.
Command -P, --policy
Example: iptables -P INPUT DROP
Defines the filter policy, that is, the default handling of packets that do not match any filtering rule.
Command -E, --rename-chain
Example: iptables -E allowed disallowed
Renames a custom rule chain.
[match] common packet matching parameters
Parameter -p, --protocol
Example: iptables -A INPUT -p tcp
Matches the communication protocol type. The ! operator can be used for inverse matching, for example:
-p ! tcp
means all types except tcp, such as udp and icmp.
To match all types, use the all keyword, for example:
-p all
Parameter -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Matches the source IP address of the packet. It can match a single machine or a network; when matching a network, use a number to represent the subnet mask, for example:
-s 192.168.0.0/24
The ! operator can be used for inverse matching of IP addresses, for example:
-s ! 192.168.0.0/24
Parameter -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Matches the destination IP address of the packet. It is set in the same way as above.
Parameter -i, --in-interface
Example: iptables -A INPUT -i eth0
Matches the NIC through which the packet enters. The wildcard character + can be used, for example:
-i eth+
matches all ethernet NICs.
The ! operator can also be used for inverse matching, for example:
-i ! eth0
Parameter -o, --out-interface
Example: iptables -A FORWARD -o eth0
Matches the NIC through which the packet is sent out.
Parameter --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Matches the source port of the packet. It can match a single port or a range, for example:
--sport 22:80
matches ports 22 through 80. To match multiple non-contiguous ports, you must use the --multiport parameter; see the section below. The ! operator can be used for inverse matching of port numbers.
Parameter --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Matches the destination port of the packet. It is set in the same way as above.
Parameter --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Matches the status flags of TCP packets. The parameter has two parts: the first part lists which flags to examine, and the second part lists which of those flags must be set; the examined flags not listed in the second part must be clear. The TCP status flags are SYN, ACK, FIN, RST, URG, and PSH, and all of them can be used in the parameter. In addition, the keywords ALL and NONE can be used for matching. The ! operator can be used for inverse matching of flags.
Parameter --syn
Example: iptables -p tcp --syn
Matches TCP packets in which the SYN bit is set and the ACK and FIN bits are clear, that is, the initial packet of a TCP connection. It behaves exactly the same as iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. The ! operator can be used to match packets that are not connection requests.
Parameter -m multiport --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Matches multiple non-contiguous source ports; a maximum of 15 ports can be matched at a time. The ! operator can be used for inverse matching.
Parameter -m multiport --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Matches multiple non-contiguous destination ports. It is set in the same way as above.
Parameter -m multiport --port
Example: iptables -A INPUT -p tcp -m multiport --port 80,110
This parameter is special: it matches packets whose source port and destination port are the same number. It is set in the same way as above. Note: in this example, a packet whose source port is 80 and destination port is 110 does not match.
Parameter --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Matches the ICMP type number. You can use either the code name or the number. Run iptables -p icmp --help to see which codes are available.
Parameter -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Matches the average rate of packets within a certain period. The example above matches whether the average rate exceeds three packets per hour. Besides per hour, the period can also be per second, per minute, or per day; the default is per hour. The corresponding parameters are /second, /minute, and /day. Besides counting packets, setting this parameter also stops the rule from matching once the condition is met, which prevents the service from being blocked by attackers using flood attacks.
Parameter --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Matches a burst of packets arriving at one instant. The example above matches whether the number of packets flooding in at the same time exceeds 5 (this is the default value). Packets exceeding this limit are discarded directly. The effect is the same as for --limit.
Parameter -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Matches the hardware address of the network interface the packet came from. This parameter cannot be used in the OUTPUT or POSTROUTING rule chains, because when a packet is sent out to the network, the MAC address of the destination is resolved by the NIC driver through the ARP protocol, so iptables does not yet know which network interface the packet will be sent from while it is matching the packet.
Parameter --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Matches the number marked on a packet. When a packet has been matched successfully, we can mark it with a number through the MARK processing action. The number cannot exceed 4294967296.
Parameter -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Matches packets originating from the local machine and checks whether they were generated by a specific user. This prevents the server from sending out sensitive data as the root user or by other means, and can reduce the loss to the system. Unfortunately, this function cannot match packets from other hosts.
Parameter -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Matches packets originating from the local machine and checks whether they were generated by a specific user group.
Parameter -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Matches packets originating from the local machine and checks whether they were generated by a specific process.
Parameter -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Matches the reply packets of a specific connection (session ID) originating from the local machine.
Parameter -m state --state
Example