Basic use of the iptables command

Source: Internet
Author: User

I. basic chain operations

1. clear all rules.

1) clear all rules in every chain of the default table (filter).

# iptables -F

2) delete the user-defined chains in the default table (filter) and zero the packet and byte counters of every chain (-X only removes chains that are already empty, so run -F first).

# iptables -X

# iptables -Z

2. set the default policy of each chain. There are two methods.

1) allow all packets first, then forbid the dangerous ones from passing through the firewall.

# iptables -P INPUT ACCEPT

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

2) deny all packets first, then allow specific packets through the firewall according to the services required.

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD DROP

3. list all rules of a table or chain. By default only the filter table is listed.

# iptables -L

4. add rules to a chain. The following statements open a network interface:

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A OUTPUT -o lo -j ACCEPT

# iptables -A INPUT -i eth0 -j ACCEPT

# iptables -A OUTPUT -o eth1 -j ACCEPT

# iptables -A FORWARD -i eth1 -j ACCEPT

# iptables -A FORWARD -o eth1 -j ACCEPT

Note: because packets from local processes do not pass through the FORWARD chain, the loopback interface lo is only meaningful in the INPUT and OUTPUT chains.

5. user-defined chain. Create the chain, add a rule to it, then jump to it from a built-in chain:

# iptables -N custom

# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP

# iptables -A INPUT -s 0/0 -d 0/0 -j custom
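The chain operations of section I combined into one iptables-restore file, as an added example that is not part of the original page. Loading with iptables-restore replaces the filter table atomically (the equivalent of -F and -X on it), and a small pre-flight check catches a -j that points at a chain that was never created; eth0 is an assumed placeholder for the external interface.

```shell
#!/bin/sh
# Added example (not from the original page): the chain operations above
# written as one iptables-restore file, which loads atomically and replaces
# the filter table (the equivalent of -F and -X on it), plus a pre-flight
# check that every -j target names a chain that exists.
# Assumption: eth0 is the external interface (placeholder name).

# Method 1 from section I.2: ACCEPT policies, then drop ICMP through a
# user-defined chain "custom" that INPUT jumps to.
build_filter_rules() {
    ext_if="${1:-eth0}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:custom - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i ${ext_if} -j custom
-A custom -s 0/0 -d 0/0 -p icmp -j DROP
COMMIT
EOF
}

# Return 0 when every "-j TARGET" is a built-in target or a chain declared
# by a ":name" line. iptables-restore rejects the file otherwise and leaves
# the old table in place, so catching it here avoids a confusing failure.
check_jump_targets() {
    ruleset="$1"
    declared=$(printf '%s\n' "$ruleset" | sed -n 's/^:\([^ ]*\) .*/\1/p' | tr '\n' ' ')
    builtins="ACCEPT DROP REJECT RETURN LOG"
    for t in $(printf '%s\n' "$ruleset" | sed -n 's/.*-j \([A-Za-z_]*\).*/\1/p'); do
        case " $builtins $declared " in
            *" $t "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage as root: build_filter_rules eth0 | iptables-restore
```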

II. basic rule matching (the -j target is omitted from the examples)

1. protocol matching.

1) match the specified protocol.

# iptables -A INPUT -p tcp

2) match all protocols except the specified one (the older inverted form "-p ! tcp" is deprecated).

# iptables -A INPUT ! -p tcp

2. address matching.

1) match the specified host.

# iptables -A INPUT -s 192.168.0.18

2) match the specified network.

# iptables -A INPUT -s 192.168.2.0/24

3) match every address except the specified host.

# iptables -A FORWARD ! -s 192.168.0.19

4) match every address outside the specified network.

# iptables -A FORWARD ! -s 192.168.3.0/24

3. network interface matching.

1) match a single network interface.

# iptables -A INPUT -i eth0

# iptables -A FORWARD -o eth0

2) match all interfaces of the same type (the trailing + is a wildcard).

# iptables -A FORWARD -o ppp+

4. port matching.

1) match a single port (a service name from /etc/services, such as www, may be used instead of a number).

# iptables -A INPUT -p tcp --sport www

# iptables -A INPUT -p udp --dport 53

2) match every port except the specified one.

# iptables -A INPUT -p tcp ! --dport 22

3) match a port range.

# iptables -A INPUT -p tcp --sport 22:80

4) match the ICMP type (ICMP has no ports; type 8 is echo request).

# iptables -A INPUT -p icmp --icmp-type 8

5) ip fragments.

Each network interface has an MTU (maximum transmission unit), which defines the largest packet that can pass through it. If a packet exceeds this value, the system splits it into smaller packets (ip fragments) for transmission, and the receiver reassembles the fragments to restore the whole packet. This causes a problem: when a large packet is split into ip fragments, only the first fragment carries the complete header information (IP plus TCP, UDP or ICMP); the later fragments carry only part of it (such as the source and destination addresses). The transport-layer headers (TCP, UDP, ICMP) therefore cannot be checked on those fragments. Suppose there is a rule like this:

# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT

In this case, when the FORWARD policy is DROP, the system only lets the first ip fragment pass; the remaining fragments cannot pass because their header information is incomplete. The --fragment/-f option matches the second and later ip fragments and solves this problem:

# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT

Note that many attacks, such as DoS attacks, use ip fragmentation, so letting fragments through is a security risk; the iptables matching extensions can be used to limit this. Also note that when connection tracking is loaded, the kernel reassembles fragments before the filter rules see them, so -f never matches on such systems.

III. extended rule matching (the -j target action is omitted from the examples)

1. multiport matching.

1) match multiple source ports.

# iptables -A INPUT -p tcp -m multiport --sports 22,53,80,110

2) match multiple destination ports.

# iptables -A INPUT -p tcp -m multiport --dports 22,53,80

3) match multiple ports (source port or destination port).

# iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110

2. TCP matching extension

The --tcp-flags option filters tcp packets by their flag bits: the first list names the flags to examine, the second the flags that must be set among them.

# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN

# iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK

In the first rule, SYN, FIN and ACK are examined and only SYN may be set. In the second rule ALL (SYN, ACK, FIN, RST, URG, PSH) are examined and only SYN and ACK may be set.

# iptables -A FORWARD -p tcp --syn

The --syn option is equivalent to "--tcp-flags SYN,RST,ACK SYN".

3. limit matching extension (rate limiting).

1) specify the number of packets allowed to pass per unit of time. The unit can be /second, /minute, /hour or /day, or just its first letter.

# iptables -A INPUT -m limit --limit 300/hour

2) specify the burst threshold that triggers the limit.

# iptables -A INPUT -m limit --limit-burst 10

This checks whether more than 10 packets arrive at once; packets exceeding the limit are discarded directly.

3) specify both the rate and the burst threshold.

# iptables -A INPUT -p icmp -m limit --limit 3/m --limit-burst 3

The maximum number of packets per minute is the rate (3 in this example) plus the current burst value. Under any circumstances three packets can pass, and the burst value is the number of additional packets allowed.

4) state matching extension (connection tracking)

Each network connection is described by the following information: the source address, destination address, source port and destination port (together called the socket pair); the protocol type; the connection status (for TCP); and the timeout. The firewall calls this information the state. A stateful packet-filtering firewall keeps a table of tracked connections in memory, which makes it more secure than a simple packet-filtering firewall. The command format is:

iptables -m state --state [!] state[,state...]

The state argument is a comma-separated list of connection states. There are four:

> NEW: the packet wants to start a new connection (reconnection or connection redirection)
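Section III's extended matches (state, --syn, multiport, limit) put together on top of method 2 from section I.2, as an added example that is not part of the original page. eth0 is an assumed placeholder for the external interface; OUTPUT is left at ACCEPT here so the host can still originate connections, and the service ports are an argument.

```shell
#!/bin/sh
# Added example (not from the original page): method 2 from section I.2
# (policy DROP) made workable with the extended matches of section III:
# state for return traffic, --syn for new TCP connections, multiport for
# the service ports and limit for ICMP echo requests.
# Assumptions: eth0 is the external interface (placeholder) and service
# ports are passed as a space-separated list.

# "22 80 443" -> "22,80,443" for -m multiport
ports_csv() {
    printf '%s' "$*" | tr ' ' ','
}

build_stateful_rules() {
    ext_if="$1"; shift
    dports=$(ports_csv "$@")
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${ext_if} -p tcp --syn -m state --state NEW -m multiport --dports ${dports} -j ACCEPT
-A INPUT -i ${ext_if} -p icmp --icmp-type 8 -m limit --limit 3/m --limit-burst 3 -j ACCEPT
COMMIT
EOF
}

# Rules are evaluated top down, so the order of the state rules matters:
# INVALID must be dropped before anything is accepted, and the
# ESTABLISHED,RELATED accept should come before the per-service NEW rules.
# Return 0 when the ruleset keeps that order.
check_state_order() {
    ruleset="$1"
    inv=$(printf '%s\n' "$ruleset" | grep -n -- '--state INVALID -j DROP' | cut -d: -f1 | head -n 1)
    est=$(printf '%s\n' "$ruleset" | grep -n -- '--state ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n 1)
    new=$(printf '%s\n' "$ruleset" | grep -n -- '--state NEW .*-j ACCEPT' | cut -d: -f1 | head -n 1)
    [ -n "$inv" ] && [ -n "$est" ] && [ -n "$new" ] || return 1
    [ "$inv" -lt "$est" ] && [ "$est" -lt "$new" ]
}

# Usage as root: build_stateful_rules eth0 22 80 443 | iptables-restore
```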
