Collected and organized common CentOS Linux iptables commands

Source: Internet
Author: User

iptables is the standard firewall tool on Linux. Its command syntax is complex but its functions are powerful: it is used to filter packets, forward them and rewrite their addresses.

1. Functions of the firewall:
A. Separate trusted from untrusted zones
B. Restrict which services are reachable from the Internet
C. Decide which packets are accepted and which are rejected
D. NAT: address translation and port redirection

2. Components:
2.1 Three tables:
filter: packet filtering, i.e. deciding whether a packet is accepted or dropped. This is the table used when none is named.
nat: used only for NAT; rewrites the source or destination address (and port) of packets. Only the first packet of a connection is examined here; connection tracking applies the result to the rest of the connection.
mangle: modifies packet headers or attaches a mark to packets (TOS, TTL, MARK), usually to influence routing or traffic shaping.
(Newer kernels also have the raw and security tables, which this list does not cover.)

2.2 Five chains:
PREROUTING: processed as soon as a packet arrives, before the routing decision
POSTROUTING: processed after the routing decision, just before the packet leaves
FORWARD: packets that are routed through the firewall (neither from nor to the local host)
INPUT: packets destined for the local host
OUTPUT: packets generated by the local host

2.3 Which chains each table contains:
filter -- INPUT, OUTPUT, FORWARD
nat -- PREROUTING, POSTROUTING, OUTPUT (kernels since 2.6.34 also have a nat INPUT chain)
mangle -- all five chains

3. Syntax:
iptables [-t table] command [match] [target]
-t table: the table to operate on. If omitted, the filter table is used.
command: what to do with the chain (append, delete, list, ...).
match: the conditions a packet must meet.
target: the action taken on a packet that matches.

4. Commands

Command   Description
-A, --append   Append a rule to the end of the selected chain.
-D, --delete   Delete a rule from a chain, either by repeating the full rule specification or by its rule number (see -L --line-numbers).
-I, --insert   Insert a rule at the given rule number; if no number is given it is inserted at position 1, the top of the chain.
-R, --replace   Replace the rule at the given rule number in the selected chain.
-L, --list   List the rules of the selected chain; if no chain is given, all chains of the table. Add -n to skip address and port name lookups, -v for counters and interfaces, and --line-numbers to see the numbers that -D, -I and -R take.
-F, --flush   Delete all rules in the selected chain; if no chain is given, all chains in the table.
-Z, --zero   Reset the packet and byte counters of the selected chain (of all chains in the table if none is given).
-N, --new-chain   Create a new user-defined chain.
-X, --delete-chain   Delete a user-defined chain (it must be empty and not referenced by any rule).
-P, --policy   Set the default policy of a built-in chain, applied when no rule matches; only ACCEPT and DROP are meaningful here.
-E, --rename-chain   Rename a user-defined chain.

5. Rules (matches)
Matches fall into five groups. The first is the generic matches, which can be used in any rule; the second is the TCP matches, which as the name says apply only to TCP packets; the third is the UDP matches, of course only for UDP packets; the fourth is the ICMP matches, for ICMP packets; the fifth is the special matches (connection state, owner, rate limiting, and so on), which are themselves divided into smaller groups even though they are not entirely different in kind.

General matches

Command   Description
-p, --protocol   Match the protocol. It can be a protocol name (case-insensitive) or its number; names must be defined in /etc/protocols. The default is all. Prefix with ! to invert.
-s, --src, --source   Match the source address. A single address: 192.168.1.1 (the same as 192.168.1.1/32); a network: 192.168.1.0/24 or 192.168.1.0/255.255.255.0. Prefix with ! to invert, and note the spaces: ! -s 192.168.1.0/24 (the older form -s ! 192.168.1.0/24 is deprecated and recent versions warn about it). By default every address matches.
-d, --dst, --destination   Match the destination address; the syntax is exactly as for -s.
-i, --in-interface   Match the interface the packet arrived on. Only valid in the INPUT, FORWARD and PREROUTING chains. Can be inverted: ! -i eth0. A trailing + is a wildcard, so eth+ matches every interface whose name starts with eth.
-o, --out-interface   Match the interface the packet will leave on; syntax as for -i, but only valid in the FORWARD, OUTPUT and POSTROUTING chains.
-f, --fragment   Match the second and later fragments of a fragmented packet. Those fragments carry no port numbers or ICMP type, so no port- or type-based rule can match them, which is what this match exists for; keep fragment attacks in mind. It can be inverted, but note the position: ! -f matches only unfragmented packets and first fragments, never the later fragments. Current kernels reassemble fragments before filtering (connection tracking requires this), so with connection tracking loaded you never see fragments in any chain and the inverted form is no longer needed to keep fragments out.

TCP matches
Used to match TCP packets; -p tcp must be given first.

Command   Description
--sport, --source-port   Match the source port of the TCP packet. Without this match every port matches. A port number or a service name from /etc/services may be used. A range is written with a colon: --sport 22:80 means ports 22 through 80. If the first number of a range is omitted it defaults to 0, so --sport :80 means 0 through 80; if the last is omitted it defaults to 65535, so --sport 22: means 22 through 65535. Prefix with ! to invert.
--dport, --destination-port   Match the destination port; the syntax is exactly as for --sport.
--tcp-flags   Match particular TCP flags. It takes two comma-separated lists, separated from each other by a space: the first names the flags to examine, the second names those among them that must be set; every other examined flag must be clear, and flags not in the first list are ignored. The recognised flags are SYN, ACK, FIN, RST, URG and PSH, plus the words ALL (all six) and NONE (no flags). The match can be inverted with !, for example ! --tcp-flags SYN,FIN,ACK SYN matches every packet except those that have SYN set with FIN and ACK both clear, i.e. everything but a plain connection request: a SYN,ACK, a FIN,ACK, a bare ACK and also an illegal SYN,FIN all match.
--syn   A leftover from the ipchains era; it is equivalent to --tcp-flags SYN,RST,ACK SYN, i.e. the packet that opens a connection. It can be inverted: ! --syn matches packets that do not initiate a connection, such as the packets of established connections.
--tcp-option   Match on the TCP option number. TCP options are the variable part of the TCP header; each option has three parts: the first octet is the option kind, the second the option length (the length of the whole option, not counting padding; note that single-byte options such as NOP have no length field), and the rest is the option data. See the TCP header format for details.
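The two-list form of --tcp-flags and its inversion are easy to misread, so here is a small evaluator of the kernel's actual test, added as an example and not taken from the page. It models (packet_flags & MASK) == COMP with the bit values from the TCP header, applies the optional leading ! exactly as iptables does, and walks the inverted rule discussed above over a handful of packet types; the flag names and the demo inputs are the only assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): evaluate the semantics of
# `--tcp-flags MASK COMP` so inverted forms can be reasoned about before a
# rule is deployed. Bit values follow the TCP header control-bit layout.
flag_bit() {
    case "$1" in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;
        NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Turn a comma-separated list such as SYN,FIN,ACK into an integer bitmask.
flags_to_mask() {
    mask=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        b=$(flag_bit "$f") || return 1
        mask=$((mask | b))
    done
    echo "$mask"
}

# tcp_flags_match [!] MASK COMP PACKET_FLAGS
# The kernel test: (packet_flags & MASK) == COMP. Only the flags named in MASK
# are looked at, and exactly those named in COMP must be set among them.
# A leading "!" inverts the result, like `! --tcp-flags MASK COMP`.
# Prints "match" or "nomatch".
tcp_flags_match() {
    invert=0
    if [ "$1" = "!" ]; then
        invert=1
        shift
    fi
    mask=$(flags_to_mask "$1") || return 1
    comp=$(flags_to_mask "$2") || return 1
    pkt=$(flags_to_mask "$3")  || return 1
    if [ $((pkt & mask)) -eq "$comp" ]; then hit=1; else hit=0; fi
    if [ "$invert" -eq 1 ]; then hit=$((1 - hit)); fi
    if [ "$hit" -eq 1 ]; then echo match; else echo nomatch; fi
}

# --syn is defined as --tcp-flags SYN,RST,ACK SYN.
tcp_syn_match() {
    tcp_flags_match SYN,RST,ACK SYN "$1"
}

# Walk --syn and the inverted rule from the text over constructed packet types.
demo() {
    for p in SYN SYN,ACK FIN,ACK ACK SYN,FIN RST; do
        printf '%-8s  --syn: %-8s  ! --tcp-flags SYN,FIN,ACK SYN: %s\n' \
            "$p" "$(tcp_syn_match "$p")" \
            "$(tcp_flags_match ! SYN,FIN,ACK SYN "$p")"
    done
}
```

Running demo shows that the inverted rule matches the SYN,FIN packet of a scanner as well as ordinary FIN,ACK and ACK segments, which is why a rule meant to catch "FIN and ACK set, SYN clear" should be written positively as --tcp-flags SYN,FIN,ACK FIN,ACK.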

UDP matches
Used to match UDP packets; -p udp must be given first.

Command   Description
--sport, --source-port   Match the UDP source port; the syntax is the same as for -p tcp --sport.
--dport, --destination-port   Match the UDP destination port; the syntax is the same as above.

ICMP matches
Used to match ICMP packets; -p icmp must be given first.

--icmp-type   Match the ICMP type, given as a decimal number or by name (the numbers are defined in RFC 792; iptables -p icmp --help lists the names). Can be inverted with !.

Advanced matches
Loaded with -m module; they are not covered here. In practice, though, the most important ones are -m conntrack / -m state (connection state: NEW, ESTABLISHED, RELATED, INVALID), -m limit (rate limiting), -m multiport and -m owner; a stateful firewall cannot be written without the first of these.

Targets
Decide what happens to a packet that matches. The syntax is --jump target or -j target.

-j ACCEPT   Let the matching packet through; no further rules of this chain are checked, but the chains of later tables still apply.
-j DROP   Silently discard the packet; the sender receives nothing.
-j REJECT   Discard the packet and send an error back to the sender. Only usable in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them.
   --reject-with: the ICMP error (or tcp-reset for TCP) to return; the iptables man page lists the available types. The default is icmp-port-unreachable.
-j DNAT   Destination address translation. Only usable in the PREROUTING and OUTPUT chains of the nat table.
   --to-destination: the destination written into the IP header. Three forms: 1. a single address; 2. an address range such as 192.168.1.1-192.168.1.10, in which case each new connection is assigned one address from the range while all packets of that connection keep the same address; 3. an address with a port or port range, e.g. 192.168.1.1:80 or 192.168.1.1:80-100. A port can only be given together with -p tcp or -p udp.
-j SNAT   Source address translation. Only usable in the POSTROUTING chain of the nat table. --to-source: the source address (optionally an address range and/or a port range) to write in.
-j MASQUERADE   Same effect as SNAT, except that no source address is given: the address of the outgoing interface is looked up for each connection. MASQUERADE is meant for interfaces with dynamically assigned addresses (dial-up, DHCP); when the interface goes down its connection-tracking entries are discarded. Like SNAT it is only usable in the POSTROUTING chain of the nat table.
   --to-ports: the source port range to use for outgoing packets; only valid with -p tcp or -p udp. Example: --to-ports 1025 or --to-ports 1024-1050.
-j LOG   Log information about the packet through the kernel log; a syslog daemon (syslogd, rsyslog) or journald must be running to collect it. LOG is non-terminating: the packet continues with the next rule, so a LOG rule is normally followed by a DROP or REJECT, and should be rate-limited with -m limit so an attacker cannot fill the disk.
   --log-level: the syslog level of the records; see /etc/syslog.conf (or /etc/rsyslog.conf) for the levels.
   --log-prefix: a prefix written in front of each record, useful for grepping. Example: --log-prefix "INPUT packets "
   --log-tcp-sequence: also log the TCP sequence numbers (an information leak if the logs are readable by unprivileged users).
   --log-tcp-options: also log the options from the TCP header.
   --log-ip-options: also log the options from the IP header.
-j MARK   Set a netfilter mark on the packet. The mark exists only inside the kernel of this host (it is not part of the packet on the wire) and is used by later rules or by policy routing; traditionally it is set in the mangle table.
   --set-mark: the mark value, an unsigned integer.
-j MIRROR   Swap the source and destination addresses in the IP header and send the packet back. Only usable in the INPUT, FORWARD and PREROUTING chains and user-defined chains called from them; packets sent by MIRROR do not pass through the filter, nat or mangle tables. (MIRROR was removed from the 2.6 kernel series and is not available on current systems; it was also trivially abused for reflection.)
-j QUEUE   Hand the packet to a queue in user space, where an application decides its fate; used together with programs outside iptables such as network accounting tools, advanced proxies or filtering applications. (QUEUE is the old ip_queue interface; current kernels use NFQUEUE.)
-j REDIRECT   Redirect the packet to the firewall machine itself, i.e. change its destination address to the address of the incoming interface, optionally with a new port. Only usable in the PREROUTING and OUTPUT chains of the nat table; this is the classic building block of a transparent proxy.
   --to-ports: the destination port to redirect to; without it the destination port is left unchanged. A single port: --to-ports 8080; a range: --to-ports 8080-8090.
-j RETURN   Stop traversing the current user-defined chain and continue with the rule after the one that called it in the parent chain; in a built-in chain the chain policy is applied instead.
-j TOS   Set the Type of Service field in the IP header. Only usable in the mangle table.
   --set-tos: the TOS value.
-j TTL   Modify the Time To Live field in the IP header. Only usable in the mangle table.
   --ttl-set: set the TTL to the given value.
   --ttl-dec: decrement the TTL by the given amount.
   --ttl-inc: increment the TTL by the given amount.
-j ULOG   Log matching packets to user space: the record, together with the packet itself, is multicast over a netlink socket and received by one or more user-space processes; the ulogd daemon is available from the ULOGD project page. (ULOG was superseded by NFLOG and removed in kernel 3.17.)
   --ulog-nlgroup: the netlink group the packet is sent to.
   --ulog-prefix: a prefix for the record.
   --ulog-cprange: how many bytes of each packet are copied to the user-space daemon.
   --ulog-qthreshold: how many packets are queued in the kernel before they are sent to user space in one batch.

That is a lot of rules...

Let's look at a few examples:
1) iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound access to TCP port 80. The rule is appended, so if the chain ends in a catch-all DROP rule it must be inserted (-I) before that rule instead.

2) iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 184.22.201.112
After routing (once the outgoing interface is known), rewrite the source address of packets from 192.168.0.0/24 to 184.22.201.112 before they leave the machine; used here for a PPTP VPN. SNAT is the choice when the public address is static. Adding -o with the external interface keeps the rule from rewriting traffic that leaves on the LAN side.

3) iptables --table nat --append POSTROUTING --jump MASQUERADE
Also rewrites the source address after routing and before the packet leaves. The difference from SNAT is that MASQUERADE looks up the address of the outgoing interface itself, so --to-source is not needed; used here for an L2TP VPN. Note that without -s or -o this rule masquerades every packet leaving the machine on every interface. I am curious why I could not use MASQUERADE for the PPTP VPN. Maybe because PPTP's transport layer uses TCP while L2TP uses UDP? Not clear.

4) iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
Drop ICMP echo requests (type 8) from any source, so the host can no longer be pinged. Other ICMP types, including echo replies and errors such as fragmentation-needed, still pass, which is what you want; blocking all of ICMP breaks path MTU discovery.
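The four examples above are single commands; a real CentOS host firewall combines the tables, chains, matches and targets described on this page into one rule set. The following script is an added example, not code from the page: it emits a complete stateful rule set in the format iptables-restore reads (the same format iptables-save prints and /etc/sysconfig/iptables stores on CentOS), and then reads facts back out of that text so the result can be audited before it is committed. Every interface, network and host is an assumption: eth0 facing the Internet, the LAN 192.168.0.0/24 on eth1, the public address 184.22.201.112 from the page's SNAT example, an admin workstation 192.168.0.10 and a LAN web server 192.168.0.20.

```shell
#!/bin/sh
# Added example (not from the original page): generate a stateful rule set in
# iptables-restore(8) format and audit it as text. All addresses and interface
# names are assumptions and can be overridden from the environment.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
PUBLIC_IP=${PUBLIC_IP:-184.22.201.112}
ADMIN_HOST=${ADMIN_HOST:-192.168.0.10}
WEB_SERVER=${WEB_SERVER:-192.168.0.20}

build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BAD_TCP - [0:0]
:LOG_DROP - [0:0]
# LOG does not terminate, so a user chain pairs a rate-limited LOG with a DROP
-A LOG_DROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A LOG_DROP -j DROP
# impossible flag combinations (null scan, SYN+FIN, SYN+RST) and
# "new" connections that do not start with a plain SYN
-A BAD_TCP -p tcp --tcp-flags ALL NONE -j LOG_DROP
-A BAD_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG_DROP
-A BAD_TCP -p tcp --tcp-flags SYN,RST SYN,RST -j LOG_DROP
-A BAD_TCP -p tcp ! --syn -m conntrack --ctstate NEW -j LOG_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -j BAD_TCP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# answer ident probes with a reset instead of a silent drop (faster SMTP/IRC)
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG_DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -j BAD_TCP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# DNAT in the nat table only rewrites the address; FORWARD must still allow it
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG_DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward: public port 8080 -> LAN web server port 80
-A PREROUTING -i $WAN_IF -p tcp --dport 8080 -j DNAT --to-destination $WEB_SERVER:80
# static public address, so SNAT; on a dynamic address use -j MASQUERADE instead
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Read the policy of a chain out of iptables-save/iptables-restore text on
# stdin: "DROP", "ACCEPT", or "-" for a user-defined chain.
chain_policy() {
    awk -v table="*$1" -v chain=":$2" '
        $1 == table    { in_table = 1; next }
        $1 == "COMMIT" { in_table = 0 }
        in_table && $1 == chain { print $2; exit }
    '
}

# Count the rules in one table that jump to the given target.
count_target() {
    awk -v table="*$1" -v target="$2" '
        $1 == table    { in_table = 1; next }
        $1 == "COMMIT" { in_table = 0 }
        in_table && /^-A/ {
            for (i = 1; i <= NF; i++) if ($i == "-j" && $(i + 1) == target) n++
        }
        END { print n + 0 }
    '
}
```

Usage: build_ruleset > /tmp/fw.rules, then iptables-restore --test < /tmp/fw.rules on a recent iptables to parse it without loading, and iptables-restore < /tmp/fw.rules (as root) to commit it atomically; on CentOS 6 writing the same text to /etc/sysconfig/iptables makes the iptables service load it at boot, and on CentOS 7 that requires the iptables-services package in place of firewalld. Loading the whole set with iptables-restore rather than one iptables command at a time also means the INPUT policy is never DROP while the SSH rule is still missing.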
