Command analysis and understanding of iptables in Linux

Source: Internet
Author: User

iptables has three default tables:
• filter: packet filtering (the firewall proper), with the INPUT, OUTPUT and FORWARD chains
• nat: network address translation, with the PREROUTING, POSTROUTING and OUTPUT chains
• mangle: packet modification and traffic shaping, with all five chains
 
The five chains in iptables (where rules are written):
• INPUT: packets whose destination is the Linux host itself.
• OUTPUT: packets generated by the Linux host.
• FORWARD: packets that enter on one interface and leave on another (for route forwarding to work, enable net.ipv4.ip_forward = 1 in /etc/sysctl.conf).
• PREROUTING: before the routing decision.
• POSTROUTING: after the routing decision.
 
 
 
Commands
 
Clear all firewall rules
 
iptables -F
 
Change the default INPUT policy to DROP
 
iptables -P INPUT DROP
 
Add a rule that allows SSH through the INPUT chain
 
Many people use iptables -A, which appends the rule at the bottom of the chain. Rules are evaluated from the top, so I usually use -I: the inserted rule takes effect first, and I can also give it a specific position.
 
iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
 
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT   (inserts this rule at position 2 of the chain)
 
Allow access to port 22 of the local machine only from 192.168.0.0/24, arriving on the eth0 NIC
 
iptables -I INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
 
List firewall rules
 
iptables -L
 
Delete the second rule in INPUT (counting from the top)
 
iptables -D INPUT 2
 
Save the firewall rules (rules that are not saved are lost when the service is restarted)
 
service iptables save
 
Back up and restore firewall rules
 
iptables-save > /etc/sysconfig/iptables.20130301
 
iptables-restore < /etc/sysconfig/iptables.20130301
 
Routing and NAT
 
Block packets from an IP address from being forwarded through the local machine
 
iptables -I FORWARD -s 202.106.0.20 -j DROP
 
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1
 
Translate the source address of the 192.168.0.0/24 range to 1.1.1.1 for NAT access.
 
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1-1.1.1.20
 
Translate the source address of the 192.168.0.0/24 range to an address in the 1.1.1.1-1.1.1.20 range for NAT access.
 
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1
 
Change the destination address of packets arriving on the eth0 NIC for port 80 to 192.168.0.1.
 
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
 
Masquerade packets whose source address is in 192.168.0.0/24 (rewrite the source to the address of the outgoing interface)
 
STATE
 
-m state: match on connection-tracking state, which is divided into
 
NEW: the packet opens a new connection (for TCP, the SYN)
 
ESTABLISHED: the packet belongs to an existing connection
 
RELATED: a derived connection, linked through conntrack (the connection tracking module), e.g. the FTP data channel
 
INVALID: the packet cannot be matched to any known connection or state
 
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
Accept the packets the remote host sends back in reply once a connection has been permitted
 
MAC
 
-m mac --mac-source MAC
 
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
 
Block packets from a given MAC address from being routed through the local host
 
iptables -P FORWARD DROP
 
iptables -I FORWARD -s 192.168.0.2 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
 
Bind the IP address to the MAC address: only this IP address, from this MAC, can be routed through the local host.
 
LIMIT: rate limit
 
-m limit --limit
 
iptables -I FORWARD -d 192.168.0.2 -j DROP
 
iptables -I FORWARD -d 192.168.0.2 -m limit --limit 50/s -j ACCEPT
 
(Insert the DROP rule first; the second -I lands above it, so the rate-limited ACCEPT is evaluated before the DROP.) This limits traffic to 50 packets per second; the limit match counts packets, not bytes. To limit actual upload and download speeds you must use tc (traffic control) on the network segments concerned.
 
Firewall configuration on a simple web server
 
iptables -I INPUT -i eth0 -j ACCEPT   (eth0 is the network interface)
 
iptables -I INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
 
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
iptables -P INPUT DROP
 
Gateway
 
Instance: ADSL dial-up network topology
 
echo "1" > /proc/sys/net/ipv4/ip_forward
 
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
 
Port forwarding on the external server maps: service protocol (TCP/UDP) and external service port → private IP address of the internal server and internal real service port.
 
Instance:
 
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
 
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.1.2:80
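The web-server policy and the ADSL gateway described above, combined into one script as an added example (not from the original page); the interface name, LAN range and admin range are assumptions, and setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original page: the web-server host policy and the
# ADSL gateway NAT described above, written as re-runnable functions.
# Assumptions: WAN interface ppp0, LAN 192.168.1.0/24, SSH admins on 192.168.0.0/24.
# IPT defaults to the real binary; set IPT=echo to print the commands instead.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"

# Host firewall for a web server. The chain is flushed, then rules are appended
# with -A in evaluation order, so the result does not depend on -I positions.
webserver_input_rules() {
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
    # Policy goes last: setting DROP before the ACCEPT rules exist would cut off
    # the SSH session that is running this script.
    "$IPT" -P INPUT DROP
}

# One row of the port-forwarding table: protocol, external port, internal IP,
# internal port. DNAT rewrites the destination in PREROUTING, and FORWARD then
# sees the rewritten address, so the FORWARD rule must match the internal
# IP and port rather than the external ones.
port_forward() {
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    "$IPT" -A FORWARD -i "$WAN_IF" -p "$1" -d "$3" --dport "$4" -j ACCEPT
}

# Gateway: LAN hosts leave through MASQUERADE (source becomes whatever address
# the WAN interface currently has); only mapped services and replies may enter.
# net.ipv4.ip_forward must be 1, as shown above, or nothing is forwarded at all.
gateway_nat_rules() {
    "$IPT" -t nat -F
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    port_forward tcp 80 192.168.1.1 80
    port_forward tcp 81 192.168.1.2 80
}
```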
