The instance disabling ssh port only allows remote ssh login on 192.168.62.1, and prohibit ssh # iptables-AINPUT-s192.168.62.1-ptcp from other computers? # Iptables-AINPUT-ptcp? Dport22-jDROP disable proxy port # iptables-AIN
Instance with prohibited ports
Disable ssh Port
Ssh remote logon is only allowed on 192.168.62.1, and ssh is prohibited from other computers.
#Iptables-AINPUT-s 192.168.62.1-p tcp? Dport 22-j ACCEPT
# Iptables-a input-p tcp? Dport 22-j DROP
Disable proxy port
# Iptables-a input-p tcp? Dport 3128-j REJECT
Disable icmp Port
Except 192.168.62.1, do not allow others to ping my host # iptables-a input-I eth0-s192.168.62.1/32-p icmp-m icmp? Icmp-type echo-request-jACCEPT
# Iptables-a input-I eth0-p icmp? Icmp-type echo-request? J? DROP or
# Iptables-a input-I eth0-s 192.168.62.1/32-p icmp-m icmp? Icmp-type 8-j ACCEPT
# Iptables-a input-I eth0-p icmp-m icmp? Icmp-type 8-j DROP note: Can I use iptables? Protocol icmp? Can I view the ICMP type for help?
Prohibit QQ Port
# Iptables-d forward-p udp? Dport 8000-j REJECT
Force access to the specified site
To enable a computer in the 192.168.52.0/24 network (the gateway of this computer should be set to 192.168.52.10) to forcibly access the specified site, add the following rules on the computer used as the firewall (192.168.52.10): 1. enable the IP packet forwarding function echo 1>/proc/sys/net/ipv4/ip_forward 2. add a destination address translation rule in the NAT table on the NAT/firewall computer: iptables-t nat-I prerouting-I eth0-p tcp? Dport 80-j DNAT? To-destination 202.96.134.130: 80 iptables-t nat-I prerouting-I eth0-p udp? Dport 80-j DNAT? To-destination 202.96.134.130: 80 3. add a source address translation rule in the NAT/firewall computer: iptables-t NAT-I POSTROUTING-o eth1-p tcp? Dport 80-s192.168.52.0/24-j SNAT? To-source 202.96.134.10: 20000-30000 4. test: open a browser on any computer on the intranet and enter an IP address other than the local network to direct it to a website with the IP address 202.96.134.130.
Publish an internal network server
To allow computers on the internet to access the FTP server and WEB server on the intranet, add the following rules on the computer used as the firewall: 1. echo 1>/proc/sys/net/ipv4/ip_forward 2. publish an intranet web server
Iptables-t nat-I prerouting-p tcp-I eth1-s 202.96.134.0/24? Dport 80-j DNAT? To-destination 192.168.52.15: 80
Iptables-t nat-I postrouting-p tcp-I eth0-s 192.168.52.15? Sport 80-j SNAT? To-source 202.96.134.10: 20000-30000 3. publish an intranet ftp server
Iptables-t nat-I prerouting-p tcp-I eth1-s 202.96.134.0/24? Dport 21-j DNAT? To-destination 192.168.52.14: 21
Iptables-t nat-I postrouting-p tcp-I eth0-s 192.168.52.14? Sport 21-j SNAT? To-source 202.96.134.10: 40000-50000 4. note: set the computer gateway on the intranet to the ip address of the firewall (192.168.52.1) 5. test: use a computer with a virtual Internet IP address of 202.96.134.0 to access http: // 202.96.134.10 in its browser. the actual web service of 192.168.52.15 is displayed; when you access ftp: // 202.96.134.10, you should see the ftp service on 192.168.52.14.
Intelligent DNS
1. echo 1>/proc/sys/net/ipv4/ip_forward 2. add the following rules to the NAT server: add a destination address translation rule to the PREROUTING chain:
Iptables-t nat-I prerouting-I eth0-p tcp? Dpor 53-j DNAT? To-destination 202.96.134.130 iptables-t nat-I PREROUTING-ieth0-p udp? Dpor 53-j DNAT? To-destination 202.96.134.130 add source address conversion rules in the POSTROUTING chain:
Iptables-t nat-I POSTROUTING-o eth1-s 192.168.52.0/24-p tcp? Dpor 53-j SNAT? To-source 202.96.134.10: 40000-50000 iptables-tnat-I POSTROUTING-o eth1-s 192.168.52.0/24-p udp? Dpor 53-jSNAT? To-source 202.96.134.10: 40000-50000 3. if you set the DNS to any Internet IP address on any computer on the intranet, you can use the DNS test tool such as nslookup to resolve the name on the DNS server 202.96.134.130.
Port ing
See the transparent proxy settings in the previous section # iptables-t nat-a prerouting-I eth0-p tcp-s192.168.62.0/24? Dport 80-j REDIRECT? To-ports 3128.
Access through NAT
Typical NAT
Generally, the computer used as NAT is also the gateway of the LAN. assume that the machine has two NICs eth0, eth1, and eth0 connected to the internet. the IP address is 202.96.134.134. eth1 connects to the LAN and the IP address is 192.168.62.101. enable the ip forwarding function in the kernel # echo 1>/proc/sys/net/ipv4/ip_forward2 .? Enable LAN users to access the nat required by the internet # iptables-t nat-a postrouting-p tcp-o eth0-j SNAT? To? 202.96.134.134 if the IP address on the Internet is A dynamic IP address, use the following rules: # iptables-t nat-a postrouting-o eth0-s 192.168.62.0/24-j MASQUERADE, if the public IP address is A dynamic IP address, use the following rules: # iptables-t nat-a postrouting-oppp0-s 192.168.62.0/24-j MASQUERADE 3. enable internet users to access the nat required by the web host in the Lan # iptables-t nat-a prerouting-ptcp-d 202.96.134.134? Dport 80-j DNAT? To-destination192.168.62.10 note: clients in the Lan need to set the default gateway, DNS as the firewall IP address
NAT shared internet access in our network room
Working environment: the upper-layer proxy 192.168.60.6 (4480), only authorize the host machine (192.168.62.111) to use the proxy permission. Objective: Use the NAT method instead of the squid proxy to access the Internet: 1) make sure to stop the squid of the host machine (192.168.62.111) or other proxy services. 2. the client gateway and DNS all point to 192.168.62.111, and the browser proxy is set to 192.168.60.6 (4480 ). Test whether you can access the Internet in the current situation. 3) add the following iptables rule to the host machine (192.168.62.111): # iptables-t nat-APOSTROUTING-p tcp-d 192.168.60.6/32? Dport 4480-j SNAT? To-source 192.168.62.111: 0000-30000 explanation: for TCP packets whose destination is 192.168.60.6 and the destination port is 4480, after a firewall route, convert the source address to 192.168.62.111, the port is converted to a port between and. 4) Check whether the client can access the Internet.
IPSave and restore rules
Iptables-save saves the rule to the file, and then the directory rc. d script (/etc/rc. d/init. d/iptables) automatically load and use the command iptables-save to save the rules. Generally, iptables-save>/etc/sysconfig/iptables is used to generate the file/etc/sysconfig/iptables for saving the rules, you can also use service iptables to save the rules automatically in/etc/sysconfig/iptables. When the computer starts, the script under rc. d will use the command iptables-restore to call this file, so that the rules are automatically restored.
Iptables Command syntax
Iptables [-t table] command [match] [-j target/jump]
[-T table] Rule Table
The-t parameter is used. There are three built-in rule tables: nat, mangle, and filter. If no rule table is specified, the table is regarded as a filter. Rule tables have the following functions: nat: This rule table has two rule chains: PREROUTING and POSTROUTING, the main function is to perform one-to-one, one-to-many, multi-to-many, and other URL conversion (SNAT, DNAT). This rule table is not used for other purposes except for URL conversion. Mangle: This rule table has three rule chains: PREROUTING, FORWARD, and POSTROUTING. In addition to modifying the packets for URL conversion, some special applications may have to rewrite the packets (TTL, TOS) or set the MARK (MARK the packets, in this case, you must define the work in the mangle rule table. because the usage is not high, we do not intend to discuss the mangle usage here. Filter: This rule table is the default rule table and has three rule chains: INPUT, FORWARD, and OUTPUT. this rule table, as its name suggests, is used to filter packets (for example: DROP, LOG, ACCEPT, or REJECT), we will create the basic rules in this rule table.Command List of common commands:
Command-,? Append
Example iptables-a input...
It indicates that a new rule is added to a rule chain and will become the last rule in the rule chain. Command-D ,? Delete
Example iptables-d input? Dport 80-j DROP
Iptables-d input 1
This indicates to delete a rule from a rule chain. you can enter a complete rule or directly specify a rule number to delete it. Command-R ,? Replace
Example iptables-r input 1-s 192.168.0.1-j DROP
It indicates that the current rule is replaced, and the Order of the rule is not changed after it is replaced. Command-I ,? Insert
Example iptables-I INPUT 1? Dport 80-j ACCEPT
It indicates that a rule is inserted. The rule at the specified position will move a forward position. Command-L ,? List
Example 1 iptables-L INPUT
Lists all rules in a rule chain.
Example 2 iptables-t nat-L
Lists all rules in all links of the nat table. Command-F ,? Flush
Example iptables-F INPUT
Delete all rules of the INPUT chain in the filter table. Command-Z ,? Zero
Example iptables-Z INPUT
This indicates that the packet counter is set to zero. The packet counter is used to calculate the number of occurrences of the same packet and is an indispensable tool for filtering block attacks. Command-N ,? New-chain
Example iptables-N allowed
Define a new rule chain. Command-X ,? Delete-chain
Example iptables-X allowed
Deletes a rule chain. Command-P ,? Policy
Example iptables-P INPUT DROP
Define a filter policy. That is, the default processing method for packets that do not meet the filtering conditions. Command-E ,? Rename-chain
Example iptables-E allowed disallowed
Modifies the name of a custom rule chain.
[Match] Common packet matching parameters
Parameter-p ,? Protocol
Example iptables-a input-p tcp
Indicates whether the communication protocol type matches. it can be used! Operator for reverse matching, for example:
-P! Tcp
It means other types except tcp, such as udp, icmp... .
If you want to match all types, you can use the all keyword, for example:
-P all parameter-s ,? Src ,? Source
Example iptables-a input-s 192.168.1.1
The description is used to match the source IP address of the packet. it can match a single machine or network. when matching the network, use a number to represent the subnet mask. for example:
-S 192.168.0.0/24
It can be used to match IP addresses! Operator for reverse matching, for example:
-S! 192.168.0.0/24. Parameter-d ,? Dst ,? Destination
Example iptables-a input-d 192.168.1.1
The IP address used to match the destination IP address of the packet. the setting method is the same as above. Parameter-I ,? In-interface
Example iptables-a input-I eth0
The wildcard character + can be used to match the NIC from which the packet enters. for example:
-I eth +
Indicates all ethernet NICs
You can also use it! Operator for reverse matching, for example:
-I! Eth0 parameter-o ,? Out-interface
Example iptables-a forward-o eth0
Specifies the network card from which the packet is sent. Parameter? Sport ,? Source-port
Example iptables-a input-p tcp? Sport 22
It indicates that the source port used to match the packet can match a single port or a range, for example:
? Sport 22: 80
It indicates that ports 22 to 80 are both qualified. if you want to match multiple discontinuous ports, you must use? For more information about multiport parameters, see the following section. You can use it when matching the port number! Operator for reverse matching. Parameter? Dport ,? Destination-port
Example iptables-a input-p tcp? Dport 22
Specifies the port number used to match the destination port number of the package. the setting method is the same as the preceding parameter? Tcp-flags
Example iptables-p tcp? Tcp-flags SYN, FIN, ACK SYN
Describes the status flag matching TCP packets. the parameters are divided into two parts: the first part lists the flag to be matched, and the second part lists which of the above flags are set, the unenumerated flag must be empty. TCP status signs include: SYN (synchronous), ACK (response), FIN (ended), RST (reset), URG (urgent), PSH (forced push) can be used in parameters. In addition, the keyword ALL and NONE can be used for matching. You can use it when matching a flag! Returns the reverse match of the operator line. Parameter? Syn
Example iptables-p tcp? Syn
It indicates that the SYN bit is opened in the TCP communication protocol, and the ACK and FIN bit are closed in the group, that is, the initial TCP connection, and iptables-p tcp? Tcp-flags SYN, FIN, and ack syn act exactly the same! Can be used to match packets that do not require connection. Parameter-mmultiport? Source-port
Example iptables-a input-p tcp-m multiport? Source-port22, 110
This parameter is used to match multiple source ports that are not consecutive. a maximum of 15 ports can be matched at a time! Operator for reverse matching. Parameter-m multiport? Destination-port
Example iptables-a input-p tcp-m multiport? Destination-port22, 110
The description is used to match non-consecutive port numbers. the method is as follows:-m multiport? Port
Example iptables-a input-p tcp-m multiport? Port 22, 53, 80,110
This parameter is special and used to match packets with the same source port and destination port number. the setting method is the same as above. Note: In this example, if the source port number is 80 and the destination port number is 110, this packet does not meet the conditions. Parameter? Icmp-type
Example iptables-a input-p icmp? Icmp-type 8
The description is used to match the ICMP type number. you can use the code or number to match the type number. Please call iptables-p icmp? Help to see which code is available. Parameter-m limit? Limit
Example iptables-a input-m limit? Limit 3/hour
It is used to match the average traffic of packets within a certain period of time. the above example is used to match whether the average traffic per hour exceeds three packets at a time. In addition to the average times per hour, it can also be an average time per second, minute, or every day. the default value is an average time per hour. the parameters include:/second,/minute, and/day. In addition to matching the number of packets, Setting this parameter will also suspend the matching action when the condition is met to avoid service interruption due to the use of the flood attack method by hackers. Parameter? Limit-burst
Example iptables-a input-m limit? Limit-burst 5
The description is used to match the quantity of a large number of packets in an instant. the example above is used to match whether more than five packets flood at a time (this is the default value). packets exceeding this limit will be discarded directly. The usage effect is the same as that. Parameter-m mac? Mac-source
Example iptables-a input-m mac? Mac-source 00: 00: 00: 00: 00: 01
This parameter is used to match the hardware address of the packet source network interface. this parameter cannot be used on the OUTPUT and POSTROUTING rule chains. this is because the packets are sent to the network adapter, only when the NIC driver detects the MAC address of the destination through the ARP communication protocol, iptables does not know the network interface to which the packet will be sent during packet matching. Parameter? Mark
Example iptables-t mangle-a input-m mark? Mark 1
Indicates whether a packet is matched to indicate a number. when the packet is matched successfully, we can MARK a number and number through MARK processing.