After learning iptables for the first time, you must learn several major points: iptables installation, iptables configuration, and iptables commands. When it comes to commands, new users will have a big head. This article provides some useful iptables commands for your reference!
Below is my summaryIptablesCommonCommand:
Command-A, -- append
Example iptables-a input...
It indicates that a new rule is added to a rule refining, and the rule will become the last rule in the rule refining.
Command-D, -- delete
Example iptables-d input -- dport 80-j DROP
Iptables-d input 1
This indicates that a rule can be deleted from a rule refining process. you can enter a complete rule or directly specify a rule number to delete it.
Command-R, -- replace
Example iptables-r input 1-s 192.168.0.1-j DROP
It indicates that the current rule is replaced, and the Order of the rule is not changed after it is replaced.
Command-I, -- insert
Example iptables-I INPUT 1 -- dport 80-j ACCEPT
It indicates that a rule is inserted. The rule at the specified position will move a forward position.
Command-L, -- list
Example iptables-L INPUT
Lists all rules in a rule.
Command-F, -- flush
Example iptables-F INPUT
Delete all rules in a rule refining.
Command-Z, -- zero
Example iptables-Z INPUT
This indicates that the packet counter is set to zero. The packet counter is used to calculate the number of occurrences of the same packet and is an indispensable tool for filtering block attacks.
Command-N, -- new-chain
Example iptables-N allowed
Define new rules.
Command-X, -- delete-chain
Example iptables-X allowed
Delete a rule.
Command-P, -- policy
Example iptables-P INPUT DROP
Define a filter policy. That is, the default processing method for packets that do not meet the filtering conditions.
Command-E, -- rename-chain
Example iptables-E allowed disallowed
Modifies the name of a custom rule.
Common packet comparison parameters:
Parameter-p, -- protocol
Example iptables-a input-p tcp
It indicates whether the communication protocol type is consistent and can be used! The operator performs reverse comparison, for example,-p! Tcp, which means other types except tcp, including udp, icmp, etc. If you want to compare all types, you can use the all keyword, for example,-p all.
Parameter-s, -- src, -- source
Example iptables-a input-s 192.168.1.1
The description is used to compare the source IP address of the packet. it can be compared to a single machine or network. when comparing the network, use a number to block it. for example,-s 192.168.0.0/24 can also be used to compare the IP address! The operator performs reverse comparison, for example,-s! 192.168.0.0/24.
Parameter-d, -- dst, -- destination
Example iptables-a input-d 192.168.1.1
Description used to compare the destination IP address of the packet. the setting method is the same as above.
Parameter-I, -- in-interface
Example iptables-a input-I eth0
The description is used to compare the network card from which the package Enters. you can use wildcard character + to perform large-scale comparison. for example,-I eth + indicates all ethernet network cards. you can also use it! The operator performs reverse comparison, for example,-I! Eth0.
Parameter-o, -- out-interface
Example iptables-a forward-o eth0
Specifies the network card from which the packet is sent.
Parameter -- sport, -- source-port
Example iptables-a input-p tcp -- sport 22
The source port number used to compare the packets. it can be compared to a single port or a range, for example, -- sport 22: 80, which indicates that the port number ranges from 22 to 80.
Ports are both qualified. to compare multiple ports that are not consecutive, you must use the -- multiport parameter. for details, see the following section. You can use it when comparing the port number!
The operator performs reverse comparison.
Parameter -- dport, -- destination-port
Example iptables-a input-p tcp -- dport 22
Description used to compare the destination port number of the package. the setting method is the same as above.
Parameter -- tcp-flags
Example iptables-p tcp -- tcp-flags SYN, FIN, ACK SYN
TCP
The status flag of the package. the parameters are divided into two parts: the first part lists the banners for comparison, and the second part lists which of the aforementioned banners are set and the unlisted banners must be empty. TCP
Status banners include SYN (synchronous), ACK (response), FIN (ended), RST (reset), URG (urgent), and PSH (forced push)
Can be used in parameters. In addition, you can use the keywords ALL and NONE for comparison. You can use it when comparing the banners! The operator performs reverse comparison.
Parameter -- syn
Example iptables-p tcp -- syn
The description is used to compare whether a TCP packet is online. it works exactly the same as iptables-p tcp -- tcp-flags SYN, FIN, and ack syn. if Yes! The operator can be used to compare non-required online packets.
Parameter-m multiport -- source-port
Example iptables-a input-p tcp-m multiport -- source-port 80,110
The description is used to compare multiple source ports that are not consecutive. up to 15 ports can be compared at a time. you can use this description! The operator performs reverse comparison.
Parameter-m multiport -- destination-port
Example iptables-a input-p tcp-m multiport -- destination-port 80,110
The description is used to compare non-consecutive destination port numbers. the setting method is the same as above.
Parameter-m multiport -- port
Example iptables-a input-p tcp-m multiport -- port 80,110
This parameter is special and used to compare packets with the same source port number and destination port number. the setting method is the same as above. Note: In this example, if the source port number is 80 but the destination port number is 110, this packet does not meet the condition.
Parameter -- icmp-type
Example iptables-a input-p icmp -- icmp-type 8
The description is used to compare the type numbers of ICMP. you can use code or number numbers for comparison. Please call iptables-p icmp -- help to check which code can be used.
Parameter-m limit -- limit
Example iptables-a input-m limit -- limit 3/hour
The description is used to compare the average traffic of packets within a certain period of time. the example above is used to compare whether the average traffic per hour exceeds three packets at a time.
In addition to the average time per hour, it can also be an average time per second, every minute or every day. the default value is an average time per hour. parameters such as:/second,/minute,/day.
In addition to comparing the number of packets, Setting this parameter will also suspend the packet comparison when conditions are met to avoid service interruption due to the use of the flood attack method by hackers.
Parameter -- limit-burst
Example iptables-a input-m limit -- limit-burst 5
The description is used to compare the quantity of a large number of packets in an instant. the example above is used to compare whether the number of packets that flood in at a time exceeds 5 (this is the default value). packets that exceed this limit will be discarded directly. The usage effect is the same as that.
Parameter-m mac -- mac-source
Example iptables-a input-m mac -- mac-source 00: 00: 00: 00: 01
This parameter is used to compare the hardware address of the packet source network interface. this parameter cannot be used in OUTPUT or Postrouting.
Rule refining, this is because the packet must be sent to the NIC before the NIC driver can identify the destination MAC address through the ARP communication protocol, so iptables
During packet comparison, you do not know the network interface to which the packet will be sent.
The description in this article will be of great help to new users! Hope you like it!