Common iptables commands

Source: Internet
Author: User
List of common iptables commands. Each entry gives the command, an example, and what it does.

Command: -A, --append
Example: iptables -A INPUT ...
Description: appends a new rule to a chain; the rule becomes the last rule in that chain.

Command: -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j DROP
         iptables -D INPUT 1
Description: deletes a rule from a chain. You can enter the complete rule, or give the rule number directly.

Command: -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description: replaces the rule at the given position; the order of the other rules is unchanged.

Command: -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Description: inserts a rule at the given position; the rule previously at that position (and those after it) move down by one.

Command: -L, --list
Example: iptables -L INPUT
Description: lists all rules in a chain.

Command: -F, --flush
Example: iptables -F INPUT
Description: deletes all rules in a chain.

Command: -Z, --zero
Example: iptables -Z INPUT
Description: resets the packet counters to zero. The packet counter counts how many packets matched a rule and is an indispensable tool when filtering flood attacks.

Command: -N, --new-chain
Example: iptables -N allowed
Description: defines a new user-defined chain.

Command: -X, --delete-chain
Example: iptables -X allowed
Description: deletes a user-defined chain.

Command: -P, --policy
Example: iptables -P INPUT DROP
Description: sets the policy of a chain, that is, the default treatment of packets that match none of the rules in the chain.

Command: -E, --rename-chain
Example: iptables -E allowed disallowed
Description: renames a user-defined chain.
Common packet matching parameters:

Parameter: -p, --protocol
Example: iptables -A INPUT -p tcp
Description: matches the protocol type of the packet. The ! operator negates the match: -p ! tcp matches every protocol except TCP (UDP, ICMP and so on). To match all protocols use the keyword all, for example -p all.

Parameter: -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Description: matches the source IP address of the packet. This can be a single host or a whole network; a network is written with a prefix length, for example -s 192.168.0.0/24. The ! operator negates the match, for example -s ! 192.168.0.0/24.

Parameter: -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Description: matches the destination IP address of the packet; set it the same way as -s.

Parameter: -i, --in-interface
Example: iptables -A INPUT -i eth0
Description: matches the network interface the packet arrived on. The wildcard + matches a group of interfaces, for example -i eth+ matches all Ethernet interfaces. The ! operator negates the match, for example -i ! eth0.

Parameter: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Description: matches the network interface the packet will leave through; set it the same way as -i.

Parameter: --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Description: matches the source port of the packet, either a single port or a range: --sport 22:80 matches every port from 22 through 80. To match several non-consecutive ports you must use the multiport module (see below). The ! operator negates the match.

Parameter: --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Description: matches the destination port of the packet; set it the same way as --sport.

Parameter: --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Description: matches the TCP flags of the packet. The argument has two parts: the first lists the flags to examine, the second lists which of those must be set; examined flags not listed in the second part must be clear. The TCP flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push); the keywords ALL and NONE may also be used. The ! operator negates the match.

Parameter: --syn
Example: iptables -p tcp --syn
Description: matches TCP packets that request a new connection; it is exactly equivalent to iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator it matches packets that are not connection requests.

Parameter: -m multiport --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 80,110
Description: matches several non-consecutive source ports; at most 15 ports can be given at a time. The ! operator negates the match.

Parameter: -m multiport --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 80,110
Description: matches several non-consecutive destination ports; set it the same way as above.

Parameter: -m multiport --port
Example: iptables -A INPUT -p tcp -m multiport --port 80,110
Description: a special form that matches packets whose source port and destination port are the same; set it the same way as above. Note: in this example a packet with source port 80 and destination port 110 does not match.
Parameter: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Description: matches the ICMP type, given either as a name or as a number. Run iptables -p icmp --help to see which names can be used.

Parameter: -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Description: matches the average rate of packets over a period of time; the example matches whether the average rate exceeds three packets per hour. The period can be a second, a minute, an hour or a day, written as /second, /minute, /hour or /day; the default is per hour. Besides counting packets, this match stops matching once the limit is reached, which prevents service interruption from flood attacks.

Parameter: --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Description: the number of packets allowed in a single burst; the example matches whether more than five packets arrive at once (five is the default). Packets beyond this limit are dropped directly. It is used in the same way as --limit.

Parameter: -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description: matches the hardware (MAC) address of the interface the packet came from. This match cannot be used in the OUTPUT and POSTROUTING chains, because the destination MAC address is only resolved by the interface driver through ARP after the packet has been handed to the interface, so at matching time iptables does not yet know which interface the packet will leave through.

Parameter: --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Description: matches whether the packet carries a given mark number. When a packet matches a rule, the MARK action can set such a number on it; the number cannot exceed 4294967296.

Parameter: -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: matches packets generated on the local machine by a specific user. This can stop the server from transmitting sensitive data as root or another identity, and so limits the damage if the system is compromised. Unfortunately it cannot match packets coming from other hosts.

Parameter: -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Description: matches packets generated on the local machine by a specific user group; used the same way as --uid-owner.

Parameter: -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Description: matches packets generated on the local machine by a specific process; used the same way as --uid-owner.

Parameter: -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Description: matches packets generated on the local machine by a specific session ID.

Parameter: -m state --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description: matches the connection state of the packet. There are four states: INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet's connection cannot be identified or its sequence is incorrect. ESTABLISHED means the packet belongs to an already established connection. NEW means the packet wants to start a new connection (or reset or redirect a connection). RELATED means the packet belongs to a connection related to an established one; for example, an FTP-DATA connection must come from an FTP connection.

Common actions: the -j parameter specifies the action to take on a matching packet.
Common actions are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK, described below.

ACCEPT lets the packet through. After this action no further rules in the chain are compared; processing jumps directly to the next chain (nat:POSTROUTING).

REJECT blocks the packet and sends a packet back to notify the other side. The notification can be chosen: ICMP port-unreachable, ICMP echo-reply, or tcp-reset (which asks the other side to close the connection). After this action filtering of the packet stops; it is not compared with further rules.
Example: iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset

DROP discards the packet without any further processing. Filtering stops immediately; the packet is not compared with further rules.

REDIRECT redirects the packet to another port (port NAT). After this action the packet continues to be compared with the remaining rules. It can be used to implement a transparent proxy or to protect a web server.
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

MASQUERADE rewrites the source IP address of the packet to the IP address of the firewall's interface. A port range can be given. After this action processing jumps directly to the next chain (mangle:POSTROUTING). It differs slightly from SNAT: with IP masquerading you do not specify which address to masquerade as, since the address is read directly from the interface. With a dial-up connection the address is usually assigned by the ISP's DHCP server, and MASQUERADE is particularly useful in that case.
Example: iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000

LOG records information about the packet under /var/log; see the /etc/syslog.conf configuration file for details. After this action the packet continues to be compared with the remaining rules.
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

SNAT rewrites the source IP address of the packet to a specific IP address or address range. A port range can be given. After this action processing jumps directly to the next chain (mangle:POSTROUTING).
Example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160

DNAT rewrites the destination IP address of the packet to a specific IP address or address range. A port range can be given. After this action processing jumps directly to the next chain (filter:INPUT or filter:FORWARD).
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100

MIRROR mirrors the packet: the source and destination IP addresses are swapped and the packet is sent back. After this action filtering stops.

QUEUE stops filtering and places the packet in a queue, handing it to another program for processing. Other applications, for example accounting of connection cost, can be built on this with a custom processing program.

RETURN ends filtering in the current chain and returns to the parent chain to continue filtering. If a user-defined chain is thought of as a subroutine, this action is like finishing the subroutine early and returning to the main program.

MARK sets a mark number on the packet to serve as a basis for later filter conditions. After this action the packet continues to be compared with the remaining rules.
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
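The script below is an added example, not part of the original page: it combines the chain commands (-F, -Z, -P, -N, -A), the state, limit, syn and multiport matches, and the ACCEPT, LOG, DROP and RETURN actions described above into one small stateful INPUT ruleset. The interface name eth0, the administration network 203.0.113.0/24, and the helper names emit_rules and apply_rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original page: a small stateful INPUT ruleset
# built only from the commands, matches and actions described above.
# Assumptions (constructed for the example): the public interface is eth0 and
# 203.0.113.0/24 is the trusted administration network.
IFACE=eth0
ADMIN_NET=203.0.113.0/24

# emit_rules prints one iptables command per line, in the order they must run,
# so the ruleset can be reviewed before anything touches the kernel.
emit_rules() {
    # Start from a clean chain with zeroed counters so the script is repeatable.
    echo "iptables -F INPUT"
    echo "iptables -Z INPUT"
    # -P: packets that match nothing below are dropped by default.
    echo "iptables -P INPUT DROP"
    # -N: user-defined chain holding the allowed services (created once, flushed after).
    echo "iptables -N allowed || iptables -F allowed"
    # Loopback and packets of already known connections are accepted first.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # Only genuine connection requests (--syn) on the public interface enter the chain.
    echo "iptables -A INPUT -i $IFACE -p tcp --syn -j allowed"
    # New SSH connections from the admin network are rate-limited (-m limit); the excess, and any other source, is logged then dropped.
    echo "iptables -A allowed -p tcp --dport 22 -s $ADMIN_NET -m limit --limit 3/minute --limit-burst 5 -j ACCEPT"
    echo "iptables -A allowed -p tcp --dport 22 -j LOG --log-prefix \"SSH-DROP \""
    echo "iptables -A allowed -p tcp --dport 22 -j DROP"
    # Web traffic on two non-consecutive ports via the multiport match.
    echo "iptables -A allowed -p tcp -m multiport --destination-port 80,443 -j ACCEPT"
    # RETURN sends everything else back to INPUT, where the DROP policy applies.
    echo "iptables -A allowed -j RETURN"
}

# apply_rules executes the emitted commands. It refuses to run without root
# and an iptables binary; use emit_rules alone to review the ruleset.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: needs root and iptables; run emit_rules to review" >&2
        return 1
    fi
    emit_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}
```

Run emit_rules first and read the output; apply_rules only executes those same lines, and fails closed if it lacks root or iptables.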
