Detailed description of IPTABLES configuration in linux

For more information about IPTABLES configuration in linux-general Linux technology-Linux technology and application information, see the following. Simple Application of IPTABLES:

Iptables-a input-p tcp-s 10.1.2.187-j ACCEPT
Add 10.1.2.187 to the permitted range

Iptables-t nat-a postrouting-j SNAT -- to-source 10.1.2.1
Parameter --

-A: add (Link)
-I: insert
-P: Protocol
-S: source IP address
-D: Target IP Address
-J: Operation Behavior
-T: Add Table
-- To-source: used for SNAT to indicate the SNAT source address.
-- To-destination: used for DNAT to indicate the destination address of the changed DANT.


IPTABLE: input output forword prerouting postrouting (chain)
For more information, see online.

View the current iptable list:
Iptables-L
Iptables-t nat-L (content in the nat table)
Iptables-L-n: IP address displayed, not automatically resolved to Domain Name
Iptables-L -- line-numbers: Display number: iptables-F Delete filter table content: iptables-F-t nat Delete nat table content

SNAT is generally used to access the Internet.
DNAT is used to come in from outside

SNAT eg:
Iptables-t nat-I POSTROUTING-s 10.1.0.0/24-j SNAT -- to-source 192.168.0.5
Map Intranet 10.1 fields to 192.168.0.5
You can also do this:
Iptables-t nat-I POSTROUTING-s 10.1.0.0/24-j SNAT -- to-source 192.168.0.5-192.168.0.245
Map a local IP address to an IP address (attack can be performed ^)
The same function in the preceding example: iptables-t nat-I POSTROUTING-s 10.1.0.0/24-j NETMAP -- to 192.168.0.0/24

DNAT eg:
Iptables-t nat-a prerouting-d ROUTEIP-p tcp -- dport 80-j DNAT -- to-destination WEBIP
ROUTEIP indicates the public IP address of the firewall (router ).
WEBIP indicates the IP address of the Intranet WEB server
This rule indicates that when the Internet accesses the local port HTTP80, it is automatically forwarded to the Intranet WEB server. As a result, the web server is mapped to the Internet. This is sufficient when you only need to access the Intranet from the Internet, but if you need to access the WEB server from the Intranet machine through the Internet IP address of the WEB server, you also need to add an SNAT rule: iptables-t nat-a postrouting-p tcp-d WEBIP -- dport 80-j SNAT -- to ROUTEIP: Change the source IP address of the data packet accessing the WEB server to the gateway IP address. Otherwise, the access will fail. Reason for simple analysis: assume that the Intranet 192.168.0.10-> the host that needs to access the WEB from the external IP address 192.168.0.254-> the internal IP address of the WEB server 192.168.0.1-> the gateway (the external IP address is 202.96.22.22) when 192.168.0.10 accesses the WEB Service of 202.96.22.22, according to The DNAT on the gateway, the destination IP address of the data packet is changed from 202.96.22.22 to 192.168.0.254. 254 after receiving the packet, it is found that 10 is sent, then it will directly return the packet to 192.168.0.10, but 10 after receiving the packet, it is found that the packet source is not your desired 202.96.22.22, the package will be discarded directly. The solution is to send packets to 10 instead of the gateway at 254, so that the gateway returns the original route to 10 machines. In this way, you can solve this problem by changing the source IP address of the packet sent to the WEB Service 254 request to the gateway IP address 192.168.0.1. That is, iptables-t nat-a postrouting-p tcp-d 192.168.0.254 -- dport 80-j SNAT -- to 192.168.0.1 has A better solution to separate A network segment, that is to say, in the DMZ zone, each SERVER is placed. Detailed description of IPTABLES configuration in linux: if you do not know the basic knowledge about IPTABLES, we recommend that you check it first. configure a filter table firewall. (1) view the settings of IPTABLES on the local machine [root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination Chain FORWARD (policy ACCEPT)
Target prot opt source destination Chain OUTPUT (policy ACCEPT)
Target prot opt source destination Chain RH-Firewall-1-INPUT (0 references)
Target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 224.0.0.20.udp dpt: 5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 uddpt: 631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt: 22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt: 80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt: 25
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
We can see that when I installed linux, I chose to have a firewall and opened ports 22, 80, and 25. if you do not choose to start the firewall when installing linux, this is the case [root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination Chain FORWARD (policy ACCEPT)
Target prot opt source destination Chain OUTPUT (policy ACCEPT)
Target prot opt source destination has no rules. (2) Clear the original rules. whether or not you have enabled the firewall when installing linux, if you want to configure your own firewall, clear all the filter rules. [root @ tp ~] # Iptables-F clear the rules of all rule chains in the filter of the preset table
[Root @ tp ~] # Iptables-X clear the rules in the User-Defined chain in the filter of the preset table. Let's take a look at [root @ tp ~]. # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination Chain FORWARD (policy ACCEPT)
Target prot opt source destination Chain OUTPUT (policy ACCEPT)
Target prot opt source destination has nothing to do with. It is the same as we didn't start the firewall when installing linux. (say in advance, these configurations are the same as configuring IP addresses with commands, so restarting them will lose effect.) How to save them. [root @ tp ~] #/Etc/rc. d/init. d/iptables save to write it to the/etc/sysconfig/iptables file. after writing, remember to repeat the firewall to make it work. [root @ tp ~] # Service iptables restart: No configuration is available in the IPTABLES configuration table. Let's start our configuration. (3) set the default rule [root @ tp ~] # Iptables-p input drop [root @ tp ~] # Iptables-p output accept [root @ tp ~] # Iptables-p FORWARD DROP
The above means that when two chain rules (INPUT and FORWARD) in the filter table in IPTABLES are exceeded, how can we process data packets not in these two rules, that is, DROP (discard ). it should be said that the configuration is safe. we need to control inbound data packets, but we do not need to impose too many restrictions on the OUTPUT chain, that is, the outgoing packet, but adopt ACCEPT. That is to say, what should we do if the packet is not in a rule, that is through. we can see what packets are allowed to pass through the INPUT and FORWARD chains, and what packets are not allowed to pass through the OUTPUT chain. this setting is quite reasonable. Of course you can also DROP all three links, but I don't think it is necessary to do so, and the rules to be written will increase. but if you only want a limited number of rules, for example, only WEB servers. we recommend that all three links be DROP. note: If you log on remotely through SSH, you should drop it when you enter the first command and press Enter. because you have not set any rules. what should I do? Go to the local machine to operate it! (4) Add a rule. first, add the INPUT chain. The default rule of the INPUT chain is DROP, so we will write the chain requiring ACCETP (VIA). In order to enable remote SSH Login, We need to enable port 22. [root @ tp ~] # Iptables-a input-p tcp -- dport 22-j ACCEPT [root @ tp ~] # Iptables-a output-p tcp -- sport 22-j ACCEPT (Note: If you set OUTPUT to DROP, write this rule, many people are eager to write this rule, and SSH is always unavailable. remotely, is it okay. the same applies to other ports. If the web server is enabled and the OUTPUT is set to DROP, a chain should also be added: [root @ tp ~] # Iptables-a output-p tcp -- sport 80-j ACCEPT, similarly.) If the WEB server is configured, enable port 80. [root @ tp ~] # Iptables-a input-p tcp -- dport 80-j ACCEPT
If the email server is configured, enable port 25,110. [root @ tp ~] # Iptables-a input-p tcp -- dport 110-j ACCEPT
[Root @ tp ~] # Iptables-a input-p tcp -- dport 25-j ACCEPT
If the FTP server is configured, enable port 21 [root @ tp ~]. # Iptables-a input-p tcp -- dport 21-j ACCEPT [root @ tp ~] # Iptables-a input-p tcp -- dport 20-j ACCEPT if the DNS server is configured, enable port 53 [root @ tp ~] # Iptables-a input-p tcp -- dport 53-j ACCEPT. the above mainly writes the INPUT chain. For anything not in the above rules, DROP allows icmp packets to pass through, that is, allow ping, [root @ tp ~] # Iptables-a output-p icmp-j ACCEPT (if OUTPUT is set to DROP) [root @ tp ~] # Iptables-a input-p icmp-j ACCEPT (if INPUT is set to DROP)
Allow loopback! (Otherwise, DNS may fail to be shut down normally.) IPTABLES-a input-I lo-p all-j ACCEPT (if it is INPUT DROP)
IPTABLES-a output-o lo-p all-j ACCEPT (if it is output drop)
The OUTPUT chain is written below. The default rule of the OUTPUT chain is ACCEPT, so we will write the chain that requires DROP (discard). Reduce insecure port connections [root @ tp ~] # Iptables-a output-p tcp -- sport 31337-j DROP [root @ tp ~] # Iptables-a output-p tcp -- dport 31337-j DROP some Trojans scan services on ports 31337 to 31340 (elite ports in hacking languages. Since legal services do not use these non-standard ports for communication, blocking these ports can effectively reduce the chances of independent communication between infected machines on your network and their remote master servers. There are also other ports, such: ports 31335, 27444, 27665, 20034 NetBus, 9704, 137-139 (smb), and 2049 (NFS) should also be disabled. I have not written all of them here, if you are interested, check related information. of course, you can set the OUTPUT chain to DROP for more secure access, so you can add more rules, just like adding the above to allow SSH login. just write it. the following is a more detailed rule that limits access to a machine. For example, we only allow hosts with 192.168.0.3 to perform SSH connections [root @ tp ~]. # Iptables-a input-s 192.168.0.3-p tcp -- dport 22-j ACCEPT if you want to allow, you can also restrict the number of subnet masks for a certain IP address. The value 192.168.0.0/24 indicates all IP addresses in the range of 192.168.0.1-255. but remember to delete this line in/etc/sysconfig/iptables. -a input-p tcp-m tcp -- dport 22-j ACCEPT because it indicates that all addresses can log on. or use the command: [root @ tp ~] # Iptables-d input-p tcp -- dport 22-j ACCEPT and save it. I'll talk about it again. Instead, it uses the command method and takes effect only at the time. If you want to restart it, it will also take effect, save it. write to the/etc/sysconfig/iptables file. [root @ tp ~] #/Etc/rc. d/init. d/iptables save! 192.168.0.3 indicates that other rule connections except the IP address 192.168.0.3 are also set. the following is the FORWARD chain. The default rule of the FORWARD chain is DROP, so we will write the chain that requires ACCETP (VIA) to monitor the ongoing forwarding chain. enable the forwarding function (required when the default FORWARD rule is DROP when performing NAT) [root @ tp ~] # Iptables-a forward-I eth0-o eth1-m state -- state RELATED, ESTABLISHED-j ACCEPT [root @ tp ~] # Iptables-a forward-I eth1-o eh0-j ACCEPT discard bad TCP Packets [root @ tp ~] # Iptables-a forward-p TCP! -- Syn-m state -- state NEW-j DROP: number of IP fragments processed to prevent attacks. 100 [root @ tp ~] # Iptables-a forward-f-m limit -- limit 100/s -- limit-burst 100-j ACCEPT: sets ICMP packet filtering and allows one packet per second, the trigger condition is 10 packets. [root @ tp ~] # Iptables-a forward-p icmp-m limit -- limit 1/s -- limit-burst 10-j ACCEPT, this is because I have restrictions here.
2. configure a NAT table to go to firewall 1 and view local NAT settings [root @ tp rc. d] # iptables-t nat-L
Chain PREROUTING (policy ACCEPT)
Target prot opt source destination Chain POSTROUTING (policy ACCEPT)
Target prot opt source destination
SNAT all -- 192.168.0.0/24 anywhere to: 211.101.46.235 Chain OUTPUT (policy ACCEPT)
Target prot opt source destination my NAT has been configured (only the simplest proxy Internet access function is provided, and no firewall rules have been added ). for more information about how to configure NAT, see my other article. If you have not configured NAT, you do not need to clear the rules, because NAT does not have anything by default. If you want to clear it, run the [root @ tp ~] command. # Iptables-F-t nat [root @ tp ~] # Iptables-X-t nat [root @ tp ~] # Iptables-Z-t nat2: add rules to add basic NAT address translation (see my other article on how to configure NAT). To add rules, we only add DROP links. because the default chain is all ACCEPT. prevent Internet spoofing by using an intranet IP Address [root @ tp sysconfig] # iptables-t nat-a prerouting-I eth0-s 10.0.0.0/8-j DROP
[Root @ tp sysconfig] # iptables-t nat-a prerouting-I eth0-s 172.16.0.0/12-j DROP
[Root @ tp sysconfig] # iptables-t nat-a prerouting-I eth0-s 192.168.0.0/16-j DROP
If we want to, for example, block MSN, QQ, BT, etc., we need to find the port or IP address they use (I personally think it is not necessary) for example: disable all connections to 211.101.46.253 [root @ tp ~] # Iptables-t nat-a prerouting-d 211.101.46.253-j DROP disable FTP (21) Port [root @ tp ~] # Iptables-t nat-a prerouting-p tcp -- dport 21-j DROP. If the write range is too large, we can define it more accurately. [root @ tp ~] # Iptables-t nat-a prerouting-p tcp -- dport 21-d 211.101.46.253-j DROP to disable only the FTP connection with the 211.101.46.253 address. Other connections are also allowed. for example, web (port 80) connection. according to what I wrote, you only need to find the IP addresses, ports, and protocols of other software such as QQ and MSN. finally: drop illegal connection
[Root @ tp ~] # Iptables-a input-m state -- state INVALID-j DROP
[Root @ tp ~] # Iptables-a output-m state -- state INVALID-j DROP
[Root @ tp ~] # Iptables-a forward-m state -- state INVALID-j DROP
Allow all established and related connections
[Root @ tp ~] # Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEPT
[Root @ tp ~] # Iptables-a output-m state -- state ESTABLISHED, RELATED-j ACCEPT

[Root @ tp ~] #/Etc/rc. d/init. d/iptables save

In this way, you can write it to the/etc/sysconfig/iptables file. Remember to repeat the firewall after writing it to make it take effect.

[Root @ tp ~] # Service iptables restart


Don't forget to save it. If you can't save it, write it once. You can save it while doing experiments to see if it meets your requirements,

I have tried all the rules above and there is no problem. it took me nearly one month to write this article. search for information and perform experiments on your own. I hope this will help you. if there are incomplete and incomplete information, please submit it. this article focuses on configuration. I will upload the basic knowledge about IPTABLES and instructions on commands as soon as possible. Of course, you can search for them online.