Detailed description of iptables firewall rule settings

Source: Internet
Author: User
1. clear all rules in IPTABLES [root @ localhost ~] # Iptables-F [root @ localhost ~] # Iptables-X [root @ localhost ~] # Iptables-Z [root @ localhost ~] # Iptables-L-nChainINPUT (policyACCEPT) targ

1. clear all rules in IPTABLES

[Root @ localhost ~] #Iptables-F
[Root @ localhost ~] # Iptables-X
[Root @ localhost ~] # Iptables-Z
[Root @ localhost ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot optsource destination

Chain FORWARD (policy ACCEPT)
Target prot optsource destination

Chain OUTPUT (policy ACCEPT)
Target prot optsource destination

2. set preset rules
[Root @ localhost ~] # Iptables-P INPUT DROP
[Root @ localhost ~] # Iptables-P OUTPUT ACCEPT
[Root @ localhost ~] # Iptables-P FORWARD ACCEPT
[Root @ localhost ~] # Iptables-L-n
Chain INPUT (policy DROP)
Target prot optsource destination

Chain FORWARD (policy ACCEPT)
Target prot optsource destination

Chain OUTPUT (policy ACCEPT)
Target prot optsource destination

Open port 80
[Root @ localhost ~] # Iptables-a input-p tcp? Dport 80-jACCEPT

Then save service iptables save
Test...

Open port 22 to allow others to access the port through SSH, and only allow access to this port through the 10.112.5 network segment

[Root @ localhost ~] # Iptables-a input-p tcp-s 10.112.5.0/24? Dport 22-j ACCEPT

[Root @ localhost ~] # Iptables-L-n
Chain INPUT (policy DROP)
Target prot optsource destination
ACCEPT tcp? 0.0.0.0/0 0.0.0.0/0 tcp dpt: 80
ACCEPT tcp? 10.112.5.0/24 0.0.0.0/0 tcp spt: 22
ACCEPT tcp? 10.112.5.0/24 0.0.0.0/0 tcp dpt: 22

Chain FORWARD (policy ACCEPT)
Target prot optsource destination

Chain OUTPUT (policy ACCEPT)

Now you need to delete the second rule under INPUT and execute the command

[Root @ localhost ~] # Iptables-d input 2

Check that the rule has been cleared ......

Iptables... ^-^)

Iptables basics, rules, links, and tables

Rule: it is the predefined condition of the network administrator. The rule is generally defined as "if the data packet header meets this condition, process the data packet in this way ". Rules are stored in the information packet filtering table of the kernel space. these rules define the source address, destination address, Transmission Protocol (such as TCP, UDP, ICMP), and service type (HTTP, FTP, when a packet matches the rule, iptables processes the packet according to the rule-defined method, such as accept, reject, and drop). The main task of configuring a firewall is to add, modify, and delete these rules.

Chain: A chain is a way to transmit data packets. each chain is actually a check list among many rules. each chain can have one or several rules. When a packet arrives at a chain, iptables checks the first rule in the chain to check whether the packet meets the conditions defined by the rule. If yes, the system will process the packet according to the method defined by this rule; otherwise, iptables will continue to check the next rule. if the packet does not comply with any rule in the chain, iptables processes data packets according to the default policy.

Table: a table (tables) provides specific functions. iptables has three built-in tables: filter table, nat table, and mangle table. These functions are used to implement packet filtering, network address translation, and packet reconstruction respectively.

1. Filter table

The Filter table is mainly used to Filter data packets. it is the default iptables table that contains the INPUT chain (used to process incoming data packets), FORWORD chain (used to process forwarded data packets ), OUTPUT chain (processing locally generated data packets ). In the filter table, only data packets can be accepted or discarded, but data packets cannot be modified.

2. Nat table

Nat tables are mainly used for network address translation and can implement one-to-one, one-to-many, and many-to-many NAT operations, including the PREROUTING chain (modifying incoming packets ), OUTPUT chain (packet generated locally before the route is modified) and POSTROUTING (packet to be modified ).

3. Mangle table

The Mangle table is mainly used to modify specified packages, such as TTL and TOS. Rarely used.

IPTABLES packet transmission process
1. when a packet enters the NIC, it first enters the PREROUTING chain, and the kernel determines whether to forward the packet based on the destination IP address.

2. if the data packet enters the local machine, it will go down to the INPUT chain. After the data packet arrives at the INPUT chain, any process will accept it. Programs running on the local machine can also send data packets that pass through the OUTPUT chain and then reach the POSTROUTING chain OUTPUT.

3. if the packet is to be forwarded and the kernel permits it, the packet will pass through the FORWARD chain and then be output to the POSTROUTING chain.

You can define rules in each chain.

Iptables command format:

Iptables [-t table]? Command matching action

1. table options: filter table, nat table, and mangle table

2. command options are used to specify the execution mode, including inserting rules, deleting rules, and adding rules.

-P or-policy defines the default policy

-L or? List View iptables rule list

-A or? Append adds one rule at the end of the rule list.

-I or? Insert rules at the specified position

-D or? Delete: delete a rule from the rule list.

-R or? Replace a rule in the rule list

-F or? Flush delete all rules in the table

-Z or? Zero clears the data packet counters and traffic counters in the table.

3. matching options: match the characteristics of a specified data packet that matches the rule, including the source address, destination address, transmission protocol, and port number.

-I or-in-interface <网络接口名称> Specify the network interface from which the data packet enters, such as ppp0 and eth0.

-O or-out-interface <网络接口名称> Network interface from which data packets flow out

-P or-proto <协议类型> Tcp, udp, and icmp protocols that match data packets

-S or-source <源地址或子网> SOURCE address of the specified data packet matching

? Sport <源端口号> Specifies the source port number for packet matching.

-D or-destination <目的地址或者子网>

? Dport <目标端口号>

4. action options: specifies what operations should be performed when the data packet matches the rule, such as interface and discard

ACCEPT data packets

DROP dropped data packets

REDIRECT redirects data packets back to a port on the local machine or another host.

SNAT source address conversion

DNAT destination address translation

Masquerade ip disguise, that is, NAT technology

LOG to function, record the relevant information of compliant data packets in the day

Iptables usage

1. define the default policy

Iptables [-t table name] <-P> <链名> <动作>

For example, iptables? P inputaccept defines the default policy of the INPUT chain in the filter table to accept all data packets.

Iptables? T nat? P outputdrop: discards all data packets at the default rate of the nat table OUTPUT chain.

Tip: define default rules to reject all

Iptables? P INPUT DROP

Iptables? P FORWARD DROP

Iptables? P OUTPUT ACCEPT

2. View iptables rules

Iptables [-t table name] <-L> [chain name]

For example, you can view the list of all chain rules in the nat table.

Iptables? T nat? L

3. add, insert, delete, and replace rules

Iptables [-t table name] <-A, I, D, or R> chain name [rule number] [-I or o Nic name] [-p protocol type] [-s SOURCE address or subnet] [-- sport source port number] [-d destination IP address or subnet] [-- dport destination port number] <-j action>

For example, add one rule for the INPUT chain of the filter table.

Iptables? T filter? A input? S 192.168.1.200? J DROP

For example, insert one rule before the first rule in the INPUT chain rule list of the filter table.

Iptables? T filter? I INPUT 2? S 192.168.2.0/24? P tcp? Dport 80? J DROP

For example, delete the first rule in the INPUT chain rule list of the filter table.

Iptables? T filter? D input 3

Use iptables for NAT

First, you must enable the kernel routing function:

Echo "1">/proc/sys/net/ipv4/ip_forward

Then implement IP Spoofing. add a rule to the POSTROUTING chain in the nat table. this rule is used to disguise all packets sent from the ppp0 port.

Iptables? T nat? A postrouting? O PPP0? J MASQUERADE

Although you can use iptables-L to view the rules, the information is incomplete. Therefore, you can use cat/etc/sysconfig/iptables to view the rules.

Note: After a rule is added or deleted, you must save the service iptables save. Otherwise, the rule will be lost after the iptables service is restarted.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.