Detailed description of iptables command parameters

Source: Internet
Author: User
The principles and concepts of the iptables firewall are described above. here we mainly describe the parameters and usage of the iptabels command. let's first review the content of the iptables control process in the previous article. Iptables uses the rule stack for filtering. when a packet enters the NIC, it first checks Prerouting and then checks whether the destination IP address needs to be transferred. IptablesThe principles and concepts of the firewall. here we mainly describe the parameters and usage of the iptabels command. let's review the above. IptablesControl the content of the process.
Iptables uses a rule stack for filtering. when a packet enters the NIC, it first checks Prerouting and then checks the destination IP to determine whether the packet needs to be transferred out, then, it will jump to INPUT or Forward for filtering. if the packet needs to be transferred for processing, it will check Postrouting. if it is from the local packet, it will check OUTPUT and Postrouting. If a rule is met during the process, the processing will be performed in addition to ACCEPT, REJECT, DROP, REDIRECT, and MASQUERADE, there are also more LOG, ULOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, TOS, TTL, MARK, and so on, some of the processing actions will not interrupt the filtering program, some processing actions will interrupt the filtering of the same rule chain and continue filtering the next rule chain according to the preceding process (note: This is different from ipchains ), until the rule check in the stack is complete. The advantage of this mechanism is that we can perform complex and multi-packet filtering. In short, iptables can be used to filter packets (tables) instead of chins ). After the ACCEPT completes the processing, it will not compare other rules and directly jump to the next rule chain (nat: postrouting ).
So how can I use iptables to control the packet processing behavior in the above process? Of course, iptables and its related parameters are used.

1. iptables command formatThe command format of iptables is complex. the general format is as follows:

Iptables [-t table]-command matching operation
Description
(1)-t table
The table option specifies the iptables built-in table that the command applies.
(2) commands
Command options are used to specify the iptables execution method, including inserting rules, deleting rules, and adding rules, as shown in the following table.

Command description
-P -- policy chain name> define default policy
-L -- list chain name> view the iptables rule list
-A -- append chain name> add one rule at the end of the rule list.
-I -- insert chain name> insert 1 rule at the specified position
-D -- delete chain name> delete one rule from the rule list
-R -- replace chain name> replace a rule in the rule list
-F -- flush chain name> delete all rules in the table
-Z -- zero chain name> returns the data packet counter and traffic counter in the table to zero.
-X -- delete-chain name> delete custom chain
-V -- verbose chain name> used with the-L command to display more detailed information

(3) matching rules
The matching option specifies the characteristics of a data packet that matches the rule, including the source address, destination address, transmission protocol, and port number, as shown in the following table.
Matching Description
-I -- in-interface network interface name> specifies the network interface from which the data packet enters,
-O -- out-interface network interface name> specifies the network interface from which the data packet is output
-P --- The proto protocol type specifies the Protocol for Packet matching, such as TCP, UDP, and ICMP.
-S -- source address or subnet> specifies the source address that the packet matches
-- Sport source port number> specifies the source port number that the data packet matches.
-- Dport destination port number> specify the destination port number for data packet matching
-M -- the matching module specifies the filtering module used by the packet rule.
When iptables executes a rule, it is executed from top to bottom in the rule table. If no matching rule is encountered, it is executed one by one. if a matching rule is encountered, then the rule will be executed. after the rule is executed, the next execution will be determined based on the action (accept, reject, log, drop, etc.) of the rule. Generally, there are three situations for subsequent execution.
One is to continue executing the next rule in the current rule queue. For example, after the LOG in the Filter queue is executed, the next rule in the Filter queue is also executed.
One is to stop the execution of the current rule queue and go to the next rule queue. For example, after the accept is executed, other rules in the Filter queue are interrupted and the rules are jumped to the nat queue for execution.
One is to abort the execution of all rule queues.

2. iptables rule action
We have mentioned earlier that iptables processing operations except ACCEPT, REJECT, DROP, REDIRECT, and MASQUERADE, there are also more logs, ULOG, DNAT, RETURN, TOS, SNAT, MIRROR, QUEUE, TTL, and MARK. We only describe the most common actions:

REJECT
Block the data packet and return the data packet to notify the other party. There are several possible options for the returned data packet: ICMP port-unreachable, ICMPecho-reply, or tcp-reset (this data packet will require the other party to disable online ), after this action is completed, the filter program is directly interrupted without comparing other rules. Example:
Iptables-a input-p TCP -- dport 22-j REJECT -- reject-with ICMP echo-reply
DROPDiscarded data packets are not processed. after this operation, the filtering program is directly interrupted instead of comparing other rules.
REDIRECTRedirect the packet to another port (PNAT). after the processing, the packet will continue to be compared with other rules. This function can be used to implement transparent proxy or to protect web servers. For example:
Iptables-t nat-a prerouting-p tcp -- dport 80-j REDIRECT -- to-ports 8081
MASQUERADERewrite the source IP address of the packet to the IP address of the firewall. you can specify the port range. after this action is completed, directly jump to the next rule chain (mangle: postrouting ). This function is slightly different from SNAT. when you perform IP camouflage, you do not need to specify which IP address you want to disguise. the IP address will be directly read from the NIC. when you use a dial connection, the IP address is usually assigned by the DHCP server of the ISP company. in this case, MASQUERADE is particularly useful. Example:
Iptables-t nat-a postrouting-p TCP-j MASQUERADE -- to-ports 21000-31000
LOGRecord data packet-related information in/var/log. for detailed location information, see The/etc/syslog. conf configuration file. after this operation is completed, the data packet will continue to be compared with other rules. For example:
Iptables-a input-p tcp-j LOG -- log-prefix "input packet"
SNATRewrite the source IP address of the packet to a specific IP address or IP address range. you can specify the port range. after this operation is completed, it will directly jump to the next rule refining (mangle: postrouting ). Example:
Iptables-t nat-a postrouting-p TCP/IP eth0-j SNAT -- to-source 192.168.10.15-192.168.10.160: 2100-3200
DNATRewrite the destination IP address of the data package to a specific IP address or IP address range. you can specify the port range. after this operation is completed, it will directly jump to the next rule chain (filter: input or filter: forward ). Example:
Iptables-t nat-a prerouting-p tcp-d 15.45.23.67 -- dport 80-j DNAT -- to-destination 192.168.10.1-192.168.10.10: 80-100
MIRRORMirror data packet, that is, after the source IP address and the destination IP address are reversed, the data packet is returned. after this operation is completed, the filter program will be interrupted.
QUEUEInterrupt the filter program, put the packet into the queue, and hand it to other programs for processing. Other applications can be implemented through self-developed processing programs, such as calculating the online cost.
RETURNThe filtering program ended in the current rule chain and returned to the main rule chain for further filtering. if you think of custom rule refining as a sub-program, then this action, it is equivalent to early completion of the subroutine and return to the main program.
MARKMark the packets with a specific code to provide a judgment basis for subsequent filtering conditions. after this action is completed, other rules will be compared. Example:
Iptables-t mangle-a prerouting-p tcp -- dport 22-j MARK -- set-mark 22

I have read about iptables parameters. I will use instances to describe iptables parameter usage in more detail.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.