Detailed description of iptables Firewall Configuration

Source: Internet
Author: User

iptables Introduction

iptables is a kernel-based firewall with powerful functions. It has three built-in tables: filter, nat, and mangle.

The filter table filters packets; its rule chains are INPUT, OUTPUT, and FORWARD.

The nat table handles network address translation; its rule chains are PREROUTING, POSTROUTING, and OUTPUT.

The mangle table is mainly used to modify packet contents for traffic shaping; its default rule chains are PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.

INPUT matches packets whose destination address is the local host, FORWARD matches packets that are routed through the local host, PREROUTING is where the destination address is rewritten for DNAT, and POSTROUTING is where the source address is rewritten for SNAT.

Main iptables Parameters

-A appends a rule to a rule chain (at the end of the chain by default).

-t specifies the table to operate on; the default is filter.

-D deletes a rule from a rule chain, identified either by its sequence number or by the matching rule specification.

-R replaces a rule.

-I inserts a rule (at the head of the chain by default).

-F flushes the rules of the selected chain; only the running rule set is affected, so the saved rules come back after a restart.

-N creates a custom rule chain.

-X deletes a custom rule chain.

-p specifies the protocol, such as tcp, udp, or icmp.

-s specifies the source address.

-d specifies the destination address.

-i specifies the inbound interface.

-o specifies the outbound interface.

-j specifies the action (target) to take: ACCEPT, DROP, SNAT, DNAT, or MASQUERADE.

--sport specifies the source port.

--dport specifies the destination port; it must be used together with the protocol (-p).

Note: chain names must be written in upper case, table names in lower case, actions (targets) in upper case, and match names in lower case.

iptables configuration examples

Basic iptables operations

iptables -L    list the iptables rules
iptables -F    flush the built-in chains
iptables -X    delete the custom chains

Set default policies

If a packet matches none of the rules in a chain, the chain's default policy decides how it is handled.

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Configure SSH rules

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

The OUTPUT rule is only needed if the OUTPUT policy is set to DROP; without it the SSH service cannot send its replies, so SSH logins fail.

Allow SSH connections only from a single trusted machine (<trusted-ip> is a placeholder for its address):

iptables -A INPUT -s <trusted-ip> -p tcp --dport 22 -j ACCEPT

To allow or restrict a whole range of addresses instead, give -s a network in CIDR notation (address/prefix-length), which stands for all addresses of that network.

Allow loopback communication

iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

Destination address translation: map an external port to an internal address

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to <internal-ip>:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to <internal-ip>

<internal-ip> is a placeholder for the internal host's address. The first form also rewrites the port (81 to 80); the second keeps the original destination port.

Source address translation: hide internal addresses

iptables -t nat -A POSTROUTING -s <lan-subnet> -j SNAT --to <public-ip>
iptables -t nat -A POSTROUTING -s <lan-subnet> -j SNAT --to <public-ip-first>-<public-ip-last>

<lan-subnet> and the public addresses are placeholders; the first form translates to one fixed address, the second to an address pool given as a range.

Address masquerading: NAT for a dynamic IP address

iptables -t nat -A POSTROUTING -s <lan-subnet> -j MASQUERADE

The main difference between MASQUERADE and SNAT is that SNAT translates the source address to a fixed IP address or address pool, whereas MASQUERADE is intended for connections such as ADSL dial-up, where the public address of the network interface changes frequently. With SNAT the address in the translation rule would have to be updated after every change; MASQUERADE avoids this by looking up the address currently assigned to the external interface and translating to it automatically, so no manual intervention is needed even when the public address changes often.

Enable forwarding

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The first rule forwards only established connections and their related traffic inward; the second allows all forwarding outward.

Filter by MAC address

iptables -A FORWARD -m mac --mac-source <mac-address> -j DROP

After a packet has been routed, its original MAC header is replaced, so matching on a MAC address in chains after routing is meaningless.

Packet rate limiting

iptables -A FORWARD -d <dest-ip> -m limit --limit 50/s -j ACCEPT
iptables -A FORWARD -d <dest-ip> -j DROP

Packets to <dest-ip> (a placeholder) are accepted at up to 50 per second; anything beyond that falls through to the DROP rule.
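The DNAT, SNAT/MASQUERADE, forwarding and rate-limit rules above fit together into one gateway rule set. The script below is an added example and not code from the original article: it renders the nat and filter tables in iptables-restore format so the rules can be reviewed (or checked with iptables-restore --test) before they are loaded, picks SNAT when a fixed public address is supplied and MASQUERADE otherwise, and applies the page's RELATED,ESTABLISHED and limit rules to the FORWARD chain. Interface names, networks and addresses are caller-supplied; the values in the demo are constructed placeholders, not a real network.

```shell
#!/bin/sh
# Added example, not code from the original article: render the nat and
# filter tables of a small gateway (DNAT port forward, SNAT or MASQUERADE,
# stateful forwarding, rate-limited new connections) as an iptables-restore
# file. Interface names, networks and addresses are caller-supplied; the
# values in the demo are constructed placeholders, not a real network.

# render_gateway_ruleset WAN_IF LAN_IF LAN_NET INTERNAL_HOST [PUBLIC_IP]
# With PUBLIC_IP the source translation uses SNAT to that fixed address;
# without it MASQUERADE is used, which reads WAN_IF's current address.
render_gateway_ruleset() {
    wan_if="$1"; lan_if="$2"; lan_net="$3"; internal_host="$4"; public_ip="$5"
    if [ -n "$public_ip" ]; then
        snat_rule="-A POSTROUTING -o ${wan_if} -s ${lan_net} -j SNAT --to-source ${public_ip}"
    else
        snat_rule="-A POSTROUTING -o ${wan_if} -s ${lan_net} -j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# external port 81 on the WAN interface is forwarded to port 80 of the internal host
-A PREROUTING -i ${wan_if} -p tcp --dport 81 -j DNAT --to-destination ${internal_host}:80
${snat_rule}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# inbound: replies and related traffic, plus the forwarded service (seen post-DNAT as host:80)
-A FORWARD -i ${wan_if} -o ${lan_if} -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${wan_if} -o ${lan_if} -p tcp -d ${internal_host} --dport 80 -m state --state NEW -j ACCEPT
# outbound: LAN hosts may open connections at roughly 50 connection-opening packets/s
# (limit match, default burst 5); the excess falls through to the FORWARD DROP policy
-A FORWARD -i ${lan_if} -o ${wan_if} -m state --state NEW -m limit --limit 50/s -j ACCEPT
-A FORWARD -i ${lan_if} -o ${wan_if} -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# nat_target FILE -> the source-translation target used in POSTROUTING
nat_target() {
    sed -n 's/^-A POSTROUTING .* -j \([A-Z]*\).*/\1/p' "$1"
}

# forward_rules FILE -> number of rules in the FORWARD chain
forward_rules() {
    grep -c '^-A FORWARD ' "$1"
}

# demo with constructed values (documentation-range addresses, not a real site)
demo() {
    out="${TMPDIR:-/tmp}/gw-rules.$$"
    render_gateway_ruleset eth0 eth1 192.0.2.0/24 192.0.2.10 > "$out"
    echo "dynamic public address: $(nat_target "$out")"
    render_gateway_ruleset eth0 eth1 192.0.2.0/24 192.0.2.10 198.51.100.7 > "$out"
    echo "fixed public address: $(nat_target "$out")"
    rm -f "$out"
}
demo
```

Redirect the rendered output to a file and feed it to iptables-restore; the FORWARD chain keeps the page's ordering (stateful ACCEPT rules first, DROP policy last), so a new inbound connection that is not the forwarded service never reaches the LAN.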

Multi-port matching

Used to match several ports in one rule:

iptables -A INPUT -p tcp -m multiport --dports 110,<other-ports> -j ACCEPT

The port list is comma-separated; <other-ports> is a placeholder for the remaining ports.

Discard invalid connections

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
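The default policies, loopback rules, source-restricted SSH rule, multiport rule and INVALID drops above belong to one host firewall, and the order they are loaded in matters. The script below is an added example, not code from the original article: it renders that firewall as a single iptables-restore file and provides small review helpers that report the chain policies and confirm every port-22 rule carries a source match. The RELATED,ESTABLISHED rule on INPUT is the same stateful technique the article applies to FORWARD; the trusted network and port list are caller-supplied, and the demo values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: render the host
# firewall described above (default policies, loopback, restricted SSH,
# multiport service rule, INVALID drop) as one iptables-restore file.
# The stateful RELATED,ESTABLISHED rule on INPUT is the same technique the
# article applies to FORWARD; the trusted network and port list are
# caller-supplied, and the demo values are constructed placeholders.

# render_host_ruleset TRUSTED_NET SERVICE_PORTS -> rule set on stdout
render_host_ruleset() {
    trusted_net="$1"      # address or CIDR allowed to open SSH sessions
    service_ports="$2"    # comma-separated TCP ports for -m multiport
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets conntrack cannot classify are dropped before anything else
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# replies to connections this host already accepted or opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# new SSH sessions only from the trusted network
-A INPUT -p tcp -s ${trusted_net} --dport 22 -m state --state NEW -j ACCEPT
# several service ports in one rule
-A INPUT -p tcp -m multiport --dports ${service_ports} -j ACCEPT
COMMIT
EOF
}

# policy_of FILE CHAIN -> default policy recorded for CHAIN
policy_of() {
    sed -n "s/^:$2 \([A-Z]*\) .*/\1/p" "$1"
}

# count_rules FILE CHAIN -> number of -A rules in CHAIN
count_rules() {
    grep -c "^-A $2 " "$1"
}

# ssh_restricted FILE -> 0 if every rule for port 22 carries a -s source match
ssh_restricted() {
    ! grep -- '--dport 22 ' "$1" | grep -vq -- ' -s '
}

# demo with constructed values (documentation-range network, not a real site)
demo() {
    out="${TMPDIR:-/tmp}/host-rules.$$"
    render_host_ruleset "203.0.113.0/24" "25,80,110" > "$out"
    echo "INPUT policy $(policy_of "$out" INPUT), $(count_rules "$out" INPUT) rules"
    ssh_restricted "$out" && echo "SSH limited to the trusted network"
    rm -f "$out"
}
demo
```

Because the OUTPUT policy stays ACCEPT, the page's separate --sport 22 rule on OUTPUT is not needed here; if OUTPUT is switched to DROP, add that rule (or a RELATED,ESTABLISHED rule on OUTPUT) before loading, or the SSH session that loads the file loses its replies.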

Saving and restoring iptables rules

iptables-save > somefile
iptables-restore < somefile
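A saved rule file is usually edited by hand before it is restored, which is where the case conventions from the parameter section (chain names upper case, table names lower case, targets upper case, matches lower case) and the rule that --dport needs a protocol tend to be violated. The script below is an added example, not code from the original article: it lints an iptables-save dump for exactly those conventions before iptables-restore is run. The sample dumps it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original article: lint an iptables-save
# dump before handing it to iptables-restore. It checks the article's case
# conventions (table names lower case, chain names and targets upper case,
# match names lower case) and the rule that --sport/--dport need -p tcp or
# -p udp in the same rule. The sample dumps below are constructed.

# lint_ruleset FILE -> prints one finding per line, returns 1 if any
lint_ruleset() {
    findings=$(awk '
    /^#/ || /^$/ || /^COMMIT$/ { next }
    /^\*/ {
        if ($0 !~ /^\*[a-z]+$/) print FNR ": table name must be lower case: " $0
        next
    }
    /^:/ {
        if (substr($1, 2) !~ /^[A-Z_]+$/) print FNR ": chain name must be upper case: " substr($1, 2)
        next
    }
    {
        has_l4 = 0
        for (i = 1; i < NF; i++)
            if ($i == "-p" && ($(i+1) == "tcp" || $(i+1) == "udp")) has_l4 = 1
        for (i = 1; i <= NF; i++) {
            if (($i == "-A" || $i == "-I" || $i == "-D") && $(i+1) !~ /^[A-Z_]+$/)
                print FNR ": chain name must be upper case: " $(i+1)
            if ($i == "-j" && $(i+1) !~ /^[A-Z]+$/)
                print FNR ": target must be upper case: " $(i+1)
            if ($i == "-m" && $(i+1) !~ /^[a-z]+$/)
                print FNR ": match name must be lower case: " $(i+1)
            if ($i ~ /^--[sd]ports?$/ && !has_l4)
                print FNR ": " $i " needs -p tcp or -p udp in the same rule"
        }
    }' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# lint_count FILE -> number of findings
lint_count() {
    lint_ruleset "$1" | awk 'END { print NR }'
}

# constructed sample dumps: one clean, one with the mistakes the lint catches
write_sample_good() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT' 'COMMIT' > "$1"
}
write_sample_bad() {
    printf '%s\n' '*Nat' ':input DROP [0:0]' \
        '-A INPUT -m Mac --mac-source 00:11:22:33:44:55 -j drop' \
        '-A INPUT --dport 22 -j ACCEPT' 'COMMIT' > "$1"
}

demo() {
    d="${TMPDIR:-/tmp}/lint-demo.$$"
    write_sample_good "$d.good"; write_sample_bad "$d.bad"
    lint_ruleset "$d.good" && echo "good dump: no findings"
    lint_ruleset "$d.bad" || echo "bad dump: $(lint_count "$d.bad") findings"
    rm -f "$d.good" "$d.bad"
}
demo
```

The lint only catches the conventions the article names; a dump that passes it should still be checked with iptables-restore --test, which parses the whole file without committing it, before it is loaded into the running kernel.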
