Detailed iptables usage

Source: Internet
Author: User

How to write rules
iptables

iptables [-t table] command chain criteria -j action
-t table: if no table is given, the default is filter
command: how the chain is managed (add, delete, list, ...)
chain: the chain to operate on
criteria: the match rules (for example, what the source and destination addresses are)
-j action: what to do with a packet that matches

iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
Access to port 53 on the local machine from 172.16.0.0/16 is not allowed
REJECT is more thorough than DROP: it explicitly rejects the packet

iptables -L -n: display the rule chains defined in iptables
iptables -t nat -L -n
iptables -L -n -v to also view the counters
Commands: the command class
Chain management commands
-P # policy: sets the default policy of a chain (whether the door is open or closed by default)
iptables -P INPUT DROP|ACCEPT
Be careful when closing a chain (for example, if your data center is in the United States and you have just rejected SSH, you have locked yourself out)
-F # flush: clear the rules in a chain
iptables -t nat -F PREROUTING
Clears all rules in the PREROUTING chain of the nat table
-N # new: create a user-defined chain
iptables -N inbound_tcp_web
-X # delete an empty user-defined chain. A chain that still contains rules cannot be deleted; its rules must be cleared first.
-E # rename a user-defined chain
iptables -E oldname newname
-Z # zero the counters of a chain and of the rules in it
iptables -L -n -v
pkts bytes # the two counters
iptables -Z clears these counters

Rule management commands
-A # append: the order of rules is critical; -A places the rule at the end of the chain
-I # insert: insert at position num; num cannot exceed the total number of rules
iptables -I INPUT num

-R # replace: replace, i.e. modify, the rule at position num
iptables -R INPUT num -s 172.16.0.0/16 -p udp --dport 53 -j DROP
-D # delete: delete a rule
iptables -D INPUT num
View commands
-L # list: has sub-options that can be combined. Without -n it is very slow, because every address and port is resolved to a name.
-n # numeric mode
-v # verbose; -vv and -vvv give more detail
iptables -L -n -vvv
-x # exact: show exact counter values, not rounded into K/M/G units
--line-numbers: display the rule numbers
iptables -L -n --line-numbers
These commands are common and must be kept in mind.
For TCP, there are four connection states:
NEW: a new connection
ESTABLISHED: an established connection
RELATED: a related connection (for example, the data connection of an FTP session)
INVALID: an unrecognized connection
--------------------------------------------------------------
Matching criteria:
1. General matches: can be used by any rule
-s # match the source address. It can be negated with an exclamation mark (!). Long form: --source
   Forms: an IP address, network/netmask, or 0.0.0.0/0.0.0.0 (match everything)
-d # match the destination address, or --destination
-p # protocol: used for protocol matching
-p [tcp | udp | icmp] Only these three protocols are defined here.
-i # inbound interface, followed by the NIC name
-i eth0
-o # outbound interface
Inbound traffic (-i) is generally used in the PREROUTING, INPUT and FORWARD chains.
Outbound traffic (-o) is likewise used in the POSTROUTING, OUTPUT and FORWARD chains.
2. Extension matches: extend matching for a particular function
Implicit extensions (loaded automatically by -p)
-p tcp
--dport destination port, 0-65535
A range can be written with a colon, e.g. 22:80 (only consecutive ports; non-consecutive ports cannot be given here)
--sport source port, 0-65535
--tcp-flags SYN,ACK,FIN,PSH,RST,URG SYN
The first list is the flags to check; of those, SYN must be 1 and the others 0.
--tcp-flags SYN,ACK,FIN,RST SYN
Matches the first packet of the three-way handshake. This match is abbreviated as --syn.
-p udp
--dport # destination port
--sport # source port

-p icmp
--icmp-type
Ping message types:
echo-request (8) # matches the ping request packet; type 8 means echo request
echo-reply (0) # the reply packet from the other side; type 0 means echo reply
Explicit extensions
-p tcp -m multiport --dports
# -m multiport
Multiple ports, separated by commas
-p tcp -m multiport --dports 21,23,80
# -m loads the extension module

-j # specifies the action taken on a packet once it matches
DROP quietly discards the packet and returns no rejection information
REJECT explicitly discards the packet and returns rejection information. DROP is generally used.
ACCEPT
custom_chain: jump to a user-defined chain
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: source address masquerading
REDIRECT: redirection, mainly used to implement port redirection
MARK: used in the mangle table
RETURN: return. After a user-defined chain has been called and has processed the packet, control returns to the next rule in the calling chain.
There are actually dozens of targets; these are the commonly used ones.

Connection state detection:

Uses the four TCP connection states listed above (NEW, ESTABLISHED, RELATED, INVALID), selected with -m state --state.

----------------------------------------
Assume that only 172.16.0.0/16 is allowed to access SSH on a host (172.16.100.1).
Access to the local machine is best defined on the INPUT chain.
Replies from the local machine are best defined on the OUTPUT chain.
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
iptables -L -n -v
iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT

Default-deny policies are common on Internet-facing hosts: everything that is not explicitly allowed is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Before doing this, make sure that the rules allowing your remote connection are in place.
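As an added example (not from the original page), the following script puts the SSH-only rules and the default-deny policies above together in the order that avoids locking yourself out, and uses -m state so that replies are allowed; IPT, TRUSTED_NET and HOST_IP are assumed names, and IPT=echo previews the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original page): default-deny host firewall that
# admits SSH only from 172.16.0.0/16 to the host 172.16.100.1. The state module
# (-m state) lets the replies through; the order of operations avoids lockout.
# IPT defaults to the real iptables binary; set IPT=echo to preview the commands.
IPT="${IPT:-iptables}"
TRUSTED_NET="172.16.0.0/16"
HOST_IP="172.16.100.1"

apply_ssh_only_ruleset() {
    # 1. Install the ACCEPT rules BEFORE the policy flips to DROP, otherwise an
    #    administrator connected over SSH locks themselves out.
    "$IPT" -t filter -F INPUT
    "$IPT" -t filter -F OUTPUT
    # Loopback must stay open or local services break.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # New SSH connections only from the trusted network to this host.
    "$IPT" -A INPUT -s "$TRUSTED_NET" -d "$HOST_IP" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies belong to an established connection; nothing else leaves.
    "$IPT" -A OUTPUT -s "$HOST_IP" -d "$TRUSTED_NET" -p tcp --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT
    # Rate-limited LOG of what the default policy is about to drop.
    "$IPT" -A INPUT -m limit --limit 6/minute -j LOG --log-prefix "iptables drop: "
    # 2. Only now close the door.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -P FORWARD DROP
}

# Self-check helpers: run the function with IPT=echo in a subshell and inspect
# the generated commands instead of the live firewall.
preview_ruleset() {
    ( IPT=echo; apply_ssh_only_ruleset )
}
# Number of -A rules that would be appended (expected: 5).
count_append_rules() {
    preview_ruleset | grep -c -- '^-A '
}
# Line number of "-P INPUT DROP" minus that of the SSH ACCEPT rule;
# a positive value means the door is closed only after SSH has been allowed.
policy_after_ssh_accept() {
    accept=$(preview_ruleset | grep -n -- '--dport 22' | head -n 1 | cut -d: -f1)
    policy=$(preview_ruleset | grep -n -- '^-P INPUT DROP' | cut -d: -f1)
    echo $((policy - accept))
}
# As root: . ./this-file && apply_ssh_only_ruleset   (preview_ruleset first)
```

Run preview_ruleset before apply_ssh_only_ruleset and read the generated commands from top to bottom: the ACCEPT for port 22 must appear before any -P ... DROP line.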
------------------------------------------------------------

Module loading
-m state --state {NEW,ESTABLISHED,RELATED,INVALID}

The following extension modules implement additional matching:
connlimit
Limits the number of concurrent connections a specific client can initiate.
For servers such as web or download sites, if a user uses P2P or multithreaded downloads to open dozens of connections at once, this inevitably consumes too many resources; connlimit caps the number of such connections.
[!] --connlimit-above n
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

iprange matches a range of source (or destination) addresses

iptables -A FORWARD -m iprange --src-range 172.16.100.1-172.16.100.100 --dst-range 172.16.0.1-172.16.0.2 -p tcp --dport 80

limit matches at a specified rate using a token-bucket mechanism. It is not used to limit bandwidth, only to match at a rate.
With --limit and --limit-burst it can be used to slow down certain applications.
Token-based mechanism: unused tokens are collected while the rule is idle, up to the burst size.
--limit rate, e.g. 3/minute: matches no more than 3 packets per minute
--limit-burst number

tc is a small tool that is easy to use and can implement real traffic control.

mac matches the source MAC address. Matching the destination MAC address makes no sense across the Internet.
--mac-source [!] address

multiport enables the multi-port mechanism. Up to 15 ports can be given at a time.
--source-ports
--destination-ports
--ports
Example:
iptables -A FORWARD -p tcp -m multiport --destination-ports 80,110 -m iprange --src-range 172.16.0.1-172.16.100.254 -m state --state NEW,ESTABLISHED -j ACCEPT

string matches on a string in the packet payload.
# String matching of Chinese characters is limited, but it matches English letters well, and Pinyin is very useful.
--algo bm|kmp: the algorithm used for matching. You must select one.
BM was developed by Boyer and Moore; KMP by Knuth, Morris and Pratt.
Example: access to QQ.com is denied.
iptables -A FORWARD -m string --string "QQ.com" --algo bm -j REJECT

time specifies a start time and an end time, e.g. to limit Internet access to Monday through Friday.
--timestart hh:mm
--timestop hh:mm
--days listofdays
--datestart date
--datestop date
-m time --timestart hh:mm --timestop hh:mm

LOG records matching packets. limit is mainly used together with LOG.
--log-level
--log-prefix prefix
Adds a prefix to the log lines so the relevant entries are easy to find in /var/log/messages. For example:
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 22 -m limit --limit 6/minute -j LOG --log-prefix "iptables sshd"

# Generally, limit is used to throttle logging, which reduces the pressure on the disk.

Reason for rejection
--reject-with type
The type can be one of:
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited
icmp-admin-prohibited (*)
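As an added example (not from the original page), the script below combines the connlimit, limit, LOG and --reject-with options described above into SSH flood protection, and includes a small helper that summarises the resulting log lines; IPT, SSH_PORT, LOG_PREFIX and the sample log are assumed and constructed here, and the rules assume SSH is otherwise reachable on the INPUT chain.

```shell
#!/bin/sh
# Added example (not from the original page): SSH brute-force and flood
# protection built from the connlimit, limit, LOG and REJECT options above,
# plus a helper that summarises the resulting log lines. Set IPT=echo to
# preview the commands instead of changing the live firewall.
IPT="${IPT:-iptables}"
SSH_PORT=22
LOG_PREFIX="iptables sshd flood: "

apply_ssh_protection() {
    # connlimit: one source address may hold at most 3 SSH connections; the
    # 4th is rejected with an explicit ICMP error so the client fails fast
    # instead of hanging on a silent DROP.
    "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m connlimit --connlimit-above 3 \
        -j REJECT --reject-with icmp-port-unreachable
    # limit: token bucket of 10 tokens refilled at 6 per minute; a SYN that
    # still finds a token is accepted...
    "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
    # ...anything beyond that is logged (rate-limited too, to spare the disk)
    # and then dropped. The prefix makes the lines easy to find in messages.
    "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" \
        -m limit --limit 3/minute -j LOG --log-prefix "$LOG_PREFIX"
    "$IPT" -A INPUT -p tcp --syn --dport "$SSH_PORT" -j DROP
}

# Constructed sample of the kernel log lines the LOG rule produces (not real
# data); field layout follows the kernel's IN=/OUT=/SRC=/DST=/DPT= format.
SAMPLE_LOG='Mar  1 10:00:01 host kernel: iptables sshd flood: IN=eth0 OUT= SRC=203.0.113.5 DST=172.16.100.1 PROTO=TCP DPT=22
Mar  1 10:00:07 host kernel: iptables sshd flood: IN=eth0 OUT= SRC=203.0.113.5 DST=172.16.100.1 PROTO=TCP DPT=22
Mar  1 10:00:09 host kernel: iptables sshd flood: IN=eth0 OUT= SRC=198.51.100.9 DST=172.16.100.1 PROTO=TCP DPT=22
Mar  1 10:00:12 host sshd[1234]: Accepted publickey for admin from 172.16.5.5'

# Prints "count address" per source that tripped the flood rule, busiest first.
flood_sources() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F "$LOG_PREFIX" \
        | sed 's/.*SRC=\([0-9.]*\).*/\1/' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}
# Number of rules the protection function would append (expected: 4).
count_protection_rules() {
    ( IPT=echo; apply_ssh_protection ) | grep -c -- '^-A '
}
```

Against real logs, replace SAMPLE_LOG with the contents of /var/log/messages; the LOG prefix is what makes the grep selective.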
