Examples of iptables


Examples:
# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -j DROP
Packets whose source is in the 172.16.0.0/16 network segment and whose destination is 172.16.100.7 are dropped.

# iptables -L -n
View the rules of the filter table.

# iptables -t nat -L -n
View the rules of the nat table.

# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
Uses the state match extension: packets whose connection state is NEW or ESTABLISHED are allowed into this host.

1. The local IP is 172.16.100.7 and the sshd service listens on TCP port 22. Allow 172.16.0.0/16 to reach the local sshd service:
# iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p tcp --dport 22 -j ACCEPT
# iptables -t filter -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT

2. Change the default policy to DROP and open only the web service:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -I INPUT -d 172.16.100.7 -p tcp --dport 80 -j ACCEPT
# iptables -I OUTPUT -s 172.16.100.7 -p tcp --sport 80 -j ACCEPT

3. Allow ping on the local lo (loopback) interface:
# iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
# iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT

4. Allow this host to ping external hosts (echo request out, echo reply in):
# iptables -A OUTPUT -s 192.168.100.7 -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -d 192.168.100.7 -p icmp --icmp-type 0 -j ACCEPT

5. Allow external hosts to ping this host:
# iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT

6. Assume a DNS service runs on 172.16.100.7; open the corresponding ports for it.

To provide DNS resolution to clients:

# iptables -A INPUT -d 172.16.100.7 -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.7 -p udp --sport 53 -j ACCEPT

To query other DNS servers:
# iptables -A INPUT -d 172.16.100.7 -p udp --sport 53 -j ACCEPT
Accepts the responses of other DNS servers; their source port is 53.
# iptables -A OUTPUT -s 172.16.100.7 -p udp --dport 53 -j ACCEPT
Sends requests to other DNS servers; the destination port is 53.

The same rules for DNS over TCP:
# iptables -A INPUT -d 172.16.100.7 -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 53 -j ACCEPT
# iptables -A INPUT -d 172.16.100.7 -p tcp --sport 53 -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.7 -p tcp --dport 53 -j ACCEPT

7. Save the rules to the default configuration file:
# service iptables save

8. Save to a configuration file of your own and load it again:
# iptables-save > /etc/sysconfig/iptables.test
# iptables-restore < /etc/sysconfig/iptables.test

9. Flush all rules:
# iptables -F

10. Rewrite the sshd and httpd rules using connection state tracking
Only packets in state NEW or ESTABLISHED may enter the host, and only packets in state ESTABLISHED may leave it. All other packets are dropped.

With these rules the server only answers client requests and never makes requests of its own, so it is strictly a passive endpoint; this improves security.

# iptables -A INPUT -d 172.16.100.7 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Packets whose connection state is NEW or ESTABLISHED are allowed into the host.
# iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Only packets in state ESTABLISHED are allowed out of the host; any other state is refused.

# iptables -A INPUT -d 172.16.100.7 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# iptables -P INPUT DROP
Change the default policy.
# iptables -P OUTPUT DROP

11. Temporarily raise the maximum size and the entry timeout of the ip_conntrack table; otherwise connections are refused once there are too many of them.
# sysctl -w net.ipv4.ip_conntrack_max=65536
The default is 32768.
# sysctl -w net.ipv4.ip_conntrack_tcp_timeout_established=86400

12. Make the ip_conntrack values permanent:
# vim /etc/sysctl.conf
net.ipv4.ip_conntrack_max=65536
net.ipv4.ip_conntrack_tcp_timeout_established=86400

13. Allow external hosts to ping this host (stateful version):
# iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT

14. Merge the OUTPUT state-tracking rules:
# iptables -I OUTPUT -s 172.16.100.7 -m state --state ESTABLISHED -j ACCEPT
A single rule accepts every packet with source address 172.16.100.7 whose connection state is ESTABLISHED.
# iptables -D OUTPUT 2
Remove the per-service rules that are now redundant; each deletion renumbers the remaining rules, so rule 2 is deleted three times.
# iptables -D OUTPUT 2
# iptables -D OUTPUT 2
# iptables -L -n --line-numbers

15. Assume an FTP server on 172.16.100.7 and allow it to provide the FTP service:

FTP is generally run in active mode here, that is, ports 20 and 21 are opened; passive mode opens too many ports and the rules cannot be defined well.
Load the ip_conntrack_ftp and ip_nat_ftp modules into the kernel first:
# vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"

# iptables -A INPUT -d 172.16.100.7 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
Allows FTP control packets (port 21) in state NEW or ESTABLISHED with destination address 172.16.100.7 into the host.

# iptables -I OUTPUT -s 172.16.100.7 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Allows packets in state ESTABLISHED or RELATED out of this host; this covers both the control and the data connection.

# iptables -I INPUT -d 172.16.100.7 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Allows FTP packets in state ESTABLISHED or RELATED into the host.


If the FTP accounts are stored in MySQL, loopback traffic must be allowed too, otherwise the FTP server cannot connect to MySQL for account verification.
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

16. Multiport matching
Several rules can be combined with the multiport match, which improves matching efficiency.
The sshd, vsftpd and httpd rules are merged with multiport:

# iptables -F
# iptables -I INPUT -d 172.16.100.7 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -I INPUT 2 -d 172.16.100.7 -p tcp -m multiport --dports 21,22,80 -m state --state NEW -j ACCEPT

# iptables -I OUTPUT -s 172.16.100.7 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
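As an added example (not from the original post), the stateful host rules of items 10 and 16 written as one iptables-restore file generated by a small shell function; loading the whole table atomically makes the rule order explicit and avoids the positional -I/-D juggling of item 14. The host address and TCP port list are parameters, the "iptables drop: " log prefix and the rule_count helper are assumptions of this example, and the lines starting with # are ignored by iptables-restore.

```shell
#!/bin/sh
# host_ruleset HOST "PORT,PORT,..." prints a complete filter table in
# iptables-restore format for a single server: default DROP policies,
# loopback, rate-limited inbound ping, state tracking, one multiport rule
# for the listed TCP services, and a rate-limited LOG line in front of the
# policy drop. Load it with: host_ruleset 172.16.100.7 21,22,80 | iptables-restore
host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed (e.g. vsftpd checking accounts in a local MySQL)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# inbound ping: at most 5 per minute (burst 5); the DROP right after it must
# sit ABOVE the ESTABLISHED rule, otherwise tracked pings bypass the limit
-A INPUT -d $1 -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
-A INPUT -d $1 -p icmp --icmp-type 8 -j DROP
# replies to tracked connections come next: they are the bulk of the traffic,
# and RELATED covers the FTP data connection recognised by ip_conntrack_ftp
-A INPUT -d $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections only to the listed service ports, matched by one rule
-A INPUT -d $1 -p tcp -m multiport --dports $2 -m state --state NEW -j ACCEPT
# the host itself may only open DNS queries and outbound pings
-A OUTPUT -s $1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -s $1 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# log (rate-limited) what the INPUT policy is about to drop; the trailing
# space matters, LOG prints the prefix directly in front of "IN="
-A INPUT -m limit --limit 1/second -j LOG --log-prefix "iptables drop: "
COMMIT
EOF
}

# rule_count CHAIN counts the rules of one chain in a ruleset read on stdin,
# a quick sanity check before loading.
rule_count() {
    grep -c "^-A $1 "
}

# Example: a server at 172.16.100.7 running vsftpd, sshd and httpd.
host_ruleset 172.16.100.7 21,22,80
```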


17. Negating a match condition
# iptables -A INPUT ! -d 172.16.100.7 -j ACCEPT
Accepts packets whose destination address is not 172.16.100.7.

18. Specify an IP range:
# iptables -A INPUT -p tcp -m iprange --src-range 172.16.100.3-172.16.100.10 -j ACCEPT

19. Limit the number of TCP connections to the server to 5 (connlimit counts per source address by default):
# iptables -A INPUT -p tcp -d 172.16.100.7 --dport 80 -m connlimit ! --connlimit-above 5 -j ACCEPT
or
# iptables -A INPUT -p tcp -d 172.16.100.7 --dport 80 -m connlimit --connlimit-above 5 -j REJECT

20. Limit the rate of ping requests:
# iptables -A OUTPUT -s 172.16.100.7 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -I INPUT -p icmp --icmp-type 8 -d 172.16.100.7 -m limit --limit 5/minute [--limit-burst 5] -j ACCEPT
Limits the ping requests entering the host to 5 per minute, with at most 5 accepted in one burst. --limit-burst may be omitted; its default is 5.

21. Restricting user access by matching a string
# iptables -I OUTPUT -s 172.16.100.7 -m string --algo kmp --string "test" -j REJECT
Response packets that contain the string "test" are rejected.

22. Custom logging
A LOG rule must be placed above the rule it corresponds to, otherwise it will not see the same packets.

Example: log the pings from external hosts that are allowed in


# iptables -I INPUT -d 172.16.100.7 -p icmp -j LOG --log-prefix "Ping log"

# iptables -I INPUT 4 -d 172.16.100.7 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT


# cat /var/log/messages | grep "Ping log"
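An added example, not from the original post: a shell function that summarises the lines the LOG rule above writes to /var/log/messages, counting echo requests per source address and flagging sources above a threshold. The log lines are constructed here in the format of the kernel's LOG target, and the prefix is assumed to have been set as "Ping log: " with a trailing space, because LOG prints the prefix directly in front of IN=.

```shell
#!/bin/sh
# ping_sources THRESHOLD reads syslog lines on stdin, keeps only the ICMP
# echo requests (TYPE=8) logged with the "Ping log" prefix, counts them per
# SRC= address and marks every source with more than THRESHOLD requests.
# Output: one "<source> <count>[ ABOVE-THRESHOLD]" line per source, sorted.
ping_sources() {
    awk -v thr="$1" '
        /Ping log/ && /PROTO=ICMP/ {
            # the LOG target writes KEY=VALUE fields; pick SRC= and TYPE=
            src = "unknown"; echo_req = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i == "TYPE=8") echo_req = 1
            }
            if (echo_req) hits[src]++
        }
        END {
            for (s in hits)
                printf "%s %d%s\n", s, hits[s], (hits[s] > thr ? " ABOVE-THRESHOLD" : "")
        }' | sort
}

# Constructed sample in the format the kernel LOG target produces (MAC field
# shortened); not a real capture. The last two lines must be ignored: an echo
# reply (TYPE=0) and an unrelated sshd message.
SAMPLE_LOG='Jun  1 10:00:01 host kernel: Ping log: IN=eth0 OUT= MAC=00:0c:29:11:22:33 SRC=172.16.100.3 DST=172.16.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jun  1 10:00:02 host kernel: Ping log: IN=eth0 OUT= MAC=00:0c:29:11:22:33 SRC=172.16.100.3 DST=172.16.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Jun  1 10:00:03 host kernel: Ping log: IN=eth0 OUT= MAC=00:0c:29:11:22:33 SRC=172.16.100.3 DST=172.16.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=3
Jun  1 10:00:04 host kernel: Ping log: IN=eth0 OUT= MAC=00:0c:29:44:55:66 SRC=172.16.100.9 DST=172.16.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jun  1 10:00:04 host kernel: Ping log: IN=eth0 OUT= MAC=00:0c:29:44:55:66 SRC=172.16.100.9 DST=172.16.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=ICMP TYPE=0 CODE=0 ID=9 SEQ=1
Jun  1 10:00:05 host sshd[2210]: Accepted publickey for admin from 172.16.100.3 port 50122 ssh2'

# Usage: flag any source that sent more than 2 echo requests.
printf '%s\n' "$SAMPLE_LOG" | ping_sources 2
# → 172.16.100.3 3 ABOVE-THRESHOLD
# → 172.16.100.9 1
```

On a live host the same function runs as `ping_sources 100 < /var/log/messages`.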



23. Using a custom chain
The custom chain is named test. It is placed at the top of the INPUT chain; after the call completes, RETURN continues matching in the calling chain.
# iptables -N test
Create the custom chain test.
# iptables -A test -d 255.255.255.255 -p icmp -j DROP
Add a rule.
# iptables -A test -d 172.16.100.7 -j RETURN
At the end, jump back to the main chain.

# iptables -I INPUT 1 -j test
Call the test chain.

24. Preventing DoS attacks

Use the recent extension to control the number of connections. The sshd service is used as the example.

# iptables -I INPUT 2 -d 172.16.100.7 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
TCP packets to port 22 of 172.16.100.7 are dropped once a source has more than 3 concurrent TCP connections.
# iptables -I INPUT 3 -d 172.16.100.7 -p tcp --dport 22 -m recent --set --name sshconn -m state --state NEW
For NEW TCP connections to port 22 of 172.16.100.7, maintain a list named sshconn and record the source IP address of each new connection in it.
# iptables -I INPUT 4 -d 172.16.100.7 -p tcp --dport 22 -m recent --update --seconds 300 --hitcount 3 --name sshconn -j DROP
For TCP packets to port 22 of 172.16.100.7, drop the packet when its source address in the sshconn list has reached 3 new connections within 300 seconds. That is, each IP address is allowed only 2 connections to the sshd service; the 3rd connection request is refused.

25. Enable IP forwarding
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p


26. Source address translation.

Assume the gateway has 2 network cards: enoin0 has IP 192.168.10.1 and enoout0 has 123.123.0.1; the intranet is 192.168.10.0/24. The extranet server IP is 123.123.0.5 and the intranet host IP is 192.168.10.2.

192.168.10.2 is now allowed to access 123.123.0.5.

# iptables -t nat -A POSTROUTING -o enoout0 -s 192.168.10.0/24 -j SNAT --to-source 123.123.0.1

Suppose the gateway has several external network cards, enoout0 to enoout3, with IP addresses 123.123.0.1 to 123.123.0.4. Translating to a range of source addresses needs supporting equipment such as a load balancer to work properly, because the interface a packet leaves through and the interface its reply returns on are not necessarily the same.

# iptables -t nat -A POSTROUTING -o enoout+ -s 192.168.10.0/24 -j SNAT --to-source 123.123.0.1-123.123.0.4
(enoout+ matches every interface whose name starts with enoout.)


27. Stop the intranet hosts from pinging through the gateway, and open the httpd service at the same time.
For a gateway, the ICMP packets are forwarded; no other tables are involved.

# iptables -A FORWARD -s 192.168.10.0/24 -p icmp -j REJECT
# iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# iptables -A FORWARD -m state --state NEW -s 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT

28. Allow the intranet to ping through the gateway.
# iptables -A FORWARD -s 192.168.10.0/24 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

29. Allow access to FTP; load the corresponding kernel module (ip_nat_ftp) in advance
# iptables -A FORWARD -s 192.168.10.0/24 -p tcp --dport 21 -m state --state NEW -j ACCEPT
# iptables -R FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

30. Destination address translation.

The gateway has 2 network cards: enoin0 has IP 192.168.10.1 and enoout0 has 123.123.0.1; the intranet is 192.168.10.0/24. The extranet client IP is 123.123.0.5; the intranet server IP is 192.168.10.2 and its port is 80.

Extranet clients are now allowed to access the intranet server.

# iptables -t nat -A PREROUTING -d 123.123.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2

31. Port translation.

Continuing the previous question: the httpd on 192.168.10.2 listens on port 8080.
# iptables -t nat -R PREROUTING 1 -d 123.123.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:8080
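An added example, not from the original post, that ties items 25 to 31 together: the gateway's nat and filter tables as one iptables-restore file generated by a shell function, plus a check that the two tables agree. Interface and addresses are the ones assumed in the items above (enoout0, 123.123.0.1, 192.168.10.0/24, 192.168.10.2 port 8080); the "fwd drop: " log prefix and the dnat_forward_consistent helper are assumptions of this example.

```shell
#!/bin/sh
# gateway_ruleset EXT_IF EXT_IP LAN DMZ_HOST DMZ_PORT prints nat + filter
# tables in iptables-restore format for a small NAT gateway: SNAT the LAN
# to EXT_IP on the way out, DNAT EXT_IP:80 to DMZ_HOST:DMZ_PORT, and a
# FORWARD chain that passes tracked traffic, lets the LAN open http/ftp/ping
# and lets the Internet reach only the published port. Needs
# net.ipv4.ip_forward=1 and ip_nat_ftp/ip_conntrack_ftp for FTP data.
gateway_ruleset() {
    ext_if=$1 ext_ip=$2 lan=$3 dmz=$4 dmz_port=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $ext_ip -p tcp --dport 80 -j DNAT --to-destination $dmz:$dmz_port
-A POSTROUTING -o $ext_if -s $lan -j SNAT --to-source $ext_ip
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies and RELATED (FTP data) connections in both directions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet: web, ftp control and ping only
-A FORWARD -s $lan -p tcp -m multiport --dports 21,80 -m state --state NEW -j ACCEPT
-A FORWARD -s $lan -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Internet -> published server: PREROUTING nat runs before FORWARD, so the
# filter sees the translated destination; match $dmz:$dmz_port, not $ext_ip:80
-A FORWARD -d $dmz -p tcp --dport $dmz_port -m state --state NEW -j ACCEPT
# rate-limited log of what the FORWARD policy drops
-A FORWARD -m limit --limit 1/second -j LOG --log-prefix "fwd drop: "
COMMIT
EOF
}

# dnat_forward_consistent reads a ruleset on stdin and succeeds only if the
# FORWARD rule opens exactly the host:port that PREROUTING translates to.
dnat_forward_consistent() {
    awk '
        /^-A PREROUTING/ { for (i = 1; i <= NF; i++) if ($i == "--to-destination") want = $(i + 1) }
        /^-A FORWARD -d/ { host = $4; for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1) }
        END { exit (want == (host ":" port)) ? 0 : 1 }'
}

gateway_ruleset enoout0 123.123.0.1 192.168.10.0/24 192.168.10.2 8080
```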

32. Continuing the previous question: use string matching on the gateway to drop packets that contain the string test.
# iptables -A FORWARD -m string --algo kmp --string "test" -j DROP

33. Assume 192.168.10.2 is an intranet host and 123.123.0.1 is the extranet gateway.

Use the layer7 extension to block QQ from 8:00 to 12:00
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 123.123.0.1
# iptables -A FORWARD -s 192.168.10.0/24 -m layer7 --l7proto qq -m time --timestart 08:00 --timestop 12:00 -j REJECT

This article comes from the blog "Small Private Blog"; please keep this source: http://ggvylf.blog.51cto.com/784661/1663826
