To see the difference between an explicit extension and an implicit extension, first analyze the following two rules:
Rule 1: iptables -t filter -A INPUT -s 192.168.1.0/24 -d 172.16.100.1 -p udp --dport 53 -j DROP
Rule 2: iptables -t filter -A INPUT -s 192.168.1.0/24 -d 172.16.100.1 -p udp -m udp --dport 53 -j DROP
Compared with rule 1, rule 2 uses the -m option to load the udp match extension explicitly before matching on destination port 53.
Implicit extensions need no -m option; they are loaded by -p. For TCP you can match on the TCP flag bits and on the source and destination ports; for UDP on the source and destination ports; and for ICMP on the message type, such as echo-request or echo-reply.
Here are some common explicit extensions:
Explicit extension one, state: connection state
-m state --state {NEW|ESTABLISHED|RELATED|INVALID}
As mentioned in the first blog post, packet-filtering firewalls can be divided into stateful (connection-tracking) firewalls and simple (stateless) packet filters.
Next, we use iptables to implement stateful packet filtering.
The following four states describe a TCP connection:
1. NEW
The first packet of the TCP three-way handshake, i.e. a new connection request.
iptables -A OUTPUT -o eth0 -m state --state NEW -j DROP
In this rule, -m state loads the connection-state match extension, --state NEW matches the first handshake packet of a TCP connection, and the rule as a whole refuses to let any new TCP connection leave through the eth0 interface.
2. ESTABLISHED
From the second handshake packet onward, until the connection is closed.
3. RELATED
Associated state: a new connection related to an existing one, which solves the problem of multi-connection protocols such as FTP, where the data connection is related to the control connection.
4. INVALID
Unrecognized state: a packet that cannot be associated with any known connection.
Application Case:
Combining the two states NEW and ESTABLISHED, the following rules are implemented:
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow new SSH requests from outside to the host
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow new web connections from outside to the host
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow the host to send SSH packets out only within an established connection
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow the host to send web packets out only within an established connection
iptables -P INPUT DROP
Reject all other incoming packets
iptables -P OUTPUT DROP
Reject all other outgoing packets
These rules suit a web server: clients may only open SSH and web connections to the server, and the server cannot actively initiate any connection, which prevents a compromised server from being used as a springboard by attackers.
Explicit extension two, multiport: multi-port matching
-m {mport|multiport} (mport is the older name; current iptables ships this extension as multiport)
--source-ports
--destination-ports
--ports
This extension can match a set of non-contiguous ports. The case above is rewritten with it to illustrate its role (multiport requires -p tcp or -p udp):
iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --destination-ports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.1 -p tcp -m multiport --source-ports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Several ports can be given at once, separated by commas.
Explicit extension three, iprange: IP-range matching
-m iprange
--src-range
--dst-range
Here is a simple example. Because rules are matched in order, a DROP like this must be placed ahead of the ACCEPT rules above (for example with -I INPUT 1 instead of -A INPUT), otherwise the earlier multiport rule accepts the traffic first:
iptables -A INPUT -d 192.168.1.1 -m iprange --src-range 192.168.0.1-192.168.0.100 -p tcp --dport 80 -j DROP
Deny the addresses 192.168.0.1-192.168.0.100 access to the web service (port 80) on 192.168.1.1
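The web-server ruleset above (state plus multiport) and the iprange block, combined into one dry-run script as an added example that is not part of the original post. IPT defaults to echoing the commands so the rule order can be inspected without root; the host address, port list and blocked range are taken from the post.

```shell
#!/bin/sh
# Added example: builds the stateful web-server ruleset as a function.
# IPT defaults to a dry run that prints the commands; run with
# IPT=iptables as root to apply them. Values below are from the post.
HOST=192.168.1.1
PORTS=22,80,443
BLOCKED_RANGE=192.168.0.1-192.168.0.100

IPT="${IPT:-echo iptables}"

build_ruleset() {
    # Default policies: anything not explicitly allowed is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # Order matters: this DROP must precede the ACCEPT rule, otherwise the
    # multiport rule below accepts the NEW packet before this one is reached.
    $IPT -A INPUT -d "$HOST" -p tcp -m iprange --src-range "$BLOCKED_RANGE" --dport 80 -j DROP
    # Clients may open SSH and web connections; multiport replaces three rules.
    $IPT -A INPUT -d "$HOST" -p tcp -m multiport --destination-ports "$PORTS" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies only: the server may answer but never initiate a connection.
    $IPT -A OUTPUT -s "$HOST" -p tcp -m multiport --source-ports "$PORTS" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Sanity check on the generated ruleset: counts OUTPUT rules whose state
# match includes NEW. Any non-zero result means the server could initiate
# outbound connections, defeating the "no springboard" goal.
count_outbound_new() {
    build_ruleset | awk '/-A OUTPUT/ && /NEW/ { n++ } END { print n + 0 }'
}

build_ruleset
```

On current kernels the same states are also available as -m conntrack --ctstate; the script is about rule order and policy, so review the dry-run output before applying it with IPT=iptables.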