Firewall Management command for Linux: iptables

Source: Internet
Author: User

Four tables, five chains. Tables: filter, nat, mangle, raw. Chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING.

------------------------------

Note: There are multiple chains in a table, and one or more rules can be in one chain.


When a packet arrives at a chain, the system checks the rules from the first one onward. If a rule matches, that rule decides what happens to the packet; if it does not, the next rule is checked. If the packet matches none of the rules in the chain, the system handles it according to the chain's default policy.


Use of the iptables command:

iptables [-t TABLE] COMMAND CHAIN [matching criteria] -j TARGET

-t: filter, nat, mangle, raw

Commands for managing chains:
-F [CHAIN]: flush the rules of the specified chain; if CHAIN is omitted, all chains of the table are flushed
-P CHAIN TARGET: set the default policy of the specified chain
-N CHAIN: create a new, empty user-defined chain
-X [CHAIN]: delete an empty user-defined chain
-Z [CHAIN]: zero the counters of all rules in the specified chain
-E OLD NEW: rename a user-defined chain

Commands for managing rules:
-A CHAIN: append a rule to the end of the chain
-I CHAIN [num]: insert a rule at position num of the chain
-D CHAIN num: delete rule number num from the specified chain
-R CHAIN num: replace rule number num in the specified chain

Viewing commands:
-L [CHAIN]: list the rules of the specified table
-n: show host addresses and port numbers numerically
-v: show details of chains and rules
-vv: show even more detail about chains and rules
-x: show the exact values of the counters
--line-numbers: show the sequence number of each rule (equivalent to --line)


Chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

Matching Criteria:

Generic match:

-o INTERFACE: the interface the packet leaves through
-i INTERFACE: the interface the packet arrives on
-s, --src: source address
-d, --dst: destination address
-p {tcp|udp|icmp}: protocol

Implied extensions:

-p tcp
--sport PORT: source port
--dport PORT: destination port
--tcp-flags MASK COMP: check only the flag bits listed in MASK (a comma-separated list of flags); the flags listed in COMP must be set (1) and every other flag in MASK must be clear (0)
e.g. --tcp-flags SYN,FIN,ACK,RST SYN is equivalent to --syn
-p icmp
--icmp-type [num]: 0 is echo-reply (response message), 8 is echo-request (request message)
-p udp
--sport PORT: source port
--dport PORT: destination port
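The --tcp-flags MASK COMP rule above can be reasoned about without a kernel. The following is an added example, not code from the original post: it re-implements the check in POSIX shell by mapping the flag names to the TCP header bits; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: model of how iptables evaluates
# "--tcp-flags MASK COMP". Only the bits named in MASK are examined; of those,
# the bits named in COMP must be set and the rest must be clear. Bits outside
# MASK are ignored entirely. Function names are this example's own.

# flag_bits "SYN,ACK" -> bitmask of the named TCP flags (header bit order).
flag_bits() {
    total=0
    for f in $(printf '%s' "$1" | tr ',' ' ' | tr 'a-z' 'A-Z'); do
        case "$f" in
            FIN) total=$((total | 1)) ;;
            SYN) total=$((total | 2)) ;;
            RST) total=$((total | 4)) ;;
            PSH) total=$((total | 8)) ;;
            ACK) total=$((total | 16)) ;;
            URG) total=$((total | 32)) ;;
            ALL) total=$((total | 63)) ;;   # every flag (iptables keyword)
            NONE) ;;                        # no flags (iptables keyword)
            *) echo "unknown TCP flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$total"
}

# tcp_flags_match MASK COMP PACKET_FLAGS -> exit 0 if the rule would match
# a packet carrying PACKET_FLAGS, 1 if not, 2 on a bad flag name.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    comp=$(flag_bits "$2") || return 2
    pkt=$(flag_bits "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# Demo: the page's example "--tcp-flags SYN,FIN,ACK,RST SYN" (same as --syn)
# against a fresh connection request, a SYN/ACK reply and a SYN with PSH set.
for flags in SYN SYN,ACK SYN,PSH; do
    if tcp_flags_match SYN,FIN,ACK,RST SYN "$flags"; then
        echo "packet [$flags]: matches --syn"
    else
        echo "packet [$flags]: does not match --syn"
    fi
done
```

The third packet matches because PSH is outside the mask and therefore ignored, which is exactly why --syn only identifies connection requests and not every packet with SYN set.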

Show Extensions:

-m state --state STATE: tracks the state of a session together with the ip_conntrack module. NEW: connection request; ESTABLISHED: established connection; INVALID: illegal connection; RELATED: associated connection, introduced specifically for FTP.

Exercise: 192.168.137.11 acts as a server; only incoming new requests are allowed, and TCP/22 (and 80) may not send new requests outward.

First change the default policies of iptables to DROP:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -d 192.168.137.11 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.137.11 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -d 192.168.137.11 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.137.11 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

-m multiport: multi-port matching extension
--source-ports: list of source ports
--destination-ports: list of destination ports
--ports: list of ports matched as either source or destination

Exercise: open ports 22, 80 and 21 on the server 192.168.137.11 with a single rule

iptables -A INPUT -d 192.168.137.11 -p tcp -m multiport --dports 22,21,80 -j ACCEPT

-m iprange: address range matching extension
--src-range IP-IP: source address range
--dst-range IP-IP: destination address range

Exercise: allow the IP range 172.16.100.3-172.168.100.100 to reach all services on the server 192.168.137.11

iptables -A INPUT -m iprange --src-range 172.16.100.3-172.168.100.100 -j ACCEPT

-m connlimit --connlimit-above N: limit the number of concurrent connections; a client with fewer than N connections can get through
-m limit --limit RATE (e.g. 5/min) --limit-burst N: rate limiting; N is how many packets may pass at first before the rate limit takes effect
-m string --algo {kmp|bm} --string "STRING": match a string in the packet

Processing methods (-j TARGET):

-j ACCEPT: allow
-j DROP: discard
-j REJECT: deny
-j DNAT: destination address translation
-j SNAT: source address translation
-j LOG --log-prefix "STRING": log the packet, adding the given prefix
-j MARK: set a mark on the packet
-j RETURN: return to the calling chain



---------------------------------

cat /proc/net/ip_conntrack: IP connection tracking information
iptstate: iptables state information; -t displays totals for all connections
State meanings: NEW: connection request; ESTABLISHED: established connection; INVALID: illegal connection; RELATED: associated connection, introduced specifically for FTP.


It is not recommended to use this module on busy servers.

Loading the ip_conntrack module:

service iptables stop
modprobe ip_conntrack (reload the kernel module; it can work on its own)
cat /proc/net/ip_conntrack
cat /proc/sys/net/ipv4/ip_conntrack_max: the maximum number of tracking entries; it may be necessary to raise this maximum, but on a very busy server it is not recommended to start this module at all.

Unloading the ip_conntrack module:

modprobe -r ip_conntrack
Note: iptables -t nat -L automatically loads ip_conntrack, so when the module has been turned off on a working machine, use that command with caution.



-----------------------------------------

Rules entered on the command line must be saved, or they are lost:

First method: service iptables save --> default location /etc/sysconfig/iptables; these rules are loaded into iptables automatically after boot.
Second method: iptables-save > /etc/sysconfig/iptables-20150326 and iptables-restore < /etc/sysconfig/iptables-20150326; rules saved this way are not loaded automatically after boot and must be loaded manually, so this is generally used for backup and recovery.
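The stateful server exercise above (192.168.137.11, DROP by default, ACCEPT on 22 and 80) and the save/restore procedure fit together: the following added example, not code from the original post, generates that rule set in iptables-restore format so it can be reviewed and loaded with iptables-restore instead of typed rule by rule, and can optionally include the outbound-ping rules from the later practice section. The function names, the ALLOW_PING_OUT variable and the use of iptables-restore --test are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the stateful server policy
# from the exercise (DROP by default, NEW+ESTABLISHED in, ESTABLISHED out) as
# an iptables-restore file. The address 192.168.137.11 and the ports come from
# the page; function names and ALLOW_PING_OUT are this example's own.
# Usage: server_ruleset SERVER_IP PORT [PORT...] > /etc/sysconfig/iptables

server_ruleset() {
    srv=$1; shift
    echo '*filter'
    # Default policy DROP on all three built-in chains, as the exercise requires.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    for port in "$@"; do
        # Inbound: new requests to the service port and the rest of that session.
        echo "-A INPUT -d $srv -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        # Outbound: only packets of an already established session; the server
        # never initiates (NEW) from this port.
        echo "-A OUTPUT -s $srv -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT"
    done
    if [ "${ALLOW_PING_OUT:-0}" = 1 ]; then
        # "You can ping others, others can't ping you": echo-request (8) out,
        # echo-reply (0) back in, as in the ping section of the practice.
        echo "-A OUTPUT -s $srv -p icmp --icmp-type 8 -j ACCEPT"
        echo "-A INPUT -d $srv -p icmp --icmp-type 0 -j ACCEPT"
    fi
    echo 'COMMIT'
}

# Syntax-check a generated file without loading it (needs root and iptables):
# iptables-restore --test parses and builds the rule set but does not commit it.
ruleset_check() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not found; skipping check" >&2
        return 0
    fi
}

# Demo: the two-port server from the exercise.
server_ruleset 192.168.137.11 22 80
```

Because the file is loaded atomically by iptables-restore, a mistake in one line leaves the running rule set untouched rather than half-applied, which is the practical reason to prefer it over a sequence of iptables -A commands.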


------------------------------------------------------------

Practice:

Change the default policies of iptables on 192.168.137.10 to DROP

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -L -n

Test whether services such as SSH, ping and HTTP still work:

ssh -p 22 192.168.137.10
ping 192.168.137.11
http://192.168.137.11:80

Open the SSH (22) service:

iptables -t filter -A INPUT -s 192.168.137.0/24 -d 192.168.137.10 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -s 192.168.137.10 -d 192.168.137.0/24 -p tcp --sport 22 -j ACCEPT

Test the SSH service:

ssh -p 22 192.168.137.10


Open the HTTP service:

iptables -t filter -A INPUT -d 192.168.137.10 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -s 192.168.137.10 -p tcp --sport 80 -j ACCEPT

Test the HTTP service: http://192.168.137.10:80

Enable ping:

You can ping others, but others cannot ping you:

When this host pings another host, the outgoing packet to the other host is an echo-request (type 8), and what the other host returns is an echo-reply (type 0).

iptables -t filter -A OUTPUT -s 192.168.137.10 -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -A INPUT -d 192.168.137.10 -p icmp --icmp-type 0 -j ACCEPT

Test the ping function: ping 192.168.137.10 and ping 192.168.137.11


Others can ping you:

When another host pings you, it sends a request to this host, so what comes in is an echo-request (type 8); this host answers the requesting host, so what goes out is an echo-reply (type 0).

iptables -t filter -A INPUT -d 192.168.137.10 -p icmp --icmp-type 8 -j ACCEPT
iptables -t filter -A OUTPUT -s 192.168.137.10 -p icmp --icmp-type 0 -j ACCEPT




This article is from the "Tiandaochouqin" blog, make sure to keep this source http://luzhi1024.blog.51cto.com/8845546/1650741

