For more information about firewall settings in Linux-Linux Enterprise applications-Linux server applications, see the following. By: nest of xwg999
Iptables is a tool, also known as Userspace ). It makes it easy to insert, modify, and remove rules from the information packet filtering table.
Install Iptables
You are familiar with the installation of Iptables. The following is a command:
# Bzip2-d iptables-1.2.6a.tar.bz2
# Tar-xvf iptables-1.2.6a.tar
# Cd iptables-1.2.6a
# Make KERNEL_DIR =/usr/src/linux/
# Make install KERNEL_DIR =/usr/src/linux/
Match
The optional match part of the iptables command specifies the characteristics (such as source and destination addresses, and protocols) that the information package and rule match should have ). Here we will study generic matching for information packages that use any protocol. Below are some important and commonly used general-purpose matching examples and descriptions:
-P or -- protocol this generic protocol match is used to check certain protocols. The Protocol examples include the combination list of TCP, UDP, ICMP, and any of the three protocols separated by commas (,) and ALL. ALL is the default match for ALL protocols. Users can use it! Symbol indicates that it does not match this item. Example:
In the preceding example, both commands run the same task. They specify that all TCP and UDP information packages will match the rule. By specifying! ICMP. You can allow the TCP and UDP protocols and exclude ICMP.
-S or -- source: This source match is used to match the source IP addresses of the information package. This match can be used to match IP addresses in a certain range! Symbol indicates that it does not match this item. The default source match matches all IP addresses. Example:
The first command specifies that the rule matches all information packets from the IP address range 192.168.0.0 to 192.168.0.24. The second command specifies that this rule will match any information package except the source address 203.16.1.89.
-D or -- destination: This destination match is used to match the destination IP addresses of the information package. This match can be used to match IP addresses in a certain range! Symbol, indicating that it does not match this item. Example:
The target is the operation specified by the rule. The following are common objectives, examples, and descriptions:
When the ACCEPT information package exactly matches the rule with an ACCEPT target, it will be accepted (allow it to go to the destination), and it will stop the traversal chain s. The target is specified as-j ACCEPT.
When the information package exactly matches the rule with the DROP target, the information package will be blocked and will not be further processed. The target is specified as-j DROP.
REJECT the target works in the same way as the DROP target, but it is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and client. In addition, the REJECT sends the error message back to the sender of the information package. The target is specified as-j REJECT. Example:
# Iptables-a forward-p TCP -- dport 22-<REJECT>
RETURN: Set RETURN in the rule to stop traversing the chain containing the rule with the information packet matching the rule. If a chain is a main chain such as INPUT, use the Default policy of the chain to process information packets. It is specified as-jump RETURN. Example:
# Iptables-a forward-d 203.16.1.89-jump RETURN
With the above foundation, you can use the corresponding Iptables rule chain to protect your computer.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
