Iptables rules and chains

Source: Internet
Author: User
Rules control packet filtering by telling the firewall what to do with a packet that comes from a given source, goes to a given destination, or carries a given protocol. Rules are created with the iptables command supplied by the Netfilter/iptables framework and are added to a chain in one of the packet-filtering tables that live in kernel space. The command must be run as root. The general syntax for adding, deleting and editing rules is:

$ iptables [-t table] command [match] [target]

Table)
The [-t table] option selects a table other than the default. A table is a packet-filtering table containing rules and chains that handle one particular kind of processing. Three tables are covered here: filter, nat and mangle (newer kernels also provide the raw and security tables). The option is not required; if it is omitted, the filter table is used.

The filter table is used for filtering packets and contains the INPUT, OUTPUT and FORWARD chains. The nat table is used for network address translation (rewriting source or destination addresses and ports) and contains the PREROUTING, OUTPUT and POSTROUTING chains (recent kernels add INPUT). The mangle table is used when a packet or its headers must be altered, for example to mark packets for advanced routing; it originally contained only the PREROUTING and OUTPUT chains, and on current kernels contains all five.

Note: The PREROUTING chain holds rules applied to a packet as soon as it arrives at the firewall, before the routing decision, and the POSTROUTING chain holds rules applied to a packet after routing, just before it leaves the firewall. Chain names are case-sensitive; the built-in chains are written in upper case.
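The traversal order described above becomes concrete in a small NAT gateway. The following script is an added example, not code from the original article; the interface names, networks and the DNAT port are assumptions, and it needs the iptables binary and root privileges to apply (pass --dry-run to print the commands instead):

```shell
#!/bin/sh
# Added example (not from the original article): a NAT gateway showing which table and chain
# each step of a forwarded packet's journey belongs to.
# Set IPT="echo iptables" (or pass --dry-run) to print the commands instead of applying them.
IPT="${IPT:-iptables}"
WAN_IF="eth0"            # assumed: interface facing the Internet
LAN_IF="eth1"            # assumed: interface facing the internal network
LAN_NET="10.0.0.0/24"    # assumed: internal network
WEB_HOST="10.0.0.10"     # assumed: internal web server, reachable from outside on port 8080

nat_gateway() {
    # nat/PREROUTING runs before the routing decision: the destination is rewritten here so the
    # kernel then routes the packet towards the internal host instead of delivering it locally.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8080 \
         -j DNAT --to-destination "$WEB_HOST:80"

    # nat/POSTROUTING runs after routing, just before the packet leaves: outbound LAN traffic gets
    # the gateway's own address as source (MASQUERADE uses the address of the outgoing interface).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # The nat table sees only the first packet of each connection; every forwarded packet still
    # passes through filter/FORWARD, so the DNAT'ed traffic must be accepted there or it is dropped.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_HOST" --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT

    # mangle/PREROUTING: mark HTTPS from the LAN for policy routing ("ip rule add fwmark 1 ...").
    # The mark is kernel metadata attached to the packet; the bytes on the wire are unchanged.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j MARK --set-mark 1
}

# Print the command list without touching the kernel (for review, and used by the test).
print_nat_gateway() {
    ( IPT="echo iptables"; nat_gateway )
}

case "${1:-}" in
    --apply)   nat_gateway ;;      # also requires: sysctl -w net.ipv4.ip_forward=1
    --dry-run) print_nat_gateway ;;
esac
```

Run it as root with --apply on the gateway (after enabling net.ipv4.ip_forward); --dry-run prints the exact iptables invocations, which is also a convenient way to review a ruleset before it goes live. DNAT is only valid in the nat table's PREROUTING and OUTPUT chains and MASQUERADE only in POSTROUTING, which is why each rule names its table explicitly.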

Command)
The mandatory command part is the most important part of an iptables invocation. It tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule. The most common commands are:

-A or --append: Appends a rule to the end of the chain.
Example:
$ iptables -A INPUT -s 205.168.0.1 -j ACCEPT

This command appends a rule to the end of the INPUT chain stating that packets from the source address 205.168.0.1 are accepted.

-D or --delete: Deletes a rule from a chain. The rule is identified either by repeating its specification exactly or by giving its position number in the chain. The following example shows both methods.
Example:
$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3

The first command deletes the rule in the INPUT chain that drops TCP packets to port 80 (the specification must match the existing rule exactly, including -p tcp, which --dport requires). The second command deletes rule number 3 from the OUTPUT chain; iptables -L --line-numbers shows the numbers.

-P or --policy: Sets the default target of a chain, that is, its policy. A packet that matches no rule in the chain is handled according to the policy. Policies can only be set on built-in chains; a packet that falls off the end of a user-defined chain returns to the chain that called it.
Example:
$ iptables -P INPUT DROP

This command sets the default target of the INPUT chain to DROP, so every packet that matches no rule in the INPUT chain is discarded.

-N or --new-chain: Creates a new user-defined chain with the given name.
Example:
$ iptables -N allowed-chain

-F or --flush: If a chain name is given, deletes all rules in that chain; otherwise deletes all rules in all chains of the table. This is used for quickly clearing a table. Note that it does not reset chain policies (-P) or delete user-defined chains (-X), so after a plain -F a firewall whose INPUT policy is DROP blocks everything, loopback included.
Example:
$ iptables -F FORWARD
$ iptables -F

-L or --list: Lists all rules in the given chain, or in every chain of the table if no chain is given. Adding -n avoids reverse DNS lookups on the listed addresses, -v shows packet counters and interfaces, and --line-numbers prints the positions used by -D.
Example:
$ iptables -L allowed-chain

Match)
The optional match part of an iptables command specifies the properties (source and destination address, protocol, and so on) a packet must have to match the rule. There are two kinds of match: generic matches and protocol-specific matches. This section covers the generic matches, which apply to packets of any protocol. The most important and commonly used generic matches are:

-p or --protocol: Matches packets of a given protocol. The value is a single protocol name or number from /etc/protocols, such as tcp, udp, icmp or all (all protocols); all is the default. A comma-separated list of protocols is not accepted, so one rule is needed per protocol. Prefixing the option with ! negates the match.
Example:
$ iptables -A INPUT -p tcp
$ iptables -A INPUT -p udp
$ iptables -A INPUT ! -p icmp

The first two rules match all TCP and all UDP packets respectively. The third, with ! -p icmp, matches every protocol except ICMP (on a typical host mostly TCP and UDP, but also any other IP protocol). The older form -p ! icmp is deprecated. None of these rules names a target, so they only count matching packets and let them continue down the chain.

-s or --source: Matches the source IP address of the packet. A network in CIDR notation (address/prefix length) matches a range of addresses, and a leading ! negates the match. By default the source match accepts any address.
Example:
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT ! -s 203.16.1.89

The second command matches packets from any address in 192.168.0.0/24, that is, 192.168.0.0 through 192.168.0.255. The third command matches every packet except those with source address 203.16.1.89.

-d or --destination: Matches the destination IP address of the packet. As with -s, a CIDR network matches a range of addresses and a leading ! negates the match.
Example:
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT ! -d 203.16.1.89

Target)
The target is the action specified by a rule, performed on packets that match the rule. Besides user-defined chains, which can themselves be used as targets, a number of built-in targets are available. The common targets, with examples and descriptions, are:

ACCEPT: When a packet matches a rule with the ACCEPT target, it is accepted (allowed to continue to its destination) and stops traversing the current chain, although it may still traverse chains in other tables and be dropped there. The target is written as -j ACCEPT.

DROP: When a packet matches a rule with the DROP target, it is silently discarded and not processed any further; the sender receives no response. The target is written as -j DROP.

REJECT: Works like DROP, but sends an error message back to the sender: by default an ICMP port-unreachable, or a TCP RST with --reject-with tcp-reset (TCP only). The sender learns immediately that the connection was refused instead of waiting for a timeout, which is friendlier to legitimate clients; DROP, on the other hand, reveals less to a port scanner and generates no reply traffic, so which one is "better" depends on the chain. REJECT can only be used in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them. The target is written as -j REJECT.
Example:
$ iptables -A FORWARD -p tcp --dport 22 -j REJECT

RETURN: A packet matching a rule with the RETURN target stops traversing the chain containing the rule. If that chain is a user-defined chain, processing continues in the calling chain at the rule after the one that jumped in; if it is a built-in chain such as INPUT, the chain's default policy is applied. The target is written as -j RETURN (or --jump RETURN).
Example:
$ iptables -A FORWARD -d 203.16.1.89 -j RETURN
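Putting the commands, matches and targets above together, the following script builds a small stateful host firewall. It is an added example, not code from the original article; the admin network and the blocked host are assumed values, and applying it requires root and the iptables binary (pass --dry-run to only print the commands):

```shell
#!/bin/sh
# Added example (not from the original article): a stateful host firewall assembled from the
# commands, matches and targets described in the text.
# Set IPT="echo iptables" (or pass --dry-run) to print the commands instead of applying them.
IPT="${IPT:-iptables}"
ADMIN_NET="192.168.0.0/24"      # assumed: network allowed to reach SSH
BLOCKED_HOST="203.16.1.89"      # assumed: host refused outright

build_firewall() {
    # 1. Start clean. -F removes only rules, so -X (delete user chains) and -P (policies) are
    #    needed as well; a default policy can only be set on built-in chains.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 2. Order matters: the first matching rule with a terminating target (ACCEPT, DROP, REJECT)
    #    decides, so loopback, anti-spoofing and existing connections go first.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. Refuse the blocked host explicitly: a TCP RST makes its client fail fast; everything
    #    else from it is silently dropped. (Plain DROP for TCP too would reveal less to a scanner.)
    $IPT -A INPUT -p tcp -s "$BLOCKED_HOST" -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -s "$BLOCKED_HOST" -j DROP

    # 4. A user-defined chain for SSH. RETURN hands the packet back to INPUT, which has no later
    #    rule for port 22, so the INPUT policy (DROP) applies to non-admin sources.
    $IPT -N allowed-ssh
    $IPT -A allowed-ssh -s "$ADMIN_NET" -j ACCEPT
    $IPT -A allowed-ssh -j RETURN
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j allowed-ssh

    # 5. Public services. --dport belongs to the tcp/udp match, so -p is mandatory with it.
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT

    # 6. Rate-limited ping. Anything else that is a new connection matches nothing and falls
    #    through to the INPUT policy.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
}

# Print the command list without touching the kernel (for review, and used by the test).
print_firewall() {
    ( IPT="echo iptables"; build_firewall )
}

case "${1:-}" in
    --apply)   build_firewall ;;
    --dry-run) print_firewall ;;
esac
```

Apply it from a console rather than over SSH the first time: between -P INPUT DROP and the rule that jumps to allowed-ssh there is a window with no SSH rule, and a mistake in the admin network locks you out. Check the result with iptables -L -n -v --line-numbers, and use the printed line numbers with -D if a rule has to go.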
