[Firewall iptables in Linux] [instructions] [Chinese]

Source: Internet
Author: User
iptables command
Syntax:
iptables [-t table] command [match] [-j target/jump]

Note that iptables options are case-sensitive: -t selects the table, -p the protocol and -d the destination, while -P sets a chain policy and -D deletes a rule. The command forms below use the spelling that iptables actually accepts.

 
The -t parameter selects the rule table. The three built-in tables used here are nat, mangle and filter. If no table is given, filter is assumed.
The tables have the following functions:

nat   Performs network address translation: one-to-one, one-to-many and many-to-many source translation (SNAT) and destination translation (DNAT). Its chains are PREROUTING (destination translation before the routing decision), OUTPUT (destination translation for locally generated packets) and POSTROUTING (source translation after the routing decision). Because translation is decided per connection, only the first packet of a connection is matched against this table; the decision is stored in the connection-tracking entry and applied to every later packet of that connection, in both directions, without consulting the table again. Packet-filtering rules placed in the nat table therefore only ever see the first packet of each connection, so this table is used for address translation and nothing else.

mangle   Used when a packet has to be altered in some way other than address translation, for example rewriting its TTL or TOS, or attaching a mark (MARK) that later rules or the routing code can test. Since kernel 2.4.18 it has all five built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING); before that it had only PREROUTING and OUTPUT. Because it is rarely needed, mangle is not discussed further here.

filter   The default table, with the chains INPUT (packets addressed to this host), FORWARD (packets routed through this host) and OUTPUT (packets generated by this host). As the name says, this is the table for packet-filtering actions such as DROP, LOG, ACCEPT and REJECT, and the basic rules are created here.

 
List of common commands:
Command -A, --append
Example: iptables -A INPUT ...
Appends a new rule to a chain; it becomes the last rule in that chain.
Command -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j DROP
         iptables -D INPUT 1
Deletes a rule from a chain. Either give the complete rule specification (it must match an existing rule exactly) or the rule's position number; iptables -L INPUT --line-numbers shows the numbers.
Command -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Replaces the rule at the given position with a new one; the order of the other rules is unchanged.
Command -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Inserts a rule at the given position (position 1, the head of the chain, when omitted); the rule that was at that position and every rule after it move down by one.
Command -L, --list
Example: iptables -L INPUT
Lists all rules in a chain (all chains of the table if none is given). Add -n to skip DNS and service-name lookups, -v to show packet and byte counters and interfaces, and --line-numbers to show the positions used by -D, -R and -I.
Command -F, --flush
Example: iptables -F INPUT
Deletes all rules in a chain (in every chain of the table if none is given). The chain's policy is not changed, so flushing INPUT while its policy is DROP leaves nothing allowed, including the SSH session you are working from.
Command -Z, --zero
Example: iptables -Z INPUT
Zeroes the packet and byte counters of every rule in the chain. The counters (shown by -L -v) record how often each rule has matched and are the simplest way to see which rules are actually being hit, for example while an attack is in progress.
Command -N, --new-chain
Example: iptables -N allowed
Creates a new user-defined chain. Packets reach it only through a rule in another chain whose target is -j allowed.
Command -X, --delete-chain
Example: iptables -X allowed
Deletes a user-defined chain; it must be empty and no rule may still jump to it, so flush it with -F first.
Command -P, --policy
Example: iptables -P INPUT DROP
Sets the chain policy, i.e. the default action for packets that reach the end of the chain without matching any rule. Only built-in chains have a policy, and it must be a built-in target such as ACCEPT or DROP, not an extension target such as REJECT and not a user-defined chain.
Command -E, --rename-chain
Example: iptables -E allowed disallowed
Renames a user-defined chain; rules that jump to it follow the new name.
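
In practice the commands above are combined into a script rather than typed one at a time, and the order matters when the script is run over SSH. The following is an added example (not code from the original article) showing a lock-out-safe order for -P, -F, -X, -Z, -N, -A, -I, -R, -D and -E; the chain name mgmt and the management network 192.168.0.0/24 are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original article: managing chains with
# -N, -A, -I, -R, -D, -E, -P, -F, -X and -Z in an order that cannot lock the
# administrator out over SSH. The chain name "mgmt" and the management
# network 192.168.0.0/24 are assumptions for illustration.
#
# Every call goes through ipt(), so DRY_RUN=1 prints the commands instead of
# running them; review the output before touching a remote host.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Reset the filter table. Policies go to ACCEPT *before* -F: flushing INPUT
# while its policy is DROP would leave nothing allowed, including this session.
reset_filter() {
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F        # no chain given: flush every chain of the filter table
    ipt -X        # no chain given: delete every (now empty) user-defined chain
    ipt -Z        # zero all packet/byte counters
}

# Create a user-defined chain for administrative access and hook it into INPUT.
build_mgmt_chain() {
    ipt -N mgmt
    ipt -A mgmt -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
    ipt -A mgmt -j RETURN      # anything else: back to INPUT, where the policy decides
    # -I at position 1 puts the jump ahead of every other INPUT rule.
    ipt -I INPUT 1 -p tcp --dport 22 -j mgmt
    # Only now, with SSH from the management network already accepted,
    # is it safe to switch the INPUT policy to DROP.
    ipt -P INPUT DROP
}

# Later edits: -R replaces rule 1 of mgmt in place, -D removes the RETURN by
# its exact specification, -E renames the chain (the jump in INPUT follows).
edit_mgmt_chain() {
    ipt -R mgmt 1 -s 192.168.0.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -D mgmt -j RETURN
    ipt -E mgmt admin
}

case "${1:-}" in
    apply)   reset_filter; build_mgmt_chain ;;
    edit)    edit_mgmt_chain ;;
    show)    ipt -L INPUT -n -v --line-numbers ;;
    dry-run) DRY_RUN=1; reset_filter; build_mgmt_chain; edit_mgmt_chain ;;
esac
```

Run sh fw.sh dry-run to review the generated commands and sudo sh fw.sh apply on the host. For production use, the same rules are better loaded atomically with iptables-restore, so that the firewall never runs in a half-applied state between the flush and the last rule.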


Common packet matching parameters:
Parameter -p, --protocol
Example: iptables -A INPUT -p tcp
Matches the protocol of the packet (tcp, udp, icmp, or a name or number from /etc/protocols). The ! operator inverts the match: ! -p tcp means every protocol except TCP, including UDP, ICMP and so on (the older spelling -p ! tcp is deprecated). The keyword all matches every protocol, for example -p all, and is the default when -p is omitted.
Parameter -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Matches the source IP address of the packet: either a single host or a network given with a prefix length or netmask, for example -s 192.168.0.0/24 or -s 192.168.0.0/255.255.255.0. The ! operator inverts the match: ! -s 192.168.0.0/24.
Parameter -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Matches the destination IP address of the packet; same syntax as -s.
Parameter -i, --in-interface
Example: iptables -A INPUT -i eth0
Matches the interface on which the packet arrived. A trailing + is a wildcard, so -i eth+ matches every interface whose name starts with eth. The ! operator inverts the match: ! -i eth0. Only packets entering the host have an input interface, so -i is valid in the INPUT, FORWARD and PREROUTING chains.
Parameter -o, --out-interface
Example: iptables -A FORWARD -o eth0
Matches the interface through which the packet will be sent; valid in the FORWARD, OUTPUT and POSTROUTING chains, with the same wildcard and ! syntax as -i.
Parameter --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Matches the source port of a TCP or UDP packet; it requires -p tcp or -p udp. A single port or a range can be given: --sport 22:80 matches ports 22 through 80 inclusive. Non-consecutive ports need the multiport match described below. The ! operator inverts the match.
Parameter --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Matches the destination port; same syntax as --sport.
Parameter --tcp-flags
Example: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Matches the flag bits of the TCP header. The parameter has two parts: first the mask, the list of flags to examine, then the list of those flags that must be set. Every flag in the mask that is not in the second list must be clear; flags outside the mask are ignored. In the example SYN must be set and FIN and ACK must be clear, while RST, URG and PSH are not examined. The flag names are SYN (synchronise), ACK (acknowledgement), FIN (finish), RST (reset), URG (urgent) and PSH (push); the keywords ALL and NONE can be used in either list, so --tcp-flags ALL NONE matches a packet with no flags set at all (a NULL scan). The ! operator inverts the match.
Parameter --syn
Example: iptables -A INPUT -p tcp --syn
Matches a TCP packet that opens a connection, i.e. SYN set and ACK, RST and FIN clear. It is shorthand for --tcp-flags SYN,ACK,RST,FIN SYN. With the ! operator it matches packets that are not connection-opening packets.
Parameter -m multiport --source-ports
Example: iptables -A INPUT -p tcp -m multiport --source-ports 80,110
Matches any of several non-consecutive source ports, separated by commas; up to 15 ports can be given in one rule (a range a:b counts as two). The shorter spelling --sports is also accepted. The ! operator inverts the match.
Parameter -m multiport --destination-ports
Example: iptables -A INPUT -p tcp -m multiport --destination-ports 80,110
Matches any of several non-consecutive destination ports; same syntax as above (--dports is the short form).
Parameter -m multiport --ports
Example: iptables -A INPUT -p tcp -m multiport --ports 80,110
A special case: it matches only when the source port and the destination port are equal to each other and both appear in the list. In the example a packet from port 80 to port 110 does not match; one from port 80 to port 80 does.
Parameter --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Matches the ICMP type, given by number or by name (8 is echo-request, the packet sent by ping); a type/code pair such as 3/3 is also accepted. Run iptables -p icmp --help to list the available names.
Parameter -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Limits how often a rule matches: at most the given average number of matches per time unit. The unit can be /second, /minute, /hour or /day; the default is 3/hour. The match works as a token bucket: it succeeds while tokens are available, fails once they are used up, and new tokens arrive at the configured rate. Packets for which the match fails simply fall through to the following rules, so a limit rule is normally followed by a rule that drops (or logs) the excess. This is the usual way to keep a flood of SYN packets or ICMP echo requests from saturating a service, and to keep LOG rules from filling the disk.
Parameter --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Sets the size of the token bucket, i.e. how many packets may match back-to-back before the rate limit takes effect; the default is 5. After such a burst the rule matches only at the --limit rate until the bucket refills. The option is only meaningful together with -m limit.
Parameter -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Matches the hardware (Ethernet) address the packet was received from. It can be used only in the PREROUTING, INPUT and FORWARD chains, not in OUTPUT or POSTROUTING: for an outgoing packet the destination MAC is resolved by ARP in the network driver only after iptables has finished, so iptables does not know it. The address seen is that of the last hop (the router, if the sender is on another network), and a MAC address is trivially spoofed, so this match is not an authentication mechanism.
Parameter -m mark --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Matches the mark attached to the packet by an earlier MARK target. The mark is an unsigned 32-bit number, so its range is 0 to 4294967295; a mask can be given as value/mask.
Parameter -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Matches packets generated on this host by a process running as the given user (name or numeric UID). The match is valid only in the OUTPUT and POSTROUTING chains: the owner is known only for locally generated packets, never for packets from other hosts. It can be used, for example, to stop a service account from opening outbound connections at all, which limits what a compromised daemon can do with the data it holds.
Parameter -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Matches locally generated packets whose owning process runs as the given group; otherwise as above.
Parameter -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Matches locally generated packets from the process with the given PID. This option and --sid-owner below existed only in 2.4 and early 2.6 kernels; they were removed in 2.6.14 because they were unsafe on multiprocessor systems, and current iptables rejects them.
Parameter -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Matches locally generated packets from processes in the given session (session ID). Removed, see above.
Parameter -m state --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Matches the connection-tracking state of the packet. There are four states:

INVALID   The packet cannot be associated with any known connection, or is malformed (for example a TCP packet with an impossible flag combination or a sequence number outside the window). Such packets are normally dropped.
ESTABLISHED   The packet belongs to a connection that has already seen traffic in both directions.
NEW   The packet starts a new connection, or belongs to a connection that has not yet seen traffic in both directions. For TCP this is normally a SYN, but the state alone does not require it, which is why an explicit --syn check is useful.
RELATED   The packet starts a new connection that is related to an existing one, for example an FTP data connection belonging to an FTP control connection, or an ICMP error message referring to an existing connection. Recognising the FTP case needs the ip_conntrack_ftp helper module.

The state match is what makes a ruleset stateful: a single rule accepting ESTABLISHED,RELATED lets the replies to permitted connections through, so the remaining rules only have to describe which NEW connections are allowed.
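
The matches above are rarely used one at a time; their value shows in how they are ordered in a chain. The following is an added example (not code from the original article) of a stateful INPUT chain that combines the state, tcp-flags, syn, limit, multiport and icmp-type matches; the management network 192.168.0.0/24 and the service ports are assumptions for illustration, and the chain is assumed to be empty when the script runs.

```sh
#!/bin/sh
# Added example, not code from the original article: a stateful INPUT chain
# built from the match parameters above. The management network
# 192.168.0.0/24 and the service ports are assumptions for illustration.
# DRY_RUN=1 prints the commands instead of running them.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_input_rules() {
    # 1. Cheapest and most frequent decisions first: loopback, and packets that
    #    belong to connections already accepted (replies to our own traffic too).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # 2. Flag combinations that never occur in a real handshake, typical of port
    #    scanners. --tcp-flags <mask> <set>: every flag in the mask that is not
    #    in <set> must be clear.
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP          # NULL scan
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP           # Xmas scan
    ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN+FIN
    # A NEW TCP connection must begin with a pure SYN; anything else is a scan
    # or a packet whose connection the tracker has already lost.
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # 3. SSH only from the management network, with the connection rate limited.
    #    -m limit is a token bucket: --limit-burst 5 tokens, refilled at 3/minute.
    #    Once the bucket is empty the ACCEPT stops matching and the packet falls
    #    through to the (itself rate-limited) LOG and then the DROP.
    ipt -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 --syn -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    ipt -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 --syn -m limit --limit 1/minute -j LOG --log-prefix "ssh-flood:"
    ipt -A INPUT -p tcp --dport 22 -j DROP

    # 4. Public services: multiport replaces three rules with one.
    ipt -A INPUT -p tcp -m multiport --dports 80,443,8443 -m state --state NEW -j ACCEPT

    # 5. Answer ping (ICMP type 8 = echo-request), but not at flood rates;
    #    the excess falls through to the policy below.
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT

    # 6. Record what the policy is about to drop, rate-limited so a flood cannot
    #    fill the disk. LOG is non-terminating, so the policy still applies.
    ipt -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "input-drop:"

    # 7. Policy last, after the rules that keep the administrator's session alive.
    ipt -P INPUT DROP
}

case "${1:-}" in
    apply)   build_input_rules ;;
    dry-run) DRY_RUN=1; build_input_rules ;;
esac
```

The order is the point: the ESTABLISHED,RELATED rule sits first because it decides the overwhelming majority of packets, the scan-signature drops come before any ACCEPT so a crafted packet cannot slip past them, and every LOG is both rate-limited and followed by the rule that actually disposes of the packet.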

 


Common handling actions:
The -j parameter specifies the target, i.e. what to do with a packet that matches. Common targets are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK, described below. Most of them are terminating: once a packet hits such a rule the rest of the chain is not evaluated. LOG and MARK are the exceptions and let the packet continue with the next rule, so they must be placed before the rule that finally decides the packet's fate.

ACCEPT   Lets the packet through. No further rules of the current chain are examined; the packet moves on to the next stage of processing, for example from filter:FORWARD to nat:POSTROUTING. An ACCEPT in the nat or mangle table does not stop the filter table from dropping the same packet later.
REJECT   Discards the packet and sends an error back to the sender. The error is chosen with --reject-with: icmp-port-unreachable (the default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, icmp-admin-prohibited, or tcp-reset, which sends a TCP RST, is valid only for TCP, and makes the peer close the connection immediately instead of retrying (old versions also accepted echo-reply for ICMP echo requests). REJECT is terminating and is valid only in the INPUT, FORWARD and OUTPUT chains and user-defined chains called from them. Example:
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
DROP   Discards the packet silently, without notifying the sender. Terminating. DROP gives a scanner nothing to learn from, while REJECT lets legitimate clients fail quickly instead of waiting for a timeout.
REDIRECT   Changes the destination of the packet to the local machine (a special case of DNAT), optionally to another port with --to-ports. Valid only in nat:PREROUTING and nat:OUTPUT; like the other NAT targets it ends processing in the nat chain, after which the packet continues to the routing decision and the filter table. It is used for transparent proxying, for example sending all incoming web traffic to a proxy on port 8080 that sits in front of the real web server:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
MASQUERADE   Rewrites the source address of the packet to the address of the outgoing interface; a source port range can be given with --to-ports. Valid only in nat:POSTROUTING, terminating like SNAT. The difference from SNAT is that no address has to be specified: it is read from the interface when the packet is sent, and the translations are forgotten when the interface goes down. That makes MASQUERADE the right choice for dial-up or DHCP links where the ISP assigns a different address each time. Example:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -j MASQUERADE --to-ports 1024-31000
LOG   Writes information about the packet (interfaces, addresses, ports, flags) to the kernel log, from where syslog usually stores it in /var/log/messages or /var/log/kern.log; /etc/syslog.conf determines the exact file. LOG is non-terminating, so the packet goes on to the next rule; a LOG rule is therefore normally followed by the DROP or REJECT it documents, and preceded by -m limit so that an attacker cannot flood the log. Example:
iptables -A INPUT -p tcp -j LOG --log-prefix "input packets: "
SNAT   Rewrites the source address to a given address or range of addresses, optionally with a source port range. Valid only in nat:POSTROUTING and terminating. Because the outgoing address is fixed, SNAT is used where the firewall has a static public address. Example:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
DNAT   Rewrites the destination address to a given address or range, optionally with a port range. Valid only in nat:PREROUTING and nat:OUTPUT and terminating; the packet then passes the routing decision and the filter table (INPUT or FORWARD), which sees the translated destination, so the filter rule must allow the internal address and port, not the public ones. Example:
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100
MIRROR   Swaps the source and destination addresses of the packet and sends it back where it came from. Terminating. It was an experimental target in 2.4 kernels and has been removed from later kernels; do not rely on it.
QUEUE   Stops processing in the kernel and hands the packet to a user-space program through the ip_queue interface (NFQUEUE with numbered queues in later kernels). The program returns the verdict and can do anything else with the packet, for example traffic accounting or content inspection.
RETURN   Stops traversing the current chain. In a user-defined chain, processing continues with the rule after the one that jumped to it in the calling chain; in a built-in chain the chain policy is applied. If a user-defined chain is thought of as a subroutine, RETURN is an early return to the caller.
MARK   Attaches a number to the packet inside the kernel (the packet bytes are not changed) that later rules can test with -m mark and policy routing can test with ip rule ... fwmark. Valid only in the mangle table and non-terminating, so the packet continues with the next rule. Example:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
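
The targets above come together in the most common iptables deployment, a gateway that translates for a private network. The following is an added example (not code from the original article) of such a gateway using DNAT, MASQUERADE, MARK, LOG, REJECT and DROP; the interface roles (eth0 towards the Internet, eth1 towards the LAN), the LAN prefix 192.168.1.0/24 and the internal web server 192.168.1.10 are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original article: a small NAT gateway that
# exercises the targets above (DNAT, MASQUERADE, MARK, LOG, REJECT, DROP).
# Interface roles (eth0 = Internet side, eth1 = LAN), the LAN prefix and the
# internal web server address are assumptions for illustration.
# DRY_RUN=1 prints the commands instead of running them.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB=192.168.1.10

build_nat_gateway() {
    # iptables does not turn a host into a router; the kernel must forward.
    [ -n "${DRY_RUN:-}" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # nat table (consulted for the first packet of each connection only).
    # DNAT in PREROUTING: publish the internal web server on public port 80.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:8080"
    # MASQUERADE in POSTROUTING: LAN clients leave with whatever address eth0 has.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # mangle table: MARK is non-terminating; the mark travels with the packet to
    # the filter table (-m mark) and to policy routing (ip rule ... fwmark 2).
    ipt -t mangle -A PREROUTING -i "$LAN" -p tcp --dport 22 -j MARK --set-mark 2

    # filter table. FORWARD runs *after* DNAT, so the published service is
    # matched by its internal address and port, not by the public ones.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp --dport 8080 -m state --state NEW -j ACCEPT
    # LAN clients may reach the Internet; outbound SSH (marked above) is logged first.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m mark --mark 2 -j LOG --log-prefix "lan-ssh:"
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Anything else from the LAN (wrong source prefix, other interfaces) is refused
    # with a RST so clients fail fast. REJECT is terminating: these packets never
    # reach the LOG or the policy below.
    ipt -A FORWARD -i "$LAN" -p tcp -j REJECT --reject-with tcp-reset
    # Unsolicited traffic from the Internet is logged (rate-limited) and then
    # dropped silently by the policy: the sender learns nothing.
    ipt -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "fwd-drop:"
    ipt -P FORWARD DROP
}

case "${1:-}" in
    apply)   build_nat_gateway ;;
    dry-run) DRY_RUN=1; build_nat_gateway ;;
esac
```

Two details are easy to get wrong here. The FORWARD rule for the published server names 192.168.1.10:8080, because the filter table sees the packet after DNAT; a rule written for the public address and port 80 would never match. And the nat rules make no security decision at all: without the FORWARD rules and the DROP policy, DNAT would happily expose the server to anyone, so the filter table remains the place where access is actually granted or denied.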

This article is reproduced from http://linux.chinaunix.net/bbs/viewthread.php?tid=620183
