iptables Introduction
iptables is a kernel-based firewall with very powerful features. It has three built-in tables: filter, nat and mangle.
The filter table is responsible for filtering packets and contains the chains INPUT, OUTPUT and FORWARD;
the nat table handles network address translation and contains the chains PREROUTING, POSTROUTING and OUTPUT;
the mangle table is mainly used to modify the contents of packets, for example for traffic shaping, and by default contains the chains INPUT, OUTPUT, FORWARD, POSTROUTING and PREROUTING.
INPUT matches packets whose destination IP is the local machine, FORWARD matches packets passing through the machine, PREROUTING is used to change the destination address (DNAT), and POSTROUTING is used to change the source address (SNAT).
iptables Main Parameters
-A appends a rule to a chain (added at the end by default)
-t specifies the table to operate on (filter by default)
-D deletes a rule from a chain; the rule can be given by its number or by its matching specification
-R replaces a rule
-I inserts a rule; by default it is inserted at the head of the chain, and with a number it is inserted as the nth rule
-F flushes the selected chain; this only changes the running kernel, so the saved rules are back after a reboot
-N creates a new user-defined chain
-X deletes a user-defined chain
-p specifies the protocol, which can be tcp, udp, icmp, etc., or a protocol number (the upper-case -P, used below, sets a chain's default policy instead)
-s specifies the source address
-d specifies the destination address
-i the incoming interface
-o the outgoing interface
-j the target (action) to take: ACCEPT, DROP, SNAT, DNAT, MASQUERADE
--sport source port
--dport destination port; ports can only be used together with a protocol (-p tcp or -p udp)
Note: chain names must be uppercase, table names must be lowercase, targets (actions) must be uppercase and match names must be lowercase.
iptables Configuration Examples
iptables Basic Operations
iptables -L    list the iptables rules
iptables -F    flush the iptables built-in chains
iptables -X    delete the iptables user-defined chains
Set the default policies
A packet that matches no rule in a chain is handled by that chain's default policy.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
Configure SSH Rules
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT    If the OUTPUT policy is set to DROP you need to add this rule as well, otherwise SSH logins fail because the SSH server's replies cannot leave the machine.
Allow SSH connections only from the machine 192.168.0.3
iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a whole address range, use CIDR notation: 192.168.0.0/24 stands for all the addresses 192.168.0.1-255.
Allow loopback (lo) communication
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
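As an added example (not part of the original post), here are the default policies, loopback rules and SSH rules above written as one ruleset in the format that iptables-save produces and iptables-restore reads, generated by a small POSIX shell script. The administration host 192.168.0.3 is taken from the page; the file name and the helper function names are assumptions of the example. Loading the file requires root and is not done by the script.

```shell
#!/bin/sh
# Added example (not from the original post): build the host-firewall rules
# from the sections above as an iptables-restore ruleset, so they can be
# reviewed as one file and loaded atomically instead of typed one by one.
# Assumptions: the admin host is 192.168.0.3 (from the page); the output
# file name and function names are the example's own.

ADMIN_HOST="192.168.0.3"

# Print the filter-table ruleset in iptables-save format.
# Rules are evaluated top to bottom; anything that matches no rule falls
# through to the chain's default policy (DROP for INPUT and FORWARD).
host_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic must always be allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# SSH only from the administration host
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -j ACCEPT
# replies of the SSH server; only needed if the OUTPUT policy is DROP
-A OUTPUT -p tcp --sport 22 -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file and report its line count. With root privileges
# the file is loaded with "iptables-restore < file" (not attempted here).
write_rules() {
    host_firewall_rules > "$1"
    grep -c '' "$1"
}

# Syntax-check the ruleset without touching the running firewall, when the
# tool is available and we are root; otherwise report "skipped".
check_rules() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        if host_firewall_rules | iptables-restore --test 2>/dev/null; then
            echo "ok"
        else
            echo "failed"
        fi
    else
        echo "skipped"
    fi
}

host_firewall_rules
```

The ruleset file is the same text iptables-save would print for these rules, so it can be kept under version control and diffed before it is loaded; iptables-restore --test parses it without changing the running firewall.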
Destination address translation (DNAT): mapping to an internal address
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.1-192.168.0.10
Source address translation (SNAT): hiding internal addresses
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1-1.1.1.10
Masquerading: NAT for a dynamic IP address
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
The main difference between MASQUERADE and SNAT is that SNAT rewrites the source address to a fixed IP address or address pool, whereas MASQUERADE is meant for ADSL and other dial-up connections. The external IP address of a dial-up interface changes often, so with SNAT the address in the translation rule would have to be updated every time it changes; MASQUERADE solves this by looking up the current address of the external interface and translating to it automatically, so a changing external IP needs no manual intervention.
Enable forwarding
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT    only established connections and packets related to them are forwarded inward
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT    allow forwarding outward
Filter by MAC address
iptables -A FORWARD -m mac --mac-source <MAC address> -j DROP
Once a packet has been routed, the MAC addresses in its frame are replaced with those of the next hop, so MAC matching is meaningless on an iptables host that receives the packet after it has been routed.
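An added example, not from the original post, that combines the DNAT, MASQUERADE and FORWARD rules above into one gateway ruleset in iptables-restore format. The interface names (ppp0 external, eth1 internal), the LAN network 192.168.0.0/24, the internal web server 192.168.0.2 and the published port 81 are placeholders taken from the examples on this page; the function names are the example's own. It also covers two things the rules above do not say on their own: with a FORWARD policy of DROP, the new connections that DNAT redirects to the web server need their own FORWARD ACCEPT, and the kernel forwards nothing at all until net.ipv4.ip_forward is enabled.

```shell
#!/bin/sh
# Added example (not from the original post): the DNAT, MASQUERADE and FORWARD
# rules from the sections above, assembled as one iptables-restore ruleset for
# a gateway with a dial-up (external) interface and a LAN (internal) interface.
# Assumed placeholders: WAN=ppp0, LAN=eth1, LAN network 192.168.0.0/24,
# internal web server 192.168.0.2, published port 81.

WAN="ppp0"
LAN="eth1"
LAN_NET="192.168.0.0/24"
WEB_SERVER="192.168.0.2"
PUBLISHED_PORT="81"

# Print the nat and filter tables in iptables-save format.
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# publish the internal web server on the external port (DNAT)
-A PREROUTING -i ${WAN} -p tcp --dport ${PUBLISHED_PORT} -j DNAT --to-destination ${WEB_SERVER}:80
# hide the LAN behind whatever address the dial-up interface currently has;
# restricting to -o WAN keeps LAN-to-LAN traffic untranslated
-A POSTROUTING -s ${LAN_NET} -o ${WAN} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# packets that belong to no known connection are never forwarded
-A FORWARD -m state --state INVALID -j DROP
# inward: replies to connections the LAN opened ...
-A FORWARD -i ${WAN} -o ${LAN} -m state --state RELATED,ESTABLISHED -j ACCEPT
# ... plus new connections to the published server (FORWARD sees the packet
# after DNAT, so it already carries the internal address and port)
-A FORWARD -i ${WAN} -o ${LAN} -d ${WEB_SERVER} -p tcp --dport 80 -m state --state NEW -j ACCEPT
# outward: LAN hosts may open connections
-A FORWARD -i ${LAN} -o ${WAN} -s ${LAN_NET} -j ACCEPT
COMMIT
EOF
}

# The rules alone do not forward anything: the kernel switch must be on too.
# Returns the line to put in /etc/sysctl.conf (not applied here).
forwarding_sysctl() {
    echo "net.ipv4.ip_forward = 1"
}

# Sanity check of the generated text: number of rules bound to the WAN interface.
count_wan_rules() {
    gateway_rules | grep -c -- "-[io] ${WAN}"
}

gateway_rules
```

The two tables are loaded together, so a single iptables-restore call replaces the whole gateway configuration atomically; the sysctl line is applied separately with sysctl -p after it is added to /etc/sysctl.conf.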
Packet rate limiting
iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP
Rules are evaluated in order, so the ACCEPT with the limit must come before the DROP; packets above 50 per second fall through to the DROP.
Multi-port matching
Used to match several ports in one rule
iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT
Drop invalid connections
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
Save and restore iptables rules
iptables-save > somefile
iptables-restore < somefile
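An added example (not from the original post) of what a saved ruleset is good for besides restoring it: the script parses an iptables-save dump and checks it against the points made on this page (DROP default policies, an INVALID drop rule in each chain, SSH restricted to a source address, and the rate-limit ACCEPT placed before its DROP rule). The dump embedded in the script is a constructed sample, not output captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an "iptables-save" dump
# against the hardening points on this page. SAMPLE_DUMP is constructed for
# the example; on a real host feed the output of iptables-save instead.

SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,25,80,110 -j ACCEPT
-A FORWARD -d 192.168.0.1/32 -j DROP
-A FORWARD -d 192.168.0.1/32 -m limit --limit 50/sec -j ACCEPT
COMMIT'

# Default policy of a chain, read from its ":CHAIN POLICY [pkts:bytes]" line.
chain_policy() {   # $1 = dump, $2 = chain name
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2 }'
}

# Number of rules in the chain that drop INVALID packets (0 means none).
drops_invalid() {  # $1 = dump, $2 = chain name
    printf '%s\n' "$1" | grep -c -- "^-A $2 .*--state INVALID -j DROP"
}

# ACCEPT rules for tcp/22 in INPUT that carry no -s restriction, i.e. SSH
# reachable from any source. Prints the offending rules, if any.
ssh_accept_unrestricted() {  # $1 = dump
    printf '%s\n' "$1" | grep -- "^-A INPUT " | grep -- "--dport 22 " \
        | grep -- "-j ACCEPT" | grep -v -- " -s "
}

# Rules run in order: a rate-limit ACCEPT placed after the matching DROP never
# fires. Prints 1 when the DROP for the destination precedes the limit ACCEPT.
limit_after_drop() {  # $1 = dump, $2 = destination exactly as written in the dump
    printf '%s\n' "$1" | awk -v d="$2" '
        $0 ~ ("^-A FORWARD -d " d) && /-j DROP/ && !seen_drop { seen_drop = NR }
        $0 ~ ("^-A FORWARD -d " d) && /-m limit/ && /-j ACCEPT/ { seen_lim = NR }
        END { print (seen_drop && seen_lim && seen_drop < seen_lim) ? 1 : 0 }'
}

# Run every check and print one finding per line (nothing when all pass).
audit_dump() {  # $1 = dump
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$1" "$chain")" != "DROP" ]; then
            echo "FINDING: $chain default policy is not DROP"
        fi
        if [ "$(drops_invalid "$1" "$chain")" -eq 0 ]; then
            echo "FINDING: $chain has no --state INVALID drop rule"
        fi
    done
    if [ -n "$(ssh_accept_unrestricted "$1")" ]; then
        echo "FINDING: SSH (tcp/22) accepted from any source"
    fi
    if [ "$(limit_after_drop "$1" "192.168.0.1/32")" -eq 1 ]; then
        echo "FINDING: rate-limit ACCEPT for 192.168.0.1 comes after its DROP rule"
    fi
}

# Number of findings, for scripting (0 = clean).
finding_count() {  # $1 = dump
    audit_dump "$1" | grep -c .
}

audit_dump "$SAMPLE_DUMP"
```

The checks only read text and never change the firewall, so the same script can run from a cron job or a configuration-management hook over iptables-save output; the constructed dump above yields four findings, one for each point it deliberately gets wrong.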