Introduction to Linux under Iptables

• Ptables Introduction

  Iptables is a kernel-based firewall with very powerful features, with the iptables built-in Filter,nat and mangle three sheets.

  Filter is responsible for filtering packets, including the rule chain, input,output and forward;

  NAT involves network address translation, including the rule chain, prerouting,postrouting and output;

  Mangle table is mainly used in modifying the contents of the packet, used to do traffic shaping, the default rule chain is: input,output,nat,postrouting,prerouting;

  Input matching destination IP is a native packet, forward matches the packet flowing through the machine, prerouting used to modify the destination address used to do dnat,postrouting to modify the source address used to do snat.

  Iptables Main parameters

  -a adds a rule to the rule chain, which is added to the end by default

  -t Specifies the table to manipulate, by default the filter

  -D removes the rule from the rule chain and can specify an ordinal or matching rule to delete

  -R for rule substitution

  -I inserts a rule that is inserted into the header by default and the specified number is inserted into the nth row

  -F clears the selected chain and resumes after reboot

  -N New user-defined rule chain

  -X Delete user-defined rule chain

  -P is used to specify protocol numbers that can be tcp,udp,icmp, etc., or numbers.

  -s Specifies the source address

  -D Specify Destination Address

  -I enter the interface

  -O Outgoing interface

  -j take the action, Accept,drop,snat,dnat,masquerade

  --sport Source Port

  --dport destination port, port must be used in conjunction with protocol.

  Note: All chain names must be uppercase, indicating that they must be lowercase, actions must be uppercase, matching must be lowercase

  Iptable Configuration Instance

  Iptable Basic Operation

  Iptables-l list Iptables Rules
  Iptables-f Clear Iptables built-in rules
  Iptables-x Clear iptables Custom rule

  Set default rules

  No match to rule in Iptables rule is processed using default rule

  Iptables-p INPUT DROP
  Iptables-p OUTPUT ACCEPT
  Iptables-p FORWARD DROP

  Configure SSH Rules

  Iptables-a input-p TCP--dport 22-j ACCEPT
  Iptables-a output-p TCP--sport 22-j ACCEPT If you set the OUTPUT to drop, you need to add this rule, or SSH will not be able to log in, because the SSH service function can not be entered.

  Allow SSH connections only for 192.168.0.3 machines

  Iptables-a input-s 192.168.0.3-p TCP--dport 22-j ACCEPT

  If you want to allow or restrict a certain IP address, you can use 192.168.0.0/24 to represent all IPs on the 192.168.0.1-255 side.

  Allow loopback loopback Communication

  Iptables-a input-i lo-p all-j ACCEPT
  Iptables-a output-o lo-p all-j ACCEPT

  Destination address translation, mapping internal address

  Iptables-t nat-a prerouting-i ppp0-p tcp--dprot 81-j DNAT--to 192.168.0.2:80
  Iptables-t nat-a prerouting-i ppp0-p tcp--dprot 81-j DNAT--to 192.168.0.1-192.168.0.10

  Source address translation, hiding internal addresses

  Iptables-t nat-a postrouting-s 192.168.0.0/24-j SNAT--to 1.1.1.1
  Iptables-t nat-a postrouting-s 192.168.0.0/24-j SNAT--to 1.1.1.1-1.1.1.10

  Address spoofing, NAT for dynamic IP

  Iptables-t nat-a postrouting-s 192.168.0.0/24-j Masquerade

  The main difference between Masquerade and Snat is that the Snat is to convert the source address to a fixed IP address or address pool, and masquerade in the ADSL and other ways dial-up Internet is very useful, because it is dial-up Internet network card's external IP often change, In this way, when the address translation is to change the IP in the conversion strategy every time, using Masquerade is a good solution to this problem, he will detect the IP address of the external network card and then automatically address the conversion, so that even if the external network to obtain the IP often change without human intervention.

  Turn on forwarding function

  Iptables-a forward-i eth0-o eth1-m State--state Related,established-j accept only built-in connections and related links are allowed internal forwarding
  Ptables-a forward-i eth1-o eh0-j accept allow external forwarding

  Filter a Mac

  Iptables-a Forward-m mac--mac-source mac address-j DROP

  After the message is routed, the MAC information in the packet is replaced, so it is meaningless to use Mac matching in the routed iptables.

  Packet rectification

  Iptables-a forward-d 192.168.0.1-m limit--limit 50/s-j ACCEPT
  Iptables-a forward-d 192.168.0.1-j DROP

  Multi-port matching

  Used to match multiple ports at once

  Iptables-a input-p tcp-m muliport--dport s 21,22,25,80,110-j ACCEPT

  Discard illegal connections

  Iptables-a input-m State--state invalid-j DROP
  Iptables-a output-m State--state invalid-j DROP
  Iptables-a forward-m State--state invalid-j DROP

  stored in recovery iptables rules

  Iptables-save > Somefile
  Iptables-restore < Somefile

Introduction to Linux under Iptables