Introduction to Linux under Iptables

Source: Internet
Author: User

  • Iptables Introduction

    Iptables is a kernel-based firewall with very powerful features. It has three built-in tables: filter, nat and mangle.

    The filter table is responsible for filtering packets and contains the chains INPUT, OUTPUT and FORWARD;

    The nat table handles network address translation and contains the chains PREROUTING, POSTROUTING and OUTPUT;

    The mangle table is mainly used to modify packet contents, for example for traffic shaping; its default chains are INPUT, OUTPUT, FORWARD, POSTROUTING and PREROUTING.

    INPUT matches packets whose destination IP is the local machine; FORWARD matches packets flowing through the machine; PREROUTING is used to rewrite the destination address (DNAT); POSTROUTING is used to rewrite the source address (SNAT).

    Iptables Main parameters

    -A appends a rule to a chain; by default it is added at the end

    -t specifies the table to operate on; the default is filter

    -D deletes a rule from a chain; the rule can be given by its number or by its matching specification

    -R replaces a rule

    -I inserts a rule; by default it goes at the head of the chain, or at position n if a number is given

    -F flushes all rules in the selected chain; this is not persistent, so saved rules come back after a reboot

    -N creates a new user-defined chain

    -X deletes a user-defined chain

    -p specifies the protocol, which can be tcp, udp, icmp, etc., or a protocol number

    -s specifies the source address

    -d specifies the destination address

    -i input interface

    -o output interface

    -j the target, i.e. the action to take: ACCEPT, DROP, SNAT, DNAT, MASQUERADE

    --sport source port

    --dport destination port; port matches must be used together with a protocol (-p)

    Note: chain names must be uppercase, table names must be lowercase, targets (actions) must be uppercase, and match names must be lowercase.

    Iptables configuration examples

    Iptables basic operations

    iptables -L    list the iptables rules
    iptables -F    flush the built-in chains
    iptables -X    delete user-defined chains

    Set default rules

    Packets that match no rule in a chain are handled by the chain's default policy.

    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    Configure SSH Rules

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
    If the OUTPUT policy is set to DROP, the second rule is also needed; otherwise SSH logins fail, because the SSH server's replies cannot leave the machine.

    Allow SSH connections only from the machine 192.168.0.3

    iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT

    To allow or restrict a whole network instead of a single IP address, use a prefix such as 192.168.0.0/24, which stands for all addresses 192.168.0.1-255.

    Allow loopback communication

    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT

    Destination address translation (DNAT): mapping an external port to an internal address

    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2:80
    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.1-192.168.0.10

    Source address translation (SNAT): hiding internal addresses

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1-1.1.1.10

    Address masquerading: NAT for a dynamic IP

    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

    The main difference between MASQUERADE and SNAT is that SNAT rewrites the source address to a fixed IP address or address pool, whereas MASQUERADE is very useful for ADSL and other dial-up connections. The external IP of a dial-up interface changes often, so with SNAT the address in the translation rule would have to be changed every time. MASQUERADE solves this: it detects the current IP address of the external interface and translates to it automatically, so the translation keeps working without human intervention even when the external IP changes frequently.

    Enable forwarding

    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    Only packets belonging to established connections and related connections are forwarded inwards.
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    Forwarding outwards is allowed.

    Filter by MAC address

    iptables -A FORWARD -m mac --mac-source <MAC address> -j DROP

    After a packet has been routed, the MAC addresses in the frame are replaced with those of the forwarding hop, so matching on the original sender's MAC is meaningless in iptables for packets that have already passed through a router.

    Packet rate limiting

    iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT
    iptables -A FORWARD -d 192.168.0.1 -j DROP

    Multi-port matching

    Used to match multiple ports at once

    iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT

    Discard illegal connections

    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP

    Saving and restoring iptables rules

    iptables-save > somefile
    iptables-restore < somefile
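    The rules above are entered one at a time, which is how the SSH lockout mentioned in the SSH section happens: a DROP policy takes effect before the allow rule is added. The following added example (not from the original page) assembles the page's filter and nat rules (default policies, loopback, SSH restricted to one host, INVALID drops, forwarding, DNAT and MASQUERADE) into one iptables-restore ruleset so the whole policy is loaded atomically; the admin host, interface names and internal addresses are assumptions.

```shell
# Added example (not from the original page): emit the page's filter and nat
# rules in iptables-restore format so the whole policy loads atomically and
# the SSH allow rule never trails a DROP policy. Names/addresses are assumptions.
ADMIN_HOST="${ADMIN_HOST:-192.168.0.3}"   # only host allowed to reach SSH
LAN_NET="${LAN_NET:-192.168.0.0/24}"      # internal network behind this box
WAN_IF="${WAN_IF:-ppp0}"                  # dial-up / external interface
LAN_IF="${LAN_IF:-eth1}"                  # internal interface
WEB_HOST="${WEB_HOST:-192.168.0.2}"       # internal web server for the DNAT

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services depend on it and the INPUT policy is DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH only from the admin host; everything else falls to the DROP policy
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -j ACCEPT
# LAN may go out; from outside only replies and the published web port come in
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${WEB_HOST} -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# external port 81 -> internal web server port 80 (DNAT runs before FORWARD)
-A PREROUTING -i ${WAN_IF} -p tcp --dport 81 -j DNAT --to-destination ${WEB_HOST}:80
# dynamic external address, so MASQUERADE instead of SNAT --to-source
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Cheap self-check: number of generated lines containing a given string.
count_rules() {
    build_ruleset | grep -c -- "$1"
}

# Parse the ruleset without committing (--test), then load it in one step.
# Needs root; rules are still lost at reboot unless restored from iptables-save.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}
```

    Because the ruleset is generated as text, it can be reviewed with build_ruleset or checked with iptables-restore --test before anything is applied.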

