Iptables basics, architecture, clearing rules, append rules, and application instances [Tutorial]

The iptables firewall can be used to create filters and NAT rules. All Linux distributions can use iptables. Therefore, understanding how to configure iptables will help you manage Linux firewalls more effectively. If you contact iptables for the first time, you will think it is very complicated, but once you understand how iptables works, you will find it very simple.

First, we will introduce the structure of iptables: iptables-> Tables-> Chains-> Rules. In short, tables consists of chains, which are also composed of rules. As shown in the following figure.

Figure: IPTables Table, Chain, and Rule Structure

I. iptables tables and links

Iptables has four built-in tables: Filter, NAT, Mangle, and Raw:

1. Filter table

Filter indicates the default table of iptables. Therefore, if you do not have a custom table, the filter table is used by default. It has the following three built-in links:

INPUT chain? Process external data.

OUTPUT chain? Process data that is sent out.

FORWARD chain? Forward data to other Nic devices on the local machine.

2. NAT table

A nat table has three built-in links:

PREROUTING chain? Process the packets that have just arrived at the local machine and are forwarded by the route. It will convert the destination ip address (destination ip address) in the data packet, usually used for DNAT (destination NAT ).

POSTROUTING chain? Process data packets that are about to leave the local machine. It will convert the source ip address in the data packet, which is usually used for SNAT (source NAT ).

OUTPUT chain? Processes data packets generated by the local machine.

3. Mangle table

The Mangle table is used to specify how data packets are processed. It can change the QoS bit in the TCP header. The Mangle table has five built-in chains:

PREROUTING

OUTPUT

FORWARD

INPUT

POSTROUTING

4. Raw table

The Raw table is used to handle exceptions. It has two built-in links:

PREROUTING chain

OUTPUT chain

5. Summary

The following figure shows the three built-in tables of iptables:

Figure: IPTables built-in table

II. IPTABLES Rules (Rules)

Keep in mind the following three-point key to understanding iptables rules:

Rules includes a condition and a target)

If conditions are met, the rule or specific value in the target will be executed.

If the condition is not met, the next Rules is determined.

Target value)

The special values you can specify in target are as follows:

ACCEPT? Allow the firewall to receive packets

DROP? Firewall discard package

QUEUE? The firewall transfers data packets to the user space.

RETURN? The firewall stops executing subsequent Rules in the current chain and returns to the call chain.

If you execute iptables -- list, you will see the available rules on the firewall. The following example shows that the system does not define a firewall. As you can see, it displays the default filter table and the default input chain, forward chain, and output chain in the table.

# Iptables-t filter -- list Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination

View the mangle table:

# Iptables-t mangle -- list

View the NAT table:

# Iptables-t nat -- list

View RAW table:

# Iptables-t raw -- list

/! \ Note: If the-t option is not specified, only the default filter table is displayed. Therefore, the following two command forms mean:

# Iptables-t filter -- list (or) # iptables -- list

The following example shows that there are rules in the input chain, forward chain, and output chain of the filter table:

# Iptables -- list Chain INPUT (policy ACCEPT) num target prot opt source destination 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.20.udp dpt: 5353 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt: 631 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt: 631 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED, ESTABLISHED 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt: 22 10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

The preceding output contains the following fields:

Num? Rule number in the specified chain

Target? The special value of target mentioned above

Prot? Protocol: tcp, udp, icmp, etc.

Source? Source IP address of the data packet

Destination? Destination IP address of the data packet

III. Clear all iptables rules

Before configuring iptables, you usually need to use the iptables -- list command or the iptables-save command to check whether there are existing rules, because sometimes you need to delete the existing iptables rules:

Iptables -- flush or iptables-F

The two commands are equivalent. However, it is not the case that everything will go well after the execution. You still need to check whether the rules are actually cleared, because on some linux distributions, this command does not clear the rules in the NAT table. In this case, you can only manually clear the rules:

Iptables-t NAT-F

IV. Permanent effect

After you delete or add rules, these changes do not take effect permanently. These rules may be restored after the system is restarted. In order for the configuration to take effect permanently, the specific operations vary depending on the platform. The following is a brief introduction:

1. Ubuntu

First, save the existing rules:

Iptables-save>/etc/iptables. rules

Create a new bash script and save it to the/etc/network/if-pre-up.d/directory:

#! /Bin/bash iptables-restore </etc/iptables. rules

In this way, the iptables rule is automatically loaded after each system restart.

/! \ Note: Do not try to execute the above commands in. bashrc or. profile, because the user is generally not root, and this can only load iptables rules at login.

2. CentOS, RedHat

# Save iptables rule service iptables save # restart iptables service iptables stop service iptables start

View the current rule:

Cat/etc/sysconfig/iptables

5. Append iptables rules

You can use the iptables-A command to Append the new rule.-A indicates Append. Therefore, the new rule is appended to the end of the chain.

Generally, the last rule is used to DROP all data packets. If you already have such A rule and use the-A parameter to add A new rule, it is useless.

1. Syntax

Iptables-A chain firewall-rule

-A chain? Chain of the rule to be appended

Firewall-rule? Specific rule parameters

2. Describe the basic parameters of the rule

The following rule parameters describe the protocol, source address, destination address, network interface that is allowed, and how to process these packets. These descriptions are basic descriptions of the rules.

-P protocol (protocol)

You can use all to specify the protocol of the rule, such as tcp, udp, and icmp.

If the-p parameter is not specified, the default value is all. This is unwise. Always specify the protocol name.

You can specify the protocol by using the protocol name (such as tcp) or protocol value (for example, 6 stands for tcp. For the ing relationship, see/etc/protocols.

What else can I use? The protocol parameter replaces the-p parameter.

-S source address (source)

SOURCE address of the specified data packet

Parameters enable IP addresses, network addresses, and host names

Example:-s 192.168.1.101 specified IP address

For example,-s 192.168.1.10/24 specifies the network address

If the-s parameter is not specified, it indicates all addresses.

What else can I use? Src or? Source

-D destination address (destination)

Destination address

The parameter is the same as-s.

What else can I use? Dst or? Destination

-J: execution target (jump to target)

-J indicates "jump to target"

-J specifies how data packets are processed when matching with rules (Rule).

Possible values: ACCEPT, DROP, QUEUE, RETURN

You can also specify other chains as the target.

-I input interface)

-I indicates the input interface)

-I specifies the interface from which the data packet is to be processed

These packets are about to enter the INPUT, FORWARD, and PREROUTE chains.

For example,-I eth0 specifies the packet to be processed through eth0.

If the-I parameter is not specified, data packets entering all interfaces will be processed.

If yes! -I eth0: All data packets entering through interfaces other than eth0 will be processed.

If-I eth + is displayed, all packets entering through interfaces starting with eth are processed.

What else can I use? In-interface parameters

-O output (out interface)-o stands for "output interface"

-O specifies the interface by which the data packet is output.

These packets are about to enter the FORWARD, OUTPUT, and POSTROUTING chains.

If the-o option is not specified, all interfaces on the system can be used as output interfaces.

If yes! -O eth0 will be output from interfaces other than eth0

If-I eth + is displayed, the output is only from the interface starting with eth.

What else can I use? Out-interface parameters

3. Describe the rule's extension parameter pair

With a basic description, we sometimes want to specify the port, TCP flag, ICMP type, and so on.

? Sport source port (source port) for-p tcp or-p udp

By default, all ports are matched.

You can specify the port number or port name, for example "? Sport 22 "and "? Sport ssh ".

The/etc/services file describes the mappings.

In terms of performance, it is better to use the port number.

Use a colon to match the port range, such "? Sport ″

You can also use "? Source-port"

? -Dport destination port (destination port) for-p tcp or-p udp

Parameter and? Sport is similar

You can also use "? Destination-port"

-? Tcp-flags TCP flag for-p tcp

Multiple parameters separated by commas can be specified.

Valid values: SYN, ACK, FIN, RST, URG, and PSH.

You can use ALL or NONE

-? Icmp-type ICMP type for-p icmp

? Icmp-type 0 indicates Echo Reply

? Icmp-type 8 indicates Echo

4. Complete append rule instance: only the SSH service is allowed.

In this example, only SSH data packets are allowed to pass through the local computer, and all other connections (including ping) are rejected.

#1. clear all iptables rules iptables-F #2. receive data packet iptables-a input-I eth0-p tcp -- dport 22-j ACCEPT #3. reject all other packets iptables-a input-j DROP

6. Change the default policy

The preceding example only filters the received data packets, but does not limit the data packets to be sent. This section describes how to change a chain policy to change the behavior of a chain.

1. Default link policy

/! \ Warning: do not test on remotely connected servers or virtual machines!

When we use the-L option to verify that the current rule is found, there is a policy ACCEPT annotation next to all links, which indicates that the default policy of the current chain is ACCEPT:

# Iptables-L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere tcp dpt: ssh DROP all -- anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination

In this case, if the DROP rule is not explicitly added, the ACCEPT policy is used by default for filtering. Unless:

A) add DROP rules for the preceding three links:

Iptables-a input-j DROP iptables-a output-j DROP iptables-a forward-j DROP

B) change the default policy:

Iptables-p input drop iptables-p output drop iptables-P FORWARD DROP

Bad !! If you configure iptables strictly in accordance with the example in the previous section and use SSH to connect, the session may have been terminated!

Why? Because we have changed the OUTPUT chain policy to DROP. At this time, although the server can receive data, it cannot send data:

# Iptables-L Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- anywhere tcp dpt: ssh DROP all -- anywhere Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination

7. Configure application rules

Although Section 5.4 has introduced how to restrict connections other than SSH, it is implemented when the chain's default policy is ACCEPT and there is no limit on the output data packets. This section describes how to set a firewall when the default link policy is DROP based on the port used by SSH and HTTP. Here, we will introduce a new parameter-m state and check the status field of the data packet.

1. SSH

#1. allow receiving SSH requests from remote hosts iptables-a input-I eth0-p tcp -- dport 22-m state -- state NEW, ESTABLISHED-j ACCEPT #2. allow sending SSH responses from local hosts to iptables-a output-o eth0-p tcp -- sport 22-m state -- state ESTABLISHED-j ACCEPT

-M state: state matching module)

? -State: Parameters of the status matching module. When the first data packet of the SSH client arrives at the server, the status field is NEW. After the connection is ESTABLISHED, the status fields of the data packet are all ESTABLISHED.

? Sport 22: sshd listens to port 22. It also establishes a connection with the client and transmits data. Therefore, for an SSH server, the source port is 22.

? Dport 22: The ssh client can establish a connection with port 22 of the SSH server from the random port of the local machine. Therefore, for the SSH client, the destination port is 22.

If the server also needs to use SSH to connect to other remote hosts, add the following configuration:

#1. the destination port of the sent data packet is 22 iptables-a output-o eth0-p tcp -- dport 22-m state -- state NEW, ESTABLISHED-j ACCEPT #2. the source port of the received packet is 22 iptables-a input-I eth0-p tcp -- sport 22-m state -- state ESTABLISHED-j ACCEPT.

2. HTTP

The HTTP configuration is similar to that of SSH:

#1. allow receiving HTTP requests from remote hosts iptables-a input-I eth0-p tcp -- dport 80-m state -- state NEW, ESTABLISHED-j ACCEPT #1. allow sending the HTTP response of the local host iptables-a output-o eth0-p tcp -- sport 80-m state -- state ESTABLISHED-j ACCEPT

3. Complete configuration

#1. delete an existing rule iptables-F #2. configure the default chain policy iptables-p input drop iptables-p forward drop iptables-p output drop #3. allow remote hosts to connect to iptables-a input-I eth0-p tcp -- dport 22-m state -- state NEW, ESTABLISHED-j ACCEPT iptables-a output-o eth0-p tcp -- sport 22-m state -- state ESTABLISHED-j ACCEPT #4. allow local hosts to connect to iptables-a output-o eth0-p tcp -- dport 22-m state -- state NEW, ESTABLISHED-j ACCEPT iptables-a input-I eth0-p tcp -- sport 22-m state -- state ESTABLISHED-j ACCEPT #5. allow HTTP request iptables-a input-I eth0-p tcp -- dport 80-m state -- state NEW, ESTABLISHED-j ACCEPT iptables-a output-o eth0-p tcp -- sport 80-m state -- state ESTABLISHED-j ACCEPT