The iptables firewall can be used to create packet filters and NAT rules. Every Linux distribution can use iptables, so understanding how to configure it will help you manage Linux firewalls more effectively. When you first encounter iptables it looks very complicated, but once you understand how it works you will find it quite simple.
First, the structure of iptables: iptables -> tables -> chains -> rules. In short, tables consist of chains, and chains consist of rules, as shown in the following figure.
Figure: IPTables Table, Chain, and Rule Structure
I. iptables tables and chains
iptables has four built-in tables: filter, nat, mangle, and raw:
1. Filter table
filter is the default table of iptables, so if you do not specify a table, the filter table is used. It has the following three built-in chains:
INPUT chain: processes packets arriving from outside that are destined for the local machine.
OUTPUT chain: processes packets sent out by the local machine.
FORWARD chain: processes packets forwarded by the local machine to another network interface.
2. NAT table
The nat table has three built-in chains:
PREROUTING chain: processes packets that have just arrived at the local machine, before routing. It rewrites the destination IP address of the packet and is usually used for DNAT (destination NAT).
POSTROUTING chain: processes packets that are about to leave the local machine. It rewrites the source IP address of the packet and is usually used for SNAT (source NAT).
OUTPUT chain: processes packets generated by the local machine.
3. Mangle table
The mangle table is used to modify packets as they are processed; for example, it can change the QoS bits in the TCP header. The mangle table has five built-in chains:
PREROUTING
OUTPUT
FORWARD
INPUT
POSTROUTING
4. Raw table
The raw table is used to handle exemptions. It has two built-in chains:
PREROUTING chain
OUTPUT chain
5. Summary
The following figure shows the three built-in tables of iptables:
Figure: IPTables built-in table
II. iptables rules
Keep the following three points in mind to understand iptables rules:
A rule consists of a condition (match) and a target.
If the condition is met, the action named by the target is executed.
If the condition is not met, the next rule in the chain is evaluated.
Target values
The special values you can specify as a target are:
ACCEPT: the firewall accepts the packet.
DROP: the firewall discards the packet.
QUEUE: the firewall passes the packet to user space.
RETURN: the firewall stops executing the remaining rules in the current chain and returns to the calling chain.
If you run iptables --list, you will see the rules available on the firewall. The following example shows a system with no firewall rules defined. As you can see, it displays the default filter table and the default INPUT, FORWARD, and OUTPUT chains in that table.
# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
View the mangle table:
# iptables -t mangle --list
View the nat table:
# iptables -t nat --list
View the raw table:
# iptables -t raw --list
Note: if the -t option is not specified, only the default filter table is displayed. Therefore, the following two commands are equivalent:
# iptables -t filter --list
# iptables --list
The following example shows a filter table that does have rules in its INPUT, FORWARD, and OUTPUT chains (listed with numeric addresses and rule numbers):
# iptables -n --list --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
The output contains the following fields:
num: the rule's number within the chain
target: the target of the rule (one of the special values described above, or a user-defined chain)
prot: protocol, such as tcp, udp, or icmp
source: source IP address of the packet
destination: destination IP address of the packet
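As an added example (not part of this tutorial), the following POSIX shell script parses a listing in the format shown above and reports, for each chain, its default policy and whether the chain ends in a terminal DROP/REJECT rule; the sample listing is constructed here from the tutorial's output, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a saved "iptables -n -L --line-numbers" listing.
# For each chain it prints: chain, default policy, last target, verdict.
# Verdict "closed" = policy is DROP/REJECT or the last rule is DROP/REJECT;
# otherwise "open", i.e. the chain falls through to an ACCEPT policy.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22

Chain MY-CHAIN (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# audit_chains: reads a listing on stdin, writes one line per chain.
audit_chains() {
    awk '
    function flush() {
        if (chain == "") return
        closed = (policy == "DROP" || policy == "REJECT" ||
                  last == "DROP" || last == "REJECT")
        printf "%s %s %s %s\n", chain, policy,
               (last == "" ? "none" : last), (closed ? "closed" : "open")
    }
    /^Chain / {                  # "Chain NAME (policy X)" or "(N references)"
        flush()
        chain = $2
        policy = ($0 ~ /\(policy /) ? $4 : "-"
        sub(/\)$/, "", policy)   # strip the closing parenthesis
        last = ""
        next
    }
    /^[0-9]+[ \t]/ { last = $2 } # numbered rule line: remember its target
    END { flush() }'
}

# verdict_for CHAIN: the verdict for one chain of the sample listing.
verdict_for() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_chains | awk -v c="$1" '$1 == c { print $4 }'
}

printf '%s\n' "$SAMPLE_LISTING" | audit_chains
```

Run it against real output with `iptables -n -L --line-numbers | audit_chains` to spot chains that still rely on an ACCEPT policy.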
III. Clear all iptables rules
Before configuring iptables, you usually check for existing rules with iptables --list or iptables-save, because sometimes you need to delete the existing rules first:
iptables --flush   (or)   iptables -F
The two commands are equivalent. However, that does not mean everything is fine once they have run: you still need to verify that the rules were actually cleared, because on some Linux distributions this command does not clear the rules in the nat table. In that case you have to clear them manually:
iptables -t nat -F
IV. Making rules permanent
Rules you add or delete do not take effect permanently; they are lost after the system is restarted. How to make the configuration persistent depends on the platform. A brief introduction follows:
1. Ubuntu
First, save the existing rules:
iptables-save > /etc/iptables.rules
Then create a new bash script and save it in the /etc/network/if-pre-up.d/ directory:
#!/bin/bash
iptables-restore < /etc/iptables.rules
In this way, the iptables rules are loaded automatically after every restart.
Note: do not try to run the above commands from .bashrc or .profile; the user is generally not root, and that would only load the iptables rules at login.
2. CentOS, RedHat
# Save the iptables rules
service iptables save
# Restart iptables
service iptables stop
service iptables start
View the current rules:
cat /etc/sysconfig/iptables
5. Append iptables rules
Use the iptables -A command to append a new rule. -A stands for append, so the new rule is added to the end of the chain.
Usually the last rule in a chain DROPs all packets. If such a rule already exists and you add a new rule with -A, the new rule is useless, because the DROP rule before it matches first and the new rule is never reached.
1. Syntax
iptables -A chain firewall-rule
-A chain: the chain to which the rule is appended
firewall-rule: the match and target parameters of the rule
2. Basic rule parameters
The following rule parameters describe the protocol, source address, destination address, and network interface that are matched, and how matching packets are processed. These are the basic parts of a rule.
-p protocol
Specifies the protocol the rule matches, such as tcp, udp, icmp, or all.
If -p is not specified, the default is all. This is unwise; always specify the protocol.
You can specify the protocol by name (such as tcp) or by number (for example, 6 stands for tcp). For the mapping, see /etc/protocols.
You can also use --protocol instead of -p.
-s source address
Specifies the source address of the packet.
The parameter accepts IP addresses, network addresses, and host names.
Example: -s 192.168.1.101 specifies an IP address
Example: -s 192.168.1.10/24 specifies a network address
If -s is not specified, all source addresses match.
You can also use --src or --source.
-d destination address
Specifies the destination address of the packet.
The parameter takes the same forms as -s.
You can also use --dst or --destination.
-j target (jump to target)
-j stands for "jump to target".
-j specifies how a packet is processed when it matches the rule.
Possible values: ACCEPT, DROP, QUEUE, RETURN.
You can also specify another chain as the target.
-i input interface
-i stands for "input interface".
-i specifies the interface through which a packet must arrive to be processed.
These packets are about to enter the INPUT, FORWARD, and PREROUTING chains.
For example, -i eth0 processes packets that arrive through eth0.
If -i is not specified, packets arriving on all interfaces are processed.
With ! -i eth0, all packets arriving through interfaces other than eth0 are processed.
With -i eth+, all packets arriving through interfaces whose name starts with eth are processed.
You can also use --in-interface.
-o output interface
-o stands for "output interface".
-o specifies the interface through which the packet is sent out.
These packets are about to enter the FORWARD, OUTPUT, and POSTROUTING chains.
If -o is not specified, any interface on the system can be the output interface.
With ! -o eth0, only packets leaving through interfaces other than eth0 are processed.
With -o eth+, only packets leaving through interfaces whose name starts with eth are processed.
You can also use --out-interface.
3. Rule extension parameters
Beyond the basic description, we sometimes want to match the port, TCP flags, ICMP type, and so on.
--sport source port, for -p tcp or -p udp
By default, all ports match.
You can specify the port number or the port name, for example "--sport 22" or "--sport ssh".
The /etc/services file describes the mapping between names and numbers.
For performance, it is better to use the port number.
Use a colon to match a port range with --sport (first:last).
You can also use "--source-port".
--dport destination port, for -p tcp or -p udp
The parameter works like --sport.
You can also use "--destination-port".
--tcp-flags TCP flags, for -p tcp
Multiple flags can be specified, separated by commas.
Valid values: SYN, ACK, FIN, RST, URG, and PSH.
You can also use ALL or NONE.
--icmp-type ICMP type, for -p icmp
--icmp-type 0 is Echo Reply
--icmp-type 8 is Echo Request
4. Complete append example: allow only SSH
In this example, only SSH packets are allowed into the local machine; all other incoming connections (including ping) are dropped.
# 1. Clear all iptables rules
iptables -F
# 2. Accept SSH packets
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# 3. Drop all other packets
iptables -A INPUT -j DROP
6. Change the default policy
The preceding example only filters received packets and does not restrict outgoing packets. This section describes how to change a chain's policy in order to change the chain's behavior.
1. Default chain policy
Warning: do not test this on a remotely connected server or virtual machine!
When we use the -L option to check the current rules, there is a "policy ACCEPT" annotation next to every chain, which indicates that the default policy of the chain is ACCEPT:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
In this case, unless a DROP rule is explicitly added, the default ACCEPT policy is applied. To change that, either:
A) add a DROP rule to each of the three chains:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
B) or change the default policy:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Bad!! If you configured iptables exactly as in the previous section's example and are connected over SSH, your session has probably just been terminated!
Why? Because we changed the OUTPUT chain policy to DROP. Now the server can still receive data but cannot send any:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
7. Configure application rules
Section 5.4 showed how to block everything except SSH, but that was done with a chain policy of ACCEPT and no restriction on outgoing packets. This section describes how to set up the firewall with a default chain policy of DROP, based on the ports used by SSH and HTTP. It introduces a new parameter, -m state, which checks the connection state of the packet.
1. SSH
# 1. Allow incoming SSH requests from remote hosts
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Allow the local host to send SSH responses
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-m state: loads the state matching module.
--state: parameter of the state matching module. When the first packet from the SSH client reaches the server, its state is NEW. After the connection is ESTABLISHED, the state of every packet is ESTABLISHED.
--sport 22: sshd listens on port 22, establishes the connection with the client, and transmits data from that port. Therefore, for an SSH server, the source port is 22.
--dport 22: the SSH client connects from a random local port to port 22 of the SSH server. Therefore, for an SSH client, the destination port is 22.
If the server also needs to connect to other remote hosts over SSH, add the following rules:
# 1. Outgoing packets with destination port 22
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Incoming packets with source port 22
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
2. HTTP
The HTTP configuration is similar to SSH:
# 1. Allow incoming HTTP requests from remote hosts
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Allow the local host to send HTTP responses
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
3. Complete configuration
# 1. Delete existing rules
iptables -F
# 2. Set the default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# 3. Allow remote hosts to connect to this host over SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 4. Allow this host to connect to remote hosts over SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# 5. Allow HTTP requests
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
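As an added example (not the tutorial's own code), here is the same default-DROP SSH + HTTP policy emitted in iptables-save/iptables-restore format, so it can be checked with iptables-restore --test and loaded in one atomic step instead of rule by rule; the function names and the interface/port parameters are this example's own choices.

```shell
#!/bin/sh
# Added example: emit the tutorial's default-DROP SSH + HTTP ruleset in
# iptables-restore format. iptables-restore replaces the whole table at once,
# so there is no moment at which the policy is already DROP but the ACCEPT
# rules are not yet in place (the sequence above, -P first and -A afterwards,
# has such a moment and briefly drops all traffic, including an open SSH session).
# gen_ruleset IFACE SSH_PORT HTTP_PORT   (parameter names chosen here)
gen_ruleset() {
    iface=$1; ssh=$2; http=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Remote hosts connecting to this host's sshd, and its replies
-A INPUT -i $iface -p tcp --dport $ssh -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -p tcp --sport $ssh -m state --state ESTABLISHED -j ACCEPT
# This host connecting to a remote sshd, and the replies
-A OUTPUT -o $iface -p tcp --dport $ssh -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $iface -p tcp --sport $ssh -m state --state ESTABLISHED -j ACCEPT
# Remote hosts connecting to this host's HTTP server, and its replies
-A INPUT -i $iface -p tcp --dport $http -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -p tcp --sport $http -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# count_accepts ARGS: number of ACCEPT rules in the generated file
count_accepts() { gen_ruleset "$@" | grep -c -- '-j ACCEPT'; }

# policy_of CHAIN ARGS: the default policy the generated file sets for CHAIN
policy_of() { c=$1; shift; gen_ruleset "$@" | awk -v c=":$c" '$1 == c { print $2 }'; }

# Print the ruleset for eth0, SSH on 22, HTTP on 80
gen_ruleset eth0 22 80
```

Redirect the output to a file and validate it with `iptables-restore --test < file` before loading; note that, like the tutorial's ruleset, it allows no loopback or DNS traffic, so local services that talk to 127.0.0.1 need an extra rule.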