iptables command, rules, parameters detailed


Tables (table)
iptables consists of 4 tables.
The 4 tables are prioritized from high to low: raw --> mangle --> nat --> filter
raw --- The raw table is used only on the PREROUTING and OUTPUT chains. Because it has the highest priority, packets can be processed here before connection tracking sees them. Once a packet has been handled by the raw table on a chain, the nat table and ip_conntrack processing are skipped for that packet, i.e. it receives neither address translation nor connection tracking.
filter --- This is the default table, with the three chains INPUT, FORWARD and OUTPUT; it is the table used for packet filtering.
nat --- This table has the two chains PREROUTING and POSTROUTING; its main function is one-to-one, one-to-many and many-to-many network address translation (SNAT, DNAT).
mangle --- This table has the three chains PREROUTING, FORWARD and POSTROUTING. Besides address translation, some special applications need to rewrite packet fields (TTL, TOS) or set a mark on the packet (MARK, so that later rules can filter on it); these tasks must be defined in the mangle table.

Common commands:
-A append a rule --> iptables -A INPUT
-D delete a rule --> iptables -D INPUT 1 (by rule number)
-R replace a rule --> iptables -R INPUT 1 -s 192.168.12.0 -j DROP replaces the rule at the given position with the new rule (1 is the position)
-I insert a rule --> iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT inserts a rule at the given position; the rule originally at that position moves back by one
-L list rules --> iptables -L INPUT lists all rules in the chain
-N new chain --> iptables -N allowed defines a new chain named allowed

General parameters:
-p protocol, example: iptables -A INPUT -p tcp
-s source address, example: iptables -A INPUT -s 192.168.1.1
-d destination address, example: iptables -A INPUT -d 192.168.12.1
--sport source port, example: iptables -A INPUT -p tcp --sport 22
--dport destination port, example: iptables -A INPUT -p tcp --dport 22
-i specify the ingress NIC, example: iptables -A INPUT -i eth0
-o specify the egress NIC, example: iptables -A FORWARD -o eth0

-j specifies the action (target) to take
Common actions:
DROP: discard the packet
REJECT: explicitly refuse the packet
ACCEPT: accept the packet
SNAT: translation of the source address
--to-source specifies the new source address
For example, we now want all IPs of the 192.168.10.0 network segment to be translated into 172.16.100.1, a hypothetical external address:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1 (the live IP on the external network)
In this way, any attempt from the local network to reach the outside through that NIC will appear to come from the IP 172.16.100.1.
MASQUERADE (dynamic masquerading) --- used when the external IP is obtained dynamically, as with home broadband
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
DNAT: destination address translation
--to-destination specifies the new destination address
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
Connections to port 80 of 192.168.10.18 are translated to 172.16.100.2
MASQUERADE: source address masquerading
REDIRECT: redirect, used primarily for port redirection
MARK: set a firewall mark on the packet
RETURN: return to the calling chain; used after a custom chain has finished executing

Chain (chain)
Each table has its own set of built-in chains, and custom chains can be created so that a set of rules can be grouped together.
The filter table has the INPUT, OUTPUT and FORWARD chains.

Matching (match)
Each iptables rule contains a set of matches and a target. A match is a condition that the packet must satisfy; only when a packet satisfies all of a rule's matches does iptables process the packet with the action specified by the rule's target.
Matches are specified on the iptables command line:
source (-s) -- match the source IP address or network
destination (-d) -- match the destination IP address or network
protocol (-p) -- match the IP protocol value
in-interface (-i) -- the inbound interface (for example eth0)
out-interface (-o) -- the outbound interface
state -- match a set of connection states
string -- match a byte sequence in the application-layer data
comment -- associate up to 256 bytes of annotation data with a rule in kernel memory

Target (target)
iptables supports a set of targets that trigger an action when a packet matches a rule:
ACCEPT -- allows the packet to pass through
DROP -- discards the packet and does no further processing of it, as if the packet had never been received by the network stack
LOG -- logs packet information to syslog
REJECT -- drops the packet while sending an appropriate response message (a TCP RST for TCP connections, or an ICMP port-unreachable for UDP packets)
RETURN -- continues processing the packet in the calling chain

vi /etc/sysconfig/iptables (policy file)
vi /etc/sysconfig/iptables-config (configuration file)

iptables has 5 built-in rule chains by default:
PREROUTING (before routing), INPUT (to the local host), FORWARD (forwarded through the host), OUTPUT (from the local host), POSTROUTING (after routing)


1. Chain management commands (these take effect immediately)
-P: set the default policy (set whether the default door is closed or open)
There are generally only two default policies:
iptables -P INPUT (DROP|ACCEPT)
DROP means closed by default, ACCEPT means open by default
For example:
iptables -P INPUT DROP
This makes the default rule deny. If no ACCEPT rule has been defined, every connection from outside, including the Xshell connection being used for remote access, is rejected.
-F: flush, empties a rule chain (note the administrative permissions on each chain)
iptables -t nat -F PREROUTING
iptables -t nat -F clears all chains of the nat table
-N: new, lets the user create a new chain
iptables -N inbound_tcp_web creates a chain named inbound_tcp_web, meant for checking TCP web traffic
-X: deletes a user-defined empty chain
Used the same way as -N, but the chain must be emptied before it is deleted
-E: rename a chain; mainly used to rename a user-defined chain
iptables -E oldname newname
-Z: zero the counters of the chain, including the counters of the default policy (there are two counters: how many packets matched, and how many bytes)
iptables -Z: zero the counters

2. Rule management commands
-A: append, adds a rule at the end of the current chain
-I num: insert, inserts the rule at position num
-I 3: insert as the third rule
-R num: replace, replaces/modifies the rule at position num
Format: iptables -R 3 ......
-D num: delete, explicitly deletes the rule at position num

3. Viewing rules: "-L"
Additional options:
-n: display IPs numerically; without it, iptables resolves IPs back to hostnames
-v: show more information
-vv
-vvv: the more v's, the more detail
-x: display the exact values of the counters, without unit conversion (lowercase; uppercase -X deletes a chain)
--line-numbers: display the rule number of each rule
-t nat: display the rules of the nat table
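As an added example (not from the page), a check over the output of iptables -L FORWARD -v -n -x --line-numbers that reports rules whose packet counter is still zero after a test run, and rules whose match fields exactly repeat an earlier rule and can therefore never be reached. -x keeps the counters exact and -n avoids DNS lookups; the listing below is constructed sample text in that column layout, not a real capture.

```shell
# Constructed sample listing (not a real capture) in the column layout of
# "iptables -L FORWARD -v -n -x --line-numbers": num pkts bytes target prot
# opt in out source destination [match text]
SAMPLE_LISTING='Chain FORWARD (policy DROP 7 packets, 420 bytes)
num   pkts bytes target prot opt in   out source           destination
1        0     0 LOG    all  --  *    *   0.0.0.0/0        0.0.0.0/0   state INVALID LOG flags 7 level 4 prefix "DROP INVALID "
2        0     0 DROP   all  --  *    *   0.0.0.0/0        0.0.0.0/0   state INVALID
3     1542 98712 ACCEPT all  --  *    *   0.0.0.0/0        0.0.0.0/0   state RELATED,ESTABLISHED
4        3   180 LOG    all  --  eth1 *   !192.168.10.0/24 0.0.0.0/0   LOG flags 0 level 4 prefix "SPOOFED PKT "
5        3   180 DROP   all  --  eth1 *   !192.168.10.0/24 0.0.0.0/0
6       12   720 ACCEPT tcp  --  eth1 *   192.168.10.0/24  0.0.0.0/0   tcp dpt:22 flags:0x17/0x02 state NEW
7        0     0 ACCEPT tcp  --  eth1 *   192.168.10.0/24  0.0.0.0/0   tcp dpt:22 flags:0x17/0x02 state NEW
8        7   420 LOG    all  --  !lo  *   0.0.0.0/0        0.0.0.0/0   LOG flags 0 level 4 prefix "DROP "'

# unhit_rules CHAIN: read a listing on stdin, print "num target match-text"
# for every rule in CHAIN whose packet counter is 0
unhit_rules() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; next }               # "Chain NAME (policy ...)"
    /^num /   { next }                          # column header line
    cur == chain && NF >= 10 && $2 == 0 {
      rest = ""; for (i = 11; i <= NF; i++) rest = rest " " $i
      print $1, $4 rest
    }'
}

# shadowed_rules CHAIN: print "num shadowed by earlier-num" for rules whose
# match fields (everything after the target) repeat an earlier rule exactly
shadowed_rules() {
  awk -v chain="$1" '
    /^Chain / { cur = $2; next }
    /^num /   { next }
    cur == chain && NF >= 10 {
      key = ""; for (i = 5; i <= NF; i++) key = key " " $i
      if (key in seen) print $1, "shadowed by", seen[key]; else seen[key] = $1
    }'
}
```

Rules 1 and 2 are unhit simply because no INVALID packets were seen, while rule 7 is unhit because rule 6 already matches everything it would; the two reports together separate the harmless case from the ordering mistake.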

4. Detailed matching criteria


2. Extended matches
2.1 Implicit extensions: extensions of the protocols
-p tcp: extensions of the TCP protocol. There are generally three:
--dport xx:xx: specify the destination port. You cannot specify multiple non-contiguous ports; only a single port or a contiguous range, for example
--dport 21 or --dport 21:23 (this means 21, 22, 23)
--sport: specify the source port
--tcp-flags: the TCP flags (SYN, ACK, FIN, PSH, RST, URG)
It is usually followed by two parameters:
1. the flags to examine
2. the flags that must be set (1) among those examined
--tcp-flags SYN,ACK,FIN,RST SYN is equivalent to --syn
This means the 4 flags are examined, SYN among the 4 must be 1, and the other three must be 0. So it matches the first packet of the TCP three-way handshake. For this match on the first packet with only SYN set, there is also a shorthand called --syn.
-p udp: extensions of the UDP protocol
--dport
--sport
-p icmp: extensions of the ICMP protocol
--icmp-type:
echo-request (request echo) is generally denoted by 8
So --icmp-type 8 matches the echo request packet
echo-reply (the reply packet) can be matched in the same way by its type number

2.2 Explicit extensions (-m)
Extensions provided by the various match modules
-m multiport: enables the multiport extension
Then we can match several ports at once, like --dports 21,23,80

Policy requirements:
Domain Name System (DNS) queries
File Transfer Protocol (FTP) transfers
Network Time Protocol (NTP) queries
Secure Shell (SSH) sessions
Simple Mail Transfer Protocol (SMTP) sessions
Web sessions over HTTP/HTTPS
WHOIS queries

Network layout:
External scanner, external web server and external DNS server ---- Internet ---- eth0 (71.157.x.x) iptables firewall (host name: iptables) eth1 (192.168.10.1) ---- LAN 192.168.10.0/24
LAN hosts: client (192.168.10.50), intranet scanner (192.168.10.200), web server (192.168.10.3), DNS server (192.168.10.4)
Script:
iptables.sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.10.0/24
### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules ..."
$IPTABLES -F                # empty the rule chains of the filter table
$IPTABLES -F -t nat         # empty the nat table
$IPTABLES -X                # delete the user-defined empty chains
$IPTABLES -P INPUT DROP     # close the INPUT chain by default
$IPTABLES -P OUTPUT DROP    # close the OUTPUT chain by default
$IPTABLES -P FORWARD DROP   # close the FORWARD chain by default
### load connection-tracking modules
$MODPROBE ip_conntrack      # load the ip_conntrack module
$MODPROBE iptable_nat       # load the iptable_nat module
$MODPROBE ip_conntrack_ftp  # load the ip_conntrack_ftp module (FTP connection-tracking helper)
$MODPROBE ip_nat_ftp        # load the ip_nat_ftp module (FTP NAT helper)

INPUT chain
The INPUT chain is where iptables controls whether packets destined for the local system may reach local sockets. If the first rule in the INPUT chain tells iptables to discard packets (or the policy of the INPUT chain is set to DROP), every attempt to communicate directly with the system over any IP protocol (such as TCP, UDP or ICMP) fails. ARP works at the data link layer rather than the network layer, and iptables only filters IP packets and the protocols carried over IP, so iptables cannot filter ARP messages.

### INPUT chain ###
echo "[+] Setting up INPUT chain ..."
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## anti-spoofing rules
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT"
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j DROP

## ACCEPT rules
## (the port number of the next rule is garbled on the page; PORT marks it)
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

## default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options

The commands for building the OUTPUT chain rule set are as follows:
### OUTPUT chain ###
echo "[+] Setting up OUTPUT chain ..."
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out of the firewall
## (six of the eight destination port numbers are missing from the page; PORT marks each missing one)
$IPTABLES -A OUTPUT -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options

FORWARD chain
The FORWARD chain in the filter table controls which packets may be forwarded from one firewall interface to another:
### FORWARD chain ###
echo "[+] Setting up FORWARD chain ..."
### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT"
$IPTABLES -A FORWARD -i eth1 ! -s $INT_NET -j DROP

### ACCEPT rules
## (most destination port numbers are missing from the page; PORT marks each missing one)
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport PORT --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
FTP, SSH, SMTP and WHOIS connections may be initiated through the firewall, but these must originate from the internal subnet on the internal interface (eth1); HTTP, HTTPS and DNS traffic is allowed through the firewall from any source address.
### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options

Network Address Translation
The nat table of iptables is dedicated to defining all NAT rules, and it has two chains: PREROUTING and POSTROUTING. The PREROUTING chain applies the nat table's rules to packets that have not yet passed through the kernel's routing decision (which determines the interface a packet is sent out of); packets processed in this chain have not yet been seen by the INPUT or FORWARD chain of the filter table.
The POSTROUTING chain handles packets that have already passed through the kernel's routing decision, so the outgoing physical interface is known and the packet is about to leave through it; packets processed in this chain have already passed the checks of the OUTPUT or FORWARD chain of the filter table.
## NAT rules
echo "[+] Setting up NAT rules ..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.10.4:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE
The IP addresses of the intranet web server and DNS server are 192.168.10.3 and 192.168.10.4. These iptables commands provide the NAT function: the 3 PREROUTING rules let web and DNS requests from the external network be delivered to the appropriate intranet server, and the POSTROUTING rule makes connections from the internal, non-routable network to the external Internet look as if they come from the IP address 71.157.x.x.
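As an added example (not the page's iptables.sh), the FORWARD policy described above and the NAT rules rebuilt as shell functions with a dry-run mode, so the generated rule set can be reviewed before it is loaded (loading it needs root). Assumed, not taken from the page: the IANA ports of the services named in the policy list (FTP 21, SSH 22, SMTP 25, WHOIS 43, HTTP 80, HTTPS 443, DNS 53), and the -m multiport match from section 2.2 collapsing the per-port rules into one rule per source class; interface names and addresses are those of the page's diagram.

```shell
#!/bin/sh
# Added example: rebuilds the page's FORWARD policy and NAT rules from the
# service list. Assumed IANA ports: FTP 21, SSH 22, SMTP 25, WHOIS 43,
# HTTP 80, HTTPS 443, DNS 53. DRY_RUN=1 prints the commands instead of
# running them; set DRY_RUN=0 (as root) to load them for real.
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
EXT_IF=eth0; INT_IF=eth1
INT_NET=192.168.10.0/24
WEB_SRV=192.168.10.3; DNS_SRV=192.168.10.4

ipt() {  # run one iptables command, or print it in dry-run mode
  if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

forward_policy() {
  # state tracking first: INVALID is logged then dropped, replies are accepted
  ipt -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
  ipt -A FORWARD -m state --state INVALID -j DROP
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # anti-spoofing: nothing arriving on the LAN interface may claim a non-LAN source
  ipt -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j LOG --log-prefix "SPOOFED PKT "
  ipt -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j DROP
  # FTP, SSH, SMTP, WHOIS only from the LAN; one multiport rule replaces four
  ipt -A FORWARD -i "$INT_IF" -s "$INT_NET" -p tcp -m multiport \
      --dports 21,22,25,43 --syn -m state --state NEW -j ACCEPT
  # HTTP, HTTPS and DNS from any source
  ipt -A FORWARD -p tcp -m multiport --dports 80,443 --syn -m state --state NEW -j ACCEPT
  ipt -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
  ipt -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
  # default log rule: whatever was not accepted is logged before policy DROP applies
  ipt -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
}

nat_policy() {
  # publish the internal web and DNS servers on the external interface (DNAT);
  # the page's DNS rule uses TCP 53, DNS queries over UDP 53 would need a second rule
  ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to "$WEB_SRV:80"
  ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 443 -j DNAT --to "$WEB_SRV:443"
  ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 53 -j DNAT --to "$DNS_SRV:53"
  # LAN traffic leaving via eth0 is masqueraded behind the external address
  ipt -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

rule_count() { "$1" | grep -c . ; }   # number of rules a policy function emits
```

Run it with DRY_RUN=1 first and diff the printed rules against the policy requirements list; the order of the state-tracking and anti-spoofing rules ahead of the ACCEPT rules is what makes the later rules safe.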

The final step in building the iptables policy is to enable IP forwarding in the Linux kernel:
### forwarding ###
echo "[+] Enabling IP forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward

Commands used for testing:
hping
nc
