Iptables common parameters and configuration rules

Source: Internet
Author: User
The previous two articles described how iptables works and its common parameters. In this article I use examples to illustrate common iptables configurations. With small modifications these configurations can be used directly in a production environment; if you need them, study the explanations carefully so that you can learn and apply them.

Saving rules
Rules created with the iptables program are stored only in memory. Normally, after we modify the iptables rules and restart iptables, the modifications disappear. How can we save the newly created rules?
Method 1: on RHEL and CentOS systems, use service iptables save to save the rules currently in memory to the file /etc/sysconfig/iptables:
[root@lampbo ~]# service iptables save
Method 2: edit /etc/sysconfig/iptables-config and change IPTABLES_SAVE_ON_STOP="no" to IPTABLES_SAVE_ON_STOP="yes", so that the existing rules are automatically saved to /etc/sysconfig/iptables before the service is stopped.

Rule examples
First, a review of the iptables command format:
iptables [-t table] command [match] [-j target/jump]
The -t parameter specifies the rule table. There are three built-in tables: nat, mangle, and filter. If no table is specified, filter is assumed.
The functions of each rule table are as follows:
nat: this table has two chains, PREROUTING and POSTROUTING. Its main function is one-to-one, one-to-many, and many-to-many address translation (SNAT, DNAT). Because of how translation works, a packet whose destination address needs to be translated does not need its source address translated, and vice versa. Therefore, to make packet rewriting efficient, each packet passes through this table only once while the firewall is operating. If we define packet filtering rules in this table, the same packet cannot be compared against them more than once. This table is therefore used only for address translation; do not use it for other purposes.
mangle: this table has three chains: PREROUTING, FORWARD, and POSTROUTING. Apart from the packet modification done during address translation, some special applications need to rewrite packets (TTL, TOS) or set a MARK on them (marking packets so they can be filtered later); these tasks must be defined in the mangle table. The table is mainly used to modify specified packets. In Linux kernels after version 2.4.18 it contains the following chains: INPUT (processing incoming packets), FORWARD (processing forwarded packets), OUTPUT (processing locally generated packets), POSTROUTING (modifying outgoing packets), and PREROUTING (modifying incoming packets).
filter: this is the default table, with three chains: INPUT, FORWARD, and OUTPUT. As its name suggests, it is used to filter packets (for example DROP, LOG, ACCEPT, or REJECT); we create the basic rules in this table.

(1) Examples of common commands:
1. Command -A, --append
Example: iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Note: appends a rule to the INPUT chain that accepts inbound packets whose destination port is 80. The rule becomes the last rule in the chain.
2. Command -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j ACCEPT
Or: iptables -D INPUT 1
Note: deletes the rule created above from the INPUT chain. You can enter the complete rule or specify the rule number directly.
3. Command -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Note: replaces the current first rule. The order of the rules does not change after the replacement.
4. Command -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Note: inserts a rule before the first rule. The rule previously at that position moves down one position.
5. Command -L, --list
Example: iptables -L INPUT
Note: lists all rules in the INPUT chain.
6. Command -F, --flush
Example: iptables -F INPUT
Note: deletes all rules in the INPUT chain.
7. Command -Z, --zero
Example: iptables -Z INPUT
Note: resets the packet counters of the INPUT chain to zero. The counters are a tool for measuring how often the same kind of packet occurs and for filtering out blocking attacks.
8. Command -N, --new-chain
Example: iptables -N denied
Note: defines a new rule chain.
9. Command -X, --delete-chain
Example: iptables -X denied
Note: deletes a rule chain.
10. Command -P, --policy
Example: iptables -P INPUT DROP
Note: defines the default policy. If a packet matches no rule, it is processed according to this default.
11. Command -E, --rename-chain
Example: iptables -E denied disallowed
Note: renames a user-defined chain.

(2) Common packet matching parameters:
1. Parameter -p, --protocol
Example: iptables -A INPUT -p tcp
Note: used to match the protocol type. The ! operator inverts the match; for example, -p ! tcp means all types other than tcp, including udp, icmp, etc. To match all types, use the keyword all, for example -p all.
2. Parameter -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.100
Note: used to match the source IP address of the packet, which can be a single host or a network. When matching a network, use a mask, for example -s 192.168.0.0/24. The ! operator inverts the match, for example -s ! 192.168.0.0/24.
3. Parameter -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.100
Note: used to match the destination IP address of the packet.
4. Parameter -i, --in-interface
Example: iptables -A INPUT -i lo
Note: used to match the network interface through which the packet enters. The wildcard + matches a whole group of interfaces; for example, -i eth+ means all Ethernet interfaces. The ! operator inverts the match, for example -i ! eth0. Here lo refers to the local loopback interface.
5. Parameter -o, --out-interface
Example: iptables -A FORWARD -o eth0
Note: used to match the network interface through which the packet will leave. The setting method is the same as above.
6. Parameter --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Note: used to match the source port number of the packet, either a single port or a range; for example, --sport 22:80 matches ports 22 through 80. To match several non-consecutive ports you must use the --multiport parameter, described below. The ! operator inverts the match.
7. Parameter --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Note: used to match the destination port number of the packet. The setting method is the same as above.
8. Parameter --tcp-flags
Example: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Note: matches the status flags of a TCP packet. The parameter has two parts: the first lists the flags to be examined, the second lists which of those flags must be set; the examined flags not listed in the second part must be clear. The TCP flags SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent), and PSH (push) can be used, as well as the keywords ALL and NONE. The ! operator inverts the match.
9. Parameter --syn
Example: iptables -A INPUT -p tcp --syn
Note: used to match whether a TCP packet is a connection request. It works exactly the same as iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator it matches packets that are not connection requests.
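The mask/compare semantics of --tcp-flags and the --syn shorthand described above, as an added example that is not from the original article. It is a Python simulation rather than an iptables command because the match logic itself, not the kernel, is what it illustrates; the flag bit values are the standard TCP header bits and the sample flag bytes are constructed.

```python
# Added example (not from the original article): the --tcp-flags match
# semantics as a small simulation. '--tcp-flags MASK COMP' matches when,
# among the flags named in MASK, exactly the flags named in COMP are set
# and the rest are clear; flags outside MASK are ignored. '--syn' is the
# shorthand the text gives: SYN,FIN,ACK SYN.

# TCP flag bits as they appear in the flags byte of the TCP header.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def flags_to_bits(spec):
    """Turn 'SYN,FIN,ACK', 'ALL' or 'NONE' into a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name.strip()]
    return bits


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """Model of '[!] --tcp-flags MASK COMP' against a packet's flag byte."""
    matched = (packet_flags & flags_to_bits(mask)) == flags_to_bits(comp)
    return matched != invert


def syn_match(packet_flags, invert=False):
    """Model of '[!] --syn' as the article defines it: SYN,FIN,ACK SYN.
    (The iptables manual's definition also clears RST: SYN,RST,ACK,FIN SYN.)"""
    return tcp_flags_match(packet_flags, "SYN,FIN,ACK", "SYN", invert)


if __name__ == "__main__":
    syn_only = TCP_FLAGS["SYN"]                      # connection request
    syn_ack = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]    # reply to a request
    print("SYN     matches --syn:", syn_match(syn_only))  # True
    print("SYN/ACK matches --syn:", syn_match(syn_ack))   # False
    # URG is outside the mask, so it does not disturb the match.
    print("SYN+URG matches --syn:", syn_match(syn_only | TCP_FLAGS["URG"]))  # True
```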
10. Parameter -m multiport --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,110 -j ACCEPT
Note: used to match multiple non-consecutive source port numbers; up to 15 ports can be matched at a time. The ! operator inverts the match.
11. Parameter -m multiport --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110 -j ACCEPT
Note: used to match multiple non-consecutive destination port numbers. The setting method is the same as above.
12. Parameter -m multiport --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110 -j ACCEPT
Note: this parameter is special: it matches packets whose source port number and destination port number are the same. The setting method is the same as above. Note that in this example, a packet with source port 80 and destination port 110 does not match.
13. Parameter --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8 -j DROP
Note: used to match the ICMP type; you can use either the type name or its number. Run iptables -p icmp --help to see the available type names. This example blocks pings to the host, while pings from the host are still allowed.
14. Parameter -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Note: used to match the average rate of packets over a period of time. The example above matches as long as the average rate does not exceed three packets per hour. Besides per hour, the rate can be per second, per minute, or per day; the default is per hour. The available units are /second, /minute, /hour, and /day. Besides counting packets, this parameter also suspends matching once the limit is reached, so that flood attacks do not interrupt the service.
15. Parameter --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Note: used to match the number of packets arriving at once in a burst. The example above matches bursts of up to five packets at a time (this is the default value); packets beyond this limit are discarded directly. Its usage is the same as above.
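How --limit and --limit-burst work together, as an added example that is not from the original article: the limit match is a token bucket that starts with --limit-burst tokens, spends one per matching packet, and refills at the --limit rate. The simulation below is my own Python model of that behaviour, and the packet arrival times are constructed.

```python
# Added example (not from the original article): a simulation of the
# '-m limit --limit 3/hour --limit-burst 5' match described above.
# The limit match is a token bucket: the bucket starts full with
# --limit-burst tokens, each matching packet spends one token, and
# tokens refill at the --limit rate. While the bucket is empty the rule
# stops matching, which is the flood protection the text refers to.
# All timestamps below are constructed for illustration.

PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Turn '3/hour' (or '3', defaulting to per hour) into tokens per second."""
    count, _, unit = spec.partition("/")
    return int(count) / PERIOD_SECONDS[(unit or "hour").strip().lower()]


class LimitMatch:
    """Stateful model of '-m limit --limit RATE --limit-burst BURST'."""

    def __init__(self, limit="3/hour", burst=5):
        self.rate = parse_rate(limit)   # tokens added per second
        self.burst = burst              # bucket capacity and initial fill
        self.tokens = float(burst)
        self.last_seen = None

    def matches(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches."""
        if self.last_seen is not None:
            refill = (now - self.last_seen) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limit, burst, arrival_times):
    """Run one LimitMatch over a list of arrival times; return the verdicts."""
    m = LimitMatch(limit, burst)
    return [m.matches(t) for t in arrival_times]


if __name__ == "__main__":
    # Six packets in a burst at t=0, then two more half an hour later.
    times = [0, 0, 0, 0, 0, 0, 1800, 1800]
    print(simulate("3/hour", 5, times))
    # -> [True, True, True, True, True, False, True, False]
```

The sixth packet of the burst fails because the five burst tokens are spent; half an hour later only 1.5 tokens have been refilled, so exactly one more packet matches.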
16. Parameter -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT
Note: used to match the hardware (MAC) address of the network interface the packet came from. It cannot be used in the OUTPUT or POSTROUTING chains, because a packet is sent to the network only after the NIC driver has discovered the destination MAC address through ARP; at the time iptables compares the packet, it does not yet know which network interface the packet will leave through.
17. Parameter --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Note: used to match whether a packet carries a given mark number. When a packet matches a rule, we can mark it with a number using the MARK target. The number cannot exceed 4294967296.
18. Parameter -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Note: used to match packets originating from the local machine and check whether they were generated by a specific user. This prevents the server from sending out sensitive data as root or another identity, and can reduce the damage to the system. Unfortunately, this match cannot be applied to packets from other hosts.
19. Parameter -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Note: used to match packets from the local machine and check whether they were generated by a specific user group.
20. Parameter -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Note: used to match packets from the local machine and check whether they were generated by a specific process.
21. Parameter -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Note: used to match packets from the local machine and check whether they were generated by a specific session (session ID).
22. Parameter -m state --state
Example: iptables -A INPUT -m state --state