Iptables Detailed Tutorial

Source: Internet
Author: User
2.1 Packet flow diagram

     -->PREROUTING-->[route]-->FORWARD-->POSTROUTING-->
         mangle        |       mangle    ^   mangle
         nat           |       filter    |   nat
                       |                 |
                       V                 |
                     INPUT             OUTPUT
                     mangle            mangle
                     filter            nat
                       |               filter
                       V------>local------>|
2.2 Chains and tables


Tables
filter: as the name says, used for filtering packets
nat: as the name says, used for NAT (Network Address Translation)

Chains
INPUT: in the filter table; matches packets whose destination IP is this machine
FORWARD: in the filter table; matches packets that pass through this machine
PREROUTING: in the nat table; used to modify the destination address (DNAT)
POSTROUTING: in the nat table; used to modify the source address (SNAT)

3.1 iptables syntax overview
iptables [-t table to operate on]
         <command>
         [chain to operate on]
         [rule number]
         [match criteria]
         [-j action to take on match]
3.2 Command overview
Action commands (-A, -I, -D, -R, -P, -F)
View commands (-[vnx]L)
3.2.1 -A
-A <chain name>
APPEND: append a rule (placed at the end of the chain)

For example:
iptables -t filter -A INPUT -j DROP

Appends a rule to the INPUT chain of the filter table (as the last rule):
match all packets destined for a local IP and drop them
3.2.2 -I
-I <chain name> [rule number]
INSERT: insert a rule

For example:
iptables -I INPUT -j DROP
Inserts a rule into the INPUT chain of the filter table (as rule 1)

iptables -I INPUT 3 -j DROP
Inserts a rule into the INPUT chain of the filter table (as rule 3)

Note:
1. If -t filter is omitted, the filter table is used by default
2. -I <chain> [rule number]: if the rule number is omitted, it defaults to 1
3. The rule number must be ≤ (number of existing rules + 1), otherwise an error is reported
3.2.3 -D
-D <chain name> <rule number | content of the rule>
DELETE: delete a rule

For example:
iptables -D INPUT 3 (match by number)
Deletes the third rule in the INPUT chain of the filter table (whatever its content)

iptables -D INPUT -s 192.168.0.1 -j DROP (match by content)
Deletes the rule in the INPUT chain of the filter table whose content is "-s 192.168.0.1 -j DROP"
(wherever it is located)

Note:
1. If several rules in the list have the same content, matching by content deletes only the one with the lowest number
2. When deleting by number, the rule number must be ≤ the number of existing rules, otherwise an error is reported
3. When deleting by content, the rule must exist, otherwise an error is reported

3.2.3 -R
-R <chain name> <rule number> <content of the rule>
REPLACE: replace a rule

For example:
iptables -R INPUT 3 -j ACCEPT
Replaces the content of rule number 3 with "-j ACCEPT"

Note:
The rule number must be ≤ the number of existing rules, otherwise an error is reported

3.2.4 -P
-P <chain name> <action>
POLICY: set the default policy of a chain

For example:
iptables -P INPUT DROP
Sets the default policy of the INPUT chain of the filter table to DROP

Note:
When a packet matches no rule in the chain's rule list, this default policy is applied to it

3.2.5 -F
-F [chain name]
FLUSH: clear the rules

For example:
iptables -F INPUT
Clears all rules in the INPUT chain of the filter table

iptables -t nat -F PREROUTING
Clears all rules in the PREROUTING chain of the nat table

Note:
1. -F only clears the rules in the chain; it does not affect the default policy set with -P
2. If the policy has been set to DROP with -P, use -F with care: after the flush only the DROP policy is left, so every packet on that chain is dropped
3. If no chain name is given, the rules of all chains in the table are cleared
3.2.6 -[vxn]L
-L [chain name]
LIST: list the rules

v: show details, including the number of packets and bytes matched by each rule
x: on top of v, disable automatic unit conversion (K, M) of the counters
n: show only IP addresses and port numbers; do not resolve domain names or service names

For example:
iptables -L
Roughly lists all chains and all rules of the filter table

iptables -t nat -vnL
Lists all rules of all chains in the nat table in detail, showing only IP addresses and port numbers

iptables -t nat -vxnL PREROUTING
Lists all rules of the PREROUTING chain of the nat table in detail, with exact counters and no name resolution
3.3 Matching criteria
Inbound and outbound interface (-i, -o)
Source and destination address (-s, -d)
Protocol type (-p)
Source and destination port (--sport, --dport)
3.3.1 Match by network interface
-i <interface the packet comes in on>
For example:
-i eth0
Matches packets that came in through interface eth0

-i ppp0
Matches packets that came in through interface ppp0

-o <interface the packet goes out on>
For example:
-o eth0
-o ppp0
3.3.2 Match by source and destination address
-s <source address to match>
Can be an IP, a network, a domain name, or empty (any address)
For example:
-s 192.168.0.1 matches packets from 192.168.0.1
-s 192.168.1.0/24 matches packets from the 192.168.1.0/24 network
-s 192.168.0.0/16 matches packets from the 192.168.0.0/16 network

-d <destination address to match>
Can be an IP, a network, a domain name, or empty
For example:
-d 202.106.0.20 matches packets to 202.106.0.20
-d 202.106.0.0/16 matches packets to the 202.106.0.0/16 network
-d www.abc.com matches packets to the domain www.abc.com
Note: a domain name is resolved once, when the rule is added; the rule stores the resulting IP address(es), not the name

3.3.3 Match by protocol type
-p <protocol type to match>
Can be tcp, udp, icmp, and so on, or empty
For example:
-p tcp
-p udp
-p icmp --icmp-type <type>
ping (echo request): type 8; pong (echo reply): type 0
3.3.4 Match by source and destination port
--sport <source port to match>
Can be a single port or a port range
For example:
--sport 1000 matches packets with source port 1000
--sport 1000:3000 matches packets with source port 1000-3000 (1000 and 3000 included)
--sport :3000 matches packets with source port up to 3000 (3000 included)
--sport 1000: matches packets with source port 1000 or above (1000 included)

--dport <destination port to match>
Can be a single port or a port range
For example:
--dport 80 matches packets with destination port 80
--dport 6000:8000 matches packets with destination port 6000-8000 (6000 and 8000 included)
--dport :3000 matches packets with destination port up to 3000 (3000 included)
--dport 1000: matches packets with destination port 1000 or above (1000 included)
Note: --sport and --dport must be used together with the -p parameter
3.3.5 Matching examples
1. Port matching
-p udp --dport 53
Matches UDP packets on the network with destination port 53

2. Address matching
-s 10.1.0.0/24 -d 172.17.0.0/16
Matches all packets from 10.1.0.0/24 to 172.17.0.0/16

3. Combined port and address matching
-s 192.168.0.1 -d www.abc.com -p tcp --dport 80
Matches TCP packets from 192.168.0.1 to port 80 of www.abc.com


Note:
1. --sport and --dport must be used together with -p, which states the protocol type
2. The more conditions are written, the more precise the match and the narrower the matching range
3.4 Actions (how matched packets are processed)
ACCEPT
DROP
SNAT
DNAT
MASQUERADE
3.4.1 -j ACCEPT
-j ACCEPT
Pass: let the packet through this chain without intercepting it
Like "permit" in a Cisco ACL

For example:
iptables -A INPUT -j ACCEPT
Allows all packets destined for a local IP to pass

3.4.2 -j DROP
-j DROP
Discard: the packet is blocked by this chain and discarded
Like "deny" in a Cisco ACL

For example:
iptables -A FORWARD -s 192.168.80.39 -j DROP
Blocks packets with source address 192.168.80.39 from passing through this machine
3.4.3 -j SNAT
-j SNAT --to ip[-ip][:port-port] (POSTROUTING chain of the nat table)
Source address translation; SNAT supports translating to a single IP and to an IP address pool
(a contiguous set of IP addresses)
For example:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -j SNAT --to 1.1.1.1
Changes the source address of the intranet 192.168.0.0/24 to 1.1.1.1 for NAT

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -j SNAT --to 1.1.1.1-1.1.1.10
Same as above, except that the source IP is taken from an address pool

3.4.4 -j DNAT
-j DNAT --to ip[-ip][:port-port] (PREROUTING chain of the nat table)
Destination address translation; DNAT supports translating to a single IP and to an IP address pool
(a contiguous set of IP addresses)
For example:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to 192.168.0.1
Changes the destination address of packets arriving on ppp0 for TCP port 80 to 192.168.0.1

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 \
  -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to 192.168.0.1-192.168.0.10

3.4.5 -j MASQUERADE
-j MASQUERADE
Dynamic source address translation (used when the outgoing IP is dynamic)

For example:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
Masquerades packets with a source address in 192.168.0.0/24 (the source is rewritten to the current address of the outgoing interface)

3.5 Additional modules
Match by packet state (state)
Match by source MAC address (mac)
Match by packet rate (limit)
Match several ports at once (multiport)
3.5.1 state
-m state --state <state>
States: NEW, RELATED, ESTABLISHED, INVALID
NEW: a new connection, similar to a TCP SYN
ESTABLISHED: an existing connection
RELATED: a derived connection, associated through connection tracking (for example FTP data connections)
INVALID: the packet cannot be attributed to any connection, or has no state
For example:
iptables -A INPUT -m state --state RELATED,ESTABLISHED \
  -j ACCEPT

3.5.2 mac
-m mac --mac-source <mac>
Matches a source MAC address

For example:
iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx \
  -j DROP
Blocks packets from that MAC address from passing through this machine

Note:
MAC addresses do not cross routers; do not try to match the MAC address of a host behind a router

3.5.3 limit
-m limit --limit <rate> [--burst <bucket size>]
Matches packets up to a certain rate
For example:
iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s \
  -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP

Note:
limit only matches packets up to the given rate; it does not "limit" anything by itself, which is why the DROP rule after it is needed

3.5.4 multiport
-m multiport <--sports|--dports|--ports> port1[,port2,...,portN]
Matches several ports at once; source ports, destination ports, or either can be specified

For example:
iptables -A INPUT -p tcp -m multiport --ports \
  21,22,25,80,110 -j ACCEPT

Note:
Must be used together with the -p parameter

4. Example analysis
Protecting a single server
Acting as a gateway
Restricting intranet users
Publishing an internal server to the outside
The connection tracking module
4.1 Protecting a single server
Work out which services are offered to the outside
Write the rules
Handling of the loopback interface lo
Handling of state tracking
Handling of protocol + port
Example: an ordinary web server
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
Note: keep the rules in order, understand the logical relationship between them, and get into the habit of checking with -vnL at all times
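The 4.1 rule set as a re-runnable shell script, added here as an example and not part of the original tutorial. It assumes the iptables binary is on the path (IPT is a placeholder variable), adds the ping rate limit of 3.5.3 on top of the rules above, and has a dry-run mode so the rule order can be checked before anything is applied.

```shell
#!/bin/sh
# Added example, not from the tutorial: the single-server rule set of 4.1 as a
# re-runnable script.  IPT defaults to "iptables"; DRY_RUN=1 prints the
# commands instead of executing them, so the order can be reviewed first.
IPT=${IPT:-iptables}

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Rule order follows the tutorial: loopback, service ports, reply traffic, then
# the default policy.  The policy is reset to ACCEPT before the flush (see the
# -F caveat in 3.2.5) and set to DROP only after every rule is in place, so a
# remote SSH session used to apply the script is never cut off.
single_server_rules() {
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -F INPUT
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
    # ping (ICMP type 8, see 3.3.3) is accepted only up to the limit of 3.5.3;
    # anything above the rate falls through to the DROP policy
    run "$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/s --burst 10 -j ACCEPT
    run "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -P INPUT DROP
}

# Number of -A rules the script adds to INPUT (4 for this rule set).
rule_count() { DRY_RUN=1 single_server_rules | grep -c -- ' -A INPUT '; }

# Succeeds only if "-P INPUT DROP" is the very last command emitted.
policy_is_last() { DRY_RUN=1 single_server_rules | tail -n 1 | grep -q -- '-P INPUT DROP'; }

if [ "${1:-}" = apply ]; then single_server_rules; else DRY_RUN=1 single_server_rules; fi
```

Run it with no arguments to print the commands, and with "apply" as root to load them.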
4.2 Acting as a gateway
Work out the network topology
Local network / Internet
Set up NAT
Enable routing (IP forwarding)
Address masquerading: SNAT/MASQUERADE

Example: ADSL dial-up Internet access topology
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 \
  -j MASQUERADE

4.3 Restricting intranet users
Filtering position: FORWARD chain of the filter table
Matching criteria: -s, -d, -p, --sport/--dport
Actions: ACCEPT, DROP

Example:
iptables -A FORWARD -s 192.168.0.3 -j DROP
iptables -A FORWARD -m mac --mac-source 11:22:33:44:55:66 \
  -j DROP
iptables -A FORWARD -d bbs.chinaunix.net -j DROP
4.4 Publishing an internal server to the outside
Service protocol (TCP/UDP)
External service port
Private network IP of the internal server
Real service port on the internal server
Example:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 \
  -j DNAT --to 192.168.1.2:80
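The gateway of 4.2 and the published servers of 4.4 combined into one script, as an added example that is not the tutorial's own. ppp0, 192.168.1.0/24 and the two internal hosts are the assumed values from the examples above; the FORWARD rules are an addition the tutorial does not show, because DNAT only rewrites the destination and the packet must still be accepted by the FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the tutorial): gateway of 4.2 plus the published
# servers of 4.4 in one script.  Interface, network and server addresses are
# assumed values; DRY_RUN=1 prints the commands instead of running them.
IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-ppp0}              # dial-up / dynamic-IP uplink
LAN_NET=${LAN_NET:-192.168.1.0/24}

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Publish TCP port $1 on the uplink to internal host $2 (port $3, default $1).
# The DNAT rule rewrites the destination in PREROUTING; the packet then crosses
# the FORWARD chain with its *translated* address and port, so the FORWARD
# rule must match the internal values, not the external port.
port_forward() {
    ext=$1; host=$2; int=${3:-$1}
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ext" \
        -j DNAT --to "$host:$int"
    run "$IPT" -A FORWARD -i "$WAN_IF" -d "$host" -p tcp --dport "$int" -j ACCEPT
}

gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1   # same as echo 1 > /proc/sys/net/ipv4/ip_forward
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # LAN may go out; only replies and explicitly published services come in.
    run "$IPT" -A FORWARD -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    port_forward 80 192.168.1.1
    port_forward 81 192.168.1.2 80
    run "$IPT" -P FORWARD DROP
}

if [ "${1:-}" = apply ]; then gateway_rules; else DRY_RUN=1 gateway_rules; fi
```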
4.5 The connection tracking module
Why the connection tracking module is needed
How the FTP protocol transfers data
What traditional firewalls do

How to use it
4.5.1 How the FTP protocol transfers data
Ports used
Command port
Data port

Transfer modes
Active mode
Passive mode
4.5.1 How the FTP protocol transfers data
Active mode
  Client                          Server
  xxxx |---|----------|-->| 21      (command connection, client to server)
  yyyy |<--|----------|---| 20      (data connection, server to client)
       FW1          FW2
Passive mode
  Client                          Server
  xxxx |---|----------|-->| 21      (command connection, client to server)
  yyyy |---|----------|-->| zzzz    (data connection, client to a high port on the server)
       FW1          FW2
4.5.2 What traditional firewalls do
Use active mode only and open TCP/20
Open a high port range on the firewall
Configure the FTP service to shrink the passive-mode port range
4.5.3 How to use the connection tracking module
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state \
  RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
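The FTP server rules of 4.5.3 next to the "traditional firewall" alternative of 4.5.2, as an added example that is not from the tutorial. nf_conntrack_ftp and nf_nat_ftp are the module names of current kernels and are tried first, falling back to the 2.4/2.6 names the tutorial uses; the passive port range 50000-50100 is a made-up value that has to match the FTP daemon's configuration.

```shell
#!/bin/sh
# Added example, not from the tutorial: the FTP server rules of 4.5.3 next to
# the "traditional firewall" alternative of 4.5.2, so the difference is visible.
# DRY_RUN=1 prints the commands instead of running them; the passive port
# range passed to ftp_rules_without_helper is an assumed value.
IPT=${IPT:-iptables}

run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Load the FTP helper.  The tutorial's 2.4/2.6 names are ip_conntrack_ftp and
# ip_nat_ftp; current kernels call them nf_conntrack_ftp and nf_nat_ftp, so
# try the new name first and fall back to the old one.
load_ftp_helper() {
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
    run modprobe nf_nat_ftp 2>/dev/null || run modprobe ip_nat_ftp
}

# With the helper: only the command port is opened explicitly.  The helper
# reads the PORT/PASV exchange on port 21 and marks the data connection
# RELATED, so the second rule admits it in either transfer mode.
ftp_rules_with_helper() {
    load_ftp_helper
    run "$IPT" -A INPUT -p tcp --dport 21 -j ACCEPT
    run "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run "$IPT" -P INPUT DROP
}

# Without the helper (4.5.2): passive mode needs the whole data port range
# $1-$2 open to every source, a much larger exposure than one port.
ftp_rules_without_helper() {
    run "$IPT" -A INPUT -p tcp --dport 21 -j ACCEPT
    run "$IPT" -A INPUT -p tcp --dport "$1:$2" -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED -j ACCEPT
    run "$IPT" -P INPUT DROP
}

# Number of INPUT rules that open ports to new connections for the rule set
# named in "$@" (1 with the helper, 2 without it).
open_port_rules() { DRY_RUN=1 "$@" | grep -c -- '--dport'; }

if [ "${1:-}" = apply ]; then ftp_rules_with_helper; else DRY_RUN=1 ftp_rules_with_helper; fi
```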
5. Network management strategy
What are we afraid of?
What can we do?
What to allow vs. what not to allow
Three "disciplines" and five "points of attention"
Other considerations
5.1 Items that must be added
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > \
  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
5.2 Optional items
Blocking:
iptables -A FORWARD -p tcp --dport xxx -j DROP
iptables -A FORWARD -p tcp --dport yyy:zzz -j DROP

Allowing:
iptables -A FORWARD -p tcp --dport xxx -j ACCEPT
iptables -A FORWARD -p tcp --dport yyy:zzz -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
iptables -P FORWARD DROP
5.3 Three "disciplines" and five "points of attention"
Three "disciplines": the special tables
filter
nat
mangle

Five "points of attention": the path a packet takes
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
5.4 Other considerations
Develop good habits
iptables -vnL
iptables -t nat -vnL
iptables-save

Mind the logical order
iptables -A INPUT -p tcp --dport xxx -j ACCEPT
iptables -I INPUT -p tcp --dport yyy -j ACCEPT
(the -I rule ends up in front of the -A rule even though it is written later)

Learn to write simple scripts
6. FAQ 1
Q: I set iptables -A OUTPUT -d 202.xx.xx.xx -j DROP.
Why can intranet users still reach that address?
A: The OUTPUT chain of the filter table is only passed by traffic from the local machine itself; intranet traffic does not go through that chain

Q: I added iptables -A FORWARD -d 202.xx.xx.xx -j DROP.
Why can intranet users still reach that address?
A: Check the whole rule set for logic errors, for example an ACCEPT rule placed before the DROP

Q: iptables -t nat -A POSTROUTING -i eth1 -o eth2 -j MASQUERADE
Why does this statement give an error?
A: The POSTROUTING chain does not support the inbound interface parameter -i
Likewise, the PREROUTING chain does not support the outbound interface parameter -o
6. FAQ 2
Q: How do I see how a particular module should be used?
A: iptables -m <module name> -h

Q: Running iptables -A FORWARD -m xxx -j yyy
reports "iptables: No chain/target/match by that name"
A: The directory /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
is missing the files for the xxx match or for the yyy target;
they are named ipt_xxx.o / ipt_yyy.o (2.4 kernel) or ipt_xxx.ko / ipt_yyy.ko (2.6 kernel)

Q: The script is written correctly and the intranet reaches the network fine, but FTP access does not work properly and directories cannot be listed. Why?
A: The ip_nat_ftp module is missing: modprobe ip_nat_ftp
6. FAQ 3
More FAQ content
