Five rule chains and three rule tables of iptables

iptables has five rule chains:
PREROUTING
FORWARD
POSTROUTING
INPUT
OUTPUT

The five rule chains are distributed over three rule tables:
filter: filters packets. Chains: INPUT, FORWARD, OUTPUT
nat: address translation. Chains: PREROUTING, POSTROUTING, OUTPUT
mangle: policy routing and special applications. Chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
1. Install the iptables package (installed by default)
[root@localhost ~]# rpm -q iptables
iptables-1.2.11-3.1.RHEL4
List the program files contained in the package:
[root@localhost ~]# rpm -ql iptables | grep bin
/sbin/iptables
/sbin/iptables-restore
/sbin/iptables-save
iptables includes three management tools:
iptables: the command that manages and applies firewall rules.
iptables-save and iptables-restore are a pair of auxiliary tools: iptables-save writes the current firewall settings out,
and iptables-restore loads a configuration saved by iptables-save back into the running system.
2. Start and stop the iptables service
The system runs iptables as a service. The startup script lives in /etc/rc.d/init.d and is named iptables.
It is enabled by default at run levels 3 and 5:
[root@localhost init.d]# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
Start, stop and query the service:
# service iptables start      (start the firewall)
# service iptables stop       (stop the firewall)
# service iptables status     (show the current status)
3. iptables configuration file and policy file
Configuration file: /etc/sysconfig/iptables-config. It sets the kernel modules loaded when the iptables service starts and normally does not need to be modified.
Policy file: /etc/sysconfig/iptables. When the iptables service starts, iptables-restore is called to apply the policy in this file to the firewall.
4. View the contents of an iptables table
Syntax: iptables [-t table] -L
-t: select the table to view.
If -t is omitted, the filter table is shown by default.
5. Manual configuration of the iptables firewall
1) Clear the rules in a table
Clears all rules of every chain in the table:
# iptables -F
2) Delete custom chains from a table
Deletes the named chain; if no chain is named, all custom (user-defined) chains in the table are deleted:
# iptables -X
3) Add rules
iptables -A chain -i interface -j target
-A: the chain the rule is appended to.
-i: the network interface the packet arrives on.
-p: the protocol of the packet.
-s: the source address or network of the packet.
-j: what to do with matching packets: ACCEPT or DROP.
For example, add a rule to the INPUT chain that allows all packets from 192.168.1.0/24 arriving on eth0:
# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
4) Export and import iptables rules
Export with iptables-save, for example to the file /home/aaa:
# iptables-save > /home/aaa
Import with iptables-restore by feeding it the saved file, for example the aaa file.
5) Delete a rule
iptables -D deletes the specified rule (give the same match as when the rule was added):
# iptables -D INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
6) Set the default policy of a built-in chain
The default policy of a chain is ACCEPT; iptables -P sets the default policy of the specified chain.
For example, set the default policy of the INPUT chain to DROP and then add the allow rules one by one. This is the more rigorous way to build a ruleset.
7) Match on connection state
iptables -A INPUT -m state --state STATE -j [ACCEPT|DROP|LOG]
--state: the connection state of the received packet:
INVALID: invalid packet, not associated with any known connection
ESTABLISHED: belongs to a connection that has already been established
NEW: a request to establish a new connection
RELATED: related to a connection we already have (for example a secondary connection opened by a session we initiated)
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT    (accept packets in the RELATED and ESTABLISHED states)
Example configuration:
Allow all packets arriving on the eth1 interface.
On the eth0 interface allow the Web, SSH and squid proxy services, i.e. open ports 80, 22 and 3128.
No other packets may pass.
# iptables -F
# iptables -X
# iptables -P INPUT DROP
# iptables -A INPUT -i eth1 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --dport 3128 -j ACCEPT
# service iptables save
Rule changes take effect immediately but are not saved. Use service iptables save to write them to the default location /etc/sysconfig/iptables. You can also use iptables-save > /tmp/iptables.new to save the rules to /tmp or elsewhere, and later load them again with iptables-restore.
-p: the protocol of the packet.
--dport: the destination port of the packet.
# service iptables save: only after this command are the rules present in the /etc/sysconfig/iptables file.
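An added example, not from the original tutorial: a small Python audit of an iptables-save dump (the format stored in /etc/sysconfig/iptables) that checks the points the configuration above depends on: INPUT defaults to DROP, which TCP ports are open, and which interfaces are accepted wholesale. The sample dump is constructed and also includes the RELATED,ESTABLISHED rule from step 7, because with INPUT set to DROP and no such rule, replies to the host's own outbound connections arriving on eth0 would be dropped.

```python
# Constructed sample (assumption): roughly what `iptables-save` prints for the
# example ruleset above, plus the RELATED,ESTABLISHED rule from step 7.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.2.11
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Parse iptables-save text into {table: {"policy": {chain: policy}, "rules": [tokens]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # *filter, *nat, *mangle
            current = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                     # :CHAIN POLICY [packets:bytes]
            chain, policy = line[1:].split()[:2]
            current["policy"][chain] = policy
        elif line.startswith("-A"):                    # -A CHAIN <matches> -j TARGET
            current["rules"].append(line.split())
    return tables

def arg(tokens, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_filter(text, chain="INPUT"):
    """Findings a defender checks first: default-deny, stateful rule, what is open."""
    f = parse_save(text)["filter"]
    rules = [r for r in f["rules"] if r[1] == chain and arg(r, "-j") == "ACCEPT"]
    return {
        "default_drop": f["policy"].get(chain) == "DROP",
        # Without this rule, replies to the host's own outbound connections are dropped.
        "has_established_rule": any("ESTABLISHED" in (arg(r, "--state") or "") for r in rules),
        "open_tcp_ports": sorted(int(arg(r, "--dport")) for r in rules if arg(r, "--dport")),
        # Interfaces accepted wholesale (no protocol, source or match-module restriction).
        "unrestricted_ifaces": [arg(r, "-i") for r in rules
                                if arg(r, "-i") and not any(x in r for x in ("-p", "-s", "-m"))],
    }
```

Run it against the real file with `audit_filter(open("/etc/sysconfig/iptables").read())` after `service iptables save`.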
Additional match modules
Matching by packet state (state)
Matching by source MAC address (mac)
Packet rate matching (limit)
Multiple port matching (multiport)
3.5.1 state
-M state -- state