Iptables command details and examples

Source: Internet
Author: User

This configuration is circulating on the Internet and is easy to follow, so I am reposting it here; let's walk through it, and I hope it is useful in your work.
A network administrator's security awareness matters far more than slogans about Linux security.

iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X
First flush all three tables (filter, nat and mangle) and delete their user-defined chains, so the rules below start from a known, empty state.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
Set the default policy of INPUT and OUTPUT to DROP and of FORWARD to ACCEPT. Whatever no later rule accepts is silently dropped. If you do this over SSH, the session dies the moment the INPUT policy changes, so set the policies last or load the whole ruleset at once with iptables-restore. A FORWARD policy of ACCEPT is lax for a box that sits between networks; the article keeps it, but DROP with explicit forwarding rules is the safer choice.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Open the loopback interface first to avoid needless trouble: many local services (resolvers, databases, Squid's own management traffic) talk to 127.0.0.1 and fail in confusing ways when lo is blocked.

iptables -A INPUT -i eth+ -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o eth+ -p icmp --icmp-type 0 -j ACCEPT
Allow ping on every ethernet interface (the trailing + is a wildcard, so eth+ matches eth0, eth1, eth2, ...): echo-request (type 8) in and echo-reply (type 0) out, for maintenance and troubleshooting. Note that these two rules let others ping this host; pinging out from the host itself would need the reverse pair.
iptables -A INPUT -i eth0 -s 192.168.100.250 -d 192.168.100.1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.100.1 -d 192.168.100.250 -p tcp --sport 22 -j ACCEPT
Open port 22 for remote management, with several extra conditions: the client must be the management machine 192.168.100.250, the packets must arrive on eth0, and they must be addressed to this host's eth0 address 192.168.100.1.

iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.100.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.168.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.168.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 53 -j ACCEPT
These rules are the confusing part, so here they are one by one. (The eth0 and eth1 pairs are identical apart from the interface and the client subnet. -m state is the older name for -m conntrack --ctstate and still works on current releases.)

iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
Accept packets arriving on eth0 from the 192.168.100.0/24 segment if they are TCP to destination port 3128 and the connection-tracking state is NEW or ESTABLISHED. The port is 3128 rather than 80 because a REDIRECT rule in the nat table has already rewritten port 80 to 3128: the nat table's PREROUTING chain runs before the filter table's INPUT chain, so INPUT sees the rewritten destination port. NEW is the first packet of a connection conntrack has not seen before, for TCP normally the client's SYN; in other words, client machines may open connections to the proxy. ESTABLISHED means traffic has already been seen in both directions. NEW by itself does not guarantee a SYN (any first packet of an untracked flow is NEW), so add --syn if that distinction matters.

iptables -A OUTPUT -o eth2 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
Look at this one first. Your packets have now reached the Linux firewall, and Squid fetches the page on your behalf. The server is therefore acting as a client, so it connects from an ephemeral (client-side) source port. In principle that could be anything from 1024 to 65535; the range CentOS actually uses is 32768 to 61000, which you can confirm with cat /proc/sys/net/ipv4/ip_local_port_range (newer kernels default to 32768 60999, so check rather than assume). To repeat: Squid accesses the remote servers as a client, so the source port here is 32768:61000, not 3128.
iptables -A INPUT -i eth2 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
And the replies come back the same way: destination port in the ephemeral range, and ESTABLISHED only, since nothing on the Internet may open a connection to this host.

iptables -A OUTPUT -o eth0 -d 192.168.100.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
The fetched data must go back out through the internal interface. Remember that Squid accesses the website on your behalf: on the intranet your machine is the client and Squid is the server, the reverse of the external leg. So here the source port is 3128, not 32768:61000, and ESTABLISHED alone is enough because the client opened the connection.

iptables -A OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 53 -j ACCEPT
DNS is indispensable, since Squid has to resolve the names it fetches. Note that the second rule is stateless: any UDP packet arriving on eth2 with source port 53 is accepted, whether or not this host asked for it. Adding -m state --state ESTABLISHED to it, as on the TCP rules, limits it to replies to queries this host actually sent.
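The rules explained so far, as an added example that is not part of the original article, assembled into a single iptables-restore file. Loading the policy this way applies it atomically, so there is no window in which the INPUT policy is DROP but the SSH rule is not yet in place. Labelled assumptions: the management host 192.168.100.250 and proxy address 192.168.100.1 are taken from the article's SSH rules; the nat REDIRECT rule is the one the article refers to ("REDIRECT has changed 80 to 3128") but never shows, so its exact form is assumed; the DNS reply rule is tightened to ESTABLISHED. The FORWARD policy stays ACCEPT as in the article.

```shell
#!/bin/sh
# Added example (not from the original article): the article's allow rules
# as one iptables-restore file, loaded atomically instead of rule by rule.
# Assumed values are marked; adjust them to the real hosts and interfaces.
MGMT_HOST=192.168.100.250        # assumed: the only host allowed to SSH in
PROXY_ADDR=192.168.100.1         # assumed: this host's own address on eth0
LAN_A=192.168.100.0/24           # clients behind eth0
LAN_B=192.168.168.0/24           # clients behind eth1
EPHEMERAL=32768:61000            # cat /proc/sys/net/ipv4/ip_local_port_range

# gen_ruleset: print the complete ruleset in iptables-restore syntax.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Assumed transparent-proxy redirect the article refers to (80 -> 3128),
# applied in PREROUTING, i.e. before the filter INPUT chain sees the packet.
-A PREROUTING -i eth0 -s $LAN_A -p tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth1 -s $LAN_B -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# loopback first
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# others may ping this host on any ethernet interface
-A INPUT -i eth+ -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o eth+ -p icmp --icmp-type 0 -j ACCEPT
# SSH from the management host only, and only via eth0
-A INPUT -i eth0 -s $MGMT_HOST -d $PROXY_ADDR -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -s $PROXY_ADDR -d $MGMT_HOST -p tcp --sport 22 -j ACCEPT
# clients on both LANs to Squid (port already rewritten to 3128 by nat)
-A INPUT -i eth0 -s $LAN_A -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -d $LAN_A -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -s $LAN_B -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -d $LAN_B -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
# Squid acting as a client towards the Internet on eth2
-A OUTPUT -o eth2 -p tcp --sport $EPHEMERAL -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp --dport $EPHEMERAL -m state --state ESTABLISHED -j ACCEPT
# DNS, stateful: only replies to queries this host sent are accepted
-A OUTPUT -o eth2 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# check_ruleset: parse the ruleset without applying it. Needs root and the
# iptables userspace; anywhere else it just reports that it skipped.
check_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        gen_ruleset | iptables-restore --test
    else
        echo "skipping iptables-restore --test (needs root and iptables)" >&2
    fi
}

gen_ruleset
```

Redirect the output to a file and load it with `iptables-restore < file` (on CentOS 6/7 the persistent location is /etc/sysconfig/iptables); run check_ruleset first to catch syntax errors before anything touches the live tables.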

iptables -A INPUT -i eth+ -p tcp --dport 80 -j LOG --log-prefix "iptables_80_alert " --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 21 -j LOG --log-prefix "iptables_21_alert " --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 22 -j LOG --log-prefix "iptables_22_alert " --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 25 -j LOG --log-prefix "iptables_25_alert " --log-level info
iptables -A INPUT -i eth+ -p icmp --icmp-type 8 -j LOG --log-prefix "iptables_icmp8_alert " --log-level info
Some logging helps the administrator. LOG is a non-terminating target: it writes a line to the kernel log (dmesg, /var/log/messages, or journalctl -k) and the packet continues down the chain. Appended here, after all the ACCEPT rules and with an INPUT policy of DROP, these rules log exactly the traffic that is about to be dropped, for example SSH attempts from anything other than the management host. Two consequences of that ordering: the ICMP type 8 rule never fires, because echo requests were already accepted above (insert it before the ACCEPT with -I if you want pings logged), and a flood against any of these ports writes one line per packet, so in practice pair LOG with the limit match described later. The trailing space in each prefix keeps it from running straight into the IN= field that follows in the log line.
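What those LOG rules look like on the receiving end, as an added example that is not part of the original article: a small POSIX shell script that summarises kernel log lines by prefix and source and flags sources that hit the closed ports repeatedly. The log lines are constructed here for illustration (RFC 5737 documentation addresses); on a real host feed it the output of journalctl -k or /var/log/messages. It copes with prefixes written with or without the trailing space, since the article's originals have none and produce "iptables_22_alertIN=eth0".

```shell
#!/bin/sh
# Added example (not from the original article): summarise the kernel log
# lines the article's LOG rules produce. The sample lines below are
# constructed for illustration and use documentation-only addresses.
LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
cat > "$LOGFILE" <<'EOF'
Mar  3 10:15:01 gw kernel: iptables_22_alertIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: iptables_22_alertIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: iptables_22_alertIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: iptables_25_alertIN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51300 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:40 gw kernel: iptables_80_alert IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:17:12 gw kernel: iptables_25_alert IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.45 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=6 DF PROTO=TCP SPT=33000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
EOF

# summarize_log FILE: one line per (prefix, source, destination port) with
# its hit count, busiest first. The prefix token may have IN= glued to it
# when the rule's --log-prefix lacked a trailing space; strip that off.
summarize_log() {
    awk '
        /kernel: iptables_/ {
            prefix = ""; src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^iptables_.*_alert/) { prefix = $i; sub(/IN=.*/, "", prefix) }
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            count[prefix " " src " dpt=" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# noisy_sources FILE THRESHOLD: sources with at least THRESHOLD logged
# packets across all prefixes, i.e. the hosts probing more than one service.
noisy_sources() {
    awk -v th="$2" '
        /kernel: iptables_/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++ }
        END { for (s in hits) if (hits[s] >= th) print hits[s], s }
    ' "$1" | sort -rn
}

echo "== hits by prefix / source / port =="
summarize_log "$LOGFILE"
echo "== sources with 3 or more hits =="
noisy_sources "$LOGFILE" 3
```

On the constructed input 203.0.113.7 shows up as the only source over the threshold (three SSH probes plus an SMTP probe), which is the kind of signal worth feeding into a blocklist or a fail2ban-style reaction.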

Iptables basic commands

I. Basic chain operations
1. Clear all rules.
1) Delete every rule in every chain of the default table (filter):
# iptables -F
2) Delete the user-defined chains in the default table (filter); a chain must be empty and unreferenced before -X will remove it, so run -F first. -Z resets the packet and byte counters of all chains:
# iptables -X
# iptables -Z
2. Set the default chain policy. There are two approaches.
1) Allow everything first, then block dangerous traffic rule by rule (a blacklist):
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
2) Deny everything first, then allow only the specific traffic each service needs (a whitelist, the default-deny stance used in the ruleset above):
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
3. List the rules of a table or chain. Only the filter table is shown unless -t names another table; add -n to skip DNS lookups, -v for counters and interfaces, and --line-numbers when you intend to delete or insert by position:
# iptables -L
4. Add rules to a chain. The following rules open whole network interfaces:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A OUTPUT -o eth1 -j ACCEPT
# iptables -A FORWARD -i eth1 -j ACCEPT
# iptables -A FORWARD -o eth1 -j ACCEPT
Note: packets to or from local processes never traverse the FORWARD chain, so the loopback interface lo is only meaningful in INPUT and OUTPUT. Likewise -i (incoming interface) is valid only in INPUT, FORWARD and PREROUTING, and -o (outgoing interface) only in OUTPUT, FORWARD and POSTROUTING; iptables rejects the other combinations.
5. User-defined chains. Create the chain, fill it with rules, then jump to it from a built-in chain; a final rule ending in -j DROP instead of -j custom would never consult the new chain:
# iptables -N custom
# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP
# iptables -A INPUT -s 0/0 -d 0/0 -j custom
II. Basic rule matching
1. Protocol matching.
1) Match a specific protocol:
# iptables -A INPUT -p tcp
2) Match every protocol except the specified one (older releases also accept the legacy form -p ! tcp):
# iptables -A INPUT ! -p tcp
2. Address matching.
1) Match a single host:
# iptables -A INPUT -s 192.168.0.18
2) Match a network:
# iptables -A INPUT -s 192.168.2.0/24
3) Match every address except the given host:
# iptables -A FORWARD ! -s 192.168.0.19
4) Match every address outside the given network:
# iptables -A FORWARD ! -s 192.168.3.0/24
3. Interface matching.
1) Match a single interface:
# iptables -A INPUT -i eth0
# iptables -A FORWARD -o eth0
2) Match all interfaces sharing a prefix (the trailing + is a wildcard, so ppp+ matches ppp0, ppp1, ...):
# iptables -A FORWARD -o ppp+
4. Port matching. Ports belong to the transport layer, so --sport and --dport require -p tcp or -p udp.
1) Match a single port, by name from /etc/services or by number:
# iptables -A INPUT -p tcp --sport www
# iptables -A INPUT -p udp --dport 53
2) Match every port except the given one:
# iptables -A INPUT -p tcp ! --dport 22
3) Match a port range (inclusive):
# iptables -A INPUT -p tcp --sport 22:80
4) ICMP has no ports; match on the ICMP type instead (type 8 is echo-request):
# iptables -A INPUT -p icmp --icmp-type 8
5) IP fragments.
Every network interface has an MTU (maximum transmission unit), the largest packet it can carry. A packet larger than the MTU is split into smaller pieces (IP fragments) that the receiver reassembles into the original packet. This creates a filtering problem: only the first fragment carries the transport header (TCP, UDP or ICMP) after the IP header; the later fragments carry just an IP header with the source and destination addresses, so there is no port or ICMP type to match against. Suppose there is a rule like this:
# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
With a FORWARD policy of DROP, only the first fragment passes; the remaining fragments have no port field, fail the match and fall through to the policy. The -f (--fragment) option matches the second and later fragments, so a rule that accepts them by address alone closes the gap:
# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
Fragmentation is a classic attack vector (fragment floods for denial of service, overlapping fragments to evade inspection), so blanket acceptance of fragments is a security risk; keep any -f rule as narrow as possible and rate-limit it with the match extensions below. On kernels with connection tracking loaded, IPv4 packets are reassembled before the filter table sees them, so -f rarely matches there and the stateful ESTABLISHED,RELATED rules handle the reassembled packet instead.
III. Extended matches (the target action is omitted in these examples)
1. Multiport matching. -m multiport accepts up to 15 comma-separated ports or port ranges and needs -p tcp or -p udp.
1) Match several source ports:
# iptables -A INPUT -p tcp -m multiport --sports 22,53,80,110
2) Match several destination ports:
# iptables -A INPUT -p tcp -m multiport --dports 22,53,80
3) Match several ports as either source or destination:
# iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110
2. TCP match extension.
The --tcp-flags option filters on the flag bits of a TCP segment. It takes two lists: the flags to examine (the mask) and, of those, the flags that must be set; every other flag in the mask must be clear.
# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
# iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK
In the first rule SYN, FIN and ACK are examined and only SYN may be set: a plain connection request. In the second, ALL (SYN, ACK, FIN, RST, URG, PSH) are examined and exactly SYN and ACK must be set: the second packet of the three-way handshake.
# iptables -A FORWARD -p tcp --syn
--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (older manual pages give it as SYN,RST,ACK SYN); it matches the packets that open a TCP connection, which is why it is the usual way to block inbound connection attempts while allowing the rest of a connection through.
3. Rate-limit match extension (-m limit).
1) Specify how many packets may match per unit of time. The unit can be /second, /minute, /hour or /day, or just its first letter (/s, /m, /h, /d):
# iptables -A INPUT -m limit --limit 300/hour
2) Specify the burst size:
# iptables -A INPUT -m limit --limit-burst 10
The limit match is a token bucket. --limit-burst is the size of the bucket (default 5): up to 10 packets can match back to back, after which only the refill rate applies (here the default --limit of 3/hour, since none is given). Packets beyond the limit are not dropped by this rule; they simply do not match it and continue to the following rules and eventually the chain policy. That is why a limit rule is normally given a LOG or ACCEPT target and followed by a rule that drops the rest.
3) Specify both the rate and the burst:
# iptables -A INPUT -p icmp -m limit --limit 3/m --limit-burst 3
The bucket starts full with 3 tokens and earns one every 20 seconds (3 per minute), never holding more than the burst of 3. So 3 ICMP packets can match immediately; afterwards one more matches every 20 seconds, and a quiet spell refills the bucket so that another burst of up to 3 can match.
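To make the token-bucket behaviour concrete, here is an added example (not from the original article): a POSIX shell simulation of which packets a rule with --limit RATE/m --limit-burst BURST would match, given their arrival times. It is a model, not the kernel's code: it works in whole seconds and assumes a per-minute rate that divides 60 evenly (the kernel keeps finer-grained credit), but the match/no-match pattern for whole-second arrivals is the same.

```shell
#!/bin/sh
# Added example (not from the original article): token-bucket simulation of
# `-m limit --limit RATE/m --limit-burst BURST`, in integer seconds.
# Assumptions: RATE divides 60 evenly and arrival times are non-decreasing.

# limit_sim RATE_PER_MIN BURST "t1 t2 t3 ..."
# Prints a per-packet trace to stderr and the number of matched packets to
# stdout, so the result can be captured with $(...).
limit_sim() {
    rate=$1; burst=$2; arrivals=$3
    interval=$((60 / rate))       # seconds needed to earn one token
    tokens=$burst                 # the bucket starts full
    last=0                        # time up to which refills have been credited
    matched=0
    for t in $arrivals; do
        # Credit whole tokens earned since the last credit, capped at the burst.
        earned=$(( (t - last) / interval ))
        if [ "$earned" -gt 0 ]; then
            tokens=$(( tokens + earned ))
            last=$(( last + earned * interval ))
            if [ "$tokens" -gt "$burst" ]; then
                tokens=$burst; last=$t   # full bucket: idle time is not banked
            fi
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 )); matched=$(( matched + 1 ))
            echo "t=${t}s  match     (tokens left: $tokens)" >&2
        else
            echo "t=${t}s  no match  (tokens left: 0, next token at $((last + interval))s)" >&2
        fi
    done
    echo "$matched"
}

# --limit 3/m --limit-burst 3 against 5 packets at once, then stragglers:
# 3 match at t=0, the 4th and 5th do not, t=20 earns a token, t=25 has
# none yet, t=40 earns another. Total matched: 5.
limit_sim 3 3 "0 0 0 0 0 20 25 40"
```

Run the function with the rate and burst from a real rule and the timestamps from a packet capture to see which packets the rule would let through; the "no match" lines are the ones that fall through to whatever rule follows the limit rule.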
4) State-based matching (connection tracking).
Every network connection is described by its source address, destination address, source port and destination port (together the socket pair), its protocol, its connection state (for TCP, where it is in the handshake and teardown) and a timeout. The firewall calls this information "state". A stateful packet filter keeps a table of tracked connections in memory and is more secure than a plain packet filter, because it can accept only the replies to traffic it has seen go out. The syntax is:
iptables -m state --state [!] state[,state...]
The state list is comma-separated, and there are four states:
> NEW: the packet starts a new connection, or belongs to a connection that has not yet seen packets in both directions (for TCP normally the SYN, but any first packet of an untracked flow counts, which is why --syn is added when only genuine connection requests should match)
