The firewall itself is part of the kernel; iptables is the user-space tool that configures it.
iptables syntax:
iptables [-t TABLE] ACTION CHAIN [MATCH CONDITIONS] -j TARGET
(the target is either an action or a jump to another chain)
Details
I. Table name (table)
1. raw table: decides whether a packet is connection-tracked (used to turn off the connection-tracking feature that the nat table enables).
2. mangle table: sets marks on packets.
3. nat table: address translation; modifies the source or destination IP address or port of a packet; enables connection tracking; SNAT, DNAT, PNAT.
4. filter table: filtering; decides whether a packet is allowed through.
The default table is filter.
II. Action commands
1. Actions on a chain:
-F: flush, empty the rule chain;
-N: new, create a custom chain;
-X: delete, remove an empty custom chain;
-Z: zero, reset the (packet and byte) counters;
-P: policy, set the default policy; for the filter table the default policy is ACCEPT or DROP, it cannot be REJECT;
-E: rename a custom chain.
2. Actions on the rules in a chain:
-A: append a rule to the chain; by default it becomes the last of all rules.
-I: insert a rule into the chain; by default it becomes the first of all rules.
iptables -I INPUT 2
i.e. insert the rule in front of the current 2nd rule of the chain.
-D: delete a rule from the chain.
-R: replace a rule in the chain.
3. Query actions:
-L: list the rules;
-n: numeric format, show host addresses and ports as numbers;
-v: verbose format; -vv, -vvv for more detail;
--line-numbers: show rule numbers;
-x: exact, do not convert counter values to K/M/G units; show their exact values.
III. Chain names (chain)
PREROUTING: before routing; processes packets before the routing decision is made
INPUT: inbound; processes packets whose destination is the local machine
FORWARD: forwarded; processes packets that the local machine forwards
OUTPUT: outbound; every packet sent by the local machine passes through it
POSTROUTING: after routing; processes packets after the routing decision
IV. Match conditions (criteria)
1. Generic matches
-s IP_ADDRESS: specifies the source IP address (range) to match; may be a single IP or a network address; may be negated with !
--src, --source (long forms)
-d IP_ADDRESS: specifies the destination IP address (range) to match;
--dst, --destination (long forms)
-p PROTOCOL: specifies the protocol to match; generally one of tcp, udp and icmp;
-i INTERFACE: the interface the packet arrives on; valid in PREROUTING, INPUT, FORWARD
-o INTERFACE: the interface the packet leaves on; valid in OUTPUT, FORWARD, POSTROUTING
2. Extended matches
(1) Implicit extensions: when -p {tcp|udp|icmp} is given, the options specific to that protocol's extension can be used directly (no -m needed);
-p tcp:
--sport SOURCE_PORT: specify the source port
--dport DESTINATION_PORT: specify the destination port
-p udp:
--sport SOURCE_PORT: specify the source port
--dport DESTINATION_PORT: specify the destination port
-p icmp [-m icmp]
--icmp-type
0: echo-reply, ping reply
8: echo-request, ping request
(2) Explicit extensions: the extension module must be named explicitly with -m before its private options can be used;
-m: match; specifies the extension module the rule uses to filter packets
Usage:
-m MODULE_NAME
-m state --state
Example: matching a source MAC address
-m mac --mac-source MAC_ADDRESS
Modules:
1) multiport: multi-port match; matches discontinuous or contiguous ports; up to 15 ports can be specified;
Dedicated options:
--source-ports, --sports port[,port,port]
--destination-ports, --dports port[,port,port]
--ports port[,port,port]
Example: iptables -I INPUT -d 172.16.100.7 -p tcp -m multiport --dports 22,80 -j ACCEPT
2) iprange: matches addresses within a specified range; useful for matching a contiguous block of addresses rather than a whole network;
Dedicated options:
[!] --src-range ip[-ip]
[!] --dst-range ip[-ip]
Example: iptables -A INPUT -d 172.16.100.7 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
Example: iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT
3) string: string match; inspects the application-layer payload of a packet for a string
Dedicated options:
--algo {bm|kmp}: the search algorithm to use (required)
--string "string"
--hex-string "hex_string": the string given in hexadecimal encoding;
Example: iptables -I OUTPUT -m string --algo kmp --string "Sex" -j DROP
4) time: time-based access control
Dedicated options:
--datestart YYYY[-MM][-DD[Thh[:mm[:ss]]]]
--datestop YYYY[-MM][-DD[Thh[:mm[:ss]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
--weekdays day[,day]
Mon, Tue, ...
Example: iptables -I INPUT -d 172.16.100.7 -p tcp --dport 80 -m time --timestart 08:20 --timestop 18:40 --weekdays Mon,Tue,Thu,Fri -j REJECT
5) connlimit: connection limit; limits the number of concurrent connections each source IP may hold;
Dedicated options:
[!] --connlimit-above n
Example: iptables -A INPUT -d 172.16.100.7 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
6) limit: rate limit
Dedicated options:
--limit n[/second|/minute|/hour|/day]
--limit-burst n
Example: iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8
V. Targets (target)
1. ACCEPT: allow the packet through.
2. DROP: discard the packet without further processing; after this no other rules are compared and the filtering stops.
3. REJECT: block the packet and send a reply packet to notify the other side; the type of reply packet can be chosen.
4. LOG: record matching packets in the iptables log in /var/log/messages.
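The following script, added here as an example and not part of the original notes, assembles the commands, matches and targets explained above (default policy -P, a custom chain -N, state, multiport, connlimit, limit, LOG) into a small default-deny INPUT rule set in iptables-restore format. The host 172.16.100.7 is the address used in the notes' examples; the interface name lo, the web ports and the 5/minute ping limit are assumed sample values.

```shell
# Added example (not from the original notes): assemble the matches and targets above
# into a default-deny INPUT rule set in iptables-restore format. 172.16.100.7 is the
# host address used in the notes; interface, ports and rate values are assumed samples.
build_ruleset() {
    host=${1:-172.16.100.7}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
# custom chain (-N): log at a limited rate, then DROP, so a flood cannot fill /var/log/messages
-A LOG_DROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
-A LOG_DROP -j DROP
# generic match on the inbound interface (-i) and the explicit extension -m state
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOG_DROP
# multiport: one rule covers both web ports
-A INPUT -d $host -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# connlimit: no more than 2 concurrent SSH connections per source address (as in the notes)
-A INPUT -d $host -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
-A INPUT -d $host -p tcp --dport 22 -m state --state NEW -j ACCEPT
# limit: rate-limited echo-request (assumed 5/minute, burst 10); excess requests are dropped
-A INPUT -d $host -p icmp --icmp-type 8 -m limit --limit 5/minute --limit-burst 10 -j ACCEPT
-A INPUT -d $host -p icmp --icmp-type 8 -j DROP
# everything else is logged (rate-limited) and dropped through the custom chain
-A INPUT -j LOG_DROP
COMMIT
EOF
}

# Number of rules appended to a chain, e.g. rule_count INPUT
rule_count() {
    build_ruleset | grep -c "^-A $1 "
}

# Let the kernel parse the rule set without loading it (needs root and iptables-restore).
# Returns 2 when the check cannot be run in the current environment.
check_ruleset() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    build_ruleset | iptables-restore --test
}
```

To load the rule set on a host, pipe build_ruleset into iptables-restore as root; the rate-limited LOG in the custom chain is what keeps a scan or flood from flooding /var/log/messages.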
# iptables -L -v
Brief explanation of the displayed fields:
Chain: the chain name
policy: the chain's default policy
pkts: number of packets the rule has handled
bytes: size of the packets the rule has handled (traffic)
target: the target action
prot: protocol (condition)
opt: other options
source: source address
destination: destination address
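These fields are what an administrator reads when auditing a rule set. The following script, added as an example and not part of the original notes, parses the output of iptables -L -v -n --line-numbers with awk to report rules whose pkts counter is still 0 (rules that have never matched) and built-in chains whose default policy has handled packets (traffic no explicit rule covered). The embedded output is a constructed sample, not captured from a real host.

```shell
# Added example (not from the original notes): audit helpers for the output of
#   iptables -L -v -n --line-numbers
# SAMPLE_OUTPUT is a constructed sample, not captured from a real host.
SAMPLE_OUTPUT='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4512  301K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     9834 1205K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.100.7         multiport dports 22,80
4       17  1020 DROP       tcp  --  *      *       0.0.0.0/0            172.16.100.7         tcp dpt:22 #conn src/32 > 2
5        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            172.16.100.7         icmptype 8 limit: avg 5/min burst 10

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5120 packets, 640K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match "Sex" ALGO name kmp TO 65535'

# Print CHAIN:NUM for every rule whose pkts counter is 0 (never matched). Reads stdin.
unused_rules() {
    awk '
        /^Chain /          { chain = $2; next }   # remember the chain we are in
        /^num /            { next }               # column header line
        NF >= 3 && $2 == 0 { print chain ":" $1 } # num pkts bytes ... with zero packets
    '
}

# Print CHAIN:PKTS for built-in chains whose default policy has handled packets,
# i.e. traffic that no explicit rule accepted or rejected. Reads stdin.
policy_hits() {
    awk '/^Chain / && $3 == "(policy" && $5 > 0 { print $2 ":" $5 }'
}

# Convenience wrapper for the sample; on a live host pipe the iptables output in directly.
audit_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | unused_rules
    printf '%s\n' "$SAMPLE_OUTPUT" | policy_hits
}
```

A rule that never matches is either dead or shadowed by an earlier rule; a growing packet count on a DROP policy means traffic is reaching the host that no rule describes, which is worth a LOG rule to see what it is.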
All of the above are theoretical points; once concrete cases come up, I will come back and add them.
iptables command explanation