Iptables command usage illustration

Source: Internet
Author: User

I. iptables command format (the fuller form)
iptables [-t table] command [chain] [rules] [-j target]
(1) table ------- the table name (raw, mangle, nat, or filter table)
(2) command ------- the chain operation command (-A: append a rule at the bottom of the chain; -I: insert a rule before the rule with the given number)
(3) chain ------- the chain name (PREROUTING, FORWARD, INPUT, OUTPUT, or POSTROUTING chain)
(4) rules ------- the matching rules
(5) target ------- the action taken on a matching packet


1. Table options (table)

The table option specifies which built-in iptables table the command applies to. iptables has four tables: filter, nat, mangle, and raw.
The parameter is -t followed by the table name. If -t is not given, the filter table is used by default.

2. Command options (command)

Command / Description

-P or --policy <chain name>
    Define the default policy of a chain.
-L or --list <chain name>
    View the iptables rule list.
-A or --append <chain name>
    Add one rule at the end of the rule list.
-I or --insert <chain name>
    Insert one rule at the specified position.
-D or --delete <chain name> <number>
    Delete a rule from the rule list.
-R or --replace <chain name> <number>
    Replace a rule in the rule list.
-F or --flush <chain name>
    Delete all rules in the table, or only in the given chain (note: the default policy is not cleared).
-X or --delete-chain <user-defined chain name>
    Delete a user-defined chain. Precondition: the chain must contain no rules, so all rules on a user-defined chain must be deleted before the chain itself can be deleted. If no chain name is given, all user-defined chains are deleted.
    For example:
    (1) iptables -t filter -F: clear all rules in the filter table (all rules on the built-in chains and all rules on the user-defined chains)
    (2) iptables -t filter -F INPUT: clear all rules on the INPUT chain of the filter table.
    (3) iptables -t filter -X: delete all user-defined chains in the filter table (the built-in chains INPUT, OUTPUT and FORWARD cannot be deleted)
    (4) iptables -t filter -X mydefine: delete the user-defined chain mydefine from the filter table.

-Z or --zero <chain name>
    Reset the packet counter and byte counter in the table (or chain) to zero.
-N or --new-chain <user-defined chain name>
    Create a user-defined chain. Its name must differ from the built-in chain names.
    For example, iptables -t filter -N CentOS-TCP adds a chain named CentOS-TCP to the filter table, to be used for processing TCP packets; the corresponding rules are later written into the CentOS-TCP chain.
    Likewise, iptables -t filter -N CentOS-UDP adds a chain named CentOS-UDP to the filter table for processing UDP packets; the corresponding rules are later written into the CentOS-UDP chain.
    Finally, the new chains are referenced from the INPUT chain (or another built-in chain) of the built-in table, for example:
    iptables -t filter -A INPUT -p tcp -j CentOS-TCP
    iptables -t filter -A INPUT -p udp -j CentOS-UDP
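The custom-chain layout just described, written out as a complete filter-table rule set. This is an added example, not from the original article: the script only prints the rules in iptables-restore format so they can be reviewed before root loads them; the interface name and the accepted ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): emit an iptables-restore
# rule set for the filter table that uses the two user-defined chains from
# the text, CentOS-TCP and CentOS-UDP, and dispatches INPUT traffic to them
# by protocol. Nothing is loaded into the kernel; the output is printed so
# it can be reviewed first and then fed to `iptables-restore` by root.
WAN_IF="${WAN_IF:-eth0}"          # assumed external interface

gen_filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CentOS-TCP - [0:0]
:CentOS-UDP - [0:0]
# Stateful accept first so replies to our own connections are not dropped.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Dispatch by protocol into the user-defined chains (the -A INPUT -p tcp -j <chain> form from the text).
-A INPUT -i $WAN_IF -p tcp -j CentOS-TCP
-A INPUT -i $WAN_IF -p udp -j CentOS-UDP
# Per-protocol policy lives in the custom chains; anything they do not
# accept returns to INPUT and hits its default policy (DROP).
-A CentOS-TCP -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A CentOS-TCP -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A CentOS-UDP -p udp --dport 53 -j ACCEPT
-A CentOS-UDP -p udp -j LOG --log-prefix "UDP-DROP: "
COMMIT
EOF
}

# Count how many rules in the generated set jump into a given chain.
count_jumps() {
    gen_filter_rules | grep -c -- "-j $1"
}

gen_filter_rules
```

Pipe the output into `iptables-restore` (as root) once it looks right; because the default policy of INPUT is DROP, test from a console session first.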

 

3. Matching options (rules)

Match / Description

-i or --in-interface <interface name>
    Specify the network interface the packet enters through, such as ppp0, eth0 or eth1.
    Note: this parameter can only be used in the INPUT, FORWARD and PREROUTING chains.
-o or --out-interface <interface name>
    Specify the network interface the packet leaves through, such as ppp0, eth0 or eth1.
    Note: this parameter can only be used in the OUTPUT and POSTROUTING chains.
-p or --protocol <protocol type>
    Specify the protocol the packet must match, such as tcp, udp or icmp.
-s or --source <source address or subnet>
    Match on the source address of the packet.
-m state --state <state>
    Match on connection state (NEW, ESTABLISHED, RELATED, INVALID, or a comma-separated combination of them).
-m mac --mac-source <MAC address>
    Match on the source MAC address (note: this parameter can only be used in the PREROUTING, FORWARD and INPUT chains).
-m limit --limit <rate>
    Match based on the rate of packets (rate limiting).
-m owner
    Match based on the uid and gid of the local process that generated the packet (note: this parameter is only valid in the OUTPUT chain).
--sport <source port number>
    Specify the source port the packet must match; a range can be given as "start port:end port".
-d or --destination <destination address or subnet>
    Specify the destination address the packet must match.
--dport <destination port number>
    Specify the destination port the packet must match; a range can be given as "start port:end port".

 

4. Action options (-j target)

Action / Description

ACCEPT
    Accept the packet.
DROP
    Discard the packet silently.
REJECT
    Similar to DROP, but in addition to blocking the packet it returns an error message to the sender.
SNAT
    Source address translation: changes the source address of the packet.
    For example, translate the LAN address (10.0.0.1/24) => WAN address (222.101.98.54/24); this action is applied on the POSTROUTING chain of the nat table.
DNAT
    Destination address translation: changes the destination address of the packet.
    For example, translate the WAN address (222.101.98.54/24) => LAN address (10.0.0.1/24); this action is applied on the PREROUTING chain of the nat table.
MASQUERADE
    IP masquerading, often simply called NAT. MASQUERADE is meant for connections whose public IP address is assigned dynamically by the ISP, such as ADSL dial-up; if the host's IP address is static, use SNAT instead.
LOG
    Record information about packets that match the rule in the system log, for administrator analysis and troubleshooting.

 

 

II. iptables syntax

1. Define the default policy

1) Function: when a packet matches no rule in a chain, iptables processes it according to the chain's predefined default policy.

2) Format of the default policy definition: iptables [-t table name] <-P> <chain name> <action>
Parameters are described as follows:
(1) [-t table name]
The table to which the default policy applies: filter, nat or mangle. If no table is specified, iptables uses the filter table by default.
(2) <-P>
Define the default policy.
(3) <chain name>
The chain to which the default policy applies: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING.
(4) <action>
The action applied to packets: ACCEPT (accept the packet) or DROP (discard the packet).

2. View iptables rules

The command format for viewing iptables rules is: iptables [-t table name] <-L> [chain name]
Parameters are described as follows:
(1) [-t table name]
Lists the rules of a table: filter, nat or mangle. If no table is specified, iptables shows the rule list of the filter table by default.
(2) <-L>
View the list of rules of the specified table and chain.
(3) [chain name]
Lists the rules of one chain of the specified table: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING. If no chain is specified, the rules of all chains in the table are displayed.

3. Add, insert, delete, and replace iptables rules

iptables [-t table name] <-A | -I | -D | -R> chain name [rule number] [-i | -o NIC name] [-p protocol type] [-s source IP address | source subnet] [--sport source port number] [-d destination IP address | destination subnet] [--dport destination port number] <-j action>

For example:
iptables -t filter -I INPUT 3 -p tcp --dport 80 -j ACCEPT    # insert before the 3rd rule of the INPUT chain (the new rule becomes number 3)
iptables -t filter -I INPUT -p tcp --dport 80 -j ACCEPT      # insert before the 1st rule of the INPUT chain
iptables -t filter -R INPUT 3 -p tcp --dport 22 -j ACCEPT    # replace the 3rd rule of the INPUT chain

Parameters are described as follows:
(1) [-t table name]
The table the rule applies to: filter, nat or mangle. If no table is specified, iptables uses the filter table by default.
(2) -A
Append a new rule at the end of the rule list; a rule number cannot be used with this parameter.
(3) -I
Insert a rule. The rule currently at the specified position and those after it are shifted down by one. If no rule number is specified, the rule is inserted before the first rule.
(4) -D
Delete a rule from the rule list. You can give either the complete rule or its rule number.
(5) -R
Replace a rule; the order of the list does not change. The number of the rule to be replaced must be specified.
(6) <chain name>
INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING.
(7) [rule number]
Rule numbers are used to insert, delete, and replace rules. They follow the order of the rule list; the first rule in the list is number 1.
(8) [-i | -o NIC name]
-i names the NIC the packet enters through, -o the NIC it leaves through. NIC names such as ppp0, eth0 and eth1 can be used.
(9) [-p protocol type]
The protocol the rule applies to: tcp, udp or icmp.
(10) [-s source IP address | source subnet]
IP address or subnet of the source host.
(11) [--sport source port number]
Source port of the packet.
(12) [-d destination IP address | destination subnet]
IP address or subnet of the destination host.
(13) [--dport destination port number]
Destination port of the packet.
(14) <-j action>
For the actions that process packets, see the action options above.
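Because -I, -D and -R take positional rule numbers, hard-coding a number is fragile once other rules have been inserted. The following added example (not part of the original article) looks the number up from a listing instead; the listing is a constructed sample in the format of `iptables -t filter -L INPUT -n --line-numbers`, and on a live host it would be replaced by that command's real output.

```shell
#!/bin/sh
# Added example (not from the original article): resolve a rule number from a
# `-L --line-numbers` listing so that -R / -D target the intended rule.
# SAMPLE_LISTING is a constructed sample of `iptables -t filter -L INPUT -n --line-numbers`.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
5    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# rule_num <listing> <proto> <dport>: print the number of the first rule for
# that protocol and destination port, or nothing if no rule matches.
# The port must be followed by end-of-line or a non-digit so that 80 does
# not match dpt:8080.
rule_num() {
    printf '%s\n' "$1" | awk -v p="$2" -v d="$3" \
        '$1 ~ /^[0-9]+$/ && $3 == p && $0 ~ ("dpt:" d "($|[^0-9])") { print $1; exit }'
}

# replace_cmd: build the -R command that swaps the port-80 ACCEPT for one
# restricted to NEW connections, keeping its position in the chain.
# Fails (non-zero) when the rule is absent instead of emitting a bogus number.
replace_cmd() {
    n=$(rule_num "$SAMPLE_LISTING" tcp 80) || return 1
    [ -n "$n" ] || return 1
    printf 'iptables -t filter -R INPUT %s -p tcp --dport 80 -m state --state NEW -j ACCEPT\n' "$n"
}

replace_cmd
```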

4. Clear rules and counters

When creating rules, you often need to clear the existing rules first so that they do not interfere with the new ones. Deleting many rules one by one is tedious; instead, the clearing parameters provided by iptables delete all rules at once.
The format is: iptables [-t table name] <-F | -Z>
Parameters are described as follows:
(1) [-t table name]
The table to operate on: filter, nat or mangle. If no table is specified, iptables uses the filter table by default.
(2) -F
Delete all rules in the specified table.
(3) -Z
Reset the packet counter and byte counter in the specified table to zero.

 

III. NAT

1. What is NAT

2. NAT types

1) Static NAT (SNAT) (LAN IP => WAN IP)
Static NAT is the simplest and easiest to implement: each host in the internal network is permanently mapped to a valid address in the external network.

2) Dynamic address NAT (pooled NAT, DNAT) (WAN IP => LAN IP)
(1) Dynamic address NAT defines a pool of valid external addresses and maps them to the internal network by dynamic allocation.
(2) Dynamic address NAT only translates IP addresses. It allocates a temporary external IP address to each internal IP address and is mainly used for dial-up; it can also be used for frequent remote connections.

3) Network address and port translation, NAPT (port-level NAT)
NAPT maps internal addresses to different ports of a single external IP address.
It is the most familiar form of translation and is widely used in access devices, since it can hide a small or medium-sized network behind one valid IP address. Unlike dynamic NAT, NAPT maps each internal connection to a single external IP address and adds a TCP port number chosen by the NAT device to that address.
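The SNAT/MASQUERADE and DNAT actions from the action table, applied to the nat table for a LAN behind one WAN interface. This is an added example, not from the original article: it prints the commands so they can be reviewed before root runs them, picks SNAT when the WAN address is static and MASQUERADE when it is dynamic, and uses the article's address values plus an assumed 10.0.0.0/24 subnet.

```shell
#!/bin/sh
# Added example (not from the original article): build nat-table rules.
# The LAN subnet is an assumption; the WAN address 222.101.98.54 and the
# LAN host 10.0.0.1 are the values used in the article's SNAT/DNAT rows.
LAN_NET="10.0.0.0/24"   # assumed internal subnet

# nat_rule <wan_if> [static_wan_ip]
# With a static WAN address use SNAT (fixed --to-source); without one the
# address is ISP-assigned, so MASQUERADE picks the interface's current address.
nat_rule() {
    wan_if="$1"; wan_ip="$2"
    if [ -n "$wan_ip" ]; then
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$LAN_NET" "$wan_if" "$wan_ip"
    else
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
            "$LAN_NET" "$wan_if"
    fi
}

# dnat_rule <wan_if> <tcp_port> <lan_ip>: publish one inbound TCP port to a
# LAN host. DNAT on PREROUTING only rewrites the destination; the FORWARD
# chain must still accept the traffic and net.ipv4.ip_forward must be 1.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$3" "$2"
}

nat_rule eth0 222.101.98.54   # static WAN address: SNAT
nat_rule ppp0                 # dial-up, dynamic address: MASQUERADE
dnat_rule eth0 80 10.0.0.1
```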

III. Rule order. Rules are applied from top to bottom; if none matches, the chain's default policy applies last.

IV. Differences between INPUT and OUTPUT

For INPUT rules:
--dport and -d refer to the local host's own port and address.
--sport and -s refer to the port and address of the remote initiator.
For OUTPUT rules:
--sport and -s refer to the local host's own port and address.
--dport and -d refer to the destination port and address.
