Iptables Configuration Learning notes in Linux

Iptables is an excellent nat+ firewall tool under Linux, I use this tool to configure a flexible and strong firewall +nat system with the lower configuration of traditional PC, small have experience, see the Internet also have a lot of this article, but it seems to either say relatively little, or is relatively biased, content is incomplete , easy to mislead, I studied for a period of time iptables also used a lot, have a bit of experience, write for everyone's reference, but also prepare their own browsing.

The first thing to note is that the iptables operation is more than 2.4 of the kernel netfilter. So the Linux kernel needs more than 2.4. Its function and security is far more powerful than its predecessor Ipfwadm,ipchains, Iptables is roughly working in the OSI seven layer of two, three or four, its predecessors IPChains can not realize the TCP/UDP port and the definition and operation of MAC address, So I think ipchains should just work on the three floor.

Let's start with a brief overview of the NetFilter workflow, which is a packet (or packet, packet, my personal custom) when it arrives at the Linux network Interface (NIC) How to handle this package, Then we'll talk about how to use iptables to change or control the operation of this packet. NetFilter is divided into three tables, respectively, filter,nat,mangle, each table has a different chain of operations (chains). In the filter table, which is the table of his firewall function, three Chain are defined. respectively, Input,forward,output. That is, the packet into, forward, out of the definition of the three filter chain. The operation and control of this filter table is also an important means to implement the function of the firewall; in the NAT (Network address translation) table, which is the table that we use to implement address translation and port forwarding, With the definition of prerouting, postrouting,output three chains, we'll give a detailed description of these three chains, and the NetFilter mangle table is a custom table that includes the filter above and various chains in the NAT table. It allows us to do some custom operations, while the chains in this mangle table is in a preferred position in the netfilter processing process of the package, and there is a diagram that clearly depicts the processing process of the NetFilter package (which is excerpted from the Internet and who the author is, In this respect! In general, we do not use this mangle table, here we do not introduce.

You can see, prerouting this chain at the front, when a packet came to the Linux network interface before the mangle prerouting, then Nat prerouting, from the name of the chain we can see, This chain is to be passed before the route (pre-routing). Why do we have to go before the route? You can see this figure, there is a diamond section called routing, this routing part is the Linux route box, that is, the routing system, it also has a very advanced function, can implement policy Routing and so some advanced features, here we do not do detailed explanation. This prerouting chain, because in this chain we operate on the package is Dnat, that is to change the destination address and (or port), is usually used in the port forwarding, or NAT to the DMZ area of the intranet, which means that when a package comes over we have to change its destination address, we can think about, If a package before changing the destination address is thrown into the route box, so that the system to choose a good road and then change the destination address, then choose the road may be wrong, or meaningless, so, prerouting this chain must be done before entering routing. For example, our public network IP is 60.1.1.1/24, located in Linux eth0, intranet IP is 10.1.1.1/24 located in Linux eth1, our intranet has a Web server, address is 10.1.1.2/24, How can we allow Internet users to access our internal Web server through this public network IP? We can define a rule on the prerouting chain, change the destination address of the user accessing 60.1.1.1:80, change it to 10.1.1.2:80, so that the Internet users access the intranet server, of course, This port is more flexible, we can define the forwarding of any one port, not necessarily 80–>80, the specific command we described in the following example, here we only talk about the process and the concept of implementation methods.

OK, we go down, this package has passed two prerouting chain, this time, there is a branch of the transition, that is, the diamond in the bottom of the map (FORWARD), forwarding! Here's a judgment on the destination address (it also shows that prerouting must be in the first place, not just before Route box, even before the judgment of the destination address, because we might be able to go to a certain IP to go to our own IP rules, So Prerouting is the first to deal with this bag Chain)! If the package destination is native IP, then pack up, go into the input chain processing, and then enter the local process, if non-local, then enter the forward chain to filter, we do not introduce the input,output here to deal with, Because that is mainly for the local security of a processing, we mainly say to the forwarding of the filter and the implementation of NAT.

Forward here I would simply say that when Linux receives a destination IP address that is not a local package, Linux discards the package because by default, Linux's three-tier forwarding is turned off, and if you want to enable our Linux implementations to forward, You need to turn on this forwarding function to change one of its system parameters, using the Sysctl net.ipv4.ip_forward=1 or echo 1″>/proc/sys/net/ipv4/ip_forward command to turn on forwarding. OK, here we have Linux allow forwarding, the destination address of this package is not native, then it will go into the forward chain, in the forward chain, we can define the detailed rules, that is, whether to allow him to pass, or to the package of the direction of the process to make some changes, This is also where we implement access control, here is also Mangle_forward and then Filter_forward, we operate any chain will affect the fate of this package, in the following introduction, we ignore the mangle table, we basically do not have to operate it, So let's assume it's transparent. Let's say this bag is passed by our rules, that is accept, it will go into the postrouting part, attention! Here I noticed a detail problem, that is, the image above the data packet after the forward chain directly into the postrouitng chain, I think this is missing a link, that is, Route box, for the forwarding of the package, Linux also needs to be routed (routing) before it can be sent out, this diagram does not indicate this, I think it is after the route box to enter the postrouitng, of course, this is not very important for us to discuss iptables filter forwarding, But I think the process has this problem, or to explain.

Similarly, we can see from the name here, this postrouting chain should be a chain after the route, that is, this package to send out the last part of Linux, this is also an extremely important link!! This time Linux is finished (has done. ^_^) The route to this package (routing work), has found the right interface to send out this package, in this chain we want to carry out an important operation, is called Snat by Linux is an action, modify the source IP address! Why modify the source IP address? A lot of things need to change the source address. The most common is our intranet multiple machines need to share one or several public network IP access to the Internet, because our intranet address is private, if let Linux to route out, the source address is unchanged, this package should be able to access to the destination, but not back, because n Multiple routing nodes on the Internet do not forward private address packets, that is, without legitimate IP, our packet has no return. Some people will say: "Since this is so, I do not use private IP, I have to allocate their own legal address not?" So the bag will come back? "The answer is no, the IP address is ICANN to allocate, your packet may be sent to your destination, but when you come back, it's not going to go to you, and the routing information on the routers on the Internet will send this back to the rightful place where you get the IP, and you won't receive it. And you this behavior may be defined as an IP spoofing, many devices will be such a packet on the access to filter out, may not be to the server you want to visit, hehe.

So how does Linux do snat? For example, a network of 10.1.1.11 pc access to the 202.2.2.2 of a Web server, Linux intranet interface 10.1.1.1 after receiving this package to the original PC ip10.1.1.11 change to 60.1.1.1 's legal address and then send out, at the same time in their own ip_conntrack table to make a record, remember which IP in the intranet which port to access the Web server, its source address changed to how many, the port changed to how much, So that when the Web server returns the packet, Linux sends it back exactly to the PC that sent the request.

General data forwarding process we're done, let's see what parameters iptables use to do these things.
Before describing these specific operations, I would also like to say a few of my understanding of the concept of iptables (may not be entirely correct), which will help you understand these rules for more precise control. As we mentioned earlier, the control of the package is implemented by adding different rules to the different chain (chains), such as adding a rule to the filter table to perform the manipulation of the package. So since call chain, must be one or more rules, then there is a problem, if multiple rules on the same package to define, what will happen? In chain, all the rules are executed from top to bottom, that is, if the first row is matched, follow the rules in the first row and go down one line until you find a rule that matches the package of that type. What if you find a rule that doesn't match the package? Itpables There is a concept, that is, policy, that is, strategy. One said this thing everyone may feel more trouble, what strategy, I understand it is called this strategy is the last rule in chain, that is, if you find the same deal with the rules of dealing with this package, according to policy to do. It's much easier to understand. Iptables uses-p to set the chain policy.

Well, let's get to the point, say iptables how to achieve the control of the package

The

First describes how Iptables operates a chain
on a chain,-I (insert)-A (append)-R (replace)-D (delete)-L (List display)
This is to say that I will put the rule in the first line, and-a will be on the last line.
For example we want to add a rule to the FORWARD chain of the filter table
iptables-t filter-a forward-s 10.1.1.11-d 202.1.1.1-j ACCEPT
The above command means: Append a gauge To the end of the forward chain in the filter table, allow (-j ACCEPT) The source address is 10.1.1.11 The destination address for the 202.1.1.1 packet pass. where T is followed by the table name, followed by the chain name, followed by the lowercase-s as the source address,-D as the destination address, and-j as the processing direction.
in iptables, the default table name is filter, so this can be omitted from-t filter written directly: Iptables-a forward-s 10.1.1.11-d 202.1.1.1-j ACCEPT

Matching parameters in Iptables:
We'll introduce several commonly used parameters here, and in detail you can look at the online documentation for man iptables and you'll have an unexpected gain.
-S match Source address
-D Match Destination Address
-P Protocol Matching
-I-Enter interface matching
-O Outbound interface matching
–sport,–dport Source and destination ports match
-j jump, which is the direction of the package
There's one more! parameter, use! is to take the opposite meaning. Let's briefly give a few examples to introduce.
-S This parameter is the specified source address, if you use this parameter to tell NetFilter how to deal with a package that matches such a source address, you can specify a single unicast IP address, or you can specify a network, if a single IP address implicitly implies a 32-bit subnet mask, Like-s 10.1.1.11 is actually the-s 10.1.1.11/32 also we can specify different masks to implement the rules of the source network address, such as a class C address we can specify with the-s 10.1.1.0/24.
The-d parameter is the same as the-s format.
The-i parameter is a network interface that specifies the interface, such as I only allow packets from the Eth3 interface to pass through the FORWARD chain, so you can specify Iptables-a forward-i eth3-j
-O is out of the interface, with the same.

We use a few simple examples to see the specific configuration method of the iptables.

Example one: A simple NAT router

Environment Introduction:
Linux 2.4 +
2 Network Interfaces
LAN Port: 10.1.1.254/24 eth0
Wan Port: 60.1.1.1/24 eth1
Objective: To realize the controllable access to the Internet by the nodes in the intranet (10.1.1.0/24).

First, point the LAN's node PC gateway to 10.1.1.254
Make sure that your Linux IP is configured correctly and that you can properly ping the address inside and out. Also use the route command to view the Linux local routing table, confirming that the default gateway provided by the available ISP is specified.
Use Sysctl net.ipv4.ip_forward=1 to turn on the forwarding function of Linux.

Iptables-p FORWARD DROP
Set the policy of the forward chain to drop, so that the purpose is to control the IP on the intranet, which one can add a rule if you allow access to the Internet, and no IP in the rule will be able to access the Internet.

Iptables-a forward-m state–state established,related-j ACCEPT
This rule provides for the approval of any address to any address of the confirmation package and the associated package passed. Be sure to add this one, otherwise you will only allow LAN IP access is not used, as for why, the following we say in detail.

Iptables-t nat-a postrouting-s 10.1.1.0/24-j snat–to 60.1.1.1
This rule makes a snat, which is the source address translation, converts the address from 10.1.1.0/24 to 60.1.1.1

With these few rules, a simple NAT router is implemented. Then you can add the IP that allows access to the forward chain, and they can access the Internet.

For example, I would like to have 10.1.1.9 this address to the Internet, then you can add the following command on it.
Iptables-a forward-s 10.1.1.9-j ACCEPT

can also accurately control his access address, such as I allow 10.1.1.99 access to 3.3.3.3 this IP
Iptables-a forward-s 10.1.1.99-d 3.3.3.3-j ACCEPT

Or only allow them to access port 80.
Iptables-a forward-s 10.1.1.0/24-p tcp–dport http-j ACCEPT
More control can be done flexibly, or consult iptables's online documentation.

Instance two: Port forwarding

Environment Introduction:
Linux 2.4 +
2 Network Interfaces
LAN Port: 10.1.1.254/24 eth0
Web server:10.1.1.1:80 in LAN
FTP server:10.1.1.2:21 in LAN
Wan Port: 60.1.1.1/24 eth1
Objective: To carry out port forwarding for internal server to realize Internet User Access intranet server

Also confirm that your Linux configuration is normal, and can access the intranet.
Iptables-p FORWARD DROP
Iptables-a forward-m state–state established,related-j ACCEPT
It is also necessary to include the approval package and the associated package.

If you want to forward a 60.1.1.1:80 packet to a LAN Web server, use the following command
Iptables-t nat-a prerouting-d 60.1.1.1-p tcp–dport 80-j dnat–to 10.1.1.1:80
The FTP service also has the following commands:
Iptables-t nat-a prerouting-d 60.1.1.1-p tcp–dport 21-j dnat–to 10.1.1.2:21

OK, the command is complete, port forwarding also done, this example can forward it? No, why not? I'll analyze it in detail below. For the iptables seems to be access to the configuration is relatively easy, and the internal forwarding seems to have some problems, in the beginning of the first I said some of the netfilter process issues, then I simply said that the configuration after doing so why may not it?

There are a number of reasons why this configuration failed, and we have to say:
First, in this case, our forward strategy is drop, so in other words, no compliant package will be discarded, whether inside or outside, we still do not discuss the confirmation package and the associated package, we do not have to consider his question, I will say in detail about this thing, So how do you make this case successful? Add the following rule.
Iptables-a forward-d 10.1.1.1-p tcp–dport 80-j ACCEPT
Iptables-a forward-d 10.1.1.2-p tcp–dport 21-j ACCEPT
Do you feel some dizzy? Why is the destination address 10.xxx instead of 60.xxx people internet users are not visited 60.xxx? Oh, go back to look at the map, forward chain in what position, it is after prerouting, that is, when the packet reached the forward chain, the destination address has become 10.xxx, if the request of Internet users is so 202.1.1.1 : 1333–>60.1.1.1:80, after passing our prerouting chain will become 202.1.1.1:1333–>10.1.1.1:80, this time if you set a destination address of 60.xxx rules useful? Oh, this is a question. This time should be able to complete the port forwarding access, but some time or not? Why? See question two.
Second, intranet server IP configuration problem, here we take the Web server as an example to illustrate (FTP situation has some special, the following we discussed in detail, said to confirm the package and the associated package when discussing this issue), said above, sometimes can visit, sometimes not, is this web Server's IP Setup problem, if the Web server does not specify a default gateway, the Web server will receive requests for the Internet after the above configuration, but he doesn't know where to go. People's Local routing table does not know your Internet ip,202.1.1.1 how to go. If you use the Truncation tool to view the Web server, you will find that the server received a request from 202.1.1.1:1333–>10.1.1.1:80, because you did not configure the default gateway to the Web server, it does not know how to go back, So there was a situation where there was no communication. What do we do? Two solutions: one is to configure a default gateway to this server, of course, to point to this configuration port forwarding Linux, this example is 10.1.1.254, configured well, you must be able to access. Have a question? Don't you need to set a rule on the forward chain that allows Web server IP addresses to access the extranet? Can it get out of the bag? The answer is yes, can go out. Because our one allows you to confirm the rules of the package and associated packages, it is not going to get out of the way. The second approach is more cumbersome, but it seems safer for the server. The way to do this is to snat the package again, which is to add the rules to the postrouting chain. The order is as follows:
Iptables-t nat-a postrouting-d 10.1.1.1-p tcp–dport 80-j snat–to 10.1.1.254
The FTP method is the same. This order is not very understood. In fact, if you use this command, then your Web server will not need to set a default gateway, you can receive this request, as long as he and Linux LAN IP address is able to exchange visits (that is, Web server and Linux LAN IP in a broadcast domain), We are based on the above NetFilter flow chart to analyze how the package is how we are, first of all, a request 202.1.1.1:1333–> 60.1.1.1:80 was received by Linux, into the prerouting, found a rule (iptables -T nat-a prerouting-d 60.1.1.1-p tcp–dport 80-j dnat–to) match, OK, change your destination address, so this bag becomes 10.1.1.1:80. 1:80, continue to go forward, into the FORWARD chain, okay, there is also a rule allows through (iptables-a forward-d 10.1.1.1-p tcp–dport), into the 80-j box selection, find the right path, Keep going into the postrouting chain, yes? Also found a compliance rule (iptables-t nat-a postrouting-d 10.1.1.1-p tcp–dport 80-j snat–to), originally a 10.1.1.254, changed your source address, so this bag became 10 .1.1.254:xxxx–>10.1.1.1:80. Why use XXXX, the port here is random, I do not know what will be. And the entire two changes in the process will be recorded in the Linux Ip_conntrack, when the Web server received this package, found that the original is a network of their own brothers to the request, and in a broadcast domain, do not find a gateway, the return package directly to the switch, After receiving the return package, Linux returns the real Internet user by two transformations based on the entries in his ip_conntrack, and completes this visit.
Look at the above two examples, do not know if you are aware of the iptables forwarding process, I hope to help you, we will say that I have been mentioned above on the established,related of the rule is how, in the end what is the use. Say this thing to simply say the network data communication way, we know that the network access is two-way, that is, a client and server to complete data exchange between the two sides of the contract and receive the package. In NetFilter, there are several states, namely new, Established,related,invalid. When a client, in the example of this article, the intranet of a machine access to the extranet, we set the rules allow him to go out, but there is no set to allow the return rule ah, how to complete the visit? This is the state mechanism of NetFilter, when a LAN user through this Linux access to the extranet, it sent a request package, the state of the package is new, when the extranet back to the package when his state is established, so, Linux know, Oh, The packet was sent out by a machine in my intranet and he released it. When the extranet tries to initiate a new connection internally, his state is new, so Linux doesn't even bother about it. That's why we want to add this sentence. And that related, he is a state of association, what will be used? TFTP,FTP will be used because their transport mechanism determines that it is not like HTTP access, client_ip:port–>server:80 then Server:80–>client_ip:port, FTP uses TCP21 to establish a connection, using 20 port to send data, there are two ways, one active active mode, a passive passive mode, active mode, the client uses the port command to tell the server which port I use to accept data, The server then initiates a request for this port. In passive mode, the server uses the port command to tell the client that it listens to the ports, and then the client initiates the data transfer to him, so this is a hassle for a firewall, because there may be a new state of the packet, but it is a reasonable request, This is the time to use this related state, he is an association, in Linux, there is a module called Ftp_conntrack, it can identify the port command, and then the corresponding ports to release.
At one breath wrote so many things, do not know the quality, we gather together and see it, hope that a lot of exchanges and common progress, I am still a beginner of Linux, it is inevitable that a lot of errors, I hope the master to make corrections, with a view to continuous improvement.
Yes, there are several practical (also more useful:-)) of the command parameters, written for your reference

Iptables-l-N
Such a list will skip Linux domain lookup, sometimes use iptables-l will be slower, because Linux will try to resolve IP domain name, really wordy, if your DNS server is not good, iptables-l will make you very uncomfortable, It would be nice to add a-n parameter. The list is brushed out. Of course, if your Linux is to do firewall, suggest to remove nameserver, in/etc/resolve.conf inside, because sometimes use route command will also be more slowly listed, very uncomfortable.

Iptables-l-V
This command will show the chain of the rules of the packet and the number of flowmeters, hey, look at which kids use the flow so much, with TC limit him.

Cat/proc/net/ip_conntrack
See the current conntrack, may be more oh, preferably add a |grep "keyword" to see you interested in link tracking

Wc-l/proc/net/ip_conntrack
Take a look at the total number of links.

Iptables-save >/etc/iptables
All the current chain back up, the reason is put under the/etc called Iptables, because so when the machine will automatically load all the chain, often back up, otherwise, if the chain more, in case of electricity to restart, you will still be more painful.

See some configuration examples below

For some reason, in order to allow their machines to be able to access the Internet must be through a colleague of an IP 192.168.1.34

Native IP is 192.168.1.54

There is also a machine IP for 192.168.1.44

Colleague 192.168.1.34 added a routing table

Iptables-t nat-a postrouting-s 192.168.1.54-o eth0-j SNAT--to 192.168.1.34

My 192.168.1.54 can either set the gateway gateways of this machine to 192.168.1.34 and then surf the Internet.

So I tried to send my 192.168.1.44 packets through 192.168.1.54 to the 192.168.1.34 on the Internet.

Iptables-t nat-a postrouting-s 192.168.1.44-o eth0-j SNAT--to 192.168.1.54

In my native (192.168.1.54) to execute the above command, the Internet can theoretically be

See Iptables's NAT table information as follows

debian:~# iptables-t Nat-l
Chain prerouting (Policy ACCEPT)
Target Prot opt source destination

Chain postrouting (Policy ACCEPT)
Target Prot opt source destination
SNAT All--2013-1022-1630.local anywhere to:192.168.1.54

Chain OUTPUT (Policy ACCEPT)
Target Prot opt source destination

But setting the gateway of 192.168.1.44 to 192.168.1.54 is not going to go on, it's depressing.

So try to modify the destination NAT

Iptables-t nat-d postrouting-s 192.168.1.44-o eth0-j SNAT--to 192.168.1.54//delete added source NAT

Add to

Iptables-t nat-a prerouting-s 192.168.1.54-i eth0-j dnat--to 192.168.1.44

Still not, but it's more interesting when I have an HTTP service on my 192.168.1.54, so I'm on the 192.168.1.44

HTTP requests are answered and all URLs are displayed for It works.

My local 80 port occupancy situation, I do have a small lighttpd HTTP server, feel a bit interesting.

debian:~# lsof-i:80
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Chrome 4065 zz 182u IPv4 1172731 TCP debian:33229->117.79.157.251:www (established)
Chrome 4065 zz 260u IPv4 1172394 TCP debian:54820->117.79.157.201:www (established)
LIGHTTPD 7536 Www-data 4u IPv6 905182 TCP *:www (LISTEN)

Accidentally found on the internet need to open

/proc/sys/net/ipv4/ip_forward

Perform

Echo 1 >/proc/sys/net/ipv4/ip_forward

Delete the forwarding above
Iptables-t nat-d prerouting-s 192.168.1.54-i eth0-j dnat--to 192.168.1.44

Re-add

Iptables-t nat-a postrouting-s 192.168.1.44-o eth0-j SNAT--to 192.168.1.54

192.168.1.44 can pass through the 192.168.1.54 and then through the 192.168.1.34 fluent Internet.

Some of the following online excerpts
The NAT table requires three chains:
1.PREROUTING: You can define the rules for the destination NAT here, because routers only check the destination IP address of the packet, so in order for the packet to be routed properly, we must do the destination NAT before routing;
2.POSTROUTING: The rules for source NAT can be defined here, and the system executes the rules in the chain after it determines the routing of the Packet.
3.OUTPUT: Defines the destination NAT rules for locally generated packets.

Several action options to use: (really in the context of uppercase)

REDIRECT redirects packets to a port on another host, typically with transparent proxies and some services in the open intranet.
Snat Source Address conversion, change the source address of the packet
Dnat Destination address conversion, changing the destination address of the packet
Masquerade IP Camouflage, only applicable to ADSL and other dynamic dial-up Internet IP Camouflage, if the host IP is statically allocated, use Snat

Prerrouting:dnat, REDIRECT (before routing) only supports-I and does not support-O. Modify the destination address before making a route
Postrouting:snat, Masquerade (after routing) only supports-O and does not support-I. Modify the source address after the route is made
The Output:dnat, REDIRECT (native) Dnat and REDIRECT rules are used to process outbound packets generated from the NAT host itself.

The configuration of different actions of NAT
1) Masquerade: IP Camouflage for dynamically allocating IP: Add a rule to the postrouting chain of the NAT table: all packets sent from the PPP0 port will be disguised (masquerade)

Iptables-t nat-a postrouting-o Ppp0-j Masquerade

To automatically implement NAT when the system starts, add the end of the/etc/rc.d/rc.local file
#echo "1" >/proc/sys/net/ipv4/ip_forward
#/sbin/iptables-t nat-a postrouting-o Ppp0-j Masquerade
2) SNAT: The general normal sharing of the Internet use this.
All packets from the Eth0 (external network card) from the source address to 61.99.28.1 (a network segment specified here, generally can not be specified)
Iptables-t nat-a postrouting-s 192.168.1.0/24-o eth0-j SNAT--to 61.99.28.1

3) Dnat: Destination NAT is used in smart DNS
Smart DNS: Is the client in the DNS entry, regardless of the input of any IP, will be directed to his server designated a dnsip up.
All packets from the destination port of 53 that were entered from the Eth0 (internal network card) before routing are sent to the 1.2.3.4 server for resolution.

Iptables-t nat-i prerouting-i eth0-p UDP--dport 53-j dnat--to-destination 1.2.3.4:53
Iptables-t nat-i prerouting-i eth0-p tcp--dport 53-j dnat--to-destination 1.2.3.4:53


4 REDIRECT: Redirect, this must be used in squid transparent agent
All data entered from eth1 into the 80 and 82 ports are forwarded to 80 ports and processed by squid.
Iptables-t nat-a prerouting-i eth1-p tcp-m multiport--dports 80,82-j REDIRECT--to-ports 80