1. iptables command help information
1.1 Hands-on testing of iptables rules
1.1.1 Starting iptables and viewing its status
/etc/init.d/iptables start
iptables -L -n     or     iptables -L -n -v -x
Example Demo 1:
# iptables -V
iptables v1.4.7
# iptables -h
iptables v1.4.7

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]]
                                List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]]
                                Print the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in chain or all chains
  --zero    -Z [chain [rulenum]]
                                Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target     Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
[!] --proto       -p proto      protocol: by number or name, eg. `tcp'
[!] --source      -s address[/mask][...]
                                source specification
[!] --destination -d address[/mask][...]
                                destination specification
[!] --in-interface -i input name[+]
                                network interface name ([+] for wildcard)
  --jump          -j target     target for rule (may load target extension)
  --goto          -g chain      jump to chain with no return
  --match         -m match      extended match (may load extension)
  --numeric       -n            numeric output of addresses and ports
[!] --out-interface -o output name[+]
                                network interface name ([+] for wildcard)
  --table         -t table      table to manipulate (default: `filter')
  --verbose       -v            verbose mode
  --line-numbers                print line numbers when listing
  --exact         -x            expand numbers (display exact values)
[!] --fragment    -f            match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version     -V            print package version.
iptables -F    # flush all rules (the default policies are not touched)
iptables -X    # delete user-defined chains
iptables -Z    # zero the packet and byte counters of the chains
Example demo 2:
# iptables -F
# iptables --flush
# iptables -X
# iptables --delete-chain
# iptables -Z
# iptables --zero
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
1.1.3 Blocking rules
# Block the SSH port
(1) Find the SSH port of the current machine
# netstat -lntup | grep ssh
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2073/sshd
tcp        0      0 :::22                       :::*                        LISTEN      2073/sshd
(2) Block the current SSH port, here 22
Syntax: iptables -t [table] -[AD] chain rule-specification [options]
Actual commands:
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -t filter -A INPUT -p tcp --dport 22 -j DROP
Note:
1. iptables uses the filter table by default, so the two commands above are equivalent.
2. INPUT and DROP are written in upper case.
3. --jump -j target
   target for rule (may load target extension)
   Basic actions: ACCEPT, DROP (discard silently), REJECT (refuse, sending an error reply)
   Comparison: DROP is preferable to REJECT
4. Rules entered on the command line take effect only temporarily, in memory.
(3) Restoring the SSH connection that was just cut off
1) Go to the machine room and restart the system, or log in at the console and delete the rule that was just added
2) Have the machine-room staff restart the server, or have them log in with the username and password
3) Use the server's remote management card
4) Beforehand, create a scheduled task that stops the firewall every 5 minutes
5) Test thoroughly in a test environment first, write a script, then run it in batch
(4) The order of -I and -A: the firewall filters according to the order of the rules.
-A appends the rule to the end of the specified chain, making it the last rule.
-I inserts the rule at the beginning of the specified chain, making it the first rule; an insertion position can also be given.
To insert as the second rule:
# iptables -I INPUT 2 -p tcp --dport 8080 -j DROP
(5) Summary of ways to delete a rule:
1) iptables -D INPUT -p tcp --dport 8080 -j DROP
2) iptables -F    (deletes all rules)
3) iptables -D INPUT rulenum    (delete by rule number)
4) /etc/init.d/iptables restart    (rules configured on the iptables command line are only in effect temporarily)
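To make the first-match behaviour behind (4) and (5) concrete, here is an added example that is not code from the original post and does not call iptables at all: a small POSIX-shell simulator of one chain. Rules are constructed "proto:dport:target" strings; rule_append, rule_insert, rule_delete and rule_list stand in for -A, -I, -D chain rulenum and -L --line-numbers, and evaluate walks the chain from the top the way netfilter does, falling back to the chain policy when nothing matches.

```sh
#!/bin/sh
# Added example, not code from the original post: a first-match simulator for a
# single chain. Rules are constructed "proto:dport:target" strings; nothing here
# touches netfilter. The policy applies when no rule matches, like -P on a chain.
RULES=""          # newline-separated rule list, first line = rule 1
POLICY=ACCEPT     # default policy of the simulated chain

# iptables -A CHAIN ...: append the rule at the end of the chain
rule_append() {
    RULES="${RULES}$1
"
}

# iptables -I CHAIN [N] ...: usage rule_insert [N] RULE, N defaults to 1 (top)
rule_insert() {
    if [ $# -ge 2 ]; then pos=$1; rule=$2; else pos=1; rule=$1; fi
    new=""; n=0; inserted=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        if [ "$n" -eq "$pos" ]; then
            new="${new}${rule}
"; inserted=1
        fi
        new="${new}${line}
"
    done <<EOF
$RULES
EOF
    # a position just past the end behaves like -A
    [ "$inserted" -eq 1 ] || new="${new}${rule}
"
    RULES=$new
}

# iptables -D CHAIN N: delete the rule with number N
rule_delete() {
    new=""; n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        [ "$n" -ne "$1" ] || continue
        new="${new}${line}
"
    done <<EOF
$RULES
EOF
    RULES=$new
}

# iptables -L CHAIN --line-numbers: print the rules with their numbers
rule_list() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        printf '%d %s\n' "$n" "$line"
    done <<EOF
$RULES
EOF
}

# evaluate PROTO DPORT: the first rule that matches decides the verdict, as in
# netfilter; if none matches, the chain policy does. "all"/"any" are wildcards.
evaluate() {
    while IFS=: read -r proto port target; do
        [ -n "$proto" ] || continue
        if { [ "$proto" = all ] || [ "$proto" = "$1" ]; } &&
           { [ "$port" = any ] || [ "$port" = "$2" ]; }; then
            printf '%s\n' "$target"
            return 0
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$POLICY"
}

demo() {
    rule_append tcp:22:DROP             # iptables -A INPUT -p tcp --dport 22 -j DROP
    echo "ssh after -A DROP:     $(evaluate tcp 22)"
    rule_insert tcp:22:ACCEPT           # iptables -I INPUT -p tcp --dport 22 -j ACCEPT
    echo "ssh after -I ACCEPT:   $(evaluate tcp 22)"   # the inserted rule wins
    rule_delete 1                       # iptables -D INPUT 1
    echo "ssh after -D INPUT 1: $(evaluate tcp 22)"
    rule_list
}
case "${1:-}" in demo) demo ;; esac     # run with: sh chainsim.sh demo
```

Run "sh chainsim.sh demo" to see the verdict flip from DROP to ACCEPT after the -I and back after deleting rule 1; the same chain walked with a different rule order gives a different result, which is why an ACCEPT appended after a broad DROP never fires.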
2. Summary of knowledge points
1. Block the 10.0.0.0 network segment from connecting:
iptables -t filter -A INPUT -i eth0 -s 10.0.0.0/24 -j DROP
2. Block connections whose source address is not the single IP 10.0.0.101:
iptables -t filter -I INPUT -i eth0 ! -s 10.0.0.101 -j DROP
3. Block connections whose source address is not in the 10.0.0.0/24 network segment:
iptables -t filter -I INPUT -i eth0 ! -s 10.0.0.0/24 -j DROP
4. Block ping from source addresses that are not in 10.0.0.0/24:
iptables -t filter -I INPUT -p icmp --icmp-type 8 -i eth0 ! -s 10.0.0.0/24 -j DROP
5. Block port 3306:
iptables -A INPUT -p tcp --dport 3306 -j DROP
6. Matching rules
Match every protocol other than the specified one:
iptables -A INPUT ! -p tcp
Match a source host IP:
iptables -A INPUT -s 10.0.0.14
iptables -A INPUT ! -s 10.0.0.14
Match a network segment:
iptables -A INPUT -s 10.0.0.0/24
iptables -A INPUT ! -s 10.0.0.0/24
Match a single port:
iptables -A INPUT -p tcp --sport 53
iptables -A INPUT -p udp --dport 53
Match every port other than the specified one:
iptables -A INPUT -p tcp ! --dport 22
iptables -I INPUT -p tcp ! --dport 22 -s 10.0.0.123 -j DROP
Match a port range:
iptables -A INPUT -p tcp --sport 22:80
iptables -I INPUT -p tcp -m multiport --dport 21,22,23,24 -j ACCEPT
iptables -I INPUT -p tcp --dport 3306:8809 -j ACCEPT
iptables -I INPUT -p tcp --dport 18:80 -j DROP
Match ICMP types:
iptables -A INPUT -p icmp --icmp-type 8
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Match the specified network interface:
iptables -A INPUT -i eth0
iptables -A FORWARD -o eth0
Mnemonic:
[!] --in-interface  -i input name[+]
                    network interface name ([+] for wildcard)
[!] --out-interface -o output name[+]
                    network interface name ([+] for wildcard)
Match connection state:
-m state --state
NEW: a connection that is being started (its first packet)
ESTABLISHED: a connection that is already established
RELATED: a new connection started in relation to an existing one (e.g. an FTP data connection)
INVALID: illegal or unrecognized
7. Configure a corporate firewall
# iptables -F
# iptables -X
# iptables -Z
# iptables -A INPUT -p tcp --dport 22 -s 10.0.0.0/ -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
Allow legitimate sources in:
iptables -A INPUT -s 124.43.62.96/ -p all -j ACCEPT
iptables -A INPUT -s 192.168.1.0/ -p all -j ACCEPT
iptables -A INPUT -s 10.0.0.0/ -p all -j ACCEPT
iptables -A INPUT -s 203.83.24.0/ -p all -j ACCEPT
iptables -A INPUT -s 201.82.34.0/ -p all -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# others, e.g. the FTP protocol's related connections
# allow packets belonging to established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
8. Enterprise iptables interview question: handling a SYN flood with a custom chain
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
iptables -A syn-flood -j DROP
(--syn is an option of the tcp match, so -p tcp must be given on the jump rule; SYNs within the rate RETURN to INPUT, the excess is dropped.)
9. Two commands for sharing a LAN's Internet access:
Method 1, for a fixed external address:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.7
(1) -s 192.168.1.0/24 is the office or IDC internal network segment.
(2) -o eth0 is the gateway's external network interface.
(3) -j SNAT --to-source 10.0.0.19 is the gateway's external IP address.
Method 2, for a changing external address (ADSL):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE    (MASQUERADE: disguise the source as the gateway's current address)
10. Mapping to multiple external IP addresses
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.240.0 -o eth0 -j SNAT --to-source 124.42.60.11-124.42.60.16
iptables -t nat -A POSTROUTING -s 172.16.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 124.42.60.103-124.42.60.106
11. Redirect access to port 80 of 10.0.0.7 to 192.168.1.8 port 9000
iptables -t nat -A PREROUTING -d 10.0.0.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.8:9000
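Items 9 to 11 as a script, added here as an example that is not the post's own code. It wraps the SNAT, MASQUERADE and DNAT rules in functions using the page's addresses and interfaces, and adds two things the page leaves implicit: the gateway must have net.ipv4.ip_forward enabled, and a DNAT rule needs a matching FORWARD ACCEPT once the FORWARD policy is DROP. It also converts dotted masks such as 255.255.240.0 (item 10) to prefix lengths. Setting IPT="echo iptables" prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example, not the post's own script: LAN-gateway NAT rules from items 9-11
# wrapped in functions, plus a dotted-mask to prefix-length converter for masks
# written like 10.0.0.0/255.255.240.0 in item 10. Addresses and interfaces are
# the page's; set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"

# mask2prefix 255.255.240.0 -> 20. Returns 1 for a non-contiguous mask such as
# 255.0.255.0, which iptables would also reject.
mask2prefix() {
    prefix=0; ones_ended=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;; *) return 1 ;;
        esac
        # once an octet is not all ones, every following octet must be 0
        [ "$ones_ended" -eq 0 ] || [ "$bits" -eq 0 ] || return 1
        [ "$bits" -eq 8 ] || ones_ended=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

# Method 1, fixed public address: SNAT LAN traffic leaving WAN_IF to ADDR
# (ADDR may be a range such as 124.42.60.11-124.42.60.16, as in item 10).
gateway_snat() {   # gateway_snat LAN_NET WAN_IF ADDR
    $IPT -t nat -A POSTROUTING -s "$1" -o "$2" -j SNAT --to-source "$3"
}

# Method 2, dynamic public address (ADSL): MASQUERADE uses WAN_IF's current address.
gateway_masq() {   # gateway_masq LAN_NET WAN_IF
    $IPT -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

# Item 11: send connections for PUBLIC_IP:PORT to HOST:PORT on the LAN. The DNAT
# rule alone is not enough once the FORWARD policy is DROP, so the forwarded
# traffic is allowed explicitly (an addition, not on the page).
port_forward() {   # port_forward PUBLIC_IP PORT HOST:PORT
    $IPT -t nat -A PREROUTING -d "$1" -p tcp --dport "$2" -j DNAT --to-destination "$3"
    $IPT -A FORWARD -p tcp -d "${3%:*}" --dport "${3#*:}" -j ACCEPT
}

case "${1:-}" in
    apply)   # run as root: sh gateway.sh apply
        sysctl -w net.ipv4.ip_forward=1          # the gateway must route between its NICs
        gateway_snat 192.168.1.0/24 eth0 10.0.0.7
        port_forward 10.0.0.7 80 192.168.1.8:9000
        ;;
esac
```

With IPT="echo iptables" the apply branch is a harmless dry run; mask2prefix 255.255.240.0 prints 20, so item 10's first rule covers 10.0.0.0/20, i.e. 10.0.0.0 through 10.0.15.255.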
12. Save the iptables rules
iptables-save > /etc/sysconfig/iptables
13. Allow packets of related connections to pass (the FTP service is special and needs a stateful connection)
# allow packets of established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Analogy: at the cinema you may step out to the toilet or to take a phone call and be let back in.
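Items 7, 8 and 13 combined into one script, added as an example that is not the post's own firewall: a default-deny host firewall with loopback, the state match, the SYN-flood chain and a rate-limited ping rule. The management network, SSH port and WAN interface are assumed placeholders. The point of the script is its order: rules are rebuilt under an ACCEPT policy, the allow rules go in first, and only then does the INPUT policy become DROP, so an admin applying it over SSH is not locked out the way section 1.1.3 describes. IPT="echo iptables" gives a dry run.

```sh
#!/bin/sh
# Added example, not the post's own script: a default-deny host firewall built
# from the rules discussed on this page (loopback, management SSH, state match,
# ICMP rate limit, syn-flood chain), ordered so an admin on SSH is not cut off.
# MGMT_NET, SSH_PORT and WAN_IF are assumed placeholders; set IPT="echo iptables"
# for a dry run that prints the commands instead of loading them.
IPT="${IPT:-iptables}"
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"
WAN_IF="${WAN_IF:-eth0}"

apply_firewall() {
    # 1. Rebuild from a clean slate with an open policy, so that flushing rules
    #    while the policy is already DROP cannot strand the session.
    $IPT -P INPUT ACCEPT
    $IPT -F
    $IPT -X
    $IPT -Z

    # 2. Allow rules first: loopback, and traffic belonging to connections that
    #    are already established or related to one (FTP data channels included
    #    when ip_conntrack_ftp is loaded, see item 17).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. SYN-flood throttle in a user-defined chain: SYNs within the rate RETURN
    #    to INPUT and continue down the chain, the excess is dropped. The jump is
    #    placed before the service rules so every new connection passes through it.
    $IPT -N syn-flood
    $IPT -A syn-flood -m limit --limit 5000/s --limit-burst 200 -j RETURN
    $IPT -A syn-flood -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p tcp --syn -j syn-flood

    # 4. Services: SSH only from the management network; ping limited to 20 per
    #    minute with a burst of 6. Further service rules belong here.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -s "$MGMT_NET" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/min --limit-burst 6 -j ACCEPT

    # 5. Only now switch INPUT and FORWARD to DROP; everything not allowed above
    #    is discarded silently. Persist with: iptables-save > /etc/sysconfig/iptables
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in apply) apply_firewall ;; esac    # run as root: sh firewall.sh apply
```

Run it first as IPT="echo iptables" sh firewall.sh apply and read the printed sequence; the SSH ACCEPT appears before -P INPUT DROP, and the syn-flood jump appears before the service rules, which is the ordering the rest of the page builds up to.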
-m limit
--limit N/{second|minute|hour}: the allowed rate, N per unit of time, where the unit is seconds, minutes or hours
--limit-burst [n]: how many requests may pass at once as a burst; the default is 5 if not specified
Example: local address 172.16.14.1; allow the 172.16.0.0/16 network to ping this host, limited to no more than 20 requests per minute with a burst of no more than 6
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.14.1 -p icmp --icmp-type 8 -m limit --limit 20/min --limit-burst 6 -j ACCEPT
iptables -A OUTPUT -s 172.16.14.1 -d 172.16.0.0/16 -p icmp --icmp-type 0 -j ACCEPT
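What "20/min with a burst of 6" admits over time is easier to see on a timeline than in the option text, so here is an added example that is not from the original post: a constructed credit-bucket model of the limit match's documented behaviour (not netfilter code). Every matched packet spends one credit, a credit is earned every 60/N seconds, and at most the burst is banked.

```sh
#!/bin/sh
# Added example, not from the original post: a credit-bucket model of how
# "-m limit --limit N/minute --limit-burst B" admits packets. This is a
# constructed simulation of the match's documented behaviour, not netfilter
# code. Every matched packet spends one credit; one credit is earned every
# 60/N seconds, and at most B credits are banked, so an idle bucket lets a
# burst of B through and then admits one packet per 60/N seconds.
# Usage: limit_simulate RATE_PER_MINUTE BURST T1 T2 ...   (arrival times in
# whole seconds, non-decreasing). Prints one letter per packet: A = matched
# (here -j ACCEPT), D = not matched, so it falls through to the next rule.
# Rates above 60/minute would need sub-second units and are not modelled.
limit_simulate() {
    rate=$1; burst=$2; shift 2
    interval=$((60 / rate))       # seconds needed to earn one credit (20/min -> 3)
    max=$((burst * interval))     # bank capacity, expressed in seconds of credit
    credit=$max                   # the bank starts full
    last=0; out=""
    for t in "$@"; do
        credit=$((credit + t - last)); last=$t     # refill for the time elapsed
        [ "$credit" -le "$max" ] || credit=$max    # never bank more than the burst
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval)); out="${out}A"
        else
            out="${out}D"
        fi
    done
    printf '%s\n' "$out"
}

# The ping rule above: eight echo requests at once, two a few seconds later,
# then another burst a minute on. Prints AAAAAADDADAAAAAAD.
case "${1:-}" in
    demo) limit_simulate 20 6 0 0 0 0 0 0 0 0 3 4 60 60 60 60 60 60 60 ;;
esac
```

Reading the demo output: the first six requests use up the burst, the next two at the same second fall through (to DROP in a default-deny chain), one request three seconds later has earned a credit, the one a second after that has not, and after a minute of silence a full burst of six is available again.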
14. Configure Zebra routing on Linux:
client(config)# int eth0
client(config-if)# ip add 10.1.34.81 255.255.255.0
client(config-if)# int eth1
client(config-if)# ip add 110.233.24.96 255.255.255.224
client(config)# ip route 0.0.0.0 0.0.0.0 10.1.32.1
client(config)# ip route 110.233.24.96/ eth1
15. Common production scenarios for iptables:
1) A firewall for the server itself, using the filter table.
2) A LAN gateway, using the nat table; the gateway can also use the filter table as a firewall.
3) NAT functions, e.g. mapping an external IP (including port) to an internal server IP, using the nat table.
4) Others (omitted).
16. Related material
(1) Network segment and routing solution for production environments with more than 254 machines, part 01
http://v.youku.com/v_show/id_XNTAyMjAwMzI0.html
(2) The Linux route command explained in plain language with practical cases
http://oldboy.blog.51cto.com/2561410/1119453
17. Check whether the relevant modules are loaded
lsmod | egrep "nat|filter"
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
iptables rule ordering