iptables host configuration
1) View the current configuration
# iptables -L
-v: verbose output; also shows, for each rule in the chain, the counters of packets and bytes that matched it.
-x: on top of -v, print the exact counters instead of abbreviating them with K and M.
-n: numeric output; show IP addresses and port numbers only, without reverse DNS or service name lookups.
-t <table>: view the rules of the given table (filter is the default).
2) Clear the existing rules
Flush all rules from every chain of the default table (filter):
# iptables -F
Delete the user-defined chains in the filter table (they must be empty, so run -F first):
# iptables -X
Reset the packet and byte counters to zero:
# iptables -Z
3) Set the default policies
Drop by default every packet that matches no rule in the INPUT chain:
# iptables -P INPUT DROP
Accept all outgoing packets by default:
# iptables -P OUTPUT ACCEPT
Drop all forwarded packets by default:
# iptables -P FORWARD DROP
# iptables -t nat -P PREROUTING ACCEPT
# iptables -t nat -P POSTROUTING ACCEPT
# iptables -t nat -P OUTPUT ACCEPT
That is, nothing is forwarded unless a FORWARD rule explicitly accepts it.
4) Add rules
INPUT chain configuration
Open port 80 for the web server:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Open ports 25 and 110 for the mail server:
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
Open ports 21 and 20 for the FTP server:
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
Open port 53 for the DNS server (queries normally arrive over UDP, so both protocols are needed):
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
Open port 22 for SSH remote login:
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allow SSH connections only from the host 192.168.1.100 (first delete the rule that opens port 22 to everyone):
# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -s 192.168.1.100 -p tcp --dport 22 -j ACCEPT
Allow the loopback interface, to avoid breaking local services:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
OUTPUT chain configuration
Block some ports:
# iptables -A OUTPUT -p tcp --sport 1234 -j DROP
FORWARD chain configuration (for forwarding)
The default policy of the FORWARD chain set above is DROP.
Enable forwarding when doing NAT (eth0 facing the Internet, eth1 facing the intranet; only the return traffic of existing connections is let in from eth0):
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard bad TCP packets (new connections that do not begin with a SYN):
# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Prohibit access to a website or to some IP addresses (e.g. www.baidu.com and 192.168.1.0/24):
# iptables -A FORWARD -d www.baidu.com -j DROP
# iptables -A FORWARD -d 192.168.1.0/24 -j DROP
(A host name in a rule is resolved once, when the rule is added; the rule does not follow later DNS changes.)
Prohibit packets from a source IP address or network from passing through (e.g. 192.168.1.100 and 192.168.2.0/24):
# iptables -A FORWARD -s 192.168.1.100 -j DROP
# iptables -A FORWARD -s 192.168.2.0/24 -j DROP
Prevent the clients in 192.168.1.0/24 from using FTP:
# iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 21 -j DROP
Blocking ports (xxx is a single port, yyy:zzz a port range):
# iptables -A FORWARD -p tcp --dport xxx -j DROP
# iptables -A FORWARD -p tcp --dport yyy:zzz -j DROP
Opening ports:
# iptables -A FORWARD -p tcp --dport xxx -j ACCEPT
# iptables -A FORWARD -p tcp --dport yyy:zzz -j ACCEPT
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -P FORWARD DROP
NAT table configuration
Force all clients to one web server (e.g. for www.baidu.com; 192.168.1.x stands for the server's address):
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.x
Block all connections to 192.168.1.10:
# iptables -t nat -A PREROUTING -d 192.168.1.10 -j DROP
Block the FTP port (21):
# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
(The nat table only sees the first packet of each connection; filtering rules normally belong in the filter table.)
Publish the web service of the intranet host 192.168.1.100: Internet users reach it through the IP address of eth1.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
Prevent intranet IP spoofing from the Internet (private source addresses must not arrive on the external interface):
# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
Rewrite the source address of the intranet 192.168.0.0/24 to 1.1.1.1 (SNAT):
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 1.1.1.1
Same as above, but using an address from the pool 1.1.1.1-1.1.1.10:
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 1.1.1.1-1.1.1.10
Rewrite the destination address of packets arriving on eth0 to 192.168.0.1 (DNAT):
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.2:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1-192.168.0.10
Translate the source address of packets from 192.168.0.0/24 to the address of the outgoing interface (masquerading, i.e. dynamic SNAT):
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
ADSL dial-up Internet access (ppp0 is the dial-up interface):
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Matching by packet state (state): -m state --state
States: NEW, RELATED, ESTABLISHED, INVALID
NEW: the packet starts a new connection (the first packet of a connection request)
ESTABLISHED: the packet belongs to a connection that has already seen traffic in both directions
RELATED: the packet starts a new connection that conntrack associates with an existing one; for FTP, for example, after the control connection on port 21 is established, the data is sent over port 20 or another port, and that data connection is RELATED
INVALID: the packet cannot be associated with any known connection or has no valid state
Allow all packets of established or related connections to pass:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Discard invalid packets:
# iptables -A INPUT -m state --state INVALID -j DROP
# iptables -A OUTPUT -m state --state INVALID -j DROP
# iptables -A FORWARD -m state --state INVALID -j DROP
Matching by source MAC address (mac): -m mac --mac-source MAC
Block packets from a given MAC address from passing through this host (xx:xx:xx:xx:xx:xx stands for the address):
# iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
Matching by packet rate (limit): -m limit --limit rate [--limit-burst count]
Match packets up to a given rate:
# iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT
Limit the number of IP fragments processed, to resist fragment attacks: at most 100 fragments per second are accepted.
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
ICMP packet filtering: one packet per second is accepted, with a burst of 10.
# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
limit only matches packets that are within the rate; it is not a "limit" by itself. Packets beyond the rate simply fail to match and fall through to the following rules or the chain's default policy, so pair it with a DROP rule or a DROP policy.
Multi-port matching (multiport)
-m multiport <--sports | --dports | --ports> port1[,port2,...,portN]
Matches several ports at once; --sports matches source ports, --dports destination ports, and --ports either one.
# iptables -A INPUT -p tcp -m multiport --ports 25,110 -j ACCEPT
(The two mail ports from above; list the ports comma-separated without spaces.)
Note: it must be used together with the -p parameter (tcp or udp).
Access $IP1 -> $IP2:80 -> $IP3:80 (a client at $IP1 connects to $IP2:80 and is actually served by $IP3:80)
Modify the destination address and the source address
1) Modify the destination address:
# iptables -t nat -A PREROUTING -d $IP2 -p tcp --dport 80 -j DNAT --to-destination $IP3
2) Modify the source address:
# iptables -t nat -A POSTROUTING -d $IP3 -p tcp --dport 80 -j SNAT --to-source $IP2
3) Modify the destination address:
# iptables -t nat -A PREROUTING -s $IP3 -p tcp --sport 80 -j DNAT --to-destination $IP1
4) Modify the source address:
# iptables -t nat -A POSTROUTING -s $IP3 -p tcp --sport 80 -j SNAT --to-source $IP2
(Connection tracking reverses the translations of steps 1 and 2 for the reply packets automatically; steps 3 and 4 only affect connections that $IP3 itself initiates from port 80.)
Save the rules
# iptables-save > /etc/sysconfig/iptables
(On RHEL/CentOS systems, service iptables save writes the same file.)
Some useful commands
View the current connection tracking table:
# cat /proc/net/ip_conntrack
(On newer kernels the file is /proc/net/nf_conntrack.)
Restart the iptables service:
# service iptables restart
Enable SYN cookies (protection against SYN floods):
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
IP forwarding must be enabled when iptables is used as a NAT router:
# echo 1 > /proc/sys/net/ipv4/ip_forward
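The rules from this page assembled into one ordered script, as an added example that is not part of the original page. It assumes eth0 faces the Internet, eth1 the intranet, the LAN is 192.168.1.0/24 and the admin host is 192.168.1.100 (all overridable through environment variables); setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original page): the page's rules in one ordered
# script. Assumed layout: eth0 = Internet side, eth1 = intranet side,
# LAN 192.168.1.0/24, admin host 192.168.1.100. IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.100}"

build_ruleset() {
    # 1. Flush before changing policies: setting -P INPUT DROP first would
    #    cut a remote session off if a later step fails.
    $IPT -F; $IPT -X; $IPT -Z; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    # 2. Loopback and conntrack rules first, so every later rule only has
    #    to deal with NEW connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m state --state INVALID -j DROP
        $IPT -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
        # new TCP connections must begin with a SYN
        $IPT -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
    done
    # 3. Anti-spoofing: private source ranges never arrive from the WAN.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
    # 4. Services on this host; SSH only from the admin host.
    for port in 80 25 110 21 20 53; do
        $IPT -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT
    # 5. Rate-limited ICMP; anything over the limit falls through to DROP.
    $IPT -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
    # 6. LAN -> WAN forwarding with masquerading; replies match step 2.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Apply only when explicitly asked (sh fw.sh apply), never when sourced.
if [ "${1:-}" = "apply" ]; then build_ruleset; fi
```

Run as root with the argument apply; ip_forward and tcp_syncookies still have to be set as shown above.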