Iptables Study Notes (Part 2)

Source: Internet
Author: User

Iptables standalone host configuration

1) View the current configuration

# iptables -L

-v: verbose output; adds the packet and byte counters of every rule, i.e. how much traffic each rule in the chain has matched so far.
-x: on top of -v, print the exact counter values instead of rounding them to K and M.
-n: numeric output; show IP addresses and port numbers instead of resolving them to host and service names (also much faster, since no DNS lookups are made).
-t <table>: list the rules of that table. Without -t only the filter table is shown; nat, mangle and raw have to be named explicitly.


2) Clear the existing rules

# iptables -F    Flush all rules from every chain of the default table (filter).

# iptables -X    Delete all user-defined chains of the default table (filter). A chain that is still referenced by a rule cannot be deleted, so run -F first.

# iptables -Z    Reset the packet and byte counters to zero.

Add -t nat (or mangle, raw) to do the same for another table. Note that -F does not touch the chain policies: if a policy is already DROP, flushing removes the ACCEPT rules and leaves the DROP policy in force.


3) Set the default policies

# iptables -P INPUT DROP       Drop every incoming packet that no rule in the chain accepts.

# iptables -P OUTPUT ACCEPT    Allow all outgoing packets by default.

# iptables -P FORWARD DROP     Drop all forwarded packets by default.

# iptables -t nat -P PREROUTING ACCEPT

# iptables -t nat -P POSTROUTING ACCEPT

# iptables -t nat -P OUTPUT ACCEPT

That is, forwarding is disabled unless a later rule allows it. Set the INPUT policy to DROP only after the rules that keep your own session alive are in place (loopback, RELATED,ESTABLISHED and the SSH rule below); doing it first over a remote connection locks you out of the machine.


4) Add rules


(INPUT chain configuration)


Open the web server port, 80:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT


Open the mail server ports, 25 (SMTP) and 110 (POP3):

# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# iptables -A INPUT -p tcp --dport 110 -j ACCEPT


Open the FTP server port, 21:

# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

(Port 20 is the active-mode data port; the server opens that connection itself, so an inbound --dport 20 rule on the server does nothing useful. For passive mode load the nf_conntrack_ftp helper and let a RELATED,ESTABLISHED rule accept the data connections.)


Open the DNS server port, 53:

# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

(Most DNS queries arrive over UDP, so the same rule with -p udp is needed as well; TCP alone only covers zone transfers and large responses.)


Open SSH remote login, port 22:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT


Allow SSH connections only from 192.168.1.100:

# iptables -D INPUT -p tcp --dport 22 -j ACCEPT      (first delete the rule that allows port 22 from everywhere; -D needs exactly the same specification the rule was added with)

# iptables -A INPUT -s 192.168.1.100 -p tcp --dport 22 -j ACCEPT


Allow loopback traffic, to avoid unnecessary trouble with local services that talk to each other over 127.0.0.1:

# iptables -A INPUT -i lo -j ACCEPT



(OUTPUT chain configuration)


Block some ports

# iptables -A OUTPUT -p tcp --sport 1234 -j DROP

(--sport matches the local side of an outgoing packet, so this stops a local service listening on port 1234 from sending anything out.)



(FORWARD chain configuration, when the host acts as a router)


The default policy of the FORWARD chain, set above, is DROP.

Enable forwarding for NAT (eth0 is the external interface, eth1 the internal one). Hosts on the internal side may open new connections; packets arriving from outside are only forwarded if they belong to a connection that already exists or is related to one:

# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT


Drop malformed TCP packets: a packet that starts a new connection (state NEW) but does not carry the SYN flag

# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP


Block access to a web site or to a range of addresses, e.g. www.baidu.com or 192.168.1.0/24:

# iptables -A FORWARD -d www.baidu.com -j DROP

# iptables -A FORWARD -d 192.168.1.0/24 -j DROP

(A hostname is resolved once, when the rule is added, and one rule is created per address returned. A site whose addresses change will not stay blocked, so prefer addresses or networks.)


Block forwarding of packets from a source address or a source network, e.g. 192.168.1.100 or 192.168.2.0/24:

# iptables -A FORWARD -s 192.168.1.100 -j DROP

# iptables -A FORWARD -s 192.168.2.0/24 -j DROP


Stop clients in 192.168.1.0/24 from using FTP through the router:

# iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 21 -j DROP


Blocking ports:

# iptables -A FORWARD -p tcp --dport xxx -j DROP

# iptables -A FORWARD -p tcp --dport yyy:zzz -j DROP


Allowing ports:

# iptables -A FORWARD -p tcp --dport xxx -j ACCEPT

# iptables -A FORWARD -p tcp --dport yyy:zzz -j ACCEPT

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -P FORWARD DROP

(xxx is a single port, yyy:zzz a port range. With the policy at DROP, the RELATED,ESTABLISHED rule is what lets the reply traffic through; add it before any DROP rules for the same traffic, otherwise the replies are dropped.)
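The INPUT and OUTPUT rules of sections 3 and 4 assembled into one ruleset, as an added example (not part of the original notes): the set is written in iptables-restore format so that policies and rules are loaded atomically and in a lock-out-safe order, and it includes a check that the RELATED,ESTABLISHED rule really precedes the SSH rule. Assumptions not taken from the page: the SSH management host is 192.168.1.100 (override with ADMIN_HOST), UDP 53 is added next to TCP 53 for DNS, ICMP is rate-limited and then dropped, and the set is loaded with iptables-restore rather than one iptables command at a time.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds the host firewall of
# sections 3 and 4 as an iptables-restore file. Assumed values: ADMIN_HOST.
ADMIN_HOST=${ADMIN_HOST:-192.168.1.100}

# Print the filter-table ruleset. Order matters: loopback and
# RELATED,ESTABLISHED are accepted first, so the SSH session that loads the
# set survives the INPUT DROP policy, and the INVALID / non-SYN drops come
# before any port is opened.
host_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,25,110,21 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p icmp -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -p tcp --sport 1234 -j DROP
COMMIT
EOF
}

# Line number of the first line matching PATTERN in the ruleset, 0 if absent;
# used to check rule ordering before anything is loaded.
rule_line() {
  n=$(host_filter_rules | grep -n -e "$1" | head -n 1 | cut -d: -f1)
  echo "${n:-0}"
}

# Number of rules appended to CHAIN.
rule_count() {
  host_filter_rules | grep -c -e "^-A $1 "
}

# Refuse a set that would cut off the admin session: the established rule
# must exist and sit above the SSH rule.
check_host_filter() {
  est=$(rule_line 'RELATED,ESTABLISHED')
  ssh=$(rule_line 'dport 22')
  [ "$est" -gt 0 ] && [ "$ssh" -gt 0 ] && [ "$est" -lt "$ssh" ]
}

# Syntax-check the set without touching the live tables, then load it
# atomically (needs root and iptables-restore; otherwise only report).
apply_host_filter() {
  if ! command -v iptables-restore >/dev/null 2>&1; then
    echo "iptables-restore not available; inspect the set with host_filter_rules" >&2
    return 2
  fi
  check_host_filter || { echo "refusing: SSH rule is not preceded by the established rule" >&2; return 1; }
  host_filter_rules | iptables-restore --test || return 1
  host_filter_rules | iptables-restore
}

check_host_filter && echo "ordering OK: established rule on line $(rule_line 'RELATED,ESTABLISHED'), SSH rule on line $(rule_line 'dport 22')"
```

Run apply_host_filter as root to install the set; iptables-restore --test parses the whole file first, so a typo in one rule no longer leaves the tables half-configured the way a sequence of individual iptables commands does. The set is printed by host_filter_rules and can be saved as-is for the service save/restore scripts mentioned at the end of these notes.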


NAT table configuration


Force all clients onto one web site, e.g. www.baidu.com:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.*

(The nat table has no FORWARD chain; destination rewriting is done in PREROUTING. 192.168.1.* is a placeholder for the address of the web server every client should land on.)


Block all connections to 192.168.1.10

# iptables -t nat -A PREROUTING -d 192.168.1.10 -j DROP

(This works, but only the first packet of a connection traverses the nat table, so rules that filter belong in the filter table: the FORWARD chain for traffic passing through the router, INPUT for traffic to the router itself.)


Block the FTP port (21)

# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

(Same remark: this is filtering and belongs in the filter table.)


Publish the web service of the intranet host 192.168.1.100: Internet users reach it through the router's external address (the address on eth0).

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

(DNAT only rewrites the destination; the FORWARD chain must also accept the packets, which it sees with the rewritten destination 192.168.1.100:80, or the DROP policy set above discards them.)


Block intranet address spoofing from the Internet (packets arriving on the external interface with a private source address):

# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP

# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP

# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP

(These are the three RFC 1918 ranges. Here too the filter table, INPUT and FORWARD chains, is the right place: the nat table only sees the first packet of each connection.)


Rewrite the source address of the intranet 192.168.0.0/24 to 1.1.1.1 (source NAT):

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1-1.1.1.10

The second form does the same, but picks an address from the pool 1.1.1.1-1.1.1.10. (1.1.1.1 is only an example value here; use an address that is actually routed to the router's external interface.)


Rewrite the destination address of packets arriving on eth0 to 192.168.0.1:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2:80

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1-192.168.0.10

The first sends port 80 to 192.168.0.1 with the port unchanged, the second maps external port 81 to port 80 on 192.168.0.2, and the third spreads port 80 over the pool 192.168.0.1-192.168.0.10.


Translate the source address of packets from 192.168.0.0/24 to the address of the outgoing interface (masquerading, i.e. dynamic source NAT):

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE


ADSL dial-up Internet access (the public address lives on ppp0 and may change with every dial-up, which is exactly the case MASQUERADE is for; SNAT needs a fixed address):

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
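A NAT gateway that combines the nat-table rules of this section with the FORWARD rules they depend on, as an added example (not part of the original notes): it publishes the intranet web server with DNAT, masquerades the LAN, and puts the anti-spoofing and the FORWARD acceptance for the DNAT target in the filter table, where every packet passes. It also checks that each DNAT target has a matching FORWARD accept, the mistake that most often makes a published service unreachable. Assumptions not taken from the page: eth0 faces the Internet, eth1 the LAN 192.168.1.0/24, the published web server is 192.168.1.100, and SSH to the router is only accepted from the LAN (all overridable through the variables at the top).

```shell
#!/bin/sh
# Added example, not part of the original notes. Assumed values: WAN_IF,
# LAN_IF, LAN_NET and WEB_HOST below.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_HOST=${WEB_HOST:-192.168.1.100}

# Print the complete nat + filter ruleset in iptables-restore format.
nat_router_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the LAN web server on the router's external address.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
# Hide the LAN behind whatever address the external interface currently has.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Anti-spoofing lives in the filter table: every packet passes through it,
# whereas the nat table is consulted only for the first packet of a connection.
-A FORWARD -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A FORWARD -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A FORWARD -i $WAN_IF -s 192.168.0.0/16 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNAT only rewrites the destination; FORWARD sees the rewritten packet and
# still has to accept it, or the DROP policy above discards it.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Count rule lines (not comments or policies) matching PATTERN.
nat_rule_count() {
  nat_router_rules | grep -e '^-A' | grep -c -e "$1"
}

# Every DNAT target address must appear in an accepting FORWARD rule;
# the loop runs in a subshell, so 'exit 1' only fails the pipeline.
check_dnat_forwarded() {
  nat_router_rules | sed -n 's/.*-j DNAT --to-destination \([0-9.]*\).*/\1/p' |
  while read -r host; do
    nat_router_rules | grep -q -e "^-A FORWARD .*-d $host .*-j ACCEPT" || exit 1
  done
}

# Validate, enable forwarding, then load atomically (needs root).
apply_nat_router() {
  command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not available" >&2; return 2; }
  check_dnat_forwarded || { echo "a DNAT target has no FORWARD accept rule" >&2; return 1; }
  # Without this the FORWARD chain never sees a packet.
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  nat_router_rules | iptables-restore --test || return 1
  nat_router_rules | iptables-restore
}

check_dnat_forwarded && echo "every DNAT target is accepted in FORWARD"
```

MASQUERADE is used instead of SNAT so the same set works on a dial-up or DHCP uplink; on a link with a fixed address SNAT --to-source is cheaper, because MASQUERADE looks up the interface address for every new connection and drops its conntrack entries when the interface goes down.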


Matching by connection state: -m state --state <states>

States: NEW, RELATED, ESTABLISHED, INVALID

NEW: the packet starts a new connection, e.g. the first SYN of a TCP connection or the first packet of a UDP flow.

ESTABLISHED: the packet belongs to a connection that has already seen traffic in both directions.

RELATED: the packet starts a new connection that is tied to an existing one, which the conntrack helpers recognise. For FTP, once the control connection on port 21 is established, the data connection on port 20 (active mode) or on a negotiated port (passive mode) is RELATED. ICMP errors that refer to an existing connection are RELATED as well.

INVALID: the packet cannot be associated with any known connection, or is malformed.


Allow every packet that belongs to an established connection, or is related to one, to pass:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


Drop invalid packets:
# iptables -A INPUT -m state --state INVALID -j DROP
# iptables -A OUTPUT -m state --state INVALID -j DROP
# iptables -A FORWARD -m state --state INVALID -j DROP


Matching by source MAC address: -m mac --mac-source <MAC>

Drop packets coming from a given MAC address (only meaningful for packets entering on a local Ethernet interface, i.e. in PREROUTING, INPUT and FORWARD; the address seen is that of the last hop, not of the original sender)

# iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP

Matching by packet rate: -m limit --limit <rate> [--limit-burst <count>]

Match packets at a given rate:
# iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT


Limit the IP fragments that are processed, to prevent fragment-based attacks; at most 100 fragments per second (-f matches the second and later fragments):

# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

Rate-limit ICMP: one packet per second, with a burst of 10 before the limit kicks in:

# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

limit is a match, not a cap: it matches packets up to the given rate (a token bucket holding --limit-burst tokens, refilled at --limit). Packets beyond that rate simply do not match this rule and continue down the chain, so to actually drop the excess, a DROP rule for the same traffic must follow the ACCEPT.
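To make the "match, not cap" point concrete, here is an added example (not from the original notes) that simulates what -m limit --limit R/s --limit-burst B does to a stream of packet arrival times. It models the match as a token bucket of capacity B refilled at R tokens per second, one token per matched packet, which is the documented behaviour; reproducing the kernel's exact credit arithmetic is not attempted, and the arrival times are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the original notes: token-bucket model of the
# limit match. Usage: limit_matches RATE_PER_SECOND BURST t1 t2 ...
# where t1..tn are packet arrival times in milliseconds, non-decreasing.
# Prints the number of packets the limit match accepts; the remainder do
# not match and fall through to the next rule in the chain.
limit_matches() {
  rate=$1; burst=$2; shift 2
  # Tokens are scaled by 1000 so the per-millisecond refill stays integer:
  # R tokens per second is R scaled units per millisecond.
  cap=$((burst * 1000))
  tokens=$cap        # the bucket starts full, which is where the initial burst comes from
  last=0
  matched=0
  for t in "$@"; do
    tokens=$((tokens + rate * (t - last)))
    [ "$tokens" -gt "$cap" ] && tokens=$cap
    last=$t
    if [ "$tokens" -ge 1000 ]; then
      tokens=$((tokens - 1000))
      matched=$((matched + 1))
    fi
  done
  echo "$matched"
}

# Constructed input: N packets arriving every STEP milliseconds from t=0.
packet_times() {
  n=$1; step=$2; i=0; out=""
  while [ "$i" -lt "$n" ]; do
    out="$out $((i * step))"
    i=$((i + 1))
  done
  echo "$out"
}

# 20 pings in the same millisecond against --limit 1/s --limit-burst 10:
# 10 match, the other 10 reach the next rule (which is why that rule must DROP).
limit_matches 1 10 $(packet_times 20 0)
# The same 20 pings spread 100 ms apart: 11 match, because one token is
# refilled during the first second.
limit_matches 1 10 $(packet_times 20 100)
```

Only the ICMP pair above (the limit ACCEPT followed by an unconditional DROP for the same traffic) turns this into an actual cap; with the ACCEPT alone, the non-matching packets are judged by whatever rule or policy comes next.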


Multi-port matching: multiport

-m multiport <--sports | --dports | --ports> port1[,port2,...,portn]
Matches several ports in one rule: --sports are source ports, --dports destination ports, --ports either.
# iptables -A INPUT -p tcp -m multiport --ports 25,110 -j ACCEPT

Note: it must be combined with -p tcp or -p udp, and up to 15 ports can be listed.


Reaching $IP3:80 from $IP1 through $IP2:80 (the client $IP1 connects to $IP2 on port 80 and is actually served by $IP3 on port 80)

Rewriting the destination and the source address

1) rewrite the destination address on the way in

# iptables -t nat -A PREROUTING -d $IP2 -p tcp --dport 80 -j DNAT --to-destination $IP3

2) rewrite the source address, so that $IP3 answers to $IP2 rather than directly to $IP1

# iptables -t nat -A POSTROUTING -d $IP3 -p tcp --dport 80 -j SNAT --to-source $IP2

3) rewrite the destination address of the reply

# iptables -t nat -A PREROUTING -s $IP3 -p tcp --sport 80 -j DNAT --to-destination $IP1

4) rewrite the source address of the reply

# iptables -t nat -A POSTROUTING -s $IP3 -p tcp --sport 80 -j SNAT --to-source $IP2

Rules 1 and 2 do the work; 2 is needed when $IP3 would otherwise route its replies around the NAT host, for example when $IP1 and $IP3 sit on the same subnet. Connection tracking undoes both translations on the reply packets by itself, and the nat table is not consulted for the reply packets of a tracked connection, so rules 3 and 4 are unnecessary and are never applied to that traffic.


Saving the rules

# service iptables save      (Red Hat style systems write the rules to /etc/sysconfig/iptables; elsewhere dump them with iptables-save and load them with iptables-restore)

Some commands

View the current connection tracking table:

# cat /proc/net/ip_conntrack      (older kernels; on current kernels the file is /proc/net/nf_conntrack, or use conntrack -L)


Restart the iptables service:

# service iptables restart


Enable SYN cookies, which defend against SYN flood attacks:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies


IP forwarding must be enabled when iptables is used as a NAT router:

# echo 1 > /proc/sys/net/ipv4/ip_forward

(Both settings are lost on reboot; put them in /etc/sysctl.conf to make them persistent.)

