Iptables Study Notes (Part 2)

Source: Internet
Author: User

Iptables host configuration

1) View the current configuration

# iptables -L

-v: verbose output, including the packet and byte counters of each rule (how many packets and how many bytes each rule in the chain has matched).
-x: on top of -v, print the exact counter values instead of the automatic K/M abbreviations.
-n: numeric output; print IP addresses and port numbers instead of resolving them to domain names and service names.

-t <table>: view the rules of the given table (filter is the default).

2) Clear the existing rules

Flush all rules from every chain of the default table (filter):

# iptables -F

Delete the user-defined chains in the default table (filter):

# iptables -X

Reset the packet and byte counters to zero:

# iptables -Z

3) Set the default policies

Drop by default every packet that no rule in the INPUT chain accepts:

# iptables -P INPUT DROP

Allow all outgoing packets by default:

# iptables -P OUTPUT ACCEPT

Drop all forwarded packets by default, that is, forwarding is not allowed unless a rule permits it:

# iptables -P FORWARD DROP

# iptables -t nat -P OUTPUT ACCEPT

4) Add rules

INPUT chain configuration

Open the web server port 80:

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Open the mail server ports 25 and 110:

# iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# iptables -A INPUT -p tcp --dport 110 -j ACCEPT

Open the FTP server ports 21 and 20:

# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# iptables -A INPUT -p tcp --dport 20 -j ACCEPT

Open the DNS server port 53:

# iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Open SSH remote login on port 22:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow SSH connections only from a specific source address (the address is not given in the notes; <trusted-ip> is a placeholder). Delete the rule that allows port 22 from everywhere first:

# iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# iptables -A INPUT -s <trusted-ip> -p tcp --dport 22 -j ACCEPT

Accept traffic on the loopback interface, to avoid breaking local services:

# iptables -A INPUT -i lo -j ACCEPT

OUTPUT chain configuration

Block some ports:

# iptables -A OUTPUT -p tcp --sport 1234 -j DROP

FORWARD chain configuration (forwarding)

The default policy of the FORWARD chain set above is DROP.

Enable forwarding when doing NAT:

# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Drop bad TCP packets (new connections that do not start with a SYN):

# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

Block access to a website or to certain IP addresses, such as www.baidu.com (the addresses are not given in the notes; <ip> is a placeholder):

# iptables -A FORWARD -d www.baidu.com -j DROP

# iptables -A FORWARD -d <ip> -j DROP

Block packets from a source IP address or from a range of addresses from passing through this host (<ip> and <network/prefix> are placeholders):

# iptables -A FORWARD -s <ip> -j DROP

# iptables -A FORWARD -s <network/prefix> -j DROP

Block FTP downloads for a given client (<client-ip> is a placeholder):

# iptables -A FORWARD -s <client-ip> -p tcp --dport 21 -j DROP

Block a single port xxx or a port range yyy:zzz:

# iptables -A FORWARD -p tcp --dport xxx -j DROP

# iptables -A FORWARD -p tcp --dport yyy:zzz -j DROP

Allow a single port xxx or a port range yyy:zzz, plus the replies of established connections:

# iptables -A FORWARD -p tcp --dport xxx -j ACCEPT

# iptables -A FORWARD -p tcp --dport yyy:zzz -j ACCEPT

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


Nat table configuration

Force all clients onto one website (www.baidu.com; the target 192.168.1.* is as written in the notes). The nat table has no FORWARD chain; destination NAT of incoming packets is done in PREROUTING:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.*

Block all connections to a given address (the address is not given in the notes; <ip> is a placeholder):

# iptables -t nat -A PREROUTING -d <ip> -j DROP

Block the FTP (21) port:

# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP

Publish the web service of an intranet host; Internet users reach it by connecting to the IP address of eth1 (<intranet-host> is a placeholder):

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <intranet-host>:80

Prevent private addresses being spoofed from the Internet side (no private source address may come in on eth0; one rule per private range, the ranges are not given in the notes). The nat table only sees the first packet of each connection, so such drops are normally placed in the filter table's INPUT or FORWARD chain instead:

# iptables -t nat -A PREROUTING -i eth0 -s <private-range> -j DROP

Change the source address of intranet packets to 1.1.1.1 (SNAT; the intranet network is not given in the notes):

# iptables -t nat -A POSTROUTING -s <intranet-network> -j SNAT --to 1.1.1.1

Same as above, but using an address pool (the end of the range is not given in the notes):

# iptables -t nat -A POSTROUTING -s <intranet-network> -j SNAT --to 1.1.1.1-<last-ip>

Change the destination address of packets that come in on eth0 (the new addresses are not given in the notes; <ip> is a placeholder):

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to <ip>

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to <ip>:80

Translate the source address of packets coming from a given network (masquerading, dynamic source NAT):

# iptables -t nat -A POSTROUTING -s <intranet-network> -j MASQUERADE

ADSL dial-up Internet access (masquerade on the ppp0 interface):

# iptables -t nat -A POSTROUTING -s <intranet-network> -o ppp0 -j MASQUERADE

Matching by packet state (state): -m state --state <state>

NEW: the packet starts a new connection (a connection request).

ESTABLISHED: the packet belongs to a connection that is already established.

RELATED: the packet belongs to a derived connection that conntrack associates with an existing one, for example FTP: after the control connection on port 21 is established, data is sent over port 20 or another port, and that data connection is RELATED.

INVALID: the packet cannot be associated with any connection or has no state; it is an invalid packet.

Allow all established connections and related data to pass:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Drop invalid packets:
# iptables -A INPUT -m state --state INVALID -j DROP
# iptables -A OUTPUT -m state --state INVALID -j DROP
# iptables -A FORWARD -m state --state INVALID -j DROP
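Putting sections 3 and 4 together with the state rules above, here is an added example (not from the original notes) that emits the INPUT policy as an iptables-restore rule set in an order that actually works: loopback and RELATED,ESTABLISHED first, INVALID dropped, then the published services, and SSH only from a trusted source. It assumes a placeholder trusted address (203.0.113.10, from the TEST-NET-3 range) and goes slightly beyond the notes by also opening UDP 53, which DNS needs.

```shell
#!/bin/sh
# Added example (not from the original notes): emit the INPUT policy from the
# notes as an iptables-restore rule set, ordered so that it actually works.
# Assumed placeholder: the trusted SSH source address (TEST-NET-3 range).
TRUSTED_SSH_SRC="${TRUSTED_SSH_SRC:-203.0.113.10}"

build_input_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first, otherwise local services break under policy DROP
-A INPUT -i lo -j ACCEPT
# 2. replies to tracked connections, before any per-port rule
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. packets conntrack cannot place in any connection
-A INPUT -m state --state INVALID -j DROP
# 4. new connections only as proper SYNs, to the published services
-A INPUT -p tcp --syn -m state --state NEW -m multiport --dports 80,25,110,21,20 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# 5. SSH only from the trusted source; anything else hits policy DROP
-A INPUT -s ${TRUSTED_SSH_SRC} -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Line number of the first rule matching a pattern, 0 when absent, so the
# ordering invariants can be checked before anything is loaded.
rule_index() {
    n=$(build_input_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# With --apply as root, load atomically (iptables-restore replaces the whole
# table in one step, so there is never a half-built chain in effect);
# otherwise just print the rule set for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    build_input_rules | iptables-restore
else
    build_input_rules
fi
```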

Matching by source MAC address (mac): -m mac --mac-source <MAC>

Block packets from a given MAC address from passing through this host (xx:xx:xx:xx:xx:xx is a placeholder):

# iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

Matching by packet rate (limit): -m limit --limit <rate> [--limit-burst <burst size>]

Match packets to a destination at a given rate (the destination is not given in the notes; <ip> is a placeholder):
# iptables -A FORWARD -d <ip> -m limit --limit 50/s -j ACCEPT

Limit the number of IP fragments processed, to resist fragment floods: at most 100 fragments per second are allowed.

# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

ICMP filtering: one packet per second is allowed, with a burst threshold of 10.

# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

Note that limit only matches packets up to the given rate; it is not a limit by itself. Packets above the rate simply fall through to the following rules, so a DROP rule after the limit rule is needed for the rate to actually be enforced.

Multi-port matching (multiport)

-m multiport <--sports | --dports | --ports> port1[,port2,...,portN]
Matches several ports in one rule; --sports matches source ports, --dports destination ports, and --ports either one.
# iptables -A INPUT -p tcp -m multiport --ports 110,<other-ports> -j ACCEPT

Note: it must be used together with the -p parameter.

$IP1 accesses $IP3:80 by way of $IP2:80 (the host holding $IP2 runs these rules)

Modify the destination address and the source address

1) Modify the destination address

# iptables -t nat -A PREROUTING -d $IP2 -p tcp --dport 80 -j DNAT --to-destination $IP3

2) Modify the source address

# iptables -t nat -A POSTROUTING -d $IP3 -p tcp --dport 80 -j SNAT --to-source $IP2

3) Modify the destination address

# iptables -t nat -A PREROUTING -s $IP3 -p tcp --sport 80 -j DNAT --to-destination $IP1

4) Modify the source address

# iptables -t nat -A POSTROUTING -s $IP3 -p tcp --sport 80 -j SNAT --to-source $IP2

Save the rules

# service iptables save

This writes the running rule set to the file the iptables service loads on restart; iptables-save prints the same rule set to standard output on any distribution.

Some other commands

View the current conntrack table (the tracked connections; newer kernels expose it as /proc/net/nf_conntrack):

# cat /proc/net/ip_conntrack
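To make the conntrack dump useful rather than just viewable, here is an added example (not from the original notes) that summarises it by protocol, TCP state and destination port and counts half-open entries. It assumes either the old ip_conntrack line layout or the newer nf_conntrack layout and uses constructed sample lines so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise a conntrack dump by
# protocol, TCP state and destination port. Handles the old
# /proc/net/ip_conntrack layout ("tcp 6 ...") and the newer
# /proc/net/nf_conntrack layout ("ipv4 2 tcp 6 ..."). The sample lines are
# constructed for an offline run; feed the real file on a live host.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=51234 dport=80 packets=12 bytes=1500 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=51234 packets=10 bytes=2000 [ASSURED] mark=0 use=1
tcp      6 110 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=40001 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=40001 mark=0 use=1
tcp      6 115 SYN_RECV src=198.51.100.7 dst=10.0.0.5 sport=40002 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=40002 mark=0 use=1
ipv4     2 tcp      6 86 TIME_WAIT src=192.168.1.11 dst=10.0.0.5 sport=51300 dport=80 src=10.0.0.5 dst=192.168.1.11 sport=80 dport=51300 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.12 dst=10.0.0.5 sport=5353 dport=53 src=10.0.0.5 dst=192.168.1.12 sport=53 dport=5353 mark=0 zone=0 use=2'

# Read a conntrack dump on stdin; print "count proto state dport", busiest first.
conntrack_summary() {
    awk '
    {
        # nf_conntrack prefixes each line with the L3 family; skip it if present
        proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
        state = "-"                      # UDP/ICMP entries carry no TCP state
        if (match($0, / (ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT|CLOSE_WAIT|LAST_ACK|TIME_WAIT|CLOSE|LISTEN|NONE) /))
            state = substr($0, RSTART + 1, RLENGTH - 2)
        dport = "-"
        if (match($0, /dport=[0-9]+/))   # first dport= is the original direction
            dport = substr($0, RSTART + 6, RLENGTH - 6)
        count[proto " " state " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Count half-open (SYN_RECV) entries on stdin: a sudden rise is exactly what the
# tcp_syncookies setting further down in the notes is meant to absorb.
half_open_count() {
    awk '$0 ~ / SYN_RECV / { n++ } END { print n + 0 }'
}

# Live usage (root): conntrack_summary < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
```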

Restart the iptables service:

# service iptables restart

Enable SYN cookies (protection against SYN floods):

# echo "1" > /proc/sys/net/ipv4/tcp_syncookies

IP forwarding must be enabled when iptables is used as a NAT router:

# echo "1" > /proc/sys/net/ipv4/ip_forward
