Iptables Study Notes (Part 2)

Iptables machine configuration

1) view the current configuration

# Iptables-L

-V: Displays detailed information, including the number of matching packets for each rule and the number of matching bytes. The number of matching packets and flow meter of the rule in the chain is displayed.
-X: Auto unit conversion of K and M is prohibited on the basis of v)
-N: Only the IP address and port number are displayed, and the domain name and service name are not displayed.

-T:Table Name: view the rules of the corresponding table

2) Clear original rules

# Iptables-FClear all rule links in the filter of the preset table.

# Iptables-XClear the rules in the User-Defined chain in the filter of the preset table.

# Iptables-ZReturns the counter to zero.

3) set preset rules

# Iptables-p INPUT DROPBy default, data packets are discarded in addition to rules in the table.

# Iptables-p OUTPUT ACCEPTAllow all data packets by default

# Iptables-p FORWARD DROPAll Forwarding is discarded by default.

# Iptables-t nat-PPREROUTING ACCEPT

# Iptables-t nat-P POSTROUTING ACCEPT

# Iptables-t nat-P OUTPUT ACCEPT

That is, forwarding is not allowed.

4) Add Rules

INPUT chain configuration)

Enable the WEB server and port 80.

# Iptables-a input-p tcp -- dport 80-j ACCEPT

Enable email server and port 25,110

# Iptables-a input-p tcp -- dport 25-j ACCEPT

# Iptables-a input-p tcp -- dport 110-j ACCEPT

Enable FTP server and port 21

# Iptables-a input-p tcp -- dport 21-j ACCEPT

# Iptables-a input-p tcp -- dport 20-j ACCEPT

Enable DNS server and port 53

# Iptables-a input-p tcp -- dport 53-j ACCEPT

Enable SSH remote login and port 22

# Iptables-a input-p tcp -- dport 22-j ACCEPT

Only machines with 192.168.1.100 are allowed to perform SSH connection.

# Iptables-d input-p tcp -- dport 22-j ACCEPT Delete rules that allow all port 22 first

# Iptables-a input-s 192.168.1.100-p tcp -- dport22-j ACCEPT

Enable "loop" to avoid unnecessary troubles

# Iptables-a input-I lo-j ACCEPT

# Iptables-a input-I lo-j ACCEPT

OUTPUT configuration)

Disable some ports

# Iptables-a output-p tcp -- sport 1234-j DROP

FORWARDConfigure as forwarding)

The default rule for the above FORWARD chain is DROP.,

Enable the forwarding function when performing NAT)

# Iptables-a forward-I eth0-o eth1-m state -- stateRELATED, ESTABLISHED-j ACCEPT

# Iptables-a forward-I eth1-o eh0-j ACCEPT

Discard bad TCP Packets

# Iptables-a forward-p TCP! -- Syn-m state -- state NEW-j DROP

Prohibit Access to a website or some IP addresses such as www.baidu.com and 192.168.1.0/24)

# Iptables-AFORWARD-d www.baidu.com-j DROP

# Iptables-AFORWARD-d 192.168.1.0/24-j DROP

Prohibit a source ip address or a certain type of ip data packet from passing through the example 192.168.1.100, 192.168.2.0/24)

# Iptables-AFORWARD-s 192.168.1.100-j DROP

# Iptables-AFORWARD-s 192.168.1.2.0/24-j DROP

Disable FTP downloading for clients using 192.168.1.0/24

# Iptables-AFORWARD-s 192.168.1.0/24-p tcp-dport 21-j DROP

Congestion:

# Iptables-a forward-p tcp-dport xxx-j DROP

# Iptables-a forward-p tcp -- dport yyy: zzz-j DROP

Accessibility:

# Iptables-a forward-p tcp -- dport xxx-j ACCEPT

# Iptables-a forward-p tcp -- dport yyy: zzz-j ACCEPT

# Iptables-a forward-m state -- state RELATED, ESTABLISHED-j ACCEPT

Iptables-P FORWARD DROP

Nat table Configuration

Force all clients to access a website www.baidu.com)

# Iptables-t nat-a forward-I eth0-ptcp-dport 80-j DNAT-to 192.168.1 .*

Disable all connections to 192.168.1.10

# Iptables-t nat-a prerouting-d 192.168.1.1-jDROP

Disable FTP (21) Port

# Iptables-t nat-a prerouting-ptcp -- dport 21-j DROP

Publish Web Services for the host 192.168.1.100 in the Intranet. Internet users can access the Web Services of the host by accessing the IP address of eth1.

# Iptables-t nat-a forward-I eth0-ptcp-dport 80-j DNAT-to-destination 192.168.1.100: 80

Prevent Intranet IP Spoofing on the Internet (private ip connection prohibited)

# Iptables-t nat-a prerouting-I eth0-s 10.0.0.0/8-j DROP

# Iptables-t nat-a prerouting-I eth0-s 172.16.0.0/12-j DROP

# Iptables-t nat-a prerouting-I eth0-s 192.168.0.0/16-j DROP

Change the original address of the Intranet 192.168.0.0/24 to 1.1.1.1 for NAT

# Iptables-t nat-a postrouting-s 192.168.0.0/24-j SNAT -- to1.1.1.1

# Iptables-t nat-a postrouting-s 192.168.0.0/24-j SNAT -- to1.1.1.1-1.1.1.10

Same as above, but changed to an IP address in an address pool

Change the destination address of the packet that comes in from eth0 to 192.168.0.1.

# Iptables-t nat-a prerouting-I eth0-p tcp -- dport 80-jDNAT -- to 192.168.0.1

# Iptables-t nat-a prerouting-I eth0-p tcp -- dport 81-j DNAT -- to 192.168.0.2: 80

# Iptables-t nat-a prerouting-I eth0-p tcp -- dport 80-j DNAT -- to 192.168.0.1-192.168.0.10

Perform address conversion for packets whose source address is 192.168.0.0/24 (disguised as dynamic source address conversion)

# Iptables-t nat-a postrouting-s 192.168.0.0/24-j MASQUERADE

ADSL dial-up Internet access

# Iptables-t nat-a postrouting-s 192.168.1.0/24-o ppp0-j MASQUERADE

Matching by package statusState)-m state -- state

Status: NEW, RELATED, ESTABLISHED, INVALID

NEW: when a connection request is sent, the data packet status is NEW

ESTABLISHED: connection state. After the connection is ESTABLISHED

RELATED: derivative state. It is associated with conntrack, for example, FTP. After establishing a connection with port 21, send data through Port 20 or another port, and the data transmitted on Port 20 is RELATED)

INVALID: unable to identify which connection or no status, INVALID data packet

Allow all established connections or related data to pass through

# Iptables-AINPUT-m state -- state RELATED, ESTABLISHED-j ACCEPT

# Iptables-a output-m state -- state RELATED, ESTABLISHED-jACCEPT

Discard invalid connection
# Iptables-a input-mstate -- state INVALID-j DROP
# Iptables-a output-m state -- state INVALID-j DROP
# Iptables-a forward-m state -- state INVALID-j DROP

Match MAC by source mac)-M mac -- mac-source MAC

Block data packets from a MAC address and use the Local Machine

# Iptables-a forward-m -- mac-sourcexx: xx-j DROP

Match limit by packet rate)-M limit -- limit matching rate [-- burst buffer quantity]

L use a certain rate for data packet de-matching
# Iptables-a forward-d 192.168.0.1-m limit -- limit 50/s-j ACCEPT

Number of IP fragments processed to prevent attacks. Up to 100 IP fragments are allowed per second.

# Iptables-a forward-f-m limit -- limit 100/s -- limit-burst 100-j ACCEPT

L sets ICMP packet filtering. One packet is allowed per second. The trigger condition is 10.

# Iptables-a forward-p icmp-m limit -- limit 1/s -- limit-burst 10-j ACCEPT

Limit only matches data packets at a certain rate, not a "limit"

Multi-port matching multiport)

-M multiport <-- sports | -- dports | -- ports> Port 1 [, Port 2,..., port n]
Multiple ports can be matched at a time to distinguish between source ports, destination ports, or unspecified ports.
# Iptables-a input-p tcp-m multiports -- ports 110,-j ACCEPT

Note: It must be used with the-p parameter.

Access $ IP1 through $ IP2: 80 $ IP3: 80

Modify the destination address and Source Address

1) modify the destination address

# Iptables-tnat-a prerouting-d $ IP2-p tcp -- dport 80-j DNAT -- to-destination $ IP3

2) modify the source address

# Iptables-tnat-a postrouting-d $ IP3-p tcp -- dport 80-j SNAT -- to-source $ IP2

3) modify the destination address

# Iptables-tnat-a prerouting-s $ IP3-p tcp -- sport 80-j DNAT -- to-destination $ IP1

4) modify the source address

# Iptables-tnat-a postrouting-s $ IP3-p tcp -- sport 80-j SNAT -- to-source $ IP2

Save rule

# Iptables save

Some commands

View Link View Current conntrack

# Cat/proc/net/ip_conntrack

Restart the iptables service

# Service iptables restart

Enable SYN Buffer

# Echo "1">/proc/sys/net/ipv4/tcp_syncookies

The ip forwarding function must be enabled when iptable is used as a nat router)

# Echo "1">/proc/sys/net/ipv4/ip_forward