Article Title: Using Linux iptables for proxy server and firewall configuration (1)
Proxy/Firewall
1. iptables rule tables
filter (packet filtering): INPUT, FORWARD, OUTPUT
nat (address translation): PREROUTING, POSTROUTING, OUTPUT (the nat table gained an INPUT chain only in kernel 2.6.34, long after the iptables version used here)
mangle (packet alteration and policy routing): PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING (kernels before 2.4.18 had only PREROUTING and OUTPUT in mangle)
2. Installation Package
iptables-1.2.7a-2
3. Configure the firewall
1) Command syntax
Usage: iptables [-t table] -[ADC] chain rule-specification [options]
       iptables [-t table] -I chain [rulenum] rule-specification [options]
       iptables [-t table] -R chain rulenum rule-specification [options]
       iptables [-t table] -D chain rulenum [options]
       iptables [-t table] -[LFZ] [chain] [options]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target [options]
       iptables [-t table] -E old-chain-name new-chain-name
If -t table is omitted, the filter table is used.
Rule operation parameters:
-A: append one or more rules to the end of the selected chain;
-D: delete one or more rules from the selected chain. Two forms exist: give the rule number within the chain (the first rule is number 1), or give the rule specification to match;
-R: replace a rule in the selected chain. If the source or destination name resolves to more than one address, the command fails. Rule numbers start at 1;
-I: insert one or more rules into the selected chain at the given rule number. Rule number 1 inserts at the head of the chain, and that is the default when no rule number is given;
-L: list all rules of the selected chain. If no chain is selected, all chains are listed. It may be combined with -Z, in which case each chain is listed and its counters zeroed atomically;
-F: flush the selected chain. This is equivalent to deleting all of its rules one by one;
-Z: zero the packet and byte counters of all chains;
-N: create a new user-defined chain with the given name. No chain of that name may already exist;
-X: delete the specified user-defined chain. The chain must not be referenced by any rule; if it is, delete or replace the referencing rules first. With no argument, every user-defined (non-built-in) chain is deleted;
-P: set the policy of a built-in chain, that is, the target applied to packets that match none of its rules. User-defined chains have no policy;
-E: rename the specified chain to the new name given;
Description of rule definition parameters:
-p [!] protocol:
The protocol of the rule or of the packet to check. The protocol can be tcp, udp, icmp or all, a number representing one of these protocols, or a protocol name defined in /etc/protocols. A "!" before the protocol inverts the match. The number 0 is equivalent to all. Protocol all matches every protocol and is the default when this option is omitted; all cannot be combined with the check (-C) command;
-s [!] address[/mask]:
Specifies the source address. The address can be a host name, a network name, or a plain IP address. The mask can be a network mask or a plain number giving the count of "1" bits on the left of the netmask, so /24 and /255.255.255.0 are equivalent. A "!" before the address inverts the match. --src is an alias for this option;
-d [!] address[/mask]:
Specifies the destination address. See the description of -s for the syntax. --dst is an alias for this option;
-j target:
Specifies the target of the rule: what to do with a packet that matches. The target can be ACCEPT (let through), DROP (discard), RETURN (return to the calling chain), REDIRECT (redirect to a local port), SNAT (source address translation), DNAT (destination address translation), MASQUERADE (masquerade behind a dynamic address), or a user-defined chain. REDIRECT, SNAT, DNAT and MASQUERADE are valid only in the nat table (REDIRECT and DNAT in PREROUTING and OUTPUT, SNAT and MASQUERADE in POSTROUTING). If this option is omitted, a match has no effect on the packet, but the rule's counters still increase;
-i [!] [name]:
The name of the interface on which the packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). A "!" before the interface name inverts the match. If "+" is appended to the name, every interface whose name begins with that string matches. If this option is omitted it is assumed to be "+", so any interface matches;
-o [!] [name]:
The name of the interface through which the packet will be sent (only for packets entering the FORWARD, OUTPUT and POSTROUTING chains). Everything else is the same as for -i.