The previous post explained some of the basic concepts behind iptables. Here is a brief recap.
The Linux firewall consists of two parts: netfilter, which lives in kernel space and actually inspects packets, and iptables, the user-space tool used to manage the rules.
iptables organizes rules into four tables:
filter: the core of the firewall, where packets are accepted or dropped
nat: network address translation (SNAT, DNAT, masquerading)
mangle: packet modification, for example rewriting the TTL or setting marks
raw: rarely used; it is consulted before connection tracking, so it is mainly used to exempt packets from tracking (NOTRACK)
Priority order when a packet traverses the same hook: raw, then mangle, then nat, then filter.
Rules defined with iptables are handed to netfilter in the kernel, where they take effect immediately.
There are generally two ways to define a firewall policy. The stricter one (default deny) only lets through packets that are explicitly allowed and blocks everything else. The looser one (default allow) only blocks packets that are explicitly forbidden and lets everything else through. In enterprise environments the first is generally used: the default policy drops, and the packets the business needs are released rule by rule.
General form of an iptables rule command (see the man page for the full syntax):
iptables [-t table] sub_command CHAIN [num] [criteria] [-j action]
-t table:
The table to operate on. If not specified it defaults to filter; mangle, nat or raw can also be given.
sub_command:
Rule operations
-A (append): append a rule to the end of the chain
-I (insert): insert a rule at a given position, e.g. -I INPUT 3 inserts as rule 3 of INPUT (the position defaults to 1)
-D (delete): delete a rule, either by repeating its match criteria or by its number, e.g. -D OUTPUT 8
-R (replace): replace the rule at a given position, e.g. -R FORWARD 6
Chain operations
-F (flush): empty a chain (or every chain in the table if no chain is given)
-N (new): add a new user-defined chain
-X: delete a user-defined chain; it must be empty and not referenced by any rule
-Z: zero the counters
About counters: each rule (and each chain) has two counters:
1: the number of packets that matched the rule
2: the total number of bytes of the packets that matched the rule
-E: rename a user-defined chain
Policy
-P CHAIN {ACCEPT|DROP}: set the default policy of a built-in chain, i.e. what happens to packets that match no rule
Example:
Set the default policy of the INPUT chain to DROP:
iptables -t filter -P INPUT DROP
View
-L: list the defined rules
-n: do not resolve IP addresses and ports to host and service names, which speeds up listing considerably
-v: more information; adding more v's (-vv, -vvv) gives more detail
-x: show exact packet and byte counts instead of rounded values such as 1K or 2M
--line-numbers: show the position of each rule in its chain, which is what -I, -D and -R take as num
Match criteria:
Generic matches (available for every protocol):
-s ip/network: source address
-d ip/network: destination address
-p {tcp|udp|icmp}: protocol
-i input_interface: the interface the packet arrived on (INPUT, FORWARD and PREROUTING only)
-o output_interface: the interface the packet leaves through (OUTPUT, FORWARD and POSTROUTING only)
Example
Forbid the 192.168.1.0/24 network segment from pinging the host 192.168.2.1:
iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.2.1 -p icmp -j DROP
Extended matches
Implicit extensions: extra matches that become available automatically for the protocol given with -p:
-p {tcp|udp|icmp}
--sport portnum: source port (tcp and udp)
--dport portnum: destination port (tcp and udp)
--tcp-flags mask comp: TCP flag bits, e.g. --tcp-flags SYN,ACK,FIN,RST SYN matches packets with only SYN set out of those four
--icmp-type type: ICMP message type (icmp only)
Extending the example above:
iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.2.1 -p icmp --icmp-type 8 -j DROP
This explicitly drops ICMP echo-request packets from the 192.168.1.0/24 segment: type 8 is echo-request, type 0 is echo-reply. Blocking only type 8 means the host cannot be pinged from that segment but can still receive replies to pings it sends itself.
Example
Deny the host 192.168.2.1 access to the local web service:
iptables -t filter -A INPUT -s 192.168.2.1 -p tcp --dport 80 -j DROP
iptables -t filter -A INPUT -s 192.168.2.1 -p tcp --dport 443 -j DROP
The same rule can be written in several ways; it could also go in the OUTPUT chain, but that is less efficient than INPUT, because the request has then already been delivered to the web server and only the reply is dropped. Written on OUTPUT it would be:
iptables -t filter -A OUTPUT -d 192.168.2.1 -p tcp --sport 80 -j DROP
iptables -t filter -A OUTPUT -d 192.168.2.1 -p tcp --sport 443 -j DROP
Write the rule according to the specific need, after analysing which direction the packet travels and therefore which chain sees it first.
Explicit extensions: loaded with -m module (covered in the next post).
-j TARGET: what to do with a matching packet. The three common targets are:
ACCEPT: let the packet through
DROP: discard the packet silently; the sender gets no response
REJECT: discard the packet and send an error back (an ICMP port-unreachable by default, or a TCP reset with --reject-with tcp-reset)
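Putting the pieces above together, here is an added example (written for this recap, not code from the original post) of a default-deny ruleset for the filter table. It assumes a hypothetical host 192.168.2.1 serving HTTP/HTTPS, administered over SSH from 192.168.2.0/24, which must not be pingable from 192.168.1.0/24. The rule that allows return traffic uses the conntrack explicit extension (-m conntrack), which belongs to the next post but is needed so that the host's own outbound connections keep working once the INPUT policy is DROP.

```shell
#!/bin/sh
# Added example: a whitelist-style ("default deny") ruleset built from the
# commands in this post. Host, networks and ports are hypothetical.
#   ./fw.sh show    -> print the rules without touching the kernel
#   ./fw.sh apply   -> apply them (needs root); DRY_RUN=1 prints instead
IPTABLES="${IPTABLES:-iptables}"
HOST_IP="192.168.2.1"            # the protected host (assumption)
ADMIN_NET="192.168.2.0/24"       # where SSH is allowed from (assumption)
BLOCKED_PING_NET="192.168.1.0/24" # must not be able to ping the host

# Emit one iptables invocation per line, in the order they must be applied.
# Order matters twice: within the chain the first matching rule wins, so the
# ICMP DROP for the blocked segment comes before the general ICMP ACCEPT;
# and the INPUT policy is switched to DROP only after the ACCEPT rules are
# in place, otherwise an admin applying this over SSH locks himself out.
build_rules() {
    cat <<EOF
$IPTABLES -t filter -F INPUT
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
$IPTABLES -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A INPUT -s $BLOCKED_PING_NET -d $HOST_IP -p icmp --icmp-type 8 -j DROP
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -t filter -A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P INPUT DROP
EOF
}

# Run the rules one by one; stop at the first failure so a half-applied
# ruleset is noticed instead of silently leaving a hole.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

After applying, check the result with `iptables -t filter -vnL INPUT --line-numbers`: the line numbers are what -I, -D and -R take as a position, and the packet/byte counters (exact values with -x, reset with -Z) show which rules are actually matching, which is the quickest way to see that the ICMP DROP precedes the ICMP ACCEPT as intended.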
That covers the basic usage; the next post will look specifically at the explicit extensions.