How to write the underlying rules for iptables

Source: Internet
Author: User
Tags: filter, web services, iptables, firewall

The previous post covered the basics of iptables. Here is a brief recap.

The Linux firewall consists of two parts: netfilter in kernel space and iptables in user space.

iptables rules belong to one of four tables:

filter: the core of the firewall (packet filtering)

nat: address translation

mangle: packet modification, such as rewriting the TTL

raw: seldom used; not explained further here

Priority order: raw > mangle > nat > filter

Rules defined with iptables are handed to netfilter in the kernel, where they take effect.

There are generally two ways to define firewall rules. The stricter one allows only the packets that are explicitly permitted and blocks everything else; the looser one blocks only the packets that are explicitly forbidden and lets everything else through. Enterprises generally use the first approach, opening only the packets the business needs.

General form of an iptables rule (see the man page for the exact syntax):

iptables [-t table] sub_command CHAIN [num] [criteria] [-j action]

-t table:

Defaults to filter if not specified; mangle, nat or raw can also be given

sub_command:

Rule

-A (append): append a rule to the end of a chain

-I (insert): insert a rule at a position, e.g. -I INPUT 3

-D (delete): delete a rule, given either its match criteria or its number, e.g. -D OUTPUT 8

-R (replace): replace the rule at a position, e.g. -R FORWARD 6

Chain

-F (flush): empty a chain

-N (new): add a new user-defined chain

-X: delete a user-defined chain (it must be empty)

-Z: zero the counters

About counters: each rule has two counters

1: the number of packets matched by this rule

2: the total size in bytes of the packets matched by this rule

-E: rename a chain

Policy

-P CHAIN {ACCEPT|DROP}

Example:

Change the default policy of the INPUT chain to DROP

iptables -t filter -P INPUT DROP

View

-L: list the defined rules


-n: numeric output; IP addresses are not reverse-resolved to host names, which makes listing faster

-v: verbose output; adding more v's (-vv, -vvv) gives more detail

-x: exact packet and byte counts instead of rounded values

--line-numbers: show the number of each rule in the chain

Match criteria:

Generic matches:

-s ip/network: source address

-d ip/network: destination address

-p {tcp|udp|icmp}: protocol

-i interface: the interface the packet arrives on

-o interface: the interface the packet leaves through

Example

Prevent the 192.168.1.0/24 network segment from pinging host 192.168.2.1

iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.2.1 -p icmp -j DROP

Extended matches

Implicit extensions: extensions of the protocol given with the -p option

-p {tcp|udp|icmp}

--sport portnum: source port

--dport portnum: destination port

--tcp-flags: TCP flag bits

--icmp-type: ICMP packet type

Extending the example above

iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.2.1 -p icmp --icmp-type 8 -j DROP

Here only the ICMP echo-request packets from the 192.168.1.0/24 segment are rejected: ICMP type 8 is echo-request, type 0 is echo-reply.

Example

Deny host 192.168.2.1 access to the local web service

iptables -t filter -A INPUT -s 192.168.2.1 -p tcp --dport 80 -j DROP

iptables -t filter -A INPUT -s 192.168.2.1 -p tcp --dport 443 -j DROP

The rule can be written in several ways; it could also go on the OUTPUT chain, but that is less efficient than INPUT, because the request is then processed before the reply is dropped. Written on OUTPUT it would be

iptables -t filter -A OUTPUT -d 192.168.2.1 -p tcp --sport 80 -j DROP

iptables -t filter -A OUTPUT -d 192.168.2.1 -p tcp --sport 443 -j DROP

Write the rule according to the specific need, after analysing which direction the packet travels.

Explicit extensions: loaded with -m (described in the next chapter)

-j TARGET: the action to take; the three common ones are

ACCEPT

DROP

REJECT
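As an added example, not code from the original post, the strict ruleset the post describes (default DROP on INPUT, explicit ACCEPTs, matching on the INPUT chain) assembled into one reviewable script; the `ipt` wrapper, the `DRY_RUN` switch and the loopback rule are assumptions, while the addresses and ports are the post's own samples.

```shell
#!/bin/sh
# Added example, not part of the original post: the "strict" ruleset the post
# describes (default DROP on INPUT, explicit ACCEPTs), using the post's own
# sample addresses. Rule order matters: iptables stops at the first match, so
# the per-host DROP has to come before the general port ACCEPTs.
set -eu

IPT=${IPT:-iptables}     # firewall binary (assumed to be in PATH)
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands, 0 = apply them (needs root)

# Every rule passes through this wrapper so the whole set can be reviewed
# as plain text before it touches a live firewall.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Build the ruleset for a web server, matching on INPUT (the direction the
# packets arrive from), as the post recommends over matching on OUTPUT.
apply_strict_ruleset() {
    ipt -t filter -F INPUT                     # start from an empty chain
    ipt -t filter -Z INPUT                     # reset packet/byte counters
    ipt -t filter -P INPUT DROP                # strict mode: drop unless allowed
    ipt -t filter -A INPUT -i lo -j ACCEPT     # local processes talk to themselves
    # Host singled out by the post: blocked from the web service. Must precede
    # the ACCEPTs below or it would never be reached.
    ipt -t filter -A INPUT -s 192.168.2.1 -p tcp --dport 80 -j DROP
    ipt -t filter -A INPUT -s 192.168.2.1 -p tcp --dport 443 -j DROP
    # Web service open to everyone else
    ipt -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    # Ping (ICMP type 8, echo-request) allowed except from 192.168.1.0/24
    ipt -t filter -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type 8 -j DROP
    ipt -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
}

# Position (1-based line) of the first rule containing the given text, used to
# check that a DROP is ordered before the ACCEPT it must shadow.
rule_line() {
    apply_strict_ruleset | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

apply_strict_ruleset
```

Run it as-is to print the rules for review, and with DRY_RUN=0 as root to apply them; on a remote host add an ACCEPT for your own management traffic before the DROP policy takes effect.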

That covers the basic usage; the next post will deal specifically with the explicit extensions.
