http://10.1.1.35/ule_exec/exec09_iptables.txt

Source: Internet
Author: User
Tags: ftp access
--

Iptables


--
1. Packet-filtering firewall
Filters at the network layer, mainly on the protocol, port, source address and destination address of each packet.

2. Proxy gateway
The intranet and the Internet are completely isolated: no direct TCP connection between them is allowed, and all traffic must pass through the proxy gateway.

3. Stateful inspection
TCP starts with a three-way handshake; ordinary web browsing, file downloads and sending and receiving email are all TCP.
A stateful inspection firewall not only filters packets but also tracks the connection state each packet belongs to.



Netfilter/iptables -- the full name of iptables. This component has been integrated into the kernel since 2.4.

-- Check the iptables modules (paths on a 2.6.18-164.el5 kernel):

ls /lib/modules/2.6.18-164.el5/kernel/net/netfilter/
ls /lib/modules/2.6.18-164.el5/kernel/net/ipv4/netfilter/

* Stateless packet filtering (IPv4 and IPv6)
* Stateful packet filtering (IPv4 and IPv6)
* All kinds of network address and port translation, e.g. NAT/napt (IPv4 only)
* Flexible and extensible infrastructure
* Multiple layers of API's for 3rd party extensions
* Large number of plugins/modules kept in the 'patch-o-matic' repository


Basic concepts of iptables


Four tables (and the chains in each table):

filter: packet filtering: INPUT OUTPUT FORWARD
nat: network address translation, which lets an intranet address block be translated to a public IP address so the intranet can reach the public network: PREROUTING POSTROUTING OUTPUT

mangle: used to mark packets: PREROUTING INPUT OUTPUT FORWARD POSTROUTING

raw: processing of raw packets: PREROUTING OUTPUT

iptables options
-A  append a rule (added at the end of the chain by default)
-D  delete a rule
-L  list rules
-n  show addresses and ports numerically
-I  insert a rule at the beginning of the chain
-v  show statistics (packet and byte counters)

-F  flush the rules
-Z  zero the counters
-X  delete the custom chains

-t  followed by the table name
-P  followed by the chain name: set its default policy
-p  followed by the protocol name
--dport  destination port
--sport  source port
-d  destination address
-s  source address
-i  inbound interface (the NIC the packet arrives on)
-o  outbound interface (the NIC the packet leaves by)
-j  target (what to do with a matching packet)

Target categories:

ACCEPT: accept the packet
DROP: discard the packet
REJECT: refuse the packet. The difference between REJECT and DROP is that REJECT returns an error message and DROP does not.
MASQUERADE: IP masquerading. The source address is rewritten to the Internet IP address through NAT; used for links such as PPP dial-up where the Internet IP address is not fixed.
SNAT: source address translation. The difference between SNAT and MASQUERADE is that SNAT is used when the outside address is fixed.
DNAT: destination address translation
LOG



Example 1: list rules

iptables -L -- the filter table is used by default
iptables -L -t filter

iptables -L -t nat
iptables -L -t mangle
iptables -L -t raw



Example 2: ping control

Disable ICMP
# iptables -t filter -A INPUT -p icmp -j DROP
-- With DROP, nothing is returned to the sender.

# iptables -t filter -A INPUT -p icmp -j REJECT
-- With REJECT, an error is returned to the sender.

Now allow 10.1.1.35 (for example, the administrator in a real environment) to ping with the ICMP protocol.

# iptables -t filter -A INPUT -s 10.1.1.35 -p icmp -j ACCEPT
-- This line allows .35; -s specifies the source address


Note, however, that after the rule above is written .35 still cannot ping. The rules form an access control list (ACL) and are matched from top to bottom: as soon as one rule matches, the packet is handled by that rule and no later rule is checked; only when no rule matches does the default policy apply. The REJECT rule added earlier sits above the ACCEPT rule, so it wins.
Therefore the correct method is to write the rule allowing 10.1.1.35 at the beginning.

Deletion methods:
Method 1:
# iptables -t filter -D INPUT -s 10.1.1.35 -p icmp -j ACCEPT
-- Write the rule exactly as it was added, replacing -A with -D
Method 2:
# iptables -L -n --line-numbers
# iptables -D INPUT 2
-- When there are many rules, or a rule is hard to retype, use --line-numbers (the abbreviation --line also works) to list the rule numbers and then delete by number.

Delete the rule and add it again in front of the REJECT rule.
# iptables -t filter -I INPUT -s 10.1.1.35 -p icmp -j ACCEPT
-- The -I parameter inserts at the beginning of the chain
Now 10.1.1.35 can ping and nobody else can.
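To make the first-match behaviour above concrete, here is an added example (not from the original page) that walks a chain written in iptables-save syntax the way the kernel does and prints the verdict; it compares exact -s addresses and -p protocols only, and the verdict/RULES_* names are mine:

```shell
#!/bin/sh
# Added example (not from the original page): a tiny first-match evaluator for
# rules in iptables-save syntax, to show why the admin ACCEPT has to sit above
# the ICMP REJECT. Only exact -s addresses and -p protocols are compared;
# the verdict/RULES_* names are mine.

# Constructed: the chain as it looks after appending with -A (REJECT first).
RULES_APPEND='-A INPUT -p icmp -j REJECT
-A INPUT -s 10.1.1.35 -p icmp -j ACCEPT'

# Constructed: the same chain after the fix, -I puts the ACCEPT at the top.
RULES_INSERT='-A INPUT -s 10.1.1.35 -p icmp -j ACCEPT
-A INPUT -p icmp -j REJECT'

# verdict RULES SRC PROTO POLICY: print the target of the first rule whose
# -s (if present) and -p (if present) both match; if none matches, print
# POLICY, the chain's default policy (-P).
verdict() {
  printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v policy="$4" '
    {
      s = ""; p = ""; j = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") s = $(i + 1)
        else if ($i == "-p") p = $(i + 1)
        else if ($i == "-j") j = $(i + 1)
      }
      # an absent -s or -p matches any source / any protocol, as in iptables
      if ((s == "" || s == src) && (p == "" || p == proto)) {
        print j; hit = 1; exit      # first match wins, later rules are skipped
      }
    }
    END { if (!hit) print policy }'
}

# Same packet (a ping from the administrator), two orderings:
verdict "$RULES_APPEND" 10.1.1.35 icmp ACCEPT   # REJECT: the ACCEPT never runs
verdict "$RULES_INSERT" 10.1.1.35 icmp ACCEPT   # ACCEPT
verdict "$RULES_INSERT" 10.1.1.209 icmp ACCEPT  # REJECT: everyone else
```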



Example 3: save and restore rules
# iptables-save > /etc/sysconfig/iptables -- save the current rules to this file; the file name can be anything you choose

# iptables -F
# iptables -X
# iptables -Z -- these three clear the filter table. To clear another table, add -t <table name> to each of them.

# iptables-restore < /etc/sysconfig/iptables -- restore the saved rules


Example 4: modify the default policy
# iptables -P INPUT DROP -- change the default policy of the INPUT chain to DROP. "DROP" can be changed to "ACCEPT".
# iptables -P OUTPUT DROP -- change the default policy of the OUTPUT chain to DROP



Example 5: allow SSH in and SSH out; reject everything else.
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP

The following two rules allow SSH into this host (clients connect to our port 22)
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
The following two rules allow SSH out from this host (we connect to port 22 elsewhere)
# iptables -A INPUT -p tcp --sport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT


Example 6:
On the basis of Example 5, allow pinging yourself (local loopback 127.0.0.1) and pinging from 10.1.1.35 (the administrator).
The following two rules let you ping yourself and the 127 loopback
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
The following two rules let the .35 machine ping this host
# iptables -A INPUT -p icmp -s 10.1.1.35 -j ACCEPT
# iptables -A OUTPUT -p icmp -d 10.1.1.35 -j ACCEPT


Example 7:
Additionally allow 10.1.1.0/24 to access the httpd service.
# iptables -A INPUT -s 10.1.1.0/24 -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -d 10.1.1.0/24 -p tcp --sport 80 -j ACCEPT


Example 8
On the basis of the above, allow others to use the DNS server on this host.
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT

In addition, allow this host to query other people's DNS servers (a domain configured to forward to another server also counts as querying someone else's DNS)
# iptables -A INPUT -p udp --sport 53 -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp --sport 53 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT




Example 9
On the basis of the above, allow sending and receiving email.
Others reach the mail services on this host (ports 25, 110, 143):
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -j ACCEPT

This host reaches mail services elsewhere:
iptables -A INPUT -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 143 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT



FTP
Active and passive modes
21: command (control) connection
20: data connection

Active mode: the server actively connects from its port 20 to a client port greater than 1024.
Passive mode: the client connects from a port greater than 1024 to a data port on the server that is also greater than 1024 (see the pasv port range below).


Use iptables to allow FTP access in active mode

The following two rules open the command port
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
-- Without these two rules the client cannot log in at all. With them the login succeeds, but an ls to list the shared files fails, because no rule has been set for port 20 yet.

# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
-- Active mode uses port 20 for the data connection the server opens, so these two rules complete active mode. Note: if you test with the Linux ftp command, after logging in run the "passive" command to turn passive mode off, then try again.

Passive mode

vim /etc/vsftpd.conf
Add
pasv_enable=YES
pasv_min_port=3000
pasv_max_port=3100 -- the lower and upper bounds of the port range can be chosen freely

/etc/init.d/vsftpd restart -- restart the service

The following two rules allow the passive port range configured above.
# iptables -A INPUT -p tcp --dport 3000:3100 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 3000:3100 -j ACCEPT


Finally, save
# iptables-save > /etc/sysconfig/iptables
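The host firewall that Examples 4 to 9 and the FTP section build up one command at a time can be assembled into a single file in the iptables-save format used above. This is an added example, not from the original page: the addresses, ports and passive range are the page's own, the helper names (serve, client, build_host_rules, count_rules) are mine.

```shell
#!/bin/sh
# Added example (not from the original page): assemble the host firewall from
# Examples 4 to 9 and the FTP section into iptables-restore format.
# Addresses and ports are the page's; the helper names are mine.
ADMIN=10.1.1.35        # administrator allowed to ping (Example 6)
LAN=10.1.1.0/24        # subnet allowed to reach httpd (Example 7)
PASV=3000:3100         # vsftpd pasv_min_port:pasv_max_port (FTP section)

# serve PROTO PORT: others reach a service on this host (their SYN hits our dport)
serve() {
  echo "-A INPUT -p $1 --dport $2 -j ACCEPT"
  echo "-A OUTPUT -p $1 --sport $2 -j ACCEPT"
}
# client PROTO PORT: this host reaches a service elsewhere (replies carry sport)
client() {
  echo "-A INPUT -p $1 --sport $2 -j ACCEPT"
  echo "-A OUTPUT -p $1 --dport $2 -j ACCEPT"
}

build_host_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'        # Example 4: default policy DROP
  echo ':FORWARD ACCEPT [0:0]'    # the page leaves FORWARD untouched
  echo ':OUTPUT DROP [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'             # Example 6: loopback
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo "-A INPUT -s $ADMIN -p icmp -j ACCEPT" # Example 6: admin may ping us
  echo "-A OUTPUT -d $ADMIN -p icmp -j ACCEPT"
  serve tcp 22;  client tcp 22                # Example 5: SSH in and out
  echo "-A INPUT -s $LAN -p tcp --dport 80 -j ACCEPT"   # Example 7: httpd
  echo "-A OUTPUT -d $LAN -p tcp --sport 80 -j ACCEPT"
  for p in udp tcp; do serve $p 53; client $p 53; done  # Example 8: DNS
  for port in 25 110 143; do serve tcp $port; client tcp $port; done  # Ex. 9
  serve tcp 21; serve tcp 20; serve tcp "$PASV"         # FTP ctl, active, pasv
  echo 'COMMIT'
}

# Number of -A rule lines the generated file carries (36 for this policy).
count_rules() { build_host_rules | grep -c '^-A'; }

# To install it the way the page does (needs root):
# build_host_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```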
----------------------------------------------------------------

Some special forms
Port ranges and port lists
iptables -A INPUT -p tcp --dport 1:1000 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80,110 -j ACCEPT

Hardware (MAC) address
iptables -A INPUT -m mac --mac-source 00:23:cd:95:da:0b -p tcp --dport 80 -j ACCEPT
-- --dport only exists for the tcp/udp matches, so -p all cannot be combined with it; the protocol must be given.



----------------------------------------------------------------


Prepare two VMs for the experiment; with the physical host acting as gateway there are three machines in total.

VM1                        gateway                         VM2
eth0                       vmnet1             eth0         eth0
172.16.234.129  -->  172.16.234.1  route  10.1.1.35  -->  10.1.1.209
VM1's gateway points to 172.16.234.1; VM2's gateway points to 10.1.1.35.

Give the gateway the routing function

echo "1" > /proc/sys/net/ipv4/ip_forward -- takes effect immediately, but only until reboot

vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

sysctl -p -- run this after the change so it takes effect permanently


Once routing is enabled and each VM's gateway points to the physical gateway machine, the two machines on the two network segments can ping each other.



Example 1:

Restricting intranet VM1 on the FORWARD chain
# iptables -A FORWARD -p icmp -j REJECT

# iptables -A FORWARD -d station209.cluster.com -p tcp --dport 80 -j REJECT

# iptables -A FORWARD -s 172.16.234.129 -p tcp --dport 80 -j REJECT



Example 2:
SNAT, source address translation

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.1.1.35

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Example 3:
DNAT, destination address translation

# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 172.16.234.129
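The gateway side of the experiment (the FORWARD restrictions of Example 1, the SNAT-or-MASQUERADE choice of Example 2, the DNAT of Example 3) written as one iptables-restore file, as an added example that is not from the original page; the addresses and eth0 are the page's, the build_gateway_rules/snat_target names and the FIXED_IP switch are mine.

```shell
#!/bin/sh
# Added example (not from the original page): the gateway's nat and filter
# tables for the routing experiment in iptables-restore form. The function
# names and the FIXED_IP argument are mine; addresses and interface are the page's.
INTRANET_VM=172.16.234.129   # VM1 behind the gateway
WAN_IF=eth0                  # gateway interface towards 10.1.1.0/24
WAN_IP=10.1.1.35             # the gateway's own address on that side

# build_gateway_rules FIXED_IP: "yes" uses SNAT --to-source (outside address is
# fixed); anything else uses MASQUERADE (address may change, e.g. PPP dial-up).
# That is exactly the distinction the page draws between the two targets.
build_gateway_rules() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Example 3: the page's rule has no -d or port match, so everything
  # entering eth0 is rewritten to VM1
  echo "-A PREROUTING -i $WAN_IF -j DNAT --to-destination $INTRANET_VM"
  if [ "$1" = yes ]; then
    echo "-A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP"
  else
    echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
  fi
  echo 'COMMIT'
  echo '*filter'
  echo ':FORWARD ACCEPT [0:0]'
  # Example 1: nothing may ping through the gateway, VM1 may not reach port 80
  echo '-A FORWARD -p icmp -j REJECT'
  echo "-A FORWARD -s $INTRANET_VM -p tcp --dport 80 -j REJECT"
  echo 'COMMIT'
}

# The nat table does nothing unless forwarding is on (net.ipv4.ip_forward = 1).
forwarding_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]; }

# snat_target FIXED_IP: the target chosen for the POSTROUTING rule (6th field)
snat_target() { build_gateway_rules "$1" | awk '/POSTROUTING -o/ { print $6 }'; }
```

Load it on the gateway with `build_gateway_rules yes | iptables-restore` (root required), after enabling forwarding as shown above.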
