Instructions on iptables

Source: Internet
Author: User
Summary: this page covers where the iptables configuration file lives (/etc/sysconfig/iptables), the command syntax iptables [-t table] command [match] [-j target/jump], the three built-in rule tables (nat, mangle and filter, with filter assumed when no table is given), the common commands, and the common packet-matching parameters.

Location of the iptables configuration file: /etc/sysconfig/iptables

iptables command

Syntax:
iptables [-t table] command [match] [-j target/jump]
The -t parameter specifies the rule table. There are three built-in rule tables: nat, mangle, and filter. If no rule table is specified, the filter table is assumed.
The rule tables have the following functions:

nat

This rule table has two rule chains: PREROUTING and POSTROUTING. Its main purpose is one-to-one, one-to-many and many-to-many network address translation (SNAT and DNAT). Because of how translation works, a packet whose destination address is translated does not need its source address translated, and vice versa; so, to keep the packet-rewriting rate high, each packet traverses this rule table only once while the firewall is running. If packet-filtering rules were defined in this table, the same packet could not be compared against them more than once. Therefore, use this rule table for address translation only and do not use it for anything else.

mangle

This rule table has three rule chains: PREROUTING, FORWARD, and POSTROUTING.
Besides the packet modification done for address translation, some special applications need to rewrite packet fields (TTL, TOS) or set a MARK on packets (mark the packet with a number); that work must be defined in the mangle rule table. Because it is rarely needed, the mangle table is not discussed further here.

filter

The filter rule table is the default rule table and has three rule chains: INPUT, FORWARD, and OUTPUT. As its name suggests, it is used to filter packets (for example DROP, LOG, ACCEPT, or REJECT); the basic rules are created in this rule table.

List of common commands:

Command -A, --append
Example: iptables -A INPUT ...
Appends a new rule to a rule chain; it becomes the last rule in that chain.

Command -D, --delete
Example: iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 1
Deletes a rule from a rule chain. You can either enter the complete rule or specify the rule number directly.

Command -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Replaces the rule at the given position; the order of the rules is not changed by the replacement.

Command -I, --insert
Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Inserts a rule at the given position; the rule previously at that position moves down by one.

Command -L, --list
Example: iptables -L INPUT
Lists all rules in a rule chain.

Command -F, --flush
Example: iptables -F INPUT
Deletes all rules in a rule chain.

Command -Z, --zero
Example: iptables -Z INPUT
Resets the packet counters to zero. The packet counters record how many packets have matched each rule, which makes them an indispensable tool when filtering denial-of-service attacks.

Command -N, --new-chain
Example: iptables -N allowed
Defines a new rule chain.

Command -X, --delete-chain
Example: iptables -X allowed
Deletes a rule chain.

Command -P, --policy
Example: iptables -P INPUT DROP
Sets the default policy of a chain, that is, how packets that match none of the filtering rules are handled.

Command -E, --rename-chain
Example: iptables -E allowed disallowed
Renames a custom rule chain.

Common packet-matching parameters:

Parameter -p, --protocol
Example: iptables -A INPUT -p tcp
Matches the protocol type of the packet. The ! operator negates the match; for example, -p ! tcp matches every protocol other than tcp, including udp, icmp and so on (newer iptables versions write the negation before the option: ! -p tcp). To match all protocols, use the keyword all, for example -p all.

Parameter -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Matches the source IP address of the packet; it can be a single host or a network. For a network, add the mask length, for example -s 192.168.0.0/24. The ! operator negates the match, for example -s ! 192.168.0.0/24.

Parameter -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Matches the destination IP address of the packet. The setting method is the same as above.

Parameter -i, --in-interface
Example: iptables -A INPUT -i eth0
Matches the network interface on which the packet arrived. The wildcard + matches a whole group of interfaces, for example -i eth+ matches all Ethernet interfaces. The ! operator negates the match, for example -i ! eth0.

Parameter -o, --out-interface
Example: iptables -A FORWARD -o eth0
Matches the network interface through which the packet will be sent.

Parameter --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Matches the source port number of the packet; either a single port or a range, for example --sport 22:80 matches ports 22 through 80. To match several non-consecutive ports, use the --multiport match described below. The ! operator negates the port match.

Parameter --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Matches the destination port number of the packet. The setting method is the same as above.

Parameter --tcp-flags
Example: iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Matches the status flags of a TCP packet. The argument has two parts: the first lists the flags to examine, the second lists which of those flags must be set; the examined flags not listed in the second part must be clear. The TCP flags that can be used are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push). The keywords ALL and NONE can also be used. The ! operator negates the flag match.

Parameter --syn
Example: iptables -A INPUT -p tcp --syn
Matches TCP packets that request a new connection. It works exactly like iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator it matches packets that are not connection requests.

Parameter -m multiport --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,110
Matches several non-consecutive source ports; up to 15 ports can be given at a time. The ! operator negates the match.

Parameter -m multiport --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,110
Matches several non-consecutive destination ports. The setting method is the same as above.

Parameter -m multiport --port
Example: iptables -A INPUT -p tcp -m multiport --port 80,110
This parameter is special: it matches packets whose source port and destination port are the same. The setting method is the same as above. Note: in this example, a packet with source port 80 and destination port 110 does not match.

Parameter --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Matches the ICMP type; you can give either the type name or its number. Run iptables -p icmp --help to see which names are available.

Parameter -m limit --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Matches the average rate of packets over a period of time. The example above matches an average of up to three packets per hour. Besides per hour, the rate can be given per second, per minute or per day, using /second, /minute or /day; the default unit is per hour. Beyond counting packets, this match stops matching once the limit is reached, which keeps a flood attack from disrupting the service.

Parameter --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Matches the number of packets that may arrive in a single burst. The example above checks whether a burst exceeds 5 packets (5 is the default value); packets beyond this limit are discarded directly. It is used together with --limit, above.

Parameter -m mac --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Matches the hardware (MAC) address of the network interface the packet came from. This parameter cannot be used in the OUTPUT and POSTROUTING chains, because the packet first has to be handed to the network interface, and only then does the NIC driver resolve the destination MAC address through ARP. At the point where iptables sees the packet, the MAC address of the outgoing interface is therefore not yet known.

Parameter --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Matches whether a packet carries the given mark number. When a packet matches a rule, the MARK target can stamp a number on it; the number cannot exceed 4294967296.

Parameter -m owner --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Matches whether a packet generated on the local machine was produced by a specific user. This can prevent the server from sending sensitive data as root or another identity, and so limits the damage to the system. Unfortunately, this match cannot be applied to packets from other hosts.

Parameter -m owner --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Matches whether a packet generated on the local machine was produced by a specific user group. The usage is the same as above.

Parameter -m owner --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Matches whether a packet generated on the local machine was produced by a specific process.

Parameter -m owner --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Matches whether a packet generated on the local machine belongs to a specific session (session ID).

Parameter -m state --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Matches the connection state. There are four connection states: INVALID, ESTABLISHED, NEW, and RELATED.

INVALID means the packet's connection cannot be identified, or the connection is in an incorrect state.
ESTABLISHED means the packet belongs to an already established connection.
NEW means the packet wants to start a new connection (or reset or redirect a connection).
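The script below is an added example, not code from the original page: it ties the commands (-F, -X, -Z, -P, -N, -A, -I) and the matches (-m state, --syn, -m limit, -m multiport, --icmp-type, -s) described above into a small stateful INPUT policy. The subnet and ports are assumed values; by default IPT is set to a dry run that only prints each command, and running it as root with IPT=iptables applies the rules for real.

```shell
#!/bin/sh
# Added example, not from the original page. IPT defaults to a dry run that only
# prints each iptables command; run as root with IPT=iptables to apply it.
# The subnet and ports below are assumed values for the illustration.
IPT="${IPT:-echo iptables}"
LAN_NET="192.168.0.0/24"

flush_filter() {
    # Empty the filter table: -F removes rules, -X removes custom chains,
    # -Z resets the packet counters.
    $IPT -F
    $IPT -X
    $IPT -Z
}

apply_rules() {
    flush_filter
    # Default policies (-P): drop whatever no rule accepts, allow outbound.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Custom chain (-N) for the services this host exposes.
    $IPT -N allowed
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we opened, plus related traffic such as ICMP errors.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Only connection requests (--syn) in state NEW reach the service chain.
    $IPT -A INPUT -p tcp --syn -m state --state NEW -j allowed
    # Echo requests (ICMP type 8) limited to 3 per second with a burst of 5.
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/second --limit-burst 5 -j ACCEPT
    # Service chain: SSH from the LAN only; HTTP and HTTPS via multiport.
    $IPT -A allowed -p tcp --dport 22 -s "$LAN_NET" -j ACCEPT
    $IPT -A allowed -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Rate-limited LOG, then DROP everything else that reached this chain.
    $IPT -A allowed -m limit --limit 3/minute -j LOG --log-prefix "iptables-rejected: "
    $IPT -A allowed -j DROP
}

# Insert (-I) a rule at position 1 so it is checked before the state rule:
# blocks a single source address, e.g. one flagged by the packet counters.
block_host() {
    $IPT -I INPUT 1 -s "$1" -j DROP
}

apply_rules
```

Once applied, `iptables -L -n -v` shows the chains with their packet counters, and on RHEL-type systems `iptables-save > /etc/sysconfig/iptables` writes the running rule set into the configuration file named at the top of the page.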
