Introduction to iptables inbound and outbound rules, with NAT examples
-------------- This article is a summary of my work notes. The ones that suit you can be used directly; if not, modify them as appropriate! ---------------
iptables uses ACCEPT as its default policy, also called a pass policy: everything is allowed and you write rules to block what you do not want. The alternative is a blocking policy (default DROP), where you write rules to enable only what is needed. (I prefer the blocking policy: whatever I need, I open explicitly. The examples below are based on this.)
iptables terminology:
Four tables and five chains. Tables: filter, nat, mangle and raw. Chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.
INPUT chain - processes packets arriving from outside that are addressed to the local machine.
OUTPUT chain - processes packets sent out by the local machine.
FORWARD chain - processes packets that pass through the local machine from one network interface to another (not addressed to the machine itself).
PREROUTING chain - processes packets that have just arrived at the local machine, before the routing decision. It rewrites the destination IP address of the packet and is normally used for DNAT (destination NAT). (For NAT of routed traffic to work, forwarding must be enabled in the kernel: net.ipv4.ip_forward = 1.)
POSTROUTING chain - processes packets that are about to leave the local machine, after the routing decision. It rewrites the source IP address of the packet and is normally used for SNAT (source NAT).
OUTPUT chain (in the nat table) - processes packets generated by the local machine itself, before routing.
Clear all existing rules and user-defined chains before building the new rule set:
iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X
Open SSH port 22:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   (allow external access to port 22 of the local machine)
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT  (allow the replies from local port 22 to go out)
For example, a complete SSH port restriction (meaning: SSH access via eth0 from 192.168.16.0/24 is not limited; every other source address is limited to at most five SSH connections per IP, counted over the NEW and ESTABLISHED states, and anything beyond that is rejected):
iptables -A INPUT -i eth0 ! -s 192.168.16.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -m connlimit --connlimit-above 5 -j REJECT
----
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT  (allow the local machine to ssh to port 22 of other servers)
iptables -A INPUT -p tcp --sport 22 -j ACCEPT   (allow the replies from those servers back in)
Set the default policy to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
At this point do not run service iptables save yet. First use a client to ssh to the server and check whether it can connect. If it cannot, you can at least restart the system: rules that have not been saved do not survive a restart. If they had been saved and the cause cannot be found, it would be a lot of trouble!
Once we confirm that SSH still works, we can continue with the following steps!
Open the loopback interface, needed for local access such as connecting to the database on the same machine:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Enable ping on the server. I think this is necessary so the server's status can be checked.
iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT   (these two rules allow the local machine to ping Internet IP addresses; by address only, pinging a domain name also needs DNS, see below; type 8 is an ICMP echo request and type 0 is an ICMP echo reply)
iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
----
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT   (these two rules allow external hosts to ping the local machine)
iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
Allow the local machine to ping external domain names (DNS resolution over UDP port 53):
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
Allow external access to the web service on port 80 of the local machine, accepting only new and already established sessions (state tracking):
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow external access to several local ports at once (8080, 8081 and 8082). Inbound, new, established and related sessions are accepted; outbound, only established ones:
iptables -A INPUT -p tcp -m multiport --dports 8080,8081,8082 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 8080,8081,8082 -m state --state ESTABLISHED -j ACCEPT
Allow external access to port 81 of the local machine with a rate limit: at first up to 200 matches are accepted at once (the burst); after that, only two new ones per second are admitted, and anything beyond that is not accepted by this rule and falls to the default policy (this can blunt some flooding attacks). Note that the limit match counts every matching packet, not connections, so all inbound packets to port 81 count against it.
iptables -A INPUT -p tcp --dport 81 -m limit --limit 2/s --limit-burst 200 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 81 -j ACCEPT
Limit every IP address other than 192.168.16.99 to 50 concurrent connections (in effect granting yourself a privilege ^_^):
iptables -A FORWARD -p tcp ! -s 192.168.16.99 -m connlimit --connlimit-above 50 -j REJECT
TCP match extension --tcp-flags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK,RST SYN   (the SYN, FIN, ACK and RST bits are examined; the packet matches only if SYN alone is set among them)
iptables -A INPUT -p tcp --syn   (matching the SYN flag can also be written this way; --syn is shorthand for --tcp-flags SYN,RST,ACK SYN)
Examples:
// Nmap Xmas scan
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP   (examine all flags; drop packets with exactly FIN, URG and PSH set)
// Nmap scan packets with SYN, RST, ACK, FIN and URG all set
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP   (examine all flags; drop packets with exactly SYN, RST, ACK, FIN and URG set)
// Null scan
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP   (examine all flags; drop packets with no flag set at all)
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   (examine the SYN and RST bits; drop packets with both set. SYN opens a connection and RST resets it, so such a packet is malformed)
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   (examine the SYN and FIN bits; drop packets with both set. SYN opens a connection and FIN closes it, so such a packet is malformed)
SNAT and DNAT
SNAT:
To let all addresses in the 192.168.10.0/24 segment reach the Internet through eth0 (123.123.123.123) of the Linux server:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 123.123.123.123
DNAT:
Gateway: eth0 123.123.123.123, eth1 192.168.10.1. Intranet host: 192.168.10.10
To redirect access to port 80 of 123.123.123.123 automatically to port 80 of 192.168.10.10:
iptables -t nat -A PREROUTING -p tcp -d 123.123.123.123 --dport 80 -j DNAT --to-destination 192.168.10.10:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.10.10 --dport 80 -j SNAT --to-source 192.168.10.1   (NAT applied on the intranet side, so the host's replies return through the gateway)
Rule 1: rewrites the destination address of the external packet to the specified port of the intranet host.
Rule 2: rewrites the source address of the external packet to the gateway's intranet address before it is forwarded.
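The DNAT/SNAT pair above as an added example (not from the original notes): the nat table is written as an iptables-restore file, together with the FORWARD rules the forwarded flows need when the filter policy is DROP, and a check of the net.ipv4.ip_forward setting mentioned earlier. The addresses are the placeholder values from the notes; the interface names eth0/eth1 are assumed.

```bash
#!/bin/bash
# Added example: the DNAT/SNAT pair from the notes as an iptables-restore nat table plus
# the FORWARD rules it needs. Addresses are the placeholder values used in the notes.
GW_PUBLIC="123.123.123.123"   # eth0, Internet side
GW_INTERNAL="192.168.10.1"    # eth1, intranet side
LAN="192.168.10.0/24"
WEB_HOST="192.168.10.10"

# nat table: rule 1 rewrites the destination, rule 2 the source (so the intranet host
# replies via the gateway), rule 3 puts LAN clients behind the public address.
gen_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -d $GW_PUBLIC --dport 80 -j DNAT --to-destination $WEB_HOST:80
-A POSTROUTING -o eth1 -p tcp -d $WEB_HOST --dport 80 -j SNAT --to-source $GW_INTERNAL
-A POSTROUTING -o eth0 -s $LAN -j SNAT --to-source $GW_PUBLIC
COMMIT
EOF
}

# nat only rewrites addresses; if the filter table's FORWARD policy is DROP, the
# routed flows must be allowed explicitly or nothing gets through.
gen_forward_rules() {
    cat <<EOF
*filter
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d $WEB_HOST --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s $LAN -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Nothing is forwarded at all unless the kernel sysctl from the notes is on.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Run as: ./nat.sh apply   (needs root); -n keeps the other tables untouched.
if [ "${1:-}" = "apply" ]; then
    forwarding_enabled || { echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1"; exit 1; }
    gen_nat_ruleset | iptables-restore -n
    gen_forward_rules | iptables-restore -n
fi
```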