Introduction to iptables inbound and outbound rules and NAT examples

Source: Internet
Author: User
Tags: ssh access, ssh port

-------------- This article is a summary of my work notes. Where a rule suits your case, use it directly; otherwise, adapt it as needed! ---------------

By default iptables uses an ACCEPT policy, also called a pass policy: everything is allowed and you add rules to block what you do not want. The opposite approach is a blocking (DROP) policy, where everything is denied and you add rules to allow only what is needed. (I prefer the blocking policy, enabling what is needed explicitly; the examples below are built on it.)

iptables terminology:

Four tables and five chains. Tables: filter (the default), nat, mangle and raw. Chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

INPUT chain: packets arriving from outside that are addressed to the local machine.
OUTPUT chain: packets generated by the local machine and sent out.
FORWARD chain: packets that pass through the local machine on their way to another NIC (the gateway case). Nothing is forwarded at all unless net.ipv4.ip_forward = 1 is set.

PREROUTING chain: packets that have just arrived, processed before the routing decision. In the nat table this is where the destination IP address is rewritten, which is DNAT (destination NAT).
POSTROUTING chain: packets that are about to leave the machine, processed after routing. In the nat table this is where the source IP address is rewritten, which is SNAT (source NAT).

Clear all existing rules before building the new set (-F flushes the rules in a table, -X deletes any user-defined chains):

iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X

Note that -F does not reset the chain policies. If INPUT is already set to DROP, flushing over an SSH session leaves nothing that accepts your packets, so when reworking an existing firewall remotely set the policy back to ACCEPT (iptables -P INPUT ACCEPT) before flushing.

Allow SSH on port 22

iptables -A INPUT -p tcp --dport 22 -j ACCEPT (allow external hosts to reach port 22 of the local machine)

iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT (allow the replies out; needed because the OUTPUT policy will be DROP and these rules are stateless)

A more complete SSH restriction, for example: connections arriving on eth0 from 192.168.16.0/24 are not limited; every other source address may hold at most five concurrent SSH connections (connlimit counts per source address by default), and attempts beyond that are rejected. The rule is applied only to NEW and ESTABLISHED packets.

iptables -A INPUT -i eth0 ! -s 192.168.16.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -m connlimit --connlimit-above 5 -j REJECT

Rule order matters here: iptables stops at the first matching rule, so this REJECT must come before the plain port-22 ACCEPT above (insert it with -I, or add it first). Appended after the ACCEPT it never matches anything.

----

iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT (allow the local machine to ssh to port 22 of other servers)

iptables -A INPUT -p tcp --sport 22 -j ACCEPT (and let their replies back in)

Set the default policy to DROP

iptables -P INPUT DROP

iptables -P OUTPUT DROP

Do not run service iptables save at this point. First open a new SSH session from a client and check that you can still log in. If you cannot, you can at least reboot: rules that have not been saved do not survive a restart. If you had already saved a broken ruleset, getting back in is a real problem.

Once SSH is confirmed to work, continue with the steps below.

Allow the loopback interface, for local access such as connecting to a database on the same machine

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

Allow the server to be pinged. I consider this necessary so that the server's status can be monitored.

iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT (these two rules let the local machine ping Internet IP addresses; type 8 is an ICMP echo request and type 0 the echo reply. Pinging by domain name does not work yet, because DNS is not allowed until the rules further down)

iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

----

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT (these two rules let external hosts ping the local machine)

iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

Allow DNS lookups, so that external hosts can be pinged by domain name

iptables -A INPUT -p udp --sport 53 -j ACCEPT

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

Stateless as written, the INPUT rule accepts any UDP packet whose source port is 53, whoever sends it. Adding -m state --state ESTABLISHED (or -s with your resolvers' addresses) keeps only genuine replies. DNS also falls back to TCP port 53 for truncated responses, which these two rules do not allow.

Allow external access to the web service on port 80 of the local machine, with state tracking so that only new connections and packets belonging to existing ones are accepted

iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Allow external access to several local ports at once, such as 8080, 8081 and 8082, using the multiport match. Inbound, NEW, ESTABLISHED and RELATED packets are accepted; outbound, only ESTABLISHED.

iptables -A INPUT -p tcp -m multiport --dports 8080,8081,8082 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --sports 8080,8081,8082 -m state --state ESTABLISHED -j ACCEPT

Allow external access to port 81 with a rate limit. The limit match is a token bucket: it starts with 200 tokens (--limit-burst 200) and refills at 2 per second (--limit 2/s); each matching packet spends one token, and packets that arrive when the bucket is empty fall through to the default DROP policy. This blunts simple flooding.

iptables -A INPUT -p tcp --dport 81 -m limit --limit 2/s --limit-burst 200 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 81 -j ACCEPT

As written, the rule counts every packet to port 81, including those of connections already accepted, so a few busy sessions exhaust the bucket for everyone. Adding --syn (or -m state --state NEW) makes it limit connection attempts instead, with a separate rule accepting ESTABLISHED traffic.

Limit every IP address except 192.168.16.99 to 50 forwarded connections (in effect granting yourself an exemption ^_^). connlimit counts concurrent connections per source address; the old "-s ! address" syntax is written "! -s address" in current iptables.

iptables -A FORWARD -p tcp ! -s 192.168.16.99 -m connlimit --connlimit-above 50 -j REJECT
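The rules from the steps above, collected into one script as an added example (not code from the original article). It writes the allow-list firewall in iptables-restore format with three changes a practitioner would make: the SSH connection limit is placed ahead of the SSH ACCEPT, the stateless --sport reply rules are replaced by one conntrack ESTABLISHED,RELATED rule, and the port-81 rate limit counts --syn packets only. It also addresses the lock-out worry from the default-policy step: the rules are loaded with a rollback timer that restores the previous ruleset unless you confirm from a fresh SSH session. The interface name eth0, the admin network 192.168.16.0/24, the 120-second timer, the pid-file path and the /etc/iptables.rules save path are assumptions; adjust them for your host (on systems using service iptables save the file is /etc/sysconfig/iptables).

```shell
#!/bin/sh
# Added example, not from the original article: the host firewall described
# above as an iptables-restore file, plus a lock-out-safe way to load it.
# Assumed values (change for your host):
WAN_IF="${WAN_IF:-eth0}"                     # NIC facing the outside
ADMIN_NET="${ADMIN_NET:-192.168.16.0/24}"    # exempt from the SSH connection limit
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"        # rollback timer after apply
PIDFILE=/run/iptables-rollback.pid           # assumed path
SAVEFILE=/etc/iptables.rules                 # assumed path (CentOS 6: /etc/sysconfig/iptables)

# Emit the ruleset. Order matters: iptables stops at the first match, so the
# SSH connection limit must precede the SSH ACCEPT or it is dead code.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# one stateful rule replaces every per-port --sport reply rule of the article
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# malformed flag combinations: Xmas, Null, SYN+FIN, SYN+RST
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SSH: at most 5 concurrent connections per source IP, admin network exempt
-A INPUT -i $WAN_IF ! -s $ADMIN_NET -p tcp --dport 22 --syn -m connlimit --connlimit-above 5 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
# ping in both directions (echo replies are matched by the ESTABLISHED rule)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# outbound DNS (UDP plus TCP fallback) and outbound SSH
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
# public services; port 81 limits connection attempts, not every packet
-A INPUT -p tcp --syn -m multiport --dports 80,8080,8081,8082 -j ACCEPT
-A INPUT -p tcp --dport 81 --syn -m limit --limit 2/s --limit-burst 200 -j ACCEPT
COMMIT
EOF
}

# Refuse to apply a ruleset where the SSH limit is appended after the ACCEPT.
ssh_limit_precedes_accept() {
    build_ruleset | grep -- '--dport 22' | head -n 1 | grep -q -- '-j REJECT'
}

# Load the rules with a safety net: snapshot the live ruleset and restore it
# after ROLLBACK_SECS unless confirm_rules is run from a working new session.
apply_with_rollback() {
    snapshot=$(mktemp) || return 1
    iptables-save > "$snapshot" || return 1
    build_ruleset | iptables-restore || { iptables-restore < "$snapshot"; return 1; }
    ( sleep "$ROLLBACK_SECS"; iptables-restore < "$snapshot" ) &
    echo $! > "$PIDFILE"
    echo "loaded; open a NEW ssh session, then run: $0 confirm (rollback in ${ROLLBACK_SECS}s)"
}

# Cancel the rollback and save only now, once SSH has been proven to work.
confirm_rules() {
    kill "$(cat "$PIDFILE")" 2>/dev/null; rm -f "$PIDFILE"
    iptables-save > "$SAVEFILE" && echo "saved to $SAVEFILE"
}

case "${1:-}" in
    apply)   ssh_limit_precedes_accept && apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       build_ruleset ;;   # dry run: print the ruleset for review
esac
```

Run it without arguments to print the ruleset for review (nothing is changed), then as root with apply to load it, and from a new SSH session with confirm to cancel the rollback and save. If the new session cannot connect, wait out the timer and the previous rules come back on their own.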

TCP match extension: --tcp-flags

--tcp-flags takes two lists: the flags to examine (the mask) and, of those, the flags that must be set; every other examined flag must be clear.

iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK,RST SYN (examines SYN, FIN, ACK and RST and matches only when SYN alone is set; add the target of your choice with -j)

iptables -A INPUT -p tcp --syn (the same match written with the --syn shorthand, which is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN)

Examples:

// Nmap Xmas scan

iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP (examine all flags; drop packets with exactly FIN, URG and PSH set)

// all flags except PSH set at once, another combination no real TCP stack produces

iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP (examine all flags; drop packets with exactly SYN, RST, ACK, FIN and URG set)

// Null scan

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP (examine all flags; drop packets with no flag set)

iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP (examine SYN and RST; drop packets with both set. SYN opens a connection and RST resets one, so a packet carrying both is malformed)

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP (examine SYN and FIN; drop packets with both set. SYN opens a connection and FIN closes one, so such a packet is malformed too)
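To make the mask/compare semantics concrete, here is an added example (not from the original article) that reimplements the --tcp-flags comparison in shell and runs flag sets through the DROP rules above in the article's order. Flag names and bit values follow the TCP header; the packet flag sets are constructed inputs, not captured traffic.

```shell
#!/bin/sh
# Added example, not from the original article: a shell re-implementation of
# the --tcp-flags comparison, used to check the DROP rules above against
# constructed packet flag sets without touching a live kernel.
# Semantics: "--tcp-flags MASK COMP" matches when (packet_flags & MASK) == COMP.

# Convert a comma-separated flag list (or ALL / NONE) to a bitmask, using the
# TCP header bit values FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32.
flags_to_mask() {
    mask=0
    for f in $(printf '%s' "$1" | tr ',' ' ' | tr 'a-z' 'A-Z'); do
        case "$f" in
            FIN)  mask=$((mask | 1)) ;;
            SYN)  mask=$((mask | 2)) ;;
            RST)  mask=$((mask | 4)) ;;
            PSH)  mask=$((mask | 8)) ;;
            ACK)  mask=$((mask | 16)) ;;
            URG)  mask=$((mask | 32)) ;;
            ALL)  mask=63 ;;
            NONE) mask=0 ;;
            *) echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    echo "$mask"
}

# Exit 0 when a packet carrying the flags in $3 matches "--tcp-flags $1 $2";
# this is the same test the kernel's tcp match performs.
tcp_flags_match() {
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $(( p & m )) -eq "$c" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN: a fresh connection
# request, but not the SYN/ACK that answers one.
is_syn_only() { tcp_flags_match SYN,RST,ACK,FIN SYN "$1"; }

# Walk a packet through the article's DROP rules in their order and report
# the first one that fires, or "pass" when none does.
classify_packet() {
    tcp_flags_match ALL FIN,URG,PSH "$1"         && { echo "drop: Xmas (FIN,URG,PSH only)"; return 0; }
    tcp_flags_match ALL SYN,RST,ACK,FIN,URG "$1" && { echo "drop: all flags but PSH"; return 0; }
    tcp_flags_match ALL NONE "$1"                && { echo "drop: Null (no flags)"; return 0; }
    tcp_flags_match SYN,RST SYN,RST "$1"         && { echo "drop: SYN+RST"; return 0; }
    tcp_flags_match SYN,FIN SYN,FIN "$1"         && { echo "drop: SYN+FIN"; return 0; }
    echo "pass"
}

# Demo on constructed flag sets: scan probes, a normal handshake, and data.
for pkt in FIN,URG,PSH NONE SYN,FIN SYN,RST SYN SYN,ACK ACK,PSH; do
    printf '%-12s %s\n' "$pkt" "$(classify_packet "$pkt")"
done
```

The point the table brings out is the role of the mask: with ALL as the mask, a packet with FIN, URG, PSH and ACK set is not an Xmas packet (ACK is examined and must be clear), while with the narrow mask SYN,FIN a packet is dropped as SYN+FIN no matter what ACK or PSH say.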

SNAT and DNAT

SNAT:

To let every address in the 192.168.10.0/24 segment reach the Internet through the Linux server's eth0, whose address is 123.123.123.123:

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 123.123.123.123

DNAT:

Gateway: eth0 123.123.123.123 (public side), eth1 192.168.10.1 (intranet side). Intranet host: 192.168.10.10.

To redirect connections to port 80 of 123.123.123.123 to port 80 of 192.168.10.10:

iptables -t nat -A PREROUTING -p tcp -d 123.123.123.123 --dport 80 -j DNAT --to-destination 192.168.10.10:80

iptables -t nat -A POSTROUTING -p tcp -d 192.168.10.10 --dport 80 -j SNAT --to-source 192.168.10.1 (source NAT on the intranet leg)

Rule 1 rewrites the destination of the external packet to the specified port of the intranet host.
Rule 2 rewrites the source address to the gateway's intranet address before the packet is forwarded, so that the intranet host sends its replies back to the gateway rather than straight to the client. This is required when the client is itself on the intranet (it would otherwise receive a reply from 192.168.10.10 for a connection it opened to 123.123.123.123 and discard it); for Internet clients it is unnecessary as long as the host's default route points at the gateway, and it has the side effect that the host only ever sees 192.168.10.1 as the client address. Both rules also need net.ipv4.ip_forward = 1 and, if the FORWARD policy is DROP, rules in the FORWARD chain that accept the redirected traffic.
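The gateway from the DNAT description as one ruleset, added here as an example rather than taken from the article. It uses the article's addresses (eth0 123.123.123.123, eth1 192.168.10.1, web host 192.168.10.10) and adds what the two nat rules alone leave out: ip_forward, FORWARD-chain rules that admit only the NAT'd flows under a DROP policy, and a hairpin SNAT restricted to intranet clients so that Internet clients' real addresses still reach the web host. The conntrack match and the LAN_NET value 192.168.10.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the NAT gateway above as one
# iptables-restore ruleset. Addresses are the article's; LAN_NET and the
# conntrack match are assumptions.
WAN_IF=eth0; WAN_IP=123.123.123.123
LAN_IF=eth1; LAN_IP=192.168.10.1; LAN_NET=192.168.10.0/24
WEB_HOST=192.168.10.10; WEB_PORT=80

build_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT (before routing): public port $WEB_PORT -> intranet web host, from either side
-A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport $WEB_PORT -j DNAT --to-destination $WEB_HOST:$WEB_PORT
-A PREROUTING -i $LAN_IF -p tcp -d $WAN_IP --dport $WEB_PORT -j DNAT --to-destination $WEB_HOST:$WEB_PORT
# hairpin SNAT, intranet clients only: the web host then replies via the
# gateway instead of directly to a peer on its own subnet. Internet clients
# keep their real source address, so the web host's logs stay useful.
-A POSTROUTING -s $LAN_NET -p tcp -d $WEB_HOST --dport $WEB_PORT -j SNAT --to-source $LAN_IP
# SNAT (after routing) for intranet hosts reaching the Internet; with a
# dynamic public address use -j MASQUERADE instead of a fixed --to-source
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the FORWARD chain sees the post-DNAT destination; admit only the NAT'd flows
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -p tcp -d $WEB_HOST --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Offline check: every DNAT target needs a FORWARD ACCEPT, or the redirected
# packets die silently under the DROP policy.
dnat_targets_forwarded() {
    rs=$(build_nat_ruleset)
    for target in $(printf '%s\n' "$rs" | sed -n 's/.*--to-destination \([0-9.]*\):\([0-9]*\).*/\1:\2/p' | sort -u); do
        host=${target%:*}; port=${target#*:}
        printf '%s\n' "$rs" | grep -q -- "-A FORWARD .*-d $host --dport $port .*-j ACCEPT" || return 1
    done
}

# Forwarding between NICs is off by default; NAT rules do nothing without it.
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1 || return 1
    build_nat_ruleset | iptables-restore
}

case "${1:-}" in
    apply) dnat_targets_forwarded && apply_gateway ;;
    *)     build_nat_ruleset ;;   # dry run: print the ruleset for review
esac
```

Without arguments the script only prints the ruleset; apply (as root) turns on forwarding and loads it after the DNAT/FORWARD consistency check passes. Remember that sysctl -w does not survive a reboot; the setting also belongs in /etc/sysctl.conf.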
