Introduction to the iptables command
The iptables firewall can be used to create packet-filtering (filter) and NAT rules. Every Linux distribution ships iptables, so understanding how to configure it will help you manage the Linux firewall more effectively. If you are encountering iptables for the first time it will look very complicated, but once you understand how it works you will find that it is actually quite simple.
First, the structure of iptables: iptables -> tables -> chains -> rules. Simply put, tables are made up of chains, and chains are made up of rules, as shown in the following figure.
Figure: iptables table, chain and rule structure

I. iptables tables and chains
iptables has four kinds of built-in table: filter, nat, mangle and raw.

1. Filter table
filter is the default table for iptables: if you do not specify a table, the filter table is used. It has the following three built-in chains:
INPUT chain – processes incoming packets from outside.
OUTPUT chain – processes outgoing packets.
FORWARD chain – forwards packets to other network interfaces on this host.

2. NAT table
The nat table has three built-in chains:
PREROUTING chain – handles packets that have just arrived at this host, before the routing decision is made. It rewrites the destination IP address of the packet and is typically used for DNAT (destination NAT).
POSTROUTING chain – handles packets that are about to leave this host. It rewrites the source IP address of the packet and is typically used for SNAT (source NAT).
OUTPUT chain – handles packets generated by this host.

3. mangle table
The mangle table is used to specify how packets are processed; for example, it can change the QoS bits in the TCP header. The mangle table has five built-in chains: PREROUTING, OUTPUT, FORWARD, INPUT and POSTROUTING.

4. raw table
The raw table is used to handle exceptions and has two built-in chains: the PREROUTING chain and the OUTPUT chain.

5. Summary
The following figure shows the three built-in tables for iptables:
Figure: iptables built-in tables

II. iptables rules
Keep the following three points in mind to understand iptables rules:
A rule consists of a condition and a target.
If the condition is satisfied, the rule jumps to the target (or applies the specific target value).
If the condition is not met, the next rule is evaluated.

Target values
The following special values can be specified as the target:
ACCEPT – the firewall lets the packet through.
DROP – the firewall discards the packet.
QUEUE – the firewall passes the packet to user space.
RETURN – the firewall stops executing the remaining rules in the current chain and returns to the calling chain.
If you run iptables --list you will see the rules currently loaded in the firewall. The following example shows a system on which no firewall rules have been defined; you can see that it displays the default filter table and that table's default INPUT, FORWARD and OUTPUT chains.
# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
View the mangle table:
# iptables -t mangle --list
View the nat table:
# iptables -t nat --list
View the raw table:
# iptables -t raw --list
/!\ Note: if you do not specify the -t option, only the default filter table is displayed. Therefore, the following two forms of the command mean the same thing:
# iptables -t filter --list
(or)
# iptables --list
The following example shows that there are rules in the input chain of the filter table, in the forward chain, in the output chain:
# iptables--list Chain INPUT (policy ACCEPT) num Target prot opt source destination 1 rh-firewall-1 -input All--0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) num Target prot opt source Destination 1 Rh-firewall-1-input All--0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) Num Target Prot opt source Destination Chain rh-firewall-1-input (2 references) num target prot opt source Destination 1 ACCEPT All--0.0.0.0/0 0.0.0.0/0 2 ACCEPT ICMP--0.0.0.0/0 0.0.0.0/0 ICMP type 255 3 ACCEPT ESP--0.0.0.0/0 0.0.0.0/0 4 ACCEPT AH--0. 0.0.0/0 0.0.0.0/0 5 ACCEPT UDP--0.0.0.0/0 224.0.0.251 UDP dpt:5353 6 ACCEPT UDP--0.0.0.0/0 0.0.0.0/0 UDP dpt:631 7 ACCEPT TCP--0.0.0.0/0 0.0.0.0/0 TCP dpt:631 8 ACCEPT All--0.0.0.0/0 0.0.0.0/0 State related,established 9 ACCEPT TCP--0.0.0.0/0 0.0.0.0/0 state NEW TCP dpt:22 REJECT All--0.0.0.0/0 0.0.0.0/0 Rej
Ect-with icmp-host-prohibited
The above output contains the following fields:
num – the rule number within the specified chain
target – the target, one of the special values described earlier
prot – protocol: tcp, udp, icmp, etc.
source – the source IP address of the packet
destination – the destination IP address of the packet

III. Clearing all iptables rules
Before configuring iptables, you usually need to check with the iptables --list or iptables-save command whether any rules already exist, because you will often need to delete the existing iptables rules first:
iptables --flush
or
iptables -F
These two commands are equivalent, but do not assume that everything is gone after running them. You still need to verify that the rules are really empty, because on some Linux distributions this command does not clear the rules in the nat table, which then has to be cleared separately:
iptables -t nat -F
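The check the text asks for, done by hand for every table rather than only filter and nat, as an added example that is not part of the original article. The helper functions below are hypothetical: IPT and IPTSAVE default to the real iptables and iptables-save binaries but can be overridden (for instance IPT=echo) to print the commands instead of running them, so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original article): flush every built-in table rather
# than only filter. IPT and IPTSAVE are overridable so the logic can be exercised
# without root, e.g. IPT=echo prints the commands instead of running them.
IPT="${IPT:-iptables}"
IPTSAVE="${IPTSAVE:-iptables-save}"

# Run one iptables invocation through the configurable command name.
ipt() { "$IPT" "$@"; }

# Set the filter policies back to ACCEPT before flushing: if the policy were DROP,
# flushing the ACCEPT rules would cut off the administrator's own session.
reset_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        ipt -t filter -P "$chain" ACCEPT
    done
}

# Flush rules (-F), delete user-defined chains (-X) and zero counters (-Z)
# in all four tables, since "iptables -F" alone only touches filter.
flush_all_tables() {
    reset_policies
    for table in filter nat mangle raw; do
        ipt -t "$table" -F
        ipt -t "$table" -X
        ipt -t "$table" -Z
    done
}

# Verify the result: every rule still loaded shows up in iptables-save output
# as a line beginning with "-A", so a clean system reports 0.
count_remaining_rules() {
    "$IPTSAVE" | grep -c '^-A' || true
}

# Stand-alone use (as root): flush, then confirm nothing is left.
if [ "${1:-}" = "--run" ]; then
    flush_all_tables
    echo "rules remaining: $(count_remaining_rules)"
fi
```

Resetting the policies first matters when you administer the box over SSH: a chain whose policy is DROP keeps dropping after its ACCEPT rules are flushed, which is the classic way to lock yourself out while cleaning up.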
IV. Making rules permanent
When you delete and add rules, the changes do not take effect permanently; after the system restarts, the rules are likely to revert to what they were. To make the configuration permanent, the procedure differs by platform. Here is a brief introduction:

1. Ubuntu
First, save the existing rules:
iptables-save > /etc/iptables.rules
Then create a new bash script and save it in the /etc/network/if-pre-up.d/ directory:
#!/bin/bash
iptables-restore < /etc/iptables.rules
In this way the iptables rules are loaded automatically every time the system restarts.
/!\ Note: do not try to run the above command from .bashrc or .profile, because the user is usually not root, and that would only load the iptables rules at login.

2. CentOS, RedHat
# Save the iptables rules
service iptables save
# Restart the iptables service
service iptables stop
service iptables start
To view the current rules:
cat /etc/sysconfig/iptables
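The Ubuntu save-and-restore procedure above, carried through with a validity check so that a truncated or empty rules file is never fed to iptables-restore at boot. This is an added example, not the article's own script; the functions are hypothetical, and RULES_FILE, IPTSAVE and IPTRESTORE are overridable so it can be tested without root.

```shell
#!/bin/sh
# Added example (not from the original article): save and restore iptables rules
# with a validity check, as the /etc/network/if-pre-up.d script on Ubuntu would.
# RULES_FILE, IPTSAVE and IPTRESTORE are overridable so the logic can be tested
# without root.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
IPTSAVE="${IPTSAVE:-iptables-save}"
IPTRESTORE="${IPTRESTORE:-iptables-restore}"

# A usable iptables-save dump is readable, names at least one table ("*filter",
# "*nat", ...) and ends each table with COMMIT. Anything else is rejected so a
# truncated or empty file never gets fed to iptables-restore at boot.
rules_file_valid() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q '^\*[a-z]*$' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
}

# Write the current ruleset to a temporary file first, validate it, then move it
# into place so a failed save cannot leave a half-written rules file behind.
save_rules() {
    tmp="$RULES_FILE.tmp.$$"
    "$IPTSAVE" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! rules_file_valid "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp"        # the dump describes the firewall policy; keep it root-only
    mv "$tmp" "$RULES_FILE"
}

# Load the saved ruleset; refuse to touch the firewall if the file is not valid.
# This is the body a /etc/network/if-pre-up.d/ script would call.
restore_rules() {
    if ! rules_file_valid "$RULES_FILE"; then
        echo "not loading invalid rules file: $RULES_FILE" >&2
        return 1
    fi
    "$IPTRESTORE" < "$RULES_FILE"
}
```

The temporary-file-then-rename step is what keeps a reboot during iptables-save from leaving you with an empty /etc/iptables.rules, which iptables-restore would otherwise apply silently.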
V. Appending iptables rules
You can use the iptables -A command to append a new rule, where -A stands for append, so the new rule is added at the end of the chain.
Usually the last rule is one that drops (DROP) all packets. If you already have such a rule and you add a new rule with the -A argument, the new rule lands after it and is never reached, so your effort is wasted.

1. Syntax
iptables -A chain firewall-rule
-A chain – specifies the chain to which the rule is appended
firewall-rule – the specific rule parameters
2. Basic parameters describing a rule
The following rule parameters describe the packet's protocol, source address, destination address, the permitted network interface, and how the packet is to be handled. These are the basic elements of a rule.

-p protocol
Specifies the protocol for the rule, such as tcp, udp, icmp, and so on; all can be used to match all protocols. If the -p argument is not given, all is the default. This is unwise: always specify the protocol name explicitly. You can specify a protocol either by name (such as tcp) or by its protocol number (such as 6 for tcp); see /etc/protocols for the mapping. You can also use --protocol instead of -p.

-s source address
Specifies the source address of the packet. This can be an IP address, a network address or a host name, for example:
-s 192.168.1.101 specifies a single IP address
-s 192.168.1.10/24 specifies a network address
If the -s argument is not given, all source addresses match. You can also use --src or --source.

-d destination address
Specifies the destination address; the parameters are the same as for -s. You can also use --dst or --destination.
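The two points made in this section, that a rule appended with -A after a terminal DROP is never reached and that -p should always be given explicitly, as an added example that is not part of the original article. The helpers are hypothetical: they read the current chain from iptables-save, insert the new rule above a catch-all DROP/REJECT instead of appending below it, and refuse a rule that omits the protocol. IPT and IPTSAVE are overridable (IPT=echo) for dry runs without root.

```shell
#!/bin/sh
# Added example (not from the original article): add a rule so that it actually
# takes effect. A rule appended with -A lands after a terminal "DROP/REJECT all"
# rule and is never consulted, so this helper inserts above that rule instead, and
# it refuses rules that omit -p, following the article's advice to always name the
# protocol. IPT and IPTSAVE are overridable for dry runs (IPT=echo).
IPT="${IPT:-iptables}"
IPTSAVE="${IPTSAVE:-iptables-save}"

# Return success if -p or --protocol appears among the rule arguments.
has_protocol() {
    for arg in "$@"; do
        case "$arg" in
            -p|--protocol) return 0 ;;
        esac
    done
    return 1
}

# Print the 1-based position of the first catch-all DROP/REJECT rule in CHAIN
# (a "-A CHAIN -j DROP" line with no match clauses), or nothing if there is none.
# Rules are read from iptables-save, where each rule is one "-A CHAIN ..." line.
terminal_rule_index() {
    "$IPTSAVE" -t filter | awk -v c="$1" '
        $1 == "-A" && $2 == c {
            n++
            if ($0 ~ /^-A [^ ]+ -j (DROP|REJECT)/) { print n; exit }
        }'
}

# Usage: add_rule CHAIN rule-parameters...
# e.g. add_rule INPUT -p tcp --dport 80 -j ACCEPT
add_rule() {
    chain="$1"; shift
    if ! has_protocol "$@"; then
        echo "refusing rule for $chain: no -p/--protocol given" >&2
        return 1
    fi
    idx=$(terminal_rule_index "$chain")
    if [ -n "$idx" ]; then
        "$IPT" -I "$chain" "$idx" "$@"   # insert just above the terminal DROP/REJECT
    else
        "$IPT" -A "$chain" "$@"          # no terminal rule yet: appending is safe
    fi
}
```

With a chain such as ACCEPT, ACCEPT, DROP, the helper issues "-I INPUT 3 ..." so the new rule becomes number 3 and the DROP moves to 4; on a chain without a terminal rule it falls back to -A exactly as the article describes.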