Iptables Software Firewall: Basic Command Explanation (I)

Source: Internet
Author: User

Iptables Basic Commands



Background:

Firewall configuration comes up constantly at work, so this is a summary of the iptables commands that are used most often. Everyone knows that iptables has four tables and five chains; that is not explained here and will be covered in a later update.


First, basic operations on chains

1. Clear all rules.

1) Clear the rules in every chain of the default table (filter):

# iptables -F

This deletes all rules in the chains of the filter table (add -t <table> to flush another table).

Note: -F removes rules only; it does not reset a chain's default policy. If "iptables -P INPUT DROP" was run earlier, flushing leaves an empty chain whose policy is still DROP, which cuts off every connection including your own SSH session. Set the policy back to ACCEPT before flushing when working remotely.

2) Delete user-defined chains in the filter table:

# iptables -X [chain-name]

A chain cannot be deleted while it still contains rules or is still referenced by a rule in another chain. With no chain name, every empty user-defined chain is deleted.

3) Reset the packet and byte counters of all chains:

# iptables -Z


2. Set the default policy of a chain. There are generally two approaches.

1) Allow all packets first, then block the dangerous ones with explicit rules. With this approach anything you forget to block gets through, so check the rules carefully:

# iptables -P INPUT ACCEPT

# iptables -P OUTPUT ACCEPT

# iptables -P FORWARD ACCEPT

2) Block all packets first, then allow only the specific traffic that is needed (default deny, the safer choice):

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

# iptables -P FORWARD DROP

When configuring a remote machine, add the rules that allow your own session (loopback, established connections, SSH from your address) before switching the policy to DROP, otherwise the session is cut off as soon as the policy changes.


3. List all rules of a table/chain. Without -t, only the filter table is listed:

# iptables -L

Add -n to print numeric addresses and ports instead of resolving names (much faster), and -v to show packet counters and interfaces.


4. Add rules to a chain. The following rules open whole network interfaces:

# iptables -A INPUT -i lo -j ACCEPT

# iptables -A OUTPUT -o lo -j ACCEPT

# iptables -A INPUT -i eth0 -j ACCEPT

# iptables -A OUTPUT -o eth1 -j ACCEPT

# iptables -A FORWARD -i eth1 -j ACCEPT

# iptables -A FORWARD -o eth1 -j ACCEPT

Note: packets generated by or delivered to local processes never traverse the FORWARD chain, so the loopback interface lo is only relevant in the INPUT and OUTPUT chains. -i selects the incoming interface and is valid in INPUT, FORWARD and PREROUTING; -o selects the outgoing interface and is valid in OUTPUT, FORWARD and POSTROUTING.


5. User-defined chains.

# iptables -N custom

# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP

# iptables -A INPUT -s 0/0 -d 0/0 -j custom

The first command creates the chain, the second adds a rule to it, and the third makes the INPUT chain jump into it; a user-defined chain that nothing jumps to is never consulted. A packet that reaches the end of a user-defined chain without a verdict returns to the calling chain. "-s 0/0 -d 0/0" matches any address and can simply be left out.


Second, basic rule matches

(The examples in this section omit -j; a rule without a target matches and counts packets but takes no action.)

1. Protocol matches.

1) Match the specified protocol:

# iptables -A INPUT -p tcp

2) Match every protocol except the specified one:

# iptables -A INPUT ! -p tcp


2. Address matches.

1) Match a single host:

# iptables -A INPUT -s 192.168.0.18

2) Match a network:

# iptables -A INPUT -s 192.168.2.0/24

3) Match any address except the specified host:

# iptables -A FORWARD ! -s 192.168.0.19

4) Match any address outside the specified network:

# iptables -A FORWARD ! -s 192.168.3.0/24

-d works the same way for destination addresses.


3. Network interface matches.

1) A single interface:

# iptables -A INPUT -i eth0

# iptables -A FORWARD -o eth0

2) All interfaces of the same type, using the "+" wildcard (here every PPP interface: ppp0, ppp1, ...):

# iptables -A FORWARD -o ppp+


4. Port matches. Port options require -p tcp or -p udp; ICMP types require -p icmp.

1) A single port. Service names from /etc/services can be used instead of numbers (www is port 80):

# iptables -A INPUT -p tcp --sport www

# iptables -A INPUT -p udp --dport 53

2) Any port except the specified one:

# iptables -A INPUT -p tcp ! --dport 22

3) A port range (inclusive):

# iptables -A INPUT -p tcp --sport 22:80

4) ICMP has no ports; match on the ICMP type instead (type 8 is echo-request, i.e. ping):

# iptables -A INPUT -p icmp --icmp-type 8


5) IP fragments.

Every network interface has an MTU (maximum transmission unit) that defines the largest packet it can carry. A packet larger than the MTU is split into smaller packets (IP fragments) for transmission, and the receiver reassembles them into the original packet. This causes a problem for filtering: only the first fragment carries the complete headers (IP plus TCP, UDP or ICMP); the later fragments carry only an IP header (source address, destination address and so on), so their transport-layer fields (ports, ICMP type, TCP flags) cannot be checked. Given a rule such as:

# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT

with a FORWARD policy of DROP, only the first fragment passes; the remaining fragments do not match because their headers are incomplete. The --fragment (-f) option matches the second and subsequent fragments and can be used to let them through:

# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT

Note: fragments are used in many attacks (fragment floods and other DoS techniques, overlapping fragments that evade filters), so accepting all non-first fragments unconditionally is a security risk; at least rate-limit them with the limit match described below. On current kernels the problem largely disappears once connection tracking is in use: the nf_defrag_ipv4 module reassembles IPv4 fragments before the filter rules see the packet, so each rule is evaluated against the whole packet and the -f match rarely fires.


Third, extension matches (loaded with -m; the -j target is omitted in the examples below)

1. Multiport match: up to 15 ports or port ranges in one rule, comma-separated (requires -p tcp or -p udp).

1) Match several source ports:

# iptables -A INPUT -p tcp -m multiport --sports 22,53,80,110

2) Match several destination ports:

# iptables -A INPUT -p tcp -m multiport --dports 22,53,80

3) Match several ports as either source or destination port:

# iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110


2. TCP match extension.

The --tcp-flags option filters on the flag bits of the TCP header. It takes two lists: the flags to examine (the mask) and, of those, the flags that must be set; every examined flag that is not in the second list must be clear, and flags outside the mask are ignored.

# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN

# iptables -A FORWARD -p tcp --tcp-flags ALL SYN,ACK

The first rule examines SYN, FIN and ACK and matches only when SYN is set and FIN and ACK are clear (RST, URG and PSH are not examined). The second examines all six flags (SYN, ACK, FIN, RST, URG, PSH) and matches only when exactly SYN and ACK are set, i.e. the second packet of a TCP handshake.

# iptables -A FORWARD -p tcp --syn

The --syn option is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN", i.e. a connection-opening packet; "! --syn" matches everything except new connection requests.
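To make the mask/comparison semantics concrete, here is an added example (not code from the original article) that applies the same test the kernel applies, (packet_flags AND mask) == comp, to a few constructed flag combinations, including the two rules above, the --syn shorthand and the classic NULL and Xmas scan signatures. The flag bit values are the real TCP header bits; everything else is local to the script.

```bash
#!/bin/bash
# Added example, not part of the original article: the rule the kernel
# applies for "--tcp-flags MASK COMP" to a packet's TCP flags:
#   (packet_flags & MASK) == COMP
# Every flag in MASK must be set if it is in COMP and clear if it is not;
# flags outside MASK are ignored. The bit values are the TCP header bits.

# flags_to_bits "SYN,ACK" -> integer bit mask (ALL and NONE are accepted)
flags_to_bits() {
    bits=0
    for f in $(echo "$1" | tr ',' ' ' | tr 'a-z' 'A-Z'); do
        case $f in
            FIN)  bits=$((bits | 1)) ;;
            SYN)  bits=$((bits | 2)) ;;
            RST)  bits=$((bits | 4)) ;;
            PSH)  bits=$((bits | 8)) ;;
            ACK)  bits=$((bits | 16)) ;;
            URG)  bits=$((bits | 32)) ;;
            ALL)  bits=63 ;;
            NONE) bits=0 ;;
            *) echo "unknown TCP flag: $f" >&2; return 2 ;;
        esac
    done
    echo "$bits"
}

# tcp_flags_match MASK COMP PACKET_FLAGS -> exit status 0 if the rule matches
tcp_flags_match() {
    mask=$(flags_to_bits "$1") || return 2
    comp=$(flags_to_bits "$2") || return 2
    pkt=$(flags_to_bits "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# show MASK COMP PACKET_FLAGS: print the verdict for one constructed packet
show() {
    if tcp_flags_match "$1" "$2" "$3"; then v=match; else v="no match"; fi
    printf '%-20s %-12s packet %-14s -> %s\n' "$1" "$2" "$3" "$v"
}

# The two rules from the article:
show SYN,FIN,ACK SYN SYN             # match: a bare SYN
show SYN,FIN,ACK SYN SYN,ACK         # no match: ACK is examined and set
show SYN,FIN,ACK SYN SYN,PSH         # match: PSH is not examined
show ALL SYN,ACK SYN,ACK             # match: exactly SYN+ACK
show ALL SYN,ACK SYN,ACK,PSH         # no match: with ALL, PSH counts too
# --syn is --tcp-flags SYN,RST,ACK,FIN SYN:
show SYN,RST,ACK,FIN SYN SYN,URG     # match: URG is outside the mask
# Scan signatures that --tcp-flags ALL can catch:
show ALL NONE NONE                   # NULL scan
show ALL FIN,PSH,URG FIN,PSH,URG     # Xmas scan
show ALL ALL SYN,ACK                 # no match: not every flag is set
```

The practical consequence: a rule that only names SYN in the mask, such as "--tcp-flags SYN SYN", also matches SYN+ACK replies, so always put every flag you care about into the first list.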


3. Rate-limit match extension (limit).

1) Specify the average number of packets allowed per unit of time; the unit is /second, /minute, /hour or /day (the default is 3/hour):

# iptables -A INPUT -m limit --limit 300/hour

2) Specify the burst, i.e. the number of packets the rule matches at once before the average limit takes effect (the default is 5):

# iptables -A INPUT -m limit --limit-burst 10

With this setting up to 10 packets arriving together are matched; after that the rule stops matching until the average rate has replenished the allowance. What happens to the packets that are not matched is decided by the rules that follow, which is why a limit rule is normally followed by a DROP rule for the same traffic.

3) Specify both the average rate and the burst:

# iptables -A INPUT -p icmp -m limit --limit 3/m --limit-burst 3

The limit match behaves like a token bucket: the bucket holds at most --limit-burst tokens and starts full, every matched packet takes one token, and tokens are replenished at the --limit rate (here one every 20 seconds) up to the burst size. So 3 pings arriving together are always matched, and in a minute that starts with a full bucket at most 3 (burst) + 3 (rate) packets are matched. Note that the limit match counts packets, not connections; to limit connection attempts combine it with --syn.

==============

Example of a port rate limit

# vim control_flow.sh

#!/bin/bash

iptables -F

# Match at most 800 packets per second to port 8080 from the LAN ...
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 8080 -m limit --limit 800/s -j ACCEPT

# ... and drop whatever exceeds the limit. The limit rule must come first,
# and there must be no unconditional ACCEPT for this port in front of it.
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 8080 -j DROP

==============
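The "3 + 3 packets per minute" description above is easier to trust when the token bucket is run by hand. The following is an added example, not part of the original article: a small shell simulation of the bucket behind "-m limit --limit R/minute --limit-burst B", fed with constructed packet arrival times. The refill bookkeeping (integer milliseconds, carrying fractional credit only while the bucket is not full) is an approximation of the kernel's jiffy-based credit counter, chosen to reproduce its observable behaviour.

```bash
#!/bin/bash
# Added example, not part of the original article: a simulation of the
# token bucket behind "-m limit --limit R/minute --limit-burst B".
# The bucket starts full with B tokens, every packet the rule matches
# takes one token, and tokens are replenished at rate R up to B.
# A packet that finds the bucket empty does not match the rule.
# The arrival times below are constructed sample input, in seconds.

# limit_sim RATE_PER_MINUTE BURST "t1 t2 ..." -> one MATCH/NOMATCH per packet
limit_sim() {
    rate=$1
    burst=$2
    arrivals=$3
    interval=$((60000 / rate))   # milliseconds per replenished token
    tokens=$burst
    refilled_up_to=0             # time (ms) up to which refills are accounted
    out=""
    for t in $arrivals; do
        now=$((t * 1000))
        # credit the whole tokens earned since the last accounting point
        earned=$(( (now - refilled_up_to) / interval ))
        if [ "$earned" -gt 0 ]; then
            tokens=$((tokens + earned))
            if [ "$tokens" -ge "$burst" ]; then
                # a full bucket accumulates no partial credit
                tokens=$burst
                refilled_up_to=$now
            else
                # keep the fractional remainder for the next packet
                refilled_up_to=$((refilled_up_to + earned * interval))
            fi
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1))
            out="${out:+$out }MATCH"
        else
            out="${out:+$out }NOMATCH"
        fi
    done
    echo "$out"
}

# 3/minute with burst 3: the first three packets match at once, the
# fourth finds the bucket empty, then one token comes back every 20 s.
limit_sim 3 3 "0 1 2 3 25 45 60 61 62 63"

# After a long quiet period the bucket is full again (but never fuller).
limit_sim 3 3 "0 1 2 3 200 201 202 203"
```

In the first run, six packets match inside the first minute (three from the burst plus three from the rate), matching the description above; in the second, the quiet period restores exactly the burst, not the tokens that "accrued" while the bucket was already full.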


4) State match extension (connection tracking).

Each network connection is described by its source address, destination address, source port and destination port (together the socket pair), the protocol, the connection status (for TCP) and a timeout. The firewall calls this information the state. A stateful packet filter keeps a tracking table of this information in memory, which makes it considerably more secure than a simple packet filter. The command format is:

iptables -m state [!] --state state[,state,...]

(On current versions of iptables, -m state is an alias for -m conntrack --ctstate, which accepts the same state names.)

The state list is a comma-separated selection of four connection states:

>NEW: the packet starts a new connection, or belongs to a connection that has not yet seen packets in both directions.

>RELATED: the packet starts a new connection that is associated with an existing one, for example the FTP data connection that belongs to an FTP control connection, or an ICMP error message that refers to an existing connection.

>ESTABLISHED: the packet belongs to a connection that has already seen packets in both directions.

>INVALID: the packet cannot be associated with any known connection (a malformed packet, or a TCP segment that does not fit the tracked connection); such packets are usually dropped.

For example:

(1) Add a rule to the INPUT chain that matches packets of established connections and of new connections related to them, i.e. all replies and follow-up traffic of connections this host already knows about:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED

(2) Add a rule to the INPUT chain that matches all connection-request packets arriving on interfaces other than eth0:

# iptables -A INPUT -m state --state NEW ! -i eth0


As another example, the following rules use connection tracking for FTP, written from the point of view of an FTP client host. For the data connection to be recognised as RELATED, the FTP connection-tracking helper (the nf_conntrack_ftp module) must be loaded, because the data port is negotiated inside the control connection. "1024:" means port 1024 and above.

(1) Passive (PASV) FTP: the client opens the data connection from an unprivileged port to an unprivileged port on the server.

# iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

(2) Active (PORT) FTP: the server opens the data connection from its port 20 to an unprivileged port on the client.

# iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
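The default-deny policy from section "2. Set the default policy" and the state match from this section only work safely together when the rules are installed in the right order: tracked traffic accepted first, the policy switched to DROP last, and any rate-limited ACCEPT placed before (never after) an unconditional rule for the same port. The following is an added example, not code from the original article, that builds such an INPUT chain. Run as-is it only prints the iptables commands; with MODE=apply it executes them (root required). The management host 192.168.2.45, the SSH/HTTP ports and the rate values are hypothetical choices for the example, and -m conntrack --ctstate is the current spelling of -m state --state.

```bash
#!/bin/bash
# Added example, not part of the original article: build a default-deny,
# stateful INPUT chain in an order that cannot lock out the administrator.
# Run it as-is to print the commands; MODE=apply runs them (root required).
# Management host, ports and rates are hypothetical values for the example.

IPT=${IPT:-iptables}    # iptables binary (override for iptables-legacy etc.)
MODE=${MODE:-print}     # print: show the commands; apply: execute them

# run: execute the iptables command, or print it verbatim in print mode.
run() {
    if [ "$MODE" = apply ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# build_input_rules MGMT_HOST WEB_RATE
# Emits the rules in dependency order; the policy is switched to DROP last.
build_input_rules() {
    mgmt_host=$1
    web_rate=$2

    # 1. Keep the policy ACCEPT while the chain is rebuilt: flushing a
    #    chain whose policy is already DROP kills the current SSH session.
    run -P INPUT ACCEPT
    run -F INPUT

    # 2. Loopback and tracked traffic first. Every rule after this point
    #    only has to decide about NEW connections.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. SSH only from the management host.
    run -A INPUT -p tcp -s "$mgmt_host" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # 4. Web: limit connection attempts (--syn), not packets. The limited
    #    ACCEPT must precede the DROP, with no unconditional ACCEPT for the
    #    port in front of it, or the limit is never consulted.
    run -A INPUT -p tcp --dport 80 --syn -m limit --limit "$web_rate" --limit-burst 100 -j ACCEPT
    run -A INPUT -p tcp --dport 80 --syn -j DROP

    # 5. Echo requests only, rate-limited against ping floods.
    run -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # 6. Only now is it safe to make DROP the default.
    run -P INPUT DROP
}

build_input_rules 192.168.2.45 100/s
```

Before running it with MODE=apply over SSH, compare the printed list against your own source address and port; the ESTABLISHED,RELATED rule keeps the current session alive across the policy change, but a new session from an address other than the management host will be refused afterwards.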


5) TOS matching extension.


Fourth, target extensions

Target extensions (the -j targets beyond the built-in ACCEPT, DROP, RETURN and jumps to user-defined chains) are implemented as kernel modules, and each optional extension adds its own command-line options to iptables.

========================================================

#!/bin/bash

# Flush all rules and install a default-deny policy for INPUT.
# Keep the policy at ACCEPT while the chain is rebuilt and switch it to
# DROP only at the end, so a remote session is not cut off halfway.
iptables -t filter -P INPUT ACCEPT
iptables -F

# Make sure this host can keep using the connections it already has
# (replies to its own outgoing connections, and related connections).
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 80 with a rate limit. The limit rule must come before the
# DROP rule, and there must be no unconditional ACCEPT for port 80 in
# front of it, otherwise the limit is never consulted.
iptables -A INPUT -p tcp -s 0/0 --dport 80 -m limit --limit 800/s -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j DROP

# Open SSH (port 22) only for 192.168.2.45.
iptables -t filter -A INPUT -s 192.168.2.45 -p tcp --dport 22 -j ACCEPT
# An explicit drop for everyone else is optional; the DROP policy covers it:
# iptables -t filter -A INPUT ! -s 192.168.2.45 -p tcp --dport 22 -j DROP

# Open the ICMP protocol for all hosts.
iptables -t filter -A INPUT -p icmp -j ACCEPT

# Everything not accepted above is dropped.
iptables -t filter -P INPUT DROP

=======================================================



Sometimes the gateway's external address is dynamic and not known in advance when it connects to the Internet, for example over ADSL. In that case use MASQUERADE instead of SNAT: it always uses whatever address the outgoing interface currently has. The MASQUERADE target is only valid in the POSTROUTING chain of the nat table, and IP forwarding must be enabled on the gateway (net.ipv4.ip_forward = 1) for LAN traffic to be forwarded at all. Adding -o with the external interface name (for example ppp0) restricts masquerading to that interface.

# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE


To be continued.


This article is from the mifan6 blog on 51CTO; please keep this source: http://mifan6.blog.51cto.com/9954601/1713064
