IPtables 3: explicit extension rules

Source: Internet
Author: User
Tags: ftp connection

The first two articles: IPtables II: Basic Rule Writing; IPtables: Basic Concepts

To see the difference between explicit and implicit extensions, first compare the following two rules:
Rule 1: iptables -t filter -A INPUT -s 192.168.1.0/24 -d 172.16.100.1 -p udp --dport 53 -j DROP
Rule 2: iptables -t filter -A INPUT -s 192.168.1.0/24 -d 172.16.100.1 -p udp -m udp --dport 53 -j DROP
Compared with rule 1, rule 2 uses the -m option to load the udp match extension explicitly, and that extension then matches destination port 53.
With an implicit extension no -m option is needed: -p tcp makes the tcp options available (flags, source port and destination port); -p udp makes the udp source and destination ports available; -p icmp allows matching on the icmp packet type, such as echo-request and echo-reply.
Some common explicit extensions are described below:
 
Explicit extension 1, state: connection state
-m state --state {NEW|ESTABLISHED|RELATED|INVALID}
As mentioned in the first post, packet-filtering firewalls can be divided into "stateful inspection" and "simple packet filtering".
The following shows how to use iptables for stateful packet filtering.
The state match describes a tcp connection as being in one of the following four states:
1. NEW
The first packet of a connection (for tcp, the first step of the three-way handshake), that is, a new request.
iptables -A OUTPUT -o eth0 -m state --state NEW -j DROP
Analysis of this rule: -m state loads the connection-state tracking module, and --state NEW matches packets that open a new connection (the first tcp handshake packet). The rule as a whole drops new connections leaving through the eth0 NIC. Note that it has no -p option, so as written it applies to every protocol; -p tcp would be needed to restrict it to tcp connections only.
2. ESTABLISHED
Once the reply to the first packet has been seen (the second handshake for tcp), the connection is established, and all further packets of that connection are in this state.
3. RELATED
A connection related to an existing one, such as the ftp data connection, which is otherwise very troublesome to filter alongside the ftp control connection.
4. INVALID
A packet that cannot be associated with any known connection.
Application case:
Combining the NEW and ESTABLISHED states gives the following rules:
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow new ssh connections from outside to the host, and the later packets of those connections
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow new web connections from outside to the host, and the later packets of those connections
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow the host to send ssh packets out only on connections that are already established
iptables -A OUTPUT -s 192.168.1.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow the host to send web packets out only on connections that are already established
iptables -P INPUT DROP
Drop all other incoming packets
iptables -P OUTPUT DROP
Drop all other outgoing packets
These rules suit a web server: users can only send ssh and web requests to the server, and the server itself cannot initiate any connection to the outside, which prevents it from being used as a stepping stone by an attacker. Because the OUTPUT rules allow no NEW state, the host's own outbound lookups (DNS, for example) are dropped as well, and loopback traffic is not covered by any rule, so an ACCEPT for -i lo and -o lo is normally added alongside this policy.
Explicit extension 2, multiport: multi-port matching
-m multiport (the older module name mport is obsolete)
--source-ports
--destination-ports
--ports
This extension matches several non-contiguous ports in one rule. Here the rules of the case above are rewritten with it to illustrate its use (multiport requires -p tcp or -p udp):
iptables -A INPUT -d 192.168.1.1 -p tcp -m multiport --destination-ports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.1 -p tcp -m multiport --source-ports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Several ports can be given in one rule, separated by commas with no spaces.
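The following script is an added example and not code from the original post. It combines the application case above with its multiport rewrite into one reproducible policy. It assumes the host address 192.168.1.1 and the ports 22,80,443 from the post, uses the current module name multiport with the short option forms --dports/--sports, and defaults the IPT variable to echo so that running it only prints the rules; the two loopback rules are an assumed addition that the post does not contain.

```shell
#!/bin/sh
# Added example, not code from the original post: the stateful web-server
# policy of the application case, rewritten with multiport, as one script.
# IPT defaults to "echo", so running the script only prints the rules;
# run it as root with IPT=iptables to apply them for real.
IPT="${IPT:-echo}"
HOST_IP="${HOST_IP:-192.168.1.1}"   # sample address taken from the post
PORTS="${PORTS:-22,80,443}"         # services this host is allowed to serve

# Emit (or apply) the whole policy.  Chains are scanned top to bottom and
# the first matching rule decides; the chain policy applies only to packets
# that no rule matched.
apply_policy() {
    # Flush the filter table so repeated runs do not stack duplicate rules.
    $IPT -F
    # Inbound: the first packet of a client's connection (NEW) and every
    # later packet of a tracked connection (ESTABLISHED), served ports only.
    # multiport needs -p tcp or -p udp; --dports is short for
    # --destination-ports.
    $IPT -A INPUT -d "$HOST_IP" -p tcp -m multiport --dports "$PORTS" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Outbound: only replies on connections a client opened.  NEW is
    # deliberately absent, so the host can never initiate a connection.
    $IPT -A OUTPUT -s "$HOST_IP" -p tcp -m multiport --sports "$PORTS" \
        -m state --state ESTABLISHED -j ACCEPT
    # Loopback is not covered by the rules above, and a DROP policy would
    # break local services talking to 127.0.0.1.  These two rules are an
    # assumed addition; the post does not include them.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Everything not accepted above is dropped by the chain policies.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
}

# Number of iptables invocations the policy makes.  Only meaningful in the
# default dry-run (echo) mode, where each invocation prints one line.
rule_count() {
    apply_policy | wc -l | tr -d ' '
}

apply_policy
```

Run it as `IPT=iptables sh policy.sh` as root to apply the rules; afterwards `iptables -L -n -v` lists the chains with per-rule packet counters, which confirms that client traffic is hitting the INPUT ACCEPT rule rather than the DROP policy.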
 
Explicit extension 3, iprange: multi-IP matching
-m iprange
--src-range
--dst-range
A simple example:
iptables -A INPUT -d 192.168.1.1 -m iprange --src-range 192.168.0.1-192.168.0.100 -p tcp --dport 80 -j DROP
Hosts in the range 192.168.0.1-192.168.0.100 are denied access to the web service on 192.168.1.1.
 
Explicit extension 4, connlimit: limit the number of concurrent connections
-m connlimit
--connlimit-above n
 
Explicit extension 5, limit: rate limiting
-m limit
--limit rate (the average rate, e.g. 10/second)
--limit-burst number (how many packets may pass at once before the average rate applies)
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m limit --limit 10/second --limit-burst 30 -j ACCEPT
This rule accepts on average 10 packets per second, with a burst of up to 30 packets. Packets beyond the limit simply do not match this rule; they are not dropped by it, so a following DROP rule (or a DROP chain policy) is needed for the limit to have any effect.
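As an added example, not code from the original post, the script below writes the limit rule as the ACCEPT/DROP pair it needs to be effective, and includes a small token-bucket model that shows what --limit and --limit-burst mean. It assumes the post's values (192.168.1.1, port 80, 10/second, burst 30) and, as in the previous example, an IPT variable that defaults to echo for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: the limit match used as a
# pair of rules.  The post's single ACCEPT rule only matches packets within
# the limit; packets above it are not dropped by that rule but fall through
# to whatever follows, so an explicit DROP rule must come next.
# IPT defaults to "echo" (dry run); HOST_IP is the post's sample address.
IPT="${IPT:-echo}"
HOST_IP="${HOST_IP:-192.168.1.1}"

# Emit the ACCEPT/DROP pair for one tcp port.  Defaults are the post's
# values: 10 packets per second sustained, burst of 30.
limit_port() {
    port="$1"; rate="${2:-10/second}"; burst="${3:-30}"
    $IPT -A INPUT -d "$HOST_IP" -p tcp --dport "$port" \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    # Without this rule the excess packets would be handled by later rules
    # or by the chain policy instead of being dropped here.
    $IPT -A INPUT -d "$HOST_IP" -p tcp --dport "$port" -j DROP
}

# Token-bucket model of the limit match, to show what burst and rate mean.
# The bucket starts full with BURST tokens and refills at RATE tokens per
# second (modelled per whole second here; the kernel refills continuously).
# Arguments after RATE and BURST are packet arrival times in whole seconds,
# non-decreasing.  Prints how many of those packets the limit rule matches.
simulate_limit() {
    rate="$1"; burst="$2"; shift 2
    tokens="$burst"; last=0; passed=0
    for t in "$@"; do
        # Refill for the time elapsed since the previous packet, capped at
        # the bucket size: unused allowance never grows beyond BURST.
        tokens=$(( tokens + (t - last) * rate ))
        [ "$tokens" -gt "$burst" ] && tokens="$burst"
        last="$t"
        # A packet matches only if a token is available.
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 ))
            passed=$(( passed + 1 ))
        fi
    done
    echo "$passed"
}

limit_port 80
```

Feeding simulate_limit 32 packets that all arrive in the same second with rate 10 and burst 30 reports 30: the burst is spent at once and afterwards only 10 packets per second are accepted, which is why --limit-burst is a packet count rather than a rate.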
 
Explicit extension 6, time: time-based matching
-m time
--timestart
--timestop
--days
--datestart
--datestop
Compare the following two rules to understand what these options mean (current versions of the time module write dates as YYYY-MM-DDThh:mm:ss and use --weekdays instead of --days; older versions wrote YYYY:MM:DD:hh:mm:ss; times are interpreted as UTC unless --kerneltz is given):
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m time --datestart 2012-07-20T08:30:00 --datestop 2012-07-20T14:30:00 -j ACCEPT
Allow access to the local web service only between 08:30:00 and 14:30:00 on 2012-07-20, the date and time range given by --datestart and --datestop.
iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -m time --timestart 08:30:00 --timestop 14:30:00 -j ACCEPT
Allow access to the local web service between 08:30:00 and 14:30:00 on every day, since only the time of day is restricted and no date range is given.
 
Explicit extension 7, string: string matching (matching of Chinese characters is limited)
-m string
--algo bm|kmp   select the string-matching algorithm (Boyer-Moore or Knuth-Morris-Pratt)
--string pattern
iptables -A OUTPUT -s 172.16.100.1 -p tcp --sport 80 -m string --algo kmp --string "baidu.com" -j DROP
All packets sent from port 80 of 172.16.100.1 whose payload contains "baidu.com" are dropped.

Author lustlost-lost in desire blog
