Syntax: iptables [-t TABLE] COMMAND CHAIN match-conditions -j TARGET
    -t TABLE: nat, mangle, raw or filter; defaults to filter

COMMANDs that act on a whole chain:
    -F: flush, empty the chain
        # iptables -t nat -F ==> clears the rules in every chain of the nat table
    -Z: zero the packet and byte counters
    -P: policy, set the default policy of a built-in chain, normally ACCEPT or DROP
        # iptables -t mangle -P FORWARD DROP ==> the FORWARD chain of the mangle table now drops by default
    -N: new, create a user-defined chain; it is only reached when a built-in chain jumps to it
        # iptables -N httpd ==> defines a custom chain named httpd in the filter table
    -E: rename a user-defined chain
        # iptables -E httpd http ==> the custom chain httpd in the filter table is now named http
    -X: delete a user-defined chain; it must be empty and referenced by no rule

COMMANDs that act on rules in a chain:
    -A: append a rule (it becomes the last rule of the chain)
    -I: insert a rule (by default it becomes the first rule of the chain)
    -D: delete a rule
    -R: replace a rule
        # iptables -D INPUT 2 ==> deletes the second rule of the INPUT chain

Query:
    -L: list the rules
    -n: numeric output; addresses and ports are shown as numbers, not resolved to host and service names
    -v: verbose; -vv and -vvv show more detail
    --line-numbers: show the rule numbers
    -x: exact, print the counters as exact values instead of converting them to K/M/G units
        # iptables -L -nvx ==> lists the rules of the filter table with exact counters
Match conditions:

Generic matches:
    -s ADDRESS: source address of the packet, either an IP or a network (172.16.0.0/16 or 172.16.0.0/255.255.0.0); prefix with ! to negate; long form --src, --source
    -d ADDRESS: destination address of the packet; --dst, --destination
    -p PROTOCOL: protocol of the packet, normally tcp, udp or icmp
    -i INTERFACE: interface the packet arrives on; usable in PREROUTING, INPUT and FORWARD
    -o INTERFACE: interface the packet leaves by; usable in OUTPUT, FORWARD and POSTROUTING

Extension matches: additional netfilter modules that implement special checks; the related module is selected with -m MODULE.

Implicit extensions: with -p {tcp|udp|icmp} the protocol's own options can be used directly, without naming the module.
    -p tcp [-m tcp]
        --sport PORT[:PORT]: source port or port range
        --dport PORT[:PORT]: destination port or port range
        --tcp-flags LIST1 LIST2: examine the flags in LIST1 (comma separated); those in LIST2 (comma separated) must be set and the others clear
            for example: --tcp-flags SYN,ACK,RST,FIN SYN ==> the same as --syn
            ALL ==> every flag; NONE ==> no flag
    -p udp [-m udp]
        --sport, --dport
    -p icmp [-m icmp]
        --icmp-type 0: echo-reply, the ping response; 8: echo-request, the ping request

With the default policy of the INPUT and OUTPUT chains of the filter table set to DROP, allow outgoing pings while outside hosts still cannot ping this host:
# iptables -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# iptables -I INPUT -p icmp --icmp-type 0 -j ACCEPT

Allow loopback traffic so that ping 127.0.0.1 works:
# iptables -I INPUT -i lo -j ACCEPT
# iptables -I OUTPUT -o lo -j ACCEPT

Explicit extensions: the module must be named with -m before its private options can be used; each module has one part in iptables and one part in netfilter.

(1) multiport: matches several ports, continuous or not, up to 15 per rule
    --source-ports, --sports PORT[,PORT,PORT]
    --destination-ports, --dports
    --ports
    Allow ports 22 and 80 in the INPUT and OUTPUT chains of the filter table:
    # iptables -I INPUT -d 172.16.2.1 -p tcp -m multiport --dports 22,80 -j ACCEPT
    # iptables -I OUTPUT -s 172.16.2.1 -p tcp -m multiport --sports 22,80 -j ACCEPT
(2) iprange: matches addresses in a given range; useful when the range is a contiguous block rather than a whole network
    [!] --src-range IP[-IP]
    [!] --dst-range IP[-IP]
    Allow the range 172.16.2.1-172.16.2.100 to reach the local port 23, in the INPUT and OUTPUT chains of the filter table:
    # iptables -A INPUT -d 172.16.2.1 -p tcp --dport 23 -m iprange --src-range 172.16.2.1-172.16.2.100 -j ACCEPT
    # iptables -A OUTPUT -s 172.16.2.1 -p tcp --sport 23 -m iprange --dst-range 172.16.2.1-172.16.2.100 -j ACCEPT

(3) string: matches a string in the application-layer payload of the packet, using an efficient string-search algorithm (KMP or BM)
    --algo {kmp|bm}
    --string "STRING"
    --hex-string "HEX_STRING": the string given in hexadecimal encoding
    Drop packets containing "admin" in the OUTPUT chain of the filter table:
    # iptables -I OUTPUT -m string --algo kmp --string "admin" -j DROP

(4) time: access control based on time
    --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
    --datestop
    --timestart hh:mm[:ss]
    --timestop hh:mm[:ss]
    --weekdays DAY[,DAY]: for example Mon, Tue, Thu, Fri
    In the INPUT chain of the filter table, reject traffic to the local port 80 from 10:00 to 18:00 on Tuesday through Sunday:
    # iptables -I INPUT -d 172.16.2.1 -p tcp --dport 80 -m time --timestart 10:00 --timestop 18:00 ! --weekdays Mon -j REJECT

(5) connlimit: limits the number of concurrent connections each client IP may hold
    [!] --connlimit-above N: more than N connections
    # iptables -A INPUT -d 172.16.100.7 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP

(6) limit: rate limiting
    --limit N[/second|/minute|/hour|/day] ==> let packets through at this steady rate
    --limit-burst N ==> size of the token bucket used after idle time; up to N packets pass at once when the bucket is full
    Limit ping requests to 20 per minute, with 5 responses at once after idle time (the measured counts differ a little from these values):
    # iptables -R INPUT 1 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT ==> replaces the first rule of the INPUT chain in the filter table, allowing ping requests
    # iptables -R OUTPUT 1 -p icmp --icmp-type 0 -j ACCEPT

(7) state: state check by connection tracking, for TCP as well as UDP; tracking every connection has a cost, so it cannot be enabled under very high request concurrency
    --state STATE: state of the packet in the connection tracking table
        NEW: the packet starts a new session
        ESTABLISHED: the packet belongs to an established connection (the netfilter connection tracking subsystem has seen packets in both directions of the connection, for example the acknowledgment packet of a TCP connection that has exchanged data)
        RELATED: a connection associated with an existing one
        INVALID: a packet that cannot be identified (a TCP FIN that arrives out of nowhere and belongs to no TCP session matches INVALID)
Connection tracking files:
    /proc/sys/net/nf_conntrack_max ==> maximum number of connections the tracking table can hold
    /proc/net/nf_conntrack ==> all connections currently being tracked
    /proc/sys/net/netfilter/ directory ==> tuning parameters for tracking the different protocols and connection types

Allowing passive-mode FTP:
    /lib/modules/2.6.32-504.el6.x86_64/kernel/net/netfilter/nf_conntrack ==> check whether the module is available here
    # rpm -ql iptables ==> lists the files installed by the iptables package
    # modprobe nf_conntrack_ftp ==> takes effect now, until reboot
    # vim /etc/sysconfig/iptables-config ==> set IPTABLES_MODULES="nf_conntrack_ftp" so the module is loaded permanently
    # lsmod ==> confirm that nf_conntrack_ftp is loaded
    # iptables -A INPUT -d 172.16.2.1 -p tcp --dport 21 -m state --state RELATED -j ACCEPT
    # iptables -R OUTPUT 1 -s 172.16.2.1 -m state --state ESTABLISHED,RELATED -j ACCEPT
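The filter-table rules from the notes above (loopback, ping, multiport, iprange, string, connlimit, limit and state) combined into a single ruleset, as an added example that is not part of the original notes. It is written in iptables-restore format so the whole policy loads atomically and in an order that works with a DROP default policy: loopback and conntrack accepts first, then the per-service rules. 172.16.2.1 and the 172.16.2.1-172.16.2.100 range are the notes' own sample values; putting the string check on inbound web traffic through the custom chain httpd is an assumption made here.

```shell
#!/bin/sh
# Added example, not part of the original notes: the filter-table rules from the
# notes combined into one iptables-restore ruleset, so they load atomically and
# in an order that works with a DROP default policy. 172.16.2.1 and the
# 172.16.2.1-172.16.2.100 range are the notes' sample values; routing inbound
# web traffic through the custom chain "httpd" for the string check is an
# assumption.
set -u

# gen_filter_rules HOST_IP: print the ruleset for the filter table
gen_filter_rules() {
    host="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:httpd - [0:0]
# loopback first, so 127.0.0.1 keeps working whatever follows
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets conntrack cannot place in any session (a stray FIN, for instance)
-A INPUT -m state --state INVALID -j DROP
# inspect web payloads before the generic conntrack accept, otherwise the
# string match never sees the data packets of established sessions
-A INPUT -p tcp --dport 80 -j httpd
-A httpd -m string --algo kmp --string "admin" -j DROP
# replies for sessions the host already accepted; one rule instead of a
# matching OUTPUT rule for every service
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ping requests at 20 per minute, 5 at once after idle time (limit module)
-A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
# more than 2 concurrent SSH connections from one address are dropped (connlimit)
-A INPUT -d $host -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
# new connections to 22 and 80 in a single rule (multiport)
-A INPUT -d $host -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
# telnet only from the address range (iprange)
-A INPUT -d $host -p tcp --dport 23 -m iprange --src-range 172.16.2.1-172.16.2.100 -m state --state NEW -j ACCEPT
# the host itself may open new outbound connections
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rule_order_ok HOST_IP: succeeds when the ESTABLISHED,RELATED accept comes
# before the first rule that admits NEW connections, so replies are not
# re-evaluated against every per-service rule
rule_order_ok() {
    est=$(gen_filter_rules "$1" | grep -n -- '--state ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    new=$(gen_filter_rules "$1" | grep -n -- '--state NEW' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# apply_filter_rules HOST_IP: parse first (--test), then load; a parse error
# leaves the running ruleset untouched
apply_filter_rules() {
    rule_order_ok "$1" || return 1
    gen_filter_rules "$1" | iptables-restore --test || return 1
    gen_filter_rules "$1" | iptables-restore
}

case "${1:-}" in
    apply) apply_filter_rules "${2:-172.16.2.1}" ;;
    *)     gen_filter_rules "${2:-172.16.2.1}" ;;
esac
```

Run it without arguments to print the ruleset for review, or as `sh filter.sh apply 172.16.2.1` (as root) to load it. Loading through iptables-restore avoids the window that a sequence of separate iptables commands leaves open, and the order check catches the common mistake of adding per-service rules before the conntrack accept.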
NAT: network address translation
    # vim /etc/sysctl.conf ==> set net.ipv4.ip_forward = 1 to turn on IP forwarding
    # sysctl -p ==> takes effect immediately
    Originally intended to hide the real IP address for safety; later used as a way to save public IPs.

SNAT: in POSTROUTING (and OUTPUT)
    --to-source SIP ==> the source address to rewrite to, for a fixed address
    MASQUERADE ==> picks a suitable address automatically, for dynamic (dial-up) addresses
    # iptables -t nat -R POSTROUTING 1 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to-source 172.16.2.2
    ==> when C3 accesses C1, the source address becomes 172.16.2.2; SNAT is applied on the client -> server path

DNAT: in PREROUTING
    --to-destination DIP
    # iptables -t nat -A PREROUTING -s 172.16.0.0/16 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.5
    ==> requests to the web service on C2 are forwarded to C3; DNAT is applied on the client -> server path

PNAT: port address translation
Full NAT: full address translation
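The SNAT and DNAT rules above combined into a gateway ruleset, as an added example that is not part of the original notes. It adds the FORWARD-chain rules that NAT needs but the notes do not show, and a check that IP forwarding is on before anything is loaded. 192.168.1.0/24 (internal network), 172.16.2.2 (gateway external address) and 192.168.1.5 (internal web server) are the notes' sample values; the interface name eth0 is an assumption, and the SNAT rule is generalised from the notes' port-80 rule to all traffic leaving the LAN.

```shell
#!/bin/sh
# Added example, not part of the original notes: the SNAT and DNAT rules from
# the notes as a gateway ruleset for iptables-restore, with the FORWARD rules
# that NAT needs. 192.168.1.0/24 (internal network), 172.16.2.2 (gateway
# external address) and 192.168.1.5 (internal web server) are the notes' sample
# values; the interface name eth0 is an assumption, and the SNAT rule is
# generalised from the notes' port-80 rule to all LAN traffic.
set -u

# snat_target EXT_IP: a fixed address uses SNAT; the word "dynamic" selects
# MASQUERADE, which takes the interface's current address (dial-up links)
snat_target() {
    if [ "$1" = "dynamic" ]; then
        echo "MASQUERADE"
    else
        echo "SNAT --to-source $1"
    fi
}

# gen_nat_rules EXT_IF EXT_IP LAN_NET WEB_IP: print the nat and filter tables
gen_nat_rules() {
    ext_if="$1"; ext_ip="$2"; lan="$3"; web="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: port 80 on the gateway's external side goes to the internal web server
-A PREROUTING -i $ext_if -p tcp --dport 80 -j DNAT --to-destination $web
# SNAT: traffic leaving the LAN takes the gateway's external address
-A POSTROUTING -s $lan -o $ext_if -j $(snat_target "$ext_ip")
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# address rewriting alone is not enough: the FORWARD chain decides whether the
# translated packets may cross the gateway at all (DNAT runs before FORWARD,
# so the web rule matches the internal address)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -o $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# forwarding_enabled: succeeds when net.ipv4.ip_forward is 1; without it the
# kernel discards packets that are not addressed to the gateway itself
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# apply_nat_rules EXT_IF EXT_IP LAN_NET WEB_IP: refuse to load when forwarding
# is off, parse with --test, then load atomically
apply_nat_rules() {
    forwarding_enabled || { echo "ip_forward is 0: set net.ipv4.ip_forward = 1 and run sysctl -p" >&2; return 1; }
    gen_nat_rules "$@" | iptables-restore --test || return 1
    gen_nat_rules "$@" | iptables-restore
}

case "${1:-}" in
    apply) shift; apply_nat_rules "$@" ;;
    *)     gen_nat_rules eth0 172.16.2.2 192.168.1.0/24 192.168.1.5 ;;
esac
```

Without arguments the script prints the ruleset with the notes' addresses; `sh nat.sh apply eth0 dynamic 192.168.1.0/24 192.168.1.5` (as root) loads the MASQUERADE variant for a gateway with a dynamic external address. The FORWARD policy is DROP, so only the translated flows and their replies cross the gateway.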
Iptables Basic Configuration