Iptables Basic Knowledge

Source: Internet
Author: User
Tags ssh server

The iptables firewall can be used to create packet filtering (filter) and NAT rules. Every Linux distribution ships iptables, so understanding how to configure it will help you manage your Linux firewall more effectively. If this is your first encounter with iptables it will look very complicated, but once you understand how it works you will find that it is actually very simple.

First, the structure of iptables: tables, chains and rules. Simply put, a table is made up of chains, and a chain is made up of rules (Figure: IPTables table, chain and rule structure).

I. IPTables tables and chains

IPTables has four built-in tables: filter, nat, mangle and raw.

1. Filter table
The filter table is the default table for iptables: if you do not specify a table, the filter table is used. It has the following three built-in chains:
    • INPUT chain – processes packets arriving from outside.
    • OUTPUT chain – processes packets sent outward.
    • FORWARD chain – processes packets forwarded to other NIC devices on this host.
2. NAT table
The nat table has three built-in chains:
    • PREROUTING chain – handles packets that have just arrived at the local host, before routing. It translates the destination IP address in the packet, which is typically used for DNAT (destination NAT).
    • POSTROUTING chain – handles packets that are about to leave the host. It translates the source IP address in the packet, which is typically used for SNAT (source NAT).
    • OUTPUT chain – handles packets generated by the local host.
3. Mangle table
The mangle table is used to specify how a packet is processed; for example, it can change the QoS bits in the TCP header. The mangle table has 5 built-in chains:
    • PREROUTING
    • OUTPUT
    • FORWARD
    • INPUT
    • POSTROUTING
4. Raw table
The raw table is used for handling exceptions and has 2 built-in chains:
    • PREROUTING chain
    • OUTPUT chain
5. Summary of the built-in tables (Figure: IPTables built-in tables)

II. IPTables rules

Keep in mind the following three points, which are the key to understanding iptables rules:
    • A rule consists of a condition and a target.
    • If the condition is met, the target (or the specific value given as the target) is executed.
    • If the condition is not met, the next rule is evaluated.
Target values
The following are the special values that you can specify as a target:
    • ACCEPT – the firewall accepts the packet
    • DROP – the firewall drops the packet
    • QUEUE – the firewall passes the packet to user space
    • RETURN – the firewall stops executing the subsequent rules in the current chain and returns to the calling chain.
If you run iptables --list you will see the rules currently loaded in the firewall. The following example shows a system with no firewall rules defined; you can see the default filter table and its default INPUT, FORWARD and OUTPUT chains.

# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

View the mangle table:
# iptables -t mangle --list

View the nat table:
# iptables -t nat --list

View the raw table:
# iptables -t raw --list

Note: if you do not specify the -t option, only the default filter table is shown. Therefore the following two forms of the command mean the same thing:
# iptables -t filter --list
(or)
# iptables --list

The following example shows rules in the INPUT, FORWARD and OUTPUT chains of the filter table:
# iptables --list
Chain INPUT (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target               prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

The above output contains the following fields:
    • num – the rule number within the specified chain
    • target – the target value described earlier
    • prot – protocol: tcp, udp, icmp, etc.
    • source – source IP address of the packet
    • destination – destination IP address of the packet
III. Clear all iptables rules

Before configuring iptables you usually need to check whether there are existing rules, using iptables --list or iptables-save, because sometimes the existing rules must be deleted first:
iptables --flush
or
iptables -F
These two commands are equivalent. But do not stop there: you still need to verify that the rules were really cleared, because on some Linux distributions this command does not clear the rules in the nat table, which then has to be flushed manually:
iptables -t nat -F

IV. Making the rules permanent

When you delete or add rules, the changes do not take effect permanently; the rules are most likely to be reset after the system restarts. How to make the configuration permanent depends on the platform. A brief introduction follows:

1. Ubuntu
First, save the existing rules:
iptables-save > /etc/iptables.rules
Then create a new bash script and save it in the /etc/network/if-pre-up.d/ directory:
#!/bin/bash
iptables-restore < /etc/iptables.rules
This way the iptables rules are loaded automatically after each system reboot. Note: do not attempt to run the above command from .bashrc or .profile, because the user is usually not root, and that would only load the iptables rules at login time.

2. CentOS, Red Hat
# save the iptables rules
service iptables save

# restart the iptables service
service iptables stop
service iptables start

View the current rules:
cat /etc/sysconfig/iptables

V. Appending iptables rules

You can use the iptables -A command to append a new rule; -A stands for Append, so the new rule is added to the end of the chain. In general, the last rule in a chain is used to drop (DROP) all packets. If you already have such a rule and use the -A parameter to add a new rule after it, the new rule is useless: it is never reached.

1. Syntax
iptables -A chain firewall-rule
    • -A chain – specifies the chain to append the rule to
    • firewall-rule – the specific rule parameters
2. Describing the basic parameters of a rule
The following rule parameters describe the protocol, source address, destination address, the network interface allowed, and how to handle the packet. These are the basic descriptions of a rule.

-p protocol
    • Specifies the protocol for the rule, such as tcp, udp, icmp and so on; all can be used to match all protocols.
    • If you do not specify the -p parameter, the default is all. This is not advisable; always specify the protocol name explicitly.
    • The protocol can be specified by name (such as tcp) or by number (such as 6 for tcp). See /etc/protocols for the mapping.
    • You can also use --protocol instead of -p.
-s source address
    • Specifies the source address of the packet.
    • The parameter may be an IP address, a network address or a host name.
    • Example: -s 192.168.1.101 specifies an IP address.
    • Example: -s 192.168.1.10/24 specifies a network address.
    • If you do not specify -s, all source addresses are matched.
    • You can also use --src or --source.
-d destination address
    • Specifies the destination address.
    • Parameter forms are the same as for -s.
    • You can also use --dst or --destination.
-j jump to target
    • -j stands for "jump to target".
    • -j specifies how packets are handled when they match the rule.
    • Possible values are ACCEPT, DROP, QUEUE and RETURN.
    • You can also specify another chain as the target.
-i input interface
    • -i stands for "input interface".
    • -i specifies which interface the packets to be processed arrive on.
    • These packets are about to enter the INPUT, FORWARD or PREROUTING chain.
    • Example: -i eth0 processes packets arriving via eth0.
    • If you do not specify -i, packets arriving on all interfaces are processed.
    • If ! -i eth0 appears, all packets arriving on an interface other than eth0 are processed.
    • If -i eth+ appears, all packets arriving on an interface whose name begins with eth are processed.
    • You can also use --in-interface.
-o output interface
    • -o stands for "output interface".
    • -o specifies which interface the packet leaves through.
    • These packets are about to enter the FORWARD, OUTPUT or POSTROUTING chain.
    • If you do not specify -o, all interfaces on the system can be the output interface.
    • If ! -o eth0 appears, packets leaving through an interface other than eth0 are matched.
    • If -o eth+ appears, only packets leaving through an interface whose name starts with eth are matched.
    • You can also use --out-interface.
3. Describing the extended parameters of a rule
After the basic description of the rule, sometimes we also want to specify the port, TCP flags, ICMP type and so on.

--sport source port, for -p tcp or -p udp
    • By default all ports are matched.
    • You can specify a port number or a service name, such as "--sport 22" or "--sport ssh".
    • The /etc/services file describes the mapping between the two.
    • In terms of performance, using port numbers is better.
    • Use a colon to match a port range, such as "--sport 22:100".
    • You can also use "--source-port".
--dport destination port, for -p tcp or -p udp
    • The parameters are the same as for --sport.
    • You can also use "--destination-port".
--tcp-flags TCP flags, for -p tcp
    • You can specify multiple flags separated by commas.
    • Valid values are: SYN, ACK, FIN, RST, URG, PSH.
    • You can also use ALL or NONE.
--icmp-type ICMP type, for -p icmp
    • --icmp-type 0 means Echo Reply.
    • --icmp-type 8 means Echo (request).
4. Complete example of appending rules: allow only the SSH service
The rules in this example only allow SSH packets to pass through the local host; all other connections (including ping) are rejected.

# 1. Clear all iptables rules
iptables -F

# 2. Accept packets with destination port 22
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# 3. Drop all other packets
iptables -A INPUT -j DROP
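Section V notes that a rule appended with -A after a catch-all DROP is never reached. As an added example, not from the original article, the following shell functions read rules in the format printed by iptables -S (or iptables-save) and report whether appending to a chain is still useful or whether the rule must be inserted in front with -I instead; the sample rule lines are constructed to match the example above.

```shell
#!/bin/sh
# Added example, not from the original article: before appending with -A,
# check whether the chain already ends in a catch-all DROP/REJECT, in which
# case the appended rule would never be reached. Input is one rule per line
# in the format produced by "iptables -S <chain>" or iptables-save.

# Constructed sample of "iptables -S INPUT" output for the example above.
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# Print the last rule appended to chain $1 (rules on stdin); fail if none.
last_rule() {
  awk -v chain="$1" '$1 == "-A" && $2 == chain { last = $0 }
                     END { if (last == "") exit 1; print last }'
}

# Succeed if the last rule of chain $1 is an unconditional DROP or REJECT,
# i.e. there are no match options between the chain name and -j.
ends_in_catchall() {
  last_rule "$1" | grep -Eq '^-A [^ ]+ -j (DROP|REJECT)( |$)'
}

# Print "append" or "insert" for chain $1 given the rule text $2: appending
# after a catch-all terminator is pointless, so a reachable rule has to be
# inserted ahead of it with -I instead of -A.
append_advice() {
  if printf '%s\n' "$2" | ends_in_catchall "$1"; then
    echo "insert"
  else
    echo "append"
  fi
}

# Demo with the constructed sample: the INPUT chain ends in "-j DROP".
echo "INPUT: $(append_advice INPUT "$SAMPLE_INPUT")"
```

On a live system the rule text comes from `iptables -S INPUT` run as root; the chain's policy line (-P) is ignored by the check.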

VI. Changing the default policy

The previous example only filtered received packets and placed no limit on sent packets. This section mainly describes how to change the chain policy in order to change the behaviour of a chain.

1. Default chain policy
/!\ Warning: do not test this on a remotely connected server or virtual machine!
When we use the -L option to check the current rules, every chain has a "policy ACCEPT" annotation next to it, which indicates that the chain's default policy is ACCEPT:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In this case, if you do not explicitly add a DROP rule, packets are accepted by the default ACCEPT policy. Unless:
a) you add a DROP rule separately to each of the three chains above:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
b) or you change the default policy:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Bad!! If you configured iptables exactly as in the example in the previous section and you are connected over SSH right now, the session has probably been forcibly terminated! Why? Because we changed the OUTPUT chain policy to DROP. At this point the server can still receive data but cannot send any:
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination

VII. Configuring application rules

Although section V.4 already described how to restrict connections other than SSH, that was done with a chain default policy of ACCEPT and without restricting output packets. Building on the previous section, this section takes the ports used by SSH and HTTP as examples to show how to set up the firewall when the default chain policy is DROP. Here we introduce a new parameter, -m state, which checks the connection state of the packet.

1. SSH
# 1. Allow SSH requests from remote hosts to be received
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# 2. Allow the local host's SSH responses to be sent
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

    • -m state: enables the state matching module.
    • --state: the parameter of the state matching module. When the first packet from the SSH client arrives at the server its state is NEW; once the connection has been established, the state of its packets is ESTABLISHED.
    • --sport 22: sshd listens on port 22 and also exchanges data with the client through that port, so for the SSH server the source port is 22.
    • --dport 22: the SSH client program connects from a random local port to port 22 on the SSH server, so for the SSH client the destination port is 22.
If the server also needs to use SSH to connect to other remote hosts, you also need to add the following configuration:
# 1. Packets sent to destination port 22
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# 2. Packets received from source port 22
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

2. HTTP
The HTTP configuration is similar to SSH:
# 1. Allow HTTP requests from remote hosts to be received
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# 2. Allow the local host's HTTP responses to be sent
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

3. Complete configuration
# 1. Delete existing rules
iptables -F

# 2. Configure the default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow SSH connections from remote hosts
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 4. Allow the local host to make SSH connections
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow HTTP requests
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
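As an added example, not from the original article, the following script writes the complete configuration above in the iptables-restore file format that section IV's iptables-save/iptables-restore pair uses, and loads it behind a rollback timer so that the SSH lock-out described in section VI is undone automatically if the operator does not confirm the new rules. The interface name eth0 and ports 22/80 come from the article; the backup path, PID file and timer length are this example's assumptions.

```shell
#!/bin/bash
# Added example, not from the original article: emit the complete
# configuration in iptables-restore format and apply it with a rollback
# timer. Assumptions: interface eth0, SSH on 22, HTTP on 80 (as in the
# article); backup path, PID file and timer length are placeholders.
IFACE="${IFACE:-eth0}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"     # path used in section IV
BACKUP_FILE="${BACKUP_FILE:-/tmp/iptables.backup}"  # assumed location
PID_FILE="${PID_FILE:-/tmp/iptables.rollback.pid}"  # assumed location
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Print the ruleset. ":CHAIN POLICY [pkts:bytes]" sets a chain's default
# policy, "COMMIT" ends the table, and rule lines use the -A syntax above.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT  -i $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT  -i $IFACE -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT  -i $IFACE -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $IFACE -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of -A rules the file would install (sanity check before applying).
count_rules() { gen_rules | grep -c '^-A '; }

# Apply with a safety net: parse-check the file, save the running rules,
# schedule their restoration in the background, then load the new set.
# The operator kills the timer once the SSH session is confirmed to work.
apply_with_rollback() {
  command -v iptables-restore >/dev/null || { echo "iptables-restore not found" >&2; return 1; }
  gen_rules > "$RULES_FILE"
  iptables-restore --test < "$RULES_FILE" || return 1   # parse only, installs nothing
  iptables-save > "$BACKUP_FILE"
  ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP_FILE" ) &
  echo "$!" > "$PID_FILE"
  iptables-restore < "$RULES_FILE"
  echo "Loaded $(count_rules) rules; run: kill \$(cat $PID_FILE) within ${ROLLBACK_SECS}s to keep them"
}

if [ "${1:-}" = "apply" ]; then apply_with_rollback; fi
```

Run it as root with the argument apply; without it the script only defines the functions, and gen_rules can be redirected into /etc/iptables.rules for the section IV boot-time restore.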
