Iptables command usage

Source: Internet
Author: User
Tags ftp connection

Syntax: iptables [-t table] command [match] [-j target/jump]

-t table selects the rule table. There are three built-in rule tables: nat, mangle, and filter. If no table is specified, filter is assumed. The tables have the following functions:

nat: This table has two rule chains, PREROUTING and POSTROUTING. Its job is one-to-one, one-to-many, and many-to-many address translation (SNAT, DNAT). It is not used for anything other than address translation.

mangle: This table has three rule chains: PREROUTING, FORWARD, and POSTROUTING. Besides address translation, some special applications need to rewrite packet fields (TTL, TOS) or set a MARK on packets; such work must be defined in the mangle table. Because it is rarely needed, mangle is not discussed further here.

filter: This is the default table and has three rule chains: INPUT, FORWARD, and OUTPUT. As its name suggests, it filters packets (for example DROP, LOG, ACCEPT, or REJECT). The basic rules are created in this table.

Commands:

-A, --append
  Example: iptables -A INPUT ...
  Appends a rule to a chain; it becomes the last rule in that chain.

-D, --delete
  Examples: iptables -D INPUT -p tcp --dport 80 -j DROP
            iptables -D INPUT 1
  Deletes a rule from a chain. You can either enter the complete rule or give its rule number.

-R, --replace
  Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
  Replaces the rule at the given position. The order of the other rules is unchanged.

-I, --insert
  Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
  Inserts a rule at the given position; the rule previously at that position, and those after it, move back by one.
-L, --list
  Example 1: iptables -L INPUT   lists all rules in the INPUT chain.
  Example 2: iptables -t nat -L   lists all rules in all chains of the nat table.

-F, --flush
  Example: iptables -F INPUT
  Deletes all rules of the INPUT chain in the filter table.

-Z, --zero
  Example: iptables -Z INPUT
  Resets the packet counters to zero. The counters count how many packets matched each rule and are an indispensable tool when filtering out attacks.

-N, --new-chain
  Example: iptables -N allowed
  Defines a new (user-defined) rule chain.

-X, --delete-chain
  Example: iptables -X allowed
  Deletes a user-defined rule chain.

-P, --policy
  Example: iptables -P INPUT DROP
  Sets the chain policy, that is, the default action for packets that match none of the rules in the chain.

-E, --rename-chain
  Example: iptables -E allowed disallowed
  Renames a user-defined rule chain.

[match] common packet matching parameters:

-p, --protocol
  Example: iptables -A INPUT -p tcp
  Matches the protocol type of the packet. The ! operator inverts the match: -p ! tcp matches every protocol except tcp, such as udp or icmp. To match all protocols use the keyword all, for example -p all.

-s, --src, --source
  Example: iptables -A INPUT -s 192.168.1.1
  Matches the source IP address of the packet. This can be a single host or a network; for a network, give the prefix length as the subnet mask, for example -s 192.168.0.0/24. The ! operator inverts the match, for example -s ! 192.168.0.0/24.

-d, --dst, --destination
  Example: iptables -A INPUT -d 192.168.1.1
  Matches the destination IP address of the packet, set the same way as -s.
-i, --in-interface
  Example: iptables -A INPUT -i eth0
  Matches the network interface the packet arrived on. The wildcard + matches many interfaces at once, for example -i eth+ matches all Ethernet interfaces. The ! operator inverts the match: -i ! eth0.

-o, --out-interface
  Example: iptables -A FORWARD -o eth0
  Matches the network interface the packet will leave through. Set it the same way as -i.

--sport, --source-port
  Example: iptables -A INPUT -p tcp --sport 22
  Matches the source port of the packet. It can be a single port or a range: --sport 22:80 matches ports 22 through 80. To match several non-contiguous ports use the multiport match (see below). The ! operator inverts the match.

--dport, --destination-port
  Example: iptables -A INPUT -p tcp --dport 22
  Matches the destination port of the packet. Set it the same way as --sport.

--tcp-flags
  Example: iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
  Takes two comma-separated lists: the first lists the flags to examine, the second lists which of those must be set; flags in the first list but not in the second must be clear. The TCP flags are SYN (synchronize), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push); the keywords ALL and NONE can also be used. The ! operator inverts the match.

--syn
  Example: iptables -p tcp --syn
  Matches TCP packets with the SYN bit set and the ACK and FIN bits clear, that is, the first packet of a TCP connection. It is exactly equivalent to iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. Inverting it with ! --syn matches packets that are not connection requests.

-m multiport --source-ports
  Example: iptables -A INPUT -p tcp -m multiport --source-ports 80,110
  Matches several non-contiguous source ports at once; at most 15 ports can be given. The ! operator inverts the match.

-m multiport --destination-ports
  Example: iptables -A INPUT -p tcp -m multiport --destination-ports 80,110
  Matches several non-contiguous destination ports at once, set the same way as --source-ports.

-m multiport --ports
  Example: iptables -A INPUT -p tcp -m multiport --ports 80,110
  A special form that matches packets whose source port and destination port are the same and both in the list. Set it the same way as above. Note: in this example a packet with source port 80 and destination port 110 does not match.

--icmp-type
  Example: iptables -A INPUT -p icmp --icmp-type 8
  Matches the ICMP type, given by name or by number. Run iptables -p icmp --help to list the available type names.

-m limit --limit
  Example: iptables -A INPUT -m limit --limit 3/hour
  Matches the average rate of packets over a period of time. The example matches as long as the average does not exceed three packets per hour. Besides /hour, the unit can be /second, /minute, or /day; the default is per hour. Once the rate is exceeded the rule stops matching, which is what makes this match useful for keeping a service alive under flood-style attacks.
--limit-burst
  Example: iptables -A INPUT -m limit --limit-burst 5
  Sets how many packets may match in a single burst before the --limit rate applies. The example allows a burst of five packets (which is the default); packets beyond the burst are no longer matched by the rule. It is used together with --limit.

-m mac --mac-source
  Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
  Matches the hardware (MAC) address of the interface the packet came from. It cannot be used in the OUTPUT and POSTROUTING chains, because the destination MAC address is only resolved by the NIC driver through ARP when the packet is handed to the network card; at matching time iptables does not yet know which interface the packet will leave through.

-m mark --mark
  Example: iptables -t mangle -A INPUT -m mark --mark 1
  Matches packets that carry a specific mark number. A mark is set on a packet with the MARK target once the packet matches a rule. The mark number cannot exceed 4294967296.

-m owner --uid-owner
  Example: iptables -A OUTPUT -m owner --uid-owner 500
  Matches locally generated packets created by a specific user. This can stop the server from sending out sensitive data under root or another identity and limits the damage if the system is compromised. Unfortunately it cannot match packets from other hosts.

-m owner --gid-owner
  Example: iptables -A OUTPUT -m owner --gid-owner 0
  Matches locally generated packets created by a specific group; used the same way as --uid-owner.
-m owner --pid-owner
  Example: iptables -A OUTPUT -m owner --pid-owner 78
  Matches locally generated packets created by a specific process; used the same way as --uid-owner.

-m owner --sid-owner
  Example: iptables -A OUTPUT -m owner --sid-owner 100
  Matches locally generated packets belonging to a specific session (session ID).

-m state --state
  Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
  Matches the connection-tracking state of the packet. There are four states: INVALID, ESTABLISHED, NEW, and RELATED. INVALID means the packet cannot be associated with any known connection or is malformed. ESTABLISHED means the packet belongs to a connection that has already been established. NEW means the packet is starting a new connection (or resetting or redirecting one). RELATED means the packet starts a new connection that is related to an existing one; for example, an FTP-DATA connection must come from an existing FTP control connection.

[-j target/jump] common processing actions:

The -j parameter specifies the action to take on a matching packet. Common actions are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, and MARK:

ACCEPT: Let the packet through. No further rules in this chain are matched; processing jumps directly to the next rule chain (nat:POSTROUTING).

REJECT: Block the packet and send a notification to the sender. The notification can be an ICMP port-unreachable, an ICMP echo-reply, or a tcp-reset (which asks the other side to close the connection). After this action no other rules are matched; filtering stops.
  Example: iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset

DROP: Discard the packet silently. Filtering stops; no other rules are matched.

REDIRECT: Redirect the packet to another port (PNAT). Other rules continue to be matched afterwards. This is used for transparent proxies or to protect web servers.
  Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

MASQUERADE: Rewrite the source IP address of the packet to the IP address of the firewall's outgoing interface; a port range can be given. Afterwards processing jumps directly to the next rule chain (mangle:POSTROUTING). It differs slightly from SNAT in that you do not specify the address to masquerade as; it is read from the interface. This is especially useful for dial-up connections, where the ISP's DHCP server assigns the address.
  Example: iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000

LOG: Record information about the packet under /var/log; see the /etc/syslog.conf configuration file for details. Other rules continue to be matched afterwards.
  Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

SNAT: Rewrite the source IP address of the packet to a specific IP address or address range; a port range can be given. Afterwards processing jumps directly to the next rule chain (mangle:POSTROUTING).
  Example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

DNAT: Rewrite the destination IP address of the packet to a specific IP address or address range; a port range can be given. Afterwards processing jumps directly to the next rule chain (filter:INPUT or filter:FORWARD).
  Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100

MIRROR: Swap the source and destination IP addresses and send the packet back. Filtering stops after this action.

QUEUE: Stop filtering, put the packet in a queue and hand it to a user-space program. Custom programs can then implement other applications, such as connection accounting.

RETURN: End filtering in the current chain and return to the calling chain to continue. If a user-defined chain is thought of as a subroutine, this action is an early return to the main program.

MARK: Mark the packet with a number that later rules can use as a matching criterion. Other rules continue to be matched afterwards.
  Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
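The matches (state, --syn, limit, multiport, icmp-type) and the nat targets (DNAT, MASQUERADE) described above come together in a complete ruleset. The script below is an added example, not from the original page: it writes the ruleset in iptables-restore format, so all rules are loaded atomically instead of one iptables call at a time, and checks the file before it goes near the kernel. WAN_IF, LAN_NET and WEB_BACKEND are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original page: emit an iptables-restore file
# that applies the filter and nat rules discussed above in one atomic load.
# WAN_IF, LAN_NET and WEB_BACKEND are assumed placeholder values.
WAN_IF="${WAN_IF:-eth0}"                    # assumed external NIC
LAN_NET="${LAN_NET:-192.168.0.0/24}"        # assumed internal network
WEB_BACKEND="${WEB_BACKEND:-192.168.0.10}"  # assumed internal web server
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -m limit --limit 6/minute --limit-burst 3 -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j LOGDROP
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_BACKEND -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A LOGDROP -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
-A LOGDROP -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
# Sanity check without touching the kernel: every *table is closed by COMMIT
# and every -j to a user chain has a matching ':NAME - [0:0]' declaration.
check_ruleset() {
    gen_ruleset | awk '
        /^\*/      { open++ }
        /^COMMIT$/ { closed++ }
        /^:/       { sub(/^:/, ""); chains[$1] = 1 }
        { for (i = 1; i < NF; i++) if ($i == "-j") jumps[$(i+1)] = 1 }
        END { if (open != closed) exit 1
              for (c in jumps) if (!(c in chains) && c !~ /^(ACCEPT|DROP|LOG|DNAT|MASQUERADE)$/) exit 1 }'
}
check_ruleset && echo "ruleset OK; apply with: gen_ruleset | iptables-restore"
```

The SSH rule pair shows the limit match in use: connection attempts under 6 per minute (burst 3) are accepted, and the rest fall through to the LOGDROP chain, which itself rate-limits its LOG lines so an attacker cannot fill the log.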
