Iptables detailed tutorial

Source: Internet
Author: User
Tags: ftp access, ftp protocol
2.1 Frame chart

The path a packet takes through the chains; under each chain are the tables that hook into it:

  --> PREROUTING --> [routing decision] --> FORWARD --> POSTROUTING -->
      mangle                |               mangle        mangle
      nat                   |               filter        nat
                            v                                ^
                          INPUT                           OUTPUT
                          mangle                          mangle
                          filter                          nat
                            |                             filter
                            v                                ^
                      local process -----------------------+
2.2 Chains and tables

Tables
filter: as the name suggests, used for filtering packets
nat: used for NAT (network address translation)

Chains
INPUT: in the filter table; matches packets whose destination IP address is the local machine
FORWARD: in the filter table; matches packets that pass through the local machine (routed, not addressed to it)
PREROUTING: in the nat table; used to modify the destination address (DNAT)
POSTROUTING: in the nat table; used to modify the source address (SNAT)

3.1 iptables syntax overview
iptables [-t <table>] <command> [<chain>] [<rule number>] [<matching conditions>] [-j <action>]

-t <table>: the table to operate on (filter when omitted)
<command>: the operation to perform (see 3.2)
<chain>: the chain to operate on
<rule number>: the position of the rule within the chain
<matching conditions>: see 3.3
-j <action>: what to do with a packet once it matches (see 3.4)

3.2 Command overview
Operation commands: -A, -I, -D, -R, -P, -F
View command: -L, with the modifiers -v, -n, -x
3.2.1 -A
-A <chain name>
Append: append a rule to the end of the chain

For example:
iptables -t filter -A INPUT -j DROP

Appends a rule (as the last rule) to the INPUT chain of the filter table.
It matches every packet addressed to one of the local machine's IP addresses and drops it.
3.2.2 -I
-I <chain name> [rule number]
Insert: insert a rule at the given position

For example:
iptables -I INPUT -j DROP
Inserts a rule into the INPUT chain of the filter table as rule 1

iptables -I INPUT 3 -j DROP
Inserts a rule into the INPUT chain of the filter table as rule 3

Note:
1. -t filter may be omitted; when no table is given, the filter table is used by default.
2. -I <chain name> [rule number]: if no rule number is given, the default is 1 (the head of the chain).
3. The rule number must be less than or equal to (number of existing rules + 1); otherwise an error is returned.
3.2.3 -D
-D <chain name> <rule number | rule specification>
Delete: delete a rule

For example:
iptables -D INPUT 3 (match by number)
Deletes the third rule in the INPUT chain of the filter table, whatever its content

iptables -D INPUT -s 192.168.0.1 -j DROP (match by content)
Deletes the rule "-s 192.168.0.1 -j DROP" from the INPUT chain of the filter table,
wherever it is located

Note:
1. If the chain contains several identical rules, deleting by content removes only the one with the lowest number.
2. When deleting by number, the number must be less than or equal to the number of existing rules; otherwise an error is returned.
3. When deleting by content, the rule must exist; otherwise an error is returned.

3.2.3 -R
-R <chain name> <rule number> <rule specification>
Replace: replace a rule

For example:
iptables -R INPUT 3 -j ACCEPT
Replaces the content of rule number 3 with "-j ACCEPT"

Note:
The rule number must be less than or equal to the number of existing rules; otherwise an error is returned.

3.2.4 -P
-P <chain name> <action>
Policy: set the default policy of a chain

For example:
iptables -P INPUT DROP
Sets the default policy of the INPUT chain of the filter table to DROP.

Note:
When a packet matches none of the rules in the chain, the default policy is applied to it.

3.2.5 -F
-F [chain name]
Flush: clear the rules

For example:
iptables -F INPUT
Clears all rules in the INPUT chain of the filter table

iptables -t nat -F PREROUTING
Clears all rules in the PREROUTING chain of the nat table

Note:
1. -F clears only the rules in the chain; it does not change the default policy set with -P.
2. Once -P has been set to DROP, use -F with great care: flushing removes every ACCEPT rule while the DROP policy stays in force.
3. If no chain name is given, all rules in all chains of the table are cleared.
3.2.6 -[vxn]L
-L [chain name]
List: list the rules

-v: verbose; shows details, including the number of packets and bytes matched by each rule
-x: exact; disables the automatic unit conversion (K, M) of the counters shown by -v
-n: numeric; shows IP addresses and port numbers only, without resolving host names and service names

For example:
iptables -L
Lists all chains and rules in the filter table in brief

iptables -t nat -vnL
Lists all rules of all chains in the nat table in detail, with numeric addresses and ports

iptables -t nat -vxnL PREROUTING
Lists all rules of the PREROUTING chain of the nat table in detail, with exact counters
3.3 Matching conditions
Inbound and outbound interfaces (-i and -o)
Source and destination addresses (-s and -d)
Protocol type (-p)
Source and destination ports (--sport and --dport)
3.3.1 Match by network interface
-i <interface the packet arrives on>
For example:
-i eth0
Matches packets that come in through the network interface eth0

-i ppp0
Matches packets that come in through the network interface ppp0

-o <interface the packet leaves through>
For example:
-o eth0
-o ppp0
3.3.2 Match by source or destination address
-s <source address to match>
Can be an IP address, a network, a domain name, or empty (any address)
For example:
-s 192.168.0.1 matches packets from 192.168.0.1
-s 192.168.1.0/24 matches packets from the 192.168.1.0/24 network
-s 192.168.0.0/16 matches packets from the 192.168.0.0/16 network

-d <destination address to match>
Can be an IP address, a network, a domain name, or empty
For example:
-d 202.106.0.20 matches packets destined for 202.106.0.20
-d 202.106.0.0/16 matches packets destined for the 202.106.0.0/16 network
-d www.abc.com matches packets destined for the host name www.abc.com (the name is resolved to its IP addresses when the rule is added, not per packet)

3.3.3 Match by protocol
-p <protocol type to match>
Can be tcp, udp, icmp, or empty
For example:
-p tcp
-p udp
-p icmp --icmp-type <type>
Ping request (echo-request): type 8; ping reply (echo-reply): type 0
3.3.4 Match by source or destination port
--sport <source port to match>
Can be a single port or a port range.
For example:
--sport 1000 matches packets whose source port is 1000
--sport 1000:3000 matches packets whose source port is 1000 to 3000 (inclusive)
--sport :3000 matches packets whose source port is 3000 or lower
--sport 1000: matches packets whose source port is 1000 or higher

--dport <destination port to match>
Can be a single port or a port range.
For example:
--dport 80 matches packets whose destination port is 80
--dport 6000:8000 matches packets whose destination port is 6000 to 8000 (inclusive)
--dport :3000 matches packets whose destination port is 3000 or lower
--dport 1000: matches packets whose destination port is 1000 or higher
Note: --sport and --dport must be used together with the -p parameter (tcp or udp).
3.3.5 Matching examples
1. Port matching
-p udp --dport 53
Matches UDP packets whose destination port is 53

2. Address matching
-s 10.1.0.0/24 -d 172.17.0.0/16
Matches all packets from 10.1.0.0/24 to 172.17.0.0/16

3. Combined port and address matching
-s 192.168.0.1 -d www.abc.com -p tcp --dport 80
Matches TCP packets from 192.168.0.1 to port 80 of www.abc.com

Note:
1. --sport and --dport must be used together with -p; the protocol type must be specified.
2. The more conditions a rule carries, the more specific the match and the smaller the set of packets it covers.
3.4 Actions (targets)
ACCEPT
DROP
SNAT
DNAT
MASQUERADE
3.4.1 -j ACCEPT
-j ACCEPT
Lets the packet pass through the chain without intercepting it
Like permit in a Cisco ACL

For example:
iptables -A INPUT -j ACCEPT
Allows all packets addressed to the local IP addresses to pass

3.4.2 -j DROP
-j DROP
Discards the packet so that it does not get through the chain
Like deny in a Cisco ACL

For example:
iptables -A FORWARD -s 192.168.80.39 -j DROP
Blocks packets whose source address is 192.168.80.39 from being forwarded through the local machine
3.4.3 -j SNAT
-j SNAT --to-source IP[-IP][:port-port] (POSTROUTING chain of the nat table)
Source address translation. SNAT can translate to a single IP address or to an address pool
(a group of consecutive IP addresses).
For example:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -j SNAT --to-source 1.1.1.1
Rewrites the source address of packets from the intranet 192.168.0.0/24 to 1.1.1.1 (NAT)

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \
  -j SNAT --to-source 1.1.1.1-1.1.1.10
Same as above, but the new source address is taken from the pool 1.1.1.1-1.1.1.10

3.4.4 -j DNAT
-j DNAT --to-destination IP[-IP][:port-port] (PREROUTING chain of the nat table)
Destination address translation. DNAT can translate to a single IP address or to an address pool
(a group of consecutive IP addresses).
For example:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.0.1
Rewrites the destination address of TCP port 80 packets arriving on ppp0 to 192.168.0.1

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 \
  -j DNAT --to-destination 192.168.0.2:80
Rewrites the destination of TCP port 81 packets arriving on ppp0 to 192.168.0.2, port 80

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.0.1-192.168.0.10
Rewrites the destination of TCP port 80 packets arriving on ppp0 to an address from the pool 192.168.0.1-192.168.0.10

3.4.5 -j MASQUERADE
-j MASQUERADE
Dynamic source address translation (used when the outbound interface has a dynamic IP address)

For example:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
Masquerades packets whose source address is in 192.168.0.0/24 behind the address of the outbound interface

3.5 Additional modules
Matching by packet state (state)
Matching by source MAC address (mac)
Matching by packet rate (limit)
Matching several ports at once (multiport)
3.5.1 state
-m state --state <state>[,<state>...]
States: NEW, RELATED, ESTABLISHED, INVALID
NEW: the first packet of a connection as seen by connection tracking; this is not the same thing as a TCP SYN
ESTABLISHED: a packet belonging to a connection that has already seen traffic in both directions
RELATED: a packet starting a connection derived from an existing one, as tracked by conntrack (for example an FTP data connection)
INVALID: a packet that cannot be associated with any known connection or state
For example:
iptables -A INPUT -m state --state RELATED,ESTABLISHED \
  -j ACCEPT

3.5.2 mac
-m mac --mac-source <MAC>
Matches the source MAC address

For example:
iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX \
  -j DROP
Blocks packets from the given MAC address from being forwarded through the local machine

Note:
MAC addresses are not routed: a packet carries the MAC address of its last hop only, so do not try to match the MAC address of a host on the far side of a router.

3.5.3 limit
-m limit --limit <rate> [--limit-burst <burst count>]
Matches packets up to a given rate
For example:
iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s \
  -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP

Note:
limit only matches packets up to the given rate; by itself it does not "limit" anything. The rate limit comes from the pair of rules above: packets within the rate are accepted, the rest fall through to the DROP rule.

3.5.4 multiport
-m multiport <--sports | --dports | --ports> port1[,port2,...,portN]
Matches several ports in one rule; --sports matches source ports, --dports destination ports, and --ports either one.

For example:
iptables -A INPUT -p tcp -m multiport --ports \
  110,22 -j ACCEPT

Note:
Must be used together with the -p parameter

4. Worked instances
Protecting a single server
Building a gateway
Restricting intranet users
Publishing an intranet server to the outside
The connection tracking module
4.1 Protecting a single server
Identify the services offered to the outside
Write the rules:
  handling of the loopback interface lo
  handling of connection state
  handling by protocol + port
Instance: a common web server
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
Note: make sure the rules are in the correct order, be clear about their logical relationship, and check the result with iptables -vnL at every step.
4.2 How to build a gateway
Clarify the network topology
Make sure the gateway itself can reach the Internet
Set up NAT:
  enable route forwarding
  masquerade the internal addresses with SNAT or MASQUERADE

Instance: ADSL dial-up network topology
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 \
  -j MASQUERADE

4.3 How to restrict intranet users
Filtering position: the FORWARD chain of the filter table
Matching conditions: -s, -d, -p, --sport/--dport
Actions: ACCEPT, DROP

Instance:
iptables -A FORWARD -s 192.168.0.3 -j DROP
iptables -A FORWARD -m mac --mac-source 11:22:33:44:55:66 \
  -j DROP
iptables -A FORWARD -d bbs.chinaunix.net -j DROP
4.4 How to publish an intranet server to the outside
What you need to know:
  service protocol (TCP/UDP)
  external service port
  private IP address of the internal server
  real service port on the internal server
Instance:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 \
  -j DNAT --to-destination 192.168.1.1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 81 \
  -j DNAT --to-destination 192.168.1.2:80
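Putting 4.2 and 4.4 together, an added example script (not the tutorial's own) for an ADSL gateway: it assumes the LAN 192.168.1.0/24 on eth0, the Internet on ppp0, and the two internal servers 192.168.1.1 and 192.168.1.2 listening on port 80. It also adds the FORWARD rules that the DNAT commands above need once the FORWARD policy is DROP, which the instance leaves out.

```shell
#!/bin/sh
# Added example, not from the tutorial: masquerade a LAN behind ppp0 and
# publish two internal web servers. Interfaces and addresses are assumptions.
# Run as root; set IPT=echo to preview the commands without a kernel change.
IPT=${IPT:-iptables}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1.0/24

enable_forwarding() {
    # Without this the kernel forwards nothing, whatever the FORWARD chain says.
    echo 1 > "$IP_FORWARD"
}

# publish <wan-port> <internal-ip> <internal-port>: the DNAT rule in
# nat/PREROUTING plus the FORWARD accept that the DNAT rule alone does not give.
publish() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$2" --dport "$3" \
        -m state --state NEW -j ACCEPT
}

gateway_rules() {
    $IPT -P FORWARD ACCEPT
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    # Replies for connections already tracked, in either direction.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # LAN hosts may open new connections towards the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    publish 80 192.168.1.1 80
    publish 81 192.168.1.2 80
    # Hide the LAN behind ppp0's dynamic address; POSTROUTING takes -o, never -i.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Whatever was not accepted above is dropped (the "allowing" pattern of 5.2).
    $IPT -P FORWARD DROP
}
```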
4.5 The connection tracking module
Why use the connection tracking module?
  how FTP transmission works
  what traditional firewalls do
How to use it
4.5.1 How FTP transmission works
Ports used:
  command (control) port
  data port

Transmission modes:
  active mode
  passive mode

Active mode
  client                                   server
  port xxxx  ---- control connection --->  port 21
  port yyyy  <--- data connection -------  port 20   (opened by the server)
           fw1                         fw2

Passive mode
  client                                   server
  port xxxx  ---- control connection --->  port 21
  port yyyy  ---- data connection ------>  port zzzz (opened by the client)
           fw1                         fw2
4.5.2 What traditional firewalls do
Allow only TCP/20 inbound, which works in active mode only
Open a range of high ports on the firewall
Configure the FTP service to narrow the passive-mode port range
4.5.3 How to use the connection tracking module
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state \
  RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
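The same ruleset for a current kernel, as an added example that is not from the tutorial: it assumes an FTP server on tcp/21 and uses the modern module names nf_conntrack_ftp and nf_nat_ftp together with the explicit CT helper assignment that kernels since 4.7 require (they no longer attach the helper automatically).

```shell
#!/bin/sh
# Added example, not the tutorial's own: FTP through a stateful firewall on a
# current kernel. The 2.4/2.6 modules ip_conntrack_ftp / ip_nat_ftp are now
# nf_conntrack_ftp / nf_nat_ftp, and the control connection must be tagged
# with the ftp helper in the raw table. Run as root or preview with IPT=echo.
IPT=${IPT:-iptables}
MODPROBE=${MODPROBE:-modprobe}
FTP_PORT=${FTP_PORT:-21}    # assumption: the server's control port

ftp_server_rules() {
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp      # only needed when the server sits behind NAT
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    $IPT -t raw -F PREROUTING
    # Attach the ftp helper to the control connection; the helper then reads
    # the PORT/PASV exchange and marks the data connection RELATED.
    $IPT -t raw -A PREROUTING -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$FTP_PORT" -m state --state NEW -j ACCEPT
    # Data connections (port 20 in active mode, a high port in passive mode)
    # arrive as RELATED, so no high-port range has to be opened.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -P INPUT DROP
}

# Ports the generated ruleset opens for NEW connections, taken from a dry run.
# Expected to list only the control port: passive-mode data ports never appear.
new_ports_opened() {
    (IPT=echo; MODPROBE=:; ftp_server_rules) | grep -- '--state NEW' |
        sed -n 's/.*--dport \([0-9]*\) .*/\1/p'
}
```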
5. Network management policy
What are you afraid of?
What can you do about it?
What to allow versus what to deny
Three "disciplines" and five "notes"
Other considerations
5.1 Required
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > \
  /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
5.2 Optional
Blocking (deny the listed ports, forward everything else):
iptables -A FORWARD -p tcp --dport XXX -j DROP
iptables -A FORWARD -p tcp --dport YYY:ZZZ -j DROP

Allowing (forward only the listed ports, deny everything else):
iptables -A FORWARD -p tcp --dport XXX -j ACCEPT
iptables -A FORWARD -p tcp --dport YYY:ZZZ -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
  -j ACCEPT
iptables -P FORWARD DROP
5.3 Three "disciplines" and five "notes"
The three "disciplines": use each table for its own job
  filter
  nat
  mangle

The five "notes": pay attention to the path a packet takes
  PREROUTING
  INPUT
  FORWARD
  OUTPUT
  POSTROUTING
5.4 Other considerations
Develop good habits:
iptables -vnL
iptables -t nat -vnL
iptables-save

Pay attention to the logical order:
iptables -A INPUT -p tcp --dport XXX -j ACCEPT
iptables -I INPUT -p tcp --dport YYY -j ACCEPT
(the rule added with -I lands in front of the rule added with -A, although it was issued later)

Learn to write simple scripts
6. FAQ 1
Q: I set iptables -A OUTPUT -d 202.xx -j DROP.
Why can intranet users still access that address?
A: The OUTPUT chain of the filter table is the path taken by traffic that originates on the local machine itself; forwarded intranet traffic does not pass through this chain.

Q: I added iptables -A FORWARD -d 202.xx -j DROP.
Why can intranet users still access that address?
A: Check the whole ruleset for a logic error: is there an ACCEPT rule before the DROP?

Q: iptables -t nat -A POSTROUTING -i eth1 -o eth2 -j MASQUERADE
Why does this statement report an error?
A: The POSTROUTING chain does not support the inbound-interface parameter -i.
Likewise, the PREROUTING chain does not support the outbound-interface parameter -o.
6. FAQ 2
Q: How can I see what a specific module does and how to use it?
A: iptables -m <module name> -h

Q: I ran iptables -A FORWARD -m xxx -j YYY
and got: iptables: No chain/target/match by that name
A: In the directory /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter,
the file for the match module xxx or for the target YYY is missing.
The files are named ipt_xxx.o / ipt_YYY.o (2.4 kernel) or ipt_xxx.ko / ipt_YYY.ko (2.6 kernel).

Q: After writing the script, intranet access works, but FTP is abnormal and directories cannot be listed. Why?
A: The module ip_nat_ftp is missing: modprobe ip_nat_ftp