Overview
    iptables -[ADC] chain rule-specification [options]   (-A append, -D delete, -C check)
    iptables -[RI] chain rulenum rule-specification [options]
    iptables -D chain rulenum [options]
    iptables -[LFZ] [chain] [options]
    iptables -[NX] chain
    iptables -P chain target [options]
    iptables -E old-chain-name new-chain-name

Description
    Iptables is used to set up, maintain, and inspect the IP packet filtering rules of the Linux kernel. Several different tables may be defined, each containing a number of built-in chains and possibly user-defined chains. Each chain is a list of rules which can match a set of packets; each rule specifies what to do with a packet that matches. This is called a "target", and may be a jump to a user-defined chain in the same table.

Targets
    A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next step is determined by the value of the target. The target can be the name of a user-defined chain, or one of the special values ACCEPT, DROP, QUEUE or RETURN. ACCEPT means let the packet through. DROP means drop the packet. QUEUE means pass the packet to userspace. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

Tables
    There are currently three tables (which tables are present at any time depends on the kernel configuration options and on which modules are present).
    -t, --table table
        This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt is made to load the appropriate module for that table if it is not already there.
    The tables are as follows:
    filter
        This is the default table. It contains the built-in chains INPUT (for packets coming into the host itself), FORWARD (for packets being routed through the host) and OUTPUT (for locally generated packets).
    nat
        This table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally generated packets before routing) and POSTROUTING (for altering packets as they are about to go out).
    mangle
        This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally generated packets before routing).

Options
    The options recognized by iptables can be divided into several different groups.

Commands
    These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, only enough letters to ensure that iptables can differentiate it from all other options need be used.
    -A, --append
        Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
    -D, --delete
        Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or as a rule to match.
    -R, --replace
        Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
    -I, --insert
        Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
    -L, --list
        List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.
    -F, --flush
        Flush the selected chain. This is equivalent to deleting all the rules one by one.
    -Z, --zero
        Zero the packet and byte counters in all chains. It may be used with -L to see the counters immediately before they are cleared (see above).
    -N, --new-chain
        Create a new user-defined chain by the given name. There must be no chain of that name already.
    -X, --delete-chain
        Delete the specified user-defined chain. There must be no references to the chain; if there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-built-in chain in the table.
    -P, --policy
        Set the policy for the chain to the given target. The target argument must be a valid target. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.
    -E, --rename-chain
        Rename the specified chain to the name given by the user. This is cosmetic and has no effect on the structure of the table.
    -h
        Help. Give a (currently very brief) description of the command syntax.

Parameters
    The following parameters make up a rule specification, as used in the add, delete, insert, replace, append and check commands.
    -p, --protocol [!] protocol
        The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value representing one of these or a different protocol. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all.
        Protocol all matches all protocols and is the default when this option is omitted. It can also be used together with the check command.
    -s, --source [!] address[/mask]
        Source specification. The address can be a host name, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1 bits at the left side of the network mask; thus a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.
    -d, --destination [!] address[/mask]
        Destination specification. See the description of the -s flag for a detailed description of the syntax. The flag --dst is an alias for this option.
    -j, --jump target
        This specifies the target of the rule, i.e. what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see Target extensions below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
    -i, --in-interface [!] [name]
        Optional name of an interface via which a packet is received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match any interface name.
    -o, --out-interface [!] [name]
        Optional name of an interface via which a packet is going to be sent (only for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match any interface name.
    [!] -f, --fragment
        This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or its ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the -f flag, the sense is inverted: the rule matches only head fragments or unfragmented packets.
    -c, --set-counters PKTS BYTES
        This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND and REPLACE operations).

Other options
    The following additional options can be specified:
    -v, --verbose
        Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS (Type of Service) masks. The packet and byte counters are also listed, with the suffix K, M or G for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.
    -n, --numeric
        Numeric output. IP addresses and port numbers are printed in numeric format. By default, the program tries to display them as host names, network names, or services (whenever applicable).
    -x, --exact
        Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K, M or G units. This option is only relevant for the -L command.
    --line-numbers
        When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

Match extensions
    iptables can use extended packet matching modules. The following are included in the base package, and most of them can be preceded by a "!" to invert the sense of the match.
    tcp
        These extensions are loaded if --protocol tcp is specified and no other match extension is specified. It provides the following options:
        --source-port [!] [port[:port]]
            Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first, they will be swapped. The flag --sport is an alias for this option.
        --destination-port [!] [port[:port]]
            Destination port or port range specification. The flag --dport is an alias for this option.
        --tcp-flags [!] mask comp
            Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. The flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
                iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
            will only match packets with the SYN flag set and the ACK, FIN and RST flags unset.
        [!] --syn
            Only match TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in on an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes "--syn", the sense of the option is inverted.
        --tcp-option [!] number
            Match if the given TCP option is set.
    udp
        These extensions are loaded if --protocol udp is specified and no other match extension is specified. It provides the following options:
        --source-port [!] [port[:port]]
            Source port or port range specification. See the description of the --source-port option of the TCP extension for details.
        --destination-port [!] [port[:port]]
            Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.
    icmp
        This extension is loaded if --protocol icmp is specified and no other match extension is specified. It provides the following option:
        --icmp-type [!] typename
            This allows specification of the ICMP type, which can be a numeric ICMP type or one of the ICMP type names shown by the command iptables -p icmp -h.
    mac
        --mac-source [!] address
            Match the source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
    limit
        This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached (unless the "!" flag is used). It can be used in combination with the LOG target to give limited logging, for example.
        --limit rate
            Maximum average matching rate: specified as a number, with an optional "/second", "/minute", "/hour" or "/day" suffix; the default is 3/hour.
        --limit-burst number
            Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
    multiport
        This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
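As an added illustration (not code from the man page), the shell functions below emulate the test that --tcp-flags mask comp performs, (packet flags AND mask) == comp, and show why --syn is the same as --tcp-flags SYN,RST,ACK SYN and how the inverted form used by example 18 further down this page behaves. The bit values are the TCP header flag bits and are only needed for the arithmetic.

```shell
# Emulation of the iptables "--tcp-flags MASK COMP" test (added example,
# not code from the man page). A packet matches when, of the flag bits named
# in MASK, exactly those named in COMP are set: (pkt & mask) == comp.

# flag_bit NAME -> the TCP header bit value of that flag (ALL/NONE as in iptables)
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ALL) echo 63 ;;
        NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_mask "SYN,ACK,FIN,RST" -> the OR of the listed flag bits
flags_to_mask() {
    mask=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        bit=$(flag_bit "$f") || return 1
        mask=$(( mask | bit ))
    done
    echo "$mask"
}

# tcp_flags_match MASK COMP PKTFLAGS -> exit 0 if a rule "--tcp-flags MASK COMP"
# would match a packet whose set flags are PKTFLAGS (comma-separated list)
tcp_flags_match() {
    mask=$(flags_to_mask "$1") || return 2
    comp=$(flags_to_mask "$2") || return 2
    pkt=$(flags_to_mask "$3") || return 2
    [ $(( pkt & mask )) -eq "$comp" ]
}

# syn_match PKTFLAGS -> exit 0 if "--syn" would match: SYN set, RST and ACK
# clear, which is exactly "--tcp-flags SYN,RST,ACK SYN"
syn_match() {
    tcp_flags_match "SYN,RST,ACK" "SYN" "$1"
}

# not_syn_match PKTFLAGS -> exit 0 if "! --syn" would match (the inverted
# test example 18 on this page uses to drop NEW packets that are not SYNs)
not_syn_match() {
    if syn_match "$1"; then return 1; else return 0; fi
}
```

Flags outside the mask (PSH, URG in the SYN,ACK,FIN,RST example) are ignored by the comparison, which is why a bare SYN and a SYN with PSH both match the rule shown above.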
        --source-port [port[,port]]
            Match if the source port is one of the given ports.
        --destination-port [port[,port]]
            Match if the destination port is one of the given ports.
        --port [port[,port]]
            Match if both the source and destination ports are equal to each other and to one of the given ports.
    mark
        This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
        --mark value[/mask]
            Matches packets with the given unsigned mark value (if a mask is specified, it is logically ANDed with the mark before the comparison).
    owner
        This module attempts to match various characteristics of the packet creator, for locally generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence never match.
        --uid-owner userid
            Matches if the packet was created by a process with the given effective user id.
        --gid-owner groupid
            Matches if the packet was created by a process with the given effective group id.
        --sid-owner sessionid
            Matches if the packet was created by a process in the given session group.
    state
        This module, when combined with connection tracking, allows access to the connection tracking state of the packet.
        --state state
            Here state is a comma-separated list of the connection states to match. The possible states are: INVALID, meaning the packet is associated with no known connection; ESTABLISHED, meaning the packet is associated with a connection which has seen packets in both directions; NEW, meaning the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
    unclean
        This module takes no options, but attempts to match packets which seem malformed or unusual. It is experimental.
    tos
        This module matches the 8-bit Type of Service field in the IP header (i.e. including the precedence bits).
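The limit module described above is a token bucket, and the interaction of --limit and --limit-burst is easier to see on a concrete packet sequence than from the option text. The shell function below is an added emulation of that bucket (not the kernel's implementation); it replays a list of packet arrival times through the 3/minute, burst 8 settings that example 20 further down this page uses for logging SSH connection attempts.

```shell
# Token-bucket emulation of the iptables limit match (added example, not the
# kernel's code). limit_filter RATE BURST "t0 t1 ..." replays packets arriving
# at the given timestamps (seconds, non-decreasing) through a bucket that
# holds at most BURST tokens and refills at RATE tokens per minute. Each
# packet that finds a whole token consumes it and matches (M); otherwise the
# rule does not match (N). The result is printed as one letter per packet.
limit_filter() {
    rate=$1
    burst=$2
    scale=1000000                        # fixed point: one token = 1000000 units
    refill=$(( rate * scale / 60 ))      # units added per second
    cap=$(( burst * scale ))             # bucket capacity (the burst)
    tokens=$cap                          # the bucket starts full
    last=0
    out=""
    for t in $3; do
        # credit the time elapsed since the previous packet, capped at the burst
        tokens=$(( tokens + (t - last) * refill ))
        if [ "$tokens" -gt "$cap" ]; then
            tokens=$cap
        fi
        last=$t
        if [ "$tokens" -ge "$scale" ]; then
            tokens=$(( tokens - scale ))
            out="${out}M"
        else
            out="${out}N"
        fi
    done
    printf '%s\n' "$out"
}
```

With --limit 3/minute --limit-burst 8, ten attempts in the same second produce eight matches (eight LOG lines), and one further match becomes possible only after 20 seconds, the time it takes to earn one token at three per minute.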
        --tos tos
            The argument is either a standard name (use iptables -m tos -h to see the list) or a numeric value to match.

Target extensions
    iptables can use extended target modules. The following are included in the standard distribution.
    LOG
        Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (such as the IP header fields) via printk().
        --log-level level
            Level of logging (numeric, or see syslog.conf(5)).
        --log-prefix prefix
            Prefix log messages with the specified prefix: up to 14 letters long, useful for distinguishing messages in the logs.
        --log-tcp-sequence
            Log TCP sequence numbers. This is a security risk if the log is readable by users.
        --log-tcp-options
            Log options from the TCP packet header.
        --log-ip-options
            Log options from the IP packet header.
    MARK
        This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.
    REJECT
        This is used to send back an error packet in response to the matched packet; otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:
        --reject-with type
            The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules which only match the TCP protocol, in the INPUT chain or in rules called from the INPUT chain: this causes a TCP RST packet to be sent back.
    TOS
        This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.
        --set-tos tos
            You can use a numeric TOS value, or use iptables -j TOS -h to see the list of valid TOS names.
    MIRROR
        This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and OUTPUT chains, and in user-defined chains which are only called from those chains.
    SNAT
        This target is only valid in the POSTROUTING chain of the nat table. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and that rules should cease being examined. It takes one option:
        --to-source <ipaddr>[-<ipaddr>][:port-port]
            This can specify a single new source IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512; those between 512 and 1024 will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
    DNAT
        The destination-address counterpart of SNAT. It takes one option:
        --to-destination <ipaddr>[-<ipaddr>][:port-port]
            This can specify a single new destination IP address, an inclusive range of IP addresses, and optionally a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, the destination port is never modified.
    MASQUERADE
        This target is only valid in the POSTROUTING chain of the nat table. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behaviour when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:
        --to-ports <port>[-<port>]
            This specifies a range of source ports to use, overriding the default SNAT source port selection heuristics (see above).
            This is only valid if the rule also specifies -p tcp or -p udp.
    REDIRECT
        This target is only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally generated packets are mapped to the 127.0 loopback address). It takes one option:
        --to-ports <port>[-<port>]
            This specifies a destination port or range of ports to use; without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

Diagnostics
    Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

Bugs
    Check is not implemented (yet).

Compatibility with ipchains
    This iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet only passes through one of the three chains; previously a forwarded packet would pass through all three. The other main difference is that -i refers to the input interface, -o refers to the output interface, and both are available for packets entering the FORWARD chain. iptables is a pure packet filter when using the default filter table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering seen previously. So the following options are handled differently: -j MASQ, -M -S, -M -L. There are several other changes in iptables.

Chains and tables
    SNAT (source address translation): POSTROUTING
    DNAT (destination address translation): PREROUTING, OUTPUT

    iptables has 5 rule chains by default:

        PREROUTING ---> (routing) ---> FORWARD ---> POSTROUTING
                            |                            ^
                            v                            |
                          INPUT                       OUTPUT

    iptables tables and their chains:
    raw table: PREROUTING, OUTPUT
    mangle table (used for traffic shaping and similar applications): PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
    nat table (used for address translation): PREROUTING, POSTROUTING, OUTPUT
    filter table (used for packet filtering): INPUT, FORWARD, OUTPUT

    PREROUTING (pre-routing): checked before the routing decision; packets addressed to the firewall itself continue to INPUT, packets addressed to other hosts continue to FORWARD.
    INPUT: someone else accessing the firewall host itself.
    FORWARD (forwarding): packets received that must be passed through the firewall to another address.
    OUTPUT: the firewall host itself accessing someone else.
    POSTROUTING (post-routing): checked after the packet has been routed.

Basic syntax
    iptables [-t table] command [chain] [match conditions] [-j target or jump]

    [-t table]: one of raw, mangle, nat or filter; if omitted, the filter table is used.
    Common commands:
    -A: append a new rule at the end of the specified chain
    -D: delete a rule from the specified chain; the rule is identified by its number or by its content
    -I: insert a new rule into the specified chain; if no position is given, the rule is inserted at the head of the chain
    -R: replace a rule in the specified chain; the rule is identified by its number or by its content
    -L: list all rules in the specified chain, or in all chains of the table if no chain is given
    -F: flush all rules in the specified chain, or in all chains of the table if no chain is given
    -N: create a new user-defined chain
    -X: delete a user-defined chain in the specified table
    -P: set the default policy for the specified chain
    -V: version information
    -n: numeric output
    -v: show detailed information when listing rules
    -h: command help
    --line-numbers: show rule numbers when listing
    [chain]: PREROUTING, POSTROUTING, INPUT, OUTPUT or FORWARD

Match conditions
    1. Protocol match: tcp, udp, icmp, pop3, snmp, smtp, all, etc. Format: -p protocol (prefix the protocol name with "!" to negate).
    2. Address match: -s source address (an IP address or a network segment); -d destination address (an IP address or a network segment); -i incoming network interface name; -o outgoing network interface name.
    3. Port match: --sport source port; --dport destination port.
    4. TCP flag match: --tcp-flags with SYN, RST, ACK and so on.
    5. ICMP type match (requires -p icmp): --icmp-type echo-request (numeric code 5, request), echo-reply (numeric code 0, reply), destination-unreachable (numeric code 3, destination unreachable).
    6. MAC match: -m mac --mac-source MAC-address
    7. Multi-port match: -m multiport 20,21,22
    8. Multi-address match: -m iprange [--src-range source-address-range] [--dst-range destination-address-range]
    9. State match: -m state --state [parameter], where the parameter is NEW (not related to any connection), ESTABLISHED (a response, or an established connection) or RELATED (related to an existing connection).

Target actions
    [-j target or jump], format: -j [parameter]
    ACCEPT: allow the packet through
    DROP: drop the packet directly without any response
    REJECT: refuse the packet and, where appropriate, send a response back to the sender
    LOG: log the packet

Examples
    1. Append a firewall rule at the end of the INPUT chain of the filter table:
       iptables -t filter -A INPUT -p tcp -j ACCEPT
    2. Insert a firewall rule into the INPUT chain of the filter table:
       iptables -I INPUT -p tcp -j ACCEPT
    3. Insert a firewall rule into the INPUT chain of the filter table as the second rule:
       iptables -I INPUT 2 -p tcp -j ACCEPT
    4. Delete the second rule of the INPUT chain of the filter table:
       iptables -D INPUT 2
    5. Flush the rules in the filter table:
       iptables -F
    6. Set the default policy of a chain (here the OUTPUT chain of the nat table is set to DROP):
       iptables -t nat -P OUTPUT DROP
    7. Reject all ICMP packets entering the firewall:
       iptables -I INPUT -p icmp -j REJECT
    8. Allow the firewall to forward all packets except ICMP:
       iptables -A FORWARD -p ! icmp -j REJECT
    9. Refuse to forward data from the 192.168.1.0/24 network segment:
       iptables -A FORWARD -s 192.168.1.0/24 -j REJECT
    10. Drop packets entering the firewall through the external interface eth1 with source address 1.2.3.0/16:
       iptables -A INPUT -i eth1 -s 1.2.3.0/16 -j DROP
    11. Allow administrators to log in to the firewall host remotely over SSH from the 202.13.0.0/16 network segment:
       iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
    12. Allow the host to open TCP ports 20-1024 for application services:
       iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
       iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
    13. Allow forwarding of DNS queries from the 192.168.0.0/24 network segment:
       iptables -A FORWARD -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
       iptables -A FORWARD -p udp -d 192.168.0.0/24 --sport 53 -j ACCEPT
    14. Prevent other hosts from pinging the firewall, but allow the firewall to ping other hosts:
       iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
       iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
       iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    15. Disable forwarding of packets from the host with MAC address 00:0c:25:24:24:21 (-m loads a match module):
       iptables -A FORWARD -m mac --mac-source 00:0c:25:24:24:21 -j DROP
    16. Allow the firewall host to open TCP ports 20, 21, 25, 110 and the FTP passive-mode port range 1250-1280:
       iptables -A INPUT -p tcp -m multiport --dport 20,21,25,110,1250:1280 -j ACCEPT
    17. Disallow forwarding of TCP packets with a source IP address in 192.168.1.20-192.168.1.99:
       iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
    18. Disallow forwarding of non-SYN request packets that are not part of a normal TCP connection (such as some of the illegitimate attack packets that may exist on the network):
       iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
    19. Open the host's web and FTP services (ports 21, 20, 20450-20480), let reply packets from external hosts to the server's other ports through, and drop all other inbound packets:
       iptables -I INPUT -p tcp -m multiport --dport 20,21,80 -j ACCEPT
       iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
       iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
       iptables -P INPUT DROP
    20. Limit logging to an average of three times per minute, with a peak of eight:
       iptables -R INPUT 1 -p tcp --dport 22 -m limit --limit 3/minute --limit-burst 8 -j LOG
    21. Define a new chain mylan and hand packets forwarded to or from the 192.168.1.0/24 network segment to the rules in that chain:
       iptables -t filter -N mylan
       iptables -A FORWARD -s 192.168.1.0/24 -j mylan
       iptables -A FORWARD -d 192.168.1.0/24 -j mylan
       iptables -A mylan -p icmp -j DROP

Import and export of firewall rules
    Export: iptables-save > /etc/sysconfig/iptables   (equivalent to: service iptables save)
    Import: iptables-restore < /etc/sysconfig/iptables   (equivalent to: service iptables restart)
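The rules of examples 19 and 20 are best deployed as one iptables-restore file rather than as separate commands, because the file is loaded atomically and there is no moment at which the INPUT policy is DROP while the accept rules are still missing. The shell function below is an added example, not part of the original post: it writes such a file in iptables-save format for a host with those services. The outside-facing interface and the administrators' network are assumed parameters (the test values eth1 and 202.13.0.0/16 are taken from examples 10 and 11), and RELATED is accepted alongside ESTABLISHED so that ICMP errors for the host's own connections get through.

```shell
# Generate a complete ruleset in iptables-save format for the server of
# examples 19 and 20 (added example, not from the original post).
# gen_ruleset WAN_IF ADMIN_NET: WAN_IF is the interface facing the outside,
# ADMIN_NET the network administrators connect from (both assumed parameters).
gen_ruleset() {
    wan_if=$1
    admin_net=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $wan_if -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A INPUT -i $wan_if -p tcp --dport 20450:20480 -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_net -m state --state NEW -m limit --limit 3/minute --limit-burst 8 -j LOG --log-prefix "ssh-new: "
-A INPUT -p tcp --dport 22 -s $admin_net -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
COMMIT
EOF
}

# count_rules CHAIN RULESET -> how many rules the ruleset appends to CHAIN
count_rules() {
    printf '%s\n' "$2" | grep -c "^-A $1 "
}

# has_default_deny RULESET -> exit 0 if the INPUT chain policy line is DROP
has_default_deny() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP '
}

# Typical use on the firewall host (needs root), matching the export/import
# commands above:
#   gen_ruleset eth1 202.13.0.0/16 > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
```

Only new SSH connections from the admin network are logged, and at the limited rate of example 20; the ACCEPT that follows is unconditional, so the limit throttles the log lines, not the logins.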
Iptables of the firewall