I. Iptables firewall service
Iptables consists of two parts: the packet-filtering code implemented in the kernel, and the user-space command iptables, which is used to modify the firewall rules. To use a given function, the corresponding kernel module must be loaded first (with modprobe).
1: Order in which the tables are consulted when a packet is matched: raw table ----> mangle table -------> nat table ------> filter table.
Raw: mainly used for packet (connection) tracking. Rule chains: PREROUTING, OUTPUT
Mangle: sets packet marks. Rule chains: PREROUTING, OUTPUT, INPUT, POSTROUTING, FORWARD
Nat: modifies the source, destination and MAC addresses in the packet. Rule chains: POSTROUTING, PREROUTING, OUTPUT
Filter: filters packets. Rule chains: INPUT, OUTPUT, FORWARD
A chain can contain many rules, and a table can contain several chains. Rules are matched in order, and matching stops at the first rule that matches.
2: For data that enters or leaves the local host, the chain order is PREROUTING ---> INPUT ---> (local process) ---> OUTPUT ---> POSTROUTING
3: For forwarded data, the chain order is PREROUTING ---> FORWARD ----> POSTROUTING
The firewall matches the rules in the corresponding chain according to the table order and the direction of the data flow.
4: The targets (actions) of the rules in a chain are: ACCEPT (accept the packet), DROP (discard it silently), REJECT (reject it), LOG (log it)
The target is the action the firewall performs when a rule matches: the packet is dropped or passed, or the match is written to the log. ACCEPT, DROP and REJECT end the matching; LOG does not. After a LOG rule matches, matching continues with the next rule, so a LOG rule must be written before the rule that would otherwise drop or accept the packet, or nothing will ever be logged.
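The first-match-wins walk and the non-terminating LOG target described above, modelled in Python as an added example (this is not code from the original page; the Packet and Rule classes, the chain contents and the sample packets are constructed for illustration):

```python
# Added example (not from the original page): a small model of how one
# iptables chain evaluates its rules, showing why a LOG rule must sit
# before the terminating rule whose hits it is meant to record.
from typing import List, Optional, Tuple

class Packet:
    """Constructed packet: protocol, destination port, conntrack state."""
    def __init__(self, proto: str, dport: int, state: str):
        self.proto, self.dport, self.state = proto, dport, state

class Rule:
    """One rule: optional -p, multiport --dports, state --state, and -j target."""
    def __init__(self, target: str, proto: Optional[str] = None,
                 dports: Tuple[int, ...] = (), states: Tuple[str, ...] = ()):
        self.target, self.proto, self.dports, self.states = target, proto, dports, states

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (not self.dports or pkt.dport in self.dports)
                and (not self.states or pkt.state in self.states))

def walk_chain(rules: List[Rule], policy: str, pkt: Packet, log: List[str]) -> str:
    """Rules are tried in order; the first ACCEPT/DROP/REJECT match ends the
    walk. LOG only records the packet and falls through. No match -> policy."""
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            log.append(f"{pkt.proto}/{pkt.dport} {pkt.state}")
            continue
        return rule.target
    return policy

# Two INPUT chains with the same rules; only the position of LOG differs.
ALLOW = [Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
         Rule("ACCEPT", proto="tcp", dports=(80, 53, 21), states=("NEW",))]
LOG_FIRST = ALLOW + [Rule("LOG"), Rule("DROP")]   # LOG before the terminating rule
LOG_LAST = ALLOW + [Rule("DROP"), Rule("LOG")]    # LOG after it: never reached

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (verdict, number of log lines produced) for one packet."""
    log: List[str] = []
    return walk_chain(rules, "DROP", pkt, log), len(log)

if __name__ == "__main__":
    probe = Packet("tcp", 22, "NEW")   # constructed: new connection to port 22
    print(evaluate(LOG_FIRST, probe))  # ('DROP', 1): dropped and logged
    print(evaluate(LOG_LAST, probe))   # ('DROP', 0): dropped, never logged
    print(evaluate(LOG_FIRST, Packet("tcp", 80, "NEW")))  # ('ACCEPT', 0)
```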
II. Detailed iptables command configuration
1: iptables -nvL    Lists the rules in the filter table (the default table) in detail. -n (numeric), -L (list), -v (verbose).
2: iptables -t filter -P INPUT ACCEPT    Sets the default policy of the INPUT chain to ACCEPT. -t (table), -P (policy).
3: iptables -A INPUT ...    Appends a rule to the INPUT chain; the matching options follow. -A (append).
4: iptables -D INPUT <rule-number>    Deletes the rule with the given sequence number from the INPUT chain. -D (delete).
5: iptables -I INPUT 4 <rule>    Inserts the rule at position 4 of the INPUT chain. -I (insert).
6: iptables -A INPUT -m [limit|multiport|state] ...    Loads the named extension module so that its matching function can be used. -m (match).
7: iptables -A INPUT -m state --state NEW -j ACCEPT    Uses the state module to match packets by connection state.
8: service iptables save    Saves the rules to the /etc/iptables file so that they take effect automatically after the next restart.
9: iptables-save > iptables.conf    Writes the current configuration to the file iptables.conf; iptables-restore < iptables.conf loads it back.
III. Match types
1: Generic matches.
For example protocol type, network interface and network address: -p tcp/udp/icmp, -i eth0, -s 172.16.0.1, --sport 60.
2: Implicit matches
These usually build on a specific protocol match (the -p option).
3: Explicit matches
These require the corresponding extension module to be loaded with -m. For example, -m limit --limit 5/sec -j ACCEPT limits the rate at which packets are passed;
-m multiport --dports 80,53,21 controls several ports in a single rule; -m state --state NEW,ESTABLISHED matches packets in the NEW or ESTABLISHED state.