A general understanding of iptables

Source: Internet
Author: User

On a node using the TCP/IP protocol stack, an open port belongs to a socket session; a socket needs an IP address and a port. A socket checks the packets that belong to it; note the difference between a socket and the TCP/IP protocol stack itself. A host firewall works on the host: packets enter through the network card and pass into the TCP/IP protocol stack in the kernel, and the firewall works inside that stack by placing checkpoints (hooks) at certain positions, where the configured rules are checked.

Network firewall: works at the network edge, outside the hosts.

Firewall: works on the host or at the network edge; it checks incoming and outgoing packets against the defined rules and then applies the processing action of the matching rule to the packet.

Network layer firewall: checks the frame header, the IP header and the TCP header; it cannot inspect the data payload.

iptables/netfilter: netfilter provides the checkpoints (hooks) on the TCP/IP protocol stack; rules are added to them with iptables.

Rules are checked in order from high to low priority, and can work at the following checkpoint positions:

raw: used to turn off connection tracking for the nat table; chains: PREROUTING, OUTPUT

mangle: modifies some fields of the TCP/IP headers; works on all chains

nat: address translation; chains: POSTROUTING, PREROUTING, OUTPUT

filter: packet filtering; chains: INPUT, FORWARD, OUTPUT

INPUT: the checkpoint packets pass when they enter application (user) space; a checkpoint is also called a chain.

FORWARD: the checkpoint for packets the host routes on to another host

OUTPUT: the checkpoint packets pass when they are sent out by an application

PREROUTING: the checkpoint passed right after a packet arrives on the network card, before the routing decision

POSTROUTING: the checkpoint passed after the outgoing network card has been selected, just before the packet leaves

Packet flow for traffic to and from a process on this host: PREROUTING, INPUT on the way in; OUTPUT, POSTROUTING on the way out

Packets forwarded by this host: PREROUTING, FORWARD, POSTROUTING

Pay attention to the direction of packet flow when determining the source IP and destination IP.

iptables: a user-space tool for writing rules; the rules are sent to netfilter automatically and take effect immediately.

Basic syntax

iptables [-t TABLE] -A CHAIN matching-conditions -j TARGET

The default table is filter.

COMMAND: the commands fall into the following groups

1. Commands for the rules on a chain: -A: append a rule at the end of the chain

-I: insert a new rule

-D: delete a rule

-R: replace a rule

-L: list rules. -L -n: numeric format, show addresses and ports as numbers. -L -v: verbose format. --line-numbers: show the rule line numbers. -x: do not convert units for the counters; show exact values.

2. Commands for chains: -F: flush (empty) a chain

-N: create a custom chain; it can only be reached by being called from another chain

-X: delete a custom chain

-Z: zero the counters

-P: set the default policy; for the filter table the default policy is ACCEPT or DROP

-E: rename a custom chain

iptables [-t TABLE] -A CHAIN matching-conditions -j TARGET

Matching conditions: generic matches

-s ADDRESS: source IP address to match; can be an IP or a network address; ! negates the match.

-d ADDRESS: destination IP address of the packet

-p PROTOCOL: protocol of the packet to match; usually tcp, udp or icmp

-i INTERFACE: the network card the packet came in on; only usable in the first half of the packet path: PREROUTING, INPUT, FORWARD

-o INTERFACE: the network card the packet goes out through; only usable in the second half of the packet path: FORWARD, OUTPUT, POSTROUTING

Extended matches call netfilter extension modules with -m.

Implicit extensions: when one of -p {tcp|udp|icmp} is used, the corresponding module is loaded by default and its options can be used directly.

-p tcp (for the TCP protocol): --sport specifies the source port, --dport the destination port

--tcp-flags SYN,ACK,RST,FIN SYN: the first list names the flags to examine, the second the ones among them that must be set (value 1); the remaining examined flags must be clear (value 0). ALL selects all flags, NONE means none of them set.

--tcp-flags SYN,ACK,RST,FIN SYN defines the first packet of the TCP three-way handshake

--syn is a shorthand that also defines the first TCP handshake packet
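The match logic behind --tcp-flags and --syn, as an added shell example (not code from the original notes): flag names become bits, and a packet matches when the bits examined by the first list equal exactly the bits required by the second; the sample packets are constructed.

```shell
#!/bin/sh
# Added example: how --tcp-flags MASK COMP and --syn decide a match.
# Flag names and ALL/NONE are the ones iptables accepts; the bit values are
# those of the TCP header flags byte.

# Bit value of one TCP flag name (case-insensitive).
flag_bit() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
        PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
        ALL) echo 63 ;; NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Turn a comma-separated list such as SYN,ACK,RST,FIN into a bitmask.
flag_list_to_mask() {
    _old_ifs=$IFS; IFS=','
    set -- $1          # split the list on the commas
    IFS=$_old_ifs
    _mask=0
    for _f in "$@"; do
        _b=$(flag_bit "$_f") || return 1
        _mask=$(( _mask | _b ))
    done
    echo "$_mask"
}

# --tcp-flags MASK COMP: only the flags in MASK are examined; the packet
# matches when, among them, exactly the flags in COMP are set.
# $1 = MASK list, $2 = COMP list, $3 = the flags set in the packet.
tcp_flags_match() {
    _m=$(flag_list_to_mask "$1") && _c=$(flag_list_to_mask "$2") &&
    _p=$(flag_list_to_mask "$3") || return 2
    [ $(( _p & _m )) -eq "$_c" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN: the first packet
# of the three-way handshake (SYN set, ACK, RST and FIN clear).
syn_match() { tcp_flags_match "SYN,RST,ACK,FIN" "SYN" "$1"; }

# Constructed sample packets, described by the flags they carry.
for pkt in SYN SYN,ACK ACK,PSH NONE; do
    if syn_match "$pkt"; then echo "$pkt: matches --syn"
    else echo "$pkt: does not match --syn"; fi
done
```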

-p icmp, mainly used to restrict ping: --icmp-type 8 is the echo request message type, 0 is the echo reply type

Explicit extensions: you must explicitly name the module with -m before its extended options can be used

-m MODULE: the extension module name (the module must be available both in iptables and in netfilter)

1) multiport: matches discontiguous or contiguous ports; up to 15 ports can be specified

--sports PORT,PORT:PORT: specifies the source ports

--dports: destination ports

--ports: both source and destination ports

Example, written as a host firewall rule on the target host, from the 192.168 network (192.168.0.0) to 192.168.147.128, with -A and -j ACCEPT: it lets a specific network connect to the host's HTTP and SSH services. No table is given, so the filter table is used by default to do the filtering; the rule goes on the INPUT chain, matches TCP packets from the 192.168 network to 192.168.147.128, and uses the multiport module to name the ports on which the host may accept packets.

2) iprange: matches addresses within a given range, i.e. a contiguous range of addresses rather than a whole network.

[!] --src-range IP[-IP]

[!] --dst-range IP[-IP]

3) string: matches strings in the application-layer payload at the start of the data. String-matching algorithms: KMP, BM.

Options: --algo {kmp|bm}

--string

--hex-string: the string given in hexadecimal

4) state: stateful inspection; requires the connection tracking function to be turned on, which is not suitable for servers with very high concurrency.

--state

States in connection tracking:

NEW: a new session is being created

ESTABLISHED: an established connection

RELATED: a connection related to an existing one

INVALID: a connection that cannot be identified

The maximum number of connections the connection tracking table can hold is adjusted in

/proc/sys/net/nf_conntrack_max

All connections currently being tracked:

/proc/net/nf_conntrack

Tracking properties for the different protocols and connection types:

the /proc/sys/net/netfilter directory

Allowing the FTP service in passive mode

1. Load the module, found under /lib/modules/kernel_version/kernel/net/netfilter/

Module: nf_conntrack_ftp

Load it with modprobe

2. Allow the request packets

a. Allow NEW state requests to port 21

b. Allow all ESTABLISHED and RELATED state packets

3. Allow the response packets

Allow all ESTABLISHED and RELATED state packets

limit: rate limiting

--limit N[/second|/minute|/hour|/day]

--limit-burst N: how many packets may be saved up (the burst size)

time: access control based on time

--datestart

--datestop

--timestart

--timestop

--weekdays

connlimit: limits the number of concurrent connections each client IP may initiate

--connlimit-above N

Processing targets:

Built-in targets:

DROP: silently discard

REJECT: explicit rejection

ACCEPT: accept

Writing rules: first decide the function (table), then the packet flow (chain), then the target to achieve, then the matching conditions

Flow directions: 1. Access to a process on this host: PREROUTING, INPUT

2. Outgoing packets: OUTPUT, POSTROUTING

3. Forwarding by this host: PREROUTING, FORWARD, POSTROUTING

4. Responses to forwarded traffic: PREROUTING, FORWARD, POSTROUTING

iptables checks the syntax and hands the rule to netfilter; it takes effect immediately

Remember: before writing the rules, first add a rule that lets your own session through

Permanent rules: a rule file or a script; the rule file is /etc/sysconfig/iptables

Save rules: iptables-save > /etc/sysconfig/iptables

service iptables save

Load rules: iptables-restore < /etc/sysconfig/iptables

service iptables restart
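An added example (not from the original notes) that puts the multiport rule above, the FTP passive-mode release via connection tracking, a custom chain and the save/load procedure together as one filter ruleset in the iptables-restore format of /etc/sysconfig/iptables. Assumptions: the 192.168 network is 192.168.0.0/16, SSH and HTTP are ports 22 and 80, INPUT and FORWARD default to DROP, and the limit and connlimit values are illustrative.

```shell
#!/bin/sh
# Added example: a filter-table ruleset in iptables-restore format, the
# format of /etc/sysconfig/iptables. Assumed (not from the notes): the
# 192.168 network is a /16, SSH/HTTP are ports 22 and 80, default policy DROP.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/16}"
HOST_IP="${HOST_IP:-192.168.147.128}"
RULE_FILE="${RULE_FILE:-/etc/sysconfig/iptables}"

filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:http_in - [0:0]
# Release yourself first: loopback and already-tracked sessions stay open,
# so a DROP policy cannot cut off the session you are working from.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# multiport: SSH and HTTP from the admin network to this host, NEW sessions only.
-A INPUT -s $ADMIN_NET -d $HOST_IP -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
# Other HTTP clients go through a custom chain (the -N http_in of the notes).
-A INPUT -d $HOST_IP -p tcp --dport 80 -j http_in
-A http_in -m connlimit --connlimit-above 20 -j REJECT
-A http_in -j ACCEPT
# FTP passive mode: open the control port for NEW sessions; with nf_conntrack_ftp
# loaded, the data connections arrive as RELATED and the rule above releases them.
-A INPUT -d $HOST_IP -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Ping (echo request), rate limited with the limit module.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
COMMIT
EOF
}

# Number of -A rules produced: a quick sanity check before loading.
rule_count() { filter_ruleset | grep -c '^-A '; }

# Load the FTP helper, save to the rule file and load it, as the notes
# describe (needs root). Runs only when the script is called with "apply".
install_ruleset() {
    modprobe nf_conntrack_ftp && filter_ruleset > "$RULE_FILE" && iptables-restore < "$RULE_FILE"
}

case "${1:-show}" in
    apply) install_ruleset ;;
    *)     filter_ruleset ;;
esac
```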

Set the default policy

iptables -P CHAIN TARGET

Modifying rules

iptables -R OUTPUT 1 RULE: selects the first rule on that chain of the table; the complete new rule follows

Optimizing rules: keep the number of rules to a minimum; put the rules that match the most traffic near the top; among rules for the same function, put the stricter match first.

To manage rules better, define custom chains:

iptables -t filter -N http_in

To delete an empty custom chain:

iptables -X http_in

Rename a custom chain:

iptables -E oldname newname

Address translation: SNAT, source address translation

--to-source

MASQUERADE: the translated source address is obtained automatically

DNAT: destination address translation

--to-destination

PNAT: port translation

Full NAT: full translation

Example: iptables -t nat -A POSTROUTING with source network 192.168.1.0 and -j SNAT --to-source 172.16.100.7: the original source address is converted into the host address 172.16.100.17
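The NAT rules as an added shell example (not from the notes): a nat-table ruleset in iptables-restore format for a gateway doing SNAT (or MASQUERADE) for the inside network and a DNAT/PNAT port forward, plus the FORWARD rules and ip_forward setting the translation needs before it carries any traffic. The /24 mask, the interface names eth0/eth1, the web server 192.168.1.10 and port 8080 are assumptions.

```shell
#!/bin/sh
# Added example: nat-table rules for a gateway, in iptables-restore format.
# Assumed (not from the notes): inside network 192.168.1.0/24 behind eth1,
# public address 172.16.100.7 on eth0, web server 192.168.1.10 reached via PNAT.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-172.16.100.7}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

# $1 = "static" for SNAT --to-source (fixed public address); anything else
# selects MASQUERADE, which takes the outgoing interface's address itself.
nat_ruleset() {
    if [ "${1:-static}" = static ]; then
        snat_target="SNAT --to-source $WAN_IP"
    else
        snat_target="MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SNAT: inside hosts leave through the public address (POSTROUTING, after routing).
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j $snat_target
# DNAT + PNAT: public port 8080 is forwarded to the web server's port 80
# (PREROUTING, before routing, so the rewritten destination gets routed).
-A PREROUTING -d $WAN_IP -p tcp --dport 8080 -j DNAT --to-destination $WEB_SERVER:80
COMMIT
*filter
:FORWARD DROP [0:0]
# Translation alone forwards nothing: FORWARD must allow the flows too, and it
# sees the already-rewritten destination. Merge this with the host's own filter
# rules, because loading the file replaces the whole filter table.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# The kernel must also be told to route between interfaces (needs root; not run here).
enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }

nat_ruleset "${1:-static}"
```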
