Iptables getting started

Source: Internet
Author: User
Tags: ssh, port


This section describes iptables concepts and usage.

Commands, chain names and targets in iptables are case sensitive.

The main syntax differences between ipchains and iptables are as follows:

1. In ipchains, chain names are lowercase (for example, input); in iptables, use the uppercase INPUT instead.

2. In iptables, you must specify which rule table a rule belongs to (with -t, for example -t nat). If -t is omitted, the default filter table is used.

3. In ipchains, -i refers to the interface; in iptables, -i refers to the inbound interface, and -o refers to the outbound interface.

4. In iptables, the source port uses the keyword --sport or --source-port.

5. In iptables, the destination port uses the keyword --dport or --destination-port.

6. In iptables, the "discard" action no longer uses the target DENY; use DROP instead.

7. The ipchains logging option -l has been replaced by the target -j LOG, and a prefix for the log entries can be specified.

8. -y in ipchains becomes --syn or --tcp-flags SYN,ACK,FIN SYN in iptables.

9. In iptables, the ICMP message type is given with the keyword --icmp-type, for example:

iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d 0/0 -j ACCEPT

Iptables example

The following examples show how to set iptables packet-filtering rules. Once you are familiar with them, you can adapt them to your own needs and get started quickly.

##############################################

##--------##

Preparations

##--------##

First, check the current iptables settings on the machine.

The procedure is as follows:

iptables -L -n

iptables -t nat -L -n

Define the IP address variable referenced in the following examples:

FW_IP="163.26.197.8"

To enable the kernel's forwarding function, follow these steps:

###-----------------------------------------------------###

# Enable the forward function

###-----------------------------------------------------###

echo "1" > /proc/sys/net/ipv4/ip_forward

Or set

FORWARD_IPV4=yes

in the system's network configuration to enable forwarding.

Clear all rules

The first step is to clear all rules and start again, so that old rules do not interfere with the new settings. The procedure is as follows:

###-----------------------------------------------------###

# Clear previous settings

###-----------------------------------------------------###

# Clear all rules in the chains of the default filter table

iptables -F

# Delete the user-defined chains in the default filter table

iptables -X

# Clear all rules in the chains of the mangle table

iptables -F -t mangle

# Delete the user-defined chains in the mangle table

iptables -t mangle -X

# Clear all rules in the chains of the nat table

iptables -F -t nat

# Delete the user-defined chains in the nat table

iptables -t nat -X

##############################################

Select a preset policy

Next, choose the preset policy for each rule chain. The procedure is as follows:

Discard everything by default:

###-----------------------------------------------------###

# Set the filter table preset policy

###-----------------------------------------------------###

iptables -P INPUT DROP

iptables -P OUTPUT DROP

iptables -P FORWARD DROP

Or accept everything by default:

###-----------------------------------------------------###

# Set the filter table preset policy

###-----------------------------------------------------###

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

** The preset policy of each rule chain is set independently and is not affected by the other chains. **

In the examples below, when a rule's target is DROP, set the policy to ACCEPT; when the target is ACCEPT, set the policy to DROP, so that the effect of the rule can be seen.

Open an interface

The procedure is as follows:

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

Note: In IPFW and Netfilter, packets on the loopback interface never pass through the FORWARD chain,

so lo only needs rules in the INPUT and OUTPUT chains.

iptables -A INPUT -i eth1 -j ACCEPT

iptables -A OUTPUT -o eth1 -j ACCEPT

iptables -A FORWARD -i eth1 -j ACCEPT

iptables -A FORWARD -o eth1 -j ACCEPT
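The preparation steps above (flush the tables, set the preset policy, open lo and the internal interface) are given as separate commands. The script below is an added example, not part of the original page, that expresses the same steps as one iptables-restore ruleset. iptables-restore replaces each table atomically, so there is no moment at which the policy is already DROP but the ACCEPT rules for lo and the internal interface are not yet loaded, which is exactly what cuts a remote session when the commands are typed one by one over ssh. The script only prints the ruleset and never calls iptables; eth1 is the page's internal interface, and the function names gen_base_ruleset and count_rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the preparation steps as one
# iptables-restore ruleset. Assumptions: the internal interface is eth1 as in
# the page; nothing here is applied to the running kernel.

# gen_base_ruleset POLICY LAN_IF
# Prints a ruleset in iptables-restore format. POLICY is the preset policy
# for INPUT/OUTPUT/FORWARD (DROP or ACCEPT); LAN_IF is the trusted internal
# interface. Without --noflush, iptables-restore replaces the whole table,
# which covers the page's -F and -X steps; ':CHAIN POLICY [0:0]' covers -P.
gen_base_ruleset() {
    policy="$1"
    lan_if="$2"
    case "$policy" in
        DROP|ACCEPT) ;;
        *) echo "policy must be DROP or ACCEPT, got '$policy'" >&2; return 1 ;;
    esac
    case "$lan_if" in
        '') echo "internal interface name is required" >&2; return 1 ;;
    esac
    cat <<EOF
# generated ruleset; load with: iptables-restore < file
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT $policy [0:0]
:FORWARD $policy [0:0]
:OUTPUT $policy [0:0]
# loopback only traverses INPUT and OUTPUT, never FORWARD
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# trusted internal interface, as in the page's "Open an interface" step
-A INPUT -i $lan_if -j ACCEPT
-A OUTPUT -o $lan_if -j ACCEPT
-A FORWARD -i $lan_if -j ACCEPT
-A FORWARD -o $lan_if -j ACCEPT
COMMIT
EOF
}

# count_rules RULESET_TEXT
# Number of '-A' rule lines in the text, a cheap sanity check before loading.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Stand-alone run: print the default-DROP ruleset for eth1.
gen_base_ruleset DROP eth1
```

Apply it with `gen_base_ruleset DROP eth1 | iptables-restore`; on iptables versions that support it, `iptables-restore --test` parses the ruleset without committing it, which is worth running before loading anything with a DROP policy.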

IP camouflage (SNAT application)

After intranet packets are masqueraded, the address of the external NIC eth0 is used as the source of outgoing connections. The procedure is as follows:

###-----------------------------------------------------###

# Start internal-to-external address translation

###-----------------------------------------------------###

iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/16 -j SNAT --to-source $FW_IP

The preceding command masquerades the network segment 172.16.0.0/16 as $FW_IP.

Virtual host (DNAT application)

Packets from the Internet can be forwarded to a server host on the intranet by translating the address and port, which is commonly known as a virtual host. This method keeps most of the server host's ports from being exposed.

Only the public service channel (such as web server port 80) is opened, so security is higher.

The procedure is as follows:

###-----------------------------------------------------###

# Start external address translation

###-----------------------------------------------------###

# Anyone connecting to $FW_IP:80 will be directed to 172.16.255.2:80

iptables -t nat -A PREROUTING -i eth0 -p tcp -d $FW_IP --dport 80 -j DNAT --to-destination 172.16.255.2:80
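The two NAT sections above only translate addresses. With the FORWARD policy set to DROP earlier, the connection rewritten to 172.16.255.2:80 still passes through the FORWARD chain of the filter table and must be accepted there, and ip_forward must be 1, or the virtual host never answers. The script below is an added example and not the page's own commands: it prints the SNAT and DNAT rules of the two sections together with the two FORWARD rules they depend on, validates the port argument, and checks the kernel's forwarding switch. eth0, 172.16.0.0/16, 172.16.255.2 and $FW_IP are the page's values; the names gen_nat_rules and forwarding_enabled are this example's own. Traffic that the LAN itself originates is already covered by the eth1 FORWARD rules in the "Open an interface" step.

```shell
#!/bin/sh
# Added example (not from the original page): SNAT + DNAT plus the filter
# rules the translated connection needs. Assumptions: interface and address
# values are the page's; commands are printed, not executed.

# gen_nat_rules EXT_IF FW_IP LAN_NET SERVER_IP PORT
gen_nat_rules() {
    ext_if="$1"; fw_ip="$2"; lan_net="$3"; server="$4"; port="$5"
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    cat <<EOF
# 1. masquerade the intranet behind the firewall's public address (SNAT)
iptables -t nat -A POSTROUTING -o $ext_if -s $lan_net -j SNAT --to-source $fw_ip
# 2. publish the internal server: $fw_ip:$port -> $server:$port (DNAT)
iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $fw_ip --dport $port -j DNAT --to-destination $server:$port
# 3. the rewritten packet is routed through FORWARD; accept it there
#    (required when the FORWARD policy is DROP)
iptables -A FORWARD -i $ext_if -p tcp -d $server --dport $port -j ACCEPT
# 4. and the server's replies, in the page's stateless '! --syn' style
iptables -A FORWARD -o $ext_if -p tcp ! --syn -s $server --sport $port -j ACCEPT
EOF
}

# forwarding_enabled: succeeds only if the kernel forwards IPv4 packets
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Stand-alone run with the page's values.
gen_nat_rules eth0 "${FW_IP:-163.26.197.8}" 172.16.0.0/16 172.16.255.2 80
if ! forwarding_enabled; then
    echo "# note: ip_forward is not 1 on this host; the DNAT/SNAT rules will not pass traffic until it is" >&2
fi
```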

Enable internal hosts to telnet to external hosts

Allow the intranet to telnet to external hosts.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open telnet port 23 on external hosts

###-----------------------------------------------------###

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 23 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT

Mail transfer channel

Allow any mail host to send packets to your mail server, and allow your mail server to send packets out.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open SMTP port 25

###-----------------------------------------------------###

# The following lets others send mail to you:

iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

# The following lets you send mail to others:

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT

Open the channel for downloading mail (POP3)

Allow the intranet to receive mail from POP3 servers on the Internet.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open POP3 port 110 on external hosts

###-----------------------------------------------------###

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 110 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT

Open the web browsing channel

Allow the intranet to view websites on the Internet.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open HTTP port 80 on external hosts

###-----------------------------------------------------###

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT

Open DNS queries to the Internet

Allow the intranet to query any DNS host on the Internet.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open DNS port 53

###-----------------------------------------------------###

# The first query uses UDP packets

iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT

iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT

# If that fails, TCP packets are used for the query

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT

# Allow the DNS server on this host to exchange queries with external DNS hosts: UDP

iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 53 -d 0/0 --dport 53 -j ACCEPT

iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT

# Allow the DNS server on this host to exchange queries with external DNS hosts: TCP

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 53 -d 0/0 --dport 53 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT

Open internal hosts to ssh to external hosts

Allow the intranet to ssh to external hosts.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open ssh port 22 on external hosts

###-----------------------------------------------------###

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 22 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT

# The following covers the difference between ssh protocol versions: clients that connect from the privileged source ports 1020:1023

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1020:1023 -d 0/0 --dport 22 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 22 -d $FW_IP --dport 1020:1023 -j ACCEPT

Enable internal hosts to ftp to external hosts

Allow the intranet to ftp to external hosts.

The procedure is as follows: (the default policy is DROP)

###-----------------------------------------------------###

# Open ftp port 21 on external hosts

###-----------------------------------------------------###

# Open the command channel (port 21)

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT

# Open the active-mode data channel (port 20)

iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d 0/0 --dport 20 -j ACCEPT

# Open the passive-mode FTP data channel

iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT
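Every "open X to external hosts" section from telnet through ftp repeats the same two-rule pattern: an OUTPUT rule for the request from an unprivileged local port, and an INPUT rule for the reply that excludes packets with SYN set, which is how the page approximates "reply traffic only" without connection tracking. The passive-mode FTP rules show the limit of that approach: because the data port is negotiated at run time, the page has to open every 1024:65535 to 1024:65535 TCP pair in both directions. The script below is an added example and not the page's own commands. allow_client regenerates the page's stateless pair for any tcp or udp port (for udp there is no SYN flag, so the reply rule carries no `! --syn`, as in the DNS section); allow_client_stateful and allow_replies_stateful print the conntrack-based alternative, where replies are admitted by connection state and the FTP data channel is admitted as RELATED once the nf_conntrack_ftp helper module is loaded, so the wide passive-mode rule is not needed. eth0 and $FW_IP are the page's values; the function names and the `app` label argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): the page's repeated client
# rule pair as a function, beside its connection-tracking equivalent.
# Assumptions: external interface eth0 and FW_IP as defined in the page;
# rules are printed, never applied.

EXT_IF="eth0"
FW_IP="163.26.197.8"

# allow_client PROTO PORT APP
# Stateless pair in the page's style. PROTO is tcp or udp; APP only labels
# the comment line.
allow_client() {
    proto="$1"; port="$2"; app="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port '$port'" >&2; return 1 ;;
    esac
    flags=""
    if [ "$proto" = tcp ]; then
        flags="! --syn "    # reply rule: anything but a new connection attempt
    fi
    printf '# %s: request from an unprivileged local port to remote %s/%s\n' "$app" "$proto" "$port"
    printf 'iptables -A OUTPUT -o %s -p %s -s %s --sport 1024:65535 -d 0/0 --dport %s -j ACCEPT\n' \
        "$EXT_IF" "$proto" "$FW_IP" "$port"
    printf 'iptables -A INPUT -i %s -p %s %s-s 0/0 --sport %s -d %s --dport 1024:65535 -j ACCEPT\n' \
        "$EXT_IF" "$proto" "$flags" "$port" "$FW_IP"
}

# allow_client_stateful PROTO PORT APP
# Only the request names the port; conntrack tracks the rest of the flow.
allow_client_stateful() {
    proto="$1"; port="$2"; app="$3"
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    printf '# %s (stateful): new connections to remote %s/%s\n' "$app" "$proto" "$port"
    printf 'iptables -A OUTPUT -o %s -p %s -d 0/0 --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$EXT_IF" "$proto" "$port"
}

# allow_replies_stateful
# One INPUT rule serves every stateful client rule. RELATED is what lets the
# FTP data connection in once the nf_conntrack_ftp helper is loaded.
allow_replies_stateful() {
    printf '# replies and helper-related connections for all stateful client rules\n'
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$EXT_IF"
}

# Stand-alone run: regenerate the page's client sections, then the stateful
# form for ftp.
for spec in "tcp 23 telnet" "tcp 110 pop3" "tcp 80 http" "udp 53 dns" \
            "tcp 53 dns" "tcp 22 ssh" "tcp 21 ftp"; do
    set -- $spec
    allow_client "$1" "$2" "$3"
done
allow_client_stateful tcp 21 ftp
allow_replies_stateful
```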

Open ping

Allow pinging any external host.

The procedure is as follows: (the default policy is DROP)

iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d 0/0 -j ACCEPT

iptables -A INPUT -i eth0 -p icmp -s 0/0 --icmp-type 0 -d $FW_IP -j ACCEPT

**************************************************

Appendix:

Question 1: Why does each function use both the INPUT and OUTPUT chains? Is it that one of them allows the output of the gateway machine and the other allows the LAN to reach the gateway machine?

                         _____
Incoming                /     \         Outgoing
      -->[Routing ]--->|FORWARD|------->
         [Decision]     \_____/        ^
              |                        |
              v                       ____
             ___                     /    \
            /   \                   |OUTPUT|
           |INPUT|                   \____/
            \___/                      ^
              |                        |
               ----> Local Process ----

Let us analyze how a packet is handled by the chains.

The three boxes represent the three chains above. When a packet reaches one of them, that chain is examined to decide what to do with the packet. If the chain decides

the packet should be dropped, it is discarded there; if the chain decides to ACCEPT it, the packet continues along the path in the figure.

(1) When a packet comes in, the kernel first looks at its destination. If the destination address is the local machine, the packet goes down to the INPUT chain; if it passes that chain, it is handed to the local

program that is waiting for it.

(2) If the destination is not the local host, but the kernel has forwarding disabled or does not know how to forward the packet, the packet is discarded.

(3) If the destination is not the local machine and forwarding is enabled, the packet goes to the FORWARD chain on the right. If it is accepted there, it is sent out.

(4) A program running on the local machine sends a packet; the packet passes straight through the OUTPUT chain and, if it is accepted, is sent to the network interface chosen for it.

Note: Incoming and Outgoing can be either the intranet or the Internet, and Local Process is a server that provides proxying or IP address filtering.

Once you know what each chain does, you will understand why the rule statements come in INPUT and OUTPUT pairs.
