This section describes iptables concepts and usage instructions in iptables, which must be case sensitive. The main syntax differences between ipchains and iptables are as follows: 1. in ipchains, for example, the input chain uses lower-case chains. in iptables, use upper-case INPUT instead. 2. in
IptablesGetting started
This section describes iptables concepts and usage.
Commands in iptables must be case sensitive.
The main syntax differences between ipchains and iptables are as follows:
1. in ipchains, for example, the input chain uses a lowercase name. in iptables, use uppercase INPUT instead.
2. in iptables, you must specify the rule to be applied to that rule table (use-t to specify, such as-t nat). If this parameter is not specified, the default value is used to filter the table.
3. in ipchains,-I refers to the interface, but in iptables,-I refers to the inbound direction, and more-o represents the outbound direction.
4. in iptables, the source port should use the keyword -- sport or -- source-port.
5. in iptables, the destination port uses the keyword -- dport or -- destination-port.
6. in iptables, the disposal action of "discard" will no longer use the target DENY, and use DROP instead.
7. the ipchains record file function-l has been changed to the target-jLOG, and the title of the record file can be specified.
8.-y in ipchains can be used in iptables -- syn or -- tcp-flag SYN, ACK, FIN SYN
9. in iptables, add the keyword -- icmp-type to the imcp messages type, for example:
Iptables-a output-o eth0-p icmp-s $ FW_IP -- icmp-type 8-d any/0-j ACCEPT
Iptables example
When setting iptables packet filtering rules, there are several examples. if you are familiar with them first, you can apply them on your own. so you can quickly enter the world.
######################################## ######
##--------##
Preparations
##--------##
First, check the settings of iptables on the machine.
The procedure is as follows:
Iptables-L-n
Iptablse-t nat-L-n
Define the IP address of the variable referenced in the following example
$ FW_IP = "163.26.197.8"
To enable the core forward function, follow these steps:
###-----------------------------------------------------###
# Enable the forward function
###-----------------------------------------------------###
Echo "1">/proc/sys/net/ipv4/ip_forward
Or add
FORWARD_IPV4 = yes
Enable forwarding
To clear all rules, follow these steps ::
In the first step, you must clear all rules and start again to prevent the old rules from affecting the new settings. The procedure is as follows:
###-----------------------------------------------------###
# Clear previous settings
###-----------------------------------------------------###
# Clear all rules in the rule chain in the filter of the preset table
Iptables-F
# Clear the rules in the user-defined chain in the filter of the preset table
Iptables-X
# Clear all rules in the rule chain in the mangle table
Iptables-F-t mangle
# Clear the rules in the custom link in the mangle table
Iptables-t mangle-X
# Clear all rules in the rule chain in the nat table
Iptables-F-t nat
# Clear the rules in the user-defined link in the nat table
Iptables-t nat-X
######################################## ###########
Select a preset policy
Next, you need to select different rule chains and the predefined policies. The procedure is as follows:
Default discard all:
###-----------------------------------------------------###
# Set the filter table preset policy
###-----------------------------------------------------###
Iptables-P INPUT DROP
Iptables-P OUTPUT DROP
Iptables-P FORWARD DROP
Or accept all by default:
###-----------------------------------------------------###
# Set the filter table preset policy
###-----------------------------------------------------###
Iptables-P INPUT ACCEPT
Iptables-P OUTPUT ACCEPT
Iptables-P FORWARD ACCEPT
** The preset policies of each rule chain can be set independently without being affected by other chains. **
In the following example, if the target is DROP (discard), set policy to ACCEPT (ACCEPT). If the target is ACCEPT, set policy to DROP to see the effect.
Open an interface
The procedure is as follows:
Iptables-a input-I lo-j ACCEPT
Iptables-a output-o lo-j ACCEPT
Note: The packet flow of IPFW or Netfilter does not pass through the FORWARD Chain,
Therefore, lo serves only the INPUT and OUTPUT chains.
Iptables-a input-I eth1-j ACCEPT
Iptables-a output-o eth1-j ACCEPT
Iptables-a forward-I eth1-jACCEPT
Iptables-a forward-o eth1-jACCEPT
IP camouflage (SNAT application)
After the packets in the intranet are disguised, the external eth0 Nic is used as the proxy number for external connections. The procedure is as follows:
###-----------------------------------------------------###
# Start internal external address transfer
###-----------------------------------------------------###
Iptables-t nat-a postrouting-o eth0-s 172.16.0.0/16-j SNAT -- to-source $ FW_IP
The preceding command indicates that the network segment 172.16.0.0/16 is disguised as $ FW_IP.
Virtual host (DNAT application)
Internet packets can be sent to server hosts in the intranet by means of address and port forwarding, which is commonly known as virtual hosts. This method protects most of the ports on the server host from being exported.
It only opens public service channels (such as Web Server port80), so the security is high.
The procedure is as follows:
###-----------------------------------------------------###
# Start external address translation
###-----------------------------------------------------###
# Anyone connected to $ FW_IP: 80 will be directed to 172.16.255.2: 80
Iptables-t nat-a prerouting-I eth0-ptcp-d $ FW_IP -- dport 80-j DNAT -- to-destination172.16.255.2: 80
Enable the internal host to telnet to the external host
Open the intranet and telnet to the external host.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open external host telnet port 23
###-----------------------------------------------------###
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 23-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 23-d $ FW_IP -- dport 1024: 65535-j ACCEPT
Mail transfer channel
Open any Mail host to send a packet to your Mail Server, and your MailServer can also send the packet.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open SMTP port 25
###-----------------------------------------------------###
# The following is a message that someone else can send to you:
Iptables-a input-I eth0-p tcp-sany/0 -- sport 1024: 65535-d $ FW_IP -- dport 25-j ACCEPT
Iptables-a output-o eth0-p tcp! -- Syn-s $ FW_IP -- sport 25-d any/0 -- dport 1024: 65535-jACCEPT
# You can send emails to others
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 25-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 25-d $ FW_IP -- dport 1024: 65525-j ACCEPT
Open channels for offline mailing downloads
Enable intranet for receiving mails from POP3 servers on the Internet.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open POP3 port 110 for external hosts
###-----------------------------------------------------###
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 110-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 110-d $ FW_IP -- dport 1024: 65535-j ACCEPT
Open webpage viewing Channel
You can open the intranet to view Internet websites.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open HTTP port 80 for external hosts
###-----------------------------------------------------###
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 80-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 80-d $ FW_IP -- dport 1024: 65535-j ACCEPT
Open DNS host for querying the Internet
Open the intranet to query any DNS host on the Internet.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open DNS port 53
###-----------------------------------------------------###
# Udp packets will be used for the first query
Iptables-a output-o eth0-p udp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 53-j ACCEPT
Iptables-a input-I eth0-p udp-sany/0 -- sport 53-d $ FW_IP -- dport 1024: 65535-j ACCEPT
# If an error occurs, tcp packets are used for query.
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 53-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 53-d $ FW_IP -- dport 1024: 65535-j ACCEPT
# Enable interactive query between DNS on this host and external DNS host: use udp
Iptables-a output-o eth0-p udp-s $ FW_IP -- sport 53-d any/0 -- dport 53-j ACCEPT
Iptables-a input-I eth0-p udp-sany/0 -- sport 53-d $ FW_IP -- dport 53-j ACCEPT
# Enable the interactive query between DNS on this host and external DNS host: use tcp
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 53-d any/0 -- dport 53-j ACCEPT
Iptables-a input-I eth0-p tcp! -Y-sany/0 -- sport 53-d $ FW_IP -- dport 53-j ACCEPT
Open internal hosts to ssh to external hosts
Enable intranet and ssh to external hosts.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open external host ssh port 22
###-----------------------------------------------------###
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 22-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 22-d $ FW_IP -- dport 1024: 65535-j ACCEPT
# The following are differences between ssh protocols:
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1020:1023-d any/0 -- dport 22-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 22-d $ FW_IP -- dport 1020:1023-j ACCEPT
Enable internal hosts to ftp to external hosts
Enable intranet and ftp to external hosts.
The procedure is as follows: (the default policy is DROP)
###-----------------------------------------------------###
# Open to external host ftp port 21
###-----------------------------------------------------###
# Open the command channel 21
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 21-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 21-d $ FW_IP -- dport 1024: 65535-j ACCEPT
# Open channel 20
Iptables-a input-I eth0-p tcp-sany/0 -- sport 20-d $ FW_IP -- dport 1024: 65535-j ACCEPT
Iptables-a output-o eth0-p tcp! -- Syn-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 20-jACCEPT
# Open the passive mode FTP data channel
Iptables-a output-o eth0-p tcp-s $ FW_IP -- sport 1024: 65535-d any/0 -- dport 1024: 65535-j ACCEPT
Iptables-a input-I eth0-p tcp! -- Syn-s any/0 -- sport 1024: 65535-d $ FW_IP -- dport 1024: 65535-jACCEPT
Open ping
You can ping any host externally.
The procedure is as follows: (the default policy is DROP)
Iptables-a output-o eth0-p icmp-s $ FW_IP -- icmp-type 8-d any/0-j ACCEPT
Iptables-a input-I eth0-p icm-sany/0 -- icmp-type 0-d $ FW_IP-j ACCEPT
**************************************** **************************************** **************************************** *********************************
Append:
Question 1: Why does each function use two links of INPUT and OUTPUT? does their function allow the output of the Gateway machine and then allow the LAN to the Gateway machine?
_____
/\.
Incoming --> [Routing] ---> | FORWARD | -------> Outgoing
[Demo-] \ _____/^
|
V _____
____/\
// \ | OUTPUT |
| INPUT | \______/
\____/^
|
----> Local Process ----
Analyze the handling process of the package in the chain!
Three circles represent the preceding three chains. when a package arrives at one of the chains, the corresponding chains will be tested (examined) to determine how to deal with the package. If the chain thinks
The packet should be dropped. if the chain thinks it should ACCEPT the packet, it will continue to traverse in the figure.
(1) when a package enters, the kernel first looks at the destination of the package. if the destination address is the local machine, the package goes down to the INPUT chain. if the destination address can pass the detection, the package is processed later.
Program.
(2) if the destination address is not the local host, but the kernel does not enable the forwarding function, or the kernel does not know how to forward the package, the package will be discarded.
(3) If the destination address is not the local machine and the forwarding function is enabled, the package will be directed to the FORWARD link on the right. If the package is accepted, it will be sent out.
(4) a program running on the local machine sends a network package, and the package passes through the OUTPUT chain directly. if it is accepted, the package will be sent to the network interface specified by the package.
Note: Incoming & Outgoing can be intranet or Internet, and Local Process is a server that provides proxy or IP address filtering.
Now that you know the functions of each chain, you will be able to understand the meaning of the INPUT and OUTPUT rule statements at the same time.