After a long stretch of configuring iptables, I have collected several iptables application examples for your reference.
I. Single-rule examples
iptables -F
# -F flushes: it removes all rules from every chain of the filter table (the default table when -t is not given).
iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# In the filter table, accept packets on the INPUT chain whose source address is 172.20.20.1 and whose connection state is NEW, ESTABLISHED or RELATED.
iptables -A INPUT -s 172.20.20.1/32 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 123,110 -j ACCEPT
# -p specifies the protocol and -m loads a match module. The multiport module matches several non-adjacent port numbers in one rule (its option is --dports, plural). The complete meaning: TCP packets from source address 172.20.20.1, in state NEW or ESTABLISHED, with destination port 123 or 110, are accepted.
iptables -A INPUT -s 172.20.22.0/24 -m state --state NEW,ESTABLISHED -p tcp -m multiport --dports 123,110 -j ACCEPT
iptables -A INPUT -s 0/0 -m state --state NEW -p tcp -m multiport --dports 123,110 -j DROP
# Drop all TCP packets in state NEW, from any source (0/0), destined for port 123 or 110. Since the first matching rule wins, this catch-all must come after the ACCEPT rules above.
iptables -A INPUT ! -s 172.20.89.0/24 -m state --state NEW -p tcp -m multiport --dports 1230,110 -j DROP
# "!" negates the match that follows it: NEW TCP packets to port 1230 or 110 from every source except 172.20.89.0/24 are dropped.
iptables -R INPUT 1 -s 192.168.6.99 -p tcp --dport 22 -j ACCEPT
# -R replaces the first rule in the INPUT chain with this one.
iptables -t filter -L INPUT -vn
# List the INPUT chain of the filter table, verbose (-v) and in numeric format (-n, no name resolution).
# ------------------------------- NAT --------------------------------------
# Note: the following operations are carried out in the nat table.
iptables -t nat -F
iptables -t nat -A PREROUTING -d 192.168.102.55 -p tcp --dport 90 -j DNAT --to 172.20.11.1:800
# -A PREROUTING appends to the chain that is processed before the routing decision. Complete meaning: in the nat table, before routing, packets whose destination is 192.168.102.55 port 90 are DNATed, i.e. handed to 172.20.11.1:800.
iptables -t nat -A POSTROUTING -d 172.20.11.1 -j SNAT --to 192.168.102.55
# -A POSTROUTING appends to the chain processed after routing. Packets destined for 172.20.11.1 are SNATed: their source address is rewritten to 192.168.102.55.
iptables -A INPUT -d 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth1 -j DROP
iptables -A OUTPUT -d 192.168.20.0/255.255.255.0 -o eth1 -j DROP
iptables -A OUTPUT -s 192.168.20.0/255.255.255.0 -o eth1 -j DROP
# In the example above, eth1 is the interface connected to the external Internet and 192.168.20.0/24 is the internal network. These rules guard against IP spoofing: a packet arriving on or leaving through eth1 should carry public IP addresses, never the private internal range.
iptables -A INPUT -s 255.255.255.255 -i eth0 -j DROP
iptables -A INPUT -s 224.0.0.0/224.0.0.0 -i eth0 -j DROP
iptables -A INPUT -d 0.0.0.0 -i eth0 -j DROP
# Prevent broadcast and multicast packets from entering the LAN through the IP proxy server (the source address on the first line is reconstructed from a garbled line as the limited-broadcast address).
iptables -A INPUT -p tcp -m tcp --sport 5000 -j DROP
iptables -A INPUT -p udp -m udp --sport 5000 -j DROP
iptables -A OUTPUT -p tcp -m tcp --dport 5000 -j DROP
iptables -A OUTPUT -p udp -m udp --dport 5000 -j DROP
# Block port 5000 in both directions.
iptables -A INPUT -s 211.148.130.129 -i eth1 -p tcp -m tcp --dport 3306 -j DROP
iptables -A INPUT -s 192.168.20.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 211.148.130.128/255.255.255.240 -i eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 3306 -j DROP
# Prevent Internet users from reaching the MySQL server (port 3306): only the internal LAN and the 211.148.130.128/28 block (minus the single host .129, which is dropped first) may connect; everything else is dropped by the final rule. The order matters because the first matching rule wins.
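The MySQL rules above and the negated "! -s" rule earlier only behave as described because iptables evaluates a chain top to bottom and stops at the first match. The following is an added example (not part of the original page) that simulates that first-match evaluation in Python over the page's own rule set, including the effect of swapping the single-host DROP with the /28 ACCEPT; the packet addresses fed to it are constructed.

```python
import ipaddress

# Constructed rule set: the page's MySQL rules for port 3306, in the order
# the page gives them. Fields: (negate_src, src_network, in_interface or
# None, set of destination ports or None, target)
MYSQL_RULES = [
    (False, "211.148.130.129/32", "eth1", {3306}, "DROP"),
    (False, "192.168.20.0/24",    "eth0", {3306}, "ACCEPT"),
    (False, "211.148.130.128/28", "eth1", {3306}, "ACCEPT"),
    (False, "0.0.0.0/0",          None,   {3306}, "DROP"),
]

# The page's negated rule: "! -s 172.20.89.0/24 ... --dports 1230,110 -j DROP"
NEGATED_RULE = [(True, "172.20.89.0/24", None, {1230, 110}, "DROP")]


def evaluate(rules, src, iface, dport, policy="ACCEPT"):
    """First-match evaluation as an iptables chain does it: rules are tried
    in order, the first rule whose conditions all hold gives the verdict,
    and the chain policy applies when nothing matches.
    Returns (verdict, 1-based index of the deciding rule or None)."""
    src_ip = ipaddress.ip_address(src)
    for idx, (negate, net, rule_iface, ports, target) in enumerate(rules, 1):
        in_net = src_ip in ipaddress.ip_network(net)
        if in_net == negate:          # "!" inverts the source match
            continue
        if rule_iface is not None and rule_iface != iface:
            continue
        if ports is not None and dport not in ports:
            continue
        return target, idx
    return policy, None


def swapped(rules, a, b):
    """Return a copy of the rule list with rules a and b (1-based) exchanged,
    to show what reordering does to the verdicts."""
    out = list(rules)
    out[a - 1], out[b - 1] = out[b - 1], out[a - 1]
    return out


if __name__ == "__main__":
    for src, iface in [("211.148.130.129", "eth1"), ("211.148.130.130", "eth1"),
                       ("192.168.20.5", "eth0"), ("203.0.113.7", "eth1")]:
        print(src, iface, evaluate(MYSQL_RULES, src, iface, 3306))
    # Putting the /28 ACCEPT before the single-host DROP lets .129 through.
    print("reordered:", evaluate(swapped(MYSQL_RULES, 1, 3), "211.148.130.129", "eth1", 3306))
```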
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# REJECT is similar to DROP, but it sends the reply chosen with --reject-with back to the sending host. A tcp-reset makes the port look closed rather than filtered, so the existence of the firewall is better hidden.