iptables knowledge summary

I recently used the iptables command in a job, mainly for port mapping. I checked a lot of material on the Internet; although there are many examples, it still took me several days to understand it. Here I summarize what I learned. The following are my personal opinions (some of them are summarized from the network and are constantly being improved ...).

i. Basic knowledge

(1) iptables introduction

iptables is an excellent NAT + firewall tool for Linux. iptables operates on netfilter, which is part of the 2.4 kernel and later, so it requires a Linux kernel of 2.4 or newer. Its functionality and security are far more powerful than those of its predecessors ipfwadm and ipchains. iptables generally works at Layers 2, 3 and 4 of the OSI model.

First, let me briefly introduce the general workflow of netfilter, that is, how a packet is processed when it reaches a network interface (NIC) of a Linux machine; then I will introduce how iptables is used to change or control that packet.

netfilter has three built-in tables: filter, nat, and mangle, and each table contains several chains. The filter table, which implements the firewall function, defines three chains: INPUT, FORWARD and OUTPUT (for packets entering, being forwarded through, and leaving the host); operations on this table are the main means of implementing a firewall. The nat (Network Address Translation) table defines three chains, PREROUTING, POSTROUTING and OUTPUT, which are used mainly for address translation and port forwarding. The mangle table is used for custom packet modification; it contains the chains of both the filter and nat tables above, which lets us perform some custom operations, and each of its chains has its own priority in netfilter's packet-processing sequence. (We do not know much about this table, and usually do not need it, so it is not introduced here.)
The following figure clearly depicts the netfilter packet processing process.

(2) Basic operation

① Starting, stopping, restarting and saving with the iptables command:

  # /etc/init.d/iptables start
  # service iptables start
  # /etc/init.d/iptables stop
  # /etc/init.d/iptables restart
  # service iptables restart
  # /etc/init.d/iptables save

2. Application

(1) Port mapping

Premise: a Linux computer with two NICs and the IP addresses 192.168.1.2 and 202.201.1.2; the intranet has a web server at 192.168.1.6.

Requirement: entering 202.201.1.2:8000 in a browser on the Internet reaches the web service on port 80 of 192.168.1.6.

Detailed configuration:

Note: before doing this, enable the kernel's IP forwarding. In the /etc/sysctl.conf configuration file set net.ipv4.ip_forward = 1 (the default value is 0, and root permission is needed to change it). You can also run the following command:

  # echo 1 > /proc/sys/net/ipv4/ip_forward

① Clear the original rules:

  # iptables -F -t nat
  # iptables -F -t filter
  # /etc/init.d/iptables save

② Configure the mapping rules:

  # iptables -t nat -A PREROUTING -d 202.201.1.2 -p tcp --dport 8000 -j DNAT --to-destination 192.168.1.6:80
  # iptables -t nat -A POSTROUTING -d 192.168.1.6 -p tcp --dport 80 -j SNAT --to 192.168.1.2
  # iptables -A FORWARD -o eth0 -d 192.168.1.6 -p tcp --dport 80 -j ACCEPT
  # iptables -A FORWARD -i eth0 -s 192.168.1.6 -p tcp --sport 80 -j ACCEPT
  # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(The first rule rewrites the destination of packets arriving for 202.201.1.2:8000 to 192.168.1.6:80; the second rewrites their source to 192.168.1.2 so that the web server's replies come back through this host; the FORWARD rules accept the requests towards the server, its replies, which originate from port 80, and any other established traffic.)

③ Save and start the service:

  # /etc/init.d/iptables save
  # service iptables restart

Note: the /proc/net/ip_conntrack file shows the direction of each tracked packet flow.

(2) IP mapping

Premise: first add an IP address to a network card on Linux; one NIC on Linux can have multiple IP addresses. For the dual-NIC Linux host the addresses are eth0: 192.168.1.2/24 and eth1: 192.168.2.2/24.
Requirement: map the IP address 192.168.2.5 to 192.168.1.2 on Linux.

① Add the address to eth0 on Linux:

  # ip address add 1.1.1.1/30 brd + dev eth0

② iptables configuration:

  # iptables -A FORWARD -s 192.168.12.95 -j ACCEPT
  # iptables -A FORWARD -d 192.168.12.95 -j ACCEPT
  # iptables -t nat -A PREROUTING -d 202.201.1.2 -j DNAT --to-destination 192.168.1.6
  # iptables -t nat -A POSTROUTING -d 192.168.1.6 -j SNAT --to-source 192.168.1.2
  # /etc/init.d/iptables save
  # service iptables restart
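As an added example (not part of the original post), the following shell script reads entries in the /proc/net/ip_conntrack layout mentioned in section 2(1) and lists the flows the kernel is currently translating, which is a quick way to confirm that DNAT/SNAT rules like the port-mapping rules above are doing what you expect. The sample entries, the client address 203.0.113.10 and the function names nat_flows/nat_flows_sample are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Each ip_conntrack entry lists
# the original-direction tuple (src/dst/sport/dport) first and the reply-direction
# tuple second. If the reply tuple is not just the original tuple mirrored, some
# NAT rule rewrote the flow.

# Constructed sample in the /proc/net/ip_conntrack layout. Line 1 is the post's
# port mapping in action (DNAT 202.201.1.2:8000 -> 192.168.1.6:80 plus SNAT to
# 192.168.1.2); line 2 is an untranslated SSH connection to the host itself.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=202.201.1.2 sport=51234 dport=8000 src=192.168.1.6 dst=192.168.1.2 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.20 dst=192.168.1.2 sport=40000 dport=22 src=192.168.1.2 dst=192.168.1.20 sport=22 dport=40000 [ASSURED] mark=0 use=1'

# Reads conntrack lines on stdin and prints one line per translated TCP flow:
#   <client>:<port> -> <original dst>:<port> => <real dst>:<port> (server sees client as <snat src>:<port>)
nat_flows() {
    awk '$1 == "tcp" {
        n = 0
        # collect the src=/dst=/sport=/dport= values in order: 1-4 original, 5-8 reply
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) { split($i, kv, "="); v[++n] = kv[2] }
        }
        if (n < 8) next
        # an untranslated flow has reply src/sport == original dst/dport
        # and reply dst/dport == original src/sport: nothing to report
        if (v[5] == v[2] && v[7] == v[4] && v[6] == v[1] && v[8] == v[3]) next
        printf "%s:%s -> %s:%s => %s:%s (server sees client as %s:%s)\n",
               v[1], v[3], v[2], v[4], v[5], v[7], v[6], v[8]
    }'
}

# Runs the check over the constructed sample; on a live host use
#   nat_flows < /proc/net/ip_conntrack   (or /proc/net/nf_conntrack on newer kernels)
nat_flows_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | nat_flows
}

nat_flows_sample
```

The "server sees client as" field makes the cost of the POSTROUTING SNAT rule visible: the web server's own logs will record 192.168.1.2 rather than the real client address, so keep the firewall's conntrack data if you need to attribute requests.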