Iptables knowledge theory learning and practice examples

What is iptables, a learning and practice example of iptables knowledge theory? Without explanation, go to the topic. The command structure of iptables is iptables [-ttable] command [match] [target]. Next, we will introduce the learning and practice of [-ttable] part [-tt iptables knowledge theory. for example, what is iptables? Without explanation, go to the topic. The command structure of iptables is iptables [-t table] command [match] [target]. the following one describes the [-t table] section of [-t table ]. any table other than the standard table. A table is an information packet filtering table that contains rules and links that only process specific types of information packets. There are three available table options: filter, nat, and mangle. This option is not required. if not specified, the filter is used as the default table. Filters are used to filter information packets, including INPUT, OUTPUT, and FORWARD chains. INPUT: indicates that the matched destination IP address is the local data packet OUTPUT: indicates that the matched source ip address is the local data packet FORWARD: indicates that the data packet that matches the local data packet nat is used for the information packet to be forwarded, contains PREROUTING, OUTPUT, and POSTROUTING chains. PREROUTING: modify the destination address (DNAT) POSTROUTING: modify the source address (SNAT) mangle table, ####################################### ###################################### command command is the most important part of the iptables command. It tells the iptables command what to do, such as inserting rules, adding rules to the end of the chain, or deleting rules. - <链名> APPEND: append a rule (to the end). For example, iptables-t filter-a input-j DROP adds A rule (as the last rule) to the INPUT chain of the filter table ), discard all packets whose destination IP address is local. Before I enable the firewall, I can run the ping192.168.254.153 sub-host. after the firewall is turned on, the ping will fail and my ssh will be disconnected, because the firewall discards all the packets, includes ssh-linked packages. Because I can no longer use ssh links, I can only clear the firewall on the server. after clearing the firewall, I can ping the INPUT: match the destination IP address as the local data packet FORWARD passed through the local data packet, PREROUTING is used to modify the destination address (DNAT) POSTROUTING. it is used to modify the source address (SNAT). to ensure that ssh will not be disconnected when I test iptables usage, so here I add an iptables rule first, and I still enable to discard all packets whose destination IP address is the local IP address.

Then I append a policy.

As you can see, my new policy is behind the drop, that is, all packets are rejected first, so the network is different. as mentioned above, -A is the last entry added to INPUT.

The command iptables-d input-s 192.168.254.153-j ACCEPT is also used here, therefore, the usage of-D does not need to emphasize iptables-I input-s 192.168.254.153-j ACCEPT --------------- here-I refers to adding rules to the first one. you can also see the difference between the two. to repeat the command, I will use A table to compare the command function description usage example-A (or -- append) add A rule to the end of the chain iptables-t filter-a input-j DROP and add A rule at the end of the input chain, discard all packets whose destination IP address is local-D (or -- delete) delete iptables-d input-s 192.168.254.153-j ACCEPT from the chain and delete the packages matching the rule. iptables-D OUPU T 3 delete the rule 3 in the OUPUT chain-P (-- policy) to set the default target of the chain, all messages that do not match the link are forcibly used. iptables-p input drop discards all information packets that do not match any rules in the INPUT chain.-N (-- new-chain) create a new chain iptables-N allowed-chain create a chain-F (-- flush) if the chain name is specified, the chain will be deleted. if not specified, all links are deleted. iptables-f input clears the INPUT chain. iptables-F clears all links.-L (-- list) lists all rules in the chain. iptables-L (INPUT) only list (INPUT) chain Policy-I add a rule to the first iptables-I INPUT-s 192.168.254.153-j ACCEPT ################ ####### ######################################## ############ Match part ---------- optional match part of the matching condition iptables command specifies the characteristics (such as the source address and target address) that the information package matches with the rule. and protocols ). Matching can be classified into general matching and protocol-specific matching. This section describes General matching of information packages that can be used in any protocol. Use another table for comparison. Parameter function example-p (-- protocol) matching protocol, such as TCP, UDP, ICMP iptables-a input-p TCP, UDP is equivalent to iptales-a input-p! ICMP both matches TCP and UDP meaning-s (-- source) information. the source address matches iptables-a output-s 192.168.0.125-d (-- destination) IP address iptables-a input-d 192.168.0.125 ########################### ######################################## ##### example of the action parameter function that matches the target part ------------ In the future: ACCEPT, it is accepted and allowed to go to the destination iptables-a input-s 192.168.254.153-j accept drop. when the information package exactly matches the rule with the DROP target, this information package iptables-a input-s 192.168.254.153-j DROPREJECT is similar to DROP, but it is better than DROP. REJECT will send the error message back to the sender of the information package, the dead socket iptables-a forward-p TCP -- dport 22-j REJECTSNAT source address conversion is not left. SNAT supports converting to A single IP address, you can also switch to the IP address pool iptables-t nat-a postrouting-s 192.168.0.0/24-j SNAT -- to 1.1.1.1 to change the original address of the intranet 192.168.0.0/24 to 1.1.1.1 #### ######################################## ########################## simple application example iptables-t nat-a postrouting-s 10.8.0.0 /Route 255.255.0-o eth0-j SNAT -- to-source 192.168.5.3 convert all the packets in the 10.8.0.0 CIDR block into ip addresses of 192.168.5.3 and then send them out (source address conversion) iptables-t filter-a input-p icmp-j REJECT ---------------- refuse other hosts to ping iptables-t filter-I INPUT-p tcp -- dport 22-j reject ---------- prohibit access to me through ssh host iptables-t filter-a input-p tcp -- dport 22-s10.1.1.1-j ACCEPT ---------- allow 10.1.1.1 to access my host iptables-t filter-a input-m mac through ssh -- mac-source 00: 14: 5E: 28: A3: 20-p tcp -- dport 22-j ACCEPT iptables-t filter-a input-p tcp -- dport 22-j REJECT ----------------------------------- only users with this mac address can access my host iptables through ssh -t nat-a postrouting-s 192.168.0.0/24-j MASQUERADE --------- mask iptables-t filter-a input-I eth0-p tcp for packets whose source address is 192.168.0.0/24 -- dport 22-j ACCEPT iptables-t filter-a input-I eth1-p tcp -- dport 22-j reject -------------------------------------- allow users to ssh over the eth0 network port