The iptables tables in everyday use are filter, nat and mangle.
The filter table has three built-in chains: INPUT, FORWARD and OUTPUT.
The nat table has three built-in chains: PREROUTING, OUTPUT and POSTROUTING.
The mangle table has five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
Set the default policy of each chain in the filter table (everything not matched by an explicit rule is dropped):
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
List the rules (numeric output, no name resolution; -t selects a table, filter by default):
iptables [-t table] -L -n
List the rules with their position numbers in each chain:
iptables -L -n --line-numbers
Delete a rule by its position number in a given chain (the chain is required):
iptables -D <chain> <number>
Example:
Allow access to port 22:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
This statement inserts the new rule at the top of the chain. Rule order matters, because the first matching rule decides the packet's fate:
-A appends the rule at the end of the chain.
-I inserts the rule at the beginning of the chain.
Block all traffic from the source address 192.168.1.2:
iptables -I INPUT -s 192.168.1.2 -j DROP
Match multiple ports in one rule (the multiport match; the original wrote the table name "filter" where a chain name such as INPUT is required):
iptables -A INPUT -p tcp -m multiport --destination-ports 22,53,80,110 -s 192.168.20.3 -j REJECT
Match several source ports, or a contiguous range of source ports:
iptables -A INPUT -p tcp -m multiport --source-ports 80,110 -s 192.168.20.3 -j REJECT
iptables -A INPUT -p tcp --sport 2:80 -s 192.168.20.3 -j REJECT
SNAT: source address translation
Source address translation is typically used when many intranet users reach the Internet through a single Internet-facing interface. The intranet source addresses are rewritten to the public IP address, so the hosts can communicate with other Internet addresses.
So we define the translation in iptables.
For example, to rewrite every address in the 192.168.10.0/24 block to the Internet address 172.16.100.1:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
With this rule, any connection from the local network that leaves through that interface appears to come from 172.16.100.1.
What if 172.16.100.1 is not fixed?
With a consumer connection from China Unicom or China Telecom, a different public IP address is assigned each time the system connects, so the Internet address changes dynamically. In that case SNAT to a fixed address is replaced by MASQUERADE (dynamic masquerading): it looks up the current address of the outgoing interface automatically and rewrites the source to that address. The rule becomes:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Note: masquerading is not suitable everywhere; with a fixed public address, SNAT is the better choice.
DNAT: destination address translation
With destination address translation the traffic flows from outside in: the external host is the client and the server is what gets translated. External clients connect to our public IP address, and the destination is rewritten so that the request reaches a server on the intranet; different services can thus live on different intranet servers behind one public address.
How is the destination address translated?
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
The destination address must be rewritten before the kernel makes its routing decision for the packet, which is why the rule goes in the PREROUTING chain.
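The rules above, assembled into one ruleset in iptables-restore(8) format so the whole policy can be reviewed and loaded atomically. This is an added example, not code from the original post; the addresses are the page's, the loopback and ESTABLISHED,RELATED rules are additions that the page's default DROP policy needs so that replies to the host's own connections are not discarded, and the interface names are left out.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the page's policy as an
# iptables-restore ruleset: "gen_rules fixed" for SNAT to a fixed public
# address, "gen_rules dynamic" for MASQUERADE. Load with: iptables-restore < file
# For the NAT part to forward anything, net.ipv4.ip_forward=1 is also required.
LAN_NET="192.168.10.0/24"
BLOCKED_SRC="192.168.1.2"
PUBLIC_IP="172.16.100.1"     # fixed public address (SNAT case)
WEB_FRONT="192.168.10.18"    # address external clients connect to (DNAT case)
WEB_BACKEND="172.16.100.2"   # intranet server that really answers on port 80
gen_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${BLOCKED_SRC} -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -s ${LAN_NET} -j ACCEPT
-A FORWARD -d ${WEB_BACKEND} -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}
# $1 = "fixed" (SNAT to PUBLIC_IP) or "dynamic" (MASQUERADE, address taken from the interface)
gen_nat() {
    if [ "$1" = "dynamic" ]; then
        snat="-j MASQUERADE"
    else
        snat="-j SNAT --to-source ${PUBLIC_IP}"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d ${WEB_FRONT} -p tcp --dport 80 -j DNAT --to-destination ${WEB_BACKEND}
-A POSTROUTING -s ${LAN_NET} ${snat}
COMMIT
EOF
}
gen_rules() { gen_filter; gen_nat "$1"; }
```

The block of the blocked source address is placed before the port-22 ACCEPT on purpose: because the first match wins, the reverse order would let that host reach SSH.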
For more detailed iptables configuration, see http://blog.csdn.net/cssmhyl/article/details/7966789
This article is from the "ly12743 O & M" blog; please keep this source: http://ly36843.blog.51cto.com/3120113/1653909
Iptables Rule Configuration