Iptables Study Notes

Source: Internet
Author: User

1. Tables:
mangle: changes packet header fields (TOS/TTL/mark). It is recommended not to do any filtering here.
nat: rewrites the source or destination address of a packet. Only the first packet of a connection is matched against this table; conntrack then applies the same translation to every later packet of that connection. Targets: DNAT/SNAT/MASQUERADE.
filter: the filtering table, where it is decided whether a packet is accepted or dropped.

2. Chains:
PREROUTING: every packet arriving from the network enters this chain first, before the routing decision.
POSTROUTING: the last chain for every packet leaving the host, after the routing decision.
INPUT: packets whose destination is the local host.
OUTPUT: packets generated by the local host.
FORWARD: packets routed through the host; they never reach a local process.

There are three cases:
a) Packet destined for the local host: network --> (mangle) PREROUTING --> (nat) PREROUTING --> routing decision --> (mangle) INPUT --> (filter) INPUT --> local process
b) Packet generated by the local host: local process --> routing decision --> (mangle) OUTPUT --> (nat) OUTPUT --> (filter) OUTPUT --> (mangle) POSTROUTING --> (nat) POSTROUTING --> network
c) Routed packet: network --> (mangle) PREROUTING --> (nat) PREROUTING --> routing decision --> (mangle) FORWARD --> (filter) FORWARD --> (mangle) POSTROUTING --> (nat) POSTROUTING --> network

3. Stateful firewall: all connection-tracking state is created and updated at two points only, the PREROUTING hook for packets coming in from the network and the OUTPUT hook for locally generated packets. Conntrack runs there before the mangle and nat chains, so NAT rules already see the tracked connection, and any rule in any chain can match on its state.

4. Connection tracking table: /proc/net/ip_conntrack (on current kernels /proc/net/nf_conntrack, or the command conntrack -L from conntrack-tools)
[UNREPLIED]: the connection has not yet seen a reply from the other side.
[ASSURED]: traffic has been seen in both directions; such entries are never evicted early.
Entries without the [ASSURED] tag are the ones deleted when the table is full. If the table is full and nothing can be evicted, new connections are dropped and the kernel logs "nf_conntrack: table full, dropping packet".
The maximum number of entries is set in /proc/sys/net/ipv4/ip_conntrack_max (on current kernels the sysctl is net.netfilter.nf_conntrack_max).

5. The four connection states a packet can be matched on (-m state --state ...):
NEW: conntrack has seen the first packet of a connection and no reply from the other side yet.
ESTABLISHED: traffic has been seen in both directions. Any reply to the first packet is enough, including an ICMP reply, e.g. the echo reply to a ping we sent.
RELATED: a new connection associated with an existing ESTABLISHED connection, e.g. the FTP data connection spawned by the FTP control connection, or an ICMP error message that refers to an existing connection.
INVALID: the packet cannot be associated with any known connection, or its header makes no sense for the connection it claims to belong to; normally dropped.

Syntax: iptables [-t table] command [match] [target/jump]
-t table: the table to operate on; defaults to the filter table.
match: the criteria a packet must meet for the rule to apply.
target: what to do with a packet that matches.

1. command: see the help output of iptables -h (e.g. -A append, -I insert, -D delete, -L list, -F flush, -P set a chain's default policy).
2. Match -p: protocol. Protocols are defined in /etc/protocols; the usual values are tcp, udp, icmp and all.
3. Match -s, -d: source and destination address, either a single IP or a network in CIDR notation, e.g. 192.168.0.0/24.
4. Match -f: matches the second and all later fragments of a fragmented packet. Those fragments carry no transport header, so port matches cannot see them.
5. Match -m multiport --sports 22,110: matches several source ports in one rule (--dports for destination ports, --ports for either side); requires -p tcp or -p udp.
6. Match -m owner --pid-owner 78: matches packets created by a given process (also --uid-owner, --sid-owner). The owner match is only valid in the OUTPUT and POSTROUTING chains, since incoming packets have no local owner. --pid-owner and --sid-owner were removed from the kernel long ago; on current systems only --uid-owner, --gid-owner and --socket-exists remain.
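The states of item 5 and the matches of items 2 to 6 come together in an ordinary stateful ruleset. The script below is an added example, not a command set from the original notes. It assumes eth0 is the Internet interface, eth1 the LAN interface with network 192.168.1.0/24, that the firewall itself serves SSH to the LAN and HTTPS to everyone, and it wraps iptables in a small function that prints the commands unless DRY_RUN=0, so the rule order can be checked before the script is run as root. -m state is the spelling used in these notes; on current systems -m conntrack --ctstate accepts the same state names.

```shell
#!/bin/sh
# Added example: a deny-by-default stateful filter ruleset (not from the notes).
# Assumptions: eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24, the
# firewall offers SSH (22) to the LAN and HTTPS (443) to everyone.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them;
# DRY_RUN=0 applies them and needs root.
DRY_RUN=${DRY_RUN:-1}
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24

# Print or execute one iptables command, depending on DRY_RUN.
ipt() { if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi; }

stateful_ruleset() {
    # Start clean, deny by default; locally generated traffic may leave.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INVALID packets belong to no known connection: drop them before anything else.
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Anti-spoofing: a LAN source address must never arrive on the WAN interface.
    # Placed before the ESTABLISHED rule so it is checked for every packet.
    ipt -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # Replies (ESTABLISHED) and helper-opened connections such as FTP data
    # (RELATED) are accepted without listing them port by port.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    ipt -A INPUT -i lo -j ACCEPT

    # Only the first packet of a connection is NEW; these rules decide which
    # connections may be opened at all. multiport needs -p tcp or -p udp.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp -m multiport --dports 22,443 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Everything else: log at a bounded rate (an attacker must not be able to
    # fill the kernel log), answer LAN hosts with an error so they fail fast,
    # and stay silent toward the Internet (the DROP policy takes over).
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix IPT-INPUT-DENY:
    ipt -A INPUT -i "$LAN" -j REJECT --reject-with icmp-port-unreachable
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix IPT-FWD-DENY:
    ipt -A FORWARD -i "$LAN" -j REJECT --reject-with icmp-net-unreachable
}

stateful_ruleset
```

The order matters more than the individual rules: INVALID and anti-spoofing first, then the single ESTABLISHED,RELATED rule that handles all return traffic, and only then the per-service NEW rules, so a service rule never has to reason about replies.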
7. DNAT target: rewrites the destination IP address; valid only in the PREROUTING and OUTPUT chains of the nat table.
SNAT target: rewrites the source IP address; valid only in the POSTROUTING chain of the nat table.
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.9
# All traffic to 15.45.23.67:80 is DNATed to 192.168.1.9:80 (the port is kept unless --to-destination names another one).
If a machine on the same LAN as 192.168.1.9 connects to 15.45.23.67, the firewall needs a second rule that also rewrites the source address to the firewall's LAN IP, 192.168.1.1. Otherwise 192.168.1.9 answers the LAN client directly, and the client discards the reply because it comes from 192.168.1.9 rather than from 15.45.23.67, the address it connected to. POSTROUTING runs after the DNAT, so this rule must match the translated destination 192.168.1.9, not 15.45.23.67 (the LAN is assumed to be 192.168.1.0/24):
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.9 --dport 80 -j SNAT --to-source 192.168.1.1
# LAN connections to the forwarded web server now appear to come from 192.168.1.1, so the replies go back through the firewall. Without the -s restriction every Internet client would also appear as 192.168.1.1 in the server's logs.
If the firewall itself also needs to reach 15.45.23.67:80, the DNAT has to be repeated in the OUTPUT chain, because locally generated packets never pass through PREROUTING (-p tcp is required before --dport, otherwise iptables rejects the option):
iptables -t nat -A OUTPUT -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.9
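The three rules of item 7 as one script, together with the filter-table rule and the ip_forward switch (described at the end of these notes) without which nothing is forwarded at all. This is an added example, not from the original notes. It assumes the notes' addresses (public 15.45.23.67 on eth0, 192.168.1.1 on eth1, web server 192.168.1.9) plus a LAN of 192.168.1.0/24, and wraps iptables so that the commands are printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: port forwarding with the hairpin fix and the OUTPUT-chain copy
# (not from the notes). Assumptions: the firewall holds 15.45.23.67 on eth0 and
# 192.168.1.1 on eth1, the LAN is 192.168.1.0/24, the web server is 192.168.1.9.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them as root.
DRY_RUN=${DRY_RUN:-1}
PUBLIC_IP=15.45.23.67
FW_LAN_IP=192.168.1.1
LAN_NET=192.168.1.0/24
WEB_SERVER=192.168.1.9
WAN=eth0

# Print or execute one iptables command, depending on DRY_RUN.
ipt() { if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi; }

nat_ruleset() {
    ipt -t nat -F

    # 1. Anyone reaching public:80 is sent to the web server. DNAT is valid only
    #    in nat PREROUTING and OUTPUT; only the first packet of a connection is
    #    evaluated, conntrack translates the rest and un-translates the replies.
    ipt -t nat -A PREROUTING -p tcp -d "$PUBLIC_IP" --dport 80 -j DNAT --to-destination "$WEB_SERVER"

    # 2. Hairpin. A LAN client connecting to the public address would get the
    #    server's reply directly, with source 192.168.1.9 instead of the address
    #    it connected to, and discard it. Rewriting the source to the firewall's
    #    LAN address forces the reply back through the firewall, which restores
    #    both addresses. POSTROUTING runs after the DNAT, so the rule matches the
    #    translated destination; the -s restriction keeps real client addresses
    #    in the web server's logs for Internet visitors.
    ipt -t nat -A POSTROUTING -p tcp -s "$LAN_NET" -d "$WEB_SERVER" --dport 80 -j SNAT --to-source "$FW_LAN_IP"

    # 3. Packets generated on the firewall itself never traverse PREROUTING, so
    #    the same DNAT is needed in nat OUTPUT. -p tcp must precede --dport.
    ipt -t nat -A OUTPUT -p tcp -d "$PUBLIC_IP" --dport 80 -j DNAT --to-destination "$WEB_SERVER"

    # 4. Ordinary outbound access for the LAN. The public address is static, so
    #    SNAT rather than MASQUERADE is the right target.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"

    # 5. NAT only rewrites addresses; the filter table must still allow the
    #    forwarded traffic. FORWARD already sees the translated destination.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
}

# Nothing is forwarded unless routing between interfaces is switched on.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'sysctl -w net.ipv4.ip_forward=1'
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

enable_forwarding
nat_ruleset
```

Rule 2 and rule 4 both live in POSTROUTING but never overlap: the hairpin connection leaves through the LAN interface, rule 4 only matches packets leaving through eth0.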
8. MASQUERADE target
Like SNAT, but without --to-source: the source is rewritten to the address of the outgoing interface, looked up automatically, so only --to-ports can be given. Use SNAT for static addresses; it keeps its connection-tracking entries when an interface goes down. Use MASQUERADE for dynamic addresses (PPP, DHCP): when the interface goes down its tracked connections are discarded, which is what you want if the address is about to change, at the cost of a little extra overhead for the address lookup on each new connection. MASQUERADE is only valid in the POSTROUTING chain of the nat table.
9. MIRROR target
Swaps the source and destination address in the IP header and sends the packet back where it came from. It was an experimental target and has been removed from current kernels; do not rely on it.
10. REDIRECT target
Redirects the packet to a port on the firewall itself; valid only in the PREROUTING and OUTPUT chains of the nat table. Commonly used for transparent proxies.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080-8090
# Web traffic passing through the firewall is redirected to a local port in the range 8080-8090, where the proxy has to be listening.
11. REJECT target
Like DROP, but DROP discards the packet silently while REJECT sends an error back and lets you choose which one with --reject-with (the default is icmp-port-unreachable; tcp-reset is available for TCP). It is valid only in the INPUT, FORWARD and OUTPUT chains of the filter table.
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with icmp-net-unreachable
12. RETURN target
Stops traversing the current chain and continues with the rule after the jump in the calling chain. In a built-in chain, which has no caller, the chain's default policy is applied.
13. TTL target (mangle table)
Changes the TTL of a packet. Some ISPs look at the TTL to detect that more than one machine is sharing the connection.
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
# Packets leave the firewall with a TTL 2 lower than they arrived with: 1 from this rule, plus the 1 the firewall subtracts itself when it routes the packet.
iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
# Packets leave with the same TTL they arrived with, so the firewall does not show up as a hop in traceroute.
14. LOG target
Logs through the kernel log, readable with dmesg or in syslog; --log-prefix tags the entries. LOG is non-terminating: the packet continues to the next rule, so a LOG rule is normally followed by the DROP or REJECT it documents.
15. ULOG target
Sends the packet to a userspace logging daemon (ulogd) over netlink instead of the kernel log. ULOG has since been superseded by NFLOG, which ulogd also supports and which works for IPv6 as well.

Turn on IP forwarding (without it the FORWARD chain never sees any traffic):
echo "1" > /proc/sys/net/ipv4/ip_forward
# This does not survive a reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent.
If the interface gets a dynamic IP (PPP, DHCP and so on), also enable:
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# ip_dynaddr rewrites the source address of connections that were started while the interface was still coming up (dial-on-demand), so they survive the address assignment.

