iptables Summary
iptables is the packet-filtering firewall built into Linux. The following summarizes how it is used.
① iptables has five hook functions (chains) in Linux:
PREROUTING: the packet has entered the host but has not yet been routed.
INPUT: the packet is destined for the local host.
FORWARD: the packet is routed through the current host to another host.
POSTROUTING: the packet has been routed and is about to leave the current host.
OUTPUT: the packet was generated by the local host and is being sent out.
② Four tables of iptables in Linux
filter: can be applied on INPUT, FORWARD and OUTPUT.
nat: can be applied on PREROUTING, POSTROUTING and OUTPUT.
mangle: can be applied on PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD.
raw: can be applied on PREROUTING and OUTPUT.
③ iptables generic matches
-s: specifies the source address of the packets to filter.
-d: specifies the destination address of the packets to filter.
-p: specifies the protocol type to filter.
-i: specifies the network interface on which the filtered packets arrive.
-o: specifies the network interface from which the packets leave.
-j: the action (target) applied to the matched packets:
I: ACCEPT --------- accept the matched packet.
II: DROP ---------- silently discard the matched packet.
III: REJECT ------- discard the matched packet and send an error reply back to the sender.
Eg: drop the HTTP packets with which 192.168.5.1 accesses 192.168.5.10
iptables -A INPUT -s 192.168.5.1 -d 192.168.5.10 -p tcp --dport 80 -j DROP
Eg: accept the HTTP packets with which 192.168.5.1 accesses 192.168.5.10
iptables -A INPUT -s 192.168.5.1 -d 192.168.5.10 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -s 192.168.5.10 -d 192.168.5.1 -p tcp --sport 80 -j ACCEPT
When writing rules for received packets, remember that traffic flows in both directions: a request allowed on INPUT needs a matching reply rule on OUTPUT.
Save the custom iptables rules:
service iptables save
iptables -L -nv --line-numbers // view the current firewall rules with their rule numbers.
④ Managing rules
-A: append a rule at the end of the chain.
-I: insert a rule; if the position is omitted, it is inserted at the top of the chain.
-D: delete a rule.
-R: replace the specified rule.
Managing a chain:
-F: flush all rules on a chain.
-P: change the default policy of a chain.
-N: define a new, empty custom chain.
-X: delete a custom empty chain.
⑤ Using extension match options
Eg: control the connection state of HTTP requests to the server 192.168.5.1.
iptables -A INPUT -d 192.168.5.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.5.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
// On INPUT the server accepts NEW and ESTABLISHED packets; on OUTPUT it only sends packets belonging to an ESTABLISHED connection.
Eg: multiple ports
iptables -A INPUT -d 192.168.5.1 -p tcp -m multiport --destination-ports 21,22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
// Ports 21, 22 and 80 are allowed on the INPUT chain for NEW or ESTABLISHED connections.
Eg: write rules so that a single IP address may have at most three SSH connections; once it has made more than three new connections, further connections are only processed after five minutes.
iptables -A INPUT -d 192.168.5.1 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
iptables -A INPUT -d 192.168.5.1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH // record each NEW connection to SSH, keyed by source IP address, in the list named SSH.
iptables -A INPUT -d 192.168.5.1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP // once a source has made three or more NEW connections within 300 seconds, further connections are dropped; --seconds and --hitcount must be used together with --update.
Eg: during an HTTP request, if the requested page contains the string H7N9, the request is not allowed through.
iptables -A OUTPUT -d 192.168.5.1 -p tcp --dport 80 -m string --algo kmp --string "H7N9" -j DROP
// Note that the direction is OUTPUT.
⑥ NAT:
DNAT: destination address translation
SNAT: source address translation
Eg: when accessing the Internet, translate the source addresses in 192.168.5.0/24 to 172.16.10.1.
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j SNAT --to-source 172.16.10.1
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE // if the public address changes dynamically, use MASQUERADE so the source address is chosen automatically.
Eg: when outside hosts access the external address 172.16.10.1, translate the destination to 192.168.5.1 on the intranet.
iptables -t nat -A PREROUTING -d 172.16.10.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1
You can also perform port mapping:
iptables -t nat -A PREROUTING -d 172.16.10.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1:8080
⑦ When iptables is enabled, use lsmod | grep ip to view the loaded netfilter modules. On a Linux 6.4 system the maximum number of tracked connections can be read from /proc/sys/net/nf_conntrack_max. On a very busy server, once the number of connections exceeds that configured maximum, new connections are dropped in large numbers. The state of every currently tracked connection is recorded in /proc/net/nf_conntrack; you can also view it with iptstate.
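As an added example (not from the original post), the script below summarizes a /proc/net/nf_conntrack dump against nf_conntrack_max, so a table that is filling up is noticed before new connections start being dropped. It assumes the line layout shown in the constructed sample; the sample entries are made up, not a real capture.

```shell
#!/bin/sh
# Added example: summarize conntrack entries and compare them with nf_conntrack_max.
# Constructed sample of /proc/net/nf_conntrack lines (not a real capture).
SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.5.20 dst=192.168.5.1 sport=51234 dport=22 src=192.168.5.1 dst=192.168.5.20 sport=22 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.5.30 dst=192.168.5.1 sport=40001 dport=80 [UNREPLIED] src=192.168.5.1 dst=192.168.5.30 sport=80 dport=40001 mark=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=192.168.5.30 dst=192.168.5.1 sport=40002 dport=80 [UNREPLIED] src=192.168.5.1 dst=192.168.5.30 sport=80 dport=40002 mark=0 use=2
ipv4     2 udp      17 29 src=192.168.5.40 dst=192.168.5.1 sport=53000 dport=53 src=192.168.5.1 dst=192.168.5.40 sport=53 dport=53000 mark=0 use=2'

# conntrack_summary <dump-text> <nf_conntrack_max>
# Prints the total entry count and table usage, one line per TCP state,
# the source IP holding the most entries, and a warning at 80% usage.
conntrack_summary() {
    printf '%s\n' "$1" | awk -v max="$2" '
        {
            total++
            # Only TCP lines carry a state in field 6; udp/icmp lines do not.
            state = ($3 == "tcp") ? $6 : "-"
            states[state]++
            # The first src= field is the original direction, i.e. the client that opened the flow.
            for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { src = substr($i, 5); break }
            bysrc[src]++
        }
        END {
            usage = (max > 0) ? 100 * total / max : 0
            printf "total=%d max=%d usage=%d%%\n", total, max, usage
            for (s in states) printf "state %s=%d\n", s, states[s]
            top = ""
            for (s in bysrc) if (top == "" || bysrc[s] > bysrc[top]) top = s
            printf "top_src=%s count=%d\n", top, bysrc[top]
            if (max > 0 && usage >= 80)
                print "WARNING: conntrack table nearly full; new connections will be dropped"
        }'
}

# Against the live table this would be:
# conntrack_summary "$(cat /proc/net/nf_conntrack)" "$(cat /proc/sys/net/nf_conntrack_max)"
conntrack_summary "$SAMPLE" 20
```

A burst of SYN_SENT entries from one source, as in the sample, is the usual sign of a table being filled by half-open connections rather than real traffic.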
Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.