Iptables usage Overview

Source: Internet
Author: User

1. Block a port: iptables -A INPUT -p tcp --dport 8702 -j DROP

2. Delete all added rules: iptables -F

3. Restart the network service: service network restart

4. service iptables save: makes the current iptables settings permanent, so they remain in effect even after service network restart.

5. Delete an iptables rule: iptables -D INPUT -p tcp --dport 8702 -j DROP

Appendix:

What is iptables?

Iptables is a packet filtering management tool built on the Netfilter architecture and is mainly used for firewalls or transparent proxies. Iptables developed out of ipchains and has become considerably more powerful. It provides three functions: packet filtering, NAT (Network Address Translation), and general pre-routing packet mangling. Packet filtering filters packets without modifying their contents; compared with ipchains, iptables is faster and easier to use for packet filtering. NAT is divided into source address NAT and destination address NAT.

With iptables you can append, insert, or delete packet filtering rules. The actual work is done by netfilter and its related modules (such as the iptables module and the NAT module). Netfilter is a general framework inside the Linux kernel. It provides a series of "tables", each table consists of several "chains", and each chain can contain one or more rules.

The default table is "filter". This table contains three chains: INPUT, FORWARD, and OUTPUT.

Each chain can have one or more rules. A rule is defined as: if the packet header meets this condition, process the packet in this way. When a packet arrives at a chain, the system starts from the first rule and checks whether the packet meets the conditions the rule defines. If it does, the packet is processed as the rule specifies; if not, the next rule is checked. Finally, if the packet matches no rule in the chain, the system processes it according to the chain's predefined policy.

Table, chain, rule

Iptables operates on three tables: the filter table, the NAT table, and the mangle table.

The NAT and mangle tables are selected with the -t parameter. Filter is the default table: if -t is not given, the filter table is operated on.

Rule: rules include filter rules and port forwarding rules. For example, to forbid any machine from pinging our server, set a rule on the server:

iptables -A INPUT ! -s 127.0.0.1 -p icmp -j DROP

This is one rule. -s gives the condition of the rule and -j gives the action (target) of the rule. The whole command reads: add to the INPUT chain of the filter table a rule that discards every ICMP packet whose source address is not 127.0.0.1.

Chain (rule chain): consists of a series of rules; each packet passes through the rules in the chain in order. Chains are divided into system chains and user-created chains. The system chains are described below.

System chains of the filter table: INPUT, FORWARD, OUTPUT

System chains of the NAT table: PREROUTING, POSTROUTING, OUTPUT

System chains of the mangle table: PREROUTING, OUTPUT

Each system chain is checked at a specific point. For example, in packet filtering, a packet whose destination is the local host enters the INPUT chain, and a packet leaving the local host enters the OUTPUT chain.

All tables and chains are empty at startup. Configuring iptables means adding the appropriate rules to the appropriate table and system chain.

--------------------------------------------------------------

Iptables syntax:

Table: iptables is named after the three tables it uses (filter, nat, and mangle). Only the filter table is used for packet filtering, and since filter is the default table it does not need to be specified.

Operation command: add, delete, update, and so on.

Chain: for packet filtering you can use the INPUT, OUTPUT, and FORWARD chains of the filter table, or user-defined chains.

Rule match: you can specify various match conditions, such as IP addresses, ports, and packet types.

Target action: what to do with a packet when a rule matches it. Commonly used targets:

ACCEPT: let the packet pass

DROP: discard the packet

Some extension targets include:

REJECT: reject the packet. The packet is discarded and a notification that it was not accepted is sent to the sender.

LOG: record information about the packet in the log

TOS: rewrite the packet's ToS value

For FORWARD rules to take effect, IP forwarding must be enabled. Either of the following two methods works (edit the file with vi, or write the value with echo):

[root@rhlinux root]# vi /proc/sys/net/ipv4/ip_forward
[root@rhlinux root]# echo "1" > /proc/sys/net/ipv4/ip_forward

[root@rhlinux root]# vi /etc/sysconfig/network
[root@rhlinux root]# echo "FORWARD_IPV4=true" >> /etc/sysconfig/network

(The second echo appends with >> so that the other settings in /etc/sysconfig/network are kept.)

--------------------------------------------------------

The iptables syntax can be simplified as:

iptables [-t table] command [chain] [rule-matcher] [-j target]

--------------------------------------------------------

Common operation commands:

-A or --append: appends one or more rules to the end of the selected chain.

-D or --delete: deletes one or more rules from the selected chain.

-R or --replace: replaces a rule in the selected chain.

-I or --insert: inserts one or more rules into the selected chain at the given rule number. If the rule number is 1, the rule goes at the head of the chain.

-L or --list: lists all rules in the selected chain. If no chain is specified, the rules of all chains are listed.

-F or --flush: clears the rules in the specified chain of the table. If no chain is specified, all chains are cleared.

-N or --new-chain: creates a user-defined chain with the specified name; the name must not be the same as an existing chain name.

-X or --delete-chain: deletes the specified user-defined chain. Before deletion, make sure no rule still references the chain. If no chain is specified, all user-defined chains are deleted.

-P or --policy: sets the default policy of a built-in chain (the chain's policy). The policy acts as the last rule of the chain, applied to packets that match none of its rules, and is shown in the header line of the chain when -L is used.

-C or --check: checks whether the specified packet matches the rules of the specified chain.

-Z or --zero: clears the packet and byte counters of the rules in the specified chain.

-h: displays help.

-------------------------------------------------------------

Common rule matchers:

-p [!] protocol: the protocol to match, which can be tcp, udp, icmp, or all. The prefix ! means every protocol except the named one.

-s [!] address[/mask]: the source address or address range.

--sport [!] port[:port]: the source port number or range. A port number or a name from the /etc/services file can be used.

-d [!] address[/mask]: the destination address or address range.

--dport [!] port[:port]: the destination port number or range. A port number or a name from the /etc/services file can be used.

--icmp-type [!] typename: the ICMP message type the rule matches (use iptables -p icmp -h to list the valid ICMP type names).

-i [!] interface-name[+]: matches a single interface or a class of interfaces. If this parameter is omitted, any interface matches; with !, packets arriving on the named interface are excluded. The interface parameter is an interface name such as eth0, eth1, ppp0, and so on. Specifying an interface that does not currently exist is completely legal; the rule takes effect only once the interface is up, which is very useful for dial-up links such as PPP. A trailing + matches all interfaces whose names begin with the given prefix. This option is valid only for the INPUT, FORWARD, and PREROUTING chains.

-o [!] interface-name[+]: the outgoing network interface the rule matches. This option is valid only for the OUTPUT, FORWARD, and POSTROUTING chains.

[!] --syn: matches only TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are requests to open a TCP connection, so blocking them on an interface blocks incoming TCP connection requests while outgoing connection requests are unaffected. This option can only be used when the protocol is set to tcp. With the ! prefix it matches the packets of an already established connection, which is generally used to restrict traffic so that only the return packets of connections initiated from the inside are let in.

----------------------------------------------------------

How to create a permanent rule set:

The file /etc/sysconfig/iptables is the default rule set file loaded by the iptables service.

You can save the iptables commands that have been executed with:

/sbin/iptables-save > /etc/sysconfig/iptables

To restore the saved rule set, use:

/sbin/iptables-restore < /etc/sysconfig/iptables

Like routes set with the route command, iptables rules are lost after a restart, so save them:

[root@rhlinux root]# service iptables save
Saving current rules to /etc/sysconfig/iptables: [ OK ]

Another method: /etc/rc.d/init.d/iptables is the startup script of iptables, so:

[root@rhlinux root]# /etc/rc.d/init.d/iptables save
Saving current rules to /etc/sysconfig/iptables: [ OK ]

Only one of the preceding methods is needed.
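As an added example that is not part of the original page: a small shell check that audits a file in iptables-save format (the format of /etc/sysconfig/iptables) before it is loaded with iptables-restore, failing if the filter table's INPUT or FORWARD policy is not DROP or the loopback ACCEPT rule is missing. The function names and the sample rule set are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a rule set in iptables-save
# format before restoring it. check_ruleset FILE returns 0 when the filter table
# has DROP policies on INPUT and FORWARD and accepts loopback traffic, else 1.
check_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2) }                      # "*filter", "*nat", ...
        table == "filter" && /^:INPUT /   { input_policy = $2 }
        table == "filter" && /^:FORWARD / { forward_policy = $2 }
        table == "filter" && /^-A INPUT -i lo -j ACCEPT$/ { lo_ok = 1 }
        END {
            bad = 0
            if (input_policy != "DROP")   { print "INPUT policy is " input_policy; bad = 1 }
            if (forward_policy != "DROP") { print "FORWARD policy is " forward_policy; bad = 1 }
            if (!lo_ok)                   { print "loopback ACCEPT rule missing"; bad = 1 }
            exit bad
        }' "$1"
}

# write_sample FILE INPUT_POLICY: writes a constructed rule set in iptables-save
# format (same layout as /etc/sysconfig/iptables) with the given INPUT policy.
write_sample() {
    cat > "$1" <<EOF
*filter
:INPUT $2 [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8702 -j DROP
COMMIT
EOF
}

# Demonstration: an ACCEPT-by-default rule set is rejected, a DROP-by-default one passes.
SAMPLE=$(mktemp)
write_sample "$SAMPLE" ACCEPT
check_ruleset "$SAMPLE" || echo "permissive rule set rejected, as expected"
write_sample "$SAMPLE" DROP
check_ruleset "$SAMPLE" && echo "hardened rule set OK"
rm -f "$SAMPLE"
```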

To use a custom script instead, write the rules directly as iptables commands in a script and have that script executed at startup.

For example, if the rule script is /etc/FW/rule, add the following to /etc/rc.d/rc.local:

if [ -x /etc/FW/rule ]; then
/etc/FW/rule
fi

This way the rule script is executed at every start. If this method is used, it is recommended to disable the iptables service in ntsysv.

----------------------------------------------------------

Instances:

Basic chain operations:

[root@rh34 root]# iptables -L -n
(Lists all rules in the table/chain. A packet filtering firewall uses the filter table by default, so this command lists everything in the filter table. The -n parameter speeds up the display by skipping name resolution.)

[root@rh34 root]# iptables -F
(Clears all rules in all chains of the default table, filter.)

[root@rh34 root]# iptables -X
(Deletes the user-defined chains in the default table, filter.)

[root@rh34 root]# iptables -Z
(Clears the packet and byte counters of all chains.)

------------------------------------------------------------

Set a chain's default policy, either allow everything or discard everything:

[root@rh34 root]# iptables -P INPUT ACCEPT
[root@rh34 root]# iptables -P OUTPUT ACCEPT
[root@rh34 root]# iptables -P FORWARD ACCEPT
(Above we set the default policy in each direction to allow. To discard instead, the policy is DROP. Strictly speaking, a firewall should default to DROP and then allow specific traffic.)

---------------------------------------------------------------

Add rules to a chain. The following example opens a specified network interface (this is most useful for a trusted interface):

[root@rh34 root]# iptables -A INPUT -i eth1 -j ACCEPT
[root@rh34 root]# iptables -A OUTPUT -o eth1 -j ACCEPT
[root@rh34 root]# iptables -A FORWARD -i eth1 -j ACCEPT
[root@rh34 root]# iptables -A FORWARD -o eth1 -j ACCEPT

--------------------------------------------------------------

Using custom chains:

[root@rh34 root]# iptables -N Brus
(Creates a user-defined chain called Brus)

[root@rh34 root]# iptables -A Brus -s 0/0 -d 0/0 -p icmp -j DROP
(Sets a rule in this chain)

[root@rh34 root]# iptables -A INPUT -s 0/0 -d 0/0 -j Brus
(Adds a rule to the default INPUT chain so that all packets are processed by the custom chain Brus)
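As an added example that is not part of the original page, here is a startup rule script of the kind the page suggests keeping at /etc/FW/rule and running from rc.local. It combines the instances above in the order the page recommends (default DROP first, then allow specific traffic) using the trusted interface eth1, the blocked port 8702 and the Brus chain from the page's examples. The IPT and TRUSTED_IF variables and the apply/preview arguments are additions for this example so the commands can be reviewed with IPT=echo before the script is run as root.

```shell
#!/bin/sh
# Added example (not from the original page): a startup rule script of the kind the
# page suggests placing at /etc/FW/rule. It applies the page's advice: default DROP,
# then allow specific traffic. The trusted interface eth1 and the blocked port 8702
# come from the page's examples; run "preview" to print the commands instead.
IPT="${IPT:-/sbin/iptables}"
TRUSTED_IF="${TRUSTED_IF:-eth1}"

apply_rules() {
    # Start clean: flush all rules, delete user-defined chains, zero the counters.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -Z

    # Default policies: drop inbound and forwarded traffic, allow outbound.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Rules are checked in order and the first match wins, so explicit blocks come
    # first: port 8702 stays closed even for the trusted interface accepted below.
    "$IPT" -A INPUT -p tcp --dport 8702 -j DROP

    # Loopback traffic, and replies to connections we initiated (TCP without SYN).
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -p tcp ! --syn -j ACCEPT

    # Everything arriving on the trusted interface, and forwarding through it.
    "$IPT" -A INPUT -i "$TRUSTED_IF" -j ACCEPT
    "$IPT" -A FORWARD -i "$TRUSTED_IF" -j ACCEPT
    "$IPT" -A FORWARD -o "$TRUSTED_IF" -j ACCEPT

    # User-defined chain: discard ICMP from everywhere except localhost, then jump to it.
    "$IPT" -N Brus
    "$IPT" -A Brus ! -s 127.0.0.1 -p icmp -j DROP
    "$IPT" -A INPUT -j Brus
}

# "apply" loads the rules (needs root); "preview" prints them without touching the kernel.
case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPT=echo apply_rules ;;
esac
```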

----------------------------------------------------------------

Basic match rule examples:

Matching a protocol:

iptables -A INPUT -p tcp
(Sets the protocol to match to TCP)

iptables -A INPUT ! -p tcp
(Matches any protocol other than TCP)

Matching an address:

iptables -A INPUT -s 192.168.1.1
(Matches a host)
