iptables rule syntax: the INPUT chain

Source: Internet
Author: User

Part 1

Basic syntax

iptables -t filter -A INPUT -p icmp -j DROP

Advanced syntax

iptables -t filter -A INPUT -m mac --mac-source 00:1c:23:3b:2e:b1 -j DROP

The difference between basic and advanced syntax: the filter mechanism is provided by the iptable_filter.ko module, and that module already comes with some simple matches of its own. "Basic syntax" means using only the matching functionality that iptable_filter.ko provides by itself. Advanced syntax has to call on other modules. In the advanced example above, "-m mac" tells the iptables tool that we want the functionality of the xt_mac.ko module. Because another module is being invoked, the syntax of that part of the rule changes from module to module, and every module has its own syntax; this is what is called "advanced syntax".

Example 1: Discard ICMP packets sent from 222.24.21.195 to this machine

Syntax: iptables -A INPUT -p icmp -s 222.24.21.195 -j DROP

Syntax explanation:

-A INPUT
    Protected object: this example uses the INPUT chain, so the object it protects is the local host itself.

-p icmp
    Full form: -p, --protocol
    Purpose: match packets of a particular protocol; in this example, ICMP packets.
    Syntax: -p icmp, -p tcp, -p udp, -p all, etc.

-s 222.24.21.195
    Full form: -s, --source
    Counterpart: -d, --destination
    Purpose: match the IP address on the source or destination side of the packet.
    Syntax: -s 222.24.21.195, -s www.baidu.com. As the examples show, the address can be a single IP or a standard CIDR network segment. For the FQDN form, iptables sends the FQDN to DNS for resolution and adds the resulting IP to the rule.

-j
    Full form: -j, --jump
    Purpose: "handle" a packet that meets all of the above criteria in a specified way.

The most common ways of handling a packet:

ACCEPT
    Let the packet through.

DROP
    Discard the packet. The source side will assume the packet was lost and retransmit it, and this continues until the connection times out.

REJECT
    Discard the packet and send an ICMP destination-unreachable packet back to the sender; the sending application terminates the connection attempt as soon as it receives this error packet.


Example 2: Do not allow the host 222.24.21.195 to perform name resolution through the local DNS service

Syntax: iptables -A INPUT -p udp -s 222.24.21.195 --dport 53 -j DROP

Syntax explanation:

--dport 53
    Full form: --dport, --destination-port
    Counterpart: --sport, --source-port
    Purpose: match the "source port" or "destination port" in the TCP or UDP header to determine which service the connection is trying to reach. For example, -p udp --dport 53 means the client wants to reach UDP port 53, and UDP port 53 is the DNS service.
    Syntax: --dport 53, --sport 80. When using --dport or --sport, you must state whether the protocol is TCP or UDP: whenever a "port parameter" appears in a rule, the rule must also carry -p udp or -p tcp.


Example 3: Allow hosts on the 192.168.1.0/24 network segment to make any service request to 192.168.0.1

Syntax: iptables -A INPUT -p all -s 192.168.1.0/24 -d 192.168.0.1 -j ACCEPT

Syntax explanation:

-p all
    Purpose: match packets of all protocols.

-s 192.168.1.0/24
    Purpose: match packets whose source IP is in the 192.168.1.0/24 network segment.

-j ACCEPT
    Purpose: allow packets that meet all three conditions above to enter.


Example 4: Allow client hosts to access the local SSH service only through eth1

Syntax: iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

Syntax explanation:

-i eth1
    Full form: -i, --in-interface
    Counterpart: -o, --out-interface
    Purpose: match the interface through which the packet enters or leaves.
    Syntax: -i eth1, -o eth2
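As an added example (not from the original page), the following POSIX shell lint checks rule strings for two constraints the examples rely on: the note in Example 2 that --dport/--sport must be accompanied by -p tcp or -p udp, and the interface option of Example 4, where -i cannot be used on the OUTPUT chain and -o cannot be used on INPUT. It never calls iptables; the function names and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight lint for iptables rule strings, without
# invoking iptables. Checks: --dport/--sport need -p tcp|udp (or -p 6|17 from /etc/protocols);
# -i cannot be used on the OUTPUT chain and -o not on INPUT. Names/samples are constructed.

# ports_have_proto RULE -> 0 if no port match, or a port match plus tcp/udp; 1 otherwise
ports_have_proto() {
    case " $1 " in
        *" --dport "*|*" --sport "*) ;;          # rule uses a port match, keep checking
        *) return 0 ;;                           # nothing to enforce
    esac
    case " $1 " in
        *" -p tcp "*|*" -p udp "*|*" -p 6 "*|*" -p 17 "*) return 0 ;;
        *" --protocol tcp "*|*" --protocol udp "*) return 0 ;;
    esac
    return 1
}

# iface_fits_chain RULE -> 0 unless -i is used on OUTPUT or -o on INPUT
iface_fits_chain() {
    chain="" has_in=0 has_out=0
    set -- $1                                    # split the rule into words (unquoted on purpose)
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|--append|-I|--insert) chain="$2"; shift ;;
            -i|--in-interface)  has_in=1 ;;
            -o|--out-interface) has_out=1 ;;
        esac
        shift
    done
    if [ "$chain" = OUTPUT ] && [ "$has_in" = 1 ]; then return 1; fi
    if [ "$chain" = INPUT ] && [ "$has_out" = 1 ]; then return 1; fi
    return 0
}

# lint_rule RULE -> prints a verdict and returns 0 only if both checks pass
lint_rule() {
    ports_have_proto "$1" || { echo "BAD (port match without -p tcp/udp): $1"; return 1; }
    iface_fits_chain "$1" || { echo "BAD (interface option not valid on this chain): $1"; return 1; }
    echo "OK  $1"
}
# Constructed samples: the tutorial's rules plus two deliberately broken ones
for r in "-A INPUT -p icmp -s 222.24.21.195 -j DROP" \
         "-A INPUT -p udp -s 222.24.21.195 --dport 53 -j DROP" \
         "-A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT" \
         "-A INPUT -s 222.24.21.195 --dport 53 -j DROP" \
         "-A OUTPUT -i eth0 -p tcp -d www.baidu.com --dport 80 -j REJECT"; do
    lint_rule "$r" || :
done
```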


Example 5: Do not allow local applications to send packets out through the eth0 interface to reach the www.baidu.com web site

Syntax: iptables -A OUTPUT -o eth0 -p tcp -d www.baidu.com --dport 80 -j REJECT

Syntax explanation:

-A OUTPUT
    Restricted object: this example uses the OUTPUT chain, so its purpose is to restrict outbound connections from this machine.


Part 2

The examples above illustrate the basic syntax of iptables; the parameters are summarized below.

(1) Interface matching parameters

Parameter name
    -i, -o

Parameter values
    The values depend on the physical interfaces of the firewall host. Common interface names are:

* eth0: Ethernet interface.

* ppp0: PPP interface.

* lo: local loopback interface.

* fddi0: fiber-optic (FDDI) interface.

Usage example
    -i eth0: matches packets entering through the eth0 interface

Meaning
    Matches the interface through which the packet enters or leaves.

Note
    Can be combined with "!" to express negation; for example, "-i ! eth0" means packets that did not enter through eth0 (newer iptables versions place the "!" before the option: "! -i eth0").

(2) Upper-layer protocol matching parameters

Parameter name
    -p

Parameter values
    The values depend on the upper-layer protocol being matched. Commonly used values are:

* tcp: the upper-layer protocol to match is TCP.

* udp: the upper-layer protocol to match is UDP.

* icmp: the upper-layer protocol to match is ICMP.

* all: match all upper-layer protocols.

For other upper-layer protocols, refer to the /etc/protocols file; an excerpt of its contents:

    ip       0   IP
    hopopt   0   HOPOPT
    icmp     1   ICMP
    igmp     2   IGMP
    ggp      3   GGP
    ipencap  4   IP-ENCAP
    tcp      6   TCP

Note: the first and second fields are used by the system. For example, -p tcp can also be written as -p 6, because the protocol number of TCP is 6. The third field is an alias for the administrator's reference.


(3) Source/destination IP address matching parameters

Parameter name
    -s, -d

Parameter values
    Match the source or destination IP address. The accepted address formats are:

* 192.168.0.1: matches a single IP.

* 172.10.0.0/16: matches a Class B network segment.

* 192.168.0.0/24: matches a Class C network segment.

* 192.168.0.0/28: any standard CIDR network segment is also accepted.

* www.qq.com: a hostname may also be given, but what is finally stored in the chain is the resolved IP.

Usage example
    -s 192.168.0.1: matches packets sent from the host 192.168.0.1

-s 192.1
