Learning iptables from links and tables

Please try it out. thank you for the Filter table: Filter data packets, default table. (1) INPUT chain: filter all data packets whose destination address is local (filter incoming data packets) (2) OUTPUT chain: filter all data packets generated by the local machine (filter data packets from the source address) (3) FORWARD chain: filter all data packets passing by the local machine (source

If it is useful, please try it out. thank you.

FilterTable: filter data packets. default table.

(1) INPUT chain: filter data packets whose destination address is local (filter data packets that enter the local host)

(2) OUTPUT chain: filter all data packets generated by the local machine (filter the data packets obtained from the source address)

(3) FORWARD chain: filter all packets passing by the local machine (both the source address and the target address are not local data packets.

NATTable: Network address translation (Network AddressTranslation)

If the first data packet allows NAT or Masquerade, other data packets will be subjected to the same action, that is to say, other packets will not be NAT One by one (packets belonging to a stream will only pass through this table once). do not filter any link in this table at any time.

Includes three actions

(1) DNAT: change the destination address of the data packet so that the packet can be rerouted to a machine.

(Enable Internet access to the server on the LAN)

(2) SNAT: change the source address of the data packet (enable LAN access to the Internet)

(3) NASQUERADE: like SNAT, the local area network can access the public network. without a fixed IP address, the public network can be connected to the Internet through dialing such as PPP. PPPoE.

NatTable inclusion3Links:

(1) PREROUTING chain: change the destination address of the packet when the packet arrives at the firewall.

(2) OUTPUT chain: change the destination address of locally generated data packets.

(3) POSTROUTING: changes the source address of the data packet when the data packet leaves the firewall.

MangleTable: modify the packet header.(TTL, TOS, MARK)

(1) TOS: set to change the service type of data packets. do not use TOS to set packages sent to the Internet. unless you plan to rely on TOS for routing, you cannot configure any filtering in the table. SNAT and DNAT

(2) TTL: changing the data packet's survival time can enable the data packet to only have a special TTL, deceiving the ISP. some ISPs do not want multiple computers to share a connection to access the Internet, the ISP checks whether the data packets sent by a computer contain different TTL values.

(3) Mask: sets a special flag for a data packet. It configures the bandwidth limit and request-based classification by marking.

Five links in the Mangle table:

(1) PREROUTING chain: After a packet enters the firewall, the packet is changed before the route determines.

(2) POSTROUTING chain: After the destination address is determined, the packet is changed before the route is determined.

(3) OUTPUT chain: change the data packet before the data packet is determined as the destination address

(4) INPUT chain: after the data packet enters the local machine, the application changes the data packet before accepting it.

(5) FORWARD chain: After the first route judgment, the packet is changed before the last route judgment.

IPTABLESPacket and4Type of tracked connections4Status.

(1) NEW: This package wants to start a connection (reconnect or redirect the connection)

(2) RELATED: The package is a new connection established by a established connection. For example, the FTP data transmission connection controls the connection RELATED.

-- Icmp-type 0 (ping response) is the RELATED from icmp-type 8 (ping request ).

(3) ESTABLISHED: as long as the request is sent and received, a data connection changes from NEW to ESTABLISHED, and the status will continue to match the subsequent data packets of the connection.

INVALID: a data packet cannot be identified as a connection or has no status such as memory overflow. If an ICMP error message is returned for a connection that you do not know, you should generally DROP any data in this status.

List of common commands:

Command-A, -- append
Example Iptables-A input...

It indicates that a new rule is added to a rule refining, and the rule will become the last rule in the rule refining.

Command-D, -- delete
Example iptables-d input -- dport 80-j DROP
Iptables-d input 1

This indicates that a rule can be deleted from a rule refining process. you can enter a complete rule or directly specify a rule number to delete it.

Command-R, -- replace
Example iptables-r input 1-s 192.168.0.1-j DROP

It indicates that the current rule is replaced, and the Order of the rule is not changed after it is replaced.

Command-I, -- insert
Example iptables-I INPUT 1 -- dport 80-j ACCEPT

It indicates that a rule is inserted. The rule at the specified position will move a forward position.

Command-L, -- list
Example iptables-L INPUT

Lists all rules in a rule.

Command-F, -- flush
Example iptables-F INPUT

Delete all rules in a rule refining.

Command-Z, -- zero
Example iptables-Z INPUT

This indicates that the packet counter is set to zero. The packet counter is used to calculate the number of occurrences of the same packet and is an indispensable tool for filtering block attacks.

Command-N, -- new-chain
Example iptables-N allowed

Define new rules.

Command-X, -- delete-chain
Example iptables-X allowed

Delete a rule.

Command-P, -- policy
Example iptables-P INPUT DROP

Define a filter policy. That is, the default processing method for packets that do not meet the filtering conditions.

Command-E, -- rename-chain
Example iptables-E allowed disallowed

Modifies the name of a custom rule.

Common packet comparison parameters:

Parameter-p, -- protocol
Example iptables-a input-p tcp

It indicates whether the communication protocol type is consistent and can be used! The operator performs reverse comparison, for example,-p! Tcp, which means other types except tcp, including udp, icmp, etc. If you want to compare all types, you can use the all keyword, for example,-p all.

Parameter-s, -- src, -- source
Example iptables-a input-s 192.168.1.1

The description is used to compare the source IP address of the packet. it can be compared to a single machine or network. when comparing the network, use a number to block it. for example,-s 192.168.0.0/24 can also be used to compare the IP address! The operator performs reverse comparison, for example,-s! 192.168.0.0/24.

Parameter-d, -- dst, -- destination

Example iptables-a input-d 192.168.1.1

Description used to compare the destination IP address of the packet. the setting method is the same as above.

Parameter-I, -- in-interface

Example iptables-a input-I eth0

The description is used to compare the network card from which the package Enters. you can use wildcard character + to perform large-scale comparison. for example,-I eth + indicates all ethernet network cards. you can also use it! The operator performs reverse comparison, for example,-I! Eth0.

Parameter-o, -- out-interface
Example iptables-a forward-o eth0

Specifies the network card from which the packet is sent.

Parameter -- sport, -- source-port
Example iptables-a input-p tcp -- sport 22
It indicates that the source port number of the packet can be compared to a single port or a range, for example, -- sport 22: 80, indicating that the port from 22 to 80 is qualified, to compare multiple non-consecutive ports, you must use the -- multiport parameter. For more information, see the following section. You can use it when comparing the port number!

The operator performs reverse comparison.

Parameter -- dport, -- destination-port
Example iptables-a input-p tcp -- dport 22

Description used to compare the destination port number of the package. the setting method is the same as above.

Parameter -- tcp-flags
Example iptables-p tcp -- tcp-flags SYN, FIN, ACK SYN
TCP
The status flag of the package. the parameters are divided into two parts: the first part lists the banners for comparison, and the second part lists which of the aforementioned banners are set and the unlisted banners must be empty. TCP status banners include: SYN (synchronous), ACK (response), FIN (ended), RST (reset), URG (urgent), PSH (forced push)

Can be used in parameters. In addition, you can use the keywords ALL and NONE for comparison. You can use it when comparing the banners! The operator performs reverse comparison.

Parameter -- syn
Example iptables-p tcp -- syn

The description is used to compare whether a TCP packet is online. it works exactly the same as iptables-p tcp -- tcp-flags SYN, FIN, and ACKSYN. if Yes! The operator can be used to compare non-required online packets.

Parameter-m multiport -- source-port
Example iptables-a input-p tcp-m multiport -- source-port 80,110

The description is used to compare multiple source ports that are not consecutive. up to 15 ports can be compared at a time. you can use this description! The operator performs reverse comparison.

Parameter-m multiport -- destination-port
Example iptables-a input-p tcp-m multiport -- destination-port22, 110

The description is used to compare non-consecutive destination port numbers. the setting method is the same as above.

Parameter-m multiport -- port
Example iptables-a input-p tcp-m multiport -- port 80,110

This parameter is special and used to compare packets with the same source port number and destination port number. the setting method is the same as above. Note: In this example, if the source port number is 80 but the destination port number is 110, this packet does not meet the condition.

Parameter -- icmp-type
Example iptables-a input-p icmp -- icmp-type 8

The description is used to compare the type numbers of ICMP. you can use code or number numbers for comparison. Please call iptables-p icmp -- help to check which code can be used.

Parameter-m limit -- limit
Example iptables-a input-m limit -- limit 3/hour
The description is used to compare the average traffic of packets within a certain period of time. the example above is used to compare whether the average traffic per hour exceeds three packets at a time.
In addition to the average time per hour, it can also be an average time per second, every minute or every day. the default value is an average time per hour. parameters such as:/second,/minute,/day.

In addition to comparing the number of packets, Setting this parameter will also suspend the packet comparison when conditions are met to avoid service interruption due to the use of the flood attack method by hackers.

Parameter -- limit-burst
Example iptables-a input-m limit -- limit-burst 5

The description is used to compare the quantity of a large number of packets in an instant. the example above is used to compare whether the number of packets that flood in at a time exceeds 5 (this is the default value). packets that exceed this limit will be discarded directly. The usage effect is the same as that.

Parameter-m mac -- mac-source
Example iptables-a input-m mac -- mac-source 00: 00: 00: 00: 00: 01 indicates the hardware address used to compare the packet source network interface, this parameter cannot be used in OUTPUT or Postrouting.
Rule refining, this is because the packet must be sent to the NIC before the NIC driver can identify the destination MAC address through the ARP communication protocol, so iptables

During packet comparison, you do not know the network interface to which the packet will be sent.

Parameter -- mark
Example iptables-t mangle-a input-m mark -- mark 1

The description is used to compare whether a number is indicated by a packet. when the packet is compared successfully, we can MARK a number through the MARK processing action. The maximum number cannot exceed 4294967296.

Parameter-m owner -- uid-owner
Example iptables-a output-m owner -- uid-owner 500

The description is used to compare the packets from the local machine and whether the packets are generated by a specific user. This prevents the server from transmitting sensitive data using root or other identities, and reduces the loss of system hacking. Unfortunately, this function cannot compare the packets from other hosts.

Parameter-m owner -- gid-owner
Example iptables-a output-m owner -- gid-owner 0

The description is used to compare whether the packets from the local machine are generated by a specific user group. The usage time is the same as above.

Parameter-m owner -- pid-owner
Example iptables-a output-m owner -- pid-owner 78

The description is used to compare the packets from the local machine and determine whether the packets are generated for a specific trip.

Parameter-m owner -- sid-owner
Example iptables-a output-m owner -- sid-owner 100

The description is used to compare the response packets from the local machine and whether the packets are the response packets of a specific online (Session ID.

Parameter-m state -- state
For example, iptables-a input-m state -- state RELATED and ESTABLISHED are used to compare the online status. There are four online statuses: INVALID, ESTABLISHED, NEW, and RELATED.
INVALID indicates that the package's online number (Session ID) cannot be identified or the number is incorrect.
ESTABLISHED indicates that the package belongs to a ESTABLISHED online network.
NEW indicates that the package wants to start online (reset online or redirect online ).

RELATED indicates that the packet belongs to a newly established online host. For example, FTP-DATA online must be from an FTP online.

Common handling actions:

-The j parameter is used to specify the action to be processed. common actions include: ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, and MARK are described as follows:

After the ACCEPT completes the processing, it will not compare other rules and directly jump to the next rule for refining (nat: postrouting ).

REJECT blocks the packet and sends the packet to notify the other party. you can choose to transfer the packet: ICMP port-unreachable, ICMPecho-reply, or tcp-reset (this packet will require the other party to shut down online). after this action is completed, the filtering program will not be directly interrupted after comparison with other rules.
Example:

Iptables-a forward-p TCP -- dport 22-j REJECT -- reject-withtcp-reset

DROP discarded packets are not processed. after this operation, the filter program is directly interrupted instead of comparing other rules.

REDIRECT redirects the packet to another port (PNAT). after this action is completed, it will continue to compare with other rules. This function can be used to implement transparent porxy.
Or to protect the web server. For example, iptables-t nat-a prerouting-p tcp -- dport 80-j

REDIRECT -- to-ports 8080

MASQUERADE rewrite the source IP address of the packet to the nic ip address of the firewall. you can specify the port
After the corresponding range is processed, directly jump to the next rule refining (mangle: postrouting ). This function is slightly different from SNAT. when you perform IP camouflage, you do not need to specify which IP address you want to disguise. the IP address will be directly read from the NIC. when you use a dial connection, the IP address is usually assigned by the DHCP server of the ISP company. in this case, MASQUERADE is particularly useful. Example:

Iptables-t nat-a postrouting-p TCP-j MASQUERADE -- to-ports1024-31000

LOG records the packet-related information in/var/log. for detailed location information, see The/etc/syslog. conf configuration file. after this operation is completed, it will continue to compare with other rules. For example:

Iptables-a input-p tcp-j LOG -- log-prefix "INPUT packets"

SNAT modifies the source IP address of the packet to a specific IP address or IP address range. you can specify the port range. after this operation is completed, it will directly jump to the next rule refining (mangle: postrouting ). Example:

Iptables-t nat-a postrouting-p tcp-o eth0-j SNAT -- to-source194.236.50.155-194.236.50.160: 1024-32000

DNAT rewrite the IP address of the packet destination to a specific IP address or IP address range. you can specify the port range. after this operation is completed, it will directly jump to the next rule (filter: input or filter: forward ). Example:

Iptables-t nat-a prerouting-p tcp-d 15.45.23.67 -- dport 80-j DNAT -- to-destination 192.168.1.1-192.168.1.10: 80-100

MIRROR package, that is, after the source IP address and the destination IP address are reversed, the package is sent back. after this operation, the filter program will be interrupted.

The QUEUE interrupt filtering program puts the packets into the QUEUE and submits them to other programs for processing. Other applications can be implemented through self-developed processing programs, such as calculating the online cost.

The RETURN statement ends with the filtering program in the current rule refining process. it returns the master rule refining to continue filtering. if you think of custom rule refining as a sub-program, this action is performed, it is equivalent to early completion of the subroutine and return to the main program.

MARK marks a code on the package to provide a judgment basis for the filter conditions. after this processing, the MARK will continue to compare with other rules. Example:

Iptables-t mangle-a prerouting-p tcp -- dport 22-j MARK -- set-mark 2

Start Lab

If you do not know the basic knowledge about IPTABLES, we recommend that you first check it out.

Start configuration

Let's configure a filter table firewall.

(1) view the settings of IPTABLES on the local machine. by default, view the policies of the input forwardoutput three tables.

[Root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT) Chain INPUT (policy DROP)
Target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.181.34 0.0.0.0/0 tcpdpt: 22
ACCEPT tcp -- 192.168.181.35 0.0.0.0/0 tcpdpt: 22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt: 80

Chain FORWARD (policy DROP)
Target prot opt source destination

Chain OUTPUT (policy DROP)
Target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 192.168.181.33 0.0.0.0/0 tcpspt: 22

If you do not choose to start the firewall when installing linux

# Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
Chain FORWARD (policy ACCEPT)
Target prot opt source destination
Chain OUTPUT (policy ACCEPT)
Target prot opt source destination

There are no rules.

(2) clear the original rules.

Whether or not you have enabled the firewall when installing linux, if you want to configure your own firewall, clear all the filter rules.

[Root @ tp ~] # Iptables-F clear the rules of all rule chains in the filter of the preset table

[Root @ tp ~] # Iptables-X clear the rules in the user-defined chain in the filter of the preset table

[Root @ tp ~] # Iptables-Z clear counter in filter of the preset table

Let's take a look.

[Root @ tp ~] # Iptables-L-n
Chain INPUT (policy ACCEPT)
Target prot optsource destination

Chain FORWARD (policy ACCEPT)
Target prot optsource destination

Chain OUTPUT (policy ACCEPT)
Target prot optsource destination

Nothing, just like we didn't start the firewall when installing linux. (say in advance, these configurations are the same as configuring IP addresses with commands, so restarting them will lose effect.) how to save them.

[Root @ tp ~] #/Etc/rc. d/init. d/iptables save

In this way, you can write it to the/etc/sysconfig/iptables file. remember to repeat the firewall after writing it to make it take effect.

[Root @ tp ~] # Service iptables restart

Now there are no configurations in the IPTABLES configuration table. let's start with our configuration.

(3) set preset rules

It is best to create a shellscript.

# Vi ipt. sh
#! /Bin/bash
# Iptables init
#---------------------------
Iptables-F
Iptables-X
Iptables-Z
# Set the default rules
#---------------------------
Iptables-P INPUT DROP
Iptables-P OUTPUT DROP
Iptables-P FORWARD DROP
#---------------------------
Service iptables save
Echo "------------------------------------------------------------------------"
Iptables-L-n
Echo "-------------------------------------------------------------------------"
# Bash./EPT. sh

The above means that when two chain rules (INPUT and FORWARD) in the filter table in IPTABLES are exceeded, how can we process data packets not in these two rules, that is, DROP (discard ). it should be said that the configuration is safe. we want to control inbound data packets

For the OUTPUT chain, that is, the outgoing package, we do not need to impose too many restrictions, but adopt ACCEPT. that is to say, what should we do if the package is not in a rule.

Note: If you log on remotely through SSH, you should drop it when you enter the first command and press enter because you have not set any rules.

What should I do? go to the local machine to operate it!

(4) add a rule.

First, add the INPUT chain. the default rule of the INPUT chain is DROP, so we will write the chain that requires ACCETP ().

To enable remote SSH login, we need to enable port 22.

This is different from other blogs.

Port 22 is required to enable SSH

Iptables-a input (-s 192.168.181.34)-p tcp -- dport 22-jACCEPT # enter the source IP address of the INPUT.
Iptables-a output (-s 192.168.181.33)-p tcp -- sport 22-j ACCEPT # source IP address of OUTPUT (basically Local)

If the WEB server is configured, enable port 80.

# Iptables-a input-p tcp -- dport 80-j ACCEPT
If the email server is configured, enable Port 25,110.

# Iptables-a input-p tcp -- dport 110-j ACCEPT
# Iptables-a input-p tcp -- dport 25-j ACCEPT
If the FTP server is configured, enable port 21.

# Iptables-a input-p tcp -- dport 21-j ACCEPT

# Iptables-a input-p tcp -- dport 20-j ACCEPT

If the DNS server is configured, enable Port 53.

# Iptables-a input-p tcp -- dport 53-j ACCEPT

If you have another server, you just need to open the port and write it.

The above mainly writes the INPUT chain, and all the rules that are not in the above DROP

Allow icmp packets to pass, that is, allow ping,

# Iptables-a output-p icmp-j ACCEPT (if OUTPUT is set to DROP)

# Iptables-a input-p icmp-j ACCEPT (if INPUT is set to DROP)

Allow loopback! (Otherwise, DNS may fail to be shut down normally)

IPTABLES-a input-I lo-p all-j ACCEPT (if it is INPUT DROP)
IPTABLES-a output-o lo-p all-j ACCEPT (if it is output drop)

The OUTPUT chain is written below. the default rule of the OUTPUT chain is ACCEPT, so we will write the chain that needs to be dropped (abandoned.

Reduce insecure port connections

# Iptables-a output-p tcp -- sport 31337-j DROP

# Iptables-a output-p tcp -- dport 31337-j DROP

Some Trojans scan services from ports 31337 to 31340 (elite ports in hacking languages. Since legal services do not use these non-standard ports for communication, blocking these ports can effectively reduce the chances of independent communication between machines that may be infected on your network and their remote master servers.

The same applies to other ports, such as 31335, 27444, 27665, 20034, 9704, 137-139 (smb), and 2049 (NFS, I have not written all of them here. if you are interested, check the relevant information.

Of course, you can set the OUTPUT chain to DROP for more secure access, so you can add more rules, just like adding

Allow SSH login. just write it.

The more detailed rules are as follows:

For example, we only allow SSH connections to machines 192.168.0.3.

# Iptables-a input-s 192.168.0.3-p tcp -- dport 22-jACCEPT

If you want to allow or restrict the availability of a certain IP address, 192.168.0.0/24 indicates all IP addresses of 192.168.0.1-255.

24 indicates the number of subnet masks. remember to delete this line in/etc/sysconfig/iptables.

-A input-p tcp-m tcp -- dport 22-j ACCEPT because it indicates that all addresses can log on.

Or use the following command:

# Iptables-d input-p tcp -- dport 22-j ACCEPT

Save it. I'll talk about it again. Instead, it uses the command method and only takes effect at that time. if you want to restart it, save it. write to the/etc/sysconfig/iptables file.

#/Etc/rc. d/init. d/iptables save

Write it like this! 192.168.0.3 indicates IP address other than 192.168.0.3

The same is true for other rule connections.

The following is the FORWARD chain. the default rule of the FORWARD chain is DROP, so we will write the chain that requires ACCETP (via) to monitor the ongoing forwarding chain.

Enable the forwarding function (required when the default FORWARD rule is DROP when performing NAT)

# Iptables-a forward-I eth0-o eth1-m state -- state