Linux Firewall Tools--iptables

Source: Internet
Author: User
Tags: iptables

Iptables Introduction

iptables is a very powerful firewall built into the Linux kernel. It is organised around the "three tables, five chains" model.

Three tables

1. filter: decides whether a packet is allowed through or not (packet filtering)

2. nat: defines address translation

3. mangle: modifies packet header fields (for example TTL, TOS or packet marks)

Five chains

1. PREROUTING (before the routing decision)

2. INPUT (packets destined for the local host)

3. FORWARD (packets routed through this host to another host)

4. OUTPUT (packets generated by the local host)

5. POSTROUTING (after the routing decision)

The filter table can only be used on 3 chains: INPUT, FORWARD, OUTPUT

The nat table can only be used on 3 chains: PREROUTING, OUTPUT, POSTROUTING

The mangle table can be used on all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING


Iptables notation and parameters

iptables [-t table] command [chain] [match conditions] [-j target or jump]

Chain names must be uppercase, table names lowercase, targets (actions) uppercase and match conditions lowercase.

Common parameters:

-A appends a rule to a chain (added at the end by default)

-t specifies the table to operate on (filter by default)

-D deletes a rule from a chain; the rule can be given by its number or by its matching specification

-R replaces a rule

-I inserts a rule (at the head of the chain by default)

-F flushes all rules in the selected chain; the change is not persistent, so the saved rules are restored after a reboot

-N creates a new user-defined chain

-X deletes a user-defined chain

-p specifies the protocol: tcp, udp, icmp and so on, or a protocol number

-s specifies the source address

-d specifies the destination address

-i specifies the inbound interface (NIC)

-o specifies the outbound interface (NIC)

-m loads a match extension, for example state or multiport

-j specifies the target: ACCEPT, DROP, SNAT, DNAT, MASQUERADE

--sport source port

--dport destination port; a port match must be combined with a protocol (-p tcp or -p udp)

Targets (after -j):

ACCEPT lets the packet through

DROP discards the packet silently

REJECT refuses the packet and sends an error back to the sender

LOG writes packet information to the syslog log

DNAT destination address translation

SNAT source address translation

MASQUERADE address masquerading (source NAT using the address of the outgoing interface)

REDIRECT redirection (to a local port)


iptables Example

Basic operations

iptables -L    # list the iptables rules
iptables -F    # flush the built-in chains
iptables -X    # delete user-defined chains

Configure SSH Login Rules

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Allow SSH connections only from the host 192.168.0.100

iptables -A INPUT -s 192.168.0.100 -p tcp --dport 22 -j ACCEPT

Destination address translation: map a port on the external interface to an internal host

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to-destination 192.168.0.2:80

Source address translation: hide the internal addresses

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1

Enable forwarding

iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT    # only established connections and related traffic are forwarded inward
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT    # allow forwarding outward

Filter by MAC address

iptables -A FORWARD -m mac --mac-source <mac-address> -j DROP

Rate limiting (packet shaping)

iptables -A FORWARD -d 192.168.0.1 -m limit --limit 50/s -j ACCEPT
iptables -A FORWARD -d 192.168.0.1 -j DROP    # packets above the limit fall through to this rule

Match multiple ports in one rule

iptables -A INPUT -p tcp -m multiport --dports 21,22,25,80,110 -j ACCEPT

Discard invalid connections

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
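The rules above only work as intended when they sit in the right order under a deny-by-default policy: the rule that allows SSH from one host restricts nothing on its own if the chain's policy is ACCEPT. The script below, added here as an example and not part of the original article, assembles the SSH, multiport, INVALID and LOG rules into one stateful host firewall. The admin host 10.0.0.5, the IPT variable and the helper functions are assumptions; running it with IPT=echo (or --dry-run) prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original article: a deny-by-default stateful host
# firewall assembled from the rules discussed above.
# Assumptions: the admin host is 10.0.0.5; IPT names the iptables binary and can
# be set to "echo" to print the generated commands instead of loading them.
IPT="${IPT:-iptables}"
ADMIN_HOST="${ADMIN_HOST:-10.0.0.5}"

host_firewall() {
    # Start from a clean filter table: -F flushes the rules, -X removes custom chains.
    $IPT -F
    $IPT -X
    # Default policies: nothing comes in or is forwarded unless a rule allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets the connection tracker cannot classify are dropped first.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Replies to connections this host opened (and related ICMP) are let back in.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH only from the admin host: source, protocol and port in one rule.
    $IPT -A INPUT -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT
    # Public services in a single multiport rule.
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Log what is about to be dropped, rate-limited so the log cannot be flooded,
    # then drop it explicitly (the DROP policy would catch it anyway).
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    $IPT -A INPUT -j DROP
}

# Print the commands the function would run, without touching the kernel.
dry_run() {
    ( IPT=echo; host_firewall )
}

# Number of rules (-A lines) the script installs.
rule_count() {
    dry_run | grep -c -- '^-A '
}

case "${1:-}" in
    --apply)   host_firewall ;;
    --dry-run) dry_run ;;
esac
```

Run it as `sh firewall.sh --dry-run` to review the generated rule list before applying it; the RELATED,ESTABLISHED rule sits before the service rules so that only new connections are evaluated against them.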


Examples

1. Log all traffic from host 192.168.0.1 to local port 22 to the messages log

iptables -I INPUT -s 192.168.0.1 -p tcp --dport 22 -j LOG

2. Allow any machine to reach local port 80 via eth1

iptables -I INPUT -i eth1 -p tcp --dport 80 -j ACCEPT

3. The company network 192.168.0.0/24 reaches the Internet through 128.166.122.1

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p    # load the configuration

iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 128.166.122.1

4. The public IP 128.166.122.1 is exposed, and the internal web server 192.168.0.1 must be reachable through it

iptables -t nat -I PREROUTING -d 128.166.122.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1    # DNAT is only valid in the PREROUTING and OUTPUT chains, not in POSTROUTING

5. A packet that is too large is split into several fragments before being sent; -f matches the second and subsequent fragments

iptables -A OUTPUT -f -d 192.168.1.2 -j DROP    # drop fragments sent to 192.168.1.2

6. Limit the number of packets accepted in a time period and drop the rest

iptables -I INPUT -m limit --limit 500/sec -j ACCEPT

iptables -P INPUT DROP    # default policy: drop whatever the limit rule does not accept

7. Refuse to forward connections containing certain keywords (--string): reject QQ packets

iptables -I FORWARD -m string --algo bm --string "QQ" -j REJECT

8. Forward packets for an IP range

iptables -A FORWARD -m iprange --src-range 192.168.0.1-192.168.0.10 -p tcp --dport 80 -j ACCEPT
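Examples 3 and 4 together with the forwarding section describe a NAT gateway, and the part that is easy to get wrong is which chain each target belongs in: SNAT goes in POSTROUTING (after routing), DNAT in PREROUTING (before routing), and the FORWARD filter rules then match the already-translated internal address. The script below is an added example, not code from the original article; it takes the interface names eth0/eth1, the public IP 128.166.122.1, the LAN 192.168.0.0/24 and the web server 192.168.0.1 from the examples above, and the IPT variable and helper functions are assumptions. With IPT=echo it prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original article: a NAT gateway script that
# combines example 3 (SNAT for the LAN), example 4 (DNAT to the internal web
# server) and the FORWARD rules from the forwarding section.
# Assumptions: eth0 is the Internet-facing interface holding 128.166.122.1, eth1
# faces the LAN 192.168.0.0/24 and the web server is 192.168.0.1 (values taken
# from the examples above). IPT can be set to "echo" to print the commands.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PUBLIC_IP="${PUBLIC_IP:-128.166.122.1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.0.1}"

enable_forwarding() {
    # Without this the FORWARD chain never sees any traffic.
    sysctl -w net.ipv4.ip_forward=1
}

nat_gateway() {
    # Reset the nat table and the FORWARD chain of the filter table.
    $IPT -t nat -F
    $IPT -F FORWARD
    # Nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP
    # Example 3: hide the LAN behind the public IP. SNAT is applied after routing.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    # Example 4: publish the web server. DNAT is only valid in PREROUTING (and
    # OUTPUT) because the destination must be rewritten before the routing decision.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"
    # Drop packets the connection tracker cannot classify.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # FORWARD sees the packet after DNAT, so the filter rule matches the internal address.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    # LAN hosts may open connections outward; only replies come back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Print the commands without loading them.
dry_run() {
    ( IPT=echo; nat_gateway )
}

# Chain that receives the DNAT rule (must be PREROUTING).
dnat_chain() {
    dry_run | grep -- '-j DNAT' | awk '{ for (i = 1; i <= NF; i++) if ($i == "-A") print $(i + 1) }'
}

# Number of filter rules added to FORWARD.
forward_rule_count() {
    dry_run | grep -c -- '^-A FORWARD'
}

case "${1:-}" in
    --apply)   enable_forwarding && nat_gateway ;;
    --dry-run) dry_run ;;
esac
```

The FORWARD policy is DROP, so the web server is reachable only on port 80 and only through the DNAT path; any other inbound connection attempt from the WAN side is discarded by the policy rather than by an explicit rule.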






This article is from the "Practical Linux knowledge and Skills sharing" blog, please be sure to keep this source http://superleedo.blog.51cto.com/12164670/1886999
