Linux firewall--iptables (ii)

Source: Internet
Author: User
Tags: block IP address

V. The filter table: packet filtering and forwarding

A. Turn on IP forwarding in the kernel

# sysctl -w net.ipv4.ip_forward=1

or # echo 1 > /proc/sys/net/ipv4/ip_forward


B. Basic matching conditions

• Generic matches

→ Can be used directly, without depending on any other condition or extension module

→ Cover the network protocol, IP addresses, network interfaces and similar conditions

• Implicit matches

→ Require a specific protocol match (-p) as a precondition

→ Cover ports, TCP flags, ICMP types and similar conditions


Category          Option                 Usage
Generic match     Protocol match         -p protocol-name
                  Address match          -s source-address, -d destination-address
                  Interface match        -i inbound interface, -o outbound interface
Implicit match    Port match             --sport source-port, --dport destination-port
                  ICMP type match        --icmp-type icmp-type
                  TCP flag match         --tcp-flags mask comp (check which of the bits listed in mask are set; comp lists the ones that must be set; ! negates)


C. Block an IP address or network segment (-p icmp is added here so the effect can be tested with ping; the firewall host is 192.168.1.201 and the client is 192.168.1.202)

• Host protection: match the source address of inbound access (source address: the address the access originates from)

# ping 192.168.1.201

PING 192.168.1.201 (192.168.1.201) bytes of data.

bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=1.98 ms

bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.326 ms

# iptables -I INPUT 1 -p icmp -s 192.168.1.202 -j DROP

# ping 192.168.1.201 (the ping now fails; cancel it with Ctrl+C)

PING 192.168.1.201 (192.168.1.201) bytes of data.

--- 192.168.1.201 ping statistics ---

3 packets transmitted, 0 received, 100% packet loss, time 2510ms


• Network protection: match the source address of forwarded access (source address: an address other than the firewall's own, because the access does not originate on this host)

# iptables -F

# ping 192.168.1.201

PING 192.168.1.201 (192.168.1.201) bytes of data.

bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=2.16 ms

bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.250 ms

# iptables -I FORWARD -p icmp -s 192.168.1.202 -j DROP

# ping 192.168.1.201 (still succeeds: packets addressed to the firewall itself traverse INPUT, not FORWARD, so a FORWARD rule only affects traffic routed through the host)

PING 192.168.1.201 (192.168.1.201) bytes of data.

bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=0.408 ms

bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.341 ms
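An added example, not from the original post, that puts the two placements of section C side by side: one helper installs the block in INPUT on a host or in FORWARD on a gateway, and another enables forwarding from step A. The test addresses 192.168.1.201 and 192.168.1.202 are reused from above; the /etc/sysctl.d path and the IPT=echo dry-run convention are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Set IPT=echo to print the
# commands instead of applying them; otherwise run as root.
set -eu
IPT="${IPT:-iptables}"

# Step A of the post: enable forwarding now and make it survive a reboot.
# Only a gateway needs this; a plain host should leave forwarding off.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1                      # immediate, lost at reboot
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-forward.conf   # assumed path
}

# block_source ROLE SOURCE
#   ROLE    host     -> traffic addressed to this machine: INPUT chain
#           gateway  -> traffic routed through this machine: FORWARD chain
#   SOURCE  address or CIDR of the sender to drop (-p icmp, as in the ping test)
block_source() {
    local role=$1 src=$2 chain
    case "$role" in
        host)    chain=INPUT ;;
        gateway) chain=FORWARD ;;
        *) echo "usage: block_source host|gateway SOURCE" >&2; return 2 ;;
    esac
    # -I ... 1 puts the rule first so an earlier ACCEPT cannot shadow it.
    "$IPT" -I "$chain" 1 -p icmp -s "$src" -j DROP
}

# Verify the rule is being hit: the pkts/bytes counters of the DROP line
# grow while the blocked client keeps pinging.
show_chain() {
    "$IPT" -L "$1" -n -v --line-numbers
}

if [ "${1:-}" = "apply" ]; then
    block_source "${2:-host}" "${3:-192.168.1.202}"
    show_chain INPUT
    show_chain FORWARD
fi
```

A host that is also a gateway needs the rule in both chains: the FORWARD rule protects the machines behind it, the INPUT rule protects the firewall itself.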


D. Protecting specified network services

• Restricting access to a specified service port

# iptables -A INPUT -s 192.168.1.202/24 -p tcp --dport <port> -j ACCEPT   (rule order matters: this ACCEPT must be appended before the DROP below)

# iptables -A INPUT -p tcp --dport 22 -j DROP

# iptables -A INPUT ! -s 192.168.1.202/24 -p tcp --dport 20:21 -j DROP
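An added example, not from the original post, for section D: the two-rule ACCEPT-then-DROP form and the single negated-source form as shell functions, plus an idempotent append built on iptables -C (available from iptables 1.4.11). The port numbers and networks below are sample values, and IPT=echo as a dry-run switch is a convention of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). IPT=echo prints the commands.
set -eu
IPT="${IPT:-iptables}"

# Two-rule form: the first matching rule in a chain decides the packet's
# fate, so the ACCEPT for the trusted network must come before the DROP.
# usage: allow_then_drop PORT ALLOWED_NET
allow_then_drop() {
    local port=$1 net=$2
    "$IPT" -A INPUT -s "$net" -p tcp --dport "$port" -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport "$port" -j DROP
}

# One-rule form: negate the source with "!". A port range is low:high,
# as in the post's 20:21 example.
# usage: drop_unless_from PORTS ALLOWED_NET
drop_unless_from() {
    local ports=$1 net=$2
    "$IPT" -A INPUT ! -s "$net" -p tcp --dport "$ports" -j DROP
}

# -C exits 0 when an identical rule already exists. -A appends blindly, so
# re-running a setup script without this check duplicates every rule.
# usage: has_rule CHAIN RULE-SPEC...
has_rule() {
    local chain=$1; shift
    "$IPT" -C "$chain" "$@" 2>/dev/null
}

# Idempotent append: add only if missing.
ensure_rule() {
    local chain=$1; shift
    has_rule "$chain" "$@" || "$IPT" -A "$chain" "$@"
}

if [ "${1:-}" = "apply" ]; then
    allow_then_drop 22 192.168.1.0/24
    drop_unless_from 20:21 192.168.1.0/24
    ensure_rule INPUT -p tcp --dport 22 -j DROP   # already present: no-op
fi
```

Note that a host address with a mask, such as the post's 192.168.1.202/24, is stored by iptables with the host bits cleared, so iptables -S shows it as 192.168.1.0/24; writing the network address directly avoids confusion when reading the rule set back.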


E. Policy handling for blocking ping

• Allow this host to ping other hosts, but prevent other hosts from pinging this host

# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT

# iptables -A INPUT ! -s 127.0.0.1 -p icmp --icmp-type echo-request -j DROP

# iptables -A OUTPUT ! -s 127.0.0.1 -p icmp ! --icmp-type echo-request -j DROP


F. Fine-grained control with TCP flags

• Block inbound SYN request packets (the first step of the handshake)

→ Check the four flag bits SYN, RST, ACK and FIN and match when only SYN is set

• Let the other inbound packets through

# iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j DROP

# iptables -A INPUT -i eth1 -p tcp ! --syn -j ACCEPT


VI. iptables state matching

A. Using extension matches

• Basic format

→ -m extension-module --extension-option value

Example: -m mac --mac-source 00:0d:29:24:ec:19

B. Common extension matches

Category          Option                 Usage
Explicit match    State match            -m state --state state-value
                  MAC address match      -m mac --mac-source MAC-address
                  Multi-port match       -m multiport --sports source-port-list
                                         -m multiport --dports destination-port-list
                  IP range match         -m iprange --src-range ip1-ip2
                                         -m iprange --dst-range ip1-ip2
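An added example, not from the original post, that combines the explicit matches from the table above in one rule and checks the one limit practitioners run into most: multiport accepts at most 15 ports, with a range counting as two. The MAC address is the one from the example above; the address range, port list and the IPT=echo dry-run switch are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). IPT=echo prints the commands.
set -eu
IPT="${IPT:-iptables}"

# multiport takes at most 15 ports; a range low:high counts as two.
# Returns 0 if LIST fits, 1 otherwise.
multiport_ok() {
    local list=$1 n=0 item oldifs=$IFS
    IFS=,
    for item in $list; do
        case "$item" in
            *:*) n=$((n + 2)) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    IFS=$oldifs
    [ "$n" -le 15 ]
}

# Allow an admin workstation to open connections to a set of TCP ports:
# - iprange restricts the source to a contiguous range (not a CIDR block),
# - mac pins the Ethernet source; it only means something on the local
#   segment (a router rewrites it) and is not available in OUTPUT,
# - multiport lists several ports in one rule (needs -p tcp first),
# - state NEW limits the rule to connection openings; replies are covered
#   by a separate ESTABLISHED,RELATED rule.
# usage: allow_admin RANGE(ip1-ip2) MAC PORTS(comma list)
allow_admin() {
    local range=$1 mac=$2 ports=$3
    multiport_ok "$ports" || { echo "too many ports for multiport: $ports" >&2; return 1; }
    "$IPT" -A INPUT -m iprange --src-range "$range" \
        -m mac --mac-source "$mac" \
        -p tcp -m multiport --dports "$ports" \
        -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_admin 192.168.1.200-192.168.1.210 00:0d:29:24:ec:19 22,80,443
fi
```

Matches are ANDed within a rule, so every -m module added narrows it further; a longer port list has to be split across two multiport rules rather than extended past the limit.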


C. iptables state tracking

• The five states of a network connection

→ NEW: a packet that requests a new connection, i.e. one that connection tracking has not seen before

→ ESTABLISHED: a packet belonging to a connection that has already been established

→ RELATED: a packet associated with an already known connection (for example the data channel of an FTP session)

→ INVALID: a packet that cannot be associated with any connection, i.e. an invalid connection packet

→ UNTRACKED: a packet that is not subject to connection tracking


D. Discarding unsolicited TCP responses

• For example, against reflection and bounce-type attacks

# iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP

# iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
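An added example, not from the original post, that ties sections E, F and VI.D together into one stateful baseline: once connection tracking accepts ESTABLISHED,RELATED traffic first, the NEW-without-SYN drop from VI.D and the ping policy from E each become a single rule, and the long --tcp-flags form from F is shown next to its --syn shorthand. IPT=echo as a dry-run switch is a convention of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). IPT=echo prints the commands.
set -eu
IPT="${IPT:-iptables}"

# --syn is shorthand for "of SYN,RST,ACK,FIN only SYN is set"; the long
# form from section F is spelled out once so the equivalence is visible.
syn_only_mask="SYN,RST,ACK,FIN"
syn_only_comp="SYN"

# stateful_baseline CHAIN
#  1. accept packets of connections conntrack already knows (replies),
#  2. drop packets conntrack cannot classify at all,
#  3. drop a NEW TCP packet that is not a SYN: no handshake started it,
#     which is the signature of the reflected traffic in section VI.D.
# Anything else falls through to the service rules or the chain policy.
stateful_baseline() {
    local chain=$1
    "$IPT" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A "$chain" -m state --state INVALID -j DROP
    "$IPT" -A "$chain" -m state --state NEW -p tcp \
        ! --tcp-flags "$syn_only_mask" "$syn_only_comp" -j DROP
}

# Section E without the four-rule construction: an outbound echo-request
# creates a NEW conntrack entry, the echo-reply comes back as ESTABLISHED
# and ICMP errors about our own connections arrive as RELATED, so only the
# inbound request itself has to be dropped. Loopback stays fully open.
icmp_policy() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
}

if [ "${1:-}" = "apply" ]; then
    stateful_baseline INPUT
    stateful_baseline FORWARD
    icmp_policy
fi
```

Order is the whole point: the ESTABLISHED,RELATED rule has to sit before the drops, otherwise legitimate replies to the host's own connections are discarded along with the unsolicited ones.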

Linux firewall--iptables (i) http://nmore.blog.51cto.com/9008175/1437118


This article is from the "Ywcto" blog, make sure to keep this source http://nmore.blog.51cto.com/9008175/1437304
