V. Packet filtering and forwarding with the filter table
A. Enable IP forwarding in the kernel
# sysctl -w net.ipv4.ip_forward=1
or # echo 1 > /proc/sys/net/ipv4/ip_forward
B. Basic matching conditions
• Generic matching
→ Can be used directly, without depending on any other condition or extension
→ Covers the network protocol, IP addresses, network interfaces and similar conditions
• Implicit matching
→ Requires a specific protocol match (-p) as a precondition
→ Covers conditions such as ports, TCP flags and ICMP types
Category          | Match                | Option usage
------------------+----------------------+-----------------------------------------------------------------
Generic match     | Protocol matching    | -p <protocol name>
                  | Address matching     | -s <source address>, -d <destination address>
                  | Interface matching   | -i <receiving interface>, -o <sending interface>
Implicit matching | Port matching        | --sport <source port>, --dport <destination port>
                  | ICMP type matching   | --icmp-type <ICMP type>
                  | TCP flag matching    | --tcp-flags <bits to check> <bits that must be set> (! negates)
C. Blocking an IP address or network segment (the tests below use -p icmp)
• Host protection: match on the source address of inbound traffic (the source address is the host where the access originates). The rule is loaded on 192.168.1.201 and the ping is sent from 192.168.1.202:
# ping 192.168.1.201
PING 192.168.1.201 (192.168.1.201) 56(84) bytes of data.
64 bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=1.98 ms
64 bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.326 ms
# iptables -I INPUT 1 -p icmp -s 192.168.1.202 -j DROP
# ping 192.168.1.201    (no replies now; stop with Ctrl+C)
PING 192.168.1.201 (192.168.1.201) 56(84) bytes of data.
--- 192.168.1.201 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2510ms
• Network protection: match on the source address of forwarded traffic (the source address is a host other than this machine, whose traffic merely passes through it)
# iptables -F    (clear the rule from the previous test)
# ping 192.168.1.201
PING 192.168.1.201 (192.168.1.201) 56(84) bytes of data.
64 bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=2.16 ms
64 bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.250 ms
# iptables -I FORWARD -p icmp -s 192.168.1.202 -j DROP
# ping 192.168.1.201    (still answered: the ping is addressed to this host itself, so it traverses INPUT, not FORWARD)
PING 192.168.1.201 (192.168.1.201) 56(84) bytes of data.
64 bytes from 192.168.1.201: icmp_seq=1 ttl=64 time=0.408 ms
64 bytes from 192.168.1.201: icmp_seq=2 ttl=64 time=0.341 ms
D. Protecting specific network services
• Restricting access to a service port to a given source network
# iptables -A INPUT -s 192.168.1.202/24 -p tcp --dport -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j DROP
# iptables -A INPUT ! -s 192.168.1.202/24 -p tcp --dport 20:21 -j DROP
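To make the chain choice of section C and the address/port matching of section D concrete, here is a small Python model of how iptables selects INPUT versus FORWARD and applies -s, -p and --dport with first-match semantics. It is an added example written for this page, not code from the original post or from the iptables project. It assumes an ACCEPT chain policy, treats 192.168.1.201 as the host the rules are loaded on, and, because the page leaves the port of the first ACCEPT rule in section D blank, assumes port 22 for it; 10.0.0.5, 192.168.1.50 and 203.0.113.9 are constructed addresses.

```python
"""Toy model of how iptables picks a chain (INPUT vs FORWARD) and applies
-s / -p / --dport matches, first matching rule wins.

Added example for sections C and D above; not code from the original page.
Addresses 192.168.1.201/.202 come from the page; the other packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp" or "tcp"
    dport: Optional[int] = None     # TCP destination port, None for ICMP


@dataclass
class Rule:
    chain: str                      # "INPUT" or "FORWARD"
    target: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None     # -p
    src: Optional[str] = None       # -s, address or CIDR; leading "!" negates
    dport: Optional[str] = None     # --dport, "22" or a range "20:21"


def addr_match(spec: str, addr: str) -> bool:
    """-s / -d semantics: a host address with a prefix length is treated as its
    network (192.168.1.202/24 means 192.168.1.0/24); '!' inverts the result."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def port_match(spec: str, port: Optional[int]) -> bool:
    """--dport semantics: a single port or an inclusive lo:hi range."""
    if port is None:
        return False
    negate = spec.startswith("!")
    lo, _, hi = spec.lstrip("! ").partition(":")
    lo_n, hi_n = int(lo), (int(hi) if hi else int(lo))
    return (lo_n <= port <= hi_n) != negate


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and not addr_match(rule.src, pkt.src):
        return False
    if rule.dport and not port_match(rule.dport, pkt.dport):
        return False
    return True


def select_chain(pkt: Packet, local_addrs: set, ip_forward: bool) -> Optional[str]:
    """Packets addressed to this host traverse INPUT. Anything else is only
    forwarded (FORWARD chain) when net.ipv4.ip_forward=1; otherwise routing drops it."""
    if pkt.dst in local_addrs:
        return "INPUT"
    return "FORWARD" if ip_forward else None


def evaluate(rules, pkt: Packet, local_addrs: set, ip_forward: bool = True,
             policy: str = "ACCEPT") -> str:
    chain = select_chain(pkt, local_addrs, ip_forward)
    if chain is None:
        return "NOT_ROUTED"
    for rule in rules:                       # first match in the chain decides
        if rule.chain == chain and rule_matches(rule, pkt):
            return rule.target
    return policy                            # chain policy applies otherwise


LOCAL = {"192.168.1.201"}                    # the host the rules are loaded on


def section_c_demo():
    """FORWARD rule from section C: a ping addressed to this host still gets
    through (INPUT chain); a ping routed through this host is dropped."""
    rules = [Rule("FORWARD", "DROP", proto="icmp", src="192.168.1.202")]
    to_self = evaluate(rules, Packet("192.168.1.202", "192.168.1.201", "icmp"), LOCAL)
    through = evaluate(rules, Packet("192.168.1.202", "10.0.0.5", "icmp"), LOCAL)
    return to_self, through                  # ("ACCEPT", "DROP")


def section_d_demo():
    """Section D rules; port 22 for the first rule is an assumption (the page
    leaves it blank). 203.0.113.9 is a constructed outside address."""
    rules = [
        Rule("INPUT", "ACCEPT", proto="tcp", src="192.168.1.202/24", dport="22"),
        Rule("INPUT", "DROP", proto="tcp", dport="22"),
        Rule("INPUT", "DROP", proto="tcp", src="!192.168.1.202/24", dport="20:21"),
    ]
    lan_ssh = evaluate(rules, Packet("192.168.1.50", "192.168.1.201", "tcp", 22), LOCAL)
    wan_ssh = evaluate(rules, Packet("203.0.113.9", "192.168.1.201", "tcp", 22), LOCAL)
    wan_ftp = evaluate(rules, Packet("203.0.113.9", "192.168.1.201", "tcp", 21), LOCAL)
    lan_ftp = evaluate(rules, Packet("192.168.1.50", "192.168.1.201", "tcp", 21), LOCAL)
    return lan_ssh, wan_ssh, wan_ftp, lan_ftp  # ("ACCEPT", "DROP", "DROP", "ACCEPT")


if __name__ == "__main__":
    print(section_c_demo(), section_d_demo())
```

The model deliberately routes before filtering: that ordering is why the FORWARD rule in section C has no effect on a ping aimed at the host itself, and why `ip_forward=0` makes transit packets disappear before any chain is consulted.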
E. Policies for blocking ping
• Allow this host to ping other hosts, but prevent other hosts from pinging this host
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT
# iptables -A INPUT ! -s 127.0.0.1 -p icmp --icmp-type echo-request -j DROP
# iptables -A OUTPUT ! -s 127.0.0.1 -p icmp ! --icmp-type echo-request -j DROP
F. Fine-grained control with TCP flags
• Drop inbound SYN request packets (the first step of the handshake) arriving on eth1
→ Check the four flag bits SYN, RST, ACK and FIN; the rule matches when only SYN is set
• Accept the remaining inbound packets
# iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j DROP
# iptables -A INPUT -i eth1 -p tcp ! --syn -j ACCEPT
VI. iptables state matching
A. Using extended matches
• Basic format
→ -m <extension module> --<extended condition> <condition value>
Example: -m mac --mac-source 00:0d:29:24:ec:19
B. Common extension matches
Category         | Match                 | Option usage
-----------------+-----------------------+---------------------------------------------------
Explicit matches | State matching        | -m state --state <state values>
                 | MAC address matching  | -m mac --mac-source <MAC address>
                 | Multi-port matching   | -m multiport --sports <source port list>
                 |                       | -m multiport --dports <destination port list>
                 | IP range matching     | -m iprange --src-range <ip1>-<ip2>
                 |                       | -m iprange --dst-range <ip1>-<ip2>
C. iptables state tracking
• The five states of a network connection
→ NEW: a packet that requests a new connection; connection tracking has no record of it yet
→ ESTABLISHED: a packet belonging to a connection that is being or has already been established
→ RELATED: a packet associated with an existing connection (for example an FTP data channel)
→ INVALID: a packet that belongs to no known connection and cannot be identified
→ UNTRACKED: a packet exempted from connection tracking
D. Dropping TCP packets that belong to no known connection
• For example, against reflection and bounce-type attacks
# iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP
# iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
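The --tcp-flags mask/compare logic of section F and the "NEW but not SYN" test of section VI.D share the same flag arithmetic, so here is one added Python model covering both. It is example code written for this page, not code from the original post or from netfilter. It assumes the standard TCP header bit values for FIN, SYN, RST and ACK, a toy flow table standing in for conntrack, and constructed packets (one tracked SSH session from 192.168.1.50, probes from the made-up outside address 203.0.113.9).

```python
"""Toy model of --tcp-flags / --syn and of -m state --state NEW for the rules
in sections F and VI.D.

Added example, not code from the original page or from netfilter; the flag bit
encoding follows the TCP header, the flow table and packets are constructed."""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}


def flags_value(names: str) -> int:
    """'SYN,ACK' -> 0x12, the same comma-separated list iptables accepts."""
    return sum(FLAG_BITS[n.strip().upper()] for n in names.split(",") if n.strip())


def tcp_flags_match(pkt_flags: int, mask: str, comp: str, negate: bool = False) -> bool:
    """--tcp-flags MASK COMP: look only at the bits in MASK; of those, exactly
    the bits in COMP must be set. A leading '!' on the rule inverts the result."""
    hit = (pkt_flags & flags_value(mask)) == flags_value(comp)
    return hit != negate


def is_syn(pkt_flags: int) -> bool:
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (a pure SYN)."""
    return tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN")


def section_f_decision(iface: str, pkt_flags: int) -> str:
    """Section F on eth1: drop connection requests, accept every other packet."""
    if iface == "eth1" and tcp_flags_match(pkt_flags, "SYN,RST,ACK,FIN", "SYN"):
        return "DROP"
    if iface == "eth1" and not is_syn(pkt_flags):
        return "ACCEPT"
    return "POLICY"                       # other interfaces: chain policy decides


def conn_state(flow_table: dict, pkt: dict) -> str:
    """Stand-in for conntrack. flow_table maps a seen 4-tuple to the set of
    4-tuples it expects as RELATED traffic. With the kernel default
    nf_conntrack_tcp_loose=1, a packet matching no flow is NEW even without SYN."""
    key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    rev = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
    if key in flow_table or rev in flow_table:
        return "ESTABLISHED"
    if any(key in related for related in flow_table.values()):
        return "RELATED"
    return "NEW"


def stray_tcp_decision(flow_table: dict, pkt: dict) -> str:
    """Section VI.D rule: -m state --state NEW -p tcp ! --syn -j DROP."""
    if conn_state(flow_table, pkt) == "NEW" and not is_syn(pkt["flags"]):
        return "DROP"
    return "POLICY"


def demo():
    # constructed: one open SSH session from the LAN, nothing else tracked
    flows = {("192.168.1.50", "192.168.1.201", 40001, 22): set()}
    base = {"src": "203.0.113.9", "dst": "192.168.1.201", "sport": 5555, "dport": 22}
    syn = dict(base, flags=flags_value("SYN"))           # legitimate handshake start
    stray_ack = dict(base, flags=flags_value("ACK"))     # ACK with no connection behind it
    in_session = {"src": "192.168.1.50", "dst": "192.168.1.201",
                  "sport": 40001, "dport": 22, "flags": flags_value("ACK")}
    return (stray_tcp_decision(flows, syn),
            stray_tcp_decision(flows, stray_ack),
            stray_tcp_decision(flows, in_session))       # ("POLICY", "DROP", "POLICY")


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that `! --syn` alone would also drop the in-session ACK; only the combination with `--state NEW` isolates packets that carry no handshake and match no tracked connection, which is what a reflected or spoofed TCP packet looks like to the host.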
Linux firewall: iptables (part 1): http://nmore.blog.51cto.com/9008175/1437118
This article is from the "Ywcto" blog; please keep this source when sharing it: http://nmore.blog.51cto.com/9008175/1437304