Linux firewall: iptables usage rules in detail

shared by: du52.com Mail: wangaibo168@163.com home: http://www.du52.com

Iptables rules

This chapter discusses in detail how to build your own rules. A rule is a line placed in a chain that tells the kernel what to do with a packet that matches it: block it, let it through, or send it somewhere else. Every line inserted into a chain is one rule. We also discuss the basic matches and how to use them, the various targets, and how to build our own targets (for example, a new chain).

1. Basics

We have already explained what a rule is: from the kernel's point of view, a rule is a statement that decides how a packet is handled. If a packet meets all the criteria (that is, all the match statements), the target or jump instruction is executed. The syntax for writing a rule is:

iptables [-t table] command [match] [target/jump]

There is not much to say about this syntax, except that the target must come last. We generally use this order for readability, and most rules you will see are written this way, so rules written by others will look familiar and be easy to read.

If you do not want to use the default table, specify the table name with -t. In most cases this is not necessary, because iptables uses the filter table by default. The table option can in fact appear almost anywhere in the rule, but putting it first is the accepted convention.

The command is always at the beginning, or directly after the table name, which keeps rules readable. The command tells the program what to do: insert a rule, append a rule to the end of a chain, delete a rule, and so on. The commands are described in detail below.

The match describes a feature of the packet that distinguishes it from all other packets. Here we can specify the source IP address of the packet, the network interface, the port, the protocol type, or whatever else is needed. We will see many different matches below.

Finally, the target. If the packet matches every match in the rule, the kernel hands it to the target. For example, we could send the packet to another chain in the same table (one we may have built ourselves), simply discard it without any further processing, or return a particular response to the sender. This is discussed in detail below.

2. Tables

The -t option specifies which table to use; it can be any of the tables described below, and filter is the default. Note that the following descriptions are only a summary of the earlier chapter on tables and chains.

Table 1-1. Tables

Table: nat

Explanation: The nat table is used for Network Address Translation (NAT), that is, for changing the source or destination address of a packet according to our rules. Only the first packet of a connection traverses this table; if that packet is allowed to be NATed or masqueraded, the remaining packets of the same connection are translated the same way automatically, without passing through the table again. This is the main reason we should not do any filtering in this table, which we will discuss in more detail later. The PREROUTING chain changes the destination address of a packet when it has just arrived at the firewall, if necessary (DNAT). The OUTPUT chain changes the destination address of locally generated packets. The POSTROUTING chain changes the source address of a packet just before it leaves the firewall (SNAT or masquerading).

Table: mangle

Explanation: This table is used to mangle packets: we can change fields in the packet headers such as TTL, TOS or mark. Note that MARK does not actually change the packet; it sets a tag on the packet inside kernel space, which other rules or programs within the firewall (such as tc) can use to filter the packet or do advanced routing. This table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD. PREROUTING mangles packets after they enter the firewall and before the routing decision; POSTROUTING after all routing decisions have been made. OUTPUT mangles locally generated packets before the routing decision. INPUT mangles packets after they have been routed to the local host but before any user-space program sees them. FORWARD mangles packets after the initial routing decision and before the final routing decision is made. Note that the mangle table cannot do any NAT: it only changes TTL, TOS or mark, never the source or destination address. NAT is done in the nat table.

Table: filter

Explanation: The filter table is used for the actual packet filtering. It has three built-in chains, and in them we can DROP, LOG, ACCEPT or REJECT packets without any problem. The FORWARD chain filters all packets that are neither generated locally nor destined for the local host, that is, everything passing through the firewall. INPUT filters packets whose destination is the local host, and OUTPUT filters all locally generated packets.

The basic contents of the three tables are described above. You should understand that their purposes are completely different and know what each chain is used for; if you do not, you may leave a hole in the firewall that gives an attacker an opening. The chapter on tables and chains covers these essential tables and chains in detail; if you do not fully understand how a packet passes through them, go back and read it more carefully.
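As an added example (not part of the original tutorial), the following script generates a small ruleset in iptables-restore format that puts each kind of rule in the table and chain assigned to it above: address rewriting only in nat (DNAT in PREROUTING, masquerading in POSTROUTING), marking only in mangle, and all filtering in filter. The interface names, addresses and the published web server are assumptions chosen for illustration, and the conntrack match is assumed to be available. Note that FORWARD in the filter table sees the packet after the nat PREROUTING rewrite, so the filter rule must name the internal server address, not the public one.

```shell
#!/bin/sh
# Added example: a minimal three-table ruleset in iptables-restore format.
# Hypothetical topology (an assumption, not from the tutorial):
#   eth0 = internet-facing interface, eth1 = LAN 192.168.1.0/24,
#   web server 192.168.1.80 published on TCP port 80.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.80

# Print the ruleset. nat only rewrites addresses (and only sees the first
# packet of a connection), mangle only marks, and all filtering is in filter.
ruleset() {
cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# tag LAN traffic for tc / policy routing; the packet itself is not changed
-A PREROUTING -i $LAN_IF -j MARK --set-mark 1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT before routing: publish the internal web server
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# masquerade after routing: hide the LAN behind the WAN address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD runs after nat PREROUTING, so match the DNATed (internal) address
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Count the -A rules the generated ruleset places in <table> <chain>.
rules_in() {
  ruleset | awk -v t="*$1" -v c="$2" '
    $0 == t          { in_t = 1; next }
    $0 == "COMMIT"   { in_t = 0 }
    in_t && $1 == "-A" && $2 == c { n++ }
    END              { print n + 0 }'
}

# Parse-check the ruleset, then load it. Needs root; --test only parses.
load_ruleset() {
  ruleset | iptables-restore --test && ruleset | iptables-restore
}

# Stand-alone run: show the ruleset that would be loaded.
ruleset
```

Run `load_ruleset` as root to apply it; `iptables-restore --test` rejects syntax errors before anything reaches the kernel, and a single iptables-restore commit replaces all three tables atomically instead of leaving a half-built ruleset if one command fails.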

3. Commands

In this section we describe all the commands and their use. The command specifies what iptables does with the rule we submit: add something to a table, delete something from it, or something else. The following commands are available to iptables (the default table is filter unless otherwise stated):

Table 1-2. Commands

Command: -A, --append

Example: iptables -A INPUT ...

Explanation: Appends a rule to the end of the selected chain. When the source or destination address is given as a hostname rather than an IP address, and the name resolves to more than one address, a separate rule is added for every address.

Command: -D, --delete

Example: iptables -D INPUT -p tcp --dport 80 -j DROP or iptables -D INPUT 1

Explanation: Deletes a rule from the selected chain. There are two ways to specify the rule: write it out in full (it must match the existing rule exactly), or give its number in the chain (the rules in each chain are numbered from 1).

Command: -R, --replace

Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP

Explanation: Replaces the rule at the given number in the selected chain (each chain numbers its rules from 1). Its main use is experimenting with different rules. When the source or destination address is a hostname that resolves to more than one address, the command fails.

Command: -I, --insert

Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

Explanation: Inserts a rule into the selected chain at the given position. If the number is 1 the rule goes at the head of the chain; 1 is also the default.

Command: -L, --list

Example: iptables -L INPUT

Explanation: Lists all rules of the selected chain. If no chain is given, all chains in the specified table are listed; if nothing at all is specified, all chains of the default table (filter) are listed. The exact output is affected by other options such as -n and -v, described below.

Command: -F, --flush

Example: iptables -F INPUT

Explanation: Flushes the selected chain, deleting every rule in it. If no chain is given, all chains in the specified table are flushed; if nothing at all is specified, all chains of the default table are flushed. You could delete the rules one by one, but this is quicker.

Command: -Z, --zero

Example: iptables -Z INPUT

Explanation: Zeroes the packet and byte counters of all rules in the specified chain (all chains of the table if none is given).

Command: -N, --new-chain

Example: iptables -N allowed

Explanation: Creates a new user-defined chain with the given name; the example above creates a chain called allowed. The name must not be the same as an existing chain or target.

Command: -X, --delete-chain

Example: iptables -X allowed

Explanation: Deletes the specified user-defined chain. The chain must be empty and must not be referenced by any rule; if it is referenced, delete or replace the referencing rules first. With no argument, this command deletes all non-built-in chains of the default table.

Command: -P, --policy

Example: iptables -P INPUT DROP

Explanation: Sets the default policy (target) of the chain (available
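The following is an added example, not from the original text, that walks through the commands above on a user-defined chain (the chain name allowed and the ports used are illustrative assumptions). The ipt wrapper only prints each command unless APPLY=1 is set, so the sequence, including how -I and -R shift and replace rule numbers, can be read without root privileges; run it as root with APPLY=1 to execute it for real. Every rule also follows the layout from section 1: table, command, matches, and the target last.

```shell
#!/bin/sh
# Added example: exercising the iptables commands on a user-defined chain.
# ipt() runs the real binary only when APPLY=1; otherwise it prints the
# command (dry run), so the script is safe to read and run unprivileged.
IPT=${IPT:-iptables}

ipt() {
  if [ "${APPLY:-0}" = 1 ]; then
    "$IPT" "$@"
  else
    echo "$IPT $*"
  fi
}

# Build the chain "allowed" (hypothetical name, as in the -N example) and
# hook it into INPUT. Comments track the rule numbers after each command.
demo() {
  ipt -N allowed                                   # -N: new user chain
  ipt -A allowed -p tcp --dport 22 -j ACCEPT       # -A: rule 1
  ipt -A allowed -p tcp --dport 80 -j ACCEPT       # -A: rule 2
  ipt -A allowed -p tcp -j DROP                    # -A: rule 3
  ipt -I allowed 1 -p tcp --dport 23 -j DROP       # -I at 1: becomes rule 1, DROP is now rule 4
  ipt -R allowed 4 -p tcp -j REJECT --reject-with tcp-reset  # -R: replace rule 4 in place
  ipt -D allowed 1                                 # -D by number: removes the telnet rule
  ipt -A INPUT -p tcp -j allowed                   # built-in chain jumps to our chain (target last)
  ipt -L allowed -n -v --line-numbers              # -L: list with rule numbers and counters
  ipt -Z allowed                                   # -Z: zero the counters
  ipt -P INPUT DROP                                # -P: default policy of a built-in chain
}

# -X fails while the chain is referenced or non-empty, so undo in this order.
teardown() {
  ipt -D INPUT -p tcp -j allowed                   # -D by full specification (must match exactly)
  ipt -F allowed                                   # -F: empty the chain
  ipt -X allowed                                   # -X: now it can be deleted
}

demo
teardown
```

In dry-run mode each line printed is exactly the command that would be executed, which makes the script a readable change record before it is applied.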
