Linux Iptables Learning

Source: Internet
Author: User
Tags ack session id

Author's original:

Http://blog.chinaunix.net/uid-9950859-id-98277.html

All data transmitted on the Internet is divided into small packets. As soon as we connect to the network, a great many packets enter, leave, or pass through our computer.
First we have to understand what the firewall does with these packets. Each packet passes through a corresponding rule chain: a packet destined for your computer first enters the INPUT chain; a packet sent from your computer goes through the OUTPUT chain; and if the computer acts as a network gateway (two network connections, one to the intranet and one to the extranet, with the traffic between the two networks passing through this computer, which then works much like a router and may carry a lot of data), the packets that merely pass through it go through the FORWARD chain, the data-forwarding chain. Once we understand the concept of these "chains" we can go on to learn how to use iptables.
Now let's look at how iptables rules work. Suppose we want to visit www.yahoo.com: we send a request to www.yahoo.com, and the packets pass through the OUTPUT chain. Before the request leaves, the Linux kernel checks whether the OUTPUT chain has a rule matching the packet. If no rule matches, the chain's default policy decides: allow or not allow (in fact there are two ways of not allowing: one rejects the request and tells the requesting program it was refused, the other discards the packet and leaves the requester waiting until it times out). If allowed, the request is sent, and the packets returned by the www.yahoo.com server pass through the INPUT chain, where of course rules are waiting for them too.

Here we introduce several iptables commands.

iptables -L [-t filter]
This command shows the firewall rules currently set. A possible result is as follows:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

From here we can see that iptables has three chains: INPUT, OUTPUT and FORWARD.
INPUT is the first line of defence for data entering our host from outside (you can of course also put a hardware firewall in front of it).
OUTPUT is the check applied to data leaving your host.
FORWARD handles packets that are forwarded through the host, for example when you are doing NAT.

Setting up iptables mainly means setting these three chains; the other chains, including those of the nat table, are discussed later.
Before you can use iptables you have to start it. The start command is: service iptables restart
By default the three chains all have the policy ACCEPT, as if set with:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

You can see this with iptables -L.

Overall, iptables can be run in two ways:
1. Default allow, deny specific traffic
2. Default deny, allow specific traffic
Each has its own characteristics. From a security point of view I personally lean towards the second, default deny with specific allows. The iptables default, however, is the first: default allow with specific denies.
You can change the default policies to the second model with the following commands:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

If you look again with iptables -L, you will see that the default policy has changed.

First, a few housekeeping parameters: -X, -Z and -F
-F flush the rules of a chain (or of all chains)
-X delete user-defined chains
-Z zero the packet and byte counters of the chains
In general, clear the old rules before you create new ones. This is a good habit, because leftover rules can interfere with the rules you build.
Basic syntax:

iptables [-A|-I chain] [-i|-o interface] [-p tcp|udp|icmp|all] [-s ip/network] [--sport ports] [-d ip/network] [--dport ports] [-j ACCEPT|DROP]

The above is the basic syntax of iptables.
-A means append a rule to the chain
-I means insert a rule into the chain
-i/-o refer to the interface the packet enters or leaves through, such as eth0, eth1 or a PPPoE interface
-p the protocol you want to match
-s refers to the source address: a single IP such as 192.168.2.6, a network such as 192.168.2.0/24, or a domain name such as 163.com (if you give a domain name, the system resolves it to its IP address and that is what iptables displays)
--sport source port
-d is like -s except that it refers to the destination address (IP, domain name or network)
--dport destination port
-j the action to take: ACCEPT or DROP
Note: if a parameter is omitted, it matches everything.
1. If I want to accept all data arriving on my own lo interface, I can write:
iptables -A INPUT -i lo -j ACCEPT
2. If we want to accept data from the IP address 192.168.2.6, we can write:
iptables -A INPUT -s 192.168.2.6 -j ACCEPT
3. If we want to refuse Telnet connections from 192.168.2.0/24 to this machine:
iptables -A INPUT -s 192.168.2.0/24 -p tcp --dport 23 -j DROP

The iptables command
Syntax:

iptables [-t table] command [match] [-j target/jump]

The -t parameter selects a rule table. There are three built-in tables: nat, mangle and filter; when no table is given, filter is assumed. The tables do the following:
nat This table has the PREROUTING and POSTROUTING chains. Its main job is one-to-one, one-to-many and many-to-many address translation (SNAT, DNAT). Because of the nature of translation, a packet whose destination address is rewritten does not need its source address rewritten, and vice versa, so to speed up packet rewriting each packet passes through this table only once while the firewall is running. If we put packet-filtering rules in this table they cannot match the same packet more than once, so this table should not be used for anything other than address translation.
mangle This table has three chains: PREROUTING, FORWARD and POSTROUTING.
Besides address translation, some special applications may need to rewrite packet fields (TTL, TOS) or set a mark (the packet is marked for later filtering); such rules must be defined in the mangle table. Because it is rarely needed, we do not discuss the use of mangle here.
filter This is the default table, with the INPUT, FORWARD and OUTPUT chains. As its name implies, it is used for packet filtering (for example DROP, LOG, ACCEPT or REJECT). We will build the basic rules in this table.

List of common commands
Command -A, --append
Example iptables -A INPUT ...
Description appends a new rule to a chain; it becomes the last rule in the chain.
Command -D, --delete
Example iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 1
Description removes a rule from a chain; you can either give the full rule or specify the rule number to delete it directly.
Command -R, --replace
Example iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description replaces an existing rule; the replaced rule keeps its position in the chain.
Command -I, --insert
Example iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Description inserts a rule; the rule previously at that position moves back one position.
Command -L, --list
Example iptables -L INPUT
Description lists all the rules in a chain.
Command -F, --flush
Example iptables -F INPUT
Description deletes all rules in a chain.
Command -Z, --zero
Example iptables -Z INPUT
Description zeroes the packet counters. The packet counters count how many times a rule has matched and are an indispensable tool when filtering out blocking (denial-of-service) attacks.
Command -N, --new-chain
Example iptables -N allowed
Description defines a new chain.
Command -X, --delete-chain
Example iptables -X allowed
Description deletes a chain.
Command -P, --policy
Example iptables -P INPUT DROP
Description defines the filtering policy, that is, the default treatment of packets that match none of the rules.
Command -E, --rename-chain
Example iptables -E allowed disallowed
Description renames a user-defined chain.
Common packet matching parameters:
Parameter -p, --protocol
Example iptables -A INPUT -p tcp
Description matches the protocol type. The ! operator negates the match, for example -p ! tcp means any type other than TCP, including UDP, ICMP and so on. To match all types use the all keyword, for example -p all.
Parameter -s, --src, --source
Example iptables -A INPUT -s 192.168.1.1
Description matches the packet's source IP. It can match a single host or a network; for a network, give the mask length after the slash, for example -s 192.168.0.0/24. The ! operator negates the match, for example -s ! 192.168.0.0/24.
Parameter -d, --dst, --destination
Example iptables -A INPUT -d 192.168.1.1
Description matches the packet's destination IP; set it the same way.
Parameter -i, --in-interface
Example iptables -A INPUT -i eth0
Description matches the interface the packet arrives on. The wildcard + widens the match, for example -i eth+ matches all Ethernet interfaces. The ! operator negates the match, for example -i ! eth0.
Parameter -o, --out-interface
Example iptables -A FORWARD -o eth0
Description matches the interface the packet leaves through; set it the same way.
Parameter --sport, --source-port
Example iptables -A INPUT -p tcp --sport 22
Description matches the packet's source port, either a single port or a range, for example --sport 22:80 matches ports 22 through 80. To match non-contiguous ports you must use the --multiport parameter, described below. The ! operator negates a port match.
Parameter --dport, --destination-port
Example iptables -A INPUT -p tcp --dport 22
Description matches the packet's destination port; set it the same way.
Parameter --tcp-flags
Example iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Description matches the TCP flags of the packet. The parameter has two parts: the first lists the flags to examine, the second lists which of those must be set; the examined flags not listed in the second part must be clear. The TCP flags are SYN (synchronise), ACK (acknowledge), FIN (finish), RST (reset), URG (urgent) and PSH (push); the keywords ALL and NONE can also be used. The ! operator negates the match.
Parameter --syn
Example iptables -p tcp --syn
Description matches TCP packets that request a new connection; it is exactly the same as iptables -p tcp --tcp-flags SYN,FIN,ACK SYN. With the ! operator it matches packets that do not request a connection.
Parameter -m multiport --source-port
Example iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description matches several non-contiguous source ports, up to 15 ports at a time. The ! operator negates the match.
Parameter -m multiport --destination-port
Example iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description matches several non-contiguous destination ports; set it the same way.
Parameter -m multiport --port
Example iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description this parameter is special: it matches packets whose source port and destination port are the same listed port; set it as above. Note: in this example a packet with source port 80 and destination port 110 does not match.
Parameter --icmp-type
Example iptables -A INPUT -p icmp --icmp-type 8
Description matches the ICMP type, given either by name or by number. Run iptables -p icmp --help to see the available names.
Parameter -m limit --limit
Example iptables -A INPUT -m limit --limit 3/hour
Description matches the average rate of packets over a period; the example matches as long as the average does not exceed 3 packets per hour. Besides per hour, the average can be per second, minute or day; the default is once per hour, written /second, /minute, /hour or /day. Beyond limiting the number of matches, once the limit is reached this parameter suspends matching, which helps prevent a flood attack from causing a service outage.
Parameter --limit-burst
Example iptables -A INPUT -m limit --limit-burst 5
Description matches a burst of packets larger than the instantaneous limit; in the example, once more than 5 packets (the default) arrive at once, the excess over this limit is discarded directly. Used in the same way as above.
Parameter -m mac --mac-source
Example iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description matches the hardware address of the network interface the packet came from. This parameter cannot be used in the OUTPUT and POSTROUTING chains, because before a packet is sent out the network card driver discovers the destination MAC address via ARP, so at the moment iptables matches the packet it does not yet know which interface the packet will leave through.
Parameter --mark
Example iptables -t mangle -A INPUT -m mark --mark 1
Description matches whether the packet carries a particular mark, a number assigned to the packet by an earlier MARK action; the number cannot exceed 4294967296.
Parameter -m owner --uid-owner
Example iptables -A OUTPUT -m owner --uid-owner 500
Description matches packets generated on this machine by a particular user, which prevents the server from transmitting sensitive data as root or another identity and so limits the damage of a compromise. Unfortunately it cannot match packets coming from other hosts.
Parameter -m owner --gid-owner
Example iptables -A OUTPUT -m owner --gid-owner 0
Description matches, in the same way, packets generated on this machine by a particular group.
Parameter -m owner --pid-owner
Example iptables -A OUTPUT -m owner --pid-owner 78
Description matches packets generated on this machine by a particular process.
Parameter -m owner --sid-owner
Example iptables -A OUTPUT -m owner --sid-owner 100
Description matches, in the same way, packets generated on this machine by a particular session (session ID).
Parameter -m state --state
Example iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description matches the connection state. There are four states: INVALID, ESTABLISHED, NEW and RELATED.
INVALID means the packet's connection (session ID) cannot be identified or the packet is malformed.
ESTABLISHED means the packet belongs to an already established connection.
NEW means the packet wants to start a new connection (or reset or redirect a connection).
RELATED means the packet belongs to a new connection that is related to an already established connection; for example, an ftp-data connection must originate from an ftp connection.
Common actions:
The -j parameter specifies the action to perform. Commonly used actions are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT,
SNAT, MIRROR, QUEUE, RETURN and MARK, described as follows:
ACCEPT lets the packet through. After this action no further rules are compared; processing jumps directly to the next chain (nat:POSTROUTING).
REJECT blocks the packet and sends a packet back to notify the other side. Several reply packets can be chosen: ICMP port-unreachable, ICMP echo-reply or
tcp-reset (this packet asks the other side to close the connection). After this action no further rules are compared; the filtering process is interrupted directly. Example:
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
DROP discards the packet without further processing. After this action no further rules are compared; the filtering process is interrupted directly.
REDIRECT redirects the packet to another port (PNAT). After this action the packet continues to be compared against the remaining rules. This can be used to implement a transparent
proxy or to protect a web server. Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
MASQUERADE rewrites the packet's source IP to the IP of the firewall's network card; a port range can be given. After this action processing jumps directly to the next chain (mangle:POSTROUTING). It differs slightly from SNAT: when masquerading there is no need to specify which IP to use, because the IP to masquerade as is read directly from the network card. This is particularly useful on dial-up lines, where the IP is usually assigned by the ISP's DHCP server. Example:
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000
LOG records the packet's information under /var/log; consult the /etc/syslog.conf configuration file for the exact location. After this action the packet continues to be compared against the remaining rules. Example:
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
SNAT rewrites the packet's source IP to a specific IP or IP range; a port range can be given. After this action processing jumps directly to the next chain (mangle:POSTROUTING). Example:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
DNAT rewrites the packet's destination IP to a specific IP or IP range; a port range can be given. After this action processing jumps directly to the next chain (filter:INPUT or filter:FORWARD). Example:
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100
MIRROR mirrors the packet, that is, swaps the source and destination IPs and sends the packet back. After this action the filtering process is interrupted.
QUEUE interrupts the filtering process, puts the packet in a queue and hands it to another program. Other applications, such as billing for online time, can be implemented through a self-developed handler.
RETURN ends filtering in the current chain and returns to the calling chain to continue filtering. If a user-defined chain is treated as a subroutine, this action is like ending the subroutine early and returning to the main program.
MARK marks the packet with a number so that later rules can use it as a match condition. After this action the packet continues to be compared against the remaining rules. Example:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
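The LOG action above only pays off if someone reads what it writes. The following is an added example, not code from the original post: a small shell function that summarises kernel log lines produced by LOG rules with prefixes such as Iptables_22_alert, counting hits per prefix and source address. It also handles a caveat worth knowing: a prefix without a trailing space is glued straight onto the IN= field in the log line, so the prefix has to be split off again. The hostname gw and all addresses in the sample log are constructed data.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the kernel log lines
# produced by LOG rules such as
#   iptables -A INPUT -i eth+ -p tcp --dport 22 -j LOG --log-prefix "Iptables_22_alert" --log-level info
# so the administrator can see which sources keep hitting the logged ports.
# Caveat handled below: a prefix without a trailing space is glued to the
# "IN=" field ("Iptables_22_alertIN=eth0"), so the prefix must be split off.
# Hostname "gw" and the addresses are constructed sample data.

# count_alerts [prefix-pattern] < logfile
# Prints "prefix source count" per (prefix, SRC) pair, most frequent first.
count_alerts() {
    pat="${1:-Iptables_}"
    awk -v pat="$pat" '
        $0 !~ pat { next }                    # only lines from our LOG rules
        {
            prefix = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ ("^" pat)) {
                    prefix = $i
                    sub(/IN=.*/, "", prefix)  # strip a glued "IN=ethX"
                } else if ($i ~ /^SRC=/) {
                    src = substr($i, 5)
                }
            }
            if (prefix != "" && src != "") hits[prefix " " src]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | LC_ALL=C sort -k3,3nr -k1,1 -k2,2
}

# sample_log: constructed syslog excerpt in the format netfilter LOG writes.
# Line 5 shows a prefix that was given WITH a trailing space; the others not.
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 gw kernel: Iptables_22_alertIN=eth0 OUT= SRC=192.168.100.77 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  1 10:00:02 gw kernel: Iptables_22_alertIN=eth0 OUT= SRC=192.168.100.77 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  1 10:00:03 gw kernel: Iptables_80_alertIN=eth0 OUT= SRC=192.168.100.77 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=40003 DPT=80 SYN
Mar  1 10:00:04 gw kernel: Iptables_22_alertIN=eth2 OUT= SRC=10.0.0.5 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  1 10:00:05 gw kernel: Iptables_icmp8_alert IN=eth2 OUT= SRC=10.0.0.5 DST=192.168.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar  1 10:00:06 gw kernel: Iptables_22_alertIN=eth0 OUT= SRC=192.168.100.77 DST=192.168.100.1 LEN=60 PROTO=TCP SPT=40004 DPT=22 SYN
Mar  1 10:00:07 gw sshd[123]: Accepted publickey for admin from 192.168.100.250 port 50000 ssh2
EOF
}

# Run on the sample; on a real gateway use: count_alerts < /var/log/messages
sample_log | count_alerts
```

On the sample this prints four lines, with "Iptables_22_alert 192.168.100.77 3" first, which is exactly the kind of repeat offender the --limit and DROP rules on this page exist for.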

I found this configuration on the Internet; it is fairly easy to understand, so I have reproduced it here for us to look at together, and I hope it helps in your work. A network administrator's security awareness matters far more than sloganeering about Linux security.

iptables -F
iptables -t mangle -F
iptables -t nat -F
iptables -X

First, flush the three tables and delete the user-defined chains.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
Set the default policy of INPUT and OUTPUT to DROP and of FORWARD to ACCEPT.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Open the loopback interface first, to avoid unnecessary trouble.
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
Allow ping on all network cards, for easy maintenance and checking.
iptables -A INPUT -i eth0 -s 192.168.100.250 -d 192.168.100.1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.100.1 -d 192.168.100.250 -p tcp --sport 22 -j ACCEPT
Open port 22 to allow remote administration (with some additional conditions: the management machine's IP must be 192.168.100.250, and it must come in through the eth0 network card).
iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.100.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.168.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.168.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth2 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 53 -j ACCEPT
The rules above are the headache-inducing part, so I will explain each one.
iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
Allows machines on the 192.168.100.0/24 segment to send packets in through the eth0 network card, provided the packet is TCP with destination port 3128 (because a REDIRECT has already changed 80 to 3128: the PREROUTING chain of the nat table comes before the INPUT chain of the filter table), and provided the packet's state is NEW or ESTABLISHED (NEW is the first step of the TCP three-way handshake, in other words the client machine is allowed to send a connection request to the server; ESTABLISHED means the connection has already been set up through the handshake).
iptables -A OUTPUT -o eth2 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
Let's look at this one first. Now your packet has entered the Linux server's firewall. Squid needs to fetch the site on your behalf, so at this point the server takes the client's role and connects out using the private ports 32768 to 61000. (You may be surprised that this is not 1024 to 65535. In fact the CentOS version of Linux defines the private port range as 32768 to 61000; you can check with cat /proc/sys/net/ipv4/ip_local_port_range.) Once more: here Squid is the client accessing other servers, so the source port is 32768:61000, not 3128!
iptables -A INPUT -i eth2 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
Of course, the data has to come back.
iptables -A OUTPUT -o eth0 -d 192.168.100.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
The packet now passes through the server again, out of the intranet network card. Note that here Squid fetches the website you want to visit for you, so on the intranet your machine is the client and Squid is the server. This is the reverse of the external access just described, so here the source port is 3128, not 32768:61000.
iptables -A OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 53 -j ACCEPT

Of course, DNS is indispensable.
iptables -A INPUT -i eth+ -p tcp --dport 80 -j LOG --log-prefix "Iptables_80_alert" --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 21 -j LOG --log-prefix "Iptables_21_alert" --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 22 -j LOG --log-prefix "Iptables_22_alert" --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 25 -j LOG --log-prefix "Iptables_25_alert" --log-level info
iptables -A INPUT -i eth+ -p icmp --icmp-type 8 -j LOG --log-prefix "Iptables_icmp8_alert" --log-level info
Of course, a little logging helps the network administrator.
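The ruleset walked through above, as an added example that is not the original post's script, written as a re-runnable shell script. It keeps the page's rules but changes their order on purpose: the policies are reset to ACCEPT before flushing and the DROP policies are set only after the loopback, SSH and state rules exist, so re-running it over SSH does not lock you out between two commands. Interface names, networks and the 192.168.100.250 admin address are the page's values and are assumptions about your network; apply_rules echo prints the rules without loading them.

```shell
#!/bin/sh
# Added example, not the original post's script: the ruleset walked through
# above, re-organised as a re-runnable script. Interface names, networks and
# the admin address are the page's values and are assumptions about your
# network; adjust them before use.
# The order differs from the page on purpose: the policies are reset to ACCEPT
# before flushing and the DROP policies are set LAST, after the loopback, SSH
# and state rules exist, so re-running the script over SSH does not cut the
# session off between two commands.

LAN_IF=eth0;  LAN_NET=192.168.100.0/24
LAN2_IF=eth1; LAN2_NET=192.168.168.0/24
WAN_IF=eth2
ADMIN_IP=192.168.100.250; GW_IP=192.168.100.1
PROXY_PORT=3128                 # squid, reached via the REDIRECT from port 80
EPHEMERAL=32768:61000           # cat /proc/sys/net/ipv4/ip_local_port_range

# build_rules: print one iptables argument line per rule, executing nothing.
build_rules() {
    cat <<EOF
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
-F
-t nat -F
-t mangle -F
-X
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -i $LAN_IF -s $ADMIN_IP -d $GW_IP -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o $LAN_IF -s $GW_IP -d $ADMIN_IP -p tcp --sport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $PROXY_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -p tcp --sport $PROXY_PORT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i $LAN2_IF -s $LAN2_NET -p tcp --dport $PROXY_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $LAN2_IF -d $LAN2_NET -p tcp --sport $PROXY_PORT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --sport $EPHEMERAL -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport $EPHEMERAL -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --sport 53 -j ACCEPT
EOF
    # Audit rules for interesting ports on every Ethernet interface (eth+).
    for port in 80 21 22 25; do
        echo "-A INPUT -i eth+ -p tcp --dport $port -j LOG --log-prefix Iptables_${port}_alert --log-level info"
    done
    echo "-A INPUT -i eth+ -p icmp --icmp-type 8 -j LOG --log-prefix Iptables_icmp8_alert --log-level info"
    # Only now, with the allow rules in place, switch to default deny.
    cat <<EOF
-P INPUT DROP
-P OUTPUT DROP
EOF
}

# apply_rules [command]: feed each line to iptables, or to a stand-in such as
# "echo" for a dry run. Stops and returns 1 at the first rule that fails.
apply_rules() {
    runner="${1:-iptables}"
    build_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting $rule is intended here
        $runner $rule || { echo "failed: $runner $rule" >&2; exit 1; }
    done
}

# Dry run when executed directly: prints the rules instead of loading them.
apply_rules echo
```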
