LINUX IPTABLES Firewall configuration

Source: Internet
Author: User

0. Iptables (ACL) matching principle:

As with Cisco ACLs, the rules in a chain are evaluated from top to bottom and the first rule that matches decides what happens to the packet; a packet that matches no rule falls through to the chain's default policy.

1. Basic usage of iptables:

(1) Command format

iptables [-t table] command [match] [target]

Table: one of three tables: filter (packet filtering), nat (address translation), mangle (packet alteration).

A table is made up of chains, and each chain is an ordered list of rules.

Command: the operation to perform on a chain; the common ones are:

-A, --append: append a rule to the end of a chain

-D, --delete: delete a rule

-P, --policy: set the default policy of a built-in chain

-N, --new-chain: create a user-defined chain

-L, --list: list the rules in a chain

-R, --replace: replace the rule at a given position

-C, --check: check whether a matching rule already exists

-I, --insert: insert a rule at a given position (position 1 if omitted)

Examples:

-A INPUT (append to the end of the INPUT chain)

-I OUTPUT 3 (insert as rule number 3 of the OUTPUT chain)

-D INPUT 10 (delete rule number 10 of the INPUT chain)

Match: the conditions a packet must satisfy

-p: protocol (tcp, udp, icmp, ...)

-s: source address

-d: destination address

--sport: source port

--dport: destination port

-i: inbound interface

-o: outbound interface

Target: what to do with a packet that matches.

ACCEPT, DROP, REJECT, RETURN, LOG, TOS, SNAT, DNAT, MASQUERADE, REDIRECT, MARK; RETURN leaves a user-defined chain and resumes evaluation in the chain that jumped into it, so a rule may hand a packet to a custom chain and get it back.

(2) Basic operations:

Accept packets:

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

Drop packets:

iptables -A INPUT -s 192.168.1.2 -p tcp --dport 80 -j DROP

View the rule table:

iptables -L -nv
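The following is an added example, not part of the original page: a small POSIX shell evaluator that walks a constructed chain top to bottom the way section 0 describes, so the effect of rule order (and of -I versus -A) can be seen without touching a live firewall. It understands only source/destination CIDRs, a protocol and a destination port, and all chain contents are constructed here. Note what it reveals about the two basic-operation rules above when they are appended in that order: the ACCEPT for 192.168.1.0/24 matches first, so the DROP for 192.168.1.2 port 80 never fires.

```shell
#!/bin/sh
# Added example (not from the original page): first-match chain evaluation.
# Constructed data only; no iptables binary or root privilege is needed.

# Convert a dotted-quad address to a 32-bit integer.
ip2int() {
    addr=$1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP CIDR -> success when IP lies inside CIDR ("any" matches everything).
cidr_match() {
    [ "$2" = any ] && return 0
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # a bare address means /32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# rule_hits PSRC PDST PPROTO PPORT RSRC RDST RPROTO RPORT -> success on match.
rule_hits() {
    cidr_match "$1" "$5" || return 1
    cidr_match "$2" "$6" || return 1
    [ "$7" = any ] || [ "$7" = "$3" ] || return 1
    [ "$8" = any ] || [ "$8" = "$4" ] || return 1
    return 0
}

# walk_chain CHAIN SRC DST PROTO DPORT POLICY
# CHAIN holds one rule per line: "src dst proto dport target".
# Prints the target of the first matching rule, otherwise the chain policy.
walk_chain() {
    chain=$1; psrc=$2; pdst=$3; pproto=$4; pport=$5; policy=$6
    while read -r src dst proto dport target; do
        [ -z "$src" ] && continue
        if rule_hits "$psrc" "$pdst" "$pproto" "$pport" "$src" "$dst" "$proto" "$dport"; then
            echo "$target"
            return 0
        fi
    done <<EOF
$chain
EOF
    echo "$policy"
}

# The two "basic operations" rules appended in the order shown on the page,
# followed by a catch-all DROP (constructed chain text).
AS_WRITTEN='192.168.1.0/24 any any any ACCEPT
192.168.1.2 any tcp 80 DROP
any any any any DROP'

# The same rules after "iptables -I INPUT 1" placed the host-specific DROP first.
REORDERED='192.168.1.2 any tcp 80 DROP
192.168.1.0/24 any any any ACCEPT
any any any any DROP'

main() {
    echo "as written, 192.168.1.2:80 -> $(walk_chain "$AS_WRITTEN" 192.168.1.2 10.0.0.1 tcp 80 ACCEPT)"
    echo "reordered,  192.168.1.2:80 -> $(walk_chain "$REORDERED" 192.168.1.2 10.0.0.1 tcp 80 ACCEPT)"
    echo "as written, 172.16.0.9:22  -> $(walk_chain "$AS_WRITTEN" 172.16.0.9 10.0.0.1 tcp 22 ACCEPT)"
}
main "$@"
```

The first line of output reports ACCEPT for 192.168.1.2 port 80 because the broader /24 rule sits above the host rule; the second reports DROP once the host rule is inserted at position 1. The same shadowing applies to real chains, which is why specific DROP or REJECT rules belong above broad ACCEPT rules, and why a catch-all DROP must be the last rule appended.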

2. Extensions:

--icmp-type: match a particular ICMP type

--tcp-flags mask comp: examine the flags listed in mask (SYN, ACK, FIN, PSH, RST, URG) and match only when the flags listed in comp are set and the remaining flags in mask are clear; for example --tcp-flags SYN,ACK,FIN,RST SYN matches a packet with only SYN set

3. iptables examples:

(1) Filter

Requirements: the intranet user group "sale" may only reach the HTTP server on the intranet interface, and the group "tech" may only reach the FTP server; ping is blocked everywhere and telnet is blocked everywhere; internal users may not reach the external network. External users may only reach the HTTP service on the external interface (the translation involved is covered in the NAT section below).

Start from empty default chains with zeroed counters:

iptables -F

iptables -Z

Begin:

(1) On the inside interface (every rule also carries -i inside or -o inside; omitted below for brevity):

iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.254.2 -p tcp -m multiport --dports 21,22 -j ACCEPT

iptables -t filter -A INPUT -s 192.168.2.0/24 -d 192.168.254.1 -p tcp --dport 80 -j ACCEPT

iptables -t filter -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

iptables -t filter -A OUTPUT -s 192.168.254.2 -d 192.168.1.0/24 -p tcp -m multiport --sports 21,22 -j ACCEPT

iptables -t filter -A OUTPUT -s 192.168.254.1 -d 192.168.2.0/24 -p tcp --sport 80 -j ACCEPT

iptables -t filter -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

(2) On the outside interface (every rule also carries -i outside or -o outside; omitted below for brevity):

iptables -t filter -A INPUT -s 0.0.0.0/0 -d 202.200.200.1 -p tcp --dport 80 -j ACCEPT

iptables -t filter -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

iptables -t filter -A OUTPUT -s 202.200.200.1 -p tcp --sport 80 -j ACCEPT

iptables -t filter -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

(3) On the DMZ interface (every rule also carries -i dmz or -o dmz; omitted below for brevity); this repeats the server-side rules from the inside and outside interfaces:

iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.254.2 -p tcp -m multiport --dports 21,22 -j ACCEPT

iptables -t filter -A INPUT -s 192.168.2.0/24 -d 192.168.254.1 -p tcp --dport 80 -j ACCEPT

iptables -t filter -A INPUT -s 0.0.0.0/0 -d 202.200.200.1 -p tcp --dport 80 -j ACCEPT

iptables -t filter -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

iptables -t filter -A OUTPUT -s 192.168.254.2 -d 192.168.1.0/24 -p tcp -m multiport --sports 21,22 -j ACCEPT

iptables -t filter -A OUTPUT -s 192.168.254.1 -d 192.168.2.0/24 -p tcp --sport 80 -j ACCEPT

iptables -t filter -A OUTPUT -s 202.200.200.1 -p tcp --sport 80 -j ACCEPT

iptables -t filter -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

(2) NAT

Requirements: host 20.20.20.2 gets source address translation; server 10.10.10.2 is published through port mapping. SNAT belongs in POSTROUTING and is matched on the outbound interface with -o; DNAT and REDIRECT belong in PREROUTING and are matched on the inbound interface with -i.

iptables -t nat -A POSTROUTING -o out -s 20.20.20.2 -j SNAT --to-source 192.168.1.49

iptables -t nat -A POSTROUTING -o out -s 0.0.0.0/0 -j SNAT --to-source 192.168.1.48

iptables -t nat -A PREROUTING -i out -d 192.168.1.50 -j DNAT --to-destination 10.10.10.2

iptables -t nat -A PREROUTING -i out -s 0.0.0.0/0 -p tcp --dport 80 -j REDIRECT --to-ports 1080
