0. Iptables (ACL) matching principle:
Same as Cisco ACLs: the rules in a chain are matched from top to bottom and the first matching rule decides; a packet that matches no rule falls through to the chain's default policy (-P). Rule order therefore matters: a catch-all DROP placed above an ACCEPT silently shadows it.
1. Basic usage of iptables:
(1) Command format
iptables [-t table] command [match] [target]
Table: one of three: filter (packet filtering, the default when -t is omitted), nat (address translation), mangle (packet modification).
Table composition: each table holds chains (filter: INPUT, OUTPUT, FORWARD; nat: PREROUTING, POSTROUTING, OUTPUT), and each chain is an ordered list of rules.
Command: the operation to perform (options are case-sensitive):
-A --append: append a rule to the end of a chain
-D --delete: delete a rule (by specification or by rule number)
-P --policy: set the default policy of a built-in chain
-N --new-chain: create a user-defined chain
-L --list: list the rules in a chain
-R --replace: replace the rule at a given position
-C --check: check whether a matching rule exists in the chain
-I --insert: insert a rule at a given position (at the top if no number is given)
-F --flush: delete all rules in a chain
-Z --zero: reset the packet and byte counters
Examples:
-A INPUT (append to the INPUT chain)
-I OUTPUT 3 (insert as rule number 3 of OUTPUT)
-D INPUT 10 (delete rule number 10 of INPUT)
Match: the conditions a packet must meet:
-p --protocol: protocol (tcp, udp, icmp, all)
-s --source: source address or network
-d --destination: destination address or network
--sport: source port (requires -p tcp or -p udp)
--dport: destination port (requires -p tcp or -p udp)
-i --in-interface: interface the packet arrived on (valid in INPUT, FORWARD and PREROUTING)
-o --out-interface: interface the packet leaves through (valid in OUTPUT, FORWARD and POSTROUTING)
Target (-j): what to do with a matching packet.
ACCEPT, DROP, REJECT, RETURN (stop traversing this chain and resume in the calling chain; used from user-defined chains), LOG, TOS, SNAT, DNAT, MASQUERADE, REDIRECT, MARK. SNAT and MASQUERADE are only valid in nat POSTROUTING; DNAT and REDIRECT only in nat PREROUTING and OUTPUT.
(2) Simple operations:
Accept packets:
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Drop packets (silently; use -j REJECT to send an error back). A port match needs the protocol as well:
iptables -A INPUT -s 192.168.1.2 -p tcp --dport 80 -j DROP
View the rule table (numeric output, with packet and byte counters):
iptables -L -nv
2. Extensions:
--icmp-type: match one ICMP type (with -p icmp), e.g. --icmp-type echo-request
--tcp-flags mask comp (with -p tcp): the first list (SYN, ACK, FIN, PSH, RST, URG, or ALL/NONE) is the set of flags to examine, the second the flags that must be set within that set; flags named in the mask but not in comp must be clear. So --tcp-flags SYN,ACK,FIN,RST SYN matches only a new-connection SYN, which is what the --syn shorthand expands to.
3. iptables examples:
(1) Filter
Requirements: on the intranet, the sales subnet may only reach the intranet HTTP server and the tech subnet may only reach FTP; ping is blocked everywhere; telnet is blocked everywhere; internal users may not reach the external network. External users may only reach the HTTP server's external interface (covered in the NAT section below).
Start from empty chains: iptables -F flushes the rules (iptables -Z only resets the packet and byte counters).
Begin:
(1) For the inside interface (every rule below also carries -i inside or -o inside; omitted for brevity):
*iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.254.2 -p tcp -m multiport --dports 21,22 -j ACCEPT
*iptables -t filter -A INPUT -s 192.168.2.0/24 -d 192.168.254.1 -p tcp --dport 80 -j ACCEPT
*iptables -t filter -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
*iptables -t filter -A OUTPUT -s 192.168.254.2 -d 192.168.1.0/24 -p tcp -m multiport --sports 21,22 -j ACCEPT
*iptables -t filter -A OUTPUT -s 192.168.254.1 -d 192.168.2.0/24 -p tcp --sport 80 -j ACCEPT
*iptables -t filter -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
(2) For the outside interface (every rule below also carries -i outside or -o outside; omitted for brevity):
*iptables -t filter -A INPUT -s 0.0.0.0/0 -d 202.200.200.1 -p tcp --dport 80 -j ACCEPT
*iptables -t filter -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
*iptables -t filter -A OUTPUT -s 202.200.200.1 -p tcp --sport 80 -j ACCEPT
*iptables -t filter -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
(3) For the DMZ interface (every rule below also carries -i dmz or -o dmz; omitted for brevity). This repeats the inside and outside rules, since the DMZ servers are the other end of both:
*iptables -t filter -A INPUT -s 192.168.1.0/24 -d 192.168.254.2 -p tcp -m multiport --dports 21,22 -j ACCEPT
*iptables -t filter -A INPUT -s 192.168.2.0/24 -d 192.168.254.1 -p tcp --dport 80 -j ACCEPT
*iptables -t filter -A INPUT -s 0.0.0.0/0 -d 202.200.200.1 -p tcp --dport 80 -j ACCEPT
*iptables -t filter -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
*iptables -t filter -A OUTPUT -s 192.168.254.2 -d 192.168.1.0/24 -p tcp -m multiport --sports 21,22 -j ACCEPT
*iptables -t filter -A OUTPUT -s 192.168.254.1 -d 192.168.2.0/24 -p tcp --sport 80 -j ACCEPT
*iptables -t filter -A OUTPUT -s 202.200.200.1 -p tcp --sport 80 -j ACCEPT
*iptables -t filter -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
Notes on the three rule sets: a plain --dport takes a single port or a range, so a list such as 21,22 needs -m multiport --dports (and --sports for the reply direction). INPUT and OUTPUT only see traffic addressed to or sent by the firewall itself; packets routed from the inside or outside interface to the DMZ servers traverse FORWARD, so on a real gateway these rules belong there. Matching replies by --sport alone is stateless: any host can reach the inside network simply by sending from source port 21 or 80, so the return direction is better matched with -m conntrack --ctstate ESTABLISHED,RELATED (active-mode FTP data connections also need the nf_conntrack_ftp helper to be accepted as RELATED).
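The filter requirements above written as one ordered script, as an added example that is not part of the original notes. It keeps the notes' interface names (inside, outside, dmz) and addresses but puts the transit rules on FORWARD with connection tracking, as the notes' INPUT/OUTPUT and --sport rules would not work on a gateway. Assumptions not in the notes: the firewall only needs loopback traffic for itself, the web server is reached from outside on 202.200.200.1 without a DNAT on this box, and nf_conntrack_ftp is loaded for FTP data connections. Setting IPT=echo (or running the script with the argument dry) prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example, not from the original notes: the filter policy as one
# ordered script. Run "sh fw.sh dry" to print the rules, "sh fw.sh apply"
# as root to load them. IPT=echo is the dry-run switch.

IPT="${IPT:-iptables}"
INSIDE=inside; OUTSIDE=outside; DMZ=dmz    # interface names from the notes
TECH_NET=192.168.1.0/24     # tech subnet: FTP/SSH to the FTP server only
SALES_NET=192.168.2.0/24    # sales subnet: HTTP to the web server only
FTP_SRV=192.168.254.2
WEB_SRV=192.168.254.1
WEB_PUB=202.200.200.1       # web server address reachable from outside

filter_rules() {
    # Empty the filter chains and set default-deny policies, so anything not
    # explicitly accepted below (ping, telnet, inside -> Internet) is dropped.
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # The firewall itself only talks over loopback (assumed; add management
    # rules here if the box is administered over the network).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Transit traffic (inside/outside -> DMZ) is routed, so it is seen on
    # FORWARD. Replies are accepted by connection state; this replaces the
    # stateless --sport 21/80 rules, which any host could satisfy simply by
    # sending from that source port. Order matters: this rule goes first
    # because it matches most packets, and every later rule is NEW-only.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # tech -> FTP server, control (21) and SSH (22); FTP data connections
    # arrive as RELATED once nf_conntrack_ftp tracks the control channel.
    $IPT -A FORWARD -i $INSIDE -o $DMZ -s $TECH_NET -d $FTP_SRV \
        -p tcp -m multiport --dports 21,22 -m conntrack --ctstate NEW -j ACCEPT
    # sales -> internal web server, HTTP only
    $IPT -A FORWARD -i $INSIDE -o $DMZ -s $SALES_NET -d $WEB_SRV \
        -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # outside -> web server's external address, HTTP only. If that address
    # were DNATed on this firewall, FORWARD would see the post-DNAT address.
    $IPT -A FORWARD -i $OUTSIDE -o $DMZ -d $WEB_PUB \
        -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Log (rate-limited) what falls through to the DROP policy so the
    # "ping closed / telnet closed / no Internet" requirements can be verified.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Print the rule set instead of loading it.
dry_run() { ( IPT=echo; filter_rules ); }

# Helpers for checking the generated rule set.
forward_rule_count() { dry_run | grep -c -- '-A FORWARD'; }
first_forward_rule() { dry_run | grep -- '-A FORWARD' | head -n 1; }

case "${1:-}" in
    apply) filter_rules ;;
    dry)   dry_run ;;
esac
```

Check the dry-run output against the requirements before applying: the state rule must be the first FORWARD rule, and there must be no ACCEPT for ICMP, port 23, or inside -> outside; then load it as root and confirm with iptables -L FORWARD -nv that the counters on the DROP-side LOG rule move when you ping from the inside.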
(2) NAT
Requirements: host 20.20.20.2 gets source address translation; server 10.10.10.2 gets a port mapping (port forwarding from a public address).
*iptables -t nat -A POSTROUTING -o out -s 20.20.20.2 -j SNAT --to-source 192.168.1.49
*iptables -t nat -A POSTROUTING -o out -s 0.0.0.0/0 -j SNAT --to-source 192.168.1.48
*iptables -t nat -A PREROUTING -i out -d 192.168.1.50 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.2
*iptables -t nat -A PREROUTING -i out -p tcp --dport 80 -j REDIRECT --to-ports 1080
Notes: "out" stands for the external interface name. The two SNAT rules must stay in this order: the first match wins, so the catch-all -s 0.0.0.0/0 rule would shadow the per-host rule if it came first. SNAT (and MASQUERADE) are only valid in POSTROUTING, where -o is the interface match; DNAT and REDIRECT are only valid in PREROUTING (and in OUTPUT for locally generated packets), where -i applies, so the port mapping for 10.10.10.2 has to match inbound traffic to its public address 192.168.1.50 and rewrite the destination (the notes do not state which port is mapped; 80 is assumed here). DNATed packets still have to be allowed through the filter table's FORWARD chain, which sees the post-translation destination 10.10.10.2. The REDIRECT rule sends any other inbound port-80 connection to a local proxy on 1080; placed after the DNAT rule it only catches what that rule did not match, because nat PREROUTING is first-match as well.
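The NAT requirements above as a script, as an added example that is not part of the original notes, together with the FORWARD rule the mapped server needs in the filter table. Assumptions not in the notes: "out" is the external interface (as in the notes' commands), "in" is the internal interface name, the mapped port is 80, and 192.168.1.50 is the public address on which 10.10.10.2 is reached. IPT=echo prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example, not from the original notes: SNAT for one host plus a
# catch-all, a DNAT port mapping, a REDIRECT to a local proxy, and the
# FORWARD rule that DNATed traffic still needs. Requires
# net.ipv4.ip_forward=1 on the box (sysctl -w net.ipv4.ip_forward=1).

IPT="${IPT:-iptables}"
OUT_IF=out                  # external interface (name used in the notes)
IN_IF=in                    # internal interface (assumed name)
HOST=20.20.20.2; HOST_PUB=192.168.1.49
DEFAULT_PUB=192.168.1.48    # source address for everything else going out
SRV=10.10.10.2; SRV_PUB=192.168.1.50; SRV_PORT=80   # port 80 is assumed
PROXY_PORT=1080

nat_rules() {
    $IPT -t nat -F

    # Source NAT happens after routing (POSTROUTING, matched by -o).
    # First match wins, so the per-host rule must precede the catch-all:
    # swapped around, 20.20.20.2 would leave as 192.168.1.48 like everyone else.
    $IPT -t nat -A POSTROUTING -o $OUT_IF -s $HOST -j SNAT --to-source $HOST_PUB
    $IPT -t nat -A POSTROUTING -o $OUT_IF -j SNAT --to-source $DEFAULT_PUB

    # Destination NAT happens before routing (PREROUTING, matched by -i).
    # Port mapping: public 192.168.1.50:80 -> 10.10.10.2:80.
    $IPT -t nat -A PREROUTING -i $OUT_IF -d $SRV_PUB -p tcp --dport $SRV_PORT \
        -j DNAT --to-destination $SRV:$SRV_PORT
    # Any other inbound port-80 connection goes to a local proxy. It sits
    # after the DNAT rule on purpose: nat PREROUTING is first-match too, so
    # the mapping above is not swallowed by this catch-all.
    $IPT -t nat -A PREROUTING -i $OUT_IF -p tcp --dport 80 \
        -j REDIRECT --to-ports $PROXY_PORT

    # The filter table sees the packet after DNAT, i.e. with destination
    # 10.10.10.2, so that is what FORWARD must allow (plus the replies).
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $OUT_IF -o $IN_IF -d $SRV -p tcp --dport $SRV_PORT \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Print the rule set instead of loading it.
dry_run() { ( IPT=echo; nat_rules ); }

# Helpers for checking the generated rule set.
# 1-based position of the per-host SNAT rule among the POSTROUTING rules.
host_snat_position() {
    dry_run | grep -- '-A POSTROUTING' | grep -n -- "-s $HOST " | cut -d: -f1
}
# Destination the DNAT rule rewrites to.
dnat_target() { dry_run | grep -- '-j DNAT' | sed 's/.*--to-destination //'; }

case "${1:-}" in
    apply) nat_rules ;;
    dry)   dry_run ;;
esac
```

After loading, iptables -t nat -L -nv shows the four NAT rules with counters; a connection from outside to 192.168.1.50:80 should increment the DNAT rule and the FORWARD rule for 10.10.10.2, while one to any other port-80 address increments the REDIRECT rule.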
LINUX IPTABLES Firewall configuration