LINUX iptables Rules Learning Notes

Source: Internet
Author: User

Firewall Policy

Firewall policy is generally divided into two kinds, a "pass" strategy and a "block" strategy. In the pass strategy the door is closed by default and you must define who may enter. In the block strategy the door is open, but you must have identity authentication, otherwise you cannot enter. So we define what is let in and what is let out: "pass" means everything passes, while "block" means being selective. When we define a strategy, we define several functions: a policy that allows or denies packets, which is the filter function, and the NAT option, which defines address translation. So that these functions can work together, the notion of a "table" was developed to define and distinguish the different working functions and processing methods.

Three different functions are distinguished:
1. filter: defines what is allowed or not allowed
2. nat: defines address translation
3. mangle: modifies the original data of the message

iptables works in user space; it defines the rules and makes them take effect. It is not a service in itself, and rules take effect immediately. iptables has also now been packaged as a service that can be started and stopped: when it starts, the rules take effect directly; when it stops, the rules are removed.

iptables also supports user-defined chains, but a chain you define must be associated with a particular built-in chain. In the built-in chain you specify that when certain packets arrive they are handed to the custom chain for processing; when the custom chain finishes, control returns and checking continues in the built-in chain.

A rule is a condition predefined by the network administrator; a rule is generally defined as "if a packet header matches such a condition, handle the packet in such a way." Rules are stored in the packet-filtering tables of kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP and SMTP). When a packet matches a rule, iptables processes it according to the method the rule defines, such as accept (ACCEPT), reject (REJECT) or drop (DROP). The primary task of configuring a firewall is to add, modify and delete these rules.

Note: the order of the rules is critical. The stricter a rule, the closer to the front it should be placed, because rules are checked from top to bottom.

Order of precedence between rule tables: raw, then mangle, then nat, then filter

Syntax

iptables [options] [parameters]

Options
-t <table>: specifies the table to operate on
-A: appends an entry to the rule chain, that is, adds a new rule at the end of the current chain
-D num: deletes an entry from the rule chain; explicitly names the rule number to delete
-I num: inserts an entry into the rule chain; without a number the new rule becomes the first one
-R num: replaces an entry in the rule chain, that is, replaces or modifies rule number num
-L num: lists the entries already in the rule chain
-F: flushes the existing entries from the rule chain
-Z: zeroes the packet counter and byte counter of the rule chain
-N: creates a new user-defined rule chain
-P: sets the default target (policy) of a rule chain
-h: shows help information
-p: specifies the packet protocol type to match, e.g. -p tcp --dport 80
-s: specifies the packet source IP address to match
-j <target>: specifies the target to jump to
-i <network interface>: specifies the interface on which the packet enters this machine, e.g. eth0 for inbound traffic; generally used in INPUT and PREROUTING
-o <network interface>: specifies the interface through which the packet leaves this machine, e.g. eth0 for outbound traffic; generally used in OUTPUT and POSTROUTING

Order of the iptables command options:
iptables -t <table name> <-A/-I/-D/-R> <rule chain name> [rule number] <-i/-o NIC name> -p <protocol name> <-s source IP/source subnet> --sport <source port> <-d destination IP/destination subnet> --dport <destination port> -j <action>

Table names include
raw: advanced features, such as URL filtering.
mangle: packet modification, used to implement quality of service (QoS).
nat: address translation, used on gateway routers.
filter: packet filtering, used for firewall rules.

Actions include

ACCEPT: accept the packet.
DROP: drop the packet.
REDIRECT: redirection, port mapping, transparent proxy.
SNAT: source address translation.
DNAT: destination address translation.
MASQUERADE: IP masquerading (NAT), used for ADSL.
LOG: logging.

Examples

Allow all IP access
iptables -A INPUT -j ACCEPT

Disable all network access
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Allow access from a specified IP
iptables -A INPUT -s 192.167.3.4 -j ACCEPT

Deny access from a specified IP
iptables -A INPUT -s 192.167.3.4 -j REJECT

Allow the specified source IP to access the specified destination IP
iptables -A INPUT -i eth0 -s 10.1.6.41 -d 10.1.6.129 -j ACCEPT

Allow the specified source IP to access the specified destination IP and destination port
iptables -A INPUT -i eth0 -s 10.1.6.41 -d 10.1.6.129 -p tcp --dport 22 -j ACCEPT
A contiguous port range is specified as --dport 8080:9000 (the two ends separated by a colon); --dport cannot specify multiple non-contiguous ports
iptables -A INPUT -i eth0 -s 10.1.6.41 -d 10.1.6.129 -p tcp --dport 8080:9000 -j ACCEPT
Extensions of -p tcp (TCP protocol):
--dport 21: specifies the destination port
--sport: specifies the source port

Extensions of -p udp (UDP protocol):
--dport: specifies the destination port
--sport: specifies the source port

Extensions of -p icmp (ICMP messages):
--icmp-type:
echo-request (request echo) is generally denoted by 8,
so --icmp-type 8 matches echo-request packets
echo-reply (response packets) are generally denoted by

Allow the local loopback interface (that is, let this machine access itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established or related connections to pass
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound access from this machine
iptables -A OUTPUT -j ACCEPT

Allow all network access to ports 22|80|FTP 21|FTP 20
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

Allow a specified IP network access to ports 22|80|FTP 21|FTP 20
iptables -A INPUT -s <ip> -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s <ip> -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s <ip> -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s <ip> -p tcp --dport 20 -j ACCEPT

Deny a specified IP access to ports 22|80|FTP 21|FTP 20 (use -j REJECT or -j DROP), or block a whole network segment with -s 123.0.0.0/8 (or /16, /24)
iptables -A INPUT -s <ip> -p tcp --dport 22 -j REJECT
iptables -A INPUT -s <ip> -p tcp --dport 80 -j REJECT
iptables -A INPUT -s <ip> -p tcp --dport 21 -j REJECT
iptables -A INPUT -s <ip> -p tcp --dport 20 -j REJECT
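The rules above are listed one at a time; the following added example (not part of the original notes) puts them together into one iptables-restore file, ordered as the note on rule order requires (most specific first, catch-all REJECT last), with a user-defined chain for SSH and a colon-separated port range. The host addresses, interface and ports are assumed values constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: emit an iptables-restore file
# for the filter table, with the rules from these notes ordered so that the
# most specific rules come first and the catch-all REJECT comes last.
# Assumed (constructed) values: admin host 10.1.6.41, this host 10.1.6.129,
# public interface eth0, services on tcp/22 and tcp/80.

ADMIN_IP="10.1.6.41"
HOST_IP="10.1.6.129"
WAN_IF="eth0"

build_filter_rules() {
    cat <<EOF
*filter
# INPUT/FORWARD closed by default: the "pass" strategy from the notes
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain; it is only reached via -j from a built-in chain
:ADMIN_SSH - [0:0]
# Loopback and reply traffic first: cheap and hit most often
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hand SSH to the user-defined chain; RETURN there resumes checking here
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -j ADMIN_SSH
-A INPUT -p tcp --dport 80 -j ACCEPT
# A contiguous port range is written with a colon, not a dash
-A INPUT -i ${WAN_IF} -s ${ADMIN_IP} -d ${HOST_IP} -p tcp --dport 8080:9000 -j ACCEPT
# Answer pings: ICMP echo-request is type 8
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Log, then reject everything else; last because it matches everything
-A INPUT -j LOG --log-prefix "INPUT-REJECT: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# Only the admin host may reach SSH; anything else returns to INPUT
-A ADMIN_SSH -s ${ADMIN_IP} -j ACCEPT
-A ADMIN_SSH -j RETURN
COMMIT
EOF
}

# Number of -A rules in the generated file (10 with the values above)
count_rules() { build_filter_rules | grep -c '^-A '; }

# The last INPUT rule, which must be the catch-all REJECT
last_input_rule() { build_filter_rules | grep '^-A INPUT ' | tail -n 1; }

# Usage (as root): build_filter_rules > /etc/sysconfig/iptables.2
#                  iptables-restore < /etc/sysconfig/iptables.2
```

Loading the file with iptables-restore replaces the whole filter table atomically, so the rules never pass through a half-applied state the way a sequence of separate iptables -A commands does.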

Saving rules
service iptables save

To view firewall rules:
iptables -L -n -v

iptables -S

To delete an iptables rule that has been added

Clear the firewall policy
iptables -F

To display all iptables rules with their numbers, execute:
iptables -L -n --line-numbers

Chain INPUT (policy ACCEPT)
num  target  prot opt source      destination
1    ACCEPT  tcp  --  10.1.6.41   10.1.6.129   tcp dpt:22
2    REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-port-unreachable

For example, to delete rule number 8 in INPUT you would run iptables -D INPUT 8; in the listing above the REJECT rule is number 2, so execute:
iptables -D INPUT 2
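Rule numbers are positional and restart in every chain, and each -D shifts the numbers of the rules after it. The following added example (not part of the original notes) reads a constructed listing in the format of iptables -L -n --line-numbers and works out, in a safe order, which numbers to delete for a given chain and target.

```shell
#!/bin/sh
# Added example, not part of the original notes: find the rule numbers shown by
# "iptables -L -n --line-numbers" for a given chain and target, so they can be
# removed with "iptables -D <chain> <num>". The listing below is constructed.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source      destination
1    ACCEPT  tcp  --  10.1.6.41   10.1.6.129   tcp dpt:22
2    REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-port-unreachable
3    ACCEPT  tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:80
4    REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target  prot opt source      destination
1    REJECT  all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-port-unreachable'

# Read a listing on stdin; print the numbers of rules in chain $1 whose target
# is $2, highest first. Numbers restart in every chain, and "-D chain n"
# renumbers everything after n, so deletions must run from the highest number
# down: deleting 2 first would move the second REJECT from 4 to 3.
rule_numbers_for_target() {
    awk -v c="$1" -v t="$2" '
        /^Chain / { cur = $2; next }
        cur == c && $1 ~ /^[0-9]+$/ && $2 == t { print $1 }
    ' | sort -rn
}

# Emit the matching delete commands in a safe order; does not execute them.
delete_commands_for_target() {
    rule_numbers_for_target "$1" "$2" | awk -v c="$1" '{ print "iptables -D " c " " $1 }'
}

# Example run on the constructed listing:
#   printf '%s\n' "$SAMPLE_LISTING" | delete_commands_for_target INPUT REJECT
# On a live host replace the printf with: iptables -L -n --line-numbers
```

Review the emitted commands before piping them to sh; deleting by number with the wrong chain or a stale listing removes the wrong rule silently.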

Saving and loading control rules
Note: everything you define is lost when the machine restarts; to keep it in effect you must save it with a command.
1. service iptables save command
Saves the rules in the /etc/sysconfig/iptables file.
2. iptables-save command
iptables-save > /etc/sysconfig/iptables

3. iptables-restore command
/etc/sysconfig/iptables is loaded automatically at boot.
If it is not loaded at boot, or you want a configuration file you wrote yourself (say iptables.2) to take effect manually:
iptables-restore < /etc/sysconfig/iptables.2
The rules defined in that file are then put into effect manually.
