Linux Iptables
The syntax is still important. Let's take a look at some of the points that deserve attention.
1. Chain Operations
Create a new chain (-N).
Delete an empty chain (-X).
Change the default policy of a built-in chain (-P).
List the rules in a chain (-L).
Flush all rules from a chain (-F).
Zero the packet and byte counters of all rules in a chain (-Z).
2. Operations on Rules
Append a new rule to the end of a chain (-A).
Insert a new rule at a given position in the chain, usually at the beginning (-I).
Replace the rule at a given position in the chain (-R).
Delete the rule at a given position in the chain (-D).
Delete the first rule that matches in the chain (-D).
3. Specifying the Source Address and Destination Address
Use --source/--src/-s to specify the source address (here "/" means "or", the same below), and use --destination/--dst/-d to specify the destination address. An IP address can be given in any of the following four ways:
A. A complete domain name, such as "www.linuxaid.com.cn";
B. An IP address, such as "192.168.1.1";
C. The form x.x.x.x/x.x.x.x for a network address, such as "192.168.1.0/255.255.255.0";
D. The form x.x.x.x/x for a network address, where the number after the slash is the count of significant bits of the subnet mask, such as "192.168.1.0/24". This is the representation commonly used in UNIX environments.
The default subnet mask length is 32, so specifying 192.168.1.1 is equivalent to 192.168.1.1/32.
4. Specifying the Protocol
Use the --protocol/-p option to specify the protocol, for example -p tcp.
5. Specifying the Network Interface
Use --in-interface/-i or --out-interface/-o to specify network interfaces. Note that the INPUT chain can only carry -i, because it only sees incoming packets, and the OUTPUT chain can only carry -o, because it only sees outgoing packets. Only the FORWARD chain can carry both an -i interface and an -o interface. You can also name an interface that is not present yet, such as the dial-up link ppp0; such a rule only takes effect once dialing succeeds.
6. Specifying IP Fragments
In TCP/IP communication every network interface has a maximum transmission unit (MTU), which defines the largest packet that can be passed. If a packet exceeds this value, the system splits it into several smaller packets (called IP fragments) for transmission, and the receiver reassembles the fragments to restore the whole packet.
When packets are filtered, however, IP fragmentation causes the following problem: when the system splits a large packet into fragments, only the first fragment carries the complete header information; the subsequent fragments carry only part of the header, such as the source and destination addresses. So suppose we have a rule like this:
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
If the FORWARD policy is DROP, the system lets only the first IP fragment through and the remaining fragments are lost: the first fragment carries the complete header and satisfies the rule, while the rest cannot pass because their header information is incomplete and cannot satisfy the conditions the rule defines.
The --fragment/-f option matches the second and later IP fragments. In the example above, we can add the following rule to solve the problem:
iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
Be aware, however, that IP fragmentation attacks are already common (for example, sending large numbers of IP fragments to Win98, NT4 SP5/SP6 and Win2K hosts as a DoS attack). Allowing IP fragments through is therefore a security risk. We can use iptables match extensions to limit this, but that affects service quality. We will discuss this issue below.
7. Specifying Negation
A "!" can be placed before the value of some options to mean "anything other than the value given". For example, "-s ! 192.168.1.1/32" matches any IP address other than 192.168.1.1, and "-p ! tcp" matches any protocol other than tcp.
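The address forms of section 3, the per-chain interface restriction of section 5 and the negation syntax of section 7 can all be checked before a rule is ever loaded. The following parser is an added example written for this article, not code from the iptables project: it tokenises one iptables command, normalises every address form to CIDR (bare IP gets /32, a dotted netmask becomes a prefix length), records negated options in both the legacy "-s ! addr" form used above and the newer "! -s addr" form, and rejects -i on OUTPUT or -o on INPUT. Names such as parse_rule and ALLOWED_IFACE are this example's own.

```python
import ipaddress
import shlex

# Interface options each built-in chain may carry (section 5 of the article):
# INPUT sees only incoming packets (-i), OUTPUT only outgoing (-o), FORWARD both.
ALLOWED_IFACE = {"INPUT": {"-i"}, "OUTPUT": {"-o"}, "FORWARD": {"-i", "-o"}}


def normalize_addr(spec):
    """Rewrite an -s/-d value to CIDR: 1.2.3.4 -> 1.2.3.4/32, a/255.255.255.0 -> a/24.
    A domain name is returned unchanged; iptables resolves it when the rule is loaded."""
    try:
        net = spec if "/" in spec else f"{spec}/32"   # default mask length is 32
        return str(ipaddress.IPv4Network(net, strict=False))
    except ValueError:
        return spec


def parse_rule(line):
    """Parse one `iptables ...` command into a dict of its options.
    Raises ValueError for an interface option the chain cannot carry."""
    toks = shlex.split(line)
    if not toks or toks[0] != "iptables":
        raise ValueError("not an iptables command")
    rule = {"negated": set()}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # newer syntax: ! -s 192.168.1.1
            rule["negated"].add(toks[i + 1]); i += 1; continue
        if t in ("-A", "-I", "-D", "-R"):
            rule["op"], rule["chain"] = t, toks[i + 1]; i += 2; continue
        if t == "-f":                     # match second and later fragments
            rule["-f"] = True; i += 1; continue
        if t in ("-s", "-d", "-i", "-o", "-p", "-j", "--dport"):
            val = toks[i + 1]
            if val == "!":                # legacy syntax: -s ! 192.168.1.1
                rule["negated"].add(t); val = toks[i + 2]; i += 1
            rule[t] = normalize_addr(val) if t in ("-s", "-d") else val
            i += 2; continue
        raise ValueError(f"unsupported token {t!r}")
    # User-defined chains (not in ALLOWED_IFACE) may carry either option.
    allowed = ALLOWED_IFACE.get(rule.get("chain"), {"-i", "-o"})
    for opt in ("-i", "-o"):
        if opt in rule and opt not in allowed:
            raise ValueError(f"{opt} is meaningless on the {rule['chain']} chain")
    return rule
```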