Linux system iptables Firewall user manual

Source: Internet
Author: User

The built-in firewall of Linux is implemented by the NetFilter framework in the kernel (www.netfilter.org). The kernel uses NetFilter to filter incoming and outgoing packets. NetFilter consists of three rule tables, and each table contains several built-in chains. These chains are manipulated with the iptables command, which can add, delete, and list rules.

NetFilter has three rule tables: filter, nat and mangle.

filter: the table for filtering network packets. It is the default: if the -t parameter is not given, a newly created rule is stored in this table. Its chains are:
    INPUT        packets coming in to the server
    OUTPUT       packets going out from the server
    FORWARD      packets routed through the server
nat: the table for NAT. NAT (Network Address Translation) is a way of rewriting IP addresses. Its chains are:
    PREROUTING   packets can be modified as soon as they reach the server
    OUTPUT       locally generated packets going out from the server
    POSTROUTING  packets can be modified just before they leave the server
mangle: the table for modifying network packets, for example the TOS (Type of Service) and TTL (Time to Live) fields. Its chains are:
    INPUT        packets coming in to the server
    OUTPUT       packets going out from the server
    FORWARD      packets forwarded through the server
    PREROUTING   packets can be modified as soon as they reach the server
    POSTROUTING  packets can be modified just before they leave the server
1. Configuring iptables
When a packet enters the server, the Linux kernel walks the corresponding chain from top to bottom until it finds a rule that matches the packet. If the target of that rule is ACCEPT, the remaining rules are skipped and the packet continues on its way. If the target is DROP, the packet is discarded and the kernel consults no further rules.
Note: if no rule matches the packet from the beginning of the chain to its end, and there is no "drop all" rule at the end of the chain, the packet is accepted by the chain's default policy. Cisco access lists, by contrast, end with a "deny all" rule.
1.) iptables command options
iptables [-t table] command [chain] parameters target
-A  appends a rule at the end of the chain
-C  checks a rule before it is added to a user-defined chain
-D  deletes a rule from the chain
-E  renames a user-defined chain without changing the chain itself
-F  flushes the chain, deleting all rules on it
-I  inserts a rule into the chain
-L  lists the rules on a chain; for example iptables -L INPUT lists the rules of the INPUT chain
-N  creates a new chain
-P  sets the default policy of a chain
-R  replaces a rule on a chain
-X  deletes a user-defined chain
-Z  zeroes the byte and packet counters of all chains in all tables
2.) iptables command parameters
-p, --protocol
    The protocol of the packet: tcp, udp, icmp, or all.
    With -p tcp, further options can narrow the rule:
    --sport  the source port of the packet. The form port1:port2 matches every port from port1 to port2.
    --dport  the destination port; same syntax as --sport.
    With -p udp the same --sport and --dport options are available, but for UDP packets.
    With -p icmp only one option is available:
    --icmp-type  the ICMP type to match in the filter rule.
-s, --source  the source address of the packet. It is followed by an IP address, a network address with subnet mask, or a host name (host names are not recommended).
-d, --destination  the destination address of the packet; same forms as -s.
-j, --jump  the target to which a matching packet is sent: ACCEPT, DROP, QUEUE or RETURN. Without -j, no action is taken on the packet; only the rule's counter is incremented.
-i, --in-interface  for the INPUT, FORWARD and PREROUTING chains: the interface on which the packet arrived at the server.
-o, --out-interface  for the OUTPUT, FORWARD and POSTROUTING chains: the interface through which the packet leaves the server.
3.) iptables command targets
The final step in creating a rule is specifying what iptables does with the packet. Once a rule matches the packet, no further rule is consulted. The built-in targets are ACCEPT, DROP, QUEUE and RETURN.
ACCEPT: let the packet through to its destination.
DROP: refuse the packet and discard it.
QUEUE: pass the packet to a user-space application for processing.
RETURN: stop checking the packet against the remaining rules of the current chain and return directly; the packet then continues to its destination or to the next chain.
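The chain walk described in section 1 and the RETURN target above, as an added example that is not part of the original text: a small POSIX shell and awk simulator of first-match evaluation. The rule lines use a constructed "chain protocol dport target" format (not iptables syntax), "any" matches anything, and a target that is not ACCEPT, DROP or RETURN is treated as a jump to a user-defined chain of that name; the rule sets, the WEB chain and the port numbers are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original text: simulate how the kernel walks a
# chain.  Rule lines are "chain proto dport target" (a constructed format, not
# iptables syntax).  "any" matches everything.  ACCEPT and DROP end the walk,
# RETURN goes back to the calling chain, any other target jumps to the
# user-defined chain of that name.  If nothing in INPUT matches, the chain's
# policy decides, exactly as iptables does.

# evaluate <policy> <proto> <dport>   (rules are read from stdin)
# Prints the verdict for a packet with the given protocol and destination port.
evaluate() {
    awk -v policy="$1" -v proto="$2" -v dport="$3" '
        # Walk one chain; returns ACCEPT/DROP, or "" when the chain is left
        # without a verdict (RETURN or end of chain).
        function walk(chain,   i, rp, rpt, tgt, v) {
            for (i = 1; i <= n[chain]; i++) {
                rp = rproto[chain, i]; rpt = rport[chain, i]; tgt = target[chain, i]
                if ((rp == "any" || rp == proto) && (rpt == "any" || rpt == dport)) {
                    if (tgt == "ACCEPT" || tgt == "DROP") return tgt  # first match wins
                    if (tgt == "RETURN") return ""                   # back to the caller
                    v = walk(tgt)                                    # jump to user chain
                    if (v != "") return v                            # verdict reached there
                }
            }
            return ""
        }
        /^[ \t]*#/ { next }                           # skip comment lines
        NF == 0    { next }                           # skip blank lines
        { n[$1]++; k = n[$1]; rproto[$1, k] = $2; rport[$1, k] = $3; target[$1, k] = $4 }
        END { v = walk("INPUT"); print (v == "" ? policy : v) }
    '
}

# Constructed rule set: INPUT hands traffic to a user chain WEB, which RETURNs
# anything it does not accept, so INPUT keeps checking its remaining rules.
RULES='
# chain  proto  dport  target
INPUT    tcp    22     ACCEPT
INPUT    any    any    WEB
WEB      tcp    80     ACCEPT
WEB      any    any    RETURN
INPUT    tcp    443    ACCEPT
'

# Constructed rule set with the mistake the summary warns about: an
# "accept all" first line that shadows the DROP after it.
SHADOWED='
INPUT    any    any    ACCEPT
INPUT    tcp    23     DROP
'

verdict_https() { printf '%s\n' "$RULES" | evaluate DROP tcp 443; }   # ACCEPT, via WEB then RETURN
verdict_web()   { printf '%s\n' "$RULES" | evaluate DROP tcp 80; }    # ACCEPT, inside WEB
# No rule matches port 3306, so the policy decides.  With the default ACCEPT
# policy and no trailing "drop all" rule the packet is silently let in.
verdict_unmatched_accept_policy() { printf '%s\n' "$RULES" | evaluate ACCEPT tcp 3306; }  # ACCEPT
verdict_unmatched_drop_policy()   { printf '%s\n' "$RULES" | evaluate DROP tcp 3306; }    # DROP
verdict_shadowed() { printf '%s\n' "$SHADOWED" | evaluate DROP tcp 23; }  # ACCEPT, the DROP is never reached
```

Run it with `sh` and call the verdict functions; the two unmatched cases show why the summary's "deny everything, allow the few" principle is really a statement about the chain's policy and its last rule.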
2. Examples of applying iptables rules
Allow www:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This rule is appended to the INPUT chain of the filter table and allows packets whose destination port is 80.
Allow DHCP on the internal interface:
iptables -A INPUT -i eth0 -p tcp --sport --dport
iptables -A INPUT -i eth0 -p udp --sport --dport
Both the TCP and the UDP protocol are allowed.
3. Saving and restoring iptables
Saving iptables
Use iptables-save to save the current iptables rules: iptables-save > <save path>, for example
# iptables-save > /etc/iptables.up.rule
Restoring iptables
Use iptables-restore to load the rules from the saved file back into the current iptables tables:
# iptables-restore < /etc/iptables.up.rule
# restore the iptables rules when the interface eth0 is shut down
Then bring eth0 up again.
You can also edit the /etc/iptables.up.rule configuration file at any time to change the iptables rules. The format of iptables.up.rule is as follows:
# Generated by iptables-save v1.3.3 on Tue Jul 31 14:18:44 2007
*filter
:INPUT ACCEPT [73:8213]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:825]
-A INPUT -i lo -p icmp -j DROP
-A INPUT -i eth0 -p icmp -j DROP
COMMIT
# Completed on Tue Jul 31 14:10:44 2007
Blank lines are not allowed between the lines of this file.
4. Summary
The order of the rules in an iptables chain matters: if the first line is "accept all", every packet passes the firewall regardless of the rules after it, so the rules must be arranged carefully.
The usual principle is: deny everything, and allow only the few things that are needed.
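The example rules of section 2, the iptables.up.rule format of section 3 and the deny-all principle of the summary, brought together as an added example that is not part of the original text: a POSIX shell script that generates a complete default-deny filter rule set in the format iptables-save writes and iptables-restore reads, and checks such a file before it is loaded. Assumptions: eth0 is the internal interface, web traffic is TCP port 80 as in the page's example, DHCP clients send from UDP port 68 to port 67 (the page's DHCP lines leave the ports out), and the `-m state --state ESTABLISHED,RELATED` match for return traffic is an addition the page does not mention.

```shell
#!/bin/sh
# Added example, not from the original text: generate a default-deny rule set
# for the filter table in iptables-save format and sanity-check it before
# loading.  Assumptions: eth0 is the internal interface, web is TCP 80, and
# DHCP clients send from UDP 68 to 67 (not given on the page).

LAN_IF=eth0   # assumed internal interface

# gen_ruleset: print the rule set to stdout.  The [0:0] after each policy is
# the packet:byte counter pair, so the counters start from zero when loaded.
gen_ruleset() {
    cat <<EOF
# Generated by hand for iptables-restore (constructed example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections the server itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow www
-A INPUT -p tcp --dport 80 -j ACCEPT
# allow DHCP requests from clients on the internal interface (assumed ports)
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
# explicit drop-all at the end: nothing falls through even if the policy changes
-A INPUT -j DROP
COMMIT
EOF
}

# validate_ruleset: read a rule file on stdin and print each problem found.
# Returns 0 when the file is clean, 1 otherwise.  Checks: no blank lines
# (iptables-restore does not allow them), the file starts with *filter and
# ends with COMMIT, INPUT and FORWARD default to DROP, and no unconditional
# ACCEPT on INPUT shadows the rules after it.
validate_ruleset() {
    awk '
        /^#/ { next }
        NF == 0 { print "line " NR ": blank line not allowed"; bad = 1; next }
        !seen_table { if ($0 != "*filter") { print "line " NR ": expected *filter"; bad = 1 }
                      seen_table = 1 }
        /^:INPUT /   && $2 != "DROP" { print "INPUT policy is " $2 ", want DROP"; bad = 1 }
        /^:FORWARD / && $2 != "DROP" { print "FORWARD policy is " $2 ", want DROP"; bad = 1 }
        /^-A INPUT -j ACCEPT$/ { print "line " NR ": accept-all shadows later INPUT rules"; bad = 1 }
        { last = $0 }
        END { if (last != "COMMIT") { print "missing COMMIT"; bad = 1 }
              exit bad + 0 }
    '
}

# install_ruleset: save, check and load (needs root and a real iptables).
install_ruleset() {
    gen_ruleset > /etc/iptables.up.rule &&
    validate_ruleset < /etc/iptables.up.rule &&
    iptables-restore < /etc/iptables.up.rule
}
```

`gen_ruleset` and `validate_ruleset` run anywhere; only `install_ruleset` needs root. The validator is deliberately strict about the INPUT and FORWARD policies: with a DROP policy an omission in the rules fails closed, whereas the ACCEPT policies in the sample file above fail open.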
