I have a copy of "Brother Bird's Linux Private Dishes: Server Setup"; its ninth chapter explains the principles and configuration of the Linux firewall in detail.
Basic knowledge
The Linux kernel has a built-in firewall mechanism called NetFilter. NetFilter is a packet-filtering mechanism: it analyses the network packets entering the host, extracts the header data of each packet and examines it, and on that basis decides whether the connection is allowed through or blocked. NetFilter exposes this packet filtering through the iptables program, which serves as the firewall front end. Because NetFilter is built into the kernel, it is highly efficient.
We use the iptables command to configure the NetFilter filtering rules.
iptables has three tables:
> filter: the default table, for packets entering the Linux host itself.
> nat (network address translation): independent of the Linux host itself; mainly concerns the computers on the LAN behind the Linux host.
> mangle: mainly concerns the routing flags of special packets. This table is normally left alone; changes to it are very disruptive, so alter it with care.
Each table contains several chains:
filter: INPUT, OUTPUT, FORWARD
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: PREROUTING, OUTPUT, INPUT, FORWARD
The following shows how the tables and chains in iptables relate to each other.
When a packet reaches NetFilter, NetFilter checks it against each table in the order of the process above. If the packet matches a rule in a table, it is processed according to that rule.
Using the iptables command
Basic format: iptables [-t table] -CMD chain CRITERIA -j ACTION
-t table: one of the three tables filter, nat, mangle; if not specified, the default is filter.
CMD: the operation command: view, add, replace, delete, and so on.
chain: which chain of the table to operate on, for example the INPUT chain of the filter table.
CRITERIA: the match conditions, describing the packets to be filtered.
ACTION: what to do with a matching packet: accept, reject, drop, and so on.
View
Format: iptables [-t table] -L [-nv]
Modify
Add
Format: iptables [-t table] -A chain CRITERIA -j ACTION
Appends a new rule at the last position of the given chain in the given table (default filter).
Insert
Format: iptables [-t table] -I chain POS CRITERIA -j ACTION
Inserts a new rule at position POS of the given chain in the given table (default filter); the rules from that position onward are shifted back by one. The valid range for POS is 1 ~ num+1, where num is the number of rules currently in the chain.
Replace
Format: iptables [-t table] -R chain POS CRITERIA -j ACTION
Replaces the rule at position POS of the given chain in the given table (default filter) with the new rule. The valid range for POS is 1 ~ num.
Delete
Format: iptables [-t table] -D chain POS
Removes the rule at position POS of the given chain in the given table (default filter). The valid range for POS is 1 ~ num.
Packet matching (criteria)
This section describes the matching criteria in detail. The criteria are the fields of a rule that describe the packet headers to be filtered.
Specify the network interface:
-i: the interface the packet arrives on, such as eth0 or lo; used with the INPUT chain
-o: the interface the packet leaves through; used with the OUTPUT chain
Specify the protocol:
-p: tcp, udp, icmp, or all
Specify the IP address or network:
-s: source address; can be a single IP or a network
IP: 192.168.0.100
Network: 192.168.0.0/24 or 192.168.0.0/255.255.255.0 are both accepted
A ! can be placed in front to negate the match
-d: destination address; same syntax as -s
Specify the port:
--sport: the source port. Can be a single port or a contiguous range, for example 1024:65535.
--dport: the destination port. Same syntax as --sport.
Note: port matching is only valid when the TCP or UDP protocol has been specified with -p.
Specify the MAC address:
-m mac --mac-source aa:bb:cc:dd:ee:ff
Specify the connection state:
-m state --state STATUS
The state can be:
> INVALID: an invalid packet
> ESTABLISHED: the packet belongs to a connection that has already been established
> NEW: a packet that wants to open a new connection
> RELATED: the packet is related to a packet sent out by the host (the most commonly used)
For example, packets that belong to an already established connection, or that are related to a request the host sent out, are accepted, while invalid packets are discarded:
-m state --state RELATED,ESTABLISHED
ICMP packet matching
The ping operation sends ICMP packets; if you do not want the host to answer ping, these packets can be rejected.
--icmp-type TYPE
The types are:
8 echo-request (request)
0 echo-reply (reply)
Note: must be used together with -p icmp.
Action (target)
DROP: discard the packet
ACCEPT: accept the packet
REJECT: reject the packet
LOG: write a trace record of the packet to /var/log/messages
Save the configuration
Save the newly set rules to a file
Format: iptables-save [-t table]
Saves the current configuration to /etc/sysconfig/iptables
Other
Format: iptables [-t table] [-FXZ]
-F: flush all rules that have been set
-X: delete all user-defined chains
-Z: reset all packet and byte counters to zero
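The tables, chains, match criteria, states and actions described above combined into one small host firewall script, as an added example that is not code from the original post. The interface eth0 and SSH port 22 are assumed values, and the rule set is first emitted as text so it can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the original post. IFACE and SSH_PORT are
# assumed values (eth0, 22); override them in the environment if needed.
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the rule set as plain iptables commands, one per line, so it can be
# reviewed (or checked by a script) before anything touches the kernel.
build_rules() {
    cat <<EOF
# flush rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z
# default policies: drop incoming and forwarded traffic, allow outgoing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, replies to connections this host started, and nothing invalid
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# new SSH connections on the external interface only
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
# refuse to answer ping (ICMP echo-request, type 8)
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
# log whatever is left (goes to /var/log/messages), then drop it
iptables -A INPUT -j LOG --log-prefix "iptables-drop: "
iptables -A INPUT -j DROP
EOF
}

# Number of emitted lines that mention a given match, chain or target.
count_rules() { build_rules | grep -c -- "$1"; }

# Apply the rule set (needs root); stop at the first command that fails.
apply_rules() { build_rules | sh -e; }

# Persist the running rules to the file named in the post (CentOS-style path).
save_rules() { iptables-save > /etc/sysconfig/iptables; }

case "${1:-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
    save)  save_rules ;;
esac
```

Run it with `show` to review the rules, `apply` to load them, and `save` to persist them.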
Firewall settings with iptables on Linux