Linux firewall iptables settings

Source: Internet
Author: User

I have a copy of Brother Bird's (Vbird's) "Linux Private Kitchen: Server Edition" (鳥哥的 Linux 私房菜). Its ninth chapter explains the principles and configuration of the firewall in detail; the notes below summarize the iptables part.

Basic knowledge

The Linux kernel has a built-in firewall mechanism called Netfilter. Netfilter does packet filtering: as packets enter the host (or leave it, or are forwarded through it), it extracts the header fields of each packet (addresses, ports, protocol, flags, and the connection-tracking state) and compares them against a list of rules to decide whether the packet is let through or blocked. Netfilter itself lives in the kernel; iptables is the user-space command used to manage its rule tables. Because the filtering happens in the kernel, it is efficient.

We use the iptables command to configure Netfilter's filtering rules.

iptables has three tables (newer kernels also provide the raw and security tables, which this article does not cover):

> filter: the default table. It decides whether packets addressed to, sent from, or forwarded through the Linux host are allowed.
> nat (network address translation): rewrites source or destination addresses. It is mainly used when the Linux host sits in front of a LAN and masquerades or forwards traffic for the machines behind it.
> mangle: alters packet header fields and marks (TOS, TTL, MARK) so that special packets can be routed or queued differently. It is rarely needed; a wrong rule here can break traffic in ways that are hard to diagnose, so change it with care.


Each table has several chains; which chains a packet traverses depends on where the packet is going (into the host, out of it, or through it):

filter: INPUT, OUTPUT, FORWARD
nat: PREROUTING, POSTROUTING, OUTPUT
mangle: PREROUTING, OUTPUT, INPUT, FORWARD (kernels since 2.4.18 also give mangle a POSTROUTING chain)


The original article shows a diagram here of how the tables and chains relate; it is not reproduced in this copy.

When a packet reaches Netfilter, it passes through the chains of each table in that order. Within a chain the rules are compared from top to bottom, and the first rule whose criteria match and whose target is terminating (ACCEPT, DROP, REJECT) decides what happens to the packet. If no rule matches, the chain's default policy applies.


Use of the iptables command

Basic format: iptables [-t table] <command> <chain> <criteria> -j <ACTION>

-t table: one of filter, nat or mangle. If omitted, filter is used.
command: the operation to perform on the chain: list, append, insert, replace, delete, and so on.
chain: which chain of the table to operate on, for example the INPUT chain of the filter table.
criteria: the match conditions that describe which packets the rule applies to.
ACTION: the target, i.e. what to do with a matching packet: ACCEPT, REJECT, DROP, LOG, and so on.


View

Format: iptables [-t table] -L [chain] [-n] [-v] [--line-numbers]

-n prints addresses and ports numerically instead of resolving them (much faster and avoids DNS lookups), -v adds interfaces and packet/byte counters, and --line-numbers shows each rule's position, which is the number that -I, -R and -D refer to.


Add (append)

Format: iptables [-t table] -A chain criteria -j ACTION

Appends a new rule at the end of chain chain in table table (default filter). Because rules are evaluated top to bottom, an appended rule only sees packets that no earlier rule has already accepted or dropped.


Insert

Format: iptables [-t table] -I chain [POS] criteria -j ACTION

Inserts a new rule at position POS of chain chain in table table (default filter). The rule previously at that position and everything after it are pushed down by one. If POS is omitted, the rule is inserted at position 1 (the top of the chain). The valid range for POS is 1 to num+1, where num is the number of rules currently in the chain.


Replace

Format: iptables [-t table] -R chain POS criteria -j ACTION

Replaces the rule at position POS of chain chain in table table (default filter) with the new rule. The valid range for POS is 1 to num.


Delete

Format: iptables [-t table] -D chain POS
        iptables [-t table] -D chain criteria -j ACTION

Deletes the rule at position POS of chain chain in table table (default filter), or, in the second form, the first rule that exactly matches the given criteria and target. The valid range for POS is 1 to num. Check the positions with iptables -L --line-numbers first, since deleting a rule renumbers everything after it.
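As an added example (not code from the original article or from Vbird's book), the following script exercises -A, -I, -R and -D on the INPUT chain and then lists the chain with --line-numbers, so the position arithmetic described above becomes visible. The network 192.168.0.0/24 is a placeholder. Unless APPLY=1 is set, the script only echoes the iptables commands it would run instead of executing them, so it can be read and tried without root.

```shell
#!/bin/sh
# Added example: how -A, -I, -R and -D shift rule positions in the INPUT chain.
# Default is a dry run that prints the commands; APPLY=1 (as root) executes them.
set -eu

if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
else
    IPT="echo iptables"      # dry run: print each command instead of running it
fi

# 192.168.0.0/24 is an assumed admin network, adjust to your environment.
manage_rules() {
    # -A appends: rule 1 = accept SSH from the admin network
    $IPT -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
    # -A again: rule 2 = drop every other packet to port 22
    $IPT -A INPUT -p tcp --dport 22 -j DROP
    # -I with position 1 pushes both rules down; loopback traffic belongs at the top
    $IPT -I INPUT 1 -i lo -j ACCEPT
    # -I without a position also means position 1: now the chain is
    #   1 state  2 lo  3 ssh-accept  4 ssh-drop
    $IPT -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -R replaces the rule at position 4 (the DROP) with a REJECT that sends a TCP RST
    $IPT -R INPUT 4 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
    # -D by position removes rule 4 again; the chain shrinks to three rules
    $IPT -D INPUT 4
    # Verify the final order numerically, verbosely, with positions shown
    $IPT -L INPUT -n -v --line-numbers
}

manage_rules
```

With APPLY=1 the final listing should show, in this order, the ESTABLISHED,RELATED rule, the loopback rule and the SSH rule. The second form of -D (giving the full rule instead of a number) is safer in scripts, because positions change whenever another rule is inserted or removed.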


Packet matching (criteria)

The criteria have no single fixed form; this section describes the common ones. Criteria are the options in a rule that describe the header fields a packet must have for the rule to apply. Several criteria can be combined in one rule, and all of them must match.

Specify the network interface:

-i: the interface the packet arrived on, such as eth0 or lo. Valid in the INPUT, FORWARD and PREROUTING chains.
-o: the interface the packet will leave through. Valid in the OUTPUT, FORWARD and POSTROUTING chains.

Specify the protocol:

-p: tcp, udp, icmp, or all (all is the default when -p is omitted).

Specify the IP network:

-s: source address. Either a single IP or a network:
    IP: 192.168.0.100
    Network: 192.168.0.0/24 or 192.168.0.0/255.255.255.0 (both forms are accepted)
    A leading "!" negates the match: "! -s 192.168.0.0/24" matches packets that do not come from that network (older iptables releases wrote this as "-s ! 192.168.0.0/24").

-d: destination address. Same syntax as -s.

Specify the port:

--sport: source port. A single port (for example 22) or a contiguous range written as low:high (for example 1024:65535).

--dport: destination port. Same syntax as --sport.

Note: --sport and --dport only exist for TCP and UDP, so they are only valid after -p tcp or -p udp; without it iptables reports an unknown option.

Specify the MAC address:

-m mac --mac-source aa:bb:cc:dd:ee:ff

This matches the source MAC of the incoming frame, so it only works in chains that still see that frame: PREROUTING, FORWARD and INPUT. A MAC address is trivially forged, so use it as a convenience filter on a LAN, not as authentication.

Specify the connection state:

-m state --state STATUS

STATUS is one or more of the following, separated by commas:

> INVALID: the packet cannot be associated with any known connection (bad TCP flags, out-of-window sequence numbers, and so on).
> ESTABLISHED: the packet belongs to a connection that has already seen traffic in both directions.
> NEW: the packet starts a new connection (for TCP, a SYN).
> RELATED: the packet starts a new connection that is related to an existing one, for example an FTP data connection or an ICMP error about an existing flow.

The most common use is to accept, in one rule near the top of the chain, every packet that belongs to a connection already established or is related to one; the remaining rules then only need to deal with NEW packets. For example:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

In current iptables releases -m state is a thin alias for -m conntrack --ctstate; both need the nf_conntrack kernel module.


ICMP packets

ping sends an ICMP echo-request. If you do not want the host to answer ping, match that type and drop or reject it:

--icmp-type type

The common types are:

8 echo-request (the ping request)
0 echo-reply (the ping reply)

Note: --icmp-type is only valid together with -p icmp. Match only the types you mean rather than dropping all ICMP: ICMP error messages (for example destination-unreachable, type 3) carry path MTU discovery and other signals that TCP relies on.


Actions (-j target)

DROP: discard the packet silently; the sender gets no reply and sees a timeout.

ACCEPT: let the packet through.

REJECT: discard the packet and send an error back to the sender (an ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST for TCP).

LOG: write a record of the packet to the kernel log, which syslog delivers to a file such as /var/log/messages (the path depends on the distribution). LOG is non-terminating: the packet continues to the next rule, so to log dropped packets put a LOG rule immediately before the DROP rule. An unthrottled LOG rule on a busy chain can fill the disk; combine it with -m limit.


Save Configuration

Rules set with iptables live only in the kernel and are lost at reboot. To keep them, write the current rule set to a file:

Format: iptables-save [-t table]

iptables-save prints the rules of all tables (or of one table with -t) to standard output, in the format that iptables-restore reads back; it does not write a file by itself. Redirect it to the file your distribution restores at boot. On CentOS/RHEL that is /etc/sysconfig/iptables (iptables-save > /etc/sysconfig/iptables, or equivalently "service iptables save"); Debian and Ubuntu use /etc/iptables/rules.v4 with the iptables-persistent package.


Other operations (flush, delete chains, zero counters)

Format: iptables [-t table] [-F|-X|-Z] [chain]

-F: flush, i.e. delete all rules in the given chain, or in every chain of the table if no chain is given.
-X: delete user-defined chains (a chain must be empty and not referenced by any rule before it can be deleted).
-Z: reset all packet and byte counters to zero.

Note: none of these change a chain's default policy (set with -P). If INPUT's policy is DROP, "iptables -F" leaves an empty chain with a DROP policy and immediately cuts off your SSH session. When working remotely, set the policies to ACCEPT before flushing and set them back to DROP only after the allow rules are in place.
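As an added example that ties together the criteria, actions, save and flush sections above (it is not code from the original article or from Vbird's book), here is a minimal stateful host firewall script. The admin network 192.168.0.0/24, the open ports 22, 80 and 443, and the save path /etc/sysconfig/iptables are assumptions to adjust for your host; -m limit is used to throttle the LOG rule and is assumed available, as it ships with every standard iptables build. Unless APPLY=1 is set, the script only echoes the commands it would run.

```shell
#!/bin/sh
# Added example: minimal stateful host firewall for the filter table.
# Default is a dry run that prints the commands; APPLY=1 (as root) executes them.
set -eu

ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}              # assumed admin/LAN network
SAVE_FILE=${SAVE_FILE:-/etc/sysconfig/iptables}     # assumed CentOS/RHEL save path

if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
else
    IPT="echo iptables"      # dry run: print each command instead of running it
fi

reset_filter_table() {
    # Policies are not rules: -F does not touch them. Open the policies first so
    # that a DROP policy left over from a previous run cannot lock out an SSH
    # session while the chain is empty.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F          # delete all rules in every chain of the filter table
    $IPT -X          # delete user-defined chains (they are empty after -F)
    $IPT -Z          # zero the packet and byte counters
}

build_input_chain() {
    # 1. Loopback, and packets belonging to connections we already accepted
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Packets conntrack cannot classify (bad flags, out-of-window data)
    $IPT -A INPUT -m state --state INVALID -j DROP
    # 3. New SSH connections only from the admin network (-p tcp is required for --dport)
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    # 4. Public services
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # 5. Answer ping (echo-request, type 8) only from the admin network; other
    #    sources fall through to the final DROP
    $IPT -A INPUT -p icmp --icmp-type 8 -s "$ADMIN_NET" -j ACCEPT
    # 6. LOG is non-terminating, so the DROP must follow it. -m limit keeps a
    #    flood of rejected packets from filling the kernel log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
    $IPT -A INPUT -j DROP
}

set_default_policies() {
    # Restrictive policies go last, after the allow rules exist.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

save_rules() {
    # iptables-save writes the rule set to stdout; redirect it to the file the
    # init script restores at boot.
    if [ "${APPLY:-0}" = 1 ]; then
        iptables-save > "$SAVE_FILE"
    else
        echo "iptables-save > $SAVE_FILE"
    fi
}

reset_filter_table
build_input_chain
set_default_policies
save_rules
```

The order matters: the policies are opened before the flush and closed again only after every allow rule is in place, the ESTABLISHED,RELATED rule sits at the top so that the later rules only ever see NEW connections, and the LOG rule is immediately followed by the DROP that actually discards the packet.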


