Iptables (NetFilter network filter)
iptables is the firewall mechanism built into Linux, and it is very powerful. A default CentOS installation has no iptables rules.
The iptables command configures packet filtering rules for Linux, which are commonly used to implement firewalls and NAT.
Common options:
iptables -nvL views the rules (-n prints IP addresses and ports numerically, -v gives verbose output, -L lists all rules).
iptables -F flushes (clears) the rules. The flush is only temporary: restarting the system or restarting the iptables service loads the saved rules again. Save the rules after clearing them if the change should persist.
/etc/init.d/iptables save or service iptables save saves the rules.
Firewall rules are saved in the configuration file /etc/sysconfig/iptables.
iptables -Z zeroes the packet and byte counters.
service iptables stop stops the firewall service and clears the firewall rules, but after a reboot /etc/sysconfig/iptables is read again and the firewall starts. Even after stopping the firewall, as soon as any rule is added it is in effect again.
iptables -t specifies the table name; when -t is omitted the default is the filter table.
An intuitive diagram (images not reproduced here) makes this easy to understand: 4 tables, 5 chains.
filter: this table is mainly used for filtering packets. It is a system preset table with three built-in chains: INPUT, OUTPUT and FORWARD. INPUT acts on packets entering the machine; OUTPUT acts on packets sent by the machine; FORWARD acts on packets that merely pass through the machine and are neither from nor to it.
nat: primarily used for network address translation and port mapping; it also has three chains. The PREROUTING chain changes the destination address of a packet as soon as it arrives at the firewall, if necessary. The OUTPUT chain changes the destination address of locally generated packets. The POSTROUTING chain changes the source address of a packet just before it leaves the firewall.
mangle: primarily used to modify the TOS (Type of Service) and TTL (Time To Live) values of a packet and to set a MARK on it, in order to implement QoS (Quality of Service) tuning and policy routing. These applications are not widespread because they need support from suitable routing devices. Five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD.
raw: sets a flag on the packet that decides whether it is handled by the connection tracking mechanism. Only two chains: OUTPUT and PREROUTING.
iptables rules:
View rules: iptables -t nat -nvL
Flush rules: iptables -t nat -F
Add/remove a rule: iptables -A/-D INPUT -s 10.72.11.12 -p tcp --sport 1234 -d 10.72.137.159 --dport 80 -j DROP
Insert a rule: iptables -I INPUT -s 1.1.1.1 -j DROP/ACCEPT/REJECT
iptables -nvL --line-numbers views the rules with their line numbers.
iptables -D INPUT 1 deletes the rule with that line number.
iptables -P INPUT DROP sets the default policy (the default is ACCEPT). Once set to DROP, it can only be reverted with iptables -P INPUT ACCEPT; -F does not reset the policy.
Discard all packets from the 192.168.20.0/24 network segment:
# iptables -I INPUT -s 192.168.20.0/24 -j DROP
To delete the rule, use the same arguments as when adding it:
# iptables -D INPUT -s 192.168.20.0/24 -j DROP
Discard all packets from 1.1.1.1 to local TCP port 80:
# iptables -I INPUT -s 1.1.1.1 -p tcp --dport 80 -j DROP
Discard all packets sent to port 22 on 10.0.1.14:
# iptables -I OUTPUT -p tcp --dport 22 -d 10.0.1.14 -j DROP
Use this command to view the rules with their line numbers:
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 84 packets, 5944 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       1.1.1.1              0.0.0.0/0            tcp dpt:80
2        0     0 DROP       all  --  *      *       192.168.20.0/24      0.0.0.0/0
Then, to delete rule 1 above, use iptables -D INPUT 1 instead of writing out the long argument list.
To forbid others from pinging your host while you can still ping others, add one rule matching ICMP type 8 (echo request):
# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
Example: a script for the filter table that drops everything on the INPUT chain, accepts on the other two chains, then opens port 22 to hosts in the 192.168.20.0/24 segment and opens ports 80 and 21 to all segments:
# vim iptables.sh
#!/bin/bash
ipt="/sbin/iptables"
$ipt -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -A INPUT -s 192.168.20.0/24 -p tcp --dport 22 -j ACCEPT
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
# sh iptables.sh
Run the script. To have these firewall rules applied at boot, add the line /bin/sh /root/iptables.sh to /etc/rc.d/rc.local.
NAT table application:
A router can be implemented with the NAT function of iptables.
Suppose your machine has two NICs, eth0 and eth1, where eth0 has IP 192.168.4.11 and eth1 has IP 192.168.20.1. eth0 is connected to the Internet but eth1 is not, and another machine (192.168.20.10) can reach eth1. How can it be set up so that the machine connected to eth1 can reach the Internet?
# cat /proc/sys/net/ipv4/ip_forward
0
# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
/proc/sys/net/ipv4/ip_forward is a kernel parameter; the default is 0, and 1 turns on route forwarding.
The iptables command adds a masquerading rule to the nat table; -o is followed by the device name, the egress network card. MASQUERADE means disguise: it lets the 192.168.20.0 segment reach the Internet through eth0 under eth0's address.
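As an added example (not the article's own script), the filter rules from the iptables.sh script above and the nat rules from this section combined into one iptables-restore ruleset that is loaded atomically. It assumes the article's addresses (LAN 192.168.20.0/24 behind eth1, eth0 facing the Internet) and adds loopback and ESTABLISHED,RELATED accepts plus a FORWARD chain that only carries LAN-to-WAN traffic, rather than ACCEPT for all forwarding.

```shell
#!/bin/bash
# Added example, not from the original article: build the article's filter
# and nat rules as one iptables-restore ruleset and load it in one step.
# Assumptions: LAN 192.168.20.0/24 behind eth1, eth0 is the Internet side,
# management SSH comes only from the LAN (all values taken from the article).
LAN_NET="${LAN_NET:-192.168.20.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the ruleset in iptables-save format (same format as
# /etc/sysconfig/iptables). Loopback and established/related traffic are
# accepted first, so a remote session is not cut off when INPUT defaults
# to DROP; FORWARD is DROP by default and only passes LAN->WAN plus replies.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${LAN_NET} -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Enable forwarding and load the ruleset (needs root). iptables-restore
# replaces the tables in one transaction, so there is no window in which
# the policy is already DROP but the ACCEPT rules are not yet present.
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset | iptables-restore
}

# "apply" loads the rules; any other invocation just prints them for review.
case "$1" in
    apply) apply_ruleset ;;
    *) gen_ruleset ;;
esac
```

Run it without arguments first to review the generated ruleset, then as root with the argument apply to load it.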
iptables rule backup and recovery:
service iptables save saves the rules to /etc/sysconfig/iptables; if you later need to back up the firewall rules, copy that file.
iptables-save > myipt.rule saves the firewall rules to the specified file;
iptables-restore < myipt.rule restores the rules from the specified file;
# iptables-save > myipt.rule
# service iptables stop
iptables: Setting chains to policy ACCEPT: nat filter            [  OK  ]
iptables: Flushing firewall rules:                                [  OK  ]
iptables: Unloading modules:                                      [  OK  ]
# iptables-restore < myipt.rule
This article is from the "Model Student's Learning blog"; please keep this source: http://8802265.blog.51cto.com/8792265/1635953