Netfilter/iptables is the packet-filtering firewall system integrated into the Linux kernel since version 2.4.x.
The Netfilter/iptables framework provides packet filtering, network address translation (NAT) and packet mangling.
The Linux firewall system consists of two parts, Netfilter and iptables: Netfilter runs in kernel space, and iptables is the user-space tool used to manage it.
By default iptables maintains four tables and five chains.
The default iptables rule tables are: filter (packet filtering rules), nat (address translation rules), mangle (rules that modify packet marks and header fields), and raw (connection-tracking rule table).
Each rule table contains several chains: INPUT (filters inbound packets), OUTPUT (filters outbound packets), FORWARD (filters forwarded packets), PREROUTING (processed before routing), and POSTROUTING (processed after routing).
iptables firewall syntax:
Command description: Netfilter firewall rule management tool
Usage: iptables [-t table] {-A|-D|-I|-R|-F|-L|-Z|-P} chain rule-specification
Options:
-t  specify the rule table to operate on; without -t the default is the filter table
-A  append a firewall rule to the end of a chain
-D  delete a firewall rule
-I  insert a firewall rule
-F  flush (empty) the firewall rules
-L  list the firewall rules
-R  replace a firewall rule
-Z  zero the packet and byte counters of a chain
-P  set the default policy of a chain
Match parameters (a leading ! negates the match):
[!] -p           match the protocol
[!] -s           match the source address
[!] -d           match the destination address
[!] -i           match the inbound network interface
[!] -o           match the outbound network interface
[!] --sport      match the source port
[!] --dport      match the destination port
[!] --src-range  match a source address range (iprange module)
[!] --dst-range  match a destination address range (iprange module)
[!] --limit      match a packet rate (limit module)
[!] --mac-source match the source MAC address
[!] --sports     match several source ports (multiport module)
[!] --dports     match several destination ports (multiport module)
[!] --state      match the connection state (INVALID, ESTABLISHED, NEW, RELATED)
[!] --string     match an application-layer string
Targets:
ACCEPT      allow the packet through
DROP        silently discard the packet
REJECT      refuse the packet and send an error back to the sender
LOG         record the packet information via syslog
DNAT        destination address translation
SNAT        source address translation
MASQUERADE  source address masquerading (SNAT using the outgoing interface's address)
REDIRECT    redirect the packet to a local port
The -A option appends the new rule to the end of the chain, whereas a rule added with -I is by default inserted as the first rule of the chain.
Examples:
# iptables -nL                                          # list all rules in the filter table (numeric output)
# iptables -t nat -nL                                   # list all rules in the nat table
# iptables -F                                           # flush all rules in the filter table
# iptables -A INPUT -s 192.168.0.1 -j DROP              # append an inbound rule to the filter table: discard every packet host 192.168.0.1 sends to the firewall itself
# iptables -I INPUT -s 192.168.0.22 -p icmp -j REJECT   # insert an inbound rule into the filter table: refuse pings from 192.168.0.22 to the firewall host
# iptables -nL --line-numbers                           # list the filter table rules together with their rule numbers
# iptables -D INPUT 1                                   # delete the first rule of the INPUT chain in the filter table
# iptables -R INPUT 2 ! -s 192.168.0.254 -j REJECT      # replace the second rule of the INPUT chain: reject connections to the firewall host from any host other than 192.168.0.254
# iptables -t filter -P INPUT ACCEPT                    # set the default policy of the INPUT chain in the filter table to ACCEPT
# iptables -I INPUT -s 192.168.0.10 -p tcp --dport 22 -j LOG   # log every packet host 192.168.0.10 sends to port 22 of the firewall host (written to the messages log)
# iptables -I INPUT -i eth0 -p tcp --dport 80 -j ACCEPT        # allow any host to reach port 80 of the firewall host via the eth0 interface
iptables firewall application cases
Case 1: Allow any client to reach the everyday services the server host provides (HTTP, HTTPS, DNS, NTP, SMTP, POP3, SSH). On a Linux system the /etc/services file lists the standard port for each of these services.
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P OUTPUT ACCEPT
Case 2: The company has one public IP and uses the firewall to let every host on the LAN share Internet access through SNAT. A CentOS machine acts as the company's soft router: whenever a host on the internal 192.168.0.0/24 network connects out, the firewall rewrites the source address of its packets to the public IP on the router, and the replies coming back from the Internet are translated back and routed to the real internal host. The source address translation (SNAT) rule must be written to the POSTROUTING chain of the nat table.
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1            # enable IP forwarding so the Linux host works as a soft router
# sysctl -p                        # reload the kernel parameter file /etc/sysctl.conf
# iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 124.126.199.84
Case 3: The company has one public IP and two core servers on the internal network, an HTTP server and a mail server; the firewall must let customers anywhere on the Internet reach the two servers located inside the company.
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1            # enable IP forwarding so the Linux host works as a soft router
# sysctl -p                        # reload the kernel parameter file /etc/sysctl.conf
# iptables -t nat -I PREROUTING -d 124.126.198.84 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100
# iptables -t nat -I PREROUTING -d 124.126.198.84 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.101
# iptables -t nat -I PREROUTING -d 124.126.198.84 -p tcp --dport 110 -j DNAT --to-destination 192.168.0.101
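As an added example covering Cases 2 and 3 together (it is not the article's own command set), the soft router's rules as one ruleset in iptables-restore format, so they are validated and loaded atomically instead of one -I at a time. It assumes eth0 is the WAN interface, eth1 the LAN interface and a single public IP 124.126.198.84, and it adds the FORWARD rules the article leaves out, so the translated packets are still accepted when the FORWARD chain's default policy is DROP.

```shell
# Added example, not from the original article. Interface names and the
# single public IP are assumptions; LAN and server addresses are the ones
# used in Cases 2 and 3 of the article.
WAN_IF=eth0
LAN_IF=eth1
PUBLIC_IP=124.126.198.84
LAN_NET=192.168.0.0/24
WEB_SRV=192.168.0.100
MAIL_SRV=192.168.0.101

# Emit the complete nat + filter ruleset on stdout. DNAT only rewrites the
# destination address; the FORWARD chain must still accept the rewritten
# packet, otherwise a DROP policy on FORWARD silently discards it.
build_router_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_SRV
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 110 -j DNAT --to-destination $MAIL_SRV
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $MAIL_SRV -p tcp -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of DNAT rules in the generated set (one per published port).
count_dnat_rules() {
    build_router_rules | grep -c -- '-j DNAT'
}

# Enable forwarding, then check the ruleset with --test before loading it,
# so a typo cannot leave the router half-configured. Requires root.
apply_router_rules() {
    sysctl -w net.ipv4.ip_forward=1
    build_router_rules | iptables-restore --test && build_router_rules | iptables-restore
}
```

The router's own INPUT policy is left at ACCEPT here; hardening the host itself is the subject of Cases 1 and 7.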
Case 4: When a packet is too large to be transmitted in one piece it is split into fragments, and the receiving end reassembles the fragments into the complete packet. The problem is that only the first fragment carries the full header information (IP plus TCP, UDP, ICMP and so on); the subsequent fragments carry only part of the headers, so their transport-layer header fields cannot be checked. To match the second and later fragments, use the -f option.
Discard all fragmented packets sent to 192.168.1.1:
# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
Case 5: Many attacks on today's networks send a flood of junk packets to a server so that it can no longer answer legitimate requests. iptables provides the limit extension, which restricts the number of packets accepted per unit of time. The following rules accept inbound packets up to a rate of 500 per second and drop the rest.
# iptables -I INPUT -m limit --limit 500/sec -j ACCEPT
# iptables -P INPUT DROP
Case 6: In an enterprise environment a server faces all kinds of attacks. iptables is a layer-3 packet-filtering firewall, but it also provides the string extension, which lets --string restrict network connections by keyword. The following two rules, written on a Linux soft router, refuse to forward packets containing the keywords /etc/passwd and QQ, to stop the password file from being copied out of the LAN and to stop internal staff from visiting the QQ site.
# iptables -I FORWARD -m string --algo bm --string "/etc/passwd" -j REJECT
# iptables -I FORWARD -m string --algo bm --string "QQ" -j REJECT
Case 7: Set firewall rules based on connection state: allow all outbound packets, deny inbound new connection requests and invalid connections, and allow inbound packets that are replies to existing connections.
# iptables -F
# iptables -A INPUT -m state --state NEW -j DROP
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -P OUTPUT ACCEPT
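As an added example covering Case 1 and Case 7 together (not the article's own commands): the service whitelist of Case 1 rebuilt as a stateful filter table in iptables-restore format. It includes port 443 for HTTPS, which Case 1 names but its commands omit, uses tcp for SMTP and udp for NTP as /etc/services lists them, and accepts loopback and ESTABLISHED,RELATED traffic before the DROP policy applies, so the server's own outbound DNS, NTP and SMTP connections get their replies back.

```shell
# Added example, not from the original article. The service list is the
# article's (plus 443); the rule order is the added part: state rules first,
# then one NEW-only ACCEPT per service, with DROP as the INPUT policy.
SERVICES="tcp/22 tcp/25 tcp/53 udp/53 tcp/80 tcp/443 tcp/110 tcp/143 udp/123"

# Emit one ACCEPT rule per proto/port pair, matching only NEW connections.
service_rules() {
    for svc in $SERVICES; do
        proto=${svc%/*}
        port=${svc#*/}
        echo "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Full filter table. Loopback and ESTABLISHED,RELATED are accepted before
# anything else, INVALID is dropped explicitly, and NEW connections are
# only accepted for the listed services; everything else hits the policy.
build_filter_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    service_rules
    echo 'COMMIT'
}

# Number of per-service ACCEPT rules in the generated table.
count_service_rules() {
    build_filter_rules | grep -c -- '--state NEW -j ACCEPT'
}

# Validate with --test, then load the whole table in one transaction, so
# there is no window in which the DROP policy is active before the ACCEPTs.
apply_filter_rules() {
    build_filter_rules | iptables-restore --test && build_filter_rules | iptables-restore
}
```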
Case 8: The company uses a Linux soft router and needs firewall rules on it that log the packets which hosts in the 192.168.0.1 to 192.168.0.22 address range send through the router for forwarding, and then allow those packets to be forwarded.
# iptables -A FORWARD -m iprange --src-range 192.168.0.1-192.168.0.10 -p tcp --dport 80 -j LOG
# iptables -A FORWARD -m iprange --src-range 192.168.0.1-192.168.0.10 -p tcp --dport 80 -j ACCEPT
This article from "Fancy" blog, reproduced please contact the author!
Network Security-iptables Firewall