The iptables command configures the Linux kernel's packet-filtering rules and is commonly used to build firewalls and NAT gateways. Its configuration is complex, but once the rule syntax is understood it is not hard to make iptables do a given job. Below we go through the main uses of iptables with concrete examples; interface names, addresses and ports are placeholders to adapt to your own setup.
1. Delete the existing rules
Before loading a new set of iptables rules, clear the old ones so that stale rules do not interfere:
iptables -F (or iptables --flush)
Note that -F only flushes the rules of the table it is given (the filter table by default); the nat table needs iptables -t nat -F, user-defined chains stay until iptables -X deletes them, and the chain policies set in the next step are not reset. If a chain policy is already DROP, flushing removes the ACCEPT rules that let your own SSH session in, so on a remote host set the policies back to ACCEPT before flushing.
2. Set the chain policies
The default policy of the filter table's built-in chains is ACCEPT. The following commands change it:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
With this configuration every packet that is received, forwarded or sent is discarded unless a rule explicitly accepts it, which is the strict "default deny" posture. Because incoming and outgoing packets are both dropped by default, every later rule has to allow the INPUT and the OUTPUT direction separately. If you trust the packets this machine itself sends out, you can omit the third command and leave OUTPUT at ACCEPT. On a remote host, add the ACCEPT rules for your management session (and for the loopback interface) before switching the policies to DROP, or the session is cut off.
3. Block a specified IP address
Sometimes one address keeps sending packets to the server. The following discards packets from that source:
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
This drops TCP packets arriving on eth0 from the address in BLOCK_THIS_IP (x.x.x.x is a placeholder). Two details matter. -p tcp restricts the rule to TCP, so UDP and ICMP from the same host still get through unless you leave the protocol match out. And -A appends the rule to the end of INPUT, so if an earlier rule already accepts the traffic the block never fires; to make a block take precedence, insert it at the top with -I INPUT instead of -A.
4. Configure service rules
With iptables we can control access to the commonly used services. For example, to allow SSH into this machine only from a given subnet and only on a given interface:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
The INPUT rule accepts both the connection setup (NEW) and the later packets (ESTABLISHED) from the subnet to port 22; the OUTPUT rule lets the replies from port 22 leave, but only for connections that are already tracked, so nothing on this host can initiate a connection from port 22.
For SSH connections from this machine to another host the roles are mirrored: the connection now originates locally on an ephemeral port and goes to port 22 on the remote side, so the OUTPUT rule carries --dport 22 and accepts NEW, while the INPUT rule accepts the replies coming back from source port 22 as ESTABLISHED only:
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --sport 22 -m state --state ESTABLISHED -j ACCEPT
The same pattern works for the other TCP services such as HTTP/HTTPS (80/443), POP3 (110), rsync (873) and MySQL (3306): change the port numbers and, where needed, the subnet. (-m state is the older spelling; current iptables maps it onto the conntrack match, so -m conntrack --ctstate does the same job.)
DNS runs over UDP, so it needs UDP rules. To let this machine query DNS servers:
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
Be aware that the second rule accepts any UDP datagram whose source port happens to be 53, whether or not this machine sent a query, and anyone can choose that source port. The tighter form accepts only replies to tracked queries, i.e. matches the INPUT side on the ESTABLISHED state as in the SSH rules above (conntrack tracks UDP exchanges too).
5. Configure forwarding between interfaces
On a server acting as a firewall or gateway, one interface faces the public network and packets arriving from the other interfaces must be forwarded to it so that the internal network can communicate. Assume eth0 is connected to the intranet and eth1 to the public network. The forwarding rule is:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
This rule alone is not enough: the kernel must have IP forwarding switched on (net.ipv4.ip_forward=1), the replies coming back from eth1 to eth0 need a FORWARD rule of their own (restricted to ESTABLISHED,RELATED connections so that the gateway does not become an open path into the intranet), and if the intranet uses private addresses the outgoing traffic has to be source-NATed (the MASQUERADE target in the nat table's POSTROUTING chain) or the replies never find their way back.
6. Configure port forwarding
Individual ports can also be forwarded with iptables, using the nat table:
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
This rewrites packets arriving for port 422 on 192.168.102.37 so that they are delivered to port 22, making SSH reachable on port 422 as well. Because the DNAT happens in PREROUTING, before the filter table sees the packet, the INPUT rule that allows the connection (as in "Configure service rules") must accept the translated destination, port 22, not port 422; an INPUT rule for port 422 never matches.
7. DoS attack mitigation
With the limit extension module we can rate-limit traffic to soften a DoS attack:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
--limit 25/minute is the sustained rate: once the burst is used up, the rule matches at most 25 packets per minute on average.
--limit-burst 100 is the size of the token bucket: up to 100 packets are matched at once before the 25/minute rate takes over, and the bucket refills at that rate whenever traffic stays below it.
Two caveats. The rule counts every TCP packet to port 80, including the packets of connections that are already established, so a busy but legitimate site would throttle itself; adding --syn so that only connection attempts are counted is the usual fix. And the rule only accepts: packets beyond the limit simply fall through to the following rules and the chain policy, so it must be followed by a DROP rule for the same traffic (or the chain policy must be DROP) for the limit to have any effect.
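To see how the two parameters interact, here is a token-bucket model of the limit match, as an added example that is not part of the original article and not the kernel's xt_limit code: it keeps its credit in milliseconds, as the kernel does, starts with the bucket full (the burst), and charges one packet's worth of credit per matched packet. The traffic it is fed is constructed: a flood of 150 packets at once, then one packet per second for a minute.

```shell
#!/bin/sh
# Added example: token-bucket model of "-m limit --limit RATE/minute --limit-burst BURST".
# A simplified model of the documented behaviour, not the kernel implementation.

# limit_sim RATE_PER_MINUTE BURST TIMESTAMP_MS...   ->   prints "accepted dropped"
# Each timestamp is one packet reaching the rule, in milliseconds, in ascending order.
limit_sim() {
  rate=$1; burst=$2; shift 2
  cost=$(( 60000 / rate ))            # credit (ms) that one matched packet consumes
  cap=$(( burst * cost ))             # bucket holds at most "burst" packets' worth of credit
  credit=$cap; last=0; acc=0; drop=0  # the bucket starts full: the whole burst is available at once
  for t in "$@"; do
    credit=$(( credit + t - last ))   # refill: one packet's credit every 60000/rate ms of wall time
    if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
    last=$t
    if [ "$credit" -ge "$cost" ]; then
      credit=$(( credit - cost )); acc=$(( acc + 1 ))   # rule matches, packet is ACCEPTed
    else
      drop=$(( drop + 1 ))            # rule does not match: the packet falls through to later rules
    fi
  done
  echo "$acc $drop"
}

# Constructed traffic: 150 packets at t=0 (a SYN flood), then one packet per second for a minute.
flood=$(printf '0 %.0s' $(seq 150))
steady=$(seq 1000 1000 60000)
echo "flood only:        $(limit_sim 25 100 $flood)"           # 100 matched, 50 fall through
echo "flood then steady: $(limit_sim 25 100 $flood $steady)"   # only 25 more in the next minute
```

The second line shows the steady state: with the bucket drained by the flood, only every 2.4 seconds' worth of credit is available, so 25 of the next 60 packets match and the other 35 fall through, which is why the rule has to be followed by a DROP for the limit to mean anything.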
8. Configure web traffic balancing
A server can act as a front end that distributes incoming web traffic over several back ends with iptables:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:80
These rules use the nth extension module to spread new connections on port 80 round-robin over three servers: the three rules share counter 0 and each takes every third connection (packet 0, 1 and 2 of every cycle of three). DNAT rules live in the nat table, so -t nat is required. The nth match came from the patch-o-matic add-ons and is not in mainline iptables; the equivalent in current releases is the statistic match (-m statistic --mode nth).
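The forwarding, port-forwarding and load-balancing rules of sections 5, 6 and 8 assembled into one gateway ruleset, as an added example that is not code from the original article. Assumed layout: eth0 faces the intranet 192.168.102.0/24 (192.168.102.37 from section 6 being the gateway's intranet address), eth1 faces the public network, and the three web back ends 192.168.1.101 to 192.168.1.103 are reachable behind eth0. The ruleset is written in iptables-restore format so that it loads atomically; the nth match is replaced by the mainline statistic match, and -m state by its current form -m conntrack.

```shell
#!/bin/sh
# Added example: gateway ruleset for sections 5, 6 and 8 in iptables-restore format.
# Assumptions: eth0 = intranet 192.168.102.0/24, eth1 = public, web back ends 192.168.1.0/24.
# Comment lines starting with # are accepted by iptables-restore.

gateway_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Section 6: SSH reachable on 422 as well as 22 (same host, so this is effectively a redirect).
-A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
# Section 8: round-robin new web connections over three back ends with the statistic match.
# Every statistic rule keeps its own counter, so take 1/3 of all, then 1/2 of what is left,
# then everything that remains: an even three-way split.
-A PREROUTING -i eth1 -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:80
-A PREROUTING -i eth1 -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:80
-A PREROUTING -i eth1 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.103:80
# Section 5: source-NAT intranet traffic that leaves on the public interface, or replies never return.
-A POSTROUTING -o eth1 -s 192.168.102.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The DNAT above rewrites 422 -> 22 before INPUT sees the packet, so INPUT must accept port 22.
-A INPUT -i eth0 -p tcp -s 192.168.102.0/24 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Section 5: intranet -> public freely, public -> intranet only for tracked replies.
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Section 8: the only new connections allowed in from the public side are the DNATed web ones.
-A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.1.0/24 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# APPLY=1 loads the ruleset; otherwise print it for review (dry run).
if [ "${APPLY:-0}" = 1 ]; then
  sysctl -w net.ipv4.ip_forward=1           # without this the FORWARD chain never sees a packet
  gateway_ruleset | iptables-restore        # atomic: all tables and chains change together
else
  gateway_ruleset
fi
```

Run it as `sh gateway.sh` to review the rules and `APPLY=1 sh gateway.sh` (as root) to load them. Because iptables-restore replaces the tables in one step, there is no window in which the FORWARD policy is DROP but the ESTABLISHED,RELATED return rule is missing.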
9. Log the discarded packets
With the LOG target and the syslog service we can record the packets sent to or from a given port of a protocol. For example, dropped packets can be logged as follows.
First, define a chain:
iptables -N LOGGING
Next, send every received packet that no earlier rule has accepted to the LOGGING chain (this must be the last rule in INPUT, so that only traffic about to be dropped reaches it):
iptables -A INPUT -j LOGGING
Set the log prefix and log level, rate-limited so that a flood of dropped packets cannot fill the disk:
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables packet dropped: " --log-level 7
Finally, drop the packet:
iptables -A LOGGING -j DROP
LOG is a non-terminating target, so after being logged the packet continues to the DROP rule. Level 7 is debug; the messages go to the kernel log (visible with dmesg) and through syslog, and /etc/syslog.conf (or /etc/rsyslog.conf on current distributions) can route the lines carrying that prefix into a file of their own.
have fun!