Introduction:
By default iptables has four tables and five chains.
Four tables: (table priority: raw > mangle > nat > filter)
1. raw table -- two chains: PREROUTING, OUTPUT
Function: decides whether the packet is handed to the connection-tracking mechanism at all. Kernel module: iptable_raw
2. mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modifies packet headers such as the type of service and the TTL, and can mark packets to implement policy routing and QoS. Kernel module: iptable_mangle
3. nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP address, port). Kernel module: iptable_nat
4. filter table -- three chains: INPUT, OUTPUT, FORWARD
Function: filters packets, i.e. defines what is denied and what is allowed. Kernel module: iptable_filter
Five chains: (built in; they cannot be deleted, but the rules inside them can be flushed)
1. INPUT -- packets addressed to this host are checked against this chain
2. OUTPUT -- packets generated by this host are checked against this chain
3. FORWARD -- packets routed through this host are checked against this chain
4. PREROUTING -- rules applied to a packet before the routing decision is made
5. POSTROUTING -- rules applied to a packet after the routing decision is made
I. Starting the firewall configuration:
iptables -X (delete all user-defined chains)
iptables -F (flush all rules)
iptables -L (list all rules; add -n to show addresses and ports numerically instead of resolving names)
II. Writing rules:
iptables -I <chain> [rule-number] (insert a rule at the given position; without a number it goes to the top of the chain)
iptables -A <chain> (append a rule at the end of the chain)
iptables -D <chain> <rule-number> (delete the rule with that number)
iptables -N <chain> (create a user-defined chain)
iptables -P <chain> DROP|ACCEPT (set the chain's default policy: DROP denies, ACCEPT allows) Note: except in an emergency, set a DROP policy last, after the allow rules are in place, or you lock yourself out of the machine.
-p (protocol; lowercase, not to be confused with -P for the policy)
--sport (source port)
--dport (destination port)
-s (source address)
-d (destination address)
-i (inbound network interface)
-o (outbound network interface)
-m (match extension)
1. state: -m state --state RELATED,ESTABLISHED // connection-state matching; without it the replies to connections you already accepted cannot get back through
2. limit: -m limit --limit 5/m --limit-burst 10 // a burst of 10 packets passes at once, after which the allowance refills at 5 per minute
3. connlimit: -m connlimit --connlimit-above 1 // matches once a source IP has more than 1 connection, so combined with -j DROP only 1 connection per IP is allowed
-j (target, i.e. what to do with a matching packet)
ACCEPT (accept the packet)
DROP (silently discard the packet)
DNAT (destination address translation), generally in the PREROUTING chain
SNAT (source address translation), generally in the POSTROUTING chain
<chain name> (jump to that user-defined chain)
MASQUERADE (source address translation to the address of the outgoing interface; meant for interfaces with a dynamic address)
--to-destination (the new destination address for DNAT)
-t nat (select the nat table; without -t the filter table is used)
--line-numbers (show rule numbers when listing with -L)
Examples:
1) Linux system acting both as a server and as its own firewall:
1. Allow outside access to the httpd service on port 80:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT // inbound: TCP with destination port 80 passes
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT // outbound: TCP with source port 80 passes
The same can be done with user-defined chains:
iptables -N httpd-in // create a chain named httpd-in
iptables -A INPUT -j httpd-in // hook httpd-in into the INPUT chain
iptables -A httpd-in -p tcp --dport 80 -j ACCEPT // in httpd-in, TCP with destination port 80 passes
iptables -N httpd-out // create a chain named httpd-out
iptables -A OUTPUT -j httpd-out // hook httpd-out into the OUTPUT chain
iptables -A httpd-out -p tcp --sport 80 -j ACCEPT // in httpd-out, TCP with source port 80 passes
A user-defined chain only sees traffic once it is referenced from a built-in chain; grouping the rules of each service in its own chain like this keeps the built-in chains from becoming cluttered.
2. Allow ping (both of the following ICMP rules are needed for ping to get through):
iptables -A INPUT -i eth0 -p icmp -j ACCEPT // ICMP arriving on eth0 passes
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT // ICMP leaving on eth0 passes
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT // outbound traffic on eth0 that belongs to an already established connection passes (state matching)
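Scenario 1 put together as one script, as an added example that is not part of the original post: it resets the filter table, creates the httpd-in/httpd-out chains, adds the state rules, and sets the DROP policies last, as the note on -P recommends. It assumes the public interface is eth0 and that httpd on TCP port 80 is the only service offered; the loopback rules are an addition (local services break without them). Every rule goes through a small ipt wrapper so the generated rule set can be reviewed with IPT=echo before it is applied as root with the argument apply.

```shell
#!/bin/sh
# Added example: host firewall for a web server that is also its own firewall.
# Not from the original post. Assumptions: public interface eth0, httpd on
# TCP/80 is the only service; the loopback rules are an addition.
# Usage: IPT=echo sh fw.sh apply   (review)    sh fw.sh apply   (as root)
IPT="${IPT:-iptables}"

# One wrapper for every rule, so a dry run (IPT=echo) prints the rule set.
ipt() { "$IPT" "$@"; }

server_firewall() {
    iface="${1:-eth0}"

    # Start from a clean slate. Policies are reset to ACCEPT before flushing:
    # a DROP policy left over from an earlier run would cut the box off the
    # moment the allow rules disappear.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F            # flush the rules in every chain of the filter table
    ipt -X            # delete user-defined chains (must be empty, hence -F first)

    # Loopback traffic (addition; many local services need it).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to connections that were already accepted, in both directions;
    # without this, answers to the host's own outgoing connections are dropped.
    ipt -A INPUT -i "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # User-defined chains for httpd, created first, then hooked into the
    # built-in chains (a chain that is never referenced sees no traffic).
    ipt -N httpd-in
    ipt -N httpd-out
    ipt -A INPUT -j httpd-in
    ipt -A OUTPUT -j httpd-out
    ipt -A httpd-in -p tcp --dport 80 -j ACCEPT
    ipt -A httpd-out -p tcp --sport 80 -j ACCEPT

    # ICMP in both directions so the host can be pinged.
    ipt -A INPUT -i "$iface" -p icmp -j ACCEPT
    ipt -A OUTPUT -o "$iface" -p icmp -j ACCEPT

    # Default policies go LAST, after every allow rule is in place.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

# Only apply when explicitly asked, so sourcing the file for review is harmless.
if [ "${1:-}" = "apply" ]; then
    server_firewall "${2:-eth0}"
fi
```

Reviewing the dry-run output before applying is the check that matters here: the first lines must be the ACCEPT policies, the -N lines must precede the -j jumps to those chains, and the DROP policies must be the last three lines.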
2) Linux system used only as a firewall (router):
echo 1 > /proc/sys/net/ipv4/ip_forward // turn on routing so the kernel forwards packets; without it the FORWARD chain never sees any traffic
1. Allow forwarding of the httpd service on port 80:
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT // forward TCP with destination port 80
2. Allow ping forwarding:
iptables -A FORWARD -p icmp -j ACCEPT // forward ICMP packets
3. Destination address mapping:
iptables -t nat -A PREROUTING -d 192.168.99.101 -j DNAT --to 192.168.100.102 // before routing, destination IP 192.168.99.101 is rewritten to 192.168.100.102 (--to is short for --to-destination)
4. Hiding intranet source addresses:
iptables -t nat -A POSTROUTING -j MASQUERADE // after routing, the intranet source address is replaced by the firewall's external IP address
5. Time-restricted access: (date shows the time; date 072016182005 sets the system clock to July 20 16:18 2005, format MMDDhhmmYYYY, which is a quick way to test these rules)
iptables -I FORWARD -s 192.168.100.0/24 -m time --timestart 16:10 --timestop 18:10 -j ACCEPT // source network 192.168.100.0/24 is allowed through between 16:10 and 18:10
iptables -I FORWARD -d 192.168.100.0/24 -m time --timestart 16:10 --timestop 18:10 -j ACCEPT // destination network 192.168.100.0/24 is allowed through between 16:10 and 18:10
Note that current versions of the time match interpret these times as UTC unless --kerneltz is given; if a test with date does not behave as expected, check the timezone first.
6. Connection-count limit (connlimit caps the number of simultaneous connections, not the transfer speed):
iptables -I FORWARD -p tcp --dport 21 -m connlimit --connlimit-above 1 -j DROP // forwarded connections to port 21 are dropped once the same IP already has 1; -I puts the rule at the top so it is evaluated before any ACCEPT rule, since the first matching terminating rule wins
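Scenario 2 as one script, as an added example that is not part of the original post. The addresses are the ones used above (public address 192.168.99.101, internal web server 192.168.100.102, intranet 192.168.100.0/24); the interface names eth0 (external) and eth1 (intranet) and the --kerneltz flag on the time match are assumptions. The rules are ordered so that the connlimit DROP is evaluated before the ACCEPT rules, and the NAT rules are restricted to the interfaces they belong to rather than matching everything as the one-line MASQUERADE above does. As in the previous example, IPT=echo prints the rule set for review, and apply as root installs it and switches routing on.

```shell
#!/bin/sh
# Added example: Linux box used only as a router/firewall. Not from the
# original post. Assumptions: eth0 is the external interface carrying
# 192.168.99.101, eth1 faces the intranet 192.168.100.0/24, the internal web
# server is 192.168.100.102, and the time match supports --kerneltz.
IPT="${IPT:-iptables}"
ipt() { "$IPT" "$@"; }

router_firewall() {
    ext="${1:-eth0}"
    int="${2:-eth1}"
    lan=192.168.100.0/24
    public_ip=192.168.99.101
    web_srv=192.168.100.102

    # Clean slate in both the filter and the nat table.
    ipt -P FORWARD ACCEPT
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -t nat -X

    # Destination NAT, before routing: HTTP requests for the public address
    # arriving on the external interface are sent to the internal web server.
    ipt -t nat -A PREROUTING -i "$ext" -d "$public_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$web_srv:80"
    # Source NAT, after routing: intranet hosts leave with the router's
    # external address. Limited to the LAN and the external interface.
    ipt -t nat -A POSTROUTING -o "$ext" -s "$lan" -j MASQUERADE

    # FORWARD chain: replies to accepted connections first.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Connection-count limit: a second forwarded FTP control connection from
    # the same source IP is dropped. Must precede any broader ACCEPT.
    ipt -A FORWARD -p tcp --dport 21 -m connlimit --connlimit-above 1 -j DROP
    # Web traffic to the internal server (the destination has already been
    # rewritten by the DNAT rule when the packet reaches FORWARD).
    ipt -A FORWARD -i "$ext" -o "$int" -d "$web_srv" -p tcp --dport 80 -j ACCEPT
    # Intranet hosts may go out only between 16:10 and 18:10; --kerneltz makes
    # the match use the router's local time instead of UTC.
    ipt -A FORWARD -i "$int" -o "$ext" -s "$lan" \
        -m time --timestart 16:10 --timestop 18:10 --kerneltz -j ACCEPT
    # ICMP forwarding in both directions.
    ipt -A FORWARD -p icmp -j ACCEPT
    # Everything else that is forwarded is dropped; policy set last.
    ipt -P FORWARD DROP
}

if [ "${1:-}" = "apply" ]; then
    # Routing on, otherwise FORWARD never sees a packet.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    router_firewall "${2:-eth0}" "${3:-eth1}"
fi
```

Check the dry-run output for two things before applying: the DNAT rule is in the nat table's PREROUTING chain while the matching ACCEPT is in filter FORWARD and matches the rewritten destination, and the connlimit DROP line appears above the port 80 ACCEPT.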
3) Logging with the ulogd monitor program:
/usr/local/ulogd/sbin/ulogd & // start the daemon in the background
iptables -A FORWARD -p icmp -j ULOG // log forwarded ICMP packets to ulogd
iptables -A FORWARD -p icmp -j ACCEPT // allow forwarded ICMP packets
The ULOG rule has to come before the ACCEPT rule: ACCEPT is a terminating target, so a ULOG rule placed after it would never see a packet, whereas ULOG is non-terminating and lets the packet continue to the next rule. (The ULOG target was removed from the kernel in 3.17; NFLOG is its replacement and ulogd 2 reads from it.)
The above is knowledge accumulated in my own learning; if anything needs correcting or adding, you are welcome to get in touch so we can learn together. Thank you for reading.
This article is from the "Pan" blog; please keep this source: http://zonds.blog.51cto.com/12638755/1930504
Policy rules for Linux firewalls