Quick start: Linux iptables firewall (1): basic management of local and external communication

Source: Internet
Author: User

Overview

iptables is the firewall component that runs under Linux; the following is a quick way to get started with it.

Features (important)
    1. Its logic is a three-layer structure of chains, tables and rules.
    2. When a packet passes through, the rules in the corresponding table are matched from top to bottom; on the first match the packet leaves the chain and all later rules are ignored.
    3. It is commonly used to filter packets and to forward packets (proxy servers).
    4. It works on the basis of IP address, port and MAC address.
Structure (chain name, meaning, default available tables)

PREROUTING
  Meaning: generally packets sent from outside the network to the current host, before the routing rules have processed them
  Tables: mangle (special packet tagging), nat (address translation)

FORWARD
  Meaning: generally packets sent from outside the network to the current host after the routing rules have processed them; there are roughly two possibilities:
    1. the local host itself handles the network data coming from the external source
    2. the local host forwards the network data coming from the external source to another address
  Tables: mangle (special packet tagging), filter (filtering)

POSTROUTING
  Meaning: packets that have passed the routing rules and are about to leave the host; this is the case when:
    1. the local host itself generates a request
    2. the host is forwarding network data
  Tables: mangle (special packet tagging), nat (address translation)

INPUT
  Meaning: data sent to this machine
  Tables: mangle (special packet tagging), filter (filtering)

OUTPUT
  Meaning: data sent outward by this machine
  Tables: mangle (special packet tagging), filter (filtering)

The workflow of iptables can be broadly expressed as three different paths:

    1. Source address sends data -- {PREROUTING --> routing rules --> POSTROUTING} -- destination address receives data
    2. Source address sends data -- {PREROUTING --> INPUT --> local host}
    3. {Local host --> OUTPUT --> POSTROUTING} -- destination address receives data

From the table above we can see that when address forwarding is not involved, for example when managing the network of a single host, we only need to configure the two chains INPUT and OUTPUT to manage the host's network; these two chains are the focus of what follows.

Example 1, Managing rules

iptables [-t table] [option] -n

Options:

    1. -L lists the rules

    2. -F flushes (clears) all rules

    3. -X deletes the custom chains

    4. -Z zeroes the statistics (counters) of all chains

-n means display the rules in numeric form, i.e. as IP addresses and port numbers rather than names.

Cases:

View all rules in the filter table

iptables -t filter -L -n

Clear the rules in the filter table

iptables -t filter -F

2, Defining the default rules of a table

The first thing to remember is that iptables is a structure of tables on chains, so the default rule of each table on each chain is defined with the following format:

iptables -t table -P CHAIN ACTION

-t was explained above. -P here is uppercase, and the chain name is also case-sensitive, so take care not to write it wrong. The action types are ACCEPT (allow) and DROP (prohibit); there is also a LOG action for logging, which I have not used so far.

Cases:

Set the filter table default rule on the input chain

iptables -t filter -P INPUT ACCEPT

It is important to note that by default all connections are allowed to reach the server. Such a setting is very dangerous in a production server environment and is not recommended; the default should be DROP. But changing the default from allow-all to deny-all kicks you out of your own remote session, and the server is usually not local but remote, which is troublesome. So keep in mind: set the default rule only after you have set the rules for your own access, preferably as the very last step.

3, Custom rules

Now let's really set an IP- and port-based rule on a chain in a table; this is the most common use of iptables.

Format:

iptables [-A chain] [-i|-o NIC] [-p protocol] [-s source IP] [-d destination IP] -j action

Cases:

Prohibit the computer with IP 192.168.1.110 from accessing this machine's eth0 NIC

Analysis:

    1. To prevent some host from accessing this machine, the rule goes on the INPUT chain; add it with -A
    2. The NIC is eth0; because this is the INPUT chain, the parameter is -i
    3. The source IP is 192.168.1.110
    4. The action is DROP

So it should be written as

iptables -A INPUT -i eth0 -s 192.168.1.110 -j DROP

Conversely, to prohibit this machine from accessing 192.168.1.110, write

iptables -A OUTPUT -o eth0 -d 192.168.1.110 -j DROP

Cases:

Allow the machine to access the local loopback NIC (lo, localhost)

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

Now we can add a policy for a fixed IP; to add a policy for a whole network segment, for example to prohibit every IP in the 192.168.1.xxx segment from accessing this machine, use the following notation:

iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP

Here 192.168.1.0/24 denotes the network segment; for the exact meaning, see any text on computer networking principles. The 24 means that, reading the binary form from left to right, the first 24 bits are 1; an IPv4 address has 32 bits, so 32-24=8 bits remain, i.e. the last decimal segment of the IP, which is written as 0.

So we can set policies either for an IP segment or for a single IP.
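The /24 arithmetic explained above, worked through in shell as an added example that is not part of the original post: the prefix length becomes a netmask, and an address belongs to the segment when its network bits match the segment's after masking. It goes a little beyond the text by accepting any prefix length, not only /24, and needs no iptables or root.

```shell
# Added example, not from the original post: the /24 notation explained above,
# done by hand in shell arithmetic. A prefix of 24 means the first 24 of the
# 32 address bits are 1 (the network part); the remaining 8 bits are the host.

# Dotted quad -> 32-bit integer, e.g. 192.168.1.110 -> 3232235886
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as an integer: 24 -> 0xFFFFFF00 (255.255.255.0)
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_segment ADDRESS NETWORK/PREFIX: succeeds when ADDRESS lies in the segment,
# i.e. the network bits of both agree after masking.
in_segment() {
    mask=$(prefix_to_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Demo with the segment used in the rule above (runs stand-alone).
int_to_ip "$(prefix_to_mask 24)"
in_segment 192.168.1.110 192.168.1.0/24 && echo "192.168.1.110 is in 192.168.1.0/24"
in_segment 192.168.2.1 192.168.1.0/24 || echo "192.168.2.1 is not in 192.168.1.0/24"
```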

Next come rules that involve ports; these are usually the most fine-grained and most useful part.

Format:

iptables -A chain -i|-o NIC -p protocol -s source IP --sport source port -d destination IP --dport destination port -j action

Here are a few points to note

    1. The chain is chosen the same way as for the IP rules (INPUT or OUTPUT), with the matching -i or -o.
    2. -p is lowercase and stands for the protocol; the type can be tcp, udp, icmp or all. Note in particular that the ping command we usually use is actually the ICMP protocol, which is special in that it does not use ports, so specifying all (which includes ICMP) together with a port option may produce an error!
    3. INPUT rules have a source and OUTPUT rules have a destination, but INPUT rules usually restrict the destination port while OUTPUT rules usually restrict the source port; keep the logic straight.

Cases:

Web server: open the port 80 service

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Allow the 192.168.1.x network segment to access the MySQL database

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 3306 -j ACCEPT

Finally, when several rules match one access, the first one wins; when no rule matches, the default rule is used.

In the examples above you will have noticed that -A stands for append: each rule added this way goes to the end of the rule list. Besides append there is also -I, insert.

Usage: replace -A with -I and add a position number after the chain name:

-I chain 1

1 represents the first order, which is the highest-priority matching rule.

For example

iptables -I INPUT 1 -p tcp --dport <port> -j ACCEPT
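The rules of this section assembled into one script, as an added example that is not part of the original post, in the order the text recommends: your own access first, the default DROP policy last, and the single-host DROP ahead of the segment ACCEPT because the first match wins. It assumes eth0, the 192.168.1.0/24 segment and host 192.168.1.110 from the examples above, and adds a port 22 rule for the administrator's own access and a `-m state --state ESTABLISHED,RELATED` rule (not discussed on this page) so that replies to connections the host itself opens still get in once the policy is DROP; it only prints the commands unless run as root with the argument `apply`.

```shell
# Added example, not from the original post: the rules of this section as one
# script, in the order the text recommends. Prints the commands unless told to
# apply them, so the order can be reviewed without root.
IFACE=eth0                    # NIC used in the examples above
ADMIN_NET=192.168.1.0/24      # segment allowed to reach MySQL (and, assumed, SSH)
BLOCKED_HOST=192.168.1.110    # single host denied in both directions

host_firewall_rules() {
    cat <<EOF
# 1. start from a clean filter table
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
# 2. loopback and replies to our own connections (the latter is not on the page)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. the single-host DROP comes before any ACCEPT covering its segment: first match wins
iptables -A INPUT -i $IFACE -s $BLOCKED_HOST -j DROP
iptables -A OUTPUT -o $IFACE -d $BLOCKED_HOST -j DROP
# 4. our own access (assumed: SSH from the admin segment), then the services
iptables -A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 3306 -j ACCEPT
# 5. only now the default policy, so a remote session is not cut off halfway
iptables -t filter -P INPUT DROP
EOF
}

case "${1:-}" in
    apply) host_firewall_rules | sh -e ;;   # needs root; review the printout first
    *)     host_firewall_rules ;;
esac
```

After applying, check the result with `iptables -t filter -L -n` and, on a chkconfig-based system, persist it with `service iptables save` as described in the next section.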

==========================================================

The above covers the configuration of specific rules. These configurations are lost when the firewall restarts, so how to manage the firewall service is the subject of what follows.

Start at boot

chkconfig iptables on

Save the rules

service iptables save

This command saves the rules to the file /etc/sysconfig/iptables, which is read automatically at reboot.

This is fine for a server whose rules are relatively fixed, but if you need to switch rules frequently, the rules written into this file are not very easy to manage.

Alternatively, the rules can be written into a separate script that is loaded automatically at boot (from /etc/rc.local); pay attention to the permissions set on it (755). The advantage is easier management; the disadvantage is that it only takes effect at power-on:

if the firewall service is restarted, the rules in that script are not reloaded.

Summary: iptables looks complex, but once you find the logical correspondences it is not difficult. The key is to understand the meaning of the 5 chains and the several tables. This page is only a simple introduction to the basic management of local and external communication.
