Rule syntax for iptables

Source: Internet
Author: User

Category: firewalls. Posted 2012-04-19 17:09.

Part 1: Basic and advanced syntax

Basic syntax

iptables -t filter -A INPUT -p icmp -j DROP

Advanced syntax

iptables -t filter -A INPUT -m mac --mac-source 00:1c:23:3b:2e:b1 -j DROP

The difference between basic and advanced syntax: the filter mechanism is provided by the iptable_filter.ko module, and that module itself offers only a few simple matches. "Basic syntax" means using only the matching functions that iptable_filter.ko provides by itself. "Advanced syntax" calls on the functions of other modules. In the advanced example, "-m mac" tells the iptables tool that we want to use the xt_mac.ko module. Because other modules are being called, that part of the rule changes from module to module, and every module has its own syntax; this is what is meant by "advanced syntax".

Example 1: Drop ICMP packets sent from 222.24.21.195 to the local host

Syntax: iptables -A INPUT -p icmp -s 222.24.21.195 -j DROP

Syntax explanation:

-A INPUT
    Protected object: because this example uses the INPUT chain, the object being protected is the local host.

-p icmp
    Long form: -p, --protocol
    Purpose: match packets of a specific protocol; in this example, ICMP packets.
    Syntax: -p icmp, -p tcp, -p udp, -p all, etc.

-s 222.24.21.195
    Long form: -s, --source
    Corresponding parameter: -d, --destination
    Purpose: match the IP on the "source" or "destination" side of the packet.
    Syntax: -s 222.24.21.195, -s www.baidu.com. The address can be a single IP or a standard CIDR network segment. When an FQDN is given, iptables hands it to DNS for resolution, and the resolved IP is what is actually added to the rule.

-j
    Purpose: jump (target). Packets that match all of the conditions above are "processed" in a specific way.
    The more common ways of processing:

    ACCEPT
        Allow the packet through.

    DROP
        Discard the packet silently. The sender assumes the packet was lost and keeps retransmitting it; this continues until the connection times out.

    REJECT
        Discard the packet and send an ICMP destination-unreachable packet back to the sender, which terminates the connection as soon as it receives the error packet.

Example 2: The host 222.24.21.195 is not allowed to perform name resolution through the local DNS service

Syntax: iptables -A INPUT -p udp -s 222.24.21.195 --dport 53 -j REJECT

Syntax explanation:

--dport 53
    Long form: --dport, --destination-port
    Corresponding parameter: --sport, --source-port
    Purpose: match the "source port" or "destination port" in the TCP or UDP header, which identifies the service being accessed. For example, -p udp --dport 53 means the client is accessing UDP port 53, and UDP port 53 is the DNS service.
    Syntax: --dport 53, --sport 80. Note that whenever --dport or --sport is used, the protocol must be stated as TCP or UDP: always add "-p udp" or "-p tcp" to any rule that uses a port parameter.

Example 3: Allow hosts in the 192.168.1.0/24 network segment to make any service request to 192.168.0.1

Syntax: iptables -A INPUT -p all -s 192.168.1.0/24 -d 192.168.0.1 -j ACCEPT

Syntax explanation:

-p all
    Purpose: match packets of all protocols.

-s 192.168.1.0/24
    Purpose: match packets whose source IP is in the 192.168.1.0/24 network segment.

-j ACCEPT
    Purpose: allow packets that match the three conditions above.

Example 4: Only allow client hosts coming in through eth1 to access the local SSH service

Syntax: iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT

Syntax explanation:

-i eth1
    Long form: -i, --in-interface
    Corresponding parameter: -o, --out-interface
    Purpose: match the interface through which the packet enters (or leaves).
    Syntax: -i eth1, -o eth2

Example 5: Local applications are not allowed to send packets out through the eth0 interface to access the www.baidu.com website

Syntax: iptables -A OUTPUT -o eth0 -p tcp -d www.baidu.com --dport 80 -j REJECT

Syntax explanation:

-A OUTPUT
    Restricted object: because this example uses the OUTPUT chain, the purpose is to restrict outbound connections from the local host.

Part 2: Summary of parameters

The examples above cover the basic syntax of iptables; the parameters are summarized below.

(1) Interface matching parameters

Parameter name: -i, -o

Parameter values: these depend on the physical interfaces of the firewall host. Common interface names:

* eth0: Ethernet interface.
* ppp0: PPP interface.
* lo: local loopback interface.
* fddi0: FDDI fiber-optic interface.

Usage example: -i eth0 matches packets entering through the eth0 interface.

Meaning: match the interface a packet enters or leaves through.

Note: can be combined with "!" to negate the match; for example, "-i ! eth0" matches packets that do not enter through eth0.

(2) Upper-layer protocol matching parameter

Parameter name: -p

Parameter values: these depend on the upper-layer protocol to match. The usual values are:

* tcp: match packets whose upper-layer protocol is TCP.
* udp: match packets whose upper-layer protocol is UDP.
* icmp: match packets whose upper-layer protocol is ICMP.
* all: match all upper-layer protocols.

For other upper-layer protocols, refer to /etc/protocols. Part of its content:

ip        0   IP
hopopt    0   HOPOPT
icmp      1   ICMP
igmp      2   IGMP
ggp       3   GGP
ipencap   4   IP-ENCAP
tcp       6   TCP

Note: the first two fields are used by the system, so -p tcp can also be written as -p 6, because the protocol number of TCP is 6. The third field is for the administrator's identification.
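As an added example (not from the original article), the following POSIX shell lint checks two points the article makes: a --dport/--sport match is only valid together with -p tcp or -p udp (Example 2), and a protocol may be given by name or by its number from /etc/protocols (this section). The protocol table is a constructed excerpt embedded in the script, so it runs offline without root or iptables.

```shell
#!/bin/sh
# Added example, not from the original article: a small lint for iptables
# rule arguments. It enforces the rule that --dport/--sport need -p tcp or
# -p udp, and resolves protocol names or numbers using a constructed excerpt
# of /etc/protocols embedded below (so it runs offline).

# Constructed excerpt of /etc/protocols: name  number  alias
PROTOCOLS='ip 0 IP
hopopt 0 HOPOPT
icmp 1 ICMP
igmp 2 IGMP
ggp 3 GGP
ipencap 4 IP-ENCAP
tcp 6 TCP
udp 17 UDP'

# proto_number NAME|NUMBER: print the protocol number (or "all"); return 1 if unknown.
proto_number() {
    case "$1" in
        all) echo all ;;
        *[!0-9]*)   # a name: look it up case-insensitively in field 1
            name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
            printf '%s\n' "$PROTOCOLS" |
                awk -v n="$name" '$1 == n { print $2; found = 1 } END { exit !found }' ;;
        *)          # already a number: accept it only if the table knows it
            printf '%s\n' "$PROTOCOLS" |
                awk -v n="$1" '$2 == n { print $2; found = 1; exit } END { exit !found }' ;;
    esac
}

# check_rule ARGS...: return 0 if the rule is consistent, 1 with a reason on stderr.
check_rule() {
    proto='' num='' has_port=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--protocol)
                proto=${2:-}
                [ $# -gt 1 ] && shift ;;
            --dport|--destination-port|--sport|--source-port)
                has_port=1 ;;
        esac
        shift
    done
    if [ -n "$proto" ]; then
        num=$(proto_number "$proto") || { echo "unknown protocol: $proto" >&2; return 1; }
    fi
    # A port match only makes sense for TCP (6) or UDP (17).
    if [ "$has_port" -eq 1 ] && [ "$num" != 6 ] && [ "$num" != 17 ]; then
        echo "--dport/--sport requires -p tcp or -p udp" >&2
        return 1
    fi
    return 0
}
```

Call it as check_rule followed by the rule arguments, e.g. check_rule -A INPUT -p udp -s 222.24.21.195 --dport 53 -j REJECT; a non-zero exit means the rule would be rejected for one of the two reasons above.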

(3) Source/destination IP address matching

Parameter name: -s, -d

Parameter values: source and destination IP address matching. The acceptable address formats are:

* 192.168.0.1: matches a single IP.
* 172.10.0.0/16: matches a class B network segment.
* 192.168.0.0/24: matches a class C network segment.
* 192.168.0.0/28: any standard CIDR network segment is also accepted.
* www.qq.com: a hostname can also be used, but what is finally stored in the chain is the resolved IP.

Usage examples:

-s 192.168.0.1: matches packets sent from the host 192.168.0.1.
-s 192.168.0.0/24: matches packets sent from the 192.168.0.0/24 network segment.
-d 192.168.0.10: matches packets to be sent to the host 192.168.0.10.

Meaning: match the source or destination IP address of a packet.

Note: can be combined with "!" to negate the match; for example, "-s ! 192.168.0.0/24" matches packets whose source IP is not in the 192.168.0.0/24 network segment.

(4) Source/destination port matching

Parameter name: --sport, --dport

Parameter values: use --sport or --dport to match the service being accessed. For example, --dport 80 matches packets accessing a web server, and --sport 80 matches the web server's response packets to the client.

Usage examples:

--dport 80: matches packets accessing the web server.
--sport 110: matches packets with which a POP3 server responds to the client.

Meaning: match the source or destination port of a packet.

Note: can be combined with "!" to negate the match; for example, "--sport ! 80" matches packets that were not sent from a web server.

(5) Processing method

Parameter name: -j

Parameter values: the three most common processing methods are:

* ACCEPT: allow the packet.
* DROP: discard the packet.
* REJECT: discard the packet and respond to the sender with an ICMP packet.

Usage examples:

-j ACCEPT: allow the packet.
-j DROP: discard the packet.

Meaning: handle packets that match the rule's conditions in a specific way.
