Skill--iptables (iii)

Source: Internet
Author: User

Match conditions

One: -s source address. Specifies the source IP; several addresses can be given separated by ",", a network segment can be given instead of a single address, and "!" negates the condition.
Note: with "!", the rule matches messages whose source IP is not 192.168.1.103 and applies the corresponding action to them.
Examples are as follows:

Two: -d destination address
Attention:
1. The source address is where the message comes from and the destination address is where the message is going; the distinction matters when the target host has two or more network cards, as below
2. The usage of -s described above also applies to -d
Case one:
The 80.174 NIC refuses to receive messages from 80.138

Then we check on the 192.168.80.138 machine.

You can see that 80.138 can ping the 80.144 address, but is rejected by 80.174 with "Destination Port Unreachable"

Three: -p protocol type, specifies the protocol that must be matched
Attention:
1. SSH runs over TCP at the transport layer, so it is matched as protocol tcp; the ping command uses ICMP
2. CentOS 6: -p supports tcp, udp, udplite, icmp, esp, ah, sctp
3. CentOS 7: -p supports tcp, udp, udplite, icmp, esp, ah, sctp, icmpv6, mh
4. When -p is omitted, all protocol types are matched, the same as -p all
Case two: rejecting TCP requests from 138

Test on the 192.168.80.138 machine

Four: NIC interface
-i: matches the NIC through which the message enters this host (ingress)
-o: matches the NIC through which the message leaves this host (egress)
Look at the following:

Packets flow in through the PREROUTING chain to the INPUT chain or the FORWARD chain
Packets flow out from the OUTPUT chain or the FORWARD chain through the POSTROUTING chain
So: -i can be used in the PREROUTING, INPUT and FORWARD chains; -o can be used in the OUTPUT, FORWARD and POSTROUTING chains
Case three:
-i and -o examples

Extended match conditions

One: the tcp and multiport extension modules

Option: Description
tcp module: when -p specifies the tcp protocol, -m tcp can be omitted
-m: specifies the extension module
--dport (tcp extension module): destination port
--sport (tcp extension module): source port
multiport module: specifies multiple discrete ports at the same time

1. -p tcp -m tcp --sport matches the source port of a TCP message; ":" specifies a contiguous range of ports
2. -p does not conflict with -m: -m names the extension module and -p names the protocol of the message; the two names just happen to coincide
3. When -m is not given, the module with the same name as the protocol specified by -p is loaded by default
4. --dport accepts port ranges, and so does --sport, for example: (:20), (20:80); an open upper bound such as 80: is also accepted, as in Case four
Case four:
Examples of the tcp extension module

1) Reject SSH requests from 101
iptables -I INPUT -s 192.168.1.101 -p tcp -m tcp --sport 22 -j REJECT
# note: --sport 22 matches packets whose source port is 22 (replies from an SSH server on 101);
# incoming SSH requests to this host's sshd would be matched with --dport 22 instead
2) Reject TCP requests from 101 on the port range 22 - 25
iptables -I INPUT -s 192.168.1.101 -p tcp -m tcp --dport 22:25 -j REJECT
3) Reject TCP requests from 101 on the port range 0 - 22
iptables -I INPUT -s 192.168.1.101 -p tcp -m tcp --dport :22 -j REJECT
4) Reject TCP requests from 101 on the port range 80 - 65535
iptables -I INPUT -s 192.168.1.101 -p tcp -m tcp --dport 80: -j REJECT
5) Reject TCP requests from 101 on ports other than 22
iptables -I INPUT -s 192.168.1.101 -p tcp -m tcp ! --sport 22 -j ACCEPT
# note: "!" negates only the --sport 22 condition, and the target of this rule as written is ACCEPT, not REJECT

Case five:
Examples of the multiport extension module

1) Use the multiport module to reject the two ports 101,102
iptables -I INPUT -s 192.168.1.101 -p udp -m multiport --sports 101,102 -j REJECT
2) Use the multiport module to reject the two ports 22,80
iptables -I INPUT -s 192.168.1.101 -p tcp -m multiport --dports 22,80 -j REJECT
3) Use the multiport module to reject every port except 22 and 80
iptables -I INPUT -s 192.168.1.101 -p tcp -m multiport ! --dports 22,80 -j REJECT
4) Use the multiport module to reject the port range 80 - 88
iptables -I INPUT -s 192.168.1.101 -p tcp -m multiport --dports 80:88 -j REJECT
5) Use the multiport module to reject port 22 and the port range 80 - 88
iptables -I INPUT -s 192.168.1.101 -p tcp -m multiport --dports 22,80:88 -j REJECT
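To make the port specifications of Case four and Case five concrete, the following is an added example (not code from the page or from the iptables project) that models how `-m tcp --dport` and `-m multiport --dports` interpret `:22`, `80:`, `22:25` and `22,80:88`, including `!` negation and multiport's limit of 15 ports (a range counts as two). The function names are this example's own.

```python
"""Model of how iptables' tcp --dport and multiport --dports port specs are
matched (added example, not the page's or the iptables project's code)."""

MAX_PORT = 65535
MULTIPORT_MAX = 15  # multiport accepts at most 15 ports; a range a:b counts as two


def parse_port_spec(spec):
    """Turn ':22', '80:', '22:25' or '22,80:88' into a list of (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            low, high = item.split(":", 1)
            low = int(low) if low else 0            # ':22' means 0-22
            high = int(high) if high else MAX_PORT  # '80:' means 80-65535
        else:
            low = high = int(item)
        if not 0 <= low <= high <= MAX_PORT:
            raise ValueError("bad port range: %s" % item)
        ranges.append((low, high))
    return ranges


def dport_match(spec, port, negate=False):
    """-m tcp --dport SPEC: exactly one port or one range is allowed (no commas)."""
    if "," in spec:
        raise ValueError("-m tcp --dport takes a single port or range; use -m multiport")
    (low, high), = parse_port_spec(spec)
    return (low <= port <= high) != negate


def multiport_match(spec, port, negate=False):
    """-m multiport --dports SPEC: several ports/ranges; '!' negates the whole list."""
    ranges = parse_port_spec(spec)
    cost = sum(2 if low != high else 1 for low, high in ranges)
    if cost > MULTIPORT_MAX:
        raise ValueError("multiport allows at most %d ports" % MULTIPORT_MAX)
    hit = any(low <= port <= high for low, high in ranges)
    return hit != negate


if __name__ == "__main__":
    # constructed sample ports checked against the page's rule 5) of Case five
    for port in (22, 80, 85, 89, 443):
        print(port, "REJECT" if multiport_match("22,80:88", port) else "pass")
```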

--tcp-flags of the tcp extension module
--tcp-flags matches on the flag bits in the TCP header. It takes two comma-separated lists: the first names the flags to examine, the second names the flags that must be set among them, and every other examined flag must be clear. Rules can therefore be written according to the state of the flags
Here is how to use it:

iptables -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
iptables -I INPUT -p tcp -m tcp --dport 22 --tcp-flags ALL SYN -j REJECT
The tcp extension module also provides a dedicated option that matches the "first handshake" packet: --syn
iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --syn -j REJECT
Note: --syn is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN
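The following added example (not code from the page or from iptables) models the `--tcp-flags MASK COMP` comparison on constructed flag bytes and shows why `--syn` equals `--tcp-flags SYN,RST,ACK,FIN SYN` but is not identical to `--tcp-flags ALL SYN`: `ALL` also examines URG and PSH. Function names are this example's own.

```python
"""Model of the tcp module's --tcp-flags MASK COMP match and the --syn
shorthand (added example, not the page's or the iptables project's code)."""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flag_bits(spec):
    """'SYN,ACK' -> bitmask; iptables also accepts the keywords ALL and NONE."""
    spec = spec.upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name.strip()] for name in spec.split(","))


def packet(*names):
    """Flag byte of a constructed TCP segment, e.g. packet('SYN', 'ACK')."""
    return sum(TCP_FLAGS[n] for n in names)


def tcp_flags_match(mask, comp, pkt_flags, negate=False):
    """--tcp-flags MASK COMP: only the bits in MASK are examined; among them the
    bits in COMP must be set and every other examined bit must be clear."""
    hit = (pkt_flags & flag_bits(mask)) == flag_bits(comp)
    return hit != negate


def syn_match(pkt_flags, negate=False):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (URG and PSH are ignored)."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", pkt_flags, negate)


if __name__ == "__main__":
    for names in (("SYN",), ("SYN", "ACK"), ("SYN", "PSH"), ("ACK",)):
        flags = packet(*names)
        print("+".join(names), "--syn:", syn_match(flags),
              "ALL SYN:", tcp_flags_match("ALL", "SYN", flags))
```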

Two: the iprange, string, time, connlimit and limit extension modules
1. iprange specifies a contiguous range of IP addresses (-s and -d take a single address or a network segment, not an arbitrary contiguous range)
--src-range: matches messages whose source address is within the given range
--dst-range: matches messages whose destination address is within the given range
Case six:
Specify a contiguous IP address range

2. string matches a string: messages that contain the given string match, and the corresponding action is performed
--algo: specifies the matching algorithm (bm or kmp); one of the two must be chosen
--string: specifies the string to match
Case seven:
Match the string "It works!" and perform the REJECT action
Below is the Apache default page

The rule is as follows; when the page is accessed again there is no response

3. time specifies the time frame

Extended condition: Description
--timestart: start of the time range; cannot be negated
--timestop: end of the time range; cannot be negated
--weekdays: day of the week; can be negated with "!"
--monthdays: day of the month; can be negated with "!"
--datestart: start of the date range; cannot be negated
--datestop: end of the date range; cannot be negated

Case eight:
Examples of the time extension module

1) No web browsing from 9 am to 7 pm
iptables -I OUTPUT -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 -j REJECT
iptables -I OUTPUT -p tcp --dport 443 -m time --timestart 09:00:00 --timestop 19:00:00 -j REJECT
2) No web browsing on Saturday and Sunday
iptables -I OUTPUT -p tcp --dport 80 -m time --weekdays 6,7 -j REJECT
3) No web browsing on the 22nd and 23rd of each month
iptables -I OUTPUT -p tcp --dport 80 -m time --monthdays 22,23 -j REJECT
4) No web browsing on every day of the month except the 22nd and 23rd
iptables -I OUTPUT -p tcp --dport 80 -m time ! --monthdays 22,23 -j REJECT
5) No web browsing from 9 am to 7 pm on Saturday and Sunday
iptables -I OUTPUT -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 18:00:00 --weekdays 6,7 -j REJECT
# note: the command as written stops at 18:00:00
6) No web browsing on Fridays that fall on the 22nd - 28th of the month
iptables -I OUTPUT -p tcp --dport 80 -m time --weekdays 5 --monthdays 22,23,24,25,26,27,28 -j REJECT
7) No web browsing from 2018-12-24 to 2018-12-27
iptables -I OUTPUT -p tcp --dport 80 -m time --datestart 2018-12-24 --datestop 2018-12-27 -j REJECT
# note: the time module compares against UTC by default; add --kerneltz to use the kernel's local time zone

4. connlimit limits the number of concurrent connections per IP

Extended condition: Description
--connlimit-above: used alone, limits the number of connections from each source IP
--connlimit-mask: cannot be used alone; together with --connlimit-above, limits the number of connections per network of the given prefix length (e.g. 24 for a class C segment)

Case nine:
Examples of the connlimit extension module

1) Each IP address may hold at most two SSH connections to the server (no IP specified means all IPs)
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
2) Within a class C segment, at most 20 SSH clients may be connected to the server at the same time
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT
3) Within a class C segment, at most 10 SSH clients may be connected to the server at the same time
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 10 --connlimit-mask 27 -j REJECT
# note: --connlimit-mask 27 counts connections per /27 (32 addresses), not per full class C /24
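The following added example (not code from the page or from iptables) models how `--connlimit-above N --connlimit-mask M` groups existing connections by source network before comparing the count, using constructed source addresses; it also shows that mask 27 in rule 3) counts per /27, so two hosts in the same class C but different /27 blocks are counted separately. Function names are this example's own.

```python
"""Model of -m connlimit --connlimit-above N --connlimit-mask M for the rules
in Case nine (added example, not the page's or the iptables project's code)."""
import ipaddress
from collections import Counter


def group_key(ip, mask_bits):
    """Connections are counted per network of the given prefix length."""
    return ipaddress.ip_network("%s/%d" % (ip, mask_bits), strict=False)


def connlimit_above(existing_sources, new_source, above, mask_bits=32):
    """True (the rule matches, so the page's rules REJECT) when the new
    connection, counted together with the existing ones from the same
    group, exceeds `above`. mask_bits=32 is the per-IP default."""
    counts = Counter(group_key(ip, mask_bits) for ip in existing_sources)
    return counts[group_key(new_source, mask_bits)] + 1 > above


if __name__ == "__main__":
    # constructed sample: ten clients already connected from 192.168.1.1-10
    existing = ["192.168.1.%d" % i for i in range(1, 11)]
    for client in ("192.168.1.20", "192.168.1.40"):
        hit = connlimit_above(existing, client, above=10, mask_bits=27)
        print(client, "REJECT" if hit else "accepted")
```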

5. limit extension module
limit restricts the "packet arrival rate", i.e. the number of packets allowed through per unit of time

Extended condition: Description
--limit-burst: token bucket algorithm; the maximum number of tokens the bucket can hold
--limit: token bucket algorithm; the rate at which tokens are added to the bucket, with the time units /second, /minute, /hour, /day

Case ten:
When an external host pings this machine, after the initial burst of 3 packets only one packet is released every 6 seconds (10/minute)

iptables -t filter -I INPUT -p icmp -m limit --limit-burst 3 --limit 10/minute -j ACCEPT
iptables -t filter -A INPUT -p icmp -j REJECT
# 10/minute adds one token every 6 seconds; once the burst of 3 is used up, one ICMP packet
# per 6 seconds matches the ACCEPT rule and the rest fall through to REJECT
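To show where the "one packet every 6 seconds" comes from, the following added example (not code from the page or from iptables) simulates the limit module's token bucket with `--limit-burst 3 --limit 10/minute` over constructed ping arrival times and applies the page's ACCEPT/REJECT rule pair. It keeps credit in whole milliseconds so the arithmetic is exact; the class and function names are this example's own.

```python
"""Token-bucket model of the limit module used by Case ten (added example,
not the page's or the iptables project's code)."""

UNIT_MS = {"second": 1000, "minute": 60000, "hour": 3600000, "day": 86400000}


class LimitMatch:
    """-m limit --limit RATE --limit-burst BURST, evaluated once per packet."""

    def __init__(self, limit="10/minute", burst=3):
        rate, _, unit = limit.partition("/")
        self.cost = UNIT_MS[unit or "second"] // int(rate)  # ms of credit per packet
        self.cap = self.cost * burst   # a full bucket holds BURST packets
        self.credit = self.cap         # the bucket starts full
        self.last_ms = 0

    def match(self, now_ms):
        """Refill credit for the elapsed time, then spend one packet's cost if possible."""
        self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def icmp_verdicts(arrival_ms, limit="10/minute", burst=3):
    """Apply the page's two rules: ACCEPT while the limit matches, otherwise REJECT."""
    bucket = LimitMatch(limit, burst)
    return ["ACCEPT" if bucket.match(t) else "REJECT" for t in arrival_ms]


if __name__ == "__main__":
    # constructed input: one ping per second for 20 seconds
    times = list(range(0, 20000, 1000))
    for t, verdict in zip(times, icmp_verdicts(times)):
        print("%5d ms  %s" % (t, verdict))
```

With pings one second apart, the first three are accepted and afterwards only the pings at 6, 12 and 18 seconds pass; a pause of a minute refills the bucket to its burst of 3.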
