The first thing to note is that iptables is not itself a firewall, but a tool for configuring firewall functionality.
1. Two architecture diagrams of iptables (images not reproduced here)
Tables:
raw table:
mangle table: mainly used to modify packets
nat table: mainly used for network address translation and port mapping
filter table: mainly used for filtering packets
In practice, most configuration is done in the filter table.
Chains:
INPUT: applies to packets destined for the local host
OUTPUT: applies to packets sent by the local host
FORWARD: matches packets passing through the local host (forwarding)
PREROUTING: used to modify the destination address (DNAT)
POSTROUTING: used to modify the source address (SNAT)
2. Basic operation of iptables
Start: service iptables start
Restart: service iptables restart
Stop: service iptables stop
Save: service iptables save
Flush all rules: iptables -F
Zero the packet and byte counters of the chains: iptables -Z
Delete user-defined chains: iptables -X
When clearing iptables, -F, -Z and -X are generally used together.
iptables -nvL shows the firewall rules currently in effect:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  4317 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   39  4106 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 37 packets, 5314 bytes)
 pkts bytes target     prot opt in     out     source               destination
Three basic actions (targets) in iptables:
ACCEPT: allow
DROP: discard
REJECT: reject
The difference between DROP and REJECT: DROP does not let the packet in at all and discards it silently; REJECT lets the packet in first and then refuses it. DROP is the more secure of the two, so DROP is generally used when refusing traffic.
The default policy of iptables is ACCEPT, that is:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
3. Configuration of iptables:
There are two configuration approaches for iptables:
1) Allow by default, reject specific traffic;
2) Deny by default, allow specific traffic;
Each has its own merits, and which to use depends on the situation. However, note: if you choose the second approach, remember to set SSH to ACCEPT first, because the machine is usually not physically next to us; once the default becomes deny, our remote login is cut off, and that is a big problem.
Before configuring the default deny policy, accept SSH:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
There is another safeguard: create a scheduled task that periodically stops iptables, i.e. runs service iptables stop. Then even if the SSH rule was not added before the default deny policy took effect, it does not matter: when the scheduled task fires, iptables clears all of its configuration, including the default policies.
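The "deny by default, allow specific traffic" procedure above, written as a script so the SSH rule is always in place before the INPUT policy becomes DROP. This is an added example, not code from the original post; it assumes the service-based iptables setup the post describes, a root shell, and an SSH_PORT variable (default 22) that is not part of the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the "deny by default,
# allow specific traffic" INPUT policy in the order the post recommends,
# so the SSH ACCEPT rule exists before the policy flips to DROP.
# Assumes the service-based iptables setup used in the post and a root shell.
# DRY_RUN=1 prints the commands instead of executing them.
SSH_PORT="${SSH_PORT:-22}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

default_deny_input() {
    # Start from a clean filter table (the -F -Z -X trio from section 2).
    run iptables -F
    run iptables -Z
    run iptables -X
    # Keep the policy ACCEPT while rules are built, so a typo cannot lock us out.
    run iptables -P INPUT ACCEPT
    # Replies to connections this host started, loopback traffic and ICMP.
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -p icmp -j ACCEPT
    # SSH is accepted BEFORE the default becomes deny (the post's warning).
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Only now set the default to DROP (DROP rather than REJECT, as the post prefers).
    run iptables -P INPUT DROP
}

# Returns 0 when, in the generated command list, the SSH ACCEPT rule comes
# before the DROP policy: the ordering that keeps a remote session alive.
ssh_before_drop() {
    ( DRY_RUN=1; default_deny_input ) | awk '
        /--dport/ && /ACCEPT/ { ssh = NR }
        /-P INPUT DROP/       { drop = NR }
        END { exit !(ssh && drop && ssh < drop) }'
}
```

Preview with DRY_RUN=1 before calling default_deny_input for real, then persist the result with service iptables save as the post describes.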
Basic syntax of iptables:
iptables [-t filter/nat] [-A/-I] [INPUT/OUTPUT/FORWARD] [-i/-o interface] [-p tcp/udp/icmp/all] [-s ip/network] [--sport ports] [-d ip/network] [--dport ports] [-j ACCEPT/DROP]
The filter table is used when -t is omitted.
Parameters:
-I: insert at the first line of the chain
-A: append at the end of the chain
-i/-o: the interface the packet enters or leaves through, such as eth1, eth0, pppoe, etc.
-p: the protocol to match
-s: the source IP; this can be a single IP such as 192.168.109.131, a network such as 192.168.109.0/24, or a domain name such as 163.com. If you give a domain name, the system resolves it to its IP address and that IP is what is shown in iptables.
--sport: source port
-d: the destination IP or network (same forms as -s)
--dport: destination port
-j: the action to execute, ACCEPT or DROP; REJECT is generally not used
For an INPUT rule the source IP is that of the sending host and the destination port is local; for OUTPUT it is the other way round.
4. Execution priority of iptables:
Rules are evaluated from top to bottom, and when two rules conflict, the earlier one takes effect.
5. Deleting iptables rules
Sometimes we need to delete one or a few rules rather than flushing everything with iptables -F. Two methods are commonly used:
1. Edit the configuration file
# vim /etc/sysconfig/iptables
Delete the corresponding line, then run service iptables restart, and then service iptables save.
Attention:
After editing the configuration file you must restart before saving, otherwise the edit is lost. This is because save writes out the rules that were loaded when the iptables service last started; if you run service iptables save directly, before restarting, /etc/sysconfig/iptables is overwritten with the configuration from the last start.
2. Delete from the command line
1) If you remember how the rule was written, you can pass that same specification to iptables -D. For example:
iptables -D INPUT -s 10.72.11.12 -p tcp --sport 1234 -d 10.72.137.159 --dport 80 -j DROP
2) General method:
a. View the ordinal number of each rule:
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      263 21025 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
b. Delete by the number shown: # iptables -D INPUT 2
Note:
1. If several identical rules exist in the chain, deleting by content removes only the one with the smallest number;
2. When deleting by number, the number must be less than or equal to the number of rules in the chain, otherwise an error is reported;
3. When deleting by content, the rule must exist, otherwise an error is reported.
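A small helper for the delete-by-number method and the three notes above: it reads the --line-numbers listing to find which numbers match a rule, and refuses an out-of-range number before running iptables -D. This is an added example, not from the original post; the listing it parses is constructed (it includes a duplicate icmp rule to show why deleting by content removes only the first match), and the DRY_RUN switch is an assumption of this example.

```shell
# Added example, not from the original post. Assumes the --line-numbers
# listing format shown in the post; SAMPLE_LISTING is constructed for
# offline use and deliberately contains the icmp rule twice (rules 2 and 4).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      263 21025 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_numbers LISTING PATTERN: print the num column of every rule line whose
# text matches PATTERN (an awk regex). Header lines have no leading number.
rule_numbers() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }'
}

# rule_count LISTING: the highest rule number in the chain.
rule_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n = $1 } END { print n + 0 }'
}

# delete_by_number CHAIN N LISTING: refuse a number outside 1..rule_count
# (note 2), otherwise delete. DRY_RUN=1 prints the command instead.
delete_by_number() {
    chain=$1; n=$2; listing=$3
    total=$(rule_count "$listing")
    if [ "$n" -lt 1 ] || [ "$n" -gt "$total" ]; then
        echo "rule $n out of range (chain $chain has $total rules)" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -D $chain $n"
    else
        iptables -D "$chain" "$n"
    fi
}
```

With the sample listing, rule_numbers "$SAMPLE_LISTING" icmp reports 2 and 4; deleting by content would remove only rule 2 (note 1), so rule 4 has to be removed by number.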
Technical Links: http://www.aminglinux.com/bbs/forum.php
This article is from the "I am not my" blog, please be sure to keep this source http://wangwq.blog.51cto.com/8711737/1634806
Some interpretations of iptables in Linux