Linux iptables


The main categories of firewalls are:
1. Netfilter (packet filtering inside the Linux kernel, managed with iptables)
2. TCP Wrappers (per-program access control through /etc/hosts.allow and /etc/hosts.deny)
3. Proxy (an application-layer gateway that terminates the connection itself)

The packet-filtering software on Linux is iptables.
The order of the rules is very important: a packet is checked against the rules of a chain from top to bottom, the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT) decides its fate, and later rules are never consulted for that packet. Only when no rule matches does the chain's default policy apply. A rule appended with -A below a catch-all DROP therefore never matches; it has to be inserted above it with -I.

Three tables: filter, nat, mangle
Five chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING (filter holds INPUT, OUTPUT and FORWARD; nat holds PREROUTING, POSTROUTING and OUTPUT)

Viewing and purging rules

iptables [-t table] [-L] [-nv]
  -t: nat or filter (filter is the default when -t is omitted)
  -L: list the current rules
  -n: do not reverse-resolve IP addresses, which makes listing much faster
  -v: list more information (packet and byte counters, interfaces)
iptables-save [-t table]      # list the complete firewall rules, one table at a time, in a form iptables-restore can load
iptables [-t table] [-FXZ]
  -F: flush all rules that have been set
  -X: delete all user-defined chains
  -Z: zero the packet and byte counters of all chains
Note that -F, -X and -Z act only on the table named with -t (filter by default), so the nat table has to be flushed separately.
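The first-match rule above is where most "the rule is there but it does nothing" mistakes come from. As an added example (not part of the original page), the following audit reads the text that iptables-save prints and flags rules that sit below a catch-all terminating rule in the same chain, which can never match. The iptables-save dump it runs over is a constructed sample; only catch-all shadowing is detected, not partial overlaps such as a broad -s prefix hiding a narrower one.

```shell
# Added example, not from the original page: an audit over the text produced by
# iptables-save, flagging rules that can never match because an earlier rule in
# the same chain already terminates every packet. Only catch-all shadowing is
# detected (a rule with no match options and a terminating target); partial
# overlaps such as a broad -s prefix hiding a narrower one are out of scope.

# Constructed sample of iptables-save output. The ssh ACCEPT was appended (-A)
# below an unconditional DROP instead of being inserted (-I) above it, so it is
# dead: the DROP matches first.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT'

# shadowed_rules: reads iptables-save text on stdin and prints
# "<table> <chain>: <rule>" for every rule that follows a catch-all
# terminating rule in the same chain.
shadowed_rules() {
    awk '
        # "*table" starts a new table; forget what was blocked in the previous one
        /^\*/ { table = substr($0, 2); split("", blocked); next }
        /^-A / {
            chain = $2
            key = table ":" chain
            if (key in blocked) { print table " " chain ": " $0; next }
            # Catch-all: exactly "-A CHAIN -j TARGET" with a terminating target
            if (NF == 4 && $3 == "-j" &&
                ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                blocked[key] = 1
        }
    '
}

# count_shadowed: number of dead rules found in the constructed sample.
count_shadowed() {
    printf "%s\n" "$SAMPLE_RULES" | shadowed_rules | wc -l | tr -d " "
}

# On a live system: iptables-save | shadowed_rules
```

Run against the sample it reports the ssh rule in the filter table's INPUT chain and nothing else; the FORWARD and POSTROUTING rules are not behind a catch-all. Because iptables-save prints every table, the audit resets its state at each "*table" line so a DROP in filter/INPUT does not flag rules in nat/INPUT.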

Defining a default policy

iptables [-t nat] -P [INPUT|OUTPUT|FORWARD] [ACCEPT|DROP]

The policy is what happens to a packet that reaches the end of the chain without matching any rule. Setting INPUT to DROP over a remote ssh session without an ACCEPT rule for RELATED,ESTABLISHED traffic (and for the ssh port itself) cuts off your own session.

Syntax:

iptables [-AI INPUT|OUTPUT|FORWARD...] [-io eth0|eth1...] [-p tcp|udp|icmp...] [-s sip|net] [-d dip|net] -j ACCEPT|DROP|REJECT|LOG
  -A appends the rule at the end of the chain, -I inserts it at the top (or at a given position)
  -i is the incoming interface, -o the outgoing interface
  --sport, --dport: source and destination port; only valid together with -p tcp or -p udp
  [-m state] [--state STATE]: connection-tracking state (NEW, ESTABLISHED, RELATED, INVALID)
  [-m mac] [--mac-source xxx]: match on the source MAC address

An iptables setup script does the following, in this order:
1. Clear the existing rules
2. Set the default policies
3. Set the rules
4. Save

#!/bin/bash
# Please fill in these parameters carefully; a typo here breaks the whole script.
EXTIF="eth0"                # the interface that faces the public IP
INIF="eth1"                 # the internal LAN interface; set INIF="" if there is none
INNET="192.168.100.0/24"    # the internal network; set INNET="" if there is no internal interface
export EXTIF INIF INNET

# Part one: firewall settings for this host
# 1. Set the kernel network parameters first
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
    echo "0" > $i
done

# 2. Purge the rules, set the default policies, open lo and allow established connections
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# 3. Run the additional firewall script modules, if present
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
    sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
    sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/iptables/iptables.http ]; then
    sh /usr/local/virus/iptables/iptables.http
fi

# 4. Allow certain ICMP types in: 0 = echo reply, 3 = destination unreachable,
#    3/4 = fragmentation needed (required for path MTU discovery)
AICMP="0 3 3/4"
for tyicmp in $AICMP; do
    iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done

# 5. Allow access to certain services; uncomment the ones your environment needs.
#    The port numbers are the standard ones for each service; adjust if yours differ.
# iptables -A INPUT -p tcp -i $EXTIF --dport 21  --sport 1024:65535 -j ACCEPT  # ftp
# iptables -A INPUT -p tcp -i $EXTIF --dport 22  --sport 1024:65535 -j ACCEPT  # ssh
# iptables -A INPUT -p tcp -i $EXTIF --dport 25  --sport 1024:65535 -j ACCEPT  # smtp
# iptables -A INPUT -p udp -i $EXTIF --dport 53  --sport 1024:65535 -j ACCEPT  # dns (udp)
# iptables -A INPUT -p tcp -i $EXTIF --dport 53  --sport 1024:65535 -j ACCEPT  # dns (tcp)
# iptables -A INPUT -p tcp -i $EXTIF --dport 80  --sport 1024:65535 -j ACCEPT  # www
# iptables -A INPUT -p tcp -i $EXTIF --dport 110 --sport 1024:65535 -j ACCEPT  # pop3
# iptables -A INPUT -p tcp -i $EXTIF --dport 443 --sport 1024:65535 -j ACCEPT  # https

# Part two: firewall settings for the hosts behind this machine
# 1. Load some useful modules first. These are the legacy (2.4 / early 2.6 kernel)
#    module names; current kernels provide nf_conntrack_ftp, nf_nat_ftp and friends instead.
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules; do
    testmod=$(lsmod | grep "^${mod} " | awk '{print $1}')
    if [ "$testmod" = "" ]; then
        modprobe $mod
    fi
done

# 2. Clear the rules of the NAT table
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING  ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT      ACCEPT

# 3. If there is an internal interface (dual NIC), act as a router and share the public IP
if [ "$INIF" != "" ]; then
    iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    if [ "$INNET" != "" ]; then
        for innet in $INNET; do
            iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
        done
    fi
fi
# If MSN cannot connect, or some sites work and others do not, the MTU may be the
# problem; uncomment the following line to clamp the TCP MSS to the path MTU.
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. NAT server: expose a server on the LAN to the outside (example; uncomment and
#    change the address to the real backend host)
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination 192.168.1.210:80  # WWW

# 5. Special functions, including the rules needed for Windows Remote Desktop;
#    assume the desktop host is 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 -j DNAT --to-destination 192.168.100.10
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 -j DNAT --to-destination 192.168.100.20

# 6. Finally, save the rules
/etc/init.d/iptables save
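The script above builds its ruleset one iptables call at a time, so between the flush and the last ACCEPT the host is briefly in a half-configured state, and a typo in the middle leaves it that way. As an added example that is not the page's own script, the following rebuilds the same four steps (clear, policy, rules, save) as a generator that emits the ruleset in iptables-restore format, which is loaded in a single atomic commit, plus an applier that keeps a copy of the live rules and restores them after a timeout unless you confirm, so a mistake over ssh does not lock you out. The interface names, the LAN prefix, the open ssh port (22) and the rollback delay are assumed example values; -m conntrack --ctstate is the current spelling of the page's -m state --state.

```shell
# Added example, not the page's own script: the policy of the setup script above,
# rebuilt as a generator that emits iptables-restore text plus an applier that
# loads it atomically with a timed rollback. Interface names, the LAN prefix,
# the open ssh port (22) and the rollback delay are assumed values.

# build_ruleset EXTIF INIF INNET
# Prints a complete filter + nat ruleset in iptables-restore format. INIF and
# INNET may be empty, in which case no LAN accept or masquerade rule is emitted.
# -m conntrack --ctstate is the current form of the page's -m state --state.
build_ruleset() {
    extif=$1; inif=$2; innet=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $extif -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -i $extif -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -i $extif -p icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -i $extif -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ -n "$inif" ]; then
        echo "-A INPUT -i $inif -j ACCEPT"
    fi
    echo "COMMIT"
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    if [ -n "$inif" ] && [ -n "$innet" ]; then
        echo "-A POSTROUTING -s $innet -o $extif -j MASQUERADE"
    fi
    echo "COMMIT"
}

# apply_with_rollback RULEFILE [SECONDS]
# Saves the live ruleset, checks RULEFILE with iptables-restore --test (parse
# and build without committing), loads it in one atomic commit, then restores
# the saved copy after SECONDS unless the backup file is removed first. Needs
# root and a real iptables; it is defined here but not exercised offline.
apply_with_rollback() {
    rulefile=$1; delay=${2:-60}
    backup=$(mktemp /tmp/iptables.rollback.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore --test < "$rulefile" || { echo "ruleset rejected" >&2; return 1; }
    iptables-restore < "$rulefile" || return 1
    (
        sleep "$delay"
        [ -e "$backup" ] && iptables-restore < "$backup" && rm -f "$backup"
    ) &
    echo "rules loaded; run 'rm -f $backup' within ${delay}s to keep them"
}

# Typical use (as root):
#   build_ruleset eth0 eth1 192.168.100.0/24 > /etc/iptables.rules
#   apply_with_rollback /etc/iptables.rules 60
```

The generated text keeps the same order as the script: the lo and RELATED,ESTABLISHED accepts come first, so the INPUT DROP policy can never cut an existing session, and the masquerade rule is emitted only when both an internal interface and an internal network are given, mirroring the nested checks on $INIF and $INNET above. Because iptables-restore replaces the whole table in one commit, the "flush, then rebuild" window of the original script disappears, and the saved rule file doubles as the "save" step of the procedure.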
