The iptables of Linux

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

The main categories of firewalls are:
1, NetFilter
2. TCP Wrappers
3. Proxy

Packet filtering software for Linux: iptables
The order of the rules is very important

Three sheets: Filter, NAT, mangle
Five chains: input, output, forward, prerouting, postrouting

View and purge of rules

iptables [-t tables] [-L] [-nv]-t：nat/filter-L：列出当前的规则-n：不进行IP的反查，显示速度快-v：列出更多的信息iptables-save [-t tables]#列出完整的防火墙规则iptables [-t tables] [-FXZ]-F：清除所有已制定的规则-X：除掉所有用户自定义的chain（tables）-Z：清零所有chain的计数和流量统计

Define a default Policy

iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]

Grammar:

[[email protected] ~]# iptables [-AI [INPUT|OUTPUT|FOREARD...]] [-io [eth0|eth1...]] > [-p [tcp|udp|icmp...]] [-s [sip|net]] [-d [dip|net]] -j [ACCEPT|DROP|REJECT|LOG]--sport、--dport[-m state] [--state 状态][-m mac] [--mac-source xxx]

Iptables Setup Script:
1. Clear existing Rules
2. Make the default policy
3. Set the Rules
4. Save

#!/bin/bash# Please enter the relevant parameters, do not enter the error extif= "eth0" # This is the network interface that can come to you on public IP inif= "eth1" #内部LAN network connection, if none is written inif= "" Innet= "192.168 .100.0/24 "# If there is no internal network interface, please fill in innet=" "Export extif inif INNEF # The first part, the firewall settings for this machine # 1. Set the network function of the kernel first echo "1" >/proc/sys/net/ipv4/tcp_syncookiesecho "1" >/proc/sys/net/ipv4icmp_echo_ignore_ Broadcastsfor i In/proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; Do echo "1" > $idonefor i in/proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; Do echo "0" > $idone # 2. Purge rules, set default policies, and open lo with associated setting values Path=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; Export pathiptables-fiptables-xiptables-ziptables-p INPUT dropiptables-p OUTPUT acceptiptables-p fprward ACCEPTiptab Les-a input-i lo-j acceptiptables-a input-nm state-state related,established-j accept# 3. Start the additional firewall script module if [-f/usr/local/virus/iptables/iptables.deny]; Then Sh/usr/local/virus/iptables/iptables.denyfi if [-f/usr/local/virus/iptables/iptabLes.allow]; Then Sh/usr/local/virus/iptables/iptables.allowfiif [-f/usr/local/virus/iptables/iptables.http]; Then sh/usr/local/virus/iptables/iptables.httpfi# 4. Allow certain types of ICMP packets to enter AICMP = "0 3 3/4" for tyicmp in $AICMPdo iptables-a input-i #EXTIF-P ICMP--icmp-typ E $tyicmp-j acceptdone# 5.  Allow access to certain services, please open it in your own environment # iptables-a input-p tcp-i $EXTIF--dport--sport 1024:65535-j ACCEPT # ftp# iptables-a INPUT -P tcp-i $EXTIF--dport--sport 1024:65535-j ACCEPT # ssh# iptables-a input-p tcp-i $EXTIF--dport--sport 102 4:65535-j Accept # smtp# iptables-a input-p tcp-i $EXTIF--dport,--sport 1024:65535-j ACCEPT # dns# Iptables-a in Put-p tcp-i $EXTIF--dport--sport 1024:65535-j ACCEPT # dns# iptables-a input-p tcp-i $EXTIF--dport--sport 1024:65535-j Accept # www# iptables-a input-p tcp-i $EXTIF--dport--sport 1024:65535-j ACCEPT # pop3# Iptables- A input-p tcp-i $EXTIF--dport 443--sport 1024:65535-j ACCEPT # https# The second part, the firewall settings for the backend host # 1. Load some useful modules first modules= "Ip_tables iptables_nat ip_nat_ftp ip_nat-irc ip_conntrack ip_conntrack_ftp Ip_conntrack_irc" for MoD in $modulesdo testmod= ' lsmod | grep "^${mod}" | awk ' {print '} ' if [' $testmod ' = = ' "]; Then Modprobe $mod fi# 2. Rules for clearing NAT table Iptables-f-T natiptables-x-t natiptables-z-t natiptables-t nat-p prerouting acceptiptables-t NAT -P postrouting acceptiptables-t nat-p OUTPUT accept# 3. If there is an internal interface (dual NIC) Open as a router, and for IP-sharing if ["$INIF"! = ""]; Then iptables-a input-i $INIF-j ACCEPT echo "1" >/proc/sys/net/ipv4/ip_forward if ["$INIET"! = ""]; Then for innet in $INNET do iptables-r nat-a postrouting-s $innet-o $EXTIF-j MA  Squerade done fifi# If your MSN has been unable to connect, or some sites ok some sites are not OK, may be the problem of MTU, then you can uncomment the following line to start the range of MTU Iptables-a Forward-p tcp-m TCP--tcp-flags stn,rst syn-m tcpmss--mss 1400:1536-j tcpmss--clamp-mss-to-pmtu# 4. NAT Server Backend on-LAN external value server settings iptables-t nat-a prerouting-p tcp-i $EXTIF--dport 80-j DNAT--tp-description 192.168.1.210:80 #WWW # 5. Special features, including rules generated by Windows Remote Desktop, assume that the desktop host is 1.2.3.4# iptables-t nat-a prerouting-p tcp-s 1.2.3.4--dport 6000-j DNAT--to-desc Ription 192.168.100.10# iptables-t nat-a prerouting-p tcp-s 1.2.3.4--sport 3389-j DNAT--to-description 192.168.100. 20# 6. Finally, store these functions/etc/init.d/iptables save

Linux iptables

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More