The iptables of the shell

Source: Internet
Author: User
Tags: ack

These five positions are also known as the five hooks (hook functions), or the five rule chains:
1. PREROUTING (before routing)
2. INPUT (packets destined for the local host)
3. FORWARD (packets being forwarded through the host)
4. OUTPUT (packets leaving the local host)
5. POSTROUTING (after routing)
These are the five rule chains of Netfilter; any packet that passes through this machine traverses at least one of them.

Firewall policies generally come in two kinds, called the "pass" policy and the "block" policy. With a pass policy the door is closed by default, and you must define who may enter. With a block policy the door is open, but you must pass identity authentication, otherwise you cannot enter. So we define what may come in and what may go out: pass means letting everything through, while block means choosing. When we define a policy we define several functions: the ability to decide whether a packet is allowed or not (the filter function), and the NAT function for address translation. To let these functions work alongside one another, the concept of a "table" was introduced to define and distinguish the different working functions and processing methods.

Today we mostly use 3 different functions:
1. filter: defines what is allowed and what is not
2. nat: defines address translation
3. mangle: modifies the original data of the packet

filter can generally be used only on 3 chains: INPUT, FORWARD, OUTPUT
nat can generally be used only on 3 chains: PREROUTING, OUTPUT, POSTROUTING
mangle can be used on all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

The way iptables defines a rule is somewhat more involved:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: one of the 3 tables filter, nat, mangle
COMMAND: defines how the rule is managed
chain: specifies which chain the rule operates on; it can be omitted when defining a policy
CRITERIA: specifies the matching criteria
-j ACTION: specifies how the matched packet is handled

For example: 172.16.0.0/24 is not allowed to access.
iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
Of course, if you want the refusal to be more explicit:
iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT

iptables -L -n -v    # view the rules that have been defined, in detail


iptables [-t filter] [-A|-I INPUT|OUTPUT|FORWARD] [-i|-o interface]
[-p tcp|udp|icmp|all] [-s ip/network] [--sport ports]
[-d ip/network] [--dport ports] [-j ACCEPT|DROP]
The above is the basic syntax of iptables.
-A means append.
-I means insert.
-i / -o name the interface the packet enters or leaves through, such as eth1, eth0, a PPPoE interface, etc.
-p is the protocol you want to specify.
-s is the source address: a single IP such as 192.168.2.6, a network such as 192.168.2.0/24, or a domain name such as 163.com; if you give a domain name, the system resolves it to its IP and that IP is what appears in iptables.
--sport is the source port.
-d is like -s, except that it refers to the destination address, IP, domain or network.
--dport is the destination port.
-j is the target to execute: ACCEPT or DROP.

Four: Commands in detail

1. Chain management commands (these take effect immediately)
-P: sets the default policy (whether the door is closed or open by default)
There are generally only two default policies:
iptables -P INPUT DROP|ACCEPT    closed by default / open by default
For example:
iptables -P INPUT DROP    This makes the default rule deny. With no other rule defined, every connection from outside, including your Xshell connection, is rejected and the remote session is cut off.
-F: flush, empties a chain of its rules (mind the administrative permissions of each chain)
iptables -t nat -F PREROUTING
iptables -t nat -F    empties all chains of the nat table
-N: new, lets the user create a new chain
iptables -N inbound_tcp_web    creates a user-defined chain for checking TCP web traffic
-X: deletes a user-defined chain that is empty
Used the same way as -N, but the chain must be emptied before it can be deleted.
-E: renames a chain; mainly used to give a user-defined chain a new name
iptables -E oldname newname
-Z: zeroes the counters of the chain and of its default policy (there are two counters: how many packets matched, and how many bytes)
iptables -Z    zeroes them

2. Rule management commands
-A: append, adds a rule at the end of the current chain
-I num: insert, inserts the rule at the given position
-I 3: insert as the third rule
-R num: replace, replaces/modifies the rule at the given position
Format: iptables -R 3 ...
-D num: delete, deletes the rule at the given position

3. Viewing command "-L"
Additional options:
-n: numeric, shows IP addresses as numbers; without -n, IPs are reverse-resolved to host names
-v: show details
-vv
-vvv: more details
-x: shows exact values in the counters, without unit conversion
--line-numbers: shows the line number of each rule
-t nat: shows the rules of the nat table instead of the default filter table
Five: Matching criteria in detail

1. Generic matches: source address and destination address matching
-s: matches the source address, given as a host name or an IP
IP | IP/mask | 0.0.0.0/0.0.0.0
The address can be negated by prefixing it with "!"
-d: matches the destination address; with "!" it matches everything except that IP
-p: matches the protocol (usually one of 3 protocols: tcp/udp/icmp)
-i eth0: data entering through this NIC
Inbound matches are generally used on INPUT and PREROUTING
-o eth0: data leaving through this NIC
Generally used on OUTPUT and POSTROUTING

2. Extended matches
2.1 Implicit extensions: extensions of a protocol
-p tcp: extensions of the TCP protocol. There are generally three kinds:
--dport xx:xx: specifies the destination port; you cannot specify several non-contiguous ports, only a single port or one range, for example
--dport 21 or --dport 21:23 (this means 21,22,23)
--sport: specifies the source port
--tcp-flags: TCP flag bits (SYN,ACK,FIN,PSH,RST,URG)
It typically takes two parameters:
1. the flag bits to check
2. the flag bits that must be 1
--tcp-flags SYN,ACK,FIN,RST SYN    is equivalent to    --syn
This means the 4 listed bits are checked; among them SYN must be 1 and the other three must be 0. So this matches the first packet of the TCP three-way handshake. For this specific match on a first packet with only SYN set there is also the shorthand --syn.
-p udp: extensions of the UDP protocol
--dport
--sport
-p icmp: extensions for ICMP messages
--icmp-type:
echo-request (request echo) is normally represented by 8,
so --icmp-type 8 matches echo request packets
echo-reply (the response packet) is normally represented by 0
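The mask/compare semantics of --tcp-flags, as an added example that is not part of the original page: a POSIX sh implementation of the match, so you can see which flag combinations --tcp-flags SYN,ACK,FIN,RST SYN (the --syn shorthand) does and does not match. The flag names and bit values are those of the TCP header; the function names and the sample flag sets are my own.

```shell
#!/bin/sh
# Added example (not from the original page): evaluates the iptables
# "--tcp-flags MASK COMP" match on a packet's flag set. The rule semantics are
# "(packet_flags AND mask) == comp": bits outside MASK are ignored, bits inside
# MASK must equal COMP exactly. Bit values are those of the TCP header.

# Map one flag name (case-insensitive) to its header bit.
flag_bit() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;
        NONE) echo 0 ;;
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Turn a comma-separated flag list such as SYN,ACK into an integer bitmask.
flags_to_mask() {
    mask=0
    rest="$1"
    while [ -n "$rest" ]; do
        name="${rest%%,*}"
        bit=$(flag_bit "$name") || return 1
        mask=$((mask | bit))
        case "$rest" in
            *,*) rest="${rest#*,}" ;;
            *)   rest="" ;;
        esac
    done
    echo "$mask"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Exit status 0 (match) when the bits named in MASK, taken from PACKET_FLAGS,
# are exactly the bits named in COMP.
tcp_flags_match() {
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $(( p & m )) -eq "$c" ]
}

# The --syn shorthand: SYN set, ACK/FIN/RST clear, PSH/URG not inspected.
is_syn() {
    tcp_flags_match SYN,ACK,FIN,RST SYN "$1"
}

# Demonstration on constructed flag sets (one per handshake step, plus two
# that show PSH is ignored and FIN,ACK is rejected).
for pkt in SYN SYN,ACK ACK SYN,PSH FIN,ACK; do
    if is_syn "$pkt"; then verdict=matches; else verdict="does not match"; fi
    echo "--syn on [$pkt]: $verdict"
done
```

The third sample (SYN,PSH) is the instructive one: it still matches, because PSH is not in the mask, which is exactly why a rule meant to see "only the SYN flag" has to list every flag it cares about in the first argument.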

2.2 Explicit extensions (-m)
Load the various extension modules
-m multiport: enables the multiport extension
With it we can use, for example, --dports 21,23,80


VI: -j ACTION in detail

Common actions:
DROP: silently discard
We often use DROP to hide our identity and our rule list
REJECT: explicit refusal
ACCEPT: accept
custom_chain: jump to a user-defined chain
DNAT
SNAT
MASQUERADE: source address masquerading
REDIRECT: redirect, mainly used for port redirection
MARK: set a firewall mark on the packet
RETURN: return
Returns to the calling chain after the user-defined chain has finished executing.
Seven: State inspection:

This is an explicit extension that tracks the state of a connection across sessions; with it we can extend our rules with per-session logic.
What is stateful inspection? TCP as a whole is a connection-oriented protocol with a three-way handshake. The first handshake packet we call a new connection; from the second handshake onwards ACK is 1, which is normal data transmission, and the second and third handshake packets of TCP are called an established connection (ESTABLISHED). There is another, stranger state, for example SYN=1 ACK=1 RST=1: we do not recognise this, and call it INVALID. And there is a fourth: FTP, an ancient service, uses independent ports, where ports 21 and 20 go together; they are related, and we call this relationship RELATED.
So we have a total of four states:
NEW
ESTABLISHED
RELATED
INVALID

So we can add state inspection to the exercise we just did. For example, allow only NEW and ESTABLISHED in, and only ESTABLISHED out; this gives a good control mechanism against the common reverse-connecting trojans.

An extension of the exercise:
Coming in, allow only ESTABLISHED in; going out, allow only ESTABLISHED out. The default rules use deny.
iptables -L -n --line-numbers    shows which line each previous rule occupies
Overwrite the INPUT rule:
iptables -R INPUT 2 -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT

Now, if you want to open port 80, how is it opened?
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -R INPUT 1 -d 172.16.100.1 -p udp --dport 53 -j ACCEPT

Exercise 2:
If we want to be able to ping others, but others must not be able to ping us, how do we achieve it?
Analysis: for the ping protocol, type 8 is the request (ping) and type 0 is the reply. We need to let 8 out and allow 0 in.

On the outgoing side: iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
On the incoming side: iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

Small extension: 127.0.0.1 is special, and we need to allow it explicitly
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
VIII: Implementing SNAT and DNAT

Because IP addresses are now very scarce and have essentially all been allocated, we use address translation to conserve what little IP space we have left. So how do we implement NAT address translation with iptables?

1. SNAT: translation based on the source address
Source address translation is generally used when many intranet users go online through one external interface: we translate our intranet addresses into one public IP and can then connect to other external IPs.
So we define in iptables exactly how to translate:
The form of the definition:
For example, we now want every IP of the 192.168.10.0 segment to be translated into the hypothetical external address 172.16.100.1:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
In this way, any attempt from the local network to reach the outside through this NIC is translated to the IP 172.16.100.1.
So, what if 172.16.100.1 is not fixed?
We all know that when we go online through Unicom or Telecom, a random external IP is assigned every time we connect; that is, the external address changes dynamically. In that case we change the external address to MASQUERADE (dynamic masquerading): it automatically finds out the address of the outgoing interface and rewrites the source to the correct external address. So we set it up like this:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
It is important to note that masquerading is not suitable everywhere.

2. DNAT: destination address translation
For destination address translation, the data flows from a client on the outside to a server on the inside. Through destination address translation we can let outside IPs reach our different servers through our one external IP, while the services themselves sit on different servers in the intranet.

How do we do destination address translation?
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
The destination address must be translated before the routing decision is made, so this is done at the PREROUTING position.

IX: Saving and loading the rules

Note: everything you define is lost when you reboot; if we want it to persist, we need to save it with a command
1. service iptables save
Saves the rules in the file /etc/sysconfig/iptables
2. iptables-save
iptables-save > /etc/sysconfig/iptables

3. iptables-restore
At boot, /etc/sysconfig/iptables is loaded automatically.
If it is not loaded at boot, or you want to apply a configuration file you wrote yourself (say iptables.2) manually:
iptables-restore < /etc/sysconfig/iptables.2
This manually applies the rules defined in the file.
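Putting the stateful exercise, the SNAT/MASQUERADE and DNAT rules, and the save/restore format together, as an added example that is not part of the original page: a POSIX sh script that prints a complete rule set in the format iptables-save writes and iptables-restore reads. The addresses are the page's own (172.16.100.1, 192.168.10.0/24, 192.168.10.18, 172.16.100.2); the interface name eth0, the FORWARD rules that let the NATed flows through the filter table, and the log-before-drop rule are my additions.

```shell
#!/bin/sh
# Added example, not from the original page: generates a complete rule set in the
# iptables-save/iptables-restore format. It combines the stateful host policy from
# the exercise (deny by default; NEW and ESTABLISHED in on 22 and 80, UDP 53,
# loopback, only ESTABLISHED out plus outgoing ping) with the nat examples
# (SNAT or MASQUERADE for 192.168.10.0/24, DNAT of port 80 to 172.16.100.2).
# Nothing here touches the kernel: the script only prints the file, so it can be
# read and diffed against the output of iptables-save before iptables-restore
# loads it. Addresses are the page's; the interface name eth0 is an assumption.

HOST_IP=172.16.100.1        # the page's example host address
LAN_NET=192.168.10.0/24     # the page's example intranet
DNAT_PUBLIC=192.168.10.18   # address the page's DNAT rule matches on
DNAT_TARGET=172.16.100.2    # internal web server in the page's DNAT rule
WAN_IF=eth0                 # assumption: interface facing the outside

# filter table. Order matters because the first matching rule decides: the
# INVALID drop and the ESTABLISHED,RELATED accept go first, so the per-port
# rules only have to admit NEW connections. FORWARD must admit the NATed flows
# too; nat rewrites addresses but never accepts anything by itself. New TCP
# connections that reach the end of INPUT are logged once before the default
# DROP policy discards them.
filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $HOST_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -d $HOST_IP -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -d $HOST_IP -p udp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp --syn -j LOG --log-prefix "Iptables_drop_alert " --log-level info
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -d $DNAT_TARGET -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# nat table: the page's DNAT rule plus either a fixed SNAT (argument 0) or
# MASQUERADE (argument 1) for the case where the external address is dynamic.
nat_table() {
    masquerade_lan="${1:-0}"
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo "-A PREROUTING -d $DNAT_PUBLIC -p tcp --dport 80 -j DNAT --to-destination $DNAT_TARGET"
    if [ "$masquerade_lan" -eq 1 ]; then
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    else
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $HOST_IP"
    fi
    echo 'COMMIT'
}

# Print the whole file; pass 1 to use MASQUERADE instead of a fixed SNAT.
build_ruleset() {
    filter_table
    nat_table "${1:-0}"
}

# Number of rules (-A lines) in a rule set read from stdin: a quick sanity
# check to compare against what iptables-save reports after loading.
count_rules() {
    grep -c '^-A '
}

# Review the output, then load it with:  build_ruleset 1 | iptables-restore
build_ruleset 0
echo "rules in generated file: $(build_ruleset 0 | count_rules)" >&2
```

Loading the file with iptables-restore replaces each table as a whole, so the SSH accept rule and the DROP policy arrive together and the lockout described under -P INPUT DROP cannot happen half-way through. For the FORWARD rules to carry any traffic the kernel must also have net.ipv4.ip_forward set to 1.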
--------------------------------------------------------------------------------
iptables -A INPUT -i eth0 -s 192.168.100.250 -d 192.168.100.1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.100.250 -s 192.168.100.1 -p tcp --sport 22 -j ACCEPT
Opens port 22 to allow remote administration. (Several additional conditions are set: the management machine's IP must be .250 and it must enter through the eth0 NIC.)

iptables -A INPUT -i eth0 -s 192.168.100.0/24 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
Allows packets from machines in the 192.168.100.0/24 segment that enter through the eth0 NIC, provided the packet is TCP, the destination port is 3128 (REDIRECT has already rewritten 80 to 3128, because PREROUTING of the nat table comes before INPUT of the filter table), and the packet's state is NEW or ESTABLISHED (NEW is the first handshake of the TCP three-way handshake, in other words it lets the client send a connection request to the server; ESTABLISHED means the connection has already been set up through the handshake).

iptables -A OUTPUT -o eth2 -p tcp --sport 32768:61000 -m state --state NEW,ESTABLISHED -j ACCEPT
Let's look at this one first. Your packet has now entered the firewall of the Linux server. Squid needs to fetch the page on your behalf, so at this point the server takes the client role and uses the private ports 32768 to 61000. (Everyone is surprised that it is not 1024 to 65535. In fact, the CentOS build of Linux defines the private port range as 32768 to 61000; you can check it with cat /proc/sys/net/ipv4/ip_local_port_range.) Once again: here Squid acts as the client accessing other servers, so the source port is 32768:61000, not 3128!

iptables -A INPUT -i eth2 -p tcp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
Of course, the data has to come back.

iptables -A OUTPUT -o eth0 -d 192.168.100.0/24 -p tcp --sport 3128 -m state --state ESTABLISHED -j ACCEPT
The packet then passes through the server to the intranet NIC. Note that here Squid fetches the website you want to visit for you, so on the intranet side your machine is the client and Squid is the server. This differs from the outside access just described, so here the source port is 3128, not 32768:61000.

iptables -A OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 53 -j ACCEPT
Of course, DNS is indispensable.

iptables -A INPUT -i eth+ -p tcp --dport 80 -j LOG --log-prefix "Iptables_80_alert" --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 21 -j LOG --log-prefix "Iptables_21_alert" --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 22 -j LOG --log-prefix "Iptables_22_alert" --log-level info
iptables -A INPUT -i eth+ -p tcp --dport 25 -j LOG --log-prefix "Iptables_25_alert" --log-level info
iptables -A INPUT -i eth+ -p icmp --icmp-type 8 -j LOG --log-prefix "Iptables_icmp8_alert" --log-level info
Of course, a bit of logging helps the network administrator.
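A small parser for the kernel messages these LOG rules produce, added here as an example and not part of the original page. The log lines are constructed, not captured from a real host; the source addresses and the host name gw are made up. One caveat a practitioner will hit: the LOG target prints the prefix immediately followed by IN=, so a prefix without a trailing space (as in the rules above) appears glued to the interface field, for example Iptables_22_alertIN=eth0. Ending the prefix with a space avoids this; the awk below copes with either form.

```shell
#!/bin/sh
# Added example (not from the original page): summarises kernel log lines written
# by iptables LOG rules with prefixes of the form Iptables_<something>_alert.
# SAMPLE_LOG is constructed for this example; the field layout (IN= OUT= SRC= DST=
# PROTO= SPT= DPT=, or TYPE= CODE= for ICMP) is the one the LOG target writes.
# Note the glued prefix "Iptables_22_alertIN=eth0" when --log-prefix has no
# trailing space; the third line shows the spaced form for comparison.

SAMPLE_LOG='Mar  3 10:15:01 gw kernel: Iptables_22_alertIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.77 DST=192.168.100.1 LEN=60 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: Iptables_22_alertIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.100.77 DST=192.168.100.1 LEN=60 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: Iptables_80_alert IN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.100.1 LEN=60 TTL=51 ID=9 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:10 gw kernel: Iptables_icmp8_alertIN=eth2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.100.1 LEN=84 TTL=51 ID=10 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:11 gw kernel: unrelated message that must be ignored'

# Read log lines on stdin; print "prefix src dst proto dport" for each LOG
# line and skip everything else. For ICMP the last column is "type<N>".
parse_log() {
    awk '
        /kernel: Iptables_[A-Za-z0-9]+_alert/ {
            # the prefix is what follows "kernel: ", minus an optional space
            # and the IN= field that the LOG target glues onto it
            pfx = $0; sub(/.*kernel: /, "", pfx); sub(/ ?IN=.*/, "", pfx)
            src = dst = proto = dport = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
                if ($i ~ /^TYPE=/)  dport = "type" substr($i, 6)
            }
            print pfx, src, dst, proto, dport
        }'
}

# Hits per (prefix, source address), most frequent first: the quickest way to
# see who is knocking on which logged port.
top_sources() {
    parse_log | awk '{ n[$1 " " $2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Number of logged events from one source address.
hits_from() {
    parse_log | awk -v want="$1" '$2 == want { c++ } END { print c + 0 }'
}

# Demonstration on the constructed sample. On a real host you would feed it
# journalctl -k or /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | top_sources
```

Because the LOG rules in the listing sit before any ACCEPT for the same ports, every new connection attempt is logged, accepted or not; a count per source therefore measures interest, not failures, and the per-prefix split is what tells a port scan from a busy legitimate client.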
