The use of iptables

Source: Internet
Author: User
Tags: ftp connection

Functions of a firewall
Packet filtering
Address translation
Port translation

Types of firewall
Hardware firewall
Software firewall (iptables belongs to this category)

Packet flow (three cases, seen from the firewall host)
The destination address is the firewall (handled by the INPUT chain)
The source address is the firewall (handled by the OUTPUT chain)
The packet passes through the firewall (handled by the FORWARD chain)

Structure of iptables
1. Tables (-t), in processing order from first to last
raw table: connection-tracking control, e.g. exempting packets from tracking (OUTPUT, PREROUTING)
mangle table: marking packets, implementing QoS functions (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING)
nat table: address translation (source address translation, destination address translation, port translation) (PREROUTING, POSTROUTING, OUTPUT)
filter table: packet filtering (INPUT, OUTPUT, FORWARD)
2. Chains: describe at which point of the packet flow the rules are applied
INPUT: packets entering the firewall (destination address is the firewall)
OUTPUT: packets leaving the firewall (source address is the firewall)
FORWARD: packets forwarded by the firewall
PREROUTING: processed before the routing decision (destination address translation)
POSTROUTING: processed after the routing decision (source address translation)

The basic syntax of iptables
iptables -t <table name> <operation command> <chain name> <match rules> -j <target>
Example: set the server to deny ping tests from the source address 172.16.0.220
# iptables -t filter -A INPUT -s 172.16.0.220 -p icmp -j DROP

Example: set the server to allow ping tests only from the source address 172.16.0.220 (first deny, then allow)
# iptables -t filter -P INPUT DROP
# iptables -t filter -A INPUT -s 172.16.0.220 -p icmp -j ACCEPT
Setting the default policy to DROP before the ACCEPT rule is in place cuts off an existing remote session, so on a host administered over SSH add the ACCEPT rules first and change the policy last.

Operation commands of iptables
-A append a rule to the end of a chain
-D delete a rule
-R replace a rule
-N create a new custom chain
-L list the firewall rules
-I insert a rule (at the top of the chain unless a position is given)
-F flush the rules of a chain
-Z zero the packet and byte counters
-X delete a custom chain
-P set the default policy of a built-in chain
-E rename a custom chain

Common match conditions
-s specify the source address
-d specify the destination address
--sport specify the source port (requires -p tcp or -p udp)
--dport specify the destination port (requires -p tcp or -p udp)
-p specify the protocol
-i specify the network interface the packet enters on (INPUT, FORWARD, PREROUTING)
-o specify the network interface the packet leaves on (OUTPUT, FORWARD, POSTROUTING)

Targets (jump processing methods)
ACCEPT allow the packet through
DROP discard the packet silently
REJECT discard the packet and send an error reply to the sender
SNAT source address translation
DNAT destination address translation
MASQUERADE source address translation using the current address of the outgoing interface (for dynamic addresses)
REDIRECT port redirection to the local machine

Saving firewall settings
# service iptables save    saves the current rules to /etc/sysconfig/iptables
# iptables-save > /iptables    redirects the current rules to a file
# iptables-restore < /iptables    restores the firewall rules from that file

Exercise: set the server firewall to allow only the 172.16.0.0/16 address range to ping, connect by FTP and connect by SSH; deny all other access

Set the server's firewall to meet the following requirements
1. Allow web access from any address
2. Allow SSH connections only from 172.16.0.220
3. Allow ping connectivity tests from 172.16.0.0/16
4. Allow the local loopback address to communicate
5. Deny access from any other address
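One way to solve the exercise above, written as an added example rather than the notes' own solution: a shell function (hypothetical name exercise_ruleset) that emits the five requirements as an iptables-restore file. Loading the file with iptables-restore applies the DROP policy and the ACCEPT rules in one atomic step, so there is no lock-out window between "first deny" and "then allow".

```shell
# Added example, not from the original notes. Emits an iptables-restore
# file for: web from anywhere, SSH only from $1, ping only from $2,
# loopback allowed, everything else dropped by the INPUT policy.
exercise_ruleset() {
    ssh_src="$1"     # host allowed to open SSH, e.g. 172.16.0.220
    ping_net="$2"    # network allowed to ping, e.g. 172.16.0.0/16
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s $ssh_src -p tcp --dport 22 -j ACCEPT
-A INPUT -s $ping_net -p icmp -j ACCEPT
COMMIT
EOF
}

# Count the rules the file appends to a given chain (a quick sanity check
# before loading it on the server).
count_chain_rules() {
    chain="$1"
    exercise_ruleset 172.16.0.220 172.16.0.0/16 | grep -c "^-A $chain "
}

# Usage on the server (needs root):
#   exercise_ruleset 172.16.0.220 172.16.0.0/16 > /tmp/fw.rules
#   iptables-restore < /tmp/fw.rules
```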

iptables extensions
1. Multi-port extension
-m multiport --dports 20,21,22   (--sports for source ports)
2. State extension
States: NEW, ESTABLISHED, INVALID (not a valid connection), RELATED (associated connection, e.g. an FTP data connection), UNTRACKED (not tracked, see the raw table)
-m state --state NEW
For an associated connection to be recognized as RELATED, the tracking helper for that protocol must be loaded first, for example for FTP:
# modprobe nf_conntrack_ftp
# modprobe -l | grep <module name>   (lists the available modules; lsmod shows the ones currently loaded)
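A stateful ruleset for the earlier exercise (172.16.0.0/16 may ping, use FTP and SSH; everything else is denied), added here as an example and not the notes' own solution. The hypothetical function stateful_ftp_ruleset emits an iptables-restore file; FTP data connections only match RELATED once nf_conntrack_ftp is loaded, which apply_stateful_ftp does before loading the rules.

```shell
# Added example, not from the original notes. $1 is the trusted client
# network, e.g. 172.16.0.0/16. Replies and helper-opened FTP data
# connections are accepted as ESTABLISHED,RELATED; only FTP control (21)
# and SSH (22) may be opened as NEW, and only from the trusted network.
stateful_ftp_ruleset() {
    net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $net -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -s $net -p tcp -m multiport --dports 21,22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the FTP tracking helper, then apply the rules (needs root).
apply_stateful_ftp() {
    modprobe nf_conntrack_ftp
    stateful_ftp_ruleset "$1" | iptables-restore
}

# Report which ports the ruleset allows new connections to.
new_ports() {
    stateful_ftp_ruleset "$1" | sed -n 's/.*--dports \([0-9,]*\).*/\1/p'
}
```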

3. Multi-address matching
-m iprange --src-range 172.16.0.100-172.16.0.200   (--dst-range for destination addresses)

Exercise: set your server to reject ping from the addresses 10.0.0.x to 10.0.0.y, where y is 10 greater than x

4. TCP flag extension
--tcp-flags SYN,ACK,FIN SYN   (the first list names the flags to examine together, the second the ones that must be set among them: this matches packets with SYN set and ACK and FIN clear, i.e. new connection requests)

5. Time extension
-m time --timestart 08:30:00 --timestop 17:30:00
--datestart 2015-06-01 --datestop 2015-06-30   (dates are written as YYYY-MM-DD)
--monthdays 1,20
--weekdays 1,2,3,4,5   (1 = Monday, 7 = Sunday)

6. String matching extension
-m string
-m string --algo kmp --string "Sex" -j DROP   (--algo selects the search algorithm, bm or kmp)

7. limit extension
-m limit --limit 5/s --limit-burst 8   (average of 5 packets per second; up to 8 packets may match in a burst, after which further packets only match as the allowance refills at the average rate)
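To make the burst-then-refill behaviour concrete, here is an added example (not from the original notes) with a simplified token-bucket model of the limit match: the bucket starts full with --limit-burst tokens, refills at --limit tokens per second, and a packet matches only when a whole token is available. The function names are hypothetical; arrivals are given as millisecond timestamps.

```shell
# Added example, not from the original notes. Simplified model of
# "-m limit --limit <rate>/s --limit-burst <burst>". Tokens are kept in
# thousandths so that plain integer shell arithmetic suffices.
limit_matches() {
    rate="$1"    # packets per second (the --limit value)
    burst="$2"   # bucket size (the --limit-burst value)
    shift 2
    tokens=$((burst * 1000))   # the bucket starts full
    last=0
    matched=0
    for t in "$@"; do           # remaining args: arrival times in ms
        tokens=$((tokens + (t - last) * rate))
        if [ "$tokens" -gt $((burst * 1000)) ]; then
            tokens=$((burst * 1000))   # never exceed the burst size
        fi
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000))  # this packet matches the rule
            matched=$((matched + 1))
        fi
    done
    echo "$matched"
}

# The usual two-rule pattern: packets within the limit are accepted, the
# rest fall through to the DROP rule that follows.
ping_limit_rules() {
    cat <<'EOF'
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
}
```

Twelve packets arriving at once match only 8 times; packets spaced exactly 200 ms apart all match, because each gap refills one token.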

8. nat table for address translation
# iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -j SNAT --to-source 192.168.1.201   (source translation to a fixed address)
# iptables -t nat -A POSTROUTING -o eth1 -s 172.16.0.0/16 -j MASQUERADE   (source translation to the address of eth1)
# iptables -t nat -A PREROUTING -s 172.16.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128   (redirect web traffic to a local proxy port)
# iptables -t nat -A PREROUTING -d 10.0.0.10 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.100   (10.0.0.10 is the gateway's address; requests to it are forwarded to the internal web server)

Viewing connection-tracking (NAT) information
# cat /proc/net/nf_conntrack    (the currently tracked connections)
/proc/sys/net/nf_conntrack_max    (maximum number of tracked connections)
/proc/sys/net/netfilter/    (further connection-tracking parameters)
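An added example (not from the original notes) of reading that table the way a quick health check would: the hypothetical functions below summarise entries per protocol and TCP state and list sources with half-open (SYN_SENT, unreplied) entries, the kind of entries that fill the table up to nf_conntrack_max. The sample lines are constructed in the /proc/net/nf_conntrack format; pass the real file as the first argument to use live data.

```shell
# Added example, not from the original notes. SAMPLE_CONNTRACK is a
# constructed stand-in for /proc/net/nf_conntrack.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=172.16.0.220 dst=172.16.0.10 sport=51234 dport=22 src=172.16.0.10 dst=172.16.0.220 sport=22 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=172.16.0.50 dst=172.16.0.10 sport=40001 dport=80 src=172.16.0.10 dst=172.16.0.50 sport=80 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 29 SYN_SENT src=10.0.0.7 dst=172.16.0.10 sport=33001 dport=80 [UNREPLIED] src=172.16.0.10 dst=10.0.0.7 sport=80 dport=33001 mark=0 use=2
ipv4     2 tcp      6 29 SYN_SENT src=10.0.0.7 dst=172.16.0.10 sport=33002 dport=80 [UNREPLIED] src=172.16.0.10 dst=10.0.0.7 sport=80 dport=33002 mark=0 use=2
ipv4     2 icmp     1 29 src=172.16.0.220 dst=172.16.0.10 type=8 code=0 id=4321 src=172.16.0.10 dst=172.16.0.220 type=0 code=0 id=4321 mark=0 use=2'

# Source of lines: the file named in $1, or the constructed sample.
conntrack_lines() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_CONNTRACK"; fi
}

# Entries per protocol; for tcp also per state (field 6).
conntrack_summary() {
    conntrack_lines "$1" | awk '
        { key = $3; if ($3 == "tcp") key = key " " $6 }
        { count[key]++ }
        END { for (k in count) print count[k], k }' | sort
}

# Number of half-open tcp entries (SYN seen, no reply yet).
half_open_count() {
    conntrack_lines "$1" | grep -c 'SYN_SENT.*\[UNREPLIED\]'
}

# Source addresses of the half-open entries, busiest first.
conntrack_unreplied_sources() {
    conntrack_lines "$1" |
        awk '/SYN_SENT/ && /\[UNREPLIED\]/ { sub("src=", "", $7); print $7 }' |
        sort | uniq -c | sort -rn
}
```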

9. Connection-tracking control with the raw table
# iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK   (replies from the local web server are not tracked)
# iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK   (requests to port 80 are not tracked)
# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT

10. Marking packets with the mangle table
Policy routing: choose a different gateway depending on the traffic (for example, the Telecom or the Unicom uplink)
# iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.10.1-192.168.10.100 -p tcp --dport 80 -j MARK --set-mark 10
(the mark has to be set in PREROUTING, before the routing decision; a mark set in FORWARD comes too late to influence the route lookup)
Adding the policy route
# ip rule add from all fwmark 10 table 10
# ip route add default via 10.0.0.10 dev eth0 table 10

# iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.10.1-192.168.10.100 -p tcp --dport 80 -j MARK --set-mark 20
Adding the policy route
# ip rule add from all fwmark 20 table 20
# ip route add default via 10.0.0.20 dev eth0 table 20

Experiment:
1. Use a single machine as the server, running both a web service and an FTP service
2. The server must be able to access the Internet normally, but connections from other hosts to its web and FTP services are not to be connection-tracked
3. Allow ping tests and SSH connections; deny all other access
4. Allow the loopback address, for network testing

# iptables -A INPUT -p tcp -m multiport --dports 21,22,80 -j ACCEPT
# iptables -t raw -A OUTPUT -p tcp -m multiport --sports 21,80 -j NOTRACK
# iptables -t raw -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED,UNTRACKED -j NOTRACK
# iptables -t raw -A PREROUTING -p tcp -m multiport --dports 21,80 -j NOTRACK
# iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -i lo -j ACCEPT   (requirement 4)
# iptables -P INPUT DROP

This article is from the "Sunny Rain" blog, please be sure to keep this source http://8776055.blog.51cto.com/8766055/1851550
