The use of iptables

Source: Internet
Author: User
Tags ftp connection

Filtering packets
Address Translation
Port conversions

Hardware firewall
Software firewall

Packet flow
The target address is the firewall.
The source address is the firewall
Through the firewall

Structure of the Iptables
1. Table (-T) processing order from high to low
Raw TABLE: Do link Tracking (output,prerouting)
mangle table: Marking data, implementing QoS functions (Input,output,forward,prerouting,postrouting)
NAT table: Implementing address Translation (source address translation, destination address translation, port translation) (Prerouting,postrouting,output)
Filter Table: Implementing packet filtering function (Input,output,forward)
2. Chain---Describe the flow of data
INPUT: Processing packets entering the firewall (the target address is a firewall)
OUTPUT: Processing of packets going out of the firewall (source address is a firewall packet)
FORWARD: Processing packets forwarded by the firewall
Preeouting: Destination address translation (processing before routing)
Postrouting: Source Address Translation (post-route processing)

The basic syntax of iptables
IPTABLES-T table name operation command chain name matching rules-j Jump processing method
Example: Setting the server to deny the source address ping test for
Iptables-t filter-a input-s icmp-j DROP

Example: Setting up the server only allows the source address to ping test (first deny, then allow)
# iptables-t Filter-p INPUT DROP
# iptables-t Filter-a-S icmp-j ACCEPT

Operation Commands for Iptables
-A Add rule
-d Delete Rule
-R substitution Rules
-N New Rule chain
-l List Firewall rules
-I insert Rule
-F clears the standard rule chain
-Z Calculator zeroing
-X Delete a custom chain
-P Set Default rules
-e Rename rule chain

Common occurrences
-s Specifies the source address
-D Specify Destination Address
--sport specifying the source port
--dport specifying the destination port
-P Specify protocol
-I specifies the network card to enter
-o Specifies the NIC to go out

Jump Processing method
Accept allowed through
Drop Drop Packet
REJECT return Packet
SNAT Source Address Translation
DNAT Destination Address Translation
Masquerade Auto-match address Masquerade
REDIRECT Port Redirection

Save Firewall settings
Service Iptables save saves fire rules to/etc/sysconfig/iptables
Iptables-save >/iptables redirect settings to a file
Iptables-restore </iptables restore firewall settings from a file

Exercise: Set the server firewall to allow only address segments to ping test, FTP connection, SSH connection, all other access denied all

Set the server's firewall to meet the following requirements
1. Allow any address for Web Access
2. Only SSH connections from are allowed
3. Allow ping connectivity test from
4. Allow the native loopback address to communicate
5. Deny access to any other address

iptables extension
1. Multi-port expansion
-M multiport--dport 20,21,22
2. Status extension
New,established,invalid (Invalid connection), related (associated connection)
untracked (no tracking)
-M State--state NEW
To establish a data trace (load trace module) when establishing an associated connection
Modprobe nf_conntrack_ftp
Modprobe-l | grep XXX

3. Multi-Address matching
-M IPRange--src-range

Exercise: Set your server to reject the address between 10.0.0.x--->10.0.0.y between ping,x and y for the difference between 10

4.TCP Markup Extension
--tcp-flags Syn,ack,fin (Simultaneous check) SYN (only it is 1)

5. Time Extension
--timestart 08:30:00
--timestop 17:30:00
--datestart 2015/06/01
--datestop 2015/06/30
--monthdays 1,20
--weekdays 1,2,3,4,5

6. Character matching extension
-M string
-M string--algo (Specify algorithm) KMP--string "Sex"-j DROP

7.limit Limit Extension
-M limit--limit 5/s (5 packets per second)--limit-burst 8 (maximum bundle)---when maximum concurrency occurs, the subsequent time is compensated

8.nat table for address translation
#iptables-T nat-a postrouting-s SNAT--to-source
#iptables-T nat-a postrouting-o eth1-s Masquerade
#iptables-T nat-a prerouting-s TCP--dport 80-j REDIRECT--to-port 3128
#iptables-T nat-a prerouting-d (Destination Gateway)-p TCP--dport 80-j DNAT--to-destination

Translation information for NAT tables

Connection control tracking for 9.raw tables
# iptables-t raw-a output-p tcp--sport 80-j notrack (not tracked)
#iptables-T raw-a prerouting-p TCP--dport 80-j notrack
#iptables-T filter-a input-m State--state--state established,related,untracked-j ACCEPT

10. Tagging packets with the mangle table
Policy Routing: Depending on the situation, choose a different gateway (for example, choose Telecom or Unicom)
#iptables-T mangle-a forward-m iprange--srcrange tcp--dport 80-j MARK--set-mark 10
Adding policy routes
#ip rule add from all Fwmark table 10
#ip route add default via dev eth0 table 10

#iptables-T mangle-a forward-m iprange--srcrange tcp--dport 80-j MARK--set-mark 20
Adding policy routes
#ip rule add from all Fwmark table 20
#ip route add default via dev eth0 table 20

1. Use a single machine as a server, including Web services and FTP services
2. Requires this server to be able to surf the internet normally, but does not make connection tracing to the Web service and FTP service accessing native computer.
3. Requires a ping test and SSH connection, except to deny all other access
4. Allow loopback addresses for network testing

Iptables-a input-p tcp-m multiport--dport 21,22,80-j ACCEPT
Iptables-t raw-a output-p tcp-m multiport--sport 21,80-j notrack
Iptables-t raw-a output-p tcp-m State--state established,related,untracked-j Notrack
Iptables-t raw-a prerouting-p tcp-m multiport--dport 21,80-j notrack
Iptables-t filter-a input-m State--state established,related,untracked-j ACCEPT
Iptables-a input-p icmp-j ACCEPT
Iptables-p INPUT DROP

This article is from the "Sunny Rain" blog, please be sure to keep this source

The use of iptables

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.