The use of Linux system iptables

Source: Internet
Author: User

One, iptables and firewalld comparison

On CentOS 7 the firewalld service replaced the iptables service as the default firewall front end. Neither iptables nor firewalld is the firewall itself: both are management tools that define a policy and load it into the kernel.
The iptables service hands the configured rules to the kernel's netfilter packet-filtering framework through the iptables command; firewalld manages that same kernel framework through a backend, which on CentOS 7 is iptables and which on newer releases (firewalld 0.6 and later, as shipped with RHEL/CentOS 8) is nftables by default. So a Linux system offers several firewall management tools, all meant to make policy easier for operations staff to manage, and a given host should use exactly one of them: running the iptables service and firewalld side by side leaves two tools rewriting the same kernel rule set, and whichever loads last silently overwrites the other's policy. The tools differ in convenience, but the policy they express ends up in the same place, so the concepts below (tables, chains, rules, targets) carry over to all of them.

Two, iptables syntax

Syntax:

iptables [options] [parameters]

Order of iptables command options:

iptables -t <table> <-A/-I/-D/-R> <chain> [rule-number] <-i/-o interface> -p <protocol> <-s source-IP/subnet> --sport <source-port> <-d destination-IP/subnet> --dport <destination-port> -j <target action>

Note (option letters are case-sensitive):
-t <table>: one of the four tables filter, nat, mangle, raw (default: filter)
-A (append) add a rule at the end of a chain; -I (insert) insert a rule at a position (default 1, the top); -D (delete) delete a rule by number or by specification; -R (replace) replace the rule at a position
-i (in-interface) inbound interface; -o (out-interface) outbound interface
-p (protocol) tcp, udp, udplite, icmp, etc. (--sport/--dport require -p tcp or -p udp)
-s (source) source address; --sport source port
-d (destination) destination address; --dport destination port
-j (jump) target: ACCEPT/DROP/REJECT/DNAT/SNAT/MASQUERADE/REDIRECT/LOG (must be uppercase)
Also used below: -P <chain> <ACCEPT|DROP> sets the chain's default policy; -F flushes a chain (or, with no chain, every chain of the table); -L lists rules (-n prints addresses and ports numerically, --line-numbers shows the rule numbers that -I, -D and -R refer to)

Three, iptables work flow


The order in which iptables evaluates rules:
Rules in a chain are evaluated from top to bottom, and the first rule that matches decides: a terminating target (ACCEPT, DROP, REJECT, SNAT, DNAT, ...) stops evaluation of that chain, whereas LOG records the packet and evaluation continues. A packet that matches no rule in a chain falls through to the chain's default policy (set with -P). This is why rule order, and the position argument to -I, matters in the examples below.
iptables has four tables and five chains (chain names must be uppercase). When several tables have rules on the same chain, they are consulted in the order raw, mangle, nat, filter.
Four tables:
filter (packet filtering, the default): INPUT, OUTPUT, FORWARD
nat (address translation): PREROUTING, OUTPUT, POSTROUTING
mangle (modify packet headers, e.g. TTL, TOS, marks): PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
raw (exempt packets from connection tracking): PREROUTING, OUTPUT

Five chains: PREROUTING (before the routing decision), INPUT (packets addressed to this host), OUTPUT (packets generated by this host), FORWARD (packets routed through this host), POSTROUTING (after the routing decision). A packet for a local process traverses PREROUTING, then INPUT; a packet routed through the host traverses PREROUTING, FORWARD and POSTROUTING; a locally generated packet traverses OUTPUT and POSTROUTING.

Four, iptables command

The following commands were run on Red Hat Enterprise Linux 6.7:

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)

First, starting and stopping the firewall service:

service iptables save | stop | start | restart | status    // CentOS 6: save, stop, start, restart, show status
chkconfig iptables on | off                                // CentOS 6: enable or disable at boot
systemctl stop | start | restart | status firewalld        // CentOS 7: stop, start, restart, show status
systemctl enable | disable firewalld                       // CentOS 7: enable or disable at boot

1. Host-type firewall

Rules added with the iptables command live only in the running kernel and are lost on reboot, so save after every change:
/etc/init.d/iptables save or service iptables save (both write the running rule set to /etc/sysconfig/iptables, which the iptables service loads at boot)

1.1 Enable the iptables service on host 61 and allow only 192.168.4.254 to reach its SSH service.

# iptables -F
# iptables -t filter -A INPUT -s 192.168.4.254 -p tcp --dport 22 -j ACCEPT
# iptables -t filter -P INPUT DROP
# service iptables save
# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.4.254        0.0.0.0/0           tcp dpt:22

Note the order: the ACCEPT rule goes in before the default policy is switched to DROP, and the commands must be typed from 192.168.4.254 (or the console); from any other host, the session issuing them is cut off the moment -P INPUT DROP takes effect. The rule set as shown also has no rule for the loopback interface (-A INPUT -i lo -j ACCEPT) and none for replies to connections 61 opens itself (-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT), so with this policy 61 cannot complete its own outbound TCP connections, e.g. yum; a production host firewall adds both rules before switching the policy to DROP.

1.2 Add one rule on host 61 to allow all hosts on the network to reach the local web service.

# iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# service iptables save
# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.4.254        0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

1.3 Add one rule on host 61 so that 192.168.4.62 is not allowed to reach the local web service.

# iptables -t filter -I INPUT 2 -s 192.168.4.62 -p tcp --dport 80 -j DROP
# service iptables save
# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.4.254        0.0.0.0/0           tcp dpt:22
DROP       tcp  --  192.168.4.62         0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

The rule must be inserted at position 2, above the general port-80 ACCEPT from 1.2 (which becomes rule 3). Had it been appended with -A, it would sit below that ACCEPT, and since the first matching rule wins, packets from 192.168.4.62 would be accepted before the DROP was ever consulted. The target is DROP (or REJECT), not ACCEPT: an ACCEPT rule for 192.168.4.62 here would change nothing.

1.4 Add one rule on host 61 so that 61 can ping the other hosts on the network, but the other hosts cannot ping 61.

# iptables -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# service iptables save
# iptables -t filter -nL INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.4.254        0.0.0.0/0           tcp dpt:22
DROP       tcp  --  192.168.4.62         0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0

Only ICMP type 0 (echo-reply) is accepted, so the replies to pings that 61 sends come back in, while echo-request (type 8) from other hosts falls through to the DROP policy and goes unanswered. The rule is needed only because the chain has no ESTABLISHED,RELATED rule; with one, connection tracking would already let 61's own ping replies through.
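The four steps above, collected into one rule set in iptables-restore(8) format, the same format that service iptables save writes to /etc/sysconfig/iptables. This is an added example, not the page's own listing: it keeps the page's hosts and ports, adds the two rules the page omits (loopback, and replies to connections 61 opened itself), and carries a small ordering check, since the whole section hinges on the DROP for 192.168.4.62 sitting above the general port-80 ACCEPT.

```sh
#!/bin/sh
# Added example (not from the original page): host 61's firewall from
# sections 1.1-1.4 as a single iptables-restore file, plus an ordering check.
# Hosts and ports are the page's; the lo and conntrack rules are additions.

ADMIN_HOST=192.168.4.254          # only source allowed to reach sshd (1.1)
BLOCKED_WEB_CLIENT=192.168.4.62   # must not reach the web service (1.3)

# Print the complete rule set. Loading it with iptables-restore replaces the
# filter table atomically, so there is no window (as there is with
# "iptables -F" followed by separate -A commands) in which the policy is
# already DROP but the SSH ACCEPT is not yet in place.
host61_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
-A INPUT -s $BLOCKED_WEB_CLIENT -p tcp --dport 80 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
EOF
}

# 1-based line number of the first line of the rule set matching a pattern
# (basic regex); prints nothing if there is no match.
rule_pos() {
    host61_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Succeeds only when the per-host DROP precedes the general port-80 ACCEPT.
# iptables stops at the first terminating match, so the reverse order would
# let $BLOCKED_WEB_CLIENT through.
check_order() {
    drop=$(rule_pos "^-A INPUT -s $BLOCKED_WEB_CLIENT -p tcp --dport 80 -j DROP")
    acc=$(rule_pos "^-A INPUT -p tcp --dport 80 -j ACCEPT")
    [ -n "$drop" ] && [ -n "$acc" ] && [ "$drop" -lt "$acc" ]
}

# Stand-alone use: verify the order, then print the rule set so it can be
# piped into iptables-restore or redirected to /etc/sysconfig/iptables.
check_order || { echo "rule order wrong: DROP must precede ACCEPT" >&2; exit 1; }
host61_ruleset
```

Apply it on host 61 with `sh host61.sh | iptables-restore` (from 192.168.4.254 or the console, for the same lock-out reason as in 1.1), and persist it with `sh host61.sh > /etc/sysconfig/iptables`. On iptables 1.6 or later, `iptables-restore --test` parses the file without committing it, which catches syntax errors before a bad file replaces a working policy. With the ESTABLISHED,RELATED rule in place, the echo-reply rule from 1.4 is redundant for pings 61 sends itself, but it is kept so the file matches the page's four steps.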

2. Network-type Firewall

Note: hosts 65 and 67 use 192.168.4.68 as their default gateway; the gateway's outside interface is eth1 with the address 192.168.2.68, the values used in the rules below.
2.1 Let all hosts on the LAN share one public IP address to reach the Internet.

# iptables -F
# iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -o eth1 -j SNAT --to-source 192.168.2.68
# iptables -t nat -nL POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.4.0/24       0.0.0.0/0           to:192.168.2.68

iptables -F without -t flushes only the filter table; to clear the nat table use iptables -t nat -F. SNAT rewrites the source address of packets leaving eth1 (connection tracking translates the replies back automatically), but the gateway forwards packets at all only when IP forwarding is enabled (net.ipv4.ip_forward = 1, set persistently in /etc/sysctl.conf) and the filter table's FORWARD chain accepts them. If the public address is assigned dynamically, use -j MASQUERADE instead of SNAT --to-source, so that the rule follows the interface's current address.

2.2 Publish a web service that runs on a LAN host (192.168.4.67) on the gateway's public address.

# iptables -t nat -A PREROUTING -i eth1 -d 192.168.2.68 -p tcp --dport 80 -j DNAT --to-destination 192.168.4.67
# iptables -t nat -nL PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.2.68        tcp dpt:80 to:192.168.4.67

DNAT runs in PREROUTING, before the routing decision, so the FORWARD chain already sees the packet with destination 192.168.4.67; a FORWARD rule that permits the published service must therefore match the internal address, not 192.168.2.68. The nat rules, like the filter rules, survive a reboot only after service iptables save.
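The gateway from 2.1 and 2.2 as one iptables-restore file covering both the nat table and the filter table's FORWARD chain. This is an added example, not the page's own listing: the addresses and eth1 are the page's, while the FORWARD rules (which the page leaves at the flushed chain's ACCEPT policy) are an addition that limits forwarding to outbound LAN traffic and the published web service. The small table_rules helper shows how to read one table back out of such a file.

```sh
#!/bin/sh
# Added example (not from the original page): the 2.1/2.2 gateway as a single
# iptables-restore file with both the nat and the filter table.
# Addresses and eth1 are the page's; the FORWARD rules are an addition.

LAN_NET=192.168.4.0/24    # inside network (hosts 65 and 67, gateway .68)
WAN_IF=eth1               # outside interface of the gateway (page's value)
WAN_IP=192.168.2.68       # public address used for SNAT and DNAT (page's value)
WEB_SERVER=192.168.4.67   # LAN host whose web service is published (page's value)

# Print both tables. DNAT sits in PREROUTING (before routing), SNAT in
# POSTROUTING (after routing); the FORWARD rule for the published service
# matches the post-DNAT destination $WEB_SERVER, never $WAN_IP.
# The gateway also needs net.ipv4.ip_forward=1, which is not an iptables rule.
gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_SERVER -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Print only the -A rules that belong to one table ("nat" or "filter"):
# a table starts at its "*name" line and ends at the next COMMIT.
table_rules() {
    gateway_ruleset | awk -v t="*$1" '
        $0 == t   { in_t = 1; next }
        /^COMMIT/ { in_t = 0 }
        in_t && /^-A/'
}

# Stand-alone use: print the whole file for iptables-restore.
gateway_ruleset
```

On the gateway, enable forwarding first (`sysctl -w net.ipv4.ip_forward=1`, and `net.ipv4.ip_forward = 1` in /etc/sysctl.conf so it survives a reboot), then load the file with `sh gateway.sh | iptables-restore` and keep a copy in /etc/sysconfig/iptables. `table_rules filter` prints just the FORWARD rules, which is handy when checking that the published service is matched by its internal address.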
Encouragement: I hear and I forget, I see and I remember, I do and I understand!

Resources:
http://man.linuxde.net/iptables
https://www.cnblogs.com/alimac/p/5848372.html
https://www.cnblogs.com/can-H/p/6726743.html
http://www.benet.wang/%E6%8A%80%E6%9C%AF%E9%9D%A2%E8%AF%95/174.html
https://www.cnblogs.com/wajika/p/6382853.html
http://www.jb51.net/article/112698.htm
