Usage of iptables in Linux

Source: Internet
Author: User
Tags: iptables

1 iptables

The iptables command is used to create packet-filtering and NAT rules. In iptables, a policy that filters or otherwise processes packets is called a rule, and several rules together form a chain.

1.1 iptables control types (targets)

ACCEPT: Allow the packet through.

LOG: Log the packet, then pass it on to the next rule so matching continues.

REJECT: Refuse the packet and, where appropriate, send an error response back to the sender.

DROP: Discard the packet silently without any response.

1.2 Rule chains

Rule chains are categorised by the point at which they process the packet:

PREROUTING: Processes the packet before the routing decision is made.

INPUT: Processes packets destined for the local host.

OUTPUT: Processes packets generated by the local host.

FORWARD: Processes packets that are routed through the host.

POSTROUTING: Processes the packet after the routing decision is made.

Order in which the chains are traversed:

Inbound: PREROUTING -> INPUT

Outbound: OUTPUT -> POSTROUTING

Forwarded: PREROUTING -> FORWARD -> POSTROUTING

1.3 Rule tables

A rule table in iptables holds the rule chains. If the table's default policy is to allow, the rules in its chains are written to forbid traffic; conversely, if the default policy is to forbid, the rules in its chains are written to allow traffic.

raw table: Determines whether connection tracking is applied to the packet.

mangle table: Sets marks on the packet.

nat table: Modifies the source or destination IP address, or the port, in the packet.

filter table: The default rule table; it decides whether the packet is let through.

Order in which the tables are consulted: raw -> mangle -> nat -> filter

1.4 Precautions

1. If no table is specified, the filter table is used.

2. If no chain is specified, the command applies to all chains in the table.

3. The rules in a chain are checked in order. The first matching rule is applied and matching stops (except for a LOG rule, after which matching continues). If no rule matches, the packet is handled by the chain's default policy.

1.5 iptables command usage

1.5.1 Adding rules

iptables [-t table] command [chain] [match conditions] [-j target]

1.5.1.1 INPUT rules

View the filter table; "-t filter" can be omitted because filter is the default table

# iptables -L -t filter

View the nat table

# iptables -L -t nat

Set the default policy of the INPUT chain to DROP (an existing SSH connection is also cut off at this point). -P: policy

# iptables -P INPUT DROP

Allow all pings. -I: insert the new rule at the head of the chain; -p: protocol; -j: jump to the target

# iptables -I INPUT -p icmp -j ACCEPT

Append to the INPUT chain a rule that lets through every packet not matched by an earlier rule; "-t filter" can be omitted because filter is the default table

# iptables -t filter -A INPUT -j ACCEPT

Allow only hosts on the 10.0.0.0/24 segment to connect to the local SSH service

# iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT

# iptables -A INPUT -p tcp --dport 22 -j REJECT

Do not allow any host to access local port 12345

# iptables -I INPUT -p tcp --dport 12345 -j REJECT

# iptables -I INPUT -p udp --dport 12345 -j REJECT

Deny all hosts access to the local HTTP service via the eth0 interface

# iptables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT
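The INPUT rules above, collected into one script as an added example (this is not code from the original page). It assumes iptables is in PATH, that eth0 is the external interface, and that the conntrack match module is available; the run wrapper and the DRY_RUN switch are my own addition so the exact rule order can be reviewed before anything is applied to a live host.

```shell
#!/bin/sh
# Added example (not from the original page): build the host firewall described above
# as one script instead of typing the rules one at a time.
# Assumptions: iptables is in PATH, eth0 is the external interface, and the conntrack
# match module is available.
set -e

IPT="${IPTABLES:-iptables}"

# run: execute an iptables command, or only print it when DRY_RUN=1.
# Printing first lets you review the exact rule order before it touches a live box.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# apply_host_firewall: permit SSH from 10.0.0.0/24 and ICMP, refuse port 12345 and
# HTTP on eth0, then switch the INPUT policy to DROP.
# Ordering is the point: the ACCEPT rules are installed BEFORE the policy changes,
# otherwise the SSH session you are working from is cut off the moment -P INPUT DROP runs.
apply_host_firewall() {
    run -t filter -F INPUT                                   # start from an empty INPUT chain
    run -A INPUT -i lo -j ACCEPT                             # loopback traffic
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to connections this host opened
    run -A INPUT -p icmp -j ACCEPT                           # allow all pings
    run -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT  # SSH only from the LAN segment
    run -A INPUT -p tcp --dport 22 -j REJECT                 # everyone else gets an explicit refusal
    run -A INPUT -p tcp --dport 12345 -j REJECT
    run -A INPUT -p udp --dport 12345 -j REJECT
    run -A INPUT -i eth0 -p tcp --dport 80 -j REJECT
    run -P INPUT DROP                                        # default policy goes in last
}

# Usage: DRY_RUN=1 sh firewall.sh apply   (review)   then   sh firewall.sh apply   (as root)
if [ "${1-}" = "apply" ]; then
    apply_host_firewall
fi
```

The script uses -A throughout so that the order of the lines in the file is the order of the rules in the chain; if you copy the page's -I form into a script instead, each line lands at the head of the chain and the effective order is reversed. The ESTABLISHED,RELATED rule is what keeps an already-open SSH session alive once the policy becomes DROP.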

1.5.1.2 FORWARD rules

The FORWARD chain applies to packets the host routes between its interfaces, i.e. when the machine acts as a router

Prohibit users from accessing www.wangning.com

# iptables -I FORWARD -d www.wangning.com -j REJECT

Prohibit the user with IP address 10.0.0.66 from accessing the Internet

# iptables -I FORWARD -s 10.0.0.66 -j REJECT

1.5.2 Deleting rules

Delete the first rule of the INPUT chain in the filter table

# iptables -D INPUT 1

1.6 Saving the iptables configuration

# /etc/init.d/iptables save
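The FORWARD, delete and save steps above, as an added example that is not from the original page. The functions and the DRY_RUN wrapper are mine; the save-file path is an assumption (the location used by the RHEL-style /etc/init.d/iptables script the page mentions), and iptables-save is used because it works on any distribution.

```shell
#!/bin/sh
# Added example (not from the original page): FORWARD rules for a gateway, removing a
# rule by its exact specification, and persisting the ruleset.
# Assumptions: iptables and iptables-save are in PATH; SAVE_FILE is the RHEL-style path
# that /etc/init.d/iptables reads at boot (adjust for other distributions).
set -e

IPT="${IPTABLES:-iptables}"
SAVE_FILE="${IPTABLES_SAVE_FILE:-/etc/sysconfig/iptables}"

# run: execute an iptables command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# block_forward_host: stop one LAN host being forwarded anywhere (the page's 10.0.0.66 case).
# -I puts the rule at the top of FORWARD so a broad ACCEPT further down cannot shadow it.
block_forward_host() {
    run -I FORWARD -s "$1" -j REJECT
}

# block_forward_dest: the page's "-d www.wangning.com" case. Caveat: iptables resolves the
# name once, when the rule is inserted, and stores the address(es) it got; the rule does
# not follow later DNS changes, so check the listing with -n to see what was actually stored.
block_forward_dest() {
    run -I FORWARD -d "$1" -j REJECT
}

# unblock_forward_host: delete by full specification instead of by number. Rule numbers
# shift whenever a rule above them is added or removed, so "-D FORWARD 1" (the form the
# page uses for INPUT) can remove the wrong rule if the chain changed since you listed it.
unblock_forward_host() {
    run -D FORWARD -s "$1" -j REJECT
}

# show_forward_rules: list with line numbers; -n avoids DNS lookups, -v shows packet counters.
show_forward_rules() {
    run -L FORWARD -n -v --line-numbers
}

# persist_rules: /etc/init.d/iptables save is the SysV wrapper; iptables-save writes the
# same dump to stdout, so redirecting it to SAVE_FILE is the portable equivalent.
persist_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables-save > $SAVE_FILE"
    else
        iptables-save > "$SAVE_FILE"
    fi
}

# Usage (as root): sh gateway.sh block 10.0.0.66 ; sh gateway.sh unblock 10.0.0.66
case "${1-}" in
    block)   block_forward_host "$2"; persist_rules ;;
    unblock) unblock_forward_host "$2"; persist_rules ;;
    list)    show_forward_rules ;;
esac
```

Run any of the subcommands with DRY_RUN=1 first to see the exact iptables invocations without changing the running ruleset; the persist step is only useful on hosts whose boot script actually reloads SAVE_FILE.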

