1 iptables
The iptables command is used to create packet-filtering and NAT rules. In iptables, a policy for filtering or otherwise processing packets is called a rule, and multiple rules are grouped, in order, into a chain.
1.1 iptables control types (targets)
ACCEPT: Allow the packet through.
LOG: Write the packet to the kernel log and then continue matching with the next rule; LOG is not a terminating target.
REJECT: Refuse the packet and send an error back to the sender (by default an ICMP port-unreachable; with --reject-with tcp-reset a TCP RST is sent instead).
DROP: Discard the packet silently, without any response.
1.2 Rule chains
Rule chains are categorized by the point in the packet path at which they process the packet:
PREROUTING: Processes packets as they arrive, before the routing decision is made.
INPUT: Processes packets addressed to this host.
OUTPUT: Processes packets generated by this host.
FORWARD: Processes packets that this host routes on to another host.
POSTROUTING: Processes packets after the routing decision, just before they leave.
Order of the chains:
Inbound: PREROUTING -> INPUT
Outbound: OUTPUT -> POSTROUTING
Forwarded: PREROUTING -> FORWARD -> POSTROUTING
1.3 Rule tables
A rule table holds the rule chains. Whether the rules in a chain are written as deny rules or as allow rules follows from the chain's default policy: when the policy is ACCEPT, the chain's rules deny the exceptions (a blacklist); when the policy is DROP, the chain's rules allow the exceptions (a whitelist).
raw table: Decides whether a packet is exempted from connection tracking.
mangle table: Modifies packet headers and sets marks on packets.
nat table: Modifies the source or destination IP address or port of a packet.
filter table: The default table; decides whether a packet is allowed through.
Order of the tables (within each chain where they apply): raw -> mangle -> nat -> filter
1.4 Notes
1. If no table is specified, the filter table is used.
2. If no chain is specified for a command such as -L or -F, the command applies to every chain in the table.
3. Rules in a chain are checked in order. The first matching rule is applied and matching stops (except for a LOG rule, which logs and then continues). If no rule matches, the chain's default policy applies.
1.5 iptables command usage
1.5.1 Add rules
iptables [-t table] command [chain] [match conditions] [-j target]
1.5.1.1 INPUT rules
# View the filter table; "-t filter" can be omitted because filter is the default table
# iptables -L -t filter
# View the nat table
# iptables -L -t nat
# Set the default policy of the INPUT chain to DROP. -P: policy. Note that SSH connections are also dropped from this moment on, until a rule that accepts them is added
# iptables -P INPUT DROP
# Allow all pings. -I: insert the rule at the head of the chain; -p: protocol; -j: jump to the target
# iptables -I INPUT -p icmp -j ACCEPT
# Append a rule to the INPUT chain that accepts every packet not matched by an earlier rule; "-t filter" can be omitted because filter is the default table. -A: append at the end of the chain
# iptables -t filter -A INPUT -j ACCEPT
# Allow SSH connections to this host only from the 10.0.0.0/24 segment
# iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j REJECT
# Because the first matching rule wins, the ACCEPT for 10.0.0.0/24 must come before the REJECT, and the REJECT is only reached if no catch-all ACCEPT (such as the one appended above) sits in front of it; list the chain to confirm the order
# Do not allow any host to reach port 12345 on this host
# iptables -I INPUT -p tcp --dport 12345 -j REJECT
# iptables -I INPUT -p udp --dport 12345 -j REJECT
# Deny all hosts access to the HTTP service on this host via the eth0 interface. -i: input interface
# iptables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT
1.5.1.2 FORWARD rules
The FORWARD chain filters packets that this host routes between interfaces on behalf of other hosts; it only sees traffic when IP forwarding is enabled (net.ipv4.ip_forward = 1).
# Prohibit users from reaching www.wangning.com. The hostname is resolved to IP addresses when the rule is inserted, so a later DNS change is not reflected in the rule
# iptables -I FORWARD -d www.wangning.com -j REJECT
# Prohibit the host with IP 10.0.0.66 from reaching the Internet
# iptables -I FORWARD -s 10.0.0.66 -j REJECT
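Worked example (added here; it is not part of the original page): the INPUT rules of 1.5.1.1 and the FORWARD rules of 1.5.1.2 combined into one ruleset in iptables-restore format, so the whole filter and nat tables are replaced in a single atomic step instead of rule by rule. That avoids the lockout noted above, where "-P INPUT DROP" cuts off SSH before the ACCEPT rules exist, and it makes the first-match ordering explicit. The interface roles (eth0 as the WAN side, eth1 as the LAN side), the management subnet 10.0.0.0/24 and the blocked host 10.0.0.66 are assumptions carried over from the page's examples; applying it needs root, iptables-restore and the conntrack match.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a whitelist-style ruleset
# for a small gateway and applies it atomically with iptables-restore.
# Assumed values (override via the environment): eth0 = WAN, eth1 = LAN.
set -eu

LAN_NET=${LAN_NET:-10.0.0.0/24}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
BLOCKED_HOST=${BLOCKED_HOST:-10.0.0.66}

# Print the ruleset. Rules are matched top to bottom and the first match wins,
# so the conntrack and SSH ACCEPTs must precede the final REJECT.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established flows first; without the conntrack rule a
# DROP policy on INPUT kills the SSH session that is applying these rules.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# SSH only from the management subnet; any other SSH attempt gets a TCP reset.
-A INPUT -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
# Everything else inbound falls through to the chain policy (DROP).
# Forwarding: block one LAN host outright, then let the LAN reach the WAN.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -s ${BLOCKED_HOST} -j REJECT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source NAT for LAN traffic leaving through the WAN interface.
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# 1-based position of the first rule in CHAIN whose text matches PATTERN,
# or empty if none. Lets you verify ordering before applying anything.
rule_index() {
  chain=$1
  pattern=$2
  build_ruleset | grep "^-A ${chain} " | grep -n -- "$pattern" | head -n1 | cut -d: -f1
}

# Apply atomically: iptables-restore replaces the listed tables in one step, so
# there is no window in which the policy is DROP but the ACCEPTs are missing.
# Requires root. "--test" only parses the ruleset and catches syntax errors.
apply_ruleset() {
  build_ruleset | iptables-restore --test
  build_ruleset | iptables-restore
  sysctl -w net.ipv4.ip_forward=1
}

# Dry run by default; APPLY=1 actually loads the rules.
if [ "${APPLY:-0}" = "1" ]; then
  apply_ruleset
else
  build_ruleset
fi
```

Run it without arguments to review the generated ruleset, then with APPLY=1 as root to load it. Because the chain policies are DROP, the explicit REJECT rules for port 12345 from 1.5.1.1 are no longer needed: anything not accepted is dropped by the policy.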
1.5.2 Delete rules
# Delete the first rule of the INPUT chain in the filter table. Rules are numbered from 1, and after a deletion the remaining rules move up by one
# iptables -D INPUT 1
1.6 Save the iptables configuration
# /etc/init.d/iptables save
This service script exists on SysV-init systems such as CentOS 6. Rules set with iptables live only in the kernel and are lost at reboot; on other distributions use iptables-save to write them to a file and iptables-restore to load that file at boot.
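Worked example (added here; not from the original page): the position-based delete of 1.5.2 and the save of 1.6 as a small POSIX shell script that deletes by rule specification and saves atomically. "iptables -D INPUT 1" removes whatever happens to be first at that moment, and the numbering shifts after each deletion, so deleting by the full specification is safer and can be repeated without side effects. Assumptions: iptables 1.4.11 or newer (for the -C existence check), root privileges, and the rules file /etc/iptables/rules.v4 (the Debian/Ubuntu convention; adjust the path for other distributions).

```shell
#!/bin/sh
# Added example, not from the original page. Assumes iptables >= 1.4.11 (-C)
# and root; the rules file path is an assumption, override it as needed.
IPT=${IPT:-iptables}
IPTSAVE=${IPTSAVE:-iptables-save}
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# Remove every copy of a rule given as CHAIN followed by its specification,
# e.g. delete_rule_spec INPUT -p tcp --dport 12345 -j REJECT
# -C returns 0 while a matching rule exists, so the loop also cleans up the
# duplicates that repeated -I/-A runs leave behind. Prints the number removed.
# The iteration cap guards against a wrapper whose -C never fails.
delete_rule_spec() {
  chain=$1
  shift
  n=0
  while [ "$n" -lt 100 ] && "$IPT" -C "$chain" "$@" 2>/dev/null; do
    "$IPT" -D "$chain" "$@"
    n=$((n + 1))
  done
  echo "$n"
}

# Sanity check of a dump before trusting it at boot: each "*table" block must
# be closed by COMMIT, otherwise iptables-restore rejects the file and the host
# comes up with no rules at all.
dump_is_complete() {
  tables=$(grep -c '^\*' "$1" || true)
  commits=$(grep -c '^COMMIT' "$1" || true)
  [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Save atomically: dump to a temporary file, validate it, then rename it into
# place so a partially written file never replaces a good one.
save_rules() {
  tmp="${RULES_FILE}.tmp.$$"
  "$IPTSAVE" > "$tmp" || { rm -f "$tmp"; return 1; }
  if dump_is_complete "$tmp"; then
    mv "$tmp" "$RULES_FILE"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Example invocation (needs root):
#   delete_rule_spec INPUT -p tcp --dport 12345 -j REJECT
#   save_rules
```

Load the saved file at boot with iptables-restore (for example from a network hook or a systemd unit); the original page's "/etc/init.d/iptables save" does the equivalent on distributions that ship that service script.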