The built-in firewall mechanism of Linux is implemented by the netfilter module in the kernel (www.netfilter.org). The Linux kernel uses netfilter to filter incoming and outgoing packets. netfilter consists of three rule tables, each made up of several built-in chains. The iptables command operates on these tables and chains, for example to add, delete and list rules.
I. Netfilter rule tables: filter, nat, mangle
filter: used to filter network packets. It is the default table: if the -t parameter is not given when a rule is created, the rule is stored in this table.
INPUT: packets flowing into the server
OUTPUT: packets flowing out of the server
FORWARD: packets routed through the server
nat: the NAT table. NAT (Network Address Translation) is a method of converting IP addresses.
PREROUTING: packets can be modified when they arrive at the server.
OUTPUT: packets flowing out of the server
POSTROUTING: packets can be modified just before they are sent out from the server.
mangle: used to modify network packets, for example the TOS (Type Of Service) and TTL (Time To Live) fields.
INPUT: packets flowing into the server
OUTPUT: packets flowing out of the server
FORWARD: packets passing through the server
PREROUTING: packets can be modified when they arrive at the server.
POSTROUTING: packets can be modified just before they are sent out from the server.
1. Configuring Iptables
When a packet enters the server, the Linux kernel searches the corresponding chain until a rule matches the packet. If the target of that rule is ACCEPT, the remaining rules are skipped and the packet is passed on. If the target is DROP, the packet is blocked and the kernel does not consult any further rules.
Note: if no rule matches the packet and there is no rule at the end of the chain that drops everything, the packet is accepted (ACCEPT is the default policy of the chains). Cisco behaves the other way round: its rule lists end with an implicit deny all.
-C: check a rule before it is added to a user-defined chain.
-D: delete a rule from a chain.
-E: rename a user-defined chain without changing the chain itself.
-F: flush a chain, deleting all rules on it.
-I: insert a rule into a chain.
-L: list the rules on a chain; for example, iptables -L INPUT lists the rules of the INPUT chain.
-N: create a new chain.
-P: define the default policy of a chain.
-R: replace a rule on a chain.
-X: delete a user-defined chain.
-Z: zero the packet and byte counters of all chains in all tables.
2.) Command parameters of Iptables
-p, --protocol
The protocol type to match. It can be tcp, udp, icmp or all, and it can be negated with !.
When -p tcp is used, further options allow the rule to be defined more precisely:
--sport specifies the source port of the matched packet; port1:port2 means all ports from port1 to port2.
--dport specifies the destination port, with the same syntax as --sport.
When -p udp is used, the same special options are available:
--sport and --dport, as for -p tcp but applied to UDP packets.
Only one option is available with -p icmp:
--icmp-type: specifies the ICMP type to match in the filter rule.
-s, --source: the source address of the packet. It is followed by an IP address, a network address with subnet mask, or a host name (host names are not recommended).
-d, --destination: the destination address of the packet, same syntax as -s.
-j, --jump: specifies the target, that is, where the rule sends a matched packet. The target can be ACCEPT, DROP, QUEUE or RETURN. Without -j, no operation is performed on the packet, but the rule's counter is incremented by 1.
-i, --in-interface: for the INPUT, FORWARD and PREROUTING chains, this specifies the interface on which the packet arrived at the server.
-o, --out-interface: for the OUTPUT, FORWARD and POSTROUTING chains, this specifies the interface through which the packet leaves the server.
3.) Iptables targets
The last step in creating a rule is to specify what iptables does with the packet. Once a rule matches a packet, no further rules are evaluated. The built-in targets are ACCEPT, DROP, QUEUE and RETURN.
ACCEPT: lets the packet pass on to its destination.
DROP: rejects the packet; the packet is discarded.
QUEUE: passes the packet to a user-space application for processing.
RETURN: stops checking the packet against the remaining rules of the current chain and returns, so that processing continues in the calling chain or the packet goes on to its destination.
2. Examples of Iptables rules
Allow WWW:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This rule is added to the INPUT chain of the filter table and allows packets whose destination port is 80.
Allow DHCP on the internal interface:
iptables -A INPUT -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
Both TCP and UDP are allowed.
3. Saving and restoring Iptables
Saving iptables
iptables-save writes the current iptables rules to standard output, so they can be redirected to a file:
iptables-save > <save path>, for example # iptables-save > /etc/iptables.up.rule
Restoring iptables
iptables-restore loads the rules from the saved configuration file back into the current iptables tables:
iptables-restore < /etc/iptables.up.rule
II. Iptables in Ubuntu Server
iptables (version 1.3.3) is installed by default in Ubuntu Server 6.06, but it is disabled by default.
You can enable iptables by editing /etc/network/interfaces:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
    # add the following two lines
    pre-up iptables-restore < /etc/iptables.up.rule
    # load the saved rules when eth0 is brought up
    post-down iptables-save > /etc/iptables.up.rule
    # save the current rules when eth0 is shut down
Then reactivate eth0.
You can also edit the /etc/iptables.up.rule configuration file at any time to change the iptables rules. The format of iptables.up.rule is as follows:
# Generated by iptables-save v1.3.3 on Tue Jul 31 14:18:44 2007
*filter
:INPUT ACCEPT [73:8213]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:825]
-A INPUT -i lo -p icmp -j DROP
-A INPUT -i eth0 -p icmp -j DROP
COMMIT
# Completed on Tue Jul 31 14:10:44 2007
There must be no blank lines between the entries.
III. Summary
The order of the rules in an iptables chain is very important: if the first rule is an accept all, every packet passes through the firewall regardless of the rules that follow. The rules must therefore be arranged in the right order.
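As an added example, not part of the original article: a small POSIX shell script that reads the filter table of an iptables-save file (the same format as /etc/iptables.up.rule above) and replays the traversal described in section 1 for a given packet: the target of the first matching rule wins, otherwise the chain policy applies. The two rulesets are constructed samples, and only the -i, -p, --dport and -j options are interpreted.

```shell
#!/bin/sh
# Added example (not from the original article): a toy first-match evaluator for the
# filter table of an iptables-save file. It shows why rule order and the chain policy
# decide a packet's fate. Only -i, -p, --dport and -j are understood.

# Constructed ruleset: default-DROP INPUT policy with specific exceptions.
STRICT_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 67 -j ACCEPT
COMMIT'

# Constructed ruleset with the mistake named in the summary: an "accept all" rule comes
# first, so every later INPUT rule, including the DROP, is unreachable.
SLOPPY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT'

# verdict RULESET CHAIN IFACE PROTO DPORT
# Prints the target of the first rule in CHAIN that matches the packet, or the
# chain's policy (from its ":CHAIN POLICY [pkts:bytes]" line) when nothing matches.
verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v iface="$3" -v proto="$4" -v dport="$5" '
        $1 == (":" chain) { policy = $2 }          # default policy of the chain
        !done && $1 == "-A" && $2 == chain {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {            # every match option must agree
                if ($i == "-i" && $(i + 1) != iface) ok = 0
                if ($i == "-p" && $(i + 1) != proto) ok = 0
                if ($i == "--dport" && $(i + 1) != dport) ok = 0
                if ($i == "-j") target = $(i + 1)
            }
            if (ok && target != "") { print target; done = 1 }   # first match wins
        }
        END { if (!done) print policy }'
}

verdict "$STRICT_RULES" INPUT eth0 tcp 22    # ACCEPT: matched by the SSH rule
verdict "$STRICT_RULES" INPUT eth0 tcp 23    # DROP: no rule matches, policy applies
verdict "$STRICT_RULES" INPUT eth1 udp 67    # DROP: DHCP is only allowed on eth0
verdict "$SLOPPY_RULES" INPUT eth0 tcp 23    # ACCEPT: the DROP rule is never reached
```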