Use of the iptables command
iptables [-t table] command [match] [-j target]
[-t table] specifies the rule table
The -t parameter selects one of the built-in tables: nat, mangle or filter (newer kernels also have raw and security). When no table is given, filter is used. The tables serve these purposes:
nat: This table has the PREROUTING, OUTPUT and POSTROUTING chains and is used for network address translation, one-to-one, one-to-many or many-to-many (SNAT, DNAT, MASQUERADE, REDIRECT). Only the first packet of a connection traverses it; the mapping chosen for that packet is then applied to the rest of the connection by the connection tracker. Do not use this table for anything other than address translation: filtering rules placed here see only the first packet of each connection.
mangle: This table has all five chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING). It is for rewriting header fields other than addresses (TTL, TOS/DSCP) and for setting a mark on a packet (MARK) so that later rules, policy routing or traffic control can act on it. Since a basic firewall rarely needs it, it is not covered further here beyond the MARK target below.
filter: This is the default table, with the INPUT, FORWARD and OUTPUT chains. It is where the packet filtering decisions (ACCEPT, DROP, REJECT, LOG) belong, and where the basic rules in this article are written.
Command Common commands list:
Command -A, --append
Example iptables -A INPUT ...
Description Appends a rule to a chain. It becomes the last rule in that chain and is therefore only consulted after every rule already there.
Command -D, --delete
Example iptables -D INPUT -p tcp --dport 80 -j DROP
iptables -D INPUT 1
Description Removes a rule from a chain. Either repeat the full rule specification or give the rule's position number (1 is the first rule; iptables -L INPUT --line-numbers shows the numbers). Note that --dport is only valid together with -p tcp, udp, sctp or dccp, so the example needs -p tcp.
Command -R, --replace
Example iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description Replaces the rule at the given position with a new one; the order of the other rules is unchanged.
Command -I, --insert
Example iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Description Inserts a rule at the given position (1, the head of the chain, if omitted). The rule previously at that position and all rules after it move down one place.
Command -L, --list
Example 1 iptables -L INPUT
Description Lists all rules in the chain (all chains of the table if none is given). Add -n to skip DNS and service-name lookups, -v to show packet and byte counters and interfaces, and --line-numbers to show the positions that -D, -R and -I refer to.
Example 2 iptables -t nat -L
Description Lists all rules in all chains of the nat table.
Command -F, --flush
Example iptables -F INPUT
Description Deletes all rules in the INPUT chain of the filter table (all chains of the table if none is given). The chain policy is not changed, so flushing a chain whose policy is DROP leaves everything blocked.
Command -Z, --zero
Example iptables -Z INPUT
Description Resets the packet and byte counters of every rule in the chain. Each rule counts the packets and bytes that matched it; reading the counters (iptables -L -v -n) and zeroing them is a simple way to see which rules are being hit, for example when diagnosing a flood.
Command -N, --new-chain
Example iptables -N allowed
Description Creates a new user-defined chain. Packets only reach it through a -j allowed jump from another chain.
Command -X, --delete-chain
Example iptables -X allowed
Description Deletes a user-defined chain. The chain must be empty (flush it with -F first) and no rule may still jump to it; built-in chains cannot be deleted.
Command -P, --policy
Example iptables -P INPUT DROP
Description Sets the policy of a built-in chain: the action taken on a packet that matched no rule in that chain. Only ACCEPT or DROP are valid. User-defined chains have no policy; an unmatched packet returns to the calling chain instead. Switch the policy to DROP only after the rules that accept wanted traffic, including the administrator's already established session, are in place.
Command -E, --rename-chain
Example iptables -E allowed disallowed
Description Renames a user-defined chain.
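The commands above applied in an order that does not lock the administrator out, as an added example that is not part of the original article. The ipt wrapper and the DRY_RUN and FW_ACTION variables are assumptions of this example (DRY_RUN=1 prints the command lines so the sequence can be reviewed without root); the chain name allowed is the one used in the text.

```shell
#!/bin/sh
# Added example (not from the original article): chain-management commands in
# a safe order. Assumption: DRY_RUN=1 prints the iptables command lines instead
# of running them, so the sequence can be checked without root.

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Create the user-defined chain "allowed" and hook it into INPUT.
# Loopback and RELATED,ESTABLISHED are inserted at the head of INPUT and the
# policy is switched to DROP only as the last step, so an SSH session that is
# open while this runs keeps working; NEW connections get in only via "allowed".
setup_allowed() {
    ipt -N allowed
    ipt -A allowed -p tcp --dport 22 -j ACCEPT
    ipt -A allowed -p tcp --dport 80 -j ACCEPT
    ipt -A allowed -j RETURN        # anything else goes back to INPUT
    ipt -I INPUT 1 -i lo -j ACCEPT
    ipt -I INPUT 2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j allowed
    ipt -P INPUT DROP
}

# Swap the HTTP rule (position 2 in "allowed") for HTTPS without reordering.
replace_web_rule() {
    ipt -R allowed 2 -p tcp --dport 443 -j ACCEPT
}

# Show the positions that -D, -R and -I refer to, with counters and no DNS.
show_input() {
    ipt -L INPUT -v -n --line-numbers
}

# Undo everything. Order matters: the policy goes back to ACCEPT before the
# accept rules disappear (a DROP policy with no rules is a lockout), the jump
# into "allowed" is deleted before the chain is flushed, and -X comes last
# because it fails while the chain is non-empty or still referenced.
teardown_allowed() {
    ipt -P INPUT ACCEPT
    ipt -D INPUT -p tcp --syn -m conntrack --ctstate NEW -j allowed
    ipt -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -D INPUT -i lo -j ACCEPT
    ipt -F allowed
    ipt -X allowed
}

case "${FW_ACTION:-}" in
    up)   setup_allowed ;;
    down) teardown_allowed ;;
    show) show_input ;;
esac
```

Run DRY_RUN=1 FW_ACTION=up sh chain-lifecycle.sh to review the command sequence, then FW_ACTION=up as root to apply it; FW_ACTION=show lists INPUT with the numbers that -D, -R and -I use.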
[match] commonly used packet matching parameters
Parameter -p, --protocol
Example iptables -A INPUT -p tcp
Description Matches the protocol: tcp, udp, udplite, icmp, sctp, esp, ah, or a number or name from /etc/protocols. The ! operator negates the match and is written before the option in current iptables:
! -p tcp
matches every protocol other than TCP, such as UDP or ICMP. (The older form -p ! tcp is deprecated and newer versions warn about it.) To match all protocols use the all keyword, which is also the default when -p is omitted:
-p all
Parameter -s, --src, --source
Example iptables -A INPUT -s 192.168.1.1
Description Matches the packet's source address. This can be a single host or a network; for a network, a prefix length gives the netmask:
-s 192.168.0.0/24
The ! operator negates the match:
! -s 192.168.0.0/24
Hostnames are resolved once, when the rule is added, not per packet, so prefer addresses.
Parameter -d, --dst, --destination
Example iptables -A INPUT -d 192.168.1.1
Description Matches the destination address; written the same way as -s.
Parameter -i, --in-interface
Example iptables -A INPUT -i eth0
Description Matches the interface the packet arrived on; valid only in the INPUT, FORWARD and PREROUTING chains. A trailing + acts as a wildcard:
-i eth+
matches every interface whose name starts with eth. The ! operator negates the match:
! -i eth0
Parameter -o, --out-interface
Example iptables -A FORWARD -o eth0
Description Matches the interface the packet will leave through; valid only in the FORWARD, OUTPUT and POSTROUTING chains, and written the same way as -i.
Parameter --sport, --source-port
Example iptables -A INPUT -p tcp --sport 22
Description Matches the source port and requires -p tcp or -p udp (also sctp, dccp). A single port or an inclusive range can be given:
--sport 22:80
matches ports 22 through 80. Non-contiguous ports need the multiport match described later in this article. The ! operator (-p tcp ! --sport 22) negates the match.
Parameter --dport, --destination-port
Example iptables -A INPUT -p tcp --dport 22
Description Matches the destination port; written the same way as --sport.
Parameter --tcp-flags
Example iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Description Matches TCP header flags and needs -p tcp. It takes two comma-separated lists: the first names the flags to examine (the mask), the second the flags among them that must be set. Every flag in the first list but not in the second must be clear, and flags outside the first list are ignored. The example matches packets with SYN set and FIN and ACK clear, whatever the state of RST, URG and PSH. Recognised flags are SYN, ACK, FIN, RST, URG and PSH, plus the keywords ALL and NONE. Prefix the option with ! to negate it. A classic use is catching the illegal flag combinations sent by port scanners, for example --tcp-flags ALL NONE (null scan) or --tcp-flags ALL FIN,URG,PSH (Xmas scan).
Parameter --syn
Example iptables -A INPUT -p tcp --syn
Description Matches TCP packets with SYN set and ACK, RST and FIN clear, i.e. the first packet of a connection attempt. It is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN. With ! (-p tcp ! --syn) it matches every TCP packet except connection requests.
Parameter -m multiport --source-ports (alias --sports)
Example iptables -A INPUT -p tcp -m multiport --source-ports 22,53,80,110
Description Matches any of up to 15 non-contiguous source ports; a range such as 1024:65535 may appear in the list and counts as two ports. Requires -p tcp, udp, udplite, sctp or dccp. The ! operator negates the match. The older spelling --source-port is still accepted.
Parameter -m multiport --destination-ports (alias --dports)
Example iptables -A INPUT -p tcp -m multiport --destination-ports 22,53,80,110
Description Matches any of the listed destination ports; written the same way.
Parameter -m multiport --ports
Example iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110
Description Matches if either the source port or the destination port is in the list. In the example a packet from port 80 to port 110 matches, and so does one from port 80 to port 5000 or from port 5000 to port 110; the two ports do not both have to be listed.
Parameter --icmp-type
Example iptables -A INPUT -p icmp --icmp-type 8
Description Matches the ICMP type, given as a number, a type/code pair (3/3) or a name; type 8 is echo-request (ping). Run iptables -p icmp --help to list the available names. Do not block ICMP wholesale: type 3 (destination-unreachable, needed for path MTU discovery) and type 11 (time-exceeded) should normally be accepted, and with connection tracking they arrive in state RELATED.
Parameter -m limit --limit
Example iptables -A INPUT -m limit --limit 3/hour
Description Limits how often the rule matches, using a token bucket: the rule matches at most at the given average rate, plus a short burst (see --limit-burst). Units are /second, /minute, /hour and /day; the default is 3/hour. A packet that arrives while the bucket is empty simply does not match this rule and falls through to the rules after it, so the limit itself discards nothing. The usual pattern is an ACCEPT or LOG rule with -m limit followed by a DROP rule, which keeps a flood of SYNs or pings from exhausting the service or filling the log.
Parameter --limit-burst
Example iptables -A INPUT -m limit --limit-burst 5
Description Sets the bucket size, i.e. how many packets may match back-to-back before the average rate takes over; the default is 5, and in the example the default rate of 3/hour applies. The bucket starts full and gains one token per interval of the --limit rate (every 20 minutes for 3/hour), up to the burst value. With 3/hour and a burst of 5, the first five packets match immediately and after that only one packet every 20 minutes does; 100 minutes of silence refill the bucket completely. Packets that do not match are handled by the next rule, not discarded by this one.
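The token bucket behind --limit and --limit-burst, worked through for the example values above as an added example that is not part of the original article. The kernel's xt_limit keeps its credit in finer units than whole seconds, but the shape of the behaviour is the same; simulate_limit and its arrival times are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article): a whole-second simulation of
# the token bucket behind "-m limit --limit RATE --limit-burst BURST".
# The bucket starts full (BURST tokens), gains one token every 3600/RATE
# seconds up to BURST, and a packet matches only if a token is available.
# Packets that do not match are NOT dropped by the limit rule; they fall
# through to whatever rule follows it.
#
# simulate_limit RATE_PER_HOUR BURST T1 T2 ...   (Tn = arrival time, seconds)
# Prints one character per packet: 1 = matched the limit rule, 0 = fell through.
simulate_limit() {
    local rate burst cost cap credit last t elapsed out
    rate=$1; burst=$2; shift 2
    cost=$((3600 / rate))        # seconds per token: 1200 s for 3/hour
    cap=$((burst * cost))        # credit is kept in seconds; this is a full bucket
    credit=$cap
    last=0
    out=""
    for t in "$@"; do
        elapsed=$((t - last))
        last=$t
        credit=$((credit + elapsed))
        [ "$credit" -gt "$cap" ] && credit=$cap     # the bucket never overflows
        if [ "$credit" -ge "$cost" ]; then
            credit=$((credit - cost))
            out="${out}1"
        else
            out="${out}0"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed arrival times for "--limit 3/hour --limit-burst 5": six packets
# at t=0, one at t=600 (10 min) and one at t=1200 (20 min).
# Expected 11111001: five match from the burst, the sixth and the one at
# 10 min find an empty bucket, the one at 20 min gets the refilled token.
simulate_limit 3 5 0 0 0 0 0 0 600 1200

# An idle gap refills the bucket: after the burst is exhausted, 100 minutes
# (6000 s) of silence restore all five tokens. Expected 11111111110.
simulate_limit 3 5 0 0 0 0 0 6000 6000 6000 6000 6000 6000
```

Reading the two outputs against the arrival times shows why a LOG rule with -m limit needs a DROP rule after it: the zeros are packets the limit rule passed over, and the next rule decides their fate.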
Parameter -m mac --mac-source
Example iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description Matches the source MAC address of the Ethernet frame, so it only works for packets that arrived on an Ethernet-type interface and only in the PREROUTING, INPUT and FORWARD chains. It cannot be used in OUTPUT or POSTROUTING because the outgoing frame does not exist yet: the driver resolves the destination MAC via ARP only after netfilter has finished with the packet. A source MAC is trivially spoofed by anyone on the same segment, so this is a convenience, not an authentication of the sender.
Parameter -m mark --mark
Example iptables -t mangle -A INPUT -m mark --mark 1
Description Matches the mark previously set on the packet with the MARK target. The mark is a 32-bit value, so it ranges from 0 to 4294967295; an optional mask (--mark 1/0xff) tests only some of its bits. It exists only inside the kernel and never leaves the host with the packet.
Parameter -m owner --uid-owner
Example
iptables -A OUTPUT -m owner --uid-owner 500
Description Matches locally generated packets created by a socket owned by the given user (name or UID). It is valid only in the OUTPUT and POSTROUTING chains. It can, for example, confine a service account to the hosts it needs, which limits what a compromised process running as that user can exfiltrate. Forwarded packets and packets from other hosts have no owner and never match.
Parameter -m owner --gid-owner
Example iptables -A OUTPUT -m owner --gid-owner 0
Description Matches locally generated packets whose socket belongs to the given group; used the same way.
Parameter -m owner --pid-owner
Example
iptables -A OUTPUT -m owner --pid-owner 78
Description Matched locally generated packets created by the given process ID. This option, like --sid-owner, was removed from the kernel in 2.6.14 and from iptables; current versions reject it. Use a separate UID or GID per service, or the cgroup match (-m cgroup), instead.
Parameter -m owner --sid-owner
Example
iptables -A OUTPUT -m owner --sid-owner 100
Description Matched locally generated packets created by a process in the given session ID (a process session, not a network connection). Removed together with --pid-owner; see above.
Parameter -m state --state
Example
iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description Matches the connection-tracking state of the packet; the current equivalent is -m conntrack --ctstate RELATED,ESTABLISHED. There are four states:
INVALID means the packet cannot be associated with any known connection and is not a valid start of one (malformed header, TCP data outside the window, or a full conntrack table). Such packets should be dropped early.
ESTABLISHED means the packet belongs to a connection that has already seen traffic in both directions.
NEW means the packet starts a new connection, or belongs to one that has not yet seen traffic in both directions. For TCP this is normally a SYN, but a stray ACK is also NEW unless it is dropped explicitly (-p tcp ! --syn -m conntrack --ctstate NEW -j DROP).
RELATED means the packet starts a new connection that is associated with an existing one, for example an FTP data connection opened by an FTP control session, or an ICMP error referring to an existing connection. Recognising application-layer related connections needs the matching helper module, such as nf_conntrack_ftp.
[-j target/jump] Common processing actions:
The -j parameter names the target to execute when the rule matches. Commonly used targets are ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN and MARK. A target is either terminating (the packet leaves the current chain and later rules in it are not consulted) or non-terminating (evaluation continues with the next rule). Traversal of the other tables on the packet's path continues either way, so a packet accepted in nat PREROUTING still passes through mangle and filter. The targets in turn:
ACCEPT: Lets the packet through. It is terminating for the current chain, and when reached inside a user-defined chain it also ends the built-in chain that called it; the packet moves on to the next table on its path, for example from nat PREROUTING to mangle and filter FORWARD, or from filter INPUT to the local socket.
REJECT: Blocks the packet and sends an error back to the sender. --reject-with selects the error: icmp-port-unreachable (the default), icmp-host-unreachable, icmp-net-unreachable, icmp-proto-unreachable, icmp-host-prohibited, icmp-net-prohibited, icmp-admin-prohibited, or tcp-reset (TCP only; the RST makes the peer close the connection at once instead of retrying). It is terminating and valid only in the INPUT, FORWARD and OUTPUT chains of the filter table, or user chains called from them. Example:
iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
Prefer DROP on external interfaces if you do not want to confirm that a filter exists; prefer REJECT on internal networks so clients fail fast instead of waiting for a timeout.
DROP: Silently discards the packet. Terminating; no error is sent, so the sender only sees a timeout.
REDIRECT: Rewrites the destination to the primary address of the interface the packet arrived on (127.0.0.1 for locally generated packets) and, with --to-ports, to another port, i.e. a port-level NAT. It is valid only in the nat table's PREROUTING and OUTPUT chains and is terminating there; the packet then continues through mangle and filter with its new destination, so filter INPUT must accept the redirected port. This is how transparent proxies are built, or how a service listening on an unprivileged port is exposed on a privileged one. For example:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
MASQUERADE: Rewrites the source address to the current address of the outgoing interface, choosing a source port from the range given with --to-ports if one is specified. Valid only in nat POSTROUTING and terminating there; the packet then continues to mangle POSTROUTING. It differs from SNAT in not needing a fixed address: the interface address is looked up each time, and connections are forgotten when the interface goes down, which makes it the right choice for dial-up or DHCP-assigned addresses. Example:
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000
LOG: Writes a kernel log message for the packet. It goes through printk, so it appears in dmesg and wherever syslog or journald routes kernel messages (traditionally /var/log/messages or /var/log/kern.log; see /etc/syslog.conf or /etc/rsyslog.conf). --log-prefix adds a tag to search for and --log-level sets the syslog priority. LOG is non-terminating, so the packet continues to the next rule; to log and drop, follow the LOG rule with a DROP rule carrying the same match, and rate-limit the LOG rule with -m limit so an attacker cannot fill the disk. For example:
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets "
SNAT: Rewrites the source address to the given address or range, optionally with a port range. Valid only in nat POSTROUTING (and nat INPUT on newer kernels); terminating there, after which the packet continues to mangle POSTROUTING. Example:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
DNAT: Rewrites the destination address to the given address or range, optionally with a port range; this is what port forwarding uses. Valid only in nat PREROUTING and OUTPUT; terminating there, after which the packet is routed and reaches filter INPUT or FORWARD with its new destination, so the FORWARD rules must accept the translated address. Example:
iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100
MIRROR: Swapped the source and destination addresses and sent the packet straight back to where it came from. It was an experimental target, removed from the kernel in the 2.6 series, and should not be used: it lets an attacker bounce packets off your host at third parties.
QUEUE: Hands the packet to a userspace program over netlink and suspends in-kernel processing until that program returns a verdict. QUEUE uses the old ip_queue interface; current kernels use NFQUEUE --queue-num N with libnetfilter_queue. This is how userspace IDS/IPS engines, custom accounting or deep packet inspection hook in.
RETURN: Stops traversal of the current chain. In a user-defined chain, control returns to the rule after the jump in the calling chain, like returning early from a subroutine; in a built-in chain, the chain policy is applied.
MARK: Sets the mark on the packet, a number that later rules (-m mark), policy routing (ip rule ... fwmark) or traffic control can test. It is non-terminating and normally lives in the mangle table. Example:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
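The match parameters and targets described above combined into one complete ruleset for a small NAT gateway, in iptables-restore format, as an added example that is not part of the original article. All of it is assumed for the illustration: eth0 as the public side, eth1 as the LAN, 192.168.1.0/24 as the LAN network, 192.168.1.10 as an internal web server and port 3128 as a local transparent proxy; gateway_ruleset and the FW_ACTION variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a complete NAT gateway ruleset
# in iptables-restore format. Everything here is an assumption for the example:
# eth0 public side, eth1 LAN, 192.168.1.0/24 LAN network, 192.168.1.10 an
# internal web server, 3128 a local proxy port.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}
PROXY_PORT=${PROXY_PORT:-3128}

gateway_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:allowed - [0:0]
:logdrop - [0:0]
# Stateful core: loopback, replies to our own traffic, and nothing INVALID.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# A TCP connection must begin with a SYN; a NEW packet without SYN is a scan.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j logdrop
# Public side: new SYNs are rate-limited, then checked against "allowed".
# SYNs above the limit do not match the limit rule and land on the next line.
-A INPUT -i $WAN -p tcp --syn -m limit --limit 25/minute --limit-burst 100 -j allowed
-A INPUT -i $WAN -p tcp --syn -j logdrop
# LAN side: SSH, DNS and the transparent proxy port (see REDIRECT below).
-A INPUT -i $LAN -s $LAN_NET -p tcp -m multiport --dports 22,53,$PROXY_PORT -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
# Ping from anywhere, but not a flood.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -j logdrop
# Forwarding: LAN out, replies back, and only port 80 in to the DNATed server.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $LAN -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j logdrop
# Services reachable from the public side; everything else RETURNs to INPUT.
-A allowed -p tcp -m multiport --dports 22,443 -j ACCEPT
-A allowed -j RETURN
# Log at a bounded rate (LOG does not terminate), then DROP.
-A logdrop -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "FW-DROP: " --log-level 4
-A logdrop -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward: public :80 -> internal web server; filter FORWARD sees the new address.
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# Transparent proxy for LAN web traffic, delivered to this host's proxy port.
-A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Hide the LAN behind whatever address the public interface currently has.
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Mark SSH from the LAN so policy routing or tc can prioritise it.
-A PREROUTING -i $LAN -p tcp --dport 22 -j MARK --set-mark 2
COMMIT
EOF
}

# FW_ACTION=test parses the ruleset without loading it; apply loads it atomically.
case "${FW_ACTION:-print}" in
    apply) gateway_ruleset | iptables-restore ;;
    test)  gateway_ruleset | iptables-restore --test ;;
    *)     gateway_ruleset ;;
esac
```

FW_ACTION=test sh gateway.sh checks the syntax with iptables-restore --test without touching the live tables; FW_ACTION=apply replaces all three tables in one atomic operation, which avoids the window of a half-built ruleset that a sequence of individual iptables commands leaves open. Note how the public-side SYN limit, the logdrop chain and the ! --syn rule each rely on a packet that fails one rule falling through to the next.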
- This article is from: Linux Learning Network