What is Iptables-general Linux technology-Linux technology and application information? For more information, see. Iptables is a packet filtering management tool based on the netfilter architecture. It is mainly used for firewall or transparent proxy. Iptables has evolved from ipchains and is more powerful. Iptables provides three functions: packet filtering, NAT (Network Address Translation), and general pre-route packet mangling. Package filtering: used to filter packets without modifying the content of the package. Compared with ipchians, Iptables provides faster and more convenient packet filtering. NAT: NAT can be divided into source address NAT and destination address NAT.
Iptables can append, insert, or delete packet filtering rules. In fact, netfilter and its related modules (such as the iptables module and nat module) actually execute these excessive rules ). Netfilter is a general architecture at the core of Linux. It provides a series of "tables". Each table is composed of several "chains, each chain can contain one or more "rules.
The default table is "filter", which contains three links: INPUT, FORWARD, and OUTPUT.
There can be one or several rules in each chain, and each rule is defined as follows: if the data packet header meets this condition, it will process the data packet. When a packet arrives at a chain, the system checks from the first rule to see if it meets the conditions defined by the rule: if yes, the system processes the data packet according to the method defined by the rule. If the data packet does not meet the requirements, the system checks the next rule. Finally, if the packet does not comply with any rule in the chain, the system will process the packet according to the pre-defined policy of the chain.
? Table, chain, rule
Iptables can manipulate three tables: filter table, nat table, and mangle table.
NAT and general mangle use the-t parameter to specify which table to operate. Filter is the default table. If the-t parameter is not set, the filter table is operated by default.
Rule rules: filter rules and port forwarding rules. For example, if any machine is prohibited from pinging our server, you can set a Rule on the server:
Iptables-a input-s! 127.0.0.1-p icmp-j DROP
Slave? S is a rule.-j is a condition before the rule, and-j is a rule action (Purpose ). The entire command is interpreted as inserting a rule in the INPUT rule chain of the filter table. All icmp packets whose source address is not 127.0.0.1 are discarded.
Chain rule chain: It is composed of a series of rules, each of which passes through each rule in the Chain sequentially. Chain is divided into system chain and user-created chain. The following describes the system chain.
System chain of the filter table: INPUT, FORWAD, OUTPUT
System chain of the nat table: PREROUTING, POSTROUTING, OUTPUT
System chain of the mangle table: PREROUTING, OUTPUT
Each system chain is checked at a specific position. For example, in packet filtering, If the destination address is a local package, it will enter the INPUT rule chain, and the package going out from the local will enter the OUTPUT rule chain.
All tables and chains are empty when they are started. The iptables setting method is to add corresponding rules to the appropriate table and system chain.
Table: iptables is named after the three tables used (filter, nat, and mangle). Only the filter table is used for packet filtering, and the filter table is the default table. No instructions are required.
Operation Command: add, delete, update, and so on.
Chain: for packet filtering, you can operate User-Defined chains for the INPUT, OUTPUT, and FORWARD chains in the filter table.
Rule matching: You can specify various rule matching rules, such as IP addresses, ports, and packet types.
Target action: when a rule matches a package, the tasks to be executed are commonly used:
The ACCEPT allows packets to pass through
DROP dropped packets
Some expansion goals include:
The REJECT rejects the packet and discards the packet and sends an unaccepted notification to the sender.
LOG information about the LOG package is recorded in the LOG
TOS value of the TOS rewrite package
To make the FORWARD rule take effect, you can use one of the following two methods:
-A or-append adds one or more rules to the end of the selected chain
-D or-delete: delete one or more rules at the end of the selected chain.
-R or-replace to replace a matching rule in the selected chain
-I or-insert inserts one or more rules into the selected chain with the given rule number. If the rule number is 1, it is in the chain header.
-L or-list lists all rules in a specified chain. If no chain is specified, all rules in the chain are listed.
-F or-flush clears the rules of the specified chain and table. If no chain is specified, all chains are cleared.
-N or-new-chain creates a new user-defined chain with the specified name, and cannot be the same as the existing chain name.
-X or-delete-chain: to delete a specified user-defined curtain, you must ensure that the rules in the chain are not used before deletion. If no chain is specified, all user chains are deleted.
-P or-policy specifies the default rule (built-in chain policy) for the permanent curtain. the user-defined curtain does not have the default rule. The default rule also makes the last rule in the Rule chain, it is displayed in the first line when-L is used.
-C or-check whether the specified package matches the rule of the specified chain.
-Z or-zero clears the rule packet BYTE counter in the specified curtain.
-P, [!] Protocol indicates the protocol to be matched. It can be tcp, udp, icmp, all, and prefix! Indicates all protocols except the protocol.
-S [!] Address [/mask] specifies the source address or address range.
-Sport [!] Port [: port] specifies the source port number or range. You can use the port number or the name in the/ETC/SERVICES file.
-D [!] Address [/mask] specifies the destination address or address range.
-Dport [!] Port [: port] specifies the destination port number or range. You can use the port number or the name in the/ETC/SERVICES file.
-Icmp-type [!] Typename specifies the ICMP information type that matches the rule (you can use iptables-p icmp-h to view valid ICMP type names)
-I [!] The interface name [+] matches an independent interface or an interface of some type. If this parameter is ignored, all interfaces are used by default. You can use this interface "! "To match the packages from the specified prey interface. the interface parameter is the interface name, such as eth0, eht1, ppp0, etc. It is completely legal to specify an interface that does not exist currently, And the rule takes effect only when the interface is working, compromise designation is very useful for similar connections such as PPP. "+" indicates that all interfaces of this type are matched. this option is only applicable to INPUT, FORWARD, and PREROUTING chains.
-O [!] Interface name [+] indicates the external network interface that matches the rule. This option is valid only for OUTPUT, FORWARD, and POSTROUTING chains.
[!] -- Syn only matches TCP packets with SYN bits and removes ACK and FIN bits. these packages indicate the TCP connection initiated by the request. blocking such a packet from an interface will block external TCP connection requests. however, the output TCP connection requests will not be affected. this parameter can be used only when the protocol type is set to TCP. you can use this parameter "! "Flag matches an existing return packet, which is generally used to limit network traffic. That is, only existing packets are allowed to be returned from connections sent to the outside.
[Root @ rh34 root] # iptables-L-n
(List all rules in a table or chain. The packet filtering Firewall uses the filter table by default. Therefore, this command will list all the content in the filter table. The-n parameter can speed up the display, or the-n parameter is not added .)
[Root @ rh34 root] # iptables-F
(Clear all rules in the Rule chain in the filter of the preset table)
[Root @ rh34 root] # iptables-X
(Clear the rules in the User-Defined chain in the filter of the preset table)
[Root @ rh34 root] # iptables-Z
(Clears all packet byte counters in the specified chain rule)
Set the chain's default policy. All are allowed by default, or all are discarded:
[Root @ rh34 root] # iptables-P INPUT ACCEPT
[Root @ rh34 root] # iptables-P OUTPUT ACCEPT
[Root @ rh34 root] # iptables-P FORWARD ACCEPT
(In the above example, we set the default allow policy in different directions. If discarded, the policy should be DROP. Strictly speaking, the firewall should be DROP and then allow specific rules)
[Root @ rh34 root] # iptables-N brus
(Create a user-defined chain named brus)
[Root @ rh34 root] # iptables-A brus-s 0/0-d 0/0-p icmp-j DROP
(A rule is set in this link)
[Root @ rh34 root] # iptables-a input-s 0/0-d 0/0-j brus
(Add a rule to the default INPUT chain so that all packages are processed by the brus custom chain)
Iptables-a input-p tcp -- tcp-flags SYN, FIN, ACK SYN
(Indicates that the SYN, ACK, and FIN flags must be checked, but only those with SYN are matched)
Iptables-a input-p tcp -- tcp-flags all syn, ACK
(ALL: SYN, ACK, FIN, RST, URG, and PSH are checked, but only SYN and ACK are matched)
Iptables-p tcp -- syn
(Option -- syn is a special case above, which is equivalent to the abbreviation of "-- tcp-flags SYN, RST, ack syn)
[Root @ redhatlinux9 root] # iptables-a forward-m limit -- limit 300/hour
(Restrict access to 300 packets per hour)
[Root @ redhatlinux9 root] # iptables-a input-m limit -- limit-burst 10
(-- Limit-burst specifies the trigger time value (the default value is 5), which is used to compare the number of massive data packets in an instant .)
(The above example compares whether there are more than 10 incoming packets at a time. packets exceeding this limit will be discarded directly)
[Root @ redhatlinux9 root] # iptables-a forward-p icmp-m limit -- limit 3/m -- limit-burst 3
(Assuming that the request passes evenly, with an average of three requests per minute, the trigger value burst is kept as 3. If the number of packets passed per minute is less than 3, the trigger value busrt will add 1 after each cycle (if 3 packets are allowed per minute, the number of weeks is 20 seconds), but the maximum value is 3. If the number of packets to be passed per minute exceeds 3, the trigger value busrt will be reduced to an extra value. For example, if there are four packets in the next minute, the trigger value will be changed to 2, at the same time, four packages can be passed. If there are six packages in the third minute, only five packages can be passed. The trigger value of busrt is 0. After that, if the number of packets per minute is less than or equal to 3, the trigger value busrt will add 1. If the number of packets per minute is greater than 3, the trigger value busrt will gradually decrease and eventually remain 0)
(That is, the maximum number of packets per minute is equal to the maximum rate (3 in this example) plus the current trigger value busrt. In any case, three packets can pass through, and the triggering value busrt is equivalent to the number of additional packets allowed)
Each network connection includes the following information: Source and Destination addresses, source and destination port numbers, called socket pairs (cocket pairs), protocol type, connection status (TCP protocol), and timeout time. The firewall calls these statuses ). The firewall that can monitor each connection status is called the status treasure filter firewall. In addition to completing the common packet filter firewall function, it also maintains a table that tracks the connection status in its own memory, therefore, it has greater security.
The command format is as follows:
Iptables-m state -- state [!] State [, state]
State indicates a list separated by commas (,). The connection status can be as follows:
NEW: this package wants to start a connection (reconnect or redirect the connection ).
RELATED: this package belongs to a new connection established by a established connection. For example, there is a RELATED relationship between the FTP data transmission connection and the control connection.
ESTABLISHED: the package belongs to a ESTABLISHED connection.
INVALID: this package does not match any connection. These packages are usually dropped.
For example:
[Root @ redhatlinux9 root] # iptables-a input-m state -- state RELATED, ESTABLISHED
(Match the established connection or the new connection established by the established connection. Match All TCP response packets)
[Root @ redhatlinux9 root] # iptables-a input-m state -- state NEW-I! Eth0
(Match all connection request packets from non-eth0 interfaces)
The following is a typical connection trace in Passive FTP connection mode.
[Root @ redhatlinux9 root] # iptables-a input-p tcp -- sport 1024: -- dport 1024:-m state -- state ESTABLISHED-j ACCEPT
[Root @ redhatlinux9 root] # iptables-a output-p tcp -- sport 1024: -- dport 1024:-m state -- state ESTABLISHED, RELATED-j ACCEPT
The following is a typical connection trace in Active FTP connection mode.
[Root @ redhatlinux9 root] # iptables-a input-p tcp -- sport 20-m state -- state ESTABLISHED, RELATED-j ACCEPT
[Root @ redhatlinux9 root] # iptables-a input-p tcp -- dport 20-m state -- state ESTABLISHED-j ACCEPT
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.