Detailed explanation of iptables

iptables:
A firewall sits at the edge of the host and applies a set of rules to the packets entering and leaving it, both to protect the host and, optionally, to forward traffic on behalf of other hosts.
On Linux the TCP/IP stack lives in the kernel, so packet processing happens in the kernel and the firewall has to work there as well: it must hook into the points where packets flow through the kernel's TCP/IP processing and check each one against its rules. The in-kernel part is netfilter; iptables is the user-space tool that loads rules into it.
iptables matches on the attributes of TCP/IP packets: source IP, destination IP, source port, destination port;
TCP flags: SYN, SYN+ACK, ACK, FIN, URG, PSH, RST.

chains:
INPUT: packets addressed to the firewall itself (the destination address is the firewall)
OUTPUT: packets generated by the firewall itself (the source address is the firewall)
FORWARD: packets routed through the firewall to another host
PREROUTING: seen before the routing decision; where destination address translation (DNAT) is done
POSTROUTING: seen after the routing decision; where source address translation (SNAT) is done
tables (-t):
filter: the default table; handles the ordinary packets entering and leaving the host. Chains: INPUT, OUTPUT, FORWARD
nat: network address translation, i.e. rewriting the destination or source IP address and port; typically used for shared Internet access or for steering a port to a service. Chains: PREROUTING, POSTROUTING, OUTPUT (for translating packets the firewall itself generates)
mangle: modifies packet headers (marks, TTL, TOS and the like) and re-encapsulates the packet. Chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

iptables listing:
-L: list the rules of the chains in a table (name a chain to list only it: -L INPUT)
-t: the table to list (filter if omitted)
-n: show addresses and ports numerically instead of resolving names (faster, and avoids DNS lookups from a box whose DNS may be blocked by these very rules)
-v: verbose output (packet and byte counters, interfaces); -vv and -vvv add progressively more detail
--line-numbers: show each rule's position in the chain (needed when deleting, replacing or inserting by number)
-x: show exact counter values instead of rounded K/M/G units

Columns of the -v listing:
pkts: number of packets that have matched the rule
bytes: number of bytes that have matched the rule
target: what happens to a matching packet (ACCEPT, DROP, or a jump to another chain)
prot: protocol
opt: additional options; -- means none
in / out: the interface the packet arrived on / will leave by
source: source address or network
destination: destination address or network

Clearing iptables rules:
-F: flush all rules of a table (filter if no -t is given; name a chain to flush only that chain)
-X: delete user-defined chains (a chain must be empty and no longer referenced, so run -F before -X)
-Z: zero the packet and byte counters

Managing iptables rules:
-P: set the default policy of a built-in chain, which applies to packets that match no rule. For example, make the filter table's INPUT chain drop by default:
iptables -t filter -P INPUT DROP
-N: create a user-defined chain (built-in chains cannot be deleted; when a built-in chain grows too long, split it into custom chains). A custom chain only does something once a rule in another chain jumps to it with -j:
iptables -N filter_web
-A: append a rule at the end of a chain
-D: delete a rule (by its full specification, or by its number)
-I: insert a rule at a given position (position 1, the top, if none is given)
-R: replace the rule at a given position. Example: replace rule 1 of INPUT so that only one network segment is allowed in on eth0:
iptables -R INPUT 1 -s 10.0.10.0/24 -d 10.0.10.62 -i eth0 -j ACCEPT
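The management flags above put together as a script, added here as an example (it is not code from the original article). It builds a minimal host firewall with a custom chain, shows the teardown order (-F before -X) and replaces a rule by position. The ssh source segment 10.0.10.0/24, the firewall address 10.0.10.62 and the interface eth0 are taken from the -R example; everything else (ports, chain name) is assumed. With DRY_RUN=1 (the default) the script only prints the iptables commands it would run; DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example: host firewall built with -P, -N, -A, -R, -F, -X, -Z.
# DRY_RUN=1 (default) prints the commands instead of running them.
# DRY_RUN=0 applies them (root required). IPT selects the binary.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Teardown order matters: -X refuses to delete a chain that still holds rules
# or is still jumped to, so flush (-F) before deleting custom chains (-X),
# then zero the counters. Policies are opened first so that flushing a live
# box does not lock us out when the policy was DROP.
reset_filter() {
    run -t filter -P INPUT ACCEPT
    run -t filter -P FORWARD ACCEPT
    run -t filter -P OUTPUT ACCEPT
    run -t filter -F
    run -t filter -X
    run -t filter -Z
}

build_host_firewall() {
    reset_filter
    # A custom chain (-N) does nothing by itself; it is only consulted once a
    # rule in a built-in chain jumps to it with -j.
    run -t filter -N filter_web
    run -t filter -A filter_web -p tcp --dport 80 -j ACCEPT
    run -t filter -A filter_web -p tcp --dport 443 -j ACCEPT
    run -t filter -A filter_web -j RETURN          # anything else: back to INPUT
    run -t filter -A INPUT -i lo -j ACCEPT                                   # rule 1
    run -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # rule 2
    run -t filter -A INPUT -p tcp --dport 22 -s 10.0.10.0/24 -j ACCEPT       # rule 3: ssh from the LAN (assumed segment)
    run -t filter -A INPUT -p tcp -j filter_web                              # rule 4
    # Set the restrictive default policy last: with DRY_RUN=0, doing it first
    # would drop everything (this ssh session included) until the ACCEPT
    # rules above were loaded.
    run -t filter -P INPUT DROP
}

# -R replaces the rule at a given position. Here rule 3 (the ssh rule) becomes
# "only from 10.0.10.0/24, only to 10.0.10.62, only on eth0". Confirm the
# position first with:  iptables -t filter -L INPUT -n --line-numbers
tighten_ssh() {
    run -t filter -R INPUT 3 -s 10.0.10.0/24 -d 10.0.10.62 -i eth0 -p tcp --dport 22 -j ACCEPT
}

# Deleting works either by exact specification or by position, e.g.
#   run -t filter -D INPUT -i lo -j ACCEPT
#   run -t filter -D INPUT 1

# Running the file directly prints the plan; DRY_RUN=0 applies it.
build_host_firewall
```

Run it once with DRY_RUN=1, read the printed plan top to bottom, and only then apply it; the rule numbers in the comments are only valid if the chain was built exactly in this order, which is why tighten_ssh tells you to check --line-numbers first.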

Rule syntax: iptables -t <table> <upper-case sub-command> <chain> <match criteria> -j <target>
targets: only the ones worth knowing here are listed
DROP: discard the packet silently (the sender only sees a timeout)
REJECT: discard the packet and send an error back (ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST instead)
ACCEPT: let the packet through
REDIRECT: redirect the packet to a port on the firewall itself (nat table)
DNAT: destination address translation (nat table)
SNAT: source address translation (nat table)
matching criteria: basic matches and extension matches
1. basic matches
-s: source IP or network
-d: destination IP or network
-i: the interface the packet arrived on (usable in INPUT, FORWARD and PREROUTING)
-o: the interface the packet will leave by (usable in OUTPUT, FORWARD and POSTROUTING)
-p: protocol (tcp, udp, icmp, ...); a rule without -p matches every protocol
--sport: source port; -p tcp or -p udp must come before it, because ports belong to the transport protocol
--dport: destination port (same requirement)
2. extension matches: loaded with -m <extension name>; each extension module has its own options, some of them mandatory. (The plain port-range forms below need only -p tcp, not -m.)
#multiport match#
-p tcp --dport|--sport 20:28: match TCP destination/source ports 20 to 28 (the range must be contiguous)
-p tcp ! --dport|--sport 20:28: match any TCP destination/source port except 20 to 28
-p tcp -m multiport --sports|--dports 20,22,28: match TCP source/destination ports 20, 22 and 28 (the ports need not be contiguous; up to 15 per rule)

#address range match#
-m iprange --src-range 172.16.0.100-172.16.0.200: source address within the range
-m iprange --dst-range 172.16.0.100-172.16.0.200: destination address within the range (useful when the range is not a CIDR block)

#TCP flag match#
-p tcp --tcp-flags SYN,ACK,FIN SYN: the first list is the mask (which flags to examine), the second is which of those must be set; the others in the mask must be clear. This rule therefore matches a packet with SYN set and ACK and FIN clear, i.e. a connection request. --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.
The six TCP flag bits:
SYN (synchronize sequence numbers): set to 1 when establishing a connection.
ACK (acknowledgment): set to 1 when the acknowledgment number is valid, i.e. the packet acknowledges data from the other side.
URG (urgent): set to 1 when the urgent pointer is valid and the data should be handled ahead of the queued data.
PSH (push): set to 1 to ask the receiver to hand the data to the application immediately instead of buffering it.
RST (reset): set to 1 to abort the connection; the other side has to re-establish it if it wants to continue.
FIN (finish): set to 1 when the sender has no more data and wants to close the connection.

#time extension#
-m time
--timestart 08:30:00: start time of day
--timestop 17:30:00: end time of day
--datestart 2015-06-01: start date
--datestop 2015-06-30: end date
--monthdays 1,2,3,4,5: days of the month on which the rule applies
--weekdays 1,2 (or Mon,Tue): days of the week on which the rule applies
Times are interpreted in UTC unless --kerneltz is given, so check that a rule meant for local office hours is written in the right zone.

#string extension#
-m string --algo kmp|bm --string "...": match packets whose payload contains the string; --algo selects the search algorithm (kmp or bm) and is mandatory
-m string --algo kmp --string "sex" -j DROP: drop packets containing "sex". The match looks at each packet on its own, so a string split across two segments, or carried inside TLS, is never seen; treat it as a crude filter, not a content-inspection engine.

#rate extension# used to keep a server from being overwhelmed
-m limit --limit 5/s --limit-burst 8: a token bucket holding 8 tokens, refilled at 5 per second. The first burst of up to 8 packets matches; after that only 5 per second do. Packets over the rate do not match this rule and fall through to the rules below it, so the rule that actually limits them is the DROP that follows.

#packet state extension#
-m state --state NEW/ESTABLISHED/RELATED/INVALID (a front end to connection tracking; -m conntrack --ctstate is the newer equivalent)
NEW: the packet starts a connection the tracker has not seen before. Usually this is a TCP SYN, but a non-SYN packet that belongs to no known connection is also classed NEW, which is why the rule -p tcp ! --syn -m state --state NEW -j DROP is common.
ESTABLISHED: once the tracker has seen a reply, the connection moves from NEW to ESTABLISHED, and every later packet of that connection matches this state.
RELATED: a new connection associated with an existing ESTABLISHED one, for example the FTP data connection opened by an FTP control session, or an ICMP error about an existing connection. A RELATED connection therefore presupposes an ESTABLISHED one.
INVALID: the packet cannot be associated with any known connection, or is malformed (for example an out-of-window TCP segment).
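The extension matches above combined into one INPUT chain, added here as an example (not code from the original article). It shows where each match earns its place: flag combinations that only scanners send, a SYN rate limit done as a custom chain so that the limit's fall-through really ends in DROP, multiport versus a plain range, iprange, time with --kerneltz, a payload string match placed before the ESTABLISHED accept (otherwise it never sees the payload), and rate-limited logging. All ports, the 10.0.10.0/24 and 172.16.0.x addresses, the log prefix and the string are assumed. DRY_RUN=1 (default) only prints the commands.

```shell
#!/bin/sh
# Added example: INPUT chain using multiport, iprange, tcp-flags, time, string,
# limit and state. DRY_RUN=1 (default) prints; DRY_RUN=0 applies as root.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# --tcp-flags MASK SET: examine only the flags in MASK, match when exactly SET
# are on. These combinations do not occur in legitimate traffic; they are
# port-scan signatures (NULL, XMAS, SYN+FIN, SYN+RST).
drop_bogus_tcp() {
    run -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    run -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    run -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    run -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    run -A INPUT -p tcp ! --syn -m state --state NEW -j DROP   # a NEW connection must start with SYN
}

build_input_rules() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    # Payload match (assumed string). It must sit ABOVE the ESTABLISHED accept:
    # the packet carrying the HTTP request belongs to an established connection
    # and would otherwise be accepted before this rule is reached. Still crude:
    # split the string across segments, or use TLS, and it is not seen.
    run -A INPUT -p tcp --dport 80 -m string --algo bm --string "../../etc/passwd" -j DROP
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to what we started
    run -A INPUT -m state --state INVALID -j DROP
    drop_bogus_tcp

    # SYN rate limit as a custom chain: while the bucket (8 tokens, refilled at
    # 5/s) has tokens the packet RETURNs to INPUT; beyond that it hits DROP.
    # Appending the limit rule directly in INPUT would let excess SYNs fall
    # through to whatever ACCEPT comes next.
    run -N syn_flood
    run -A syn_flood -m limit --limit 5/s --limit-burst 8 -j RETURN
    run -A syn_flood -j DROP
    run -A INPUT -p tcp --syn -j syn_flood

    # Non-contiguous ports in one rule (plain --dport takes one port or a range).
    run -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
    # A contiguous range needs no extension.
    run -A INPUT -p tcp --dport 20:21 -s 10.0.10.0/24 -j ACCEPT
    # An address range that is not a CIDR block.
    run -A INPUT -p tcp --dport 3306 -m iprange --src-range 172.16.0.100-172.16.0.200 -j ACCEPT
    # Office hours only; --kerneltz makes xt_time use the kernel's local zone
    # instead of UTC.
    run -A INPUT -p tcp --dport 8080 -m time --timestart 08:30 --timestop 17:30 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j ACCEPT

    # Log what is left at a bounded rate so an attacker cannot flood the log,
    # then drop. The policy is not relied on: the explicit DROP is the last rule.
    run -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "IPT-INPUT-DROP:"
    run -A INPUT -j DROP
}

build_input_rules
```

After applying with DRY_RUN=0, watch the counters with iptables -L INPUT -n -v --line-numbers: the syn_flood DROP counter climbing during a SYN flood, and the string rule's counter staying at zero when the request is split across packets, are the two behaviours the comments describe.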

iptables NAT functions:
1. SNAT, source address translation:

The IP configuration of the client, the firewall and the back-end server is shown in the figure, and routing on the firewall is enabled (net.ipv4.ip_forward=1). With that alone the client can ping the back-end server but, in this setup, cannot reach its web service. The NAT function of iptables fixes this by rewriting the source address of packets from the client's 10.0.10.0 segment to the firewall's own address 192.168.0.4 before they go on to the web server:
iptables -t nat -A POSTROUTING -s 10.0.10.0/16 -j SNAT --to-source 192.168.0.4
(iptables normalizes 10.0.10.0/16 to 10.0.0.0/16; if only the 10.0.10.0 segment is meant, write 10.0.10.0/24.)

2. DNAT, destination address translation:
Continuing the example above: if the client should reach the web server by visiting the firewall's inner address 10.0.10.62 instead of 192.168.0.110, rewrite the destination before routing:
iptables -t nat -A PREROUTING -d 10.0.10.62 -j DNAT --to-destination 192.168.0.110
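The SNAT and DNAT rules above as a complete gateway setup, added here as an example (not code from the original article). It adds the two things the bare nat rules leave out: the sysctl that turns forwarding on, and the FORWARD rules that the translated packets must still pass. The topology is assumed from the article's figure: LAN 10.0.10.0/24 on eth0 with the firewall at 10.0.10.62, outer side eth1 with 192.168.0.4, web server 192.168.0.110; interface names and the /24 are assumptions. DRY_RUN=1 (default) only prints the commands.

```shell
#!/bin/sh
# Added example: SNAT + DNAT gateway with forwarding and FORWARD rules.
# DRY_RUN=1 (default) prints; DRY_RUN=0 applies as root.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
# Assumed topology (from the article's figure).
LAN_NET="10.0.10.0/24"
LAN_IF="eth0"
FW_LAN_IP="10.0.10.62"
WAN_IF="eth1"
WAN_IP="192.168.0.4"
WEB_SERVER="192.168.0.110"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

sysctl_fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "sysctl -w $*"
    else
        sysctl -w "$@"
    fi
}

build_nat_gateway() {
    # Without forwarding the kernel discards transit packets before the
    # FORWARD chain is ever reached. This sets it for the running kernel only;
    # put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it.
    sysctl_fw net.ipv4.ip_forward=1
    run -t nat -F
    run -t filter -F FORWARD

    # SNAT (after routing): LAN sources leaving on the outer interface get the
    # firewall's outer address. Binding to -o keeps LAN-to-firewall traffic
    # untouched. If WAN_IP is dynamic, use -j MASQUERADE without --to-source.
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"

    # DNAT (before routing): clients that connect to the firewall's inner
    # address on :80 are steered to the web server. Matching on -i, -d and
    # --dport means only that traffic is rewritten, nothing else that is
    # addressed to the firewall.
    run -t nat -A PREROUTING -i "$LAN_IF" -d "$FW_LAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"

    # The nat table only rewrites addresses; the packets must still be allowed
    # through FORWARD, which sees them with the translated destination.
    run -t filter -P FORWARD DROP
    run -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Check the translations: nat rules with counters, and the tracked flows, which
# show both the original and the rewritten address tuple (conntrack-tools).
show_nat_state() {
    run -t nat -L -n -v --line-numbers
    if [ "$DRY_RUN" = "1" ]; then echo "conntrack -L"; else conntrack -L; fi
}

build_nat_gateway
```

If a DNAT rule "does not work", the usual cause is one of the three things this script makes explicit: forwarding off, a FORWARD policy of DROP with no matching accept, or a FORWARD rule written against the pre-translation address.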

Saving the firewall:
service iptables save: save the current rules (on RHEL/CentOS 6, to /etc/sysconfig/iptables)
service iptables restart: restart the firewall, reloading the saved rules
Rules loaded with iptables live only in kernel memory and are gone after a reboot unless saved; on distributions without the iptables service, use iptables-save to write them to a file and iptables-restore to load them at boot.

The effect of rule order:
Rules in a chain are tried from top to bottom and the first one that matches decides; the rules below it are never consulted for that packet. The chain's default policy (-P) applies only when no rule matched, so it is effectively the last match.
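The ordering point made concrete, added here as an example (not code from the original article): the same ACCEPT rule appended below a catch-all DROP versus inserted above it, the listing that reveals a shadowed rule through its counters, and the distribution-neutral way to persist the result. The ssh port and the rules file path are assumed. DRY_RUN=1 (default) only prints the commands.

```shell
#!/bin/sh
# Added example: -A versus -I, checking for shadowed rules, persisting rules.
# DRY_RUN=1 (default) prints; DRY_RUN=0 applies as root.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # assumed path

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Wrong: -A appends below the catch-all DROP, so the ACCEPT is never evaluated
# and ssh stays blocked, although "iptables -L" shows an ACCEPT rule for it.
shadowed_ssh() {
    run -A INPUT -j DROP
    run -A INPUT -p tcp --dport 22 -j ACCEPT
}

# Right: -I INPUT 1 inserts at position 1, above the DROP. To place a rule
# relative to an existing one, read that rule's number from --line-numbers
# and insert at that index; the old rule and everything below shift down.
reachable_ssh() {
    run -A INPUT -j DROP
    run -I INPUT 1 -p tcp --dport 22 -j ACCEPT
}

# Check: positions plus packet counters. A rule whose traffic is being blocked
# while its pkts column never moves is shadowed by a rule above it.
show_input() {
    run -t filter -L INPUT -n -v --line-numbers
}

# Rules exist only in kernel memory. "service iptables save" is specific to
# RHEL/CentOS 6; iptables-save works everywhere and its output is restored
# with iptables-restore < "$RULES_FILE" at boot.
persist_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables-save > $RULES_FILE"
    else
        iptables-save > "$RULES_FILE"
    fi
}

reachable_ssh
show_input
persist_rules
```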

Origin http://43.154.161.224:23101/article/api/json?id=326009382&siteId=291194637