table of Contents

Firewall iptables

filter

3 chains of filter

filter rule write

Basic syntax of iptables

Precautions:

Basic control type of data packet

SNAT mode (source address translation)

DNAT mode (target address translation)

Firewall iptables

iptables tool

4 functions (table):

raw is not often configured
Mangle is not often configured
nat
filter

filter

Packet filtering firewall

View detailed rules of filter

iptables -t filter -nvL

3 chains of filter

Each table has a place to write rules (chain)

INPUT inbound chain

Note: The rule is to match from top to bottom one by one.

FORWARD forwarding rule chain

(When the source address 192.168.1.1 and the destination address 172.16.1.20 are not local)

For iptables -t filter -nvl

watch -n1 iptables -t filter -nvl

OUTPUT outbound chain

filter rule write

format

iptables -t filter -I INPUT -p tcp --dport 90 -j ACCEPT

View the filter rule table:

In this way, we can access this server's website externally.

Basic syntax of iptables

Precautions:

When the table name is not specified, it points to the filter table by default
When no chain name is specified, all chains in the default table
Unless the default policy of the chain is set, the matching conditions must be specified
Use small and large letters for options, chain names, and control types, and the rest are lowercase

Basic control type of data packet

ACCEPT is allowed to pass
DOROP drops directly without giving any prompt
REJECT refuses to pass, give a prompt if necessary
LOG records log information, and then passes to the next rule to continue matching

We can actually operate (icmp protocol PING) to see the difference of DOROP REJECT

REJECT

Write rule

iptables -I FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP

DROP

Note: The same rule takes effect at the top

Add new rules

-A append a rule at the end of the chain
-I Insert a rule at the beginning of the chain (or specify the serial number)

E.g:

View rule list

-L List all rule entries
-n Display address and port information in the form of numbers
-v Display rule information in a more detailed way
-line-number When viewing rules, display the rule number

Delete, clear rules

-D delete a rule with a specified sequence number (or content) in the chain
-F Clear all rules

Delete the rule corresponding to sequence number 2 in the EORWARD chain

iptables -D FORWARD 2

Clear all the rules in the FORFARD chain

iptables -F FORWARD

When we emptied, did the rules disappear?

The firewall saves its original configuration by default, as long as the service of the iptables firewall is restarted, its previous rules will come out

service iptables restart

Specify the default policy

-P

Note: The only choices for the default strategy are DROP and ACCEPT

Change FORWARD's default strategy to DROP

iptables -P FORWARD DROP

Match condition

Common universal matching conditions

Protocol match -p [protocol name]
Address match -s [source address] -d [destination address]
Interface matching -i [inbound network card], -o [outbound network card]

Common implicit matching conditions

Port matching --sport [source port], --dport [destination port]
TCP flag port --tcp-flags [check range] [flag set]
ICMP type matching --icmp-type [ICMP type]

E.g:

ICMP type: 8 requests 0 echo 3 unreachable

Common display matching conditions

Multi-port matching -m multiport-sport [source port list], -m multiport-sport [destination port list]
IP range matching -m iprange --src-range [IP range]
MAC address matching -m mac --mac-source [MAC address]