Table and chain structure of iptables
Rule chain
- The role of rules: filtering or processing data packets
- The role of the chain: to accommodate various firewall rules
- The basis for classifying chains: the point in the packet's path at which the rules are applied (different processing timing)
5 types of rule chains are included by default
- INPUT: Process inbound packets
- OUTPUT: Process outbound packets
- FORWARD: Process forwarding packets
- POSTROUTING: Process data packets after routing
- PREROUTING: Process data packets before routing
Rule table
- The role of the table: to accommodate various rule chains
- The basis for dividing tables: firewall rules with a similar role are grouped in the same table
4 rule tables included by default
- raw table: Decides whether the packet is subject to connection (state) tracking
- mangle table: Sets marks on packets
- nat table: Modifies the source or destination IP address or port of the packet
- filter table: Decides whether to let the packet through (filtering)
Schematic diagram of the default table and chain structure
The matching process of packet filtering
Order between rule tables
- raw → mangle → nat → filter
Order between rule chains
- Inbound: PREROUTING → INPUT
- Outbound: OUTPUT → POSTROUTING
- Forwarding: PREROUTING → FORWARD → POSTROUTING
Match order within the rule chain
- Rules are checked in order, and matching stops at the first rule that matches (except for the LOG control type, after which matching continues)
- If no rule matches, the packet is handled according to the chain's default policy
Schematic diagram of matching process
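To make the in-chain matching order concrete, here is an added example (not part of the original notes) that simulates one chain walking a constructed list of "proto dport target" rules: the first terminating match decides, LOG records and continues, and a packet that matches nothing falls through to the chain's default policy.

```shell
#!/bin/sh
# Added example (not from the original notes): simulate how one iptables chain
# walks its rules for a packet. Each constructed rule is "proto dport target";
# "any" matches every value. The first matching rule with a terminating target
# (ACCEPT/DROP/REJECT) decides; LOG only records and lets matching continue; if
# no rule matches, the chain's default policy (set with -P) decides.
INPUT_RULES='tcp 22 ACCEPT
tcp 80 ACCEPT
icmp any LOG
icmp any DROP
udp 53 REJECT'

# evaluate_chain RULES POLICY PROTO DPORT
# Prints the targets hit in order, e.g. "LOG,DROP", or "policy:DROP" when the
# packet falls through to the default policy.
evaluate_chain() {
    rules=$1; policy=$2; proto=$3; dport=$4
    trail=""; verdict=""
    while IFS=' ' read -r r_proto r_port r_target; do
        if [ -z "$r_proto" ]; then continue; fi
        if [ "$r_proto" != any ] && [ "$r_proto" != "$proto" ]; then continue; fi
        if [ "$r_port" != any ] && [ "$r_port" != "$dport" ]; then continue; fi
        trail="${trail}${trail:+,}$r_target"
        if [ "$r_target" != LOG ]; then
            verdict=$r_target      # terminating target: stop walking the chain
            break
        fi
    done <<EOF
$rules
EOF
    if [ -z "$verdict" ]; then
        trail="${trail}${trail:+,}policy:$policy"
    fi
    printf '%s\n' "$trail"
}

# Stand-alone demonstration (the chain's default policy is DROP):
evaluate_chain "$INPUT_RULES" DROP tcp 80     # ACCEPT
evaluate_chain "$INPUT_RULES" DROP icmp -     # LOG,DROP
evaluate_chain "$INPUT_RULES" DROP tcp 443    # policy:DROP
```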
**Note:** CentOS 7 uses the firewalld firewall by default; to use the iptables firewall, you must first turn off firewalld
iptables installation
- Turn off firewalld firewall
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service
- Install iptables firewall
[root@localhost ~]# yum -y install iptables iptables-services
- Start iptables and set it to start at boot
[root@localhost ~]# systemctl start iptables.service
[root@localhost ~]# systemctl enable iptables.service
The basic syntax of iptables
- Grammatical composition
- iptables -t table-name option chain-name matching-conditions -j control-type
[root@localhost ~]# iptables -t filter -I INPUT -p icmp -j REJECT
Precautions
- When the table name is not specified, it refers to the filter table by default
- When the chain name is not specified, it refers to all chains in the table by default
- Except when setting the default policy of a chain, matching conditions must be specified
- Options, chain names and control types are written in uppercase; everything else is lowercase
Common control types of data packets
- ACCEPT: Allow to pass
- DROP: drop directly without giving any response
- REJECT: Refuse to pass, and send an error response to the sender when needed
- LOG: record log information, and then pass it to the next rule to continue matching
Summary of common management options
Category | Option | Purpose
---|---|---
Add new rule | -A | Add a rule to the end of the chain
Add new rule | -I | Insert a rule at the beginning of the chain (or at a specified sequence number)
View the list of rules | -L | List all rule entries
View the list of rules | -n | Display addresses, ports and other information in numeric form
View the list of rules | -v | Display rule information in more detail
View the list of rules | --line-numbers | Display the sequence number of each rule when viewing rules
Delete and clear rules | -D | Delete the rule with the specified sequence number (or content) from the chain
Delete and clear rules | -F | Delete (flush) all rules
Set default policy | -P | Set the default policy for the specified chain
Rule matching condition
Common general matching conditions
- Protocol match: -p protocol name
- Address matching: -s source address -d destination address
- Interface matching: -i inbound network card -o outbound network card
Commonly used implicit matching conditions
- Port matching: --sport source port --dport destination port
- ICMP type matching: --icmp-type ICMP type
Example:
iptables -I INPUT -p icmp -j DROP
iptables -A INPUT -i ens33 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -s 192.168.4.0/24 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
Note: ICMP type 8: echo request, 0: echo reply, 3: destination unreachable
Common explicit matching conditions
Multi-port matching:
- -m multiport --sports source port list
- -m multiport --dports destination port list
IP range matching:
- -m iprange --src-range IP range
MAC address matching:
- -m mac --mac-source MAC address
Status match:
- -m state --state connection state
Examples:
iptables -A INPUT -p tcp -m multiport --dports 25,80,110 -j ACCEPT
iptables -A FORWARD -p tcp -m iprange --src-range 192.168.4.21-192.168.4.28 -j ACCEPT
iptables -A INPUT -m mac --mac-source 00:0c:29:c0:55:3f -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
Common connection states:
- NEW: not related to any existing connection
- ESTABLISHED: a response to a request, or part of an already established connection
- RELATED: related to an existing connection, such as an FTP data connection
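The following added example (not part of the original notes) combines the general, implicit and explicit matches from this section into one filter-table ruleset in the format that iptables-save emits and iptables-restore loads, with a helper that checks rule order before loading. The LAN 192.168.4.0/24, the service ports 25,80,110 and the ICMP handling are constructed from the page's own examples.

```shell
#!/bin/sh
# Added example (not part of the original notes): compose the matches from this
# section into one ruleset in iptables-restore format. Constructed values:
LAN=192.168.4.0/24        # trusted LAN, as in the page's examples
SERVICE_PORTS=25,80,110   # ports the server offers, as in the multiport example

# build_ruleset -> prints a filter-table ruleset for iptables-restore.
# Order matters because the first terminating match wins: ESTABLISHED,RELATED
# is accepted before anything else so replies to the host's own traffic are not
# blocked by the DROP policy, and LOG precedes DROP because LOG does not stop
# matching (the next rule, DROP, still decides).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $SERVICE_PORTS -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -s $LAN -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j LOG --log-prefix "icmp-drop: "
-A INPUT -p icmp --icmp-type 8 -j DROP
-A FORWARD -s $LAN -p udp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# rule_index PATTERN -> line number of the first ruleset line containing
# PATTERN, so the ordering described above can be verified before loading.
rule_index() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Stand-alone demonstration: print the ruleset and confirm the state rule
# comes before the port rule and LOG comes before the ICMP DROP.
build_ruleset
if [ "$(rule_index ESTABLISHED)" -lt "$(rule_index multiport)" ] \
   && [ "$(rule_index 'j LOG')" -lt "$(rule_index 'icmp-type 8 -j DROP')" ]; then
    echo "rule order OK"
fi
```

Save the output to a file and load it with iptables-restore; on CentOS 7 the iptables-services package installed above reads /etc/sysconfig/iptables in this same format at boot.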
Summary:
iptables firewall includes 4 tables and 5 chains by default
The basic syntax of iptables
iptables common management options
- -A, -I, -L, -n, -v, --line-numbers, -D, -F, -P
iptables rule matching conditions
- General match, implicit match, explicit match