Linux: iptables firewall commonly used commands

Table and chain structure of iptables

  • Rule chain

    • The role of rules: filtering or processing data packets
    • The role of the chain: to accommodate various firewall rules
    • Basis for classifying chains: the point in the packet's path at which the rules are applied
  • 5 types of rule chains are included by default

    • INPUT: Process inbound packets
    • OUTPUT: Process outbound packets
    • FORWARD: Process forwarding packets
    • POSTROUTING chain: Process data packets after routing
    • PREROUTING chain: processing data packets before routing
  • Rule table

    • The role of the table: to accommodate various rule chains
    • Basis for dividing tables: rules with a similar role are grouped into the same table
  • 4 rule tables included by default

    • raw table: Determine whether to track the status of the packet
    • mangle table: set flags for packets
    • nat table: modify the source, destination IP address or port in the data packet
    • filter table: decide whether to let the packet through (filtering)
  • Schematic diagram of the default table and chain structure


The matching process of packet filtering

  • Order between rule tables

    • raw → mangle → nat → filter
  • Order between rule chains

    • Inbound: PREROUTING → INPUT
    • Outbound: OUTPUT → POSTROUTING
    • Forwarding: PREROUTING → FORWARD → POSTROUTING
  • Match order within the rule chain

    • Rules are checked in order and matching stops at the first rule that matches (the LOG target is the exception: after logging, matching continues with the next rule)
    • If no rule matches, the packet is handled according to the chain's default policy

Schematic diagram of matching process


Note: CentOS 7 uses the firewalld firewall by default; to use the iptables firewall you must first stop firewalld.

iptables installation

  • Turn off the firewalld firewall
      [root@localhost ~]# systemctl stop firewalld.service
      [root@localhost ~]# systemctl disable firewalld.service
  • Install the iptables firewall
      [root@localhost ~]# yum -y install iptables iptables-services
  • Start iptables and enable it at boot
      [root@localhost ~]# systemctl start iptables.service
      [root@localhost ~]# systemctl enable iptables.service

The basic syntax of iptables

  • Syntax
    • iptables -t <table name> <option> <chain name> <matching conditions> -j <control type>
      [root@localhost ~]# iptables -t filter -I INPUT -p icmp -j REJECT
  • Precautions

    • When the table name is not specified, it refers to the filter table by default
    • When the chain name is not specified, it refers to all chains in the table by default
    • Unless the default policy of the chain is set, matching conditions must be specified
    • Management options, chain names and control types are written in uppercase; everything else in lowercase
  • Common control types of data packets

    • ACCEPT: Allow to pass
    • DROP: drop directly without giving any response
    • REJECT: refuse the packet and, where appropriate, send an error response back to the sender
    • LOG: record log information, and then pass it to the next rule to continue matching
  • Summary of common management options

  Category                  Option           Use
  Add new rule              -A               Append a rule to the end of the chain
  Add new rule              -I               Insert a rule at the beginning of the chain (or at the given rule number)
  View the list of rules    -L               List all rule entries
  View the list of rules    -n               Display addresses, ports and other information in numeric form
  View the list of rules    -v               Display rule information in more detail
  View the list of rules    --line-numbers   Display the number of each rule when listing
  Delete and clear rules    -D               Delete the rule with the given number (or matching content) from the chain
  Delete and clear rules    -F               Delete (flush) all rules
  Set default policy        -P               Set the default policy for the given chain
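A practical caveat for -D with rule numbers: once one rule is deleted, every rule below it moves up by one, so deleting several rules in ascending order hits the wrong entries. The script below is an added example (not from the original post) that takes the listing produced by iptables -L <chain> -n --line-numbers, selects the rules matching a pattern, and emits the corresponding iptables -D commands in descending order so the numbers stay valid. The listing it works on is a constructed sample; on a real host substitute the live listing as shown in the trailing comment.

```shell
#!/bin/sh
# Added example (not from the original post): find the rules in a chain that
# match a pattern and emit "iptables -D CHAIN N" commands in DESCENDING order.
# Deleting by ascending number would renumber the remaining rules after each
# delete and remove the wrong ones.
#
# Assumption: the listing is the text of "iptables -L <chain> -n --line-numbers".

# Constructed sample listing (not real output from any host).
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    DROP       icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0            tcp dpt:80
5    DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8'

# delete_commands CHAIN PATTERN LISTING
# Prints one "iptables -D CHAIN N" line per rule whose listing line matches
# PATTERN (an awk regular expression), highest rule number first.
delete_commands() {
    chain=$1
    pattern=$2
    listing=$3
    printf '%s\n' "$listing" \
      | awk -v pat="$pattern" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' \
      | sort -rn \
      | awk -v chain="$chain" '{ print "iptables -D " chain " " $1 }'
}

# Usage: list the commands that would remove every rule dropping ICMP from INPUT.
delete_commands INPUT 'DROP +icmp' "$SAMPLE_LISTING"
# On a real host (as root), review the output and then pipe it to sh:
#   delete_commands INPUT 'DROP +icmp' "$(iptables -L INPUT -n --line-numbers)" | sh
```

The pattern is matched against the whole listing line, so it can select on target, protocol, address or port text; the rule number is only ever taken from the first column, and the descending sort is what keeps the second and later deletes pointing at the rules they were computed for.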

Rule matching condition

Common general matching conditions

  • Protocol match: -p protocol name
  • Address matching: -s source address -d destination address
  • Interface matching: -i inbound network card -o outbound network card

Commonly used implicit matching conditions

  • Port matching: --sport source port --dport destination port
  • ICMP type matching: --icmp-type ICMP type

Examples:

  iptables -I INPUT -p icmp -j DROP
  iptables -A INPUT -i ens33 -s 192.168.0.0/16 -j DROP
  iptables -A FORWARD -s 192.168.4.0/24 -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -j DROP

Note: ICMP type 8 is echo request, 0 is echo reply, 3 is destination unreachable.

Common display matching conditions

Multi-port matching:

  • -m multiport --sports source port list
  • -m multiport --dports destination port list

IP range matching:

  • -m iprange --src-range IP range

MAC address matching:

  • -m mac --mac-source MAC address

Status match:

  • -m state --state connection state

Examples:

  iptables -A INPUT -p tcp -m multiport --dports 25,80,110 -j ACCEPT
  iptables -A FORWARD -p tcp -m iprange --src-range 192.168.4.21-192.168.4.28 -j ACCEPT
  iptables -A INPUT -m mac --mac-source 00:0c:29:c0:55:3f -j ACCEPT
  iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

Common connection states:

  • NEW: not related to any existing connection
  • ESTABLISHED: a reply to a request, or part of a connection that is already established
  • RELATED: related to an existing connection, such as an FTP data connection
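The pieces above (basic syntax, default policy, port and ICMP matches, the multiport extension and state matching) come together in an INPUT policy. The script below is an added example, not the original post's code, and it also serves the earlier syntax section: it rebuilds INPUT in an order that reflects the matching rules described on this page, with the ESTABLISHED,RELATED rule first, specific ACCEPT rules next, a LOG rule (which does not stop matching) just before the end, and the DROP default policy set last. The interface name ens33 and the admin network 192.168.4.0/24 are placeholders; the -m limit extension used to rate-limit the log rule is a standard iptables match that the page itself does not cover. By default the script only prints the commands; it executes them only when APPLY=1 is set and it is run as root.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful INPUT policy.
# Order matters: return traffic is accepted first, explicit allows follow,
# LOG sits just before the end, and the default policy is set last.
#
# Assumptions: iptables is installed; WAN_IF and ADMIN_NET below are
# placeholders to adapt. Commands are printed unless APPLY=1 is set.

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}
WAN_IF=${WAN_IF:-ens33}
ADMIN_NET=${ADMIN_NET:-192.168.4.0/24}

# run: execute an iptables command when APPLY=1, otherwise print it.
run() {
    if [ "$APPLY" = 1 ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$IPT $*"
    fi
}

# apply_input_policy: flush INPUT and rebuild it in a safe order.
apply_input_policy() {
    run -F INPUT
    # 1. Stateful shortcut: replies to our own connections and related flows
    #    (e.g. FTP data channels) are accepted before anything else is checked.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Loopback traffic is always allowed.
    run -A INPUT -i lo -j ACCEPT
    # 3. Packets with no valid connection state are dropped here rather than
    #    being allowed to fall through to the allow rules below.
    run -A INPUT -m state --state INVALID -j DROP
    # 4. New SSH connections only from the admin network on the external interface.
    run -A INPUT -i "$WAN_IF" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 5. New web connections from anywhere, using the multiport extension.
    run -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # 6. ICMP echo request (type 8) allowed so the host stays pingable.
    run -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    # 7. LOG does not stop matching: what reaches here is logged (rate-limited)
    #    and then handled by the chain's default policy.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP:"
    # 8. Default policy last, so an error above cannot lock us out part-way through.
    run -P INPUT DROP
}

# count_rules: number of commands the policy issues (checked in print mode).
count_rules() {
    ( APPLY=0; apply_input_policy ) | wc -l | tr -d ' '
}

apply_input_policy
```

Run it once without APPLY to review the generated commands, then APPLY=1 sh <script> as root to load them; the service installed earlier (iptables-services) is what persists the result across reboots, so save the ruleset afterwards with the tooling that package provides.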

Summary:

  • The iptables firewall includes 4 tables and 5 chains by default

The basic syntax of iptables

iptables common management options

  • -A, -I, -L, -n, -v, --line-numbers, -D, -F, -P

iptables rule matching conditions

  • General match, implicit match, explicit match


Source: blog.csdn.net/weixin_48190875/article/details/107823656