iptables related teaching

  1. Introduction to the iptables firewall
    iptables, the user-space front end to the Linux netfilter framework, is a free and capable packet-filtering firewall tool that ships with Linux. It is powerful and flexible, and gives fine-grained control over the packets flowing into, out of, and through the server. iptables is an integrated module of the Linux 2.4 and 2.6 kernels.

  2. iptables service related commands

    1. Check iptables status: service iptables status
    2. Turn iptables on/off: service iptables start/service iptables stop
    3. Check whether iptables is started: chkconfig iptables --list
    4. Set iptables to start/not start at boot: chkconfig iptables on / chkconfig iptables off

  3. How iptables works
    iptables has four tables: filter, nat, mangle and raw. Each table contains its own set of chains; the most commonly used table is filter.
     filter table

    filter is the default table used by iptables; it is responsible for filtering the packets flowing into and out of the machine. Three chains are defined in this table:
    INPUT filters all packets whose destination address is an address of this machine, that is, packets entering the host.
    FORWARD handles packets that pass through this machine without being destined for it, that is, it performs forwarding.
    OUTPUT handles all packets whose source address is a local address, that is, packets sent by the host.

4. Detailed explanation of iptables related commands

View help:
iptables -h
man iptables
List iptables rules:
iptables -L -n
List iptables rules with their rule numbers:
iptables -L -n --line-numbers
List the rules of the nat table (the default is the filter table):
iptables -L -n -t nat
Clear the default rules (note that the default is the filter table; add -t nat to operate on the nat table).
Clear all rules:
iptables -F
Restart iptables and you will find that the rules still exist, because the
service iptables restart
Save the configuration:
service iptables save
Prohibit ssh login (be careful if the server is in a remote machine room):
iptables -A INPUT -p tcp --dport 22 -j DROP
Delete a rule:
iptables -D INPUT -p tcp --dport 22 -j DROP

-A, --append chain: append the rule to the end of the chain
-D, --delete chain [rulenum]: delete rule rulenum (1 = first) from the chain
-I, --insert chain [rulenum]: insert into the chain as rule rulenum (default 1 = first), i.e. at the top of the chain
-p, --proto proto: protocol, by number or name, e.g. 'tcp'; common protocols are tcp, udp, icmp, all
-j, --jump target: the common targets are ACCEPT, DROP and REJECT; REJECT is generally not used, since it is considered a security risk
Note: keywords such as INPUT and DROP must be written in capitals

Prohibit the 192.168.33.0/24 network segment from accessing the host through the eth0 interface, while still allowing ssh from 192.168.33.61:
iptables -A INPUT -p tcp -i eth0 -s 192.168.33.0/24 -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -s 192.168.33.61 -j ACCEPT
Note: rules are evaluated from the top down and the first match wins, so the ACCEPT rule is inserted (-I) above the DROP rule; appended after it with -A it would never be reached.

Prohibit all traffic from any ip address other than 192.168.10.10:
iptables -A INPUT ! -s 192.168.10.10 -j DROP

Prohibit ping requests (ICMP echo request, type 8) from any ip address other than 192.168.10.10:
iptables -I INPUT -p icmp --icmp-type 8 ! -s 192.168.10.10 -j DROP
Extension matching: 1. implicit extensions 2. explicit extensions
#Implicit extensions (loaded automatically by -p)
-p tcp
--sport PORT   source port
--dport PORT   destination port
#Explicit extensions: additional matching rules loaded with -m
-m EXTENSION --SUB-OPT
-p tcp --dport 22 has the same effect as -p tcp -m tcp --dport 22
state: the state extension; it uses ip_conntrack to track the status of a session
NEW: a new connection request
ESTABLISHED: an already established connection
INVALID: an illegal connection (a packet the tracker cannot associate with any connection)
RELATED: an associated connection (one related to an existing connection)

Match a port range:
iptables -I INPUT -p tcp --dport 22:80 -j DROP

Match multiple ports:
iptables -I INPUT -p tcp -m multiport --dport 22,80,3306 -j ACCEPT

Do not allow packets with source port 80 to leave the host:
iptables -I OUTPUT -p tcp --sport 80 -j DROP
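The filter-table rules explained above, combined into one reviewable ruleset, as an added example that is not part of the original post. It assumes a management subnet of 192.168.33.0/24 on eth0 and services on ports 22, 80 and 3306 (neither is from the page), uses the state, multiport and icmp extensions described in this section, and prints the ruleset unless run with --apply.

```shell
#!/bin/sh
# Added example, not from the original post: build the filter-table ruleset
# described above in iptables-restore format so it can be reviewed before
# loading. Assumed values (not from the page): management subnet
# 192.168.33.0/24, interface eth0, services on ports 22, 80 and 3306.
MGMT_NET="${MGMT_NET:-192.168.33.0/24}"
IFACE="${IFACE:-eth0}"

# Print the ruleset. iptables evaluates rules top to bottom and stops at the
# first match, so the stateful ACCEPT comes before any DROP or the policy.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# packets belonging to connections already tracked by ip_conntrack
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets the connection tracker cannot classify
-A INPUT -m state --state INVALID -j DROP
# ssh only from the management subnet on the management interface
-A INPUT -p tcp -i $IFACE -s $MGMT_NET --dport 22 -m state --state NEW -j ACCEPT
# ping (ICMP echo request, type 8) from the management subnet only
-A INPUT -p icmp --icmp-type 8 -s $MGMT_NET -j ACCEPT
# several service ports in one rule (multiport extension)
-A INPUT -p tcp -m multiport --dports 80,3306 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules that ACCEPT new TCP connections: a quick check that
# nothing beyond the intended ports is opened.
count_new_tcp_accepts() {
    build_ruleset | grep -c -- '-p tcp .*--state NEW -j ACCEPT'
}
# Line number of the first rule matching a pattern, used to verify ordering.
rule_index() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Load the ruleset only when explicitly asked (needs root and iptables-restore);
# by default just print it for review.
if [ "${1:-}" = "--apply" ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```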

Source: blog.csdn.net/bigcharsen/article/details/55222924