Small c to learn Linux (32)--iptables configuration

Iptables

iptables is a command-line tool for configuring the Linux kernel firewall and is part of the netfilter project. The term iptables is also often used for the kernel-level firewall itself. iptables can be configured directly or through one of many front ends and graphical interfaces. iptables handles IPv4; ip6tables handles IPv6.


basic concept

iptables can inspect, modify, forward, redirect and drop IPv4 packets. The code that filters IPv4 packets is built into the kernel and is organized into a set of tables, each for a different purpose. A table consists of a set of predefined chains, and a chain holds rules that are traversed in order. Each rule contains a potential match (a predicate) and a corresponding action, called a target, which is executed if the predicate is true, that is, if the packet matches the conditions. iptables is the user-space tool that lets users manage these chains and rules. Many newcomers are put off by the complexity of Linux IP routing, but the most common use cases (NAT or a basic network firewall) are actually not that complicated. –ArchWiki


Tables

iptables has 4 tables:

  1. raw is used to configure exemptions from connection tracking; packets matched here are not tracked by the system.
  2. filter is the default table, used for all ordinary firewall-related operations.
  3. nat is used for network address translation (for example port forwarding).
  4. mangle is used for specialised packet alterations (packet mangling).

In most cases you only need to use filter and nat.

chains

There are 5 chains:

  1. PREROUTING
  2. INPUT
  3. FORWARD
  4. OUTPUT
  5. POSTROUTING

Tables consist of chains, and a chain is an ordered list of rules. The default filter table contains three built-in chains, INPUT, OUTPUT and FORWARD, which act at different points in the packet filtering process (refer to the flowchart). The nat table contains the PREROUTING, POSTROUTING and OUTPUT chains.

By default, no chain contains any rules; you add your own. Each chain has a default policy, usually ACCEPT, which can be changed to DROP if you want to be sure that nothing slips through the ruleset. The default policy only applies at the end of a chain, so a packet has to pass through all existing rules in the chain before the default policy takes effect.

Users can also add their own user-defined chains, which makes the ruleset more efficient and easier to modify.

1) Operations on user-defined chains

# The filter table is used when no -t table is given

# Add a user-defined chain to a table
iptables [-t table] -N chain_name

# Delete a user-defined chain (it must be empty and unreferenced)
iptables -X chain_name

# Rename a user-defined chain
iptables -E old_chain_name new_chain_name

2) Operations on chains

# Set the default policy (target) for a chain
iptables -P chain_name target

# Flush all rules from a chain
iptables -F chain_name

# List all chains in the table and their rules; -n prints addresses and ports numerically, -v prints verbose counters
iptables -L [-n] [-v]
iptables -L -n -v

Columns of the verbose listing:

  • pkts: number of packets matched by this rule
  • bytes: total size of all packets matched by this rule (shown with K/M/G unit conversion)
  • target: the target, i.e. the processing mechanism applied on a match
  • prot: protocol (e.g. TCP)
  • opt: options
  • in: interface the packet came in on
  • out: interface the packet goes out on
  • source: source address
  • destination: destination address
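The following added example (not part of the original post) parses the verbose listing described above, using a constructed sample of iptables -L INPUT -n -v output, to find rules that have never matched and to total the bytes per target. The K/M/G suffixes of the bytes column are rounded decimal multiples, so the totals are approximate unless -x is used.

```shell
#!/bin/sh
# Added example, not from the original post: work with "iptables -L -n -v"
# output. LISTING is constructed sample output for an INPUT chain.
LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1520  150K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   180 ACCEPT     tcp  --  eth0   *       172.16.100.0/24      172.16.100.7         tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            172.16.100.7         multiport dports 80,443
   40  2400 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 10 LOG flags 0 level 4 prefix "IPT-DROP: "'

# Default policy and how many packets it has handled ("DROP 12" here).
policy_summary() {
    printf '%s\n' "$LISTING" | awk 'NR == 1 { print $4, $5 }'
}

# Rule lines only: skip the "Chain ..." line and the column header.
rule_lines() {
    printf '%s\n' "$LISTING" | awk 'NR > 2'
}

# Rules whose pkts counter is still 0: either never needed or shadowed by
# an earlier rule, so worth a review.
unused_rules() {
    rule_lines | awk '$1 == 0 { n++ } END { print n + 0 }'
}

# Total bytes for one target (ACCEPT, LOG, ...). With -v iptables prints
# large counters as rounded K/M/G (multiples of 1000); use -x for exact values.
bytes_for_target() {
    rule_lines | awk -v t="$1" '
        function to_bytes(v) {
            if (v ~ /K$/) return substr(v, 1, length(v) - 1) * 1000
            if (v ~ /M$/) return substr(v, 1, length(v) - 1) * 1000000
            if (v ~ /G$/) return substr(v, 1, length(v) - 1) * 1000000000
            return v + 0
        }
        $3 == t { total += to_bytes($2) }
        END { printf "%d\n", total }'
}
```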

3) Correspondence between tables and chains

Table    Chains
filter   INPUT, FORWARD, OUTPUT
nat      PREROUTING, OUTPUT, POSTROUTING
mangle   PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw      PREROUTING, OUTPUT

rules

Packet filtering is based on rules. A rule is specified by a target (the action taken once a packet satisfies all of its conditions) and a number of matches (the conditions a packet must meet for the rule to apply).

rule commands

# Append a rule to the end of a chain
iptables -A chain_name rule

# Delete a rule by its position in the chain
iptables -D chain_name rule_number

# Insert a rule at the given position
iptables -I chain_name rule_number rule

# Replace the rule at the given position
iptables -R chain_name rule_number new_rule

# Print the rules of the given chain as the commands that would add them
iptables -S chain_name

rule = match conditions + processing mechanism (target)

processing mechanism (target)

  • DROP
  • REJECT
  • ACCEPT
  • SNAT
  • DNAT
  • RETURN
  • REDIRECT
  • LOG

match condition

  • -s: match the source address, either a host IP or a network address; prefix with ! to negate, e.g. ! 172.16.0.0/16
  • -d: match the destination address
  • -p: match the protocol (e.g. tcp)
  • -i: the interface the packet arrived on; only meaningful in INPUT, FORWARD and PREROUTING
  • -o: the interface the packet leaves through; only meaningful in OUTPUT, FORWARD and POSTROUTING

Implicit matches (available once -p has selected the protocol)

  • --dport: match the destination port
  • --sport: match the source port
  • --tcp-flags mask set: of the flags listed in mask, exactly those in set must be on. Example: --tcp-flags RST,SYN,ACK,FIN SYN means RST, ACK and FIN are all 0 and only SYN is 1
  • --icmp-type: ICMP type; 8 is echo request, 0 is the corresponding echo reply

Extended matching based on modules

Form: -m module_name --module-option1 --module-option2 ...

multiport: match multiple ports in one rule, up to 15

  • --dports: destination ports
  • --sports: source ports

example

iptables -I INPUT -d 172.16.100.7 -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -I OUTPUT -s 172.16.100.7 -p tcp -m multiport --sports 22,80 -j ACCEPT

iprange: match an IP address range

  • [!] --src-range from[-to]
  • [!] --dst-range from[-to]

example

iptables -A INPUT -d 172.16.100.7 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT

time: match a time range

  • --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  • --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  • --timestart hh:mm[:ss]
  • --timestop hh:mm[:ss]
  • [!] --weekdays day[,day...]

example

iptables -A INPUT -d 172.16.100.7 -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 901 -j ACCEPT

string: match a string in the packet payload

  • --algo {bm|kmp}: string matching algorithm to use
  • --string "STR": the string to search for
  • --hex-string "HEX-STR": the string to search for, given in hexadecimal

connlimit: limit the number of concurrent connections per client IP to the specified service

  • --connlimit-above n

limit: rate limiting

  • --limit n[/second|/minute|/hour|/day]
  • --limit-burst n

state: state matching

  • --state NEW
  • --state ESTABLISHED
  • --state RELATED
  • --state INVALID
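As an added example (not from the original post), the script below combines the pieces introduced on this page, a DROP default policy, a user-defined chain, and the state, iprange, multiport and limit modules with a LOG target, into a small INPUT ruleset. HOST_IP and WAN_IF are assumed values; setting IPT=echo prints the commands instead of applying them, so the dry run works without root.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful INPUT ruleset built
# from the page's building blocks. HOST_IP and WAN_IF are assumed values.
# Run with IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
HOST_IP="${HOST_IP:-172.16.100.7}"   # assumed: the server's own address
WAN_IF="${WAN_IF:-eth0}"             # assumed: interface facing the untrusted network

apply_ruleset() {
    # Start from a clean INPUT chain and (re)create the user-defined chain.
    $IPT -F INPUT
    $IPT -F LOGDROP 2>/dev/null
    $IPT -X LOGDROP 2>/dev/null
    $IPT -N LOGDROP
    # LOGDROP: log at a bounded rate so a flood cannot fill the log, then drop.
    $IPT -A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
    $IPT -A LOGDROP -j DROP

    # Cheapest and most frequent decisions first: loopback and tracked connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j LOGDROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections: SSH only from part of the local /24, web from anywhere.
    $IPT -A INPUT -i "$WAN_IF" -d "$HOST_IP" -p tcp --dport 22 -m state --state NEW \
        -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -d "$HOST_IP" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # Echo requests, rate limited.
    $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

    # Everything else is logged and dropped explicitly rather than silently by the policy.
    $IPT -A INPUT -j LOGDROP

    # Set the DROP policy last, so a remote session is not cut off while the
    # rules above are still being added.
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
}

# Dry run: print the commands without touching the kernel.
dry_run() {
    (IPT=echo; apply_ruleset)
}

# Number of rules (-A lines) the ruleset installs; compare with "iptables -S INPUT".
rule_count() {
    dry_run | grep -c '^-A '
}
```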


Origin http://43.154.161.224:23101/article/api/json?id=324812076&siteId=291194637