iptables firewall usage

I. The four tables and five chains of iptables

1. The four iptables tables (names are case sensitive):
there are four tables by default:
the nat table (address translation)
the filter table (packet filtering)
the raw table (connection-state tracking control)
the mangle table (packet marking)

2. The five iptables chains (names are case sensitive):
the INPUT chain (rules for inbound packets)
the OUTPUT chain (rules for outbound packets)
the FORWARD chain (rules for forwarded packets)
the PREROUTING chain (rules applied before routing)
the POSTROUTING chain (rules applied after routing)

iptables syntax
iptables [-t table] option [chain name] [match conditions] [-j target]
Example:
iptables -t filter -I INPUT -p icmp -j REJECT

Notes on rules:
if no table is specified, the filter table is used
if no chain is specified, the command applies to all chains of that table (as with -L or -F)
if a packet matches none of the rules, the chain's default policy decides what happens to it
options, chain names and targets are written in upper case; everything else is lower case

Targets:
ACCEPT: allow the packet through
DROP: discard the packet without any response
REJECT: refuse the packet and, where appropriate, send an error reply
LOG: log the packet, then continue with the next rule

Common command options:
adding rules:
-A: append the rule to the end of the chain
-I: insert the rule at the head of the chain (or at a given position)
viewing rules:
-L: list rules
-n: show addresses and ports in numeric form
--line-numbers: show rule line numbers
deleting rules:
-D: delete the specified rule from the chain
-F: flush all rules (from a chain, or from every chain of the table)
default policy:
-P: set the default policy of a chain

Examples:

iptables -t filter -A INPUT -p tcp -j ACCEPT
appends a rule to the end of the filter table's INPUT chain that lets anyone reach this host over TCP
iptables -I INPUT -p udp -j ACCEPT
inserts a rule at the head of the filter table's INPUT chain that lets anyone reach this host over UDP
iptables -I INPUT 2 -p icmp -j ACCEPT
inserts a rule at position 2 of the filter table's INPUT chain that lets anyone reach this host over ICMP

3. Viewing iptables rules
iptables -nL INPUT                 list only the rules of the INPUT chain
iptables -L INPUT --line-numbers   list the rules with their line numbers

4. Deleting a rule, clearing all rules
iptables -D INPUT 3
deletes rule 3 of the filter table's INPUT chain
iptables -F
flushes the rules of every chain of the filter table
iptables -t nat -F
flushes the rules of every chain of the nat table

5. Setting the default policy
iptables -t filter -P INPUT DROP
iptables -nL

Filtering and forwarding control in the filter table:

protocol match
-p protocol name
address match
-s source address, -d destination address
interface match
-i interface the packet arrives on, -o interface the packet leaves by
port match
--sport source port, --dport destination port
ICMP match
--icmp-type ICMP type

Enabling routing (forwarding) on Linux

echo 0 > /proc/sys/net/ipv4/ip_forward    ## disable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward    ## enable forwarding
the settings above take effect immediately but are temporary
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
editing the /etc/sysctl.conf configuration file makes the setting permanent
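Appending to /etc/sysctl.conf with >> adds a new line every time the command is run, so a script that does this repeatedly leaves duplicate (and possibly conflicting) entries. The following added example, which is not code from the original post, rewrites an existing line for the key in place and appends only when the key is absent; it takes the file path as an argument so it can be tried on a scratch file first, and the demo at the bottom does exactly that. The /etc/sysctl.conf path comes from the post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: persist a sysctl setting without duplicating it on every run.
# set_sysctl_value FILE KEY VALUE
#   Ensures FILE contains exactly one "KEY = VALUE" line for KEY: an existing
#   line for KEY is rewritten in place, otherwise the setting is appended.
set_sysctl_value() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # Rewrite the existing line rather than appending a second copy.
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_value FILE KEY -> prints the value of the last line that sets KEY
get_sysctl_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# count_key_lines FILE KEY -> number of lines that set KEY (should be 1)
count_key_lines() {
    grep -c "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Demo on a scratch copy so nothing on the host is touched.
demo=$(mktemp)
set_sysctl_value "$demo" net.ipv4.ip_forward 1
set_sysctl_value "$demo" net.ipv4.ip_forward 1   # second call: no duplicate line
set_sysctl_value "$demo" net.ipv4.ip_forward 0   # rewritten in place
echo "lines for key: $(count_key_lines "$demo" net.ipv4.ip_forward), value: $(get_sysctl_value "$demo" net.ipv4.ip_forward)"
rm -f "$demo"
```

For the real file, run set_sysctl_value /etc/sysctl.conf net.ipv4.ip_forward 1 as root and then sysctl -p, which re-reads /etc/sysctl.conf so the value is applied now as well as after the next reboot; the echo 1 > /proc/sys/net/ipv4/ip_forward line from the post does the same for the running kernel only.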

Policies for blocking ping

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
drops inbound ping requests only; inbound ping replies (echo-reply) are not rejected

Filtering by MAC address

iptables -A INPUT -p tcp --dport 22 -m mac --mac-source 52:54:00:00:00:0b -j DROP
refuses SSH (TCP port 22) access to this host from the remote host with MAC address 52:54:00:00:00:0b

Rules matching multiple ports

iptables -A INPUT -p tcp -m multiport --dports 20:22,25,80,110,143,16501:16800 -j ACCEPT
opens ports 20 to 22, 25, 80, 110, 143 and 16501 to 16800 in a single rule

Rules matching an IP address range

iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.4.10-192.168.4.20 -j ACCEPT
allows login from 192.168.4.10 through 192.168.4.20

iptables -A INPUT -p tcp --dport 22 -s 192.168.4.0/24 -j DROP
refuses login from the other hosts of the 192.168.4.0/24 network
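The rules in the sections above are shown one at a time, but on a real host they only work as a set, and their order decides the outcome: iptables stops at the first matching rule, and section 5's default policy of DROP is only safe once the rules that keep the administrator's own session alive are in place. The following added example (my own code, not from the original post) puts the MAC, iprange, multiport and ICMP matches from the post together with that policy switch in the order a defender would apply them. It runs as a dry run by default: the IPT variable expands to "echo iptables" so the commands are printed for review, and setting IPT=iptables (as root) applies them. The addresses, ports and MAC address are the post's sample values, reused here for illustration; the ESTABLISHED,RELATED and LOG rules are additions not shown in the post.

```shell
#!/bin/sh
# Added example: a baseline INPUT chain built in a lockout-safe order.
# Dry run unless IPT=iptables is set in the environment.
IPT="${IPT:-echo iptables}"

ADMIN_RANGE="192.168.4.10-192.168.4.20"   # hosts allowed to SSH in (sample values)
LAN="192.168.4.0/24"                      # the local network (sample value)
BLOCKED_MAC="52:54:00:00:00:0b"           # a LAN host denied SSH (sample value)
SERVICE_PORTS="25,80,110,143"             # public services on this host (sample values)

build_input_chain() {
    # 1. Open the policy and flush first: flushing a chain whose policy is
    #    already DROP leaves no rule to accept anything, including your session.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # 2. Traffic that must never be blocked: loopback, and replies belonging to
    #    connections this host already has open (that includes the SSH session
    #    the rules are being typed into).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. SSH: the MAC block goes BEFORE the range allow, because the first
    #    matching rule wins; placed after it, the block would never be reached
    #    for a host that is also inside the allowed range. Other LAN hosts are
    #    refused explicitly; everything else falls through to the DROP policy.
    $IPT -A INPUT -p tcp --dport 22 -m mac --mac-source "$BLOCKED_MAC" -j DROP
    $IPT -A INPUT -p tcp --dport 22 -m iprange --src-range "$ADMIN_RANGE" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -s "$LAN" -j DROP

    # 4. Public services in one multiport rule instead of four separate rules.
    $IPT -A INPUT -p tcp -m multiport --dports "$SERVICE_PORTS" -j ACCEPT

    # 5. Drop inbound ping requests only; replies to this host's own pings
    #    already matched the ESTABLISHED,RELATED rule above.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # 6. Log what is about to be refused (rate-limited so the log cannot be
    #    flooded), then switch the default policy to DROP as the very last step.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -P INPUT DROP
}

# rule_count -> number of commands the dry run emits (for checks and tests)
rule_count() { build_input_chain | wc -l | tr -d ' '; }

# policy_is_last -> "yes" when "-P INPUT DROP" is the final command emitted
policy_is_last() {
    case "$(build_input_chain | tail -n 1)" in
        *"-P INPUT DROP") echo yes ;;
        *) echo no ;;
    esac
}

build_input_chain
```

After applying for real, iptables -nL INPUT --line-numbers (from section 3) shows the chain in exactly the order above, and iptables -D INPUT N with one of those line numbers removes a single rule without flushing the rest.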

Saving the firewall configuration

service iptables save
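A saved rule set is loaded again at boot, so a mistake in it (such as the broad "-p tcp -j ACCEPT" example from the options section, or a DROP policy saved without the rules that keep sessions alive) comes back every time the host restarts. The following added example, which is my own code and not part of the original post, reads a rules file in the iptables-save format and reports the two lockout conditions and any accept rule keyed only on a protocol. The sample file is constructed inline; the real file to audit on CentOS 6 is /etc/sysconfig/iptables, which is where service iptables save writes (the path and the function names are assumptions of this example).

```shell
#!/bin/sh
# Added example: sanity-check a saved rules file before it is loaded.
# audit_rules FILE -> prints one finding per line; exit status 0 when none found
audit_rules() {
    f=$1
    findings=0
    if grep -q '^:INPUT DROP' "$f"; then
        # A DROP policy without these two rules drops replies to the admin's
        # own session and every service that talks over loopback.
        if ! grep -q -- '-A INPUT .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT' "$f" &&
           ! grep -q -- '-A INPUT .*--ctstate [A-Z,]*ESTABLISHED.* -j ACCEPT' "$f"; then
            echo "INPUT policy is DROP but no ESTABLISHED,RELATED accept rule: lockout risk"
            findings=$((findings + 1))
        fi
        if ! grep -q -- '-A INPUT -i lo -j ACCEPT' "$f"; then
            echo "INPUT policy is DROP but loopback traffic is not accepted"
            findings=$((findings + 1))
        fi
    fi
    # Accept rules keyed only on the protocol (like "-p tcp -j ACCEPT") open
    # every port of that protocol to every source.
    grep -- '-A INPUT -p [a-z]* -j ACCEPT' "$f" | while read -r line; do
        echo "overly broad accept rule: $line"
    done
    broad=$(grep -c -- '-A INPUT -p [a-z]* -j ACCEPT' "$f" || true)
    findings=$((findings + broad))
    [ "$findings" -eq 0 ]
}

# finding_count FILE -> number of findings, for scripts and tests
finding_count() { audit_rules "$1" | wc -l | tr -d ' '; }

# Constructed sample in iptables-save format: a DROP policy saved with a
# broad accept rule and without the loopback/ESTABLISHED rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m iprange --src-range 192.168.4.10-192.168.4.20 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
EOF
audit_rules "$sample" || echo "rules file is NOT safe to load"
rm -f "$sample"
```

Run audit_rules against the saved file before a reboot or before iptables-restore; a non-zero exit status means at least one finding was printed.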


Source: blog.csdn.net/m0_38139137/article/details/90479544