[Repost] iptables commands, rules and arguments in detail

Table
iptables contains four tables, in descending order of priority: raw -> mangle -> nat -> filter
raw --- The raw table only has the PREROUTING and OUTPUT chains. It has the highest priority, so it receives packets before connection tracking runs. Once a rule in the raw table has handled a packet on a chain, that packet skips the nat table and ip_conntrack processing, i.e. no address translation and no connection tracking is done for it.
filter --- The default table, with three chains: INPUT, FORWARD and OUTPUT. Rules in this table do the packet filtering.
nat --- This table has two chains, PREROUTING and POSTROUTING, and is mainly used for one-to-one, one-to-many and many-to-many address translation (SNAT, DNAT).
mangle --- This table has three chains, PREROUTING, FORWARD and POSTROUTING. Besides address translation, packets sometimes have to be rewritten: in some special applications the packet's TTL or TOS must be changed, or the packet must be MARKed (marked for later filtering). Such rules must be defined in the mangle table.

Commonly used commands:
-A append a rule -> iptables -A INPUT ...
-D delete a rule -> iptables -D INPUT 1 (1 is the rule number)
-R replace a rule -> iptables -R INPUT 1 -s 192.168.12.0 -j DROP replaces the existing rule at the same position (1 is the position)
-I insert a rule -> iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT inserts a rule at position 1; the rule that was at that position moves back one place (-p tcp is required before --dport is accepted)
-L list rules -> iptables -L INPUT lists all rules in the chain
-N new chain -> iptables -N allows you to define a new chain

General parameters:
-p protocol               Example: iptables -A INPUT -p tcp
-s source address         Example: iptables -A INPUT -s 192.168.1.1
-d destination address    Example: iptables -A INPUT -d 192.168.12.1
--sport source port       Example: iptables -A INPUT -p tcp --sport 22
--dport destination port  Example: iptables -A INPUT -p tcp --dport 22
-i input interface        Example: iptables -A INPUT -i eth0
-o output interface       Example: iptables -A FORWARD -o eth0

-j specifies the action to perform
Commonly used ACTIONs:
DROP: discard silently
REJECT: explicitly reject
ACCEPT: accept
SNAT: source address translation
--to-source: specifies the new source address
    For example, if we want every IP of the 192.168.10.0 segment to be translated when it goes out through the external address 172.16.100.1:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1 (a valid external network IP)
This way, whenever the local network goes out through the external network card, all of it is converted to the IP 172.16.100.1.
MASQUERADE (dynamic masquerading): for home broadband that obtains a dynamic external IP, dynamic masquerading is used instead
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
DNAT: destination address translation
--to-destination: specifies the new destination address
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
Access to port 80 of 192.168.10.18 is converted to 172.16.100.2
MASQUERADE: source masquerading
REDIRECT: redirection, mainly used to implement port redirection
MARK: set a firewall mark on the packet
RETURN: return; after a custom chain finishes, return to the chain that called it.

Chain
Each table has its own set of built-in chains, and chains can also be user-defined, so that a set of rules can be grouped together.
The filter table has the INPUT, OUTPUT and FORWARD chains.

Match
Every iptables rule consists of a set of matches and a target. A match is a condition the packet must meet; only when a packet satisfies all of a rule's matches does iptables process it with the action specified by the rule's target.
Matches are specified on the iptables command line:
source (-s) -- match the source IP address or network
destination (-d) -- match the destination IP address or network
protocol (-p) -- match the IP protocol value
in-interface (-i) -- the incoming interface (e.g. eth0)
out-interface (-o) -- the outgoing interface
state -- match a set of connection states
string -- match a byte sequence in the application-layer data
comment -- up to 256 bytes of annotation associated with a rule, kept in kernel memory

Target
An iptables target is the action triggered when a packet matches the rule:
ACCEPT -- allow the packet through
DROP -- discard the packet without further processing; as far as the receiving stack is concerned, it is as if the packet had never been received
LOG -- record the packet information to syslog
REJECT -- discard the packet and send an appropriate response (a TCP reset for TCP connections, or an ICMP port unreachable message for UDP packets)
RETURN -- continue processing the packet in the calling chain

vi /etc/sysconfig/iptables          policy (rules) file
vi /etc/sysconfig/iptables-config   configuration file

iptables has 5 default rule chains:
PREROUTING (inside to outside), FORWARD (forward), POSTROUTING (outside to inside), INPUT (input), OUTPUT (output)


1. Chain management commands (these take effect immediately)
-P: set the default policy (whether the default "door" is closed or open)
    there are generally only two default policies:
    iptables -P INPUT (DROP | ACCEPT)
    default off / default on
    for example:
    iptables -P INPUT DROP
This makes the default rule "refuse". If no further action is defined, all external connections, including Xshell and similar remote connections, are rejected.
-F: FLUSH, clear a rule chain (note the management scope of each chain)
    iptables -t nat -F PREROUTING
    iptables -t nat -F           empties all chains of the nat table
-N: NEW, allows the user to create a chain
    iptables -N inbound_tcp_web  creates a chain named inbound_tcp_web, here meant for checking inbound tcp web traffic
-X: delete an empty user-defined chain
    used the same way as -N, but the chain must be emptied before it can be deleted
-E: rename a chain, mainly used to rename user-defined chains
    -E oldname newname
-Z: zero the counters of a chain and of its default rule (there are two counters: the number of packets matched and the number of bytes)
    iptables -Z: zero the counters

2. Rule management commands
-A: append, add the new rule at the end of the current chain
-I num: insert, insert the rule at position num in the current chain
   -I 3: insert as rule 3
-R num: replace/modify rule number num
   Format: iptables -R 3 ............
-D num: delete, explicitly delete rule number num
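As an added illustration (not part of the original post), the following Python model reproduces the first-match semantics that sit behind these -P / -A / -I / -R / -D positions, user-defined chains created with -N, and the RETURN target: the Rule and Table classes, the packet dictionaries and the addresses are constructed for this example and are not an iptables API.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One rule: a few match criteria (-p, --dport, -s) and a -j target."""
    target: str                     # ACCEPT, DROP, RETURN or a user-defined chain name
    proto: Optional[str] = None     # -p tcp|udp|icmp
    dport: Optional[int] = None     # --dport
    src: Optional[str] = None       # -s, an exact address in this toy model

    def matches(self, pkt):
        return ((self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.src is None or pkt.get("src") == self.src))


class Table:
    """A filter table: built-in chains with policies, plus user chains."""
    BUILTIN = ("INPUT", "FORWARD", "OUTPUT")

    def __init__(self):
        self.chains = {c: [] for c in self.BUILTIN}
        self.policy = {c: "ACCEPT" for c in self.BUILTIN}

    def set_policy(self, chain, pol):             # iptables -P chain pol
        self.policy[chain] = pol

    def new_chain(self, name):                    # iptables -N name
        self.chains[name] = []

    def append(self, chain, rule):                # iptables -A chain ...
        self.chains[chain].append(rule)

    def insert(self, chain, rule, num=1):         # iptables -I chain [num] ...
        self.chains[chain].insert(num - 1, rule)  # old rule num moves down one place

    def replace(self, chain, num, rule):          # iptables -R chain num ...
        self.chains[chain][num - 1] = rule

    def delete(self, chain, num):                 # iptables -D chain num
        del self.chains[chain][num - 1]

    def line_numbers(self, chain):                # iptables -L chain --line-numbers
        return [(i + 1, r.target) for i, r in enumerate(self.chains[chain])]

    def verdict(self, chain, pkt):
        """The first matching rule decides. A terminating target ends the walk;
        RETURN (or running out of rules in a user chain) goes back to the
        calling chain; a built-in chain with no match falls back to its policy."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP", "REJECT"):
                return rule.target
            if rule.target == "RETURN":
                return None
            sub = self.verdict(rule.target, pkt)   # jump into a user-defined chain
            if sub is not None:
                return sub
        return self.policy.get(chain)              # None for user chains


def demo():
    """Walk through -A/-I ordering, --line-numbers, a user chain and the policy."""
    t = Table()
    t.set_policy("INPUT", "DROP")                                   # -P INPUT DROP
    t.append("INPUT", Rule("ACCEPT", proto="tcp", dport=22))        # -A INPUT -p tcp --dport 22 -j ACCEPT
    t.append("INPUT", Rule("DROP", src="192.168.12.7"))             # -A INPUT -s 192.168.12.7 -j DROP
    ssh_from_bad_host = {"proto": "tcp", "dport": 22, "src": "192.168.12.7"}
    before = t.verdict("INPUT", ssh_from_bad_host)                  # ACCEPT: rule 1 matches first
    t.insert("INPUT", Rule("DROP", src="192.168.12.7"), 1)          # -I INPUT 1 -s 192.168.12.7 -j DROP
    after = t.verdict("INPUT", ssh_from_bad_host)                   # DROP: the new rule 1 wins
    numbered = t.line_numbers("INPUT")                              # [(1,'DROP'), (2,'ACCEPT'), (3,'DROP')]
    t.new_chain("inbound_tcp_web")                                  # -N inbound_tcp_web
    t.append("inbound_tcp_web", Rule("ACCEPT", dport=80))
    t.append("inbound_tcp_web", Rule("RETURN"))
    t.append("INPUT", Rule("inbound_tcp_web", proto="tcp"))         # -A INPUT -p tcp -j inbound_tcp_web
    web = t.verdict("INPUT", {"proto": "tcp", "dport": 80, "src": "10.0.0.5"})    # ACCEPT in user chain
    other = t.verdict("INPUT", {"proto": "tcp", "dport": 443, "src": "10.0.0.5"})  # RETURN, then policy DROP
    return {"before": before, "after": after, "numbered": numbered, "web": web, "other": other}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes visible is that -A and -I are not interchangeable: the same DROP rule appended after an ACCEPT never fires for that traffic, while inserted at position 1 it does, and a chain whose user-defined sub-chain RETURNs without a decision ends up at the chain's -P policy.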
        
3. Listing command "-L"
    additional sub-options:
-n: display IPs numerically; without -n, IPs are reverse-resolved to host names
-v: display detailed information
-vv
-vvv: the more v's, the more detail
-x: display the exact counter values, without unit conversion
--line-numbers: display the rule line numbers
-t nat: display the rules of the nat table
 
4. Detailed match criteria

    
2. Extended matching
2.1 Implicit extensions: protocol extensions
TCP protocol extension: -p tcp. There are three commonly used extensions:
--dport XX:XX: destination port; several non-contiguous ports cannot be given, but a single port or a range can, e.g.
--dport 21 or --dport 21:23 (the latter means 21, 22, 23; iptables writes a port range with a colon)
--sport: source port
--tcp-flags: TCP flags (SYN, ACK, FIN, PSH, RST, URG)
    it generally takes two parameters:
    1. the flags to check
    2. the flags that must be set to 1
    --tcp-flags SYN,ACK,FIN,RST SYN  is the same as  --syn
    This checks four bits: SYN must be 1 and the other three must be 0, which means it matches the first packet of the TCP three-way handshake. For this special case of matching the first SYN packet there is a shorthand called --syn
-p udp: UDP protocol extension
    --dport
    --sport
-p icmp: ICMP protocol extension
    --icmp-type:
    echo-request (echo request), generally denoted by 8
    so --icmp-type 8 matches echo request packets
    echo-reply (reply packet), generally denoted by 0
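An added example, not from the original post: the mask/compare semantics of --tcp-flags written out in Python, showing why --tcp-flags SYN,ACK,FIN,RST SYN is the same as --syn and which handshake packets it does and does not select. The function names and the sample flag strings are this example's own assumptions.

```python
# Added example (not from the original post): a model of how iptables
# evaluates "--tcp-flags MASK COMP" and why "--syn" is shorthand for
# "--tcp-flags SYN,ACK,FIN,RST SYN". Function names are this example's own.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_to_bits(names):
    """Convert a comma-separated flag list such as 'SYN,ACK' (or the
    keywords ALL / NONE that iptables also accepts) into a bitmask."""
    names = names.strip().upper()
    if names == "ALL":
        return sum(TCP_FLAGS.values())
    if names in ("NONE", ""):
        return 0
    bits = 0
    for name in names.split(","):
        bits |= TCP_FLAGS[name.strip()]
    return bits


def tcp_flags_match(packet_flags, mask, comp):
    """iptables semantics: look only at the bits named in MASK and require
    that, among those, exactly the bits named in COMP are set. Flags outside
    MASK are ignored; flags inside MASK but not in COMP must be 0."""
    return (flags_to_bits(packet_flags) & flags_to_bits(mask)) == flags_to_bits(comp)


def is_syn(packet_flags):
    """Equivalent of the --syn shorthand."""
    return tcp_flags_match(packet_flags, "SYN,ACK,FIN,RST", "SYN")


def handshake_demo():
    """Which packets of a TCP three-way handshake does --syn select?"""
    return {
        "1: SYN": is_syn("SYN"),            # first packet of the handshake: matches
        "2: SYN,ACK": is_syn("SYN,ACK"),    # server's reply: no, ACK is set
        "3: ACK": is_syn("ACK"),            # final ACK: no
        "SYN,PSH": is_syn("SYN,PSH"),       # PSH is outside the mask, so still matches
        "--tcp-flags ALL SYN on SYN,PSH":   # the stricter form checks every bit: no
            tcp_flags_match("SYN,PSH", "ALL", "SYN"),
    }


if __name__ == "__main__":
    for label, matched in handshake_demo().items():
        print(f"{label:35s} -> {'match' if matched else 'no match'}")
```

The last entry shows the practical difference between --syn (a four-bit mask) and --tcp-flags ALL SYN (a six-bit mask): a segment carrying SYN together with PSH or URG passes the first and fails the second, so the choice of mask decides how tolerant the rule is of unusual flag combinations.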
 
2.2 Explicit extensions (-m)
extensions provided by the various modules
  -m multiport: enables the multiport extension
  then we can specify e.g. --dports 21,23,80

Policy requirements:
Domain Name System (DNS) queries
File Transfer Protocol (FTP) transfers
Network Time Protocol (NTP) queries
Secure Shell (SSH) sessions
Simple Mail Transfer Protocol (SMTP) sessions
Web sessions over HTTP/HTTPS
WHOIS queries

Network layout:
  External side (eth0, 71.157.XX): external network scanner, external web server, external DNS
  Firewall: host name "iptables", internal interface eth1 192.168.10.1 on 192.168.10.0/24
  LAN side: LAN client (10.50), LAN network scanner (10.200), web server (20.3), DNS server (10.4)
Script:
iptables.sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.10.0/24
### flush existing rules and set chain policy setting to drop (reset the existing rules and the chain policies)
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F                  # flush the rule chains
$IPTABLES -F -t nat           # empty the nat table
$IPTABLES -X                  # delete empty user-defined chains
$IPTABLES -P INPUT DROP       # default policy DROP: close the INPUT chain
$IPTABLES -P OUTPUT DROP      # close the OUTPUT chain
$IPTABLES -P FORWARD DROP     # close the FORWARD chain
### load connection-tracking modules
$MODPROBE ip_conntrack        # load the ip_conntrack module
$MODPROBE iptable_nat         # load the iptable_nat module
$MODPROBE ip_conntrack_ftp    # load the ip_conntrack_ftp module
$MODPROBE ip_nat_ftp          # load the ip_nat_ftp module

INPUT chain
The INPUT chain is the first line of defense built with iptables: it controls which packets destined for the local system may reach local sockets. If the first rule in the INPUT chain tells iptables to discard packets (or the INPUT chain's policy is set to DROP), then every attempt to communicate directly with the system over any IP protocol (TCP, UDP or ICMP) fails. ARP works at the data link layer rather than the network layer, and iptables only filters IP and higher-layer protocol packets, so iptables does not filter ARP packets.

######## INPUT chain ########
echo "[+] Setting up INPUT chain..."
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### anti-spoofing rules
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT"
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options

The commands to build the OUTPUT chain rule set are as follows:
######## OUTPUT chain ########
echo "[+] Setting up OUTPUT chain..."
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options

FORWARD chain
The FORWARD chain of the filter table provides access control over packets forwarded through the firewall between its interfaces:
######## FORWARD chain ########
echo "[+] Setting up FORWARD chain..."
### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT"
$IPTABLES -A FORWARD -i eth1 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
FTP, SSH, SMTP and WHOIS connections are allowed through the firewall, but they must be initiated from the internal subnet through the internal interface (eth1); HTTP, HTTPS and DNS are allowed through the firewall from any source.
### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP" --log-ip-options --log-tcp-options
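An added example (not from the original post or the script it quotes) of what a defender does with the LOG rules above: parse the kernel log records that the "DROP", "DROP INVALID" and "SPOOFED PKT" rules produce, count them per prefix and per source, and re-check the anti-spoofing condition (a packet that arrived on eth1 with a source outside INT_NET). The log lines are constructed for the example; the field layout follows the standard iptables LOG format. Because the script's prefixes have no trailing space, the kernel prints them directly against the IN= field (DROP INVALIDIN=eth0), which the parser allows for.

```python
import re
import ipaddress
from collections import Counter

INT_NET = ipaddress.ip_network("192.168.10.0/24")   # the script's INT_NET

# Constructed sample lines in the format the kernel writes for "-j LOG".
# They are made up for this example; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 30 10:01:02 iptables kernel: DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.9 DST=71.157.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 30 10:01:03 iptables kernel: SPOOFED PKT IN=eth1 OUT= SRC=10.9.9.9 DST=192.168.10.3 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=24
Jun 30 10:01:04 iptables kernel: DROP INVALIDIN=eth0 OUT= SRC=198.51.100.4 DST=71.157.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=80 DPT=33442 WINDOW=0 RES=0x00 ACK URGP=0
Jun 30 10:01:05 iptables kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=71.157.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Everything between "kernel: " and the first "IN=" is the --log-prefix text;
# MAC= is only present for packets that arrived on an Ethernet interface.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) (?:MAC=\S+ )?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return a dict of the interesting fields, or None if the line is not an
    iptables LOG record. A prefix written without a trailing space runs into
    the IN= field ("DROP INVALIDIN=eth0"), so the prefix is taken as
    everything before the first "IN=" and then stripped."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["prefix"] = ev["prefix"].strip()
    return ev


def summarize(text, internal=INT_NET):
    """Count records per log prefix and per source address, and collect the
    sources that hit the anti-spoofing rule: packets seen on eth1 whose
    source is not inside the internal network."""
    by_prefix, by_src, spoofed = Counter(), Counter(), []
    for line in text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        by_prefix[ev["prefix"]] += 1
        by_src[ev["src"]] += 1
        if ev["in"] == "eth1" and ipaddress.ip_address(ev["src"]) not in internal:
            spoofed.append(ev["src"])
    return by_prefix, by_src, spoofed


if __name__ == "__main__":
    prefixes, sources, spoofed = summarize(SAMPLE_LOG)
    print("records per prefix:", dict(prefixes))
    print("busiest sources:", sources.most_common(3))
    print("spoofed internal sources:", spoofed)
```

In practice the text comes from /var/log/messages or journalctl -k; the per-prefix counts tell you which of the three kinds of rule is firing, and a source that shows up repeatedly under "DROP" on eth0 against several destination ports is the kind of thing the default LOG rule exists to make visible.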

Network address translation
The iptables nat table is dedicated to defining all NAT rules. It has two chains: PREROUTING and POSTROUTING. Rules in the nat table's PREROUTING chain are applied to packets for which the kernel's routing algorithm has not yet decided the outgoing interface; at that point the packet has not yet been processed by the filter table's INPUT or FORWARD chain.
The POSTROUTING chain handles packets after the kernel's routing algorithm has determined the physical interface they will leave through, i.e. packets that have already been processed by the filter table's OUTPUT or FORWARD chain.
### NAT rules
echo "[+] Setting up NAT rules..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.10.4:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE
The web server and the DNS server have the internal addresses 192.168.10.3 and 192.168.10.4 respectively. Among the iptables commands that provide NAT, the three PREROUTING rules let web and DNS requests from the external network be sent to the right internal server, and the POSTROUTING rule lets connections from the non-routable internal network to the external Internet look as if they came from the IP address 71.157.XX.

The final step in building the iptables policy is to enable IP forwarding in the Linux kernel:
### forwarding ###
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

Test the policy with the hping and nc commands.


Source: www.cnblogs.com/caogen1991/p/11122494.html