One, iptables basics
Netfilter is the packet-filtering framework built into the Linux kernel; it provides the filtering, NAT and related functions that iptables configures.
Official documentation: https://netfilter.org/documentation/
To let the kernel extend the network stack for all kinds of network services, five points in the packet path were chosen and a hook function placed at each (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING). These five hooks are exposed to user space, and the user writes rules for them with the iptables command-line tool.
The rules are organized into five tables; each table holds rule sets that control how IP packets are processed, and within a table the rules are grouped into chains (one chain per hook point above, plus user-defined chains).
iptables components:
Five tables: filter, nat, mangle, raw, security; five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
filter table: packet-filtering rules; decides according to predefined rules whether a packet is allowed through (the most commonly used table; contains three built-in chains by default: INPUT, FORWARD, OUTPUT)
nat table: network address translation rules (commonly used; on current kernels it contains the PREROUTING, INPUT, OUTPUT and POSTROUTING chains)
mangle table: rules that modify packet headers and marks (TOS, TTL, fwmark)
raw table: exempts selected packets from connection tracking (NOTRACK/CT target); untracked packets also skip the nat table, so they pass through the firewall faster
security table: mandatory access control (MAC) network rules, implemented by a Linux Security Module such as SELinux
Three packet flows:
1. Traffic destined for this host: PREROUTING -> INPUT -> user-space process (e.g. the httpd service)
2. Traffic leaving this host: user-space process -> OUTPUT -> POSTROUTING
3. Forwarded traffic: PREROUTING -> FORWARD -> POSTROUTING
Two, iptables usage
Rule format:
iptables [-t table] SUBCOMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
Simple format
SUBCOMMAND
1. View
-L: list, list all rules in the specified chain; when combined with other single-letter options it must come last (-vnL, not -Lvn), because it takes an optional chain name
-n: numeric, show addresses and port numbers as numbers instead of resolving them to names
-v: verbose, show details (interfaces, counters)
-vv: more detail
-x: exact, show the exact counter values instead of values rounded to K/M/G units
--line-numbers: show the rule numbers
Common combination:
-vnL --line-numbers
Use -vnL together with the -t option to view the chains of each table; the default table is filter, so -t filter can be omitted.
iptables -t filter -vnL
iptables -vnL
iptables -t filter -vnL INPUT
2. Chain Management
-N: new, create a custom rule chain
-X: delete an empty custom rule chain
-P: policy, set the default policy of a chain; for chains of the filter table the default policy is one of:
ACCEPT: accept
DROP: discard
-E: rename a custom chain; a custom chain whose reference count is not 0 (it is still jumped to from another chain) can be neither renamed nor deleted
3. Rule management:
-A: append, add a rule at the end of the chain
-I: insert, insert a rule at the specified rule number; the default is position 1 (the top of the chain)
-D: delete, delete a rule
(1) by its rule number
(2) by restating the rule itself
-R: replace, replace the rule with the specified number in the specified chain
-F: flush, empty the specified chain (all chains of the table if none is given)
Examples
1. Forbid pinging the loopback address (the rule goes on the INPUT chain of the filter table).
2. Insert a rule in front of the current one: -I without a number inserts at position 1 and the existing rule moves down to position 2.
3. Delete the first rule by number, or by restating the rule itself: iptables -D INPUT -s 127.0.0.1 -p icmp -j ACCEPT
4. Zero the packet and byte match counters of the rules in the chain (the -Z option).
5. Clear all rules: iptables -F
6. Modify a specified rule in a chain with the -R option.
iptables -R INPUT 1 -s 127.0.0.1 -p icmp -j ACCEPT
7. Each chain has its own default policy, changed with the -P option. Do not change it carelessly: with no rule permitting SSH in place, a DROP policy denies everything and the Xshell session is disconnected.
iptables -t filter -P INPUT DROP
8. Custom chain
Using a custom chain:
It does not take effect on its own, because a custom chain is never traversed by itself; only a table's built-in chains are walked, so a custom chain must be called from a built-in chain (with -j chainname) before its rules run. Call it:
Rename chain
iptables -E mychain mychain11
Delete chain
iptables -t filter -X mychain
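The examples above as one runnable script (added here, not code from the original page): it walks the -A/-I/-D/-Z/-R sequence on the filter table's INPUT chain, guards -P INPUT DROP with a check that an SSH allow rule already exists, and shows a custom chain being created, called from INPUT, renamed and removed. The chain name mychain and the SSH port 22 are assumptions. With DRY_RUN=1 the script only prints the iptables commands it would run, so it can be read on a host where you are not root.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: chain "mychain",
# SSH on tcp/22, iptables in $PATH (override with IPT=...).
IPT="${IPT:-iptables}"

# Run iptables, or with DRY_RUN=1 just print the command that would run.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Rule management on the INPUT chain of the (default) filter table.
manage_input_rules() {
    ipt -A INPUT -s 127.0.0.1 -p icmp -j DROP      # 1. drop pings from loopback (appended last)
    ipt -I INPUT -s 127.0.0.1 -p icmp -j ACCEPT    # 2. insert at position 1; the DROP rule becomes rule 2
    ipt -D INPUT 1                                 # 3. delete rule 1 by number ...
    ipt -D INPUT -s 127.0.0.1 -p icmp -j DROP      #    ... or by restating the rule itself
    ipt -Z INPUT                                   # 4. zero the packet/byte counters of the chain
    ipt -A INPUT -s 127.0.0.1 -p icmp -j DROP
    ipt -R INPUT 1 -s 127.0.0.1 -p icmp -j ACCEPT  # 6. replace rule 1 in place
}

# 7. Set a DROP policy only after the rule that keeps your SSH session alive exists.
#    -C checks for a rule without adding it; the check is skipped in dry-run mode.
set_input_policy_drop() {
    if [ "${DRY_RUN:-0}" != "1" ]; then
        "$IPT" -C INPUT -p tcp --dport 22 -j ACCEPT || {
            echo "refusing: no SSH allow rule in INPUT, a DROP policy would lock you out" >&2
            return 1
        }
    fi
    ipt -t filter -P INPUT DROP
}

# 8. A custom chain does nothing until a built-in chain jumps to it.
use_custom_chain() {
    ipt -N mychain
    ipt -A mychain -p icmp -j DROP
    ipt -A INPUT -j mychain        # the call that makes mychain take effect
    ipt -E mychain mychain11       # rename; the jump in INPUT follows the new name
    ipt -D INPUT -j mychain11      # reference count must be 0 before -X ...
    ipt -F mychain11               # ... and the chain must be empty
    ipt -X mychain11
}

# Usage: DRY_RUN=1 sh rules.sh apply   (print)   or   sudo sh rules.sh apply   (execute)
case "${1:-}" in
    apply) manage_input_rules && use_custom_chain ;;
esac
```

The -C check is the practical safeguard behind point 7: run the policy change only from a helper that first proves the allow rule is present, and you cannot lose the session you are typing in.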
Persistent iptables rules
Because the rules live in kernel memory, they are lost when the system reboots. Save all iptables rules to a configuration file so they can be reloaded and are applied automatically after startup.
Back up the rules to iptables.rule
method one
chmod +x /etc/rc.d/rc.local
vi /etc/rc.d/rc.local
Reboot and verify that the rules are still present
Method Two
yum install iptables-services   (provides iptables.service and /etc/sysconfig/iptables on CentOS 7)
systemctl enable iptables
iptables-save -c > /etc/sysconfig/iptables
Running the iptables service together with firewalld is not recommended on CentOS: the two conflict, so stop and disable firewalld before enabling iptables.service.
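Method one, as an added example that is not from the original page: dump the running ruleset with iptables-save -c, check the dump before it is ever restored at boot, and print the restore line for /etc/rc.d/rc.local. The check catches the lock-out the section above warns about: a persisted INPUT DROP policy with no SSH allow rule. The path /etc/sysconfig/iptables.rule, the SSH port 22 and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: rules file path,
# SSH on tcp/22; sample_dump is a constructed dump, not captured from a host.
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables.rule}"

# Constructed iptables-save output used for the offline demo below.
sample_dump() {
    cat <<'EOF'
# constructed sample dump (not captured from a real host)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p icmp -j DROP
COMMIT
EOF
}

# Policy of a chain as recorded in the dump, e.g. ":INPUT DROP [0:0]" -> DROP
dump_policy() {   # $1 = dump file, $2 = chain name
    sed -n "s/^:$2 \([A-Z]*\) \[.*\]$/\1/p" "$1"
}

# True if the dump holds an INPUT rule accepting TCP to port 22. With -c each
# rule line is prefixed by "[pkts:bytes] ", so that prefix is optional here.
dump_allows_ssh() {   # $1 = dump file
    grep -Eq '^(\[[0-9]+:[0-9]+\] )?-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$1"
}

# A dump is safe to load at boot only if every *table header is closed by a
# COMMIT line and an INPUT DROP policy comes with an SSH allow rule.
dump_is_safe() {   # $1 = dump file
    tables=$(grep -c '^\*' "$1" || :)
    commits=$(grep -c '^COMMIT$' "$1" || :)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    if [ "$(dump_policy "$1" INPUT)" = "DROP" ]; then
        dump_allows_ssh "$1" || return 1
    fi
    return 0
}

# Write the live ruleset (with counters) to RULES_FILE only if it passes the check.
save_rules() {
    tmp="$RULES_FILE.tmp"
    iptables-save -c > "$tmp" || { rm -f "$tmp"; return 1; }
    if dump_is_safe "$tmp"; then
        mv "$tmp" "$RULES_FILE"
    else
        echo "not saving: $tmp would lock you out or is incomplete" >&2
        rm -f "$tmp"; return 1
    fi
}

# The line to append to /etc/rc.d/rc.local (after chmod +x) so rules reload at boot.
rc_local_line() {
    printf 'iptables-restore -c < %s\n' "$RULES_FILE"
}

# Usage: sudo sh persist.sh save    (saves, then prints the rc.local line)
case "${1:-}" in
    save) save_rules && rc_local_line ;;
esac
```

Restoring with iptables-restore -c keeps the counters that iptables-save -c recorded; drop the -c on both sides if you do not care about them.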