Practical operation of the iptables / netfilter software firewall (Part 2)

Brief introduction

The basic concepts of iptables were explained in the previous article; please read that one first for the fundamentals. This article covers day-to-day firewall operations.

Viewing rule tables

Reading the output of a rule table

Before operating on the tables, review the table structure summarised in the previous article:

table    chains
raw      prerouting, output
mangle   prerouting, input, forward, output, postrouting
nat      prerouting, output, postrouting
filter   input, forward, output

The following operations are best carried out on the test machine mentioned above, so that normal access to your host is not affected.

In the output above (from iptables -t filter -L), the -t option selects the table to operate on and -L lists its rules. The filter table shows three chains, INPUT, FORWARD and OUTPUT, each with its own rules. The fields in the output mean the following:

target: the target of the rule, usually the action to take once the rule matches;
prot: the protocol the rule applies to, i.e. whether the rule is restricted to certain protocols;
opt: the options of the rule;
source: the source address the rule matches; this can be a single IP or a network segment;
destination: the destination address the rule matches; this can be a single IP or a network segment;

The rules of the other tables can be viewed directly with the following commands:

iptables -t raw -L
iptables -t mangle -L
iptables -t nat -L

Without -t, iptables operates on the filter table by default.

Commonly used commands for viewing table rules

iptables -t TABLE -L  # list all rules of the given table

iptables -t TABLE -L CHAIN  # list the rules of the given chain in the given table

iptables -t TABLE -L -v  # list all rules of the given table with more detailed (verbose) output

iptables -t TABLE -n -L  # list all rules of the given table without resolving IPs or ports to names; -n means do not resolve addresses

iptables --line-numbers -t TABLE -L  # list all rules of the given table with their sequence numbers; --line-numbers is a long option and cannot be merged with short options, but it can be shortened to --line (still two dashes, still a long option)

Best practice: in daily use the short options are usually merged:

iptables --line -t filter -nvxL
iptables --line -t filter -nvxL INPUT

Common rule operations on tables

The iptables operations in this article are carried out on the test machine.

Notes on the operations

Adding rules

iptables -F INPUT  # delete (flush) all rules of the INPUT chain in the filter table
iptables -t filter -I INPUT -s 192.168.56.12 -j DROP  # drop all packets coming from host 192.168.56.12
# No table is specified here; as stressed earlier, the default table is filter, so this also operates on filter.
# -A appends the rule to the end of the INPUT chain, whereas -I in the previous step inserts it at the head.
# Although this rule allows the access, order matters: once a packet matches the DROP rule above,
# no further rules are evaluated, so the host still cannot connect.
iptables -A INPUT -s 192.168.56.12 -j ACCEPT
iptables -t filter -I INPUT 2 -s 192.168.56.12 -j ACCEPT  # the number after the chain name is the position to insert at (here, row 2); targets are case-sensitive, so ACCEPT must be upper-case
iptables -t TABLE -P CHAIN ACTION  # set the default policy of the given chain
# Example: iptables -t filter -P FORWARD ACCEPT

Deleting rules

Deleting rules that have not been saved cannot be undone, so operate with care.

iptables -t filter -D INPUT 3  # delete rule number 3 of the INPUT chain in the filter table
iptables -t filter -D INPUT -s 192.168.1.146 -j DROP  # delete the rule with these match conditions and target from the given chain of the given table
iptables -t filter -F INPUT  # delete all rules of the given chain in the given table
iptables -t filter -F  # delete all rules in the filter table

Modifying rules

Syntax: iptables -t TABLE -R CHAIN RULE_NUMBER original-match-conditions -j ACTION
Example: iptables -t filter -R INPUT 3 -s 192.168.1.146 -j ACCEPT

The example above modifies rule number 3 of the INPUT chain in the filter table, changing its action to ACCEPT. -s 192.168.1.146 is the rule's original match condition; if it is omitted, the source address of the modified rule becomes 0.0.0.0/0, i.e. any source.

Another way to modify a rule: delete it by number, then insert a new rule at the original position.
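Deleting or replacing by number, as in the -D and -R commands above, depends on reading the numbers off a --line-numbers listing, and the numbers shift as soon as one rule is removed. The script below is an added example, not code from the original article: it parses a constructed sample of `iptables --line -t filter -nvxL INPUT` output (the two rules added in the "Adding rules" section plus one more), finds the rule numbers for a given source address, and deletes them highest number first so that earlier deletions cannot renumber the later ones. The function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: find rules by source address in
# a --line-numbers listing and delete them by number, highest number first.
# DRY_RUN=1 prints the iptables commands instead of running them (assumed switch).

# Constructed sample output of: iptables --line -t filter -nvxL INPUT
# (rules 1 and 2 are the ones added in the "Adding rules" section; counters are zero)
SAMPLE_INPUT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1           0        0 DROP       all  --  *      *       192.168.56.12        0.0.0.0/0
2           0        0 ACCEPT     all  --  *      *       192.168.56.12        0.0.0.0/0
3           0        0 ACCEPT     tcp  --  *      *       192.168.1.146        0.0.0.0/0            tcp dpt:22'

# run ARGS...: execute iptables, or just print the command under DRY_RUN
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# rule_numbers LISTING SOURCE [TARGET]
# Print, one per line, the numbers of rules whose source column equals SOURCE
# (and whose target equals TARGET, when given). Columns follow the -v layout:
# num pkts bytes target prot opt in out source destination [options]
rule_numbers() {
    printf '%s\n' "$1" | awk -v src="$2" -v tgt="$3" '
        NR > 2 && $9 == src && (tgt == "" || $4 == tgt) { print $1 }'
}

# delete_matching CHAIN LISTING SOURCE [TARGET]
# Delete every matching rule. Numbers are processed in descending order:
# deleting rule 1 first would renumber rules 2 and 3, and the later -D calls
# would then remove the wrong rules.
delete_matching() {
    chain=$1
    shift
    rule_numbers "$@" | sort -rn | while read -r n; do
        run -t filter -D "$chain" "$n"
    done
}

# Demonstration on the constructed listing; harmless because of DRY_RUN.
DRY_RUN=1
rule_numbers "$SAMPLE_INPUT" 192.168.56.12           # prints 1 and 2
delete_matching INPUT "$SAMPLE_INPUT" 192.168.56.12  # -D INPUT 2, then -D INPUT 1
```

Against a real host, unset DRY_RUN, run as root, and feed the function a live listing, for example `delete_matching INPUT "$(iptables --line -t filter -nvxL INPUT)" 192.168.56.12`. The same lookup gives the number to pass to -R when replacing a rule in place.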

Saving rules

iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables

Rule matching conditions

Common match conditions

-s matches the source address of the packet. Several source addresses can be given at once, separated by commas, and a network segment can also be specified.

iptables -t filter -I INPUT -s 192.168.1.111,192.168.1.118 -j DROP
iptables -t filter -I INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -t filter -I INPUT ! -s 192.168.1.0/24 -j ACCEPT

-d matches the destination address of the packet. Several destination addresses can be given at once, separated by commas, and a network segment can also be specified.

# Examples
iptables -t filter -I OUTPUT -d 192.168.1.111,192.168.1.118 -j DROP
iptables -t filter -I INPUT -d 192.168.1.0/24 -j ACCEPT
iptables -t filter -I INPUT ! -d 192.168.1.0/24 -j ACCEPT

-p matches the protocol type; supported values include tcp, udp, icmp, esp and others.

iptables -t filter -I INPUT -p tcp -s 192.168.1.146 -j ACCEPT
iptables -t filter -I INPUT ! -p udp -s 192.168.1.146 -j ACCEPT

-i matches the network interface through which a packet enters the machine. Since it only applies to packets flowing into the machine, this option cannot be used in the OUTPUT and POSTROUTING chains;

iptables -t filter -I INPUT -p icmp -i eth4 -j DROP
iptables -t filter -I INPUT -p icmp ! -i eth4 -j DROP

-o matches the network interface through which a packet leaves the machine, so this option cannot be used in the INPUT and PREROUTING chains;

iptables -t filter -I OUTPUT -p icmp -o eth4 -j DROP
iptables -t filter -I OUTPUT -p icmp ! -o eth4 -j DROP

Extended match conditions

tcp extension module

-p tcp -m tcp --sport matches the source port of TCP packets; a colon can be used to specify a contiguous range of ports
-p tcp -m tcp --dport matches the destination port of TCP packets; a colon can be used to specify a contiguous range of ports

iptables -t filter -I OUTPUT -d 192.168.1.146 -p tcp -m tcp --sport 22 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m tcp --dport 22:25 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m tcp --dport :22 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m tcp --dport 80: -j REJECT
iptables -t filter -I OUTPUT -d 192.168.1.146 -p tcp -m tcp ! --sport 22 -j ACCEPT

multiport extension module

multiport
Common syntax:
-p tcp -m multiport --sports matches the source port of packets; non-contiguous port numbers can be given, separated by commas
-p udp -m multiport --dports matches the destination port of packets; non-contiguous port numbers can be given, separated by commas

iptables -t filter -I OUTPUT -d 192.168.1.146 -p udp -m multiport --sports 137,138 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m multiport --dports 22,80 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m multiport ! --dports 22,80 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m multiport --dports 80:88 -j REJECT
iptables -t filter -I INPUT -s 192.168.1.146 -p tcp -m multiport --dports 22,80:88 -j REJECT

Other commonly used extension modules

iprange

iprange is used to specify a contiguous range of addresses;
its match conditions are the following:
--src-range: a contiguous range of source addresses
--dst-range: a contiguous range of destination addresses

# Examples
iptables -t filter -I INPUT -m iprange --src-range 192.168.1.127-192.168.1.146 -j DROP
iptables -t filter -I OUTPUT -m iprange --dst-range 192.168.1.127-192.168.1.146 -j DROP
iptables -t filter -I INPUT -m iprange ! --src-range 192.168.1.127-192.168.1.146 -j DROP

string module

With the string extension module a string can be specified; the condition matches when the packet contains that string.
--algo: the matching algorithm to use, either bm or kmp; this option is required
--string: the string to match

# Example
iptables -t filter -I INPUT -p tcp --sport 80 -m string --algo bm --string "OOXX" -j REJECT

time module

Matches packets based on time: if the packet arrives within the specified time range, the condition matches.
--timestart: start time of the time range; cannot be negated
--timestop: end time of the time range; cannot be negated
--weekdays: days of the week; can be negated
--monthdays: days of the month; can be negated
--datestart: start date of the date range; cannot be negated
--datestop: end date of the date range; cannot be negated

# Examples
iptables -t filter -I OUTPUT -p tcp --dport 80 -m time --timestart 09:00:00 --timestop 19:00:00 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 443 -m time --timestart 09:00:00 --timestop 19:00:00 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80  -m time --weekdays 6,7 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80  -m time --monthdays 22,23 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80  -m time ! --monthdays 22,23 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80  -m time --timestart 09:00:00 --timestop 18:00:00 --weekdays 6,7 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80  -m time --weekdays 5 --monthdays 22,23,24,25,26,27,28 -j REJECT
iptables -t filter -I OUTPUT -p tcp --dport 80  -m time --datestart 2017-12-24 --datestop 2017-12-27 -j REJECT

connlimit module

This module limits the number of concurrent connections each IP address may hold to the server. No address needs to be given: by default the limit is applied per client IP, i.e. it caps the concurrent connections from a single IP. --connlimit-mask applies the limit per network prefix of the given length instead of per address.

# Examples
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 10 --connlimit-mask 27 -j REJECT

limit module

The limit module is mainly used to limit the rate at which packets arrive.
--limit-burst:

# Examples. Note: the following two rules must be used together.
iptables -t filter -I INPUT -p icmp -m limit --limit-burst 3 --limit 10/minute -j ACCEPT
iptables -t filter -A INPUT -p icmp -j REJECT
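The text above leaves --limit-burst undefined. The limit match is a token bucket: --limit is the rate at which tokens are refilled and --limit-burst is the size of the bucket, i.e. how many packets can pass back to back before the rate takes over. The script below is an added example, not code from the original article; it simulates that bucket in whole seconds for the two-rule pair above (limit/ACCEPT followed by REJECT) and reports which rule handles each packet. The packet arrival times are constructed, the function name is this example's own, and the model is simplified: the kernel keeps its credit at a finer resolution than one second.

```shell
#!/bin/sh
# Added example, not from the original article: token-bucket simulation of
# "-m limit --limit N/minute --limit-burst B" followed by a REJECT rule.
# Whole seconds only; N is assumed to divide 60 evenly (e.g. 10/minute).

# limit_verdicts RATE_PER_MINUTE BURST "T1 T2 ..."
# T1 T2 ... are packet arrival times in seconds, ascending (constructed input).
# Prints one character per packet: A when the limit rule accepts it,
# R when it falls through to the REJECT rule.
limit_verdicts() {
    rate=$1; burst=$2; times=$3
    interval=$((60 / rate))      # seconds needed to earn one token (6 s for 10/minute)
    cap=$((burst * interval))    # a full bucket holds BURST tokens
    credit=$cap                  # the bucket starts full
    last=0
    out=""
    for t in $times; do
        credit=$((credit + t - last))          # refill for the time elapsed
        [ "$credit" -gt "$cap" ] && credit=$cap  # never beyond the burst size
        last=$t
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval))      # spend one token: first rule matches
            out="${out}A"
        else
            out="${out}R"                      # no token: second rule rejects
        fi
    done
    echo "$out"
}

# Nine ICMP packets: six within the first six seconds, then one every six seconds.
# The first three ride on the burst, the next three are rejected, and from then
# on one packet per 6 s (10/minute) is accepted.
limit_verdicts 10 3 "0 1 2 3 4 5 6 12 18"   # AAARRRAAA
```

The output shows why the two rules must be paired: the limit rule only ever accepts, so without the trailing REJECT the packets that exceed the rate would simply continue down the chain and be handled by the chain's default policy.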

tcp-flags

# Examples
iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
iptables -t filter -I OUTPUT -p tcp -m tcp --sport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN,ACK -j REJECT
iptables -t filter -I INPUT -p tcp -m tcp --dport 22 --tcp-flags ALL SYN -j REJECT
iptables -t filter -I OUTPUT -p tcp -m tcp --sport 22 --tcp-flags ALL SYN,ACK -j REJECT
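--tcp-flags takes two comma-separated lists: the first names the flags to examine, the second the flags that must be set among them, while every other flag in the first list must be clear. Flags outside the first list are ignored, and ALL and NONE are accepted as shorthands. The shell function below is an added example, not code from the original article: it evaluates a rule's flag specification against a packet's flag set, for instance to confirm that `--tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN` matches only a bare SYN (a new connection attempt) and not the SYN,ACK of a handshake reply. The function names and the packet flag sets are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: evaluate --tcp-flags MASK COMP
# against a packet's flag set. Only flags named in MASK are examined; the packet
# matches when, of those, exactly the flags in COMP are set.

ALL_FLAGS="SYN,ACK,FIN,RST,URG,PSH"

# has_flag LIST FLAG: succeed when FLAG appears in the comma-separated LIST
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# tcp_flags_match MASK COMP PKTFLAGS: succeed when a packet whose set flags are
# PKTFLAGS (comma list, empty for none) matches --tcp-flags MASK COMP.
# ALL and NONE are accepted as shorthands, as in iptables.
tcp_flags_match() {
    mask=$1; comp=$2; pkt=$3
    [ "$mask" = ALL ] && mask=$ALL_FLAGS
    [ "$comp" = ALL ] && comp=$ALL_FLAGS
    [ "$comp" = NONE ] && comp=""
    for f in $(printf '%s' "$mask" | tr ',' ' '); do
        if has_flag "$comp" "$f"; then
            has_flag "$pkt" "$f" || return 1   # a required flag is clear
        else
            has_flag "$pkt" "$f" && return 1   # a flag that must be clear is set
        fi
    done
    return 0
}

# tcp_flags_verdict MASK COMP PKTFLAGS: print "match" or "no match"
tcp_flags_verdict() {
    if tcp_flags_match "$@"; then echo match; else echo "no match"; fi
}

# Constructed packets against the first rule above ("--tcp-flags ALL SYN" is equivalent)
tcp_flags_verdict "$ALL_FLAGS" SYN SYN        # match: a bare SYN, i.e. a new connection attempt
tcp_flags_verdict "$ALL_FLAGS" SYN SYN,ACK    # no match: the handshake reply
tcp_flags_verdict SYN,RST SYN SYN,ACK         # match: ACK is not in MASK, so it is ignored
tcp_flags_verdict ALL NONE ""                 # match: a packet with no flags set at all
```

The third call is the point that is easy to get wrong: a short MASK makes the rule indifferent to every flag it does not name, so a rule meant to single out connection attempts should examine all six flags, as the examples above do.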


Source: www.cnblogs.com/chenxiba/p/11334697.html