Detailed explanation of iptables commands under Linux

Illustrated guide to iptables commands under Linux

Analysis of iptables commands under Linux

1. Commands:
-A append: add a new rule at the end of a chain
-I insert: add a new rule at the top of a chain; -I CHAIN N inserts it as rule number N instead
-R replace: replace the rule at a given line number with a new one
-D delete: delete a rule, either by repeating its specification or by giving its line number
-N create a user-defined chain
-X delete a user-defined chain; the chain must be empty and no longer referenced by any rule before it can be deleted
-L list the rules of a chain (or of all chains)
  1. iptables -L -n   show addresses and ports numerically, without name resolution
  2. iptables -L -v   show details (packet and byte counters, interfaces)
  3. iptables -L -x   show exact counter values instead of rounded K/M/G values
-E rename a user-defined chain
-F flush: delete all rules in a chain
-Z zero the packet and byte counters of a chain
-P set the default policy of a built-in chain
2. Match conditions:
Implicit matches:
-p protocol: tcp, udp or icmp
--sport source port
--dport destination port
-s source address
-d destination address
-i interface the packet arrives on
-o interface the packet leaves through
Extension matches (-m):
-m state --state match the connection state
-m multiport --source-ports match a set of source ports given as one list
-m limit --limit 3/minute match at most three times per minute on average
-m limit --limit-burst 5 allow an initial burst of five matching packets before the limit applies
-m string --algo bm|kmp --string "xxxx" match a string in the packet payload, using the bm or kmp search algorithm
-m time --timestart 8:00 --timestop 12:00 match only between the two times of day
-m time --days match only on the given days of the week
-m mac --mac-source xx:xx:xx:xx:xx:xx match the source MAC address
-m layer7 --l7proto qq match the Tencent QQ protocol (many other protocols are supported as well). This match is not available by default: the kernel must be patched and both the kernel and iptables recompiled before -m layer7 can be used.
3. Actions (targets):
-j target
DROP silently discard the packet
ACCEPT let the packet through
REJECT discard the packet, but send an error reply to the sender
LOG --log-prefix "any descriptive text you choose" write a log entry; the packet then continues to the next rule
SNAT source address translation
DNAT destination address translation
REDIRECT redirect the packet to a local port
MASQUERADE address masquerading (source translation to the outgoing interface's address)
Saving the iptables rules:
service iptables save
Restarting the service:
service iptables stop
service iptables start
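The management commands and the limit/LOG/DROP targets above, put together in a small script. This is an added example, not code from the original post: it builds a user-defined chain that rate-limits new SSH connections, inserts the jump at position 1 of INPUT, and shows the teardown order (-D the reference, -F, then -X) that -X requires. The chain name SSH_LIMIT, the limits and the DRY_RUN switch are assumptions for this example; with DRY_RUN=1 (the default) it prints the iptables commands instead of executing them, so it can be reviewed before running as root.

```shell
#!/bin/sh
# Added example (not from the original post): manage a user-defined chain
# with the options described above (-N, -A, -I <pos>, -D, -F, -X, -m limit,
# -j LOG/DROP/RETURN). DRY_RUN=1 prints the commands instead of running them.
# Chain name, port and limits are assumptions chosen for this example.

DRY_RUN="${DRY_RUN:-1}"          # default to printing, never executing by accident
SSH_PORT="${SSH_PORT:-22}"
CHAIN="${CHAIN:-SSH_LIMIT}"      # hypothetical user-defined chain name

# ipt: run iptables, or echo the command line when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_ssh_limit_chain: create a custom chain (-N); let a steady 3 new
# connections per minute, with a burst of 5, return to INPUT for normal
# processing; log (rate-limited itself) and drop the rest; finally insert
# the jump to the chain as rule number 1 of INPUT (-I INPUT 1).
build_ssh_limit_chain() {
    ipt -N "$CHAIN"
    ipt -A "$CHAIN" -m limit --limit 3/minute --limit-burst 5 -j RETURN
    ipt -A "$CHAIN" -m limit --limit 1/minute -j LOG --log-prefix "ssh-flood:"
    ipt -A "$CHAIN" -j DROP
    ipt -I INPUT 1 -p tcp --dport "$SSH_PORT" -m state --state NEW -j "$CHAIN"
}

# remove_ssh_limit_chain: order matters; -X fails unless the chain is
# empty (-F) and no longer referenced (delete the INPUT jump first with -D).
remove_ssh_limit_chain() {
    ipt -D INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j "$CHAIN"
    ipt -F "$CHAIN"
    ipt -X "$CHAIN"
}

# count_rules_added: number of iptables invocations the build step issues
count_rules_added() {
    ( DRY_RUN=1; build_ssh_limit_chain ) | wc -l | tr -d ' '
}

# save_rules: persist the live tables the way "service iptables save" does
# on RHEL-style systems (iptables-save into the file loaded at boot).
save_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables-save > /etc/sysconfig/iptables"
    else
        iptables-save > /etc/sysconfig/iptables
    fi
}
```

Run `DRY_RUN=1 sh script.sh` style calls first, check the printed lines, then call the same functions with DRY_RUN=0 as root. Keep a console session open while changing INPUT rules remotely: a mistake in the rule at position 1 locks out SSH.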

Analysis of iptables rules in a real deployment

Meaning of the header lines in the saved rules file:
:INPUT ACCEPT [0:0]
This line says that the default policy of the INPUT chain of the filter table is ACCEPT; the [0:0] records the number of packets and bytes counted against this policy.
:FORWARD ACCEPT [0:0]
This line says that the default policy of the FORWARD chain is ACCEPT.
:OUTPUT ACCEPT [0:0]
This line says that the default policy of the OUTPUT chain is ACCEPT.

NEW: the client initiates a new request (the first packet of a connection)
ESTABLISHED: a reply to a request that has already been seen, or any later packet of that connection
RELATED: a new connection that is related to an existing complete connection, i.e. one that depends on another established connection (an FTP data connection, for example)
INVALID: a packet whose state cannot be recognized

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This means: only allow incoming packets that are replies to packets this host itself sent out, or that are related to such a connection.

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
The first rule accepts all ICMP packets. The second allows all traffic on the local loopback interface into the INPUT chain: the -i parameter specifies the incoming interface, here lo, the loopback interface.

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
These two rules reject every packet in the INPUT and FORWARD chains that did not match any of the rules above, and send the sender an ICMP "host prohibited" message.

Next, the rule that allows port 22, which was not covered above, with the meaning of each parameter I have added:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A append a rule at the end of the chain
-j the action bound to the rule, mainly accept (ACCEPT), discard (DROP), reject (REJECT) or log (LOG)
--dport restrict the rule to the given destination port
-p protocol: which kind of packet the rule applies to, mainly tcp, udp, icmp or all
-m state --state match on the connection state
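The header lines and the rule listing explained above can be checked programmatically instead of by eye. This is an added example, not code from the original post: it reads a dump in the format iptables-save writes (the same format as the saved rules file), extracts each chain's default policy and its [packets:bytes] counters, verifies that a specific rule such as the ESTABLISHED,RELATED accept is present, and reports built-in chains that are effectively open (policy ACCEPT with no unconditional REJECT/DROP at the end). The dump embedded below is constructed for the example; on a real host the input would come from `iptables-save -c`. Function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump.
# SAMPLE_DUMP is constructed for this example; on a real host feed the
# functions the output of "iptables-save -c" instead.

SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1204:98712]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# chain_policy DUMP CHAIN -> default policy of a built-in chain (ACCEPT/DROP)
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# chain_counters DUMP CHAIN -> "packets bytes" recorded against the policy
chain_counters() {
    printf '%s\n' "$1" | awk -v c=":$2" '
        $1 == c { s = $3; sub(/^\[/, "", s); sub(/\]$/, "", s); sub(/:/, " ", s); print s; exit }'
}

# has_rule DUMP "rule text" -> success if that exact rule line is present
has_rule() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# open_chains DUMP -> built-in chains whose policy is ACCEPT and which have
# no unconditional "-A CHAIN -j REJECT|DROP" rule, i.e. chains that let
# anything through that no earlier rule matched. A rule with match options
# before -j is not a catch-all and does not close the chain.
open_chains() {
    printf '%s\n' "$1" | awk '
        /^:/   { name = substr($1, 2); policy[name] = $2; next }
        /^-A / { if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[$2] = 1 }
        END    { for (n in policy) if (policy[n] == "ACCEPT" && !(n in closed)) print n }
    ' | sort | tr '\n' ' ' | sed 's/ $//'
}

# audit DUMP -> one line per chain, plus the list of open chains
audit() {
    for chain in INPUT FORWARD OUTPUT; do
        echo "$chain policy=$(chain_policy "$1" "$chain") counters=$(chain_counters "$1" "$chain")"
    done
    echo "open chains: $(open_chains "$1")"
}
```

Usage: `audit "$(iptables-save -c)"` on the live system, or `audit "$SAMPLE_DUMP"` to see the constructed case, where INPUT and FORWARD end in a REJECT but OUTPUT is reported as open.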

Real-world iptables rules by business case

Web server: open port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Mail server: open ports 25 and 110
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

FTP server: open port 21 (and port 20)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

DNS server: open port 53
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Allow ICMP packets through, i.e. allow ping:
iptables -A OUTPUT -p icmp -j ACCEPT   (needed if the OUTPUT policy is DROP)
iptables -A INPUT -p icmp -j ACCEPT    (needed if the INPUT policy is DROP)

Forward port 8080 of this machine (IP 192.168.1.162) to another host, target IP and port 192.168.1.163:80, with the following rules:
iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.1.162 --dport 8080 -j DNAT --to-destination 192.168.1.163:80
iptables -t nat -A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.162:8080
echo 1 > /proc/sys/net/ipv4/ip_forward
The last line turns on IP forwarding in the kernel at the same time; without it the forwarded packets are never passed on.
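The service rules and the port forward above, assembled into one file that can be loaded atomically with iptables-restore rather than typed as separate iptables commands. This is an added example, not code from the original post: it generates the *filter table (loopback, stateful accept, ICMP, the service ports from this section via one multiport rule, explicit REJECT at the end) and the *nat table (DNAT in PREROUTING, SNAT in POSTROUTING), and prints the commands that enable forwarding. The addresses and ports are the ones used in the post; the function names, the DROP default policy on INPUT and FORWARD, and the narrowing of the SNAT rule with -d to the forwarded host (rewriting only the source address, not the port) are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate one iptables-restore
# file covering the service ports listed above and the 8080 -> 80 forward,
# then print the commands that enable forwarding. Addresses/ports are from
# the post; function names, the DROP policies and multiport are assumptions.

LOCAL_IP="192.168.1.162"      # this machine
LOCAL_PORT="8080"             # port forwarded on this machine
TARGET_IP="192.168.1.163"     # host that really serves the traffic
TARGET_PORT="80"
SERVICE_PORTS="80,25,110,21,20,53"   # web, smtp, pop3, ftp, ftp-data, dns (tcp, as in the post)

# gen_filter_rules PORTS FWD_IP FWD_PORT -> the *filter table.
# Default policy DROP, so only what is listed gets in; the explicit REJECT
# rules at the end give the sender an ICMP error instead of a silent drop.
gen_filter_rules() {
    ports="$1"; fwd_ip="$2"; fwd_port="$3"
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -d $fwd_ip --dport $fwd_port -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# gen_nat_rules LOCAL_IP LOCAL_PORT TARGET_IP TARGET_PORT -> the *nat table.
# PREROUTING rewrites the destination (DNAT); POSTROUTING rewrites the source
# (SNAT) only for traffic going to the target, so its replies come back here.
gen_nat_rules() {
    local_ip="$1"; local_port="$2"; target_ip="$3"; target_port="$4"
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d $local_ip --dport $local_port -j DNAT --to-destination $target_ip:$target_port
-A POSTROUTING -p tcp -m tcp -d $target_ip --dport $target_port -j SNAT --to-source $local_ip
COMMIT
EOF
}

# gen_restore_file -> complete file to load with: iptables-restore < file
gen_restore_file() {
    gen_filter_rules "$SERVICE_PORTS" "$TARGET_IP" "$TARGET_PORT"
    gen_nat_rules "$LOCAL_IP" "$LOCAL_PORT" "$TARGET_IP" "$TARGET_PORT"
}

# forwarding_sysctl -> the commands that switch on IP forwarding; printed
# rather than executed so the example runs without root.
forwarding_sysctl() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Typical use as root:
#   gen_restore_file > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```

Loading the whole file with iptables-restore replaces the tables in one step, so there is no window in which only half of the rules are active, and the same file doubles as the saved configuration the service reads at boot.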


Origin blog.51cto.com/jiangzm/2475009