Commonly used firewall software on Linux
The iptables command is a commonly used firewall tool on Linux and is part of the netfilter project. It can be configured directly on the command line or through many front ends and graphical interfaces.
iptables [options] [parameters]
-t, --table table: Operate on the specified table, which must be one of raw, nat, filter or mangle. If this option is not given, the filter table is used.
# Generic matches: source address, destination address, protocol and interface
-p: Specifies the packet protocol type to be matched;
-s, --source [!] address[/mask]: Use the specified address/group of addresses as the source address and filter according to this rule. When there is no mask following, address is an address, such as: 192.168.1.1; when mask is specified, it can represent a range of addresses, such as: 192.168.1.0/255.255.255.0.
-d, --destination [!] address[/mask]: The address format is the same as above, but here the address is specified as the destination address, and filtering is performed accordingly.
-i, --in-interface [!] <network interface name>: Specify the network interface the packet arrived on, for example the common eth0. Note: it only works on the INPUT, FORWARD and PREROUTING chains. If this option is not given, packets may arrive on any interface. As before, "!" negates the match.
-o, --out-interface [!] <network interface name>: Specify the network interface through which data packets go out. Only works on three chains: OUTPUT, FORWARD, and POSTROUTING.
# View management commands
-L, --list [chain] List all rules on chain chain, or if no chain is specified, list all rules on all chains in the table.
#Rule management commands
-A, --append chain rule-specification: Appends the specified rule at the end of chain chain, so it is checked last. The rule is given by the matches that follow.
-I, --insert chain [rulenum] rule-specification Inserts one or more rules at the specified position in chain chain. If the specified rule number is 1, it is inserted at the head of the chain. This is also the default case if no rule number is specified.
-D, --delete chain rule-specification / -D, --delete chain rulenum: Delete one or more rules from the specified chain, either by rule specification or by rule number.
-R, --replace chain rulenum rule-specification: Replace (modify) the rule at position rulenum in the chain.
#Chain management commands (this takes effect immediately)
-P, --policy chain target: Set the default policy target for the specified chain. Only built-in chains may have a policy; user-defined chains may not.
-F, --flush [chain] Clear all rules on the specified chain chain. If no chain is specified, clears all rules for all chains in the table.
-N, --new-chain chain Create a new chain with the specified name.
-X, --delete-chain [chain]: Delete the specified chain. The chain must not be referenced by any rule and must contain no rules. If no chain name is given, every non-built-in chain in the table is deleted.
-E, --rename-chain old-chain new-chain: Rename the specified chain. The rules inside the chain are unaffected.
-Z, --zero [chain]: Clear all counters on the specified chain or all chains in the table.
-j, --jump target <specified target>: that is, what action should be performed when a certain condition is met. The target can be a built-in target, such as ACCEPT, or a user-defined chain.
-h: Display help information;
Parameter | Function |
---|---|
-P | Set the default policy, e.g. iptables -P INPUT DROP |
-F | Flush the rule chain |
-L | List the rule chain |
-A | Append a new rule at the end of the rule chain |
-I num | Insert a new rule at position num (default: the head of the chain) |
-D num | Delete rule number num |
-s | Match the source address IP/MASK; prefix with "!" to match everything except this IP |
-d | Match the destination address |
-i <interface> | Match packets coming in through this network interface |
-o <interface> | Match packets going out through this network interface |
-p | Match a protocol, such as tcp, udp, icmp |
--dport num | Match the destination port number |
--sport num | Match the source port number |
iptables -t <table> <-A/I/D/R> <chain> [rulenum] [-i/-o <interface>] [-p <protocol>] [-s <source IP/subnet>] [--sport <source port>] [-d <destination IP/subnet>] [--dport <destination port>] -j <action>
Rule chain names (also known as the five hook functions) are: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
Firewall policies generally come in two kinds: a 'pass' policy and a 'block' policy. With the pass policy the door is closed by default and you must define who may enter; with the block policy the door is open by default, but whoever enters must be identified, otherwise they cannot come in. Either way you must define who is let in and who is let out: 'pass' means everyone is let through except those you single out, and 'block' means you choose who gets through. Defining a policy involves several separate functions: rules that allow or refuse packets (the filter function) and address translation (the nat function). So that these functions can work side by side, iptables defines "tables" that separate the different kinds of processing.
Three of these functions are in everyday use: filter, nat and mangle.
The mangle table rewrites the packet itself, for example to modify the TTL; it can take apart the packet headers and mark or modify their contents. Firewall marks are implemented by mangle.
Small extension:
iptables, the user-space tool for netfilter, makes rules take effect directly: it is not itself a service, and a rule takes effect as soon as it is entered. Distributions also package an "iptables" service that can be started and stopped: starting it loads the saved rules, stopping it removes them.
iptables also lets you define your own chains, but a custom chain must be attached to a built-in chain: a rule in the built-in chain jumps to the custom chain when it matches, the custom chain processes the packet and returns, and checking then continues in the built-in chain.
Note: rule order is critical. Rules are checked from top to bottom, so the stricter (more specific) a rule is, the higher it should be placed.
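The command lists on this page apply a 'pass' policy one rule at a time. As an added example (not from the original page), the POSIX shell function below emits the same kind of whitelist ruleset as text in iptables-restore format, so the whole filter table is replaced in one atomic step instead of through a sequence of -F, -A and -P commands during which the default policy alone decides. The subnet and ports are constructed defaults, and -m conntrack --ctstate is used in place of the older -m state shown on the page.

```shell
#!/bin/sh
# Added example (not from the original page): build a whitelist ("pass")
# ruleset as text in iptables-restore format. Loading it with iptables-restore
# replaces the whole filter table atomically, unlike a sequence of
# iptables -F ... -A ... -P commands, during which the policy alone decides.
# Constructed defaults: management subnet 192.168.1.0/24, SSH on 22/tcp, a web
# service on 80/tcp. -m conntrack --ctstate is used instead of the older -m state.

# gen_whitelist_rules [MGMT_NET] [SSH_PORT]: print the ruleset on stdout
gen_whitelist_rules() {
    mgmt_net="${1:-192.168.1.0/24}"
    ssh_port="${2:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rules are checked top to bottom: cheap, frequently hit matches go first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s ${mgmt_net} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Explicit final refusal so refused packets show up in the rule counters.
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# rule_index PATTERN: 1-based line number of the first matching line in the
# default ruleset; used to check that the ordering is what the comments claim.
rule_index() {
    gen_whitelist_rules | grep -n -e "$1" | head -n 1 | cut -d: -f1
}

# Usage (needs root; keep a console or the management subnet reachable):
#   gen_whitelist_rules 192.168.1.0/24 22 | iptables-restore -t   # parse only
#   gen_whitelist_rules 192.168.1.0/24 22 | iptables-restore      # apply
```

`iptables-restore -t` only parses the ruleset without committing it, which is a cheap syntax check before changing a remote machine; the rule_index helper makes the ordering requirement (loopback and ESTABLISHED,RELATED before the service rules, REJECT last) something a deployment script can assert rather than eyeball.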
Table names include: raw, mangle, nat and filter.
Actions include: ACCEPT, DROP, REJECT, SNAT, DNAT and LOG.
Packet flow through the tables and chains (simplified: only the filter and nat tables are shown):

                 +-----------------+
                 |     Network     |
                 +--------+--------+
                          |
                          v
               +---------------------+
               | table: nat          |
               | chain: PREROUTING   |
               +----------+----------+
                          |
                          v
                  Routing decision
                  /               \
                 v                 v
   +-----------------+     +-------------------+
   | table: filter   |     | table: filter     |
   | chain: INPUT    |     | chain: FORWARD    |
   +--------+--------+     +---------+---------+
            |                        |
            v                        |
      local process                  |
            |                        |
            v                        |
   +-----------------+               |
   | table: nat      |               |
   | chain: OUTPUT   |               |
   +--------+--------+               |
            |                        |
            v                        |
   +-----------------+               |
   | table: filter   |               |
   | chain: OUTPUT   |               |
   +--------+--------+               |
            |                        |
            v                        |
      Routing decision               |
            |                        |
            +----------+-------------+
                       |
                       v
            +---------------------+
            | table: nat          |
            | chain: POSTROUTING  |
            +----------+----------+
                       |
                       v
            +---------------------+
            |       Network       |
            +---------------------+
iptables -F # Clear all firewall rules
iptables -X # Delete user-defined empty chains
iptables -Z # Clear count
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# 22 is your ssh port. -s 192.168.1.0/24 means that machines in this network segment are allowed to connect. IP addresses in other network segments cannot log in to your machine. -j ACCEPT indicates accepting such a request
iptables -A INPUT -i lo -j ACCEPT
# The loopback address 127.0.0.1 is used only on this machine; allow it both in and out
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P INPUT DROP # Configure the default to deny entry
iptables -P FORWARD DROP #Default does not allow forwarding
iptables -P OUTPUT ACCEPT # The default is to go out
iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT # Allow intranet machines in the computer room to access
iptables -A INPUT -p all -s 192.168.140.0/24 -j ACCEPT # Allow intranet machines in the computer room to access
iptables -A INPUT -p tcp -s 183.121.3.7 --dport 3380 -j ACCEPT # Allow 183.121.3.7 to access port 3380 of this machine
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Open port 80, because this is the port used by the web to the outside world
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT # Allow to be pinged
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # The established connection must be allowed in
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak # Back up before making any changes, please maintain this excellent habit
iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables
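The file just saved is in iptables-save format, the same text that iptables-restore reads back, so it can be checked before it is ever loaded. As an added example, not part of the original page, the POSIX shell function below audits such a ruleset for the mistakes the command lists on this page guard against: an INPUT chain that accepts by default with no closing rule, a DROP policy with no loopback or ESTABLISHED,RELATED rule (which locks out local services and replies), and an SSH rule with no source restriction. Both sample rulesets are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original page): audit a ruleset in
# iptables-save format for the mistakes the command lists above avoid.
# Both sample rulesets below are constructed for this example.

# A ruleset that accepts by default and exposes SSH to every source.
OPEN_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# A ruleset in the shape this page recommends.
HARDENED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# audit_ruleset RULESET: print one finding per line; prints nothing when clean.
audit_ruleset() {
    # Only the filter table decides what is accepted or refused.
    filter=$(printf '%s\n' "$1" | sed -n '/^\*filter/,/^COMMIT/p')
    inputs=$(printf '%s\n' "$filter" | grep '^-A INPUT ' || true)

    # 1. Policy ACCEPT and no closing DROP/REJECT: the chain is a "block"
    #    (blacklist) policy whether or not that was intended.
    if printf '%s\n' "$filter" | grep -q '^:INPUT ACCEPT' \
       && ! printf '%s\n' "$inputs" | grep -Eq '^-A INPUT -j (DROP|REJECT)'; then
        echo 'INPUT accepts by default and has no final DROP/REJECT rule'
    fi
    # 2. Policy DROP without a loopback accept: local services stop working.
    if printf '%s\n' "$filter" | grep -q '^:INPUT DROP' \
       && ! printf '%s\n' "$inputs" | grep -q -e '-i lo -j ACCEPT'; then
        echo 'INPUT policy DROP but no "-i lo -j ACCEPT" rule'
    fi
    # 3. Policy DROP without ESTABLISHED,RELATED: replies to this machine's
    #    own outbound connections are dropped.
    if printf '%s\n' "$filter" | grep -q '^:INPUT DROP' \
       && ! printf '%s\n' "$inputs" | grep -q 'ESTABLISHED'; then
        echo 'INPUT policy DROP but no ESTABLISHED,RELATED accept rule'
    fi
    # 4. An ACCEPT for port 22 with no -s restriction: SSH reachable from anywhere.
    if printf '%s\n' "$inputs" | grep -e '--dport 22 ' | grep 'ACCEPT' | grep -vq -e ' -s '; then
        echo 'SSH (22/tcp) is accepted from any source address'
    fi
    return 0
}

# audit_count RULESET: number of findings, for a pass/fail step in a deploy script.
audit_count() {
    audit_ruleset "$1" | wc -l | tr -d ' '
}

# Usage against the saved file:
#   audit_ruleset "$(cat /etc/sysconfig/iptables)"
```

The checks are deliberately textual: they read the saved file, not the live kernel state, so they can run in a review step before iptables-restore is ever invoked on the machine.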
iptables -L -t nat # List all rules on nat
# ^ -t parameter specified, must be one of raw, nat, filter, mangle
iptables -L -t nat --line-numbers # Rules with numbers
iptables -L INPUT
iptables -L -nv # View, this list looks more detailed
iptables -F INPUT # Clear all rules above the specified chain INPUT
iptables -X INPUT # Delete the specified chain. This chain must not be referenced by any other rules, and there must be no rules on this chain.
# If no chain name is specified, all non-built-in chains in the table are deleted.
iptables -Z INPUT # Clear all counters on the specified chain or all chains in the table.
#Add a rule
iptables -A INPUT -s 192.168.1.5 -j DROP
To list all rules with their rule numbers, run:
iptables -L -n --line-numbers
For example, to delete rule number 8 in INPUT, run:
iptables -D INPUT 8
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT # Allow the local loopback interface (that is, allow the local machine to access itself)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #Allow established or related traffic
iptables -A OUTPUT -j ACCEPT #Allow all external access from this machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #Allow access to port 22
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #Allow access to port 80
iptables -A INPUT -p tcp --dport 21 -j ACCEPT #Allow port 21 of ftp service
iptables -A INPUT -p tcp --dport 20 -j ACCEPT #Allow port 20 for FTP service
iptables -A INPUT -j REJECT # Refuse everything not allowed by the rules above (target names are case-sensitive: REJECT, not reject)
iptables -A FORWARD -j REJECT #Prohibit access by other rules that are not allowed
iptables -A INPUT -p tcp -m tcp -s 192.168.0.8 -j DROP # Block a malicious host (for example 192.168.0.8)
iptables -I INPUT -s 123.45.6.7 -j DROP # Block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP # Block the whole segment 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP # Block the segment 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP # Block the segment 123.45.6.1 to 123.45.6.254
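The comments on the /8, /16 and /24 rules above state which addresses each one covers. As an added example (not from the page), the POSIX shell functions below compute the first and last address matched by any -s or -d address[/mask] argument, in CIDR or dotted-mask form as iptables accepts both, so a blocking rule can be checked before it is inserted. The addresses in the test are the ones from the rules above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): work out which addresses an
# iptables -s/-d address[/mask] argument actually matches. Accepts
# 1.2.3.4, 1.2.3.0/24 and 1.2.3.0/255.255.255.0, as iptables does.

# a.b.c.d -> unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> a.b.c.d
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range ADDRESS[/MASK]: print "first last" of the matched block
cidr_range() {
    addr=${1%/*}
    mask_part=${1#*/}
    if [ "$mask_part" = "$1" ]; then
        mask_part=32    # no mask given: iptables treats it as a single host
    fi
    case $mask_part in
        *.*) mask=$(ip_to_int "$mask_part") ;;                               # dotted mask
        *)   mask=$(( (0xffffffff << (32 - mask_part)) & 0xffffffff )) ;;   # prefix length
    esac
    base=$(ip_to_int "$addr")
    first=$(( base & mask ))
    last=$(( first | (mask ^ 0xffffffff) ))
    # Every address in the block matches, including the .0 and .255 ends.
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# cidr_size ADDRESS[/MASK]: number of addresses the rule covers, 2^(32 - prefix)
cidr_size() {
    set -- $(cidr_range "$1")
    echo $(( $(ip_to_int "$2") - $(ip_to_int "$1") + 1 ))
}

# Usage:  cidr_range 123.45.0.0/16   ->  123.45.0.0 123.45.255.255
```

One point the comments above gloss over: a /24 rule matches all 256 addresses of the block, including the network and broadcast addresses, not only .1 to .254, so a rule meant for a single host must carry a /32 (or no mask at all).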
-o only works on the OUTPUT, FORWARD and POSTROUTING chains, for example:
iptables -A FORWARD -o eth0 # Match forwarded packets leaving through eth0 (with no -j target the rule only counts matches)
iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
pkts bytes target prot opt in out source destination
5075 589K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
191K 90M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1499K 133M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4364K 6351M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6256 327K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
pkts bytes target prot opt in out source destination
5075 589K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
The public address is 210.14.67.7; allow the internal network 192.168.188.0/24 to access the Internet:
iptables -t nat -A POSTROUTING -s 192.168.188.0/24 -j SNAT --to-source 210.14.67.127
Port 2222 of the local machine is mapped to port 22 of the intranet virtual machine
iptables -t nat -A PREROUTING -d 210.14.67.127 -p tcp --dport 2222 -j DNAT --to-dest 192.168.188.115:22
For example, to look for the string test in all TCP connections and terminate the connection as soon as it appears:
iptables -A INPUT -p tcp -m string --algo kmp --string "test" -j REJECT --reject-with tcp-reset
iptables -L
#Chain INPUT (policy ACCEPT)
# target prot opt source destination
# REJECT tcp -- anywhere anywhere STRING match "test" ALGO name kmp TO 65535 reject-with tcp-reset
#
#Chain FORWARD (policy ACCEPT)
# target prot opt source destination
#
#Chain OUTPUT (policy ACCEPT)
# target prot opt source destination
iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --algo kmp --string "cmd.exe"
iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT # Accept at most 5 new SYNs per second; SYNs above the limit fall through to the rules or policy after this one, so a later DROP/REJECT rule or a DROP policy is needed for the limit to have any effect
iptables -t mangle -A INPUT -p tcp --src 192.168.1.2 --dport 443 -j SECMARK --selctx system_u:object_r:myauth_packet_t
# Attach the SELinux (MAC) security context system_u:object_r:myauth_packet_t to TCP packets from 192.168.1.2 destined for port 443 on this machine
iptables: user-space (application layer) firewall tool on Linux
netfilter: the packet-processing module inside the Linux kernel
Hook point: the place in netfilter where a packet is handed to the rules: PRE_ROUTING / INPUT / OUTPUT / FORWARD / POST_ROUTING
The 5 iptables chains correspond one-to-one to these hook points.
iptables & netfilter
iptables: 4 tables, 5 chains
iptables rules
filter: access control / rule matching
nat: address translation and forwarding
mangle / raw
Access control: ACCEPT / DROP / REJECT
Packet rewriting (nat -> address translation): SNAT / DNAT
Logging: LOG
Scenario: open tcp ports 10-22 and 80, open icmp, and refuse access to all other ports
Problems that remain: this machine cannot reach itself; this machine cannot reach other hosts
ftp: passive mode by default (the server picks a random port and tells the client, and the client connects to that port to pull the data); vsftpd: enable ftp active mode (the client picks a random port and tells the server, and the server connects to that port to send the data)
Allow external network access: web http -> 80/tcp; https -> 443/tcp; mail smtp -> 25/tcp; smtps -> 465/tcp; pop3 -> 110/tcp; pop3s -> 995/tcp; imap -> 143/tcp
Internal use: file nfs -> 123/udp; samba -> 137/138/139/445/tcp; ftp -> 20/21/tcp; remote ssh -> 22/tcp; sql mysql -> 3306/tcp; oracle -> 1521/tcp
nat forward
Prevent CC attacks
iptables -L / -F / -A / -D # list, flush, append, delete (a mnemonic, not one command)
# scene one
iptables -I INPUT -p tcp --dport 80 -j ACCEPT # Allow tcp port 80
iptables -I INPUT -p tcp --dport 10:22 -j ACCEPT # Allow tcp 10-22 ports
iptables -I INPUT -p icmp -j ACCEPT # Allow icmp
iptables -A INPUT -j REJECT #Add a rule, disallow all
# Optimize scenario one
iptables -I INPUT -i lo -j ACCEPT # Allow local access
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow access to the external network
iptables -I INPUT -p tcp --dport 80 -s 10.10.188.233 -j ACCEPT # Only allow fixed ip to access 80
# Scene 2
vi /etc/vsftpd/vsftpd.conf # Use vsftpd to enable ftp active mode
port_enable=YES
connect_from_port_20=YES
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
vi /etc/vsftpd/vsftpd.conf # It is recommended to use ftp passive mode
pasv_min_port=50000
pasv_max_port=60000
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT
# Alternatively, the nf_conntrack_ftp connection-tracking helper module can open the data ports automatically through the ESTABLISHED,RELATED rule, so the passive range need not be opened by hand
# Scene 3
iptables -I INPUT -i lo -j ACCEPT # Allow local access
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow access to the external network
iptables -I INPUT -s 10.10.155.0/24 -j ACCEPT # Allow intranet access
iptables -I INPUT -p tcp -m multiport --dports 80,1723 -j ACCEPT # Allow ports, 80 -> http, 1723 -> vpn
iptables -A INPUT -j REJECT #Add a rule, disallow all
iptables-save # Save settings to configuration file
# Scene 4
iptables -t nat -L # View nat configuration
iptables -t nat -A POSTROUTING -s 10.10.177.0/24 -j SNAT --to 10.10.188.232 # SNAT (the chain is spelled POSTROUTING)
vi /etc/sysconfig/network # Configure gateway
iptables -t nat -A PREROUTING -d 10.10.188.232 -p tcp --dport 80 -j DNAT --to 10.10.177.232:80 # DNAT is only valid in the PREROUTING and OUTPUT chains of the nat table, not POSTROUTING
# Scene 5
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT # Limit the number of concurrent connection accesses
iptables -I INPUT -m limit --limit 3/hour --limit-burst 10 -j ACCEPT # limit module; --limit-burst defaults to 5