TrumanWong

iptables

Commonly used firewall software on Linux

Supplementary instructions

The iptables command is a commonly used firewall tool on Linux and is part of the netfilter project. It can be configured directly on the command line or through many front ends and graphical interfaces.

  • Supplementary instructions
  • Basic parameters
    • Command option input order
    • Working mechanism
    • Firewall policy
    • Examples
      • Clear all current rules and counters
      • Configure to allow ssh port connections
      • Allow the local loopback address to be used normally
      • Set default rules
      • Configure whitelist
      • Open the corresponding service ports
      • Save rules to the configuration file
      • List the rules that have been set
      • Clear existing rules
      • Delete added rules
      • Open the specified ports
      • Block IP
      • Specify the network interface through which packets go out
      • View added rules
      • Start network forwarding rules
      • Port mapping
      • String matching
      • Block Windows worm attacks
      • Prevent SYN flood attacks

Syntax

iptables [options] [parameters]

Options

-t, --table table: Operate on the specified table, which must be one of raw, nat, filter or mangle. If this option is omitted, the filter table is used.

# Generic matches: source address, destination address, protocol and interface
-p, --protocol protocol: Match packets of the given protocol type (for example tcp, udp or icmp).
-s, --source [!] address[/mask]: Match the given address or address range as the source address. Without a mask, address is a single host, e.g. 192.168.1.1; with a mask it denotes a range, e.g. 192.168.1.0/255.255.255.0 (equivalently 192.168.1.0/24). A leading "!" negates the match.
-d, --destination [!] address[/mask]: Same address format as above, but matched against the destination address.
-i, --in-interface [!] interface: Match the network interface the packet arrived on, e.g. the common eth0. Only valid on the INPUT, FORWARD and PREROUTING chains. If omitted, packets from any interface match. As above, "!" negates the match.
-o, --out-interface [!] interface: Match the network interface the packet will leave through. Only valid on the OUTPUT, FORWARD and POSTROUTING chains.

# Listing commands
-L, --list [chain]: List all rules on the given chain, or on every chain of the table if no chain is given.

# Rule management commands
-A, --append chain rule-specification: Append the rule to the end of the chain, so it is checked last. The rule itself is given by the matches that follow.
-I, --insert chain [rulenum] rule-specification: Insert the rule at the given position in the chain. Rule number 1 is the head of the chain, and is also the default when no number is given.
-D, --delete chain rule-specification / -D, --delete chain rulenum: Delete a rule from the chain, identified either by its specification or by its number.
-R, --replace chain rulenum rule-specification: Replace the rule at position rulenum in the chain.

# Chain management commands (these take effect immediately)
-P, --policy chain target: Set the default policy of the chain, i.e. the target applied when no rule matches. Only built-in chains can have a policy; user-defined chains cannot.
-F, --flush [chain]: Delete all rules on the given chain, or on every chain of the table if no chain is given.
-N, --new-chain chain: Create a new user-defined chain with the given name.
-X, --delete-chain [chain]: Delete the given user-defined chain. It must not be referenced by any rule and must contain no rules. If no chain is given, every non-built-in chain in the table is deleted.
-E, --rename-chain old-chain new-chain: Rename a chain. The rules in the chain are not affected.
-Z, --zero [chain]: Reset the packet and byte counters of the given chain, or of every chain in the table.

-j, --jump target: The action to take when the rule matches. The target can be a built-in target such as ACCEPT or DROP, or a user-defined chain.
-h: Display help.

Basic parameters

Parameter      Function
-P             Set the default policy, e.g. iptables -P INPUT DROP
-F             Flush (clear) a rule chain
-L             List a rule chain
-A             Append a new rule at the end of a rule chain
-I num         Insert a new rule at the head of a rule chain (or at position num)
-D num         Delete rule number num
-s             Match the source address (IP/MASK); a leading "!" means "except this address"
-d             Match the destination address
-i interface   Match packets arriving on this network interface
-o interface   Match packets leaving through this network interface
-p             Match the protocol, e.g. tcp, udp, icmp
--dport num    Match the destination port number
--sport num    Match the source port number

Command option input order

iptables -t <table> <-A/-I/-D/-R> <chain> [rule number] <-i/-o interface> -p <protocol> <-s source IP/subnet> --sport <source port> <-d destination IP/subnet> --dport <destination port> -j <action>

Working Mechanism

The rule chain names (also known as the five hook functions) are:

  • INPUT chain: handles packets arriving for this host.
  • OUTPUT chain: handles packets generated by this host.
  • FORWARD chain: handles packets being forwarded through this host.
  • PREROUTING chain: used for destination address translation (DNAT).
  • POSTROUTING chain: used for source address translation (SNAT).

Firewall policy

Firewall policies are generally divided into two types: the 'pass' policy and the 'block' policy. Under the pass policy the door is closed by default, and you must define who may enter. Under the block policy the door is open, but everyone must pass identity authentication, otherwise they cannot enter. So we have to define who may come in and who may go out: to 'pass' means letting everyone through, to 'block' means choosing. When defining a policy, several functions have to be defined separately: the filter function, which states which packets are allowed or not allowed, and the nat function, which defines address translation. To let these functions work together, the concept of a "table" was introduced to define and distinguish the various functions and processing methods.

There are three functions we use now:

  1. Filter defines what is allowed or not allowed, and can only be done on three chains: INPUT, FORWARD, OUTPUT
  2. NAT defines address translation, which can only be done on three chains: PREROUTING, OUTPUT, POSTROUTING
  3. Mangle function: Modify the original data of the message, which can be done in 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Modifying the original packet data means, for example, changing the TTL: the packet's metadata can be unpacked and its contents marked or modified. Firewall marks are in fact implemented by mangle.

Small extension:

  • Generally speaking, filters can only be used on three chains: INPUT, FORWARD, and OUTPUT.
  • For nat, it can generally only be done on three chains: PREROUTING, OUTPUT, POSTROUTING
  • Mangle can do all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

iptables (the user-space side of iptables/netfilter) is not a service itself: it loads rules into the kernel, and they take effect immediately. Our iptables is nevertheless packaged as a service that can be started and stopped: starting it applies the saved rules, and stopping it removes them.

iptables also lets you define your own chains, but a user-defined chain must be reached from a built-in chain: a rule in the built-in chain jumps to the custom chain, the packet is checked against that chain's rules, and if none of them decides it returns to the built-in chain, where checking continues.

Note: the order of the rules is critical. The stricter a rule, the higher it should be placed, because rules are checked from top to bottom and the first match decides.

Table names include:

  • raw: Advanced features such as URL filtering.
  • mangle: Packet modification (QOS), used to achieve quality of service.
  • nat: Address translation, used for gateway routers.
  • filter: Packet filtering, used for firewall rules.

Actions include:

  • ACCEPT: Accept the packet.
  • DROP: Drop the packet silently.
  • REDIRECT: Redirection, port mapping, transparent proxy.
  • SNAT: Source address translation.
  • DNAT: Destination address translation.
  • MASQUERADE: IP masquerading (NAT), e.g. for ADSL links.
  • LOG: Logging.
  • SECMARK: Attach a SECMARK security context for in-domain Mandatory Access Control (MAC).
                             ┏╍╍╍╍╍╍╍╍╍╍╍╍╍╍╍┓
 ┌───────────────┐           ┃    Network    ┃
 │ table: filter │           ┗━━━━━━━┳━━━━━━━┛
 │ chain: INPUT  │◀────┐             │
 └───────┬───────┘     │             ▼
         │             │   ┌───────────────────┐
  ┌      ▼      ┐      │   │ table: nat        │
  │local process│      │   │ chain: PREROUTING │
  └             ┘      │   └─────────┬─────────┘
         │             │             │
         ▼             │             ▼              ┌─────────────────┐
┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅    │     ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅      │table: filter    │
 Routing decision      └──── Routing decision ─────▶│chain: FORWARD   │
┅┅┅┅┅┅┅┅┅┳┅┅┅┅┅┅┅┅┅          ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅      └────────┬────────┘
         │                                                   │
         ▼                                                   │
 ┌───────────────┐                                           │
 │ table: nat    │           ┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅┅               │
 │ chain: OUTPUT │    ┌────▶ Routing decision ◀──────────────┘
 └───────┬───────┘    │      ┅┅┅┅┅┅┅┅┳┅┅┅┅┅┅┅┅
         │            │              │
         ▼            │              ▼
 ┌───────────────┐    │   ┌────────────────────┐
 │ table: filter │    │   │ table: nat         │
 │ chain: OUTPUT ├────┘   │ chain: POSTROUTING │
 └───────────────┘        └──────────┬─────────┘
                                     │
                             ┏╍╍╍╍╍╍╍╍╍╍╍╍╍╍╍┓
                             ┃    Network    ┃
                             ┗━━━━━━━━━━━━━━━┛

Examples

Clear all current rules and counts

iptables -F # Flush all firewall rules
iptables -X # Delete user-defined (empty) chains
iptables -Z # Zero the packet and byte counters

Configure to allow ssh port connection

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# 22 is the ssh port. -s 192.168.1.0/24 allows only machines in this subnet to connect; addresses in other subnets cannot log in to this machine. -j ACCEPT accepts matching packets.

Allow the local loopback address to be used normally

iptables -A INPUT -i lo -j ACCEPT
# The local loopback address 127.0.0.1 is used by this machine to talk to itself; allow it both inbound and outbound
iptables -A OUTPUT -o lo -j ACCEPT

Set default rules

iptables -P INPUT DROP # Default: deny incoming packets
iptables -P FORWARD DROP # Default: do not forward
iptables -P OUTPUT ACCEPT # Default: allow outgoing packets

Configure whitelist

iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT # Allow intranet machines in the server room to access
iptables -A INPUT -p all -s 192.168.140.0/24 -j ACCEPT # Allow intranet machines in the server room to access
iptables -A INPUT -p tcp -s 183.121.3.7 --dport 3380 -j ACCEPT # Allow 183.121.3.7 to access port 3380 of this machine

Open the corresponding service port

iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Open port 80, the port the web server exposes to the outside
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT # Allow this machine to be pinged (ICMP echo request)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Traffic belonging to established connections must be let in

Save rules to configuration file

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak # Back up before changing anything; keep this good habit
iptables-save > /etc/sysconfig/iptables
cat /etc/sysconfig/iptables

List the rules that have been set

iptables -L [-t table] [chain]

  • Four table names: raw, nat, filter, mangle
  • Five rule chain names: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
  • The filter table contains three rule chains: INPUT, OUTPUT and FORWARD

iptables -L -t nat # List all rules in the nat table
# ^ the -t argument must be one of raw, nat, filter, mangle
iptables -L -t nat --line-numbers # Rules with their numbers
iptables -L INPUT # Rules on the INPUT chain of the filter table

iptables -L -nv # Numeric (-n), verbose (-v) listing: more detailed, with packet and byte counters

Clear existing rules

iptables -F INPUT # Flush all rules on the specified chain INPUT
iptables -X INPUT # Delete the specified chain. It must not be referenced by any rule and must contain no rules
                  # (a built-in chain such as INPUT cannot be deleted). If no chain name is given, all non-built-in chains in the table are deleted.
iptables -Z INPUT # Reset the counters of the specified chain, or of all chains in the table if none is given.

Delete added rules

# Add a rule
iptables -A INPUT -s 192.168.1.5 -j DROP

List all iptables rules with line numbers:

iptables -L -n --line-numbers

For example, to delete the rule with serial number 8 in INPUT, execute:

iptables -D INPUT 8

Open the specified port

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT # Allow the local loopback interface (the machine accessing itself)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow established or related traffic
iptables -A OUTPUT -j ACCEPT # Allow all outbound access from this machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow access to port 22 (ssh)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Allow access to port 80 (http)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # Allow port 21 of the ftp service (control)
iptables -A INPUT -p tcp --dport 20 -j ACCEPT # Allow port 20 of the ftp service (data)
iptables -A INPUT -j REJECT # Reject everything not allowed above (target names are case-sensitive: REJECT, not reject)
iptables -A FORWARD -j REJECT # Reject all forwarding not allowed above

Block IP

iptables -A INPUT -p tcp -m tcp -s 192.168.0.8 -j DROP # Block TCP from a malicious host (for example 192.168.0.8)
iptables -I INPUT -s 123.45.6.7 -j DROP # Block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP # Block the whole /8 segment, 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP # Block the /16 segment 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP # Block the /24 segment 123.45.6.1 to 123.45.6.254

Specify the network interface through which the data packet goes out

-o only works on three chains: OUTPUT, FORWARD and POSTROUTING.

iptables -A FORWARD -o eth0 # Match forwarded packets leaving through eth0 (with no -j target, the rule only counts them)

View added rules

iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
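The listing above is a first-match chain: packets are checked from the top and the chain policy applies only when no rule hits, which is why the "Working mechanism" note says order is critical. The following added example (not code from the original page) parses this listing format, evaluates constructed packets against it, and shows why the DROP rule from "Delete added rules" behaves differently when appended with -A than when inserted with -I; the listing is a constructed sample with the same rules as above.

```python
"""Simulate first-match evaluation of an iptables INPUT chain.
Parses `iptables -L -n -v` output and walks the rules top to bottom: the
first matching rule decides, otherwise the chain policy applies."""
import ipaddress
import re

# Constructed sample listing (same rules as the page's `iptables -L -n -v` output).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
"""


def parse_chain(listing):
    """Return (policy, rules) for the chain in the listing."""
    lines = listing.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." line and the column header
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra matches]
        extra = f[9] if len(f) > 9 else ""
        dport = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        rules.append({"target": f[2], "prot": f[3], "in": f[5],
                      "src": ipaddress.ip_network(f[7]),
                      "dport": int(dport.group(1)) if dport else None,
                      "states": set(state.group(1).split(",")) if state else None})
    return policy, rules


def matches(rule, pkt):
    """pkt: dict with proto, iface, src and optionally dport and state."""
    return (rule["prot"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport"))
            and (rule["states"] is None or pkt.get("state") in rule["states"]))


def first_match(policy, rules, pkt):
    """Walk the chain top to bottom; the first hit decides, else the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def block_host_rule(host):
    """Rule equivalent to `iptables -A/-I INPUT -s <host> -j DROP`."""
    return {"target": "DROP", "prot": "all", "in": "*",
            "src": ipaddress.ip_network(host), "dport": None, "states": None}


def verdicts_for_blocked_host(host="192.168.1.5"):
    """Same DROP rule appended (-A, checked last) vs inserted (-I, checked first)."""
    policy, rules = parse_chain(SAMPLE_LISTING)
    pkt = {"proto": "tcp", "iface": "eth0", "src": host, "dport": 22, "state": "NEW"}
    appended = first_match(policy, rules + [block_host_rule(host)], pkt)
    inserted = first_match(policy, [block_host_rule(host)] + rules, pkt)
    return appended, inserted  # → ("ACCEPT", "DROP")
```

With -A the DROP lands after the "tcp dpt:22" ACCEPT and never sees the SSH SYN; with -I it is checked first, which is the case the page's "Block IP" examples rely on.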

Start network forwarding rules

The host with public address 210.14.67.7 lets the internal network 192.168.188.0/24 reach the Internet by source NAT:

iptables -t nat -A POSTROUTING -s 192.168.188.0/24 -j SNAT --to-source 210.14.67.127

Port Mapping

Map port 2222 of the local machine to port 22 of an intranet virtual machine:

iptables -t nat -A PREROUTING -d 210.14.67.127 -p tcp --dport 2222 -j DNAT --to-dest 192.168.188.115:22

String matching

For example, to look for the string "test" in all TCP connections and terminate the connection as soon as it appears:

iptables -A INPUT -p tcp -m string --algo kmp --string "test" -j REJECT --reject-with tcp-reset
iptables -L

#Chain INPUT (policy ACCEPT)
# target prot opt source destination
# REJECT tcp -- anywhere anywhere STRING match "test" ALGO name kmp TO 65535 reject-with tcp-reset
#
#Chain FORWARD (policy ACCEPT)
# target prot opt source destination
#
#Chain OUTPUT (policy ACCEPT)
# target prot opt source destination

Prevent Windows worm attacks

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --algo kmp --string "cmd.exe"

Prevent SYN flood attacks

iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT # Accept at most 5 new connections (SYN) per second; SYNs above that rate fall through to the rules below and finally to the chain policy

Add SECMARK record

iptables -t mangle -A INPUT -p tcp --src 192.168.1.2 --dport 443 -j SECMARK --selctx system_u:object_r:myauth_packet_t
# Attach the MAC security context system_u:object_r:myauth_packet_t to TCP packets sent from 192.168.1.2 to port 443 of this machine

More examples

Use iptables to build a powerful security shield: http://www.imooc.com/learn/389

iptables: firewall tool in the application layer (user space) of Linux

  • iptables' 5 chains correspond to the netfilter hook points
  • netfilter: the packet-processing module inside the Linux kernel
  • Hook point: the point in netfilter where a packet is intercepted: PRE_ROUTING / INPUT / OUTPUT / FORWARD / POST_ROUTING

(figure: iptables & netfilter)

(figure: iptables, 4 tables and 5 chains)

(figure: iptables rules)

  • 4 tables

    filter: access control / rule matching; nat: address translation; mangle / raw

  • rules

    Data access control: ACCEPT / DROP / REJECT; packet rewriting (nat -> address translation): snat / dnat; information recording: log

Usage scenario examples

  • Scenario 1

    Open tcp ports 10-22 and 80, open icmp, and prohibit access to all other ports.

    Resulting problems: the machine cannot access itself; the machine cannot access other hosts.

  • Scenario 2

    ftp: passive mode by default (the server generates a random port and tells the client, and the client actively connects to that port to pull data). vsftpd: enable ftp active mode (the client generates a random port and notifies the server, and the server actively connects to that port to send data).

  • Scenario 3

    Allowed from the external network:
      web    http -> 80/tcp; https -> 443/tcp
      mail   smtp -> 25/tcp; smtps -> 465/tcp; pop3 -> 110/tcp; pop3s -> 995/tcp; imap -> 143/tcp

    Internal use only:
      file   nfs -> 123/udp; samba -> 137/138/139/445/tcp; ftp -> 20/21/tcp
      remote ssh -> 22/tcp
      sql    mysql -> 3306/tcp; oracle -> 1521/tcp

  • Scenario 4

    nat forwarding

  • Scenario 5

    Prevent CC attacks

# -L list, -F flush, -A append, -D delete
# Scenario 1
iptables -I INPUT -p tcp --dport 80 -j ACCEPT # Allow tcp port 80
iptables -I INPUT -p tcp --dport 10:22 -j ACCEPT # Allow tcp ports 10-22
iptables -I INPUT -p icmp -j ACCEPT # Allow icmp
iptables -A INPUT -j REJECT # Append a last rule that rejects everything else

# Scenario 1, optimised
iptables -I INPUT -i lo -j ACCEPT # Allow local (loopback) access
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow replies to connections this host opened, so it can reach the external network
iptables -I INPUT -p tcp --dport 80 -s 10.10.188.233 -j ACCEPT # Only allow a fixed IP to access port 80

# Scenario 2
vi /etc/vsftpd/vsftpd.conf # Enable ftp active mode in vsftpd
port_enable=YES
connect_from_port_20=YES
iptables -I INPUT -p tcp --dport 21 -j ACCEPT

vi /etc/vsftpd/vsftpd.conf # ftp passive mode is recommended; pin the data port range
pasv_min_port=50000
pasv_max_port=60000
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT

# Alternatively, load the connection-tracking ftp helper (nf_conntrack_ftp) so the data port is opened automatically through the RELATED state

# Scenario 3
iptables -I INPUT -i lo -j ACCEPT # Allow local (loopback) access
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow replies to connections this host opened
iptables -I INPUT -s 10.10.155.0/24 -j ACCEPT # Allow intranet access
iptables -I INPUT -p tcp -m multiport --dports 80,1723 -j ACCEPT # Allow ports 80 (http) and 1723 (vpn)
iptables -A INPUT -j REJECT # Append a last rule that rejects everything else

iptables-save > /etc/sysconfig/iptables # Save the rules to the configuration file

# Scenario 4
iptables -t nat -L # View the nat configuration

iptables -t nat -A POSTROUTING -s 10.10.177.0/24 -j SNAT --to 10.10.188.232 # SNAT (chain name is POSTROUTING)
vi /etc/sysconfig/network # Configure gateway

iptables -t nat -A PREROUTING -d 10.10.188.232 -p tcp --dport 80 -j DNAT --to 10.10.177.232:80 # DNAT (only valid in PREROUTING and OUTPUT)

# Scenario 5
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT # Reject new connections to port 80 once a source address has more than 100 concurrent connections
iptables -I INPUT -m limit --limit 3/hour --limit-burst 10 -j ACCEPT # limit module: accept an initial burst of 10, then 3 packets per hour (--limit-burst defaults to 5)