Below is the list of commands and the rules for their use. The command tells iptables what we intend to do, which is usually one of two things: adding a new rule to a chain, or deleting an existing rule from a table. The following are the commands used in iptables.
Table 6-2. Commands
Command -A, --append
Example iptables -A INPUT …
Description Adds a new rule to the end of the specified chain.
Command -D, --delete
Example iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1
Description Deletes a rule from the chain. The command has two forms: in the first, the rule to delete is identified by its match criteria (see the first example); in the second, by its number. If match criteria are given, the rule with exactly those criteria is removed; if a number is given, the rule at that position is removed. Rules in a chain are numbered starting from 1.
Command -R, --replace
Example iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description Replaces the rule at the given position with another one. It is mostly used while debugging new rules.
Command -I, --insert
Example iptables -I INPUT 1 --dport 80 -j ACCEPT
Description Inserts a new rule into the chain. The number following the chain name is the number of the rule before which the new rule is inserted, in other words the position the new rule will occupy. In the example above, the rule becomes rule 1 of the INPUT chain.
Command -L, --list
Example iptables -L INPUT
Description Lists the rules of the given chain; the example lists the rules of the INPUT chain. If no chain is specified, the rules of all chains are listed. The output format depends on the additional keys given with the command, for example -n, -v and others.
Command -F, --flush
Example iptables -F INPUT
Description Flushes (deletes) all rules of the given chain (table). If neither chain nor table is specified, all rules in all chains are deleted. (Translator's note: if no table is given with the -t (--table) key, only the chains of the filter table are flushed.)
Command -Z, --zero
Example iptables -Z INPUT
Description Zeroes all counters in the specified chain. If no chain is specified, all chains are affected. When the -v key is used together with the -L command, the output includes the packet and byte counters of each rule. The -L and -Z commands can be combined: the list of rules with their counters is printed first, and then the counters are reset.
Command -N, --new-chain
Example iptables -N allowed
Description Creates a new chain with the given name in the given table; the example creates a chain named allowed. The name must be unique and must not coincide with the reserved names of chains and actions (such as DROP, REJECT, etc.).
Command -X, --delete-chain
Example iptables -X allowed
Description Deletes the specified chain from the given table. The chain must contain no rules and must not be referenced from other chains. If no name is given, all user-defined chains of the table are deleted; the built-in chains remain.
Command -P, --policy
Example iptables -P INPUT DROP
Description Sets the default policy for the specified chain. The default policy is the action applied to packets that match none of the rules in the chain. The permitted policies are ACCEPT and DROP.
Command -E, --rename-chain
Example iptables -E allowed disallowed
Description Renames a user-defined chain. In the example, the chain allowed is renamed to disallowed. Renaming does not change behaviour; it is purely cosmetic.
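The following script is an added example, not part of the tutorial, that walks through the commands of Table 6-2 against a throw-away user-defined chain (the chain name demo_in is made up for the example). Without root, or with DRY_RUN=1, the commands are only printed, so the sequence can be reviewed before it touches a live firewall; the comments point out where rule numbering shifts after -I and why -F must precede -X.

```sh
#!/bin/sh
# Added example, not from the tutorial: exercise the commands of Table 6-2 on a
# throw-away chain. Without root, or with DRY_RUN=1, commands are printed only.

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ] || [ "$(id -u)" != 0 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

demo_commands() {
    ipt -N demo_in                                   # -N: new chain in the filter table
    ipt -A demo_in -p tcp --dport 22 -j ACCEPT       # -A: append, becomes rule 1
    ipt -A demo_in -p tcp --dport 80 -j ACCEPT       # -A: append, becomes rule 2
    ipt -I demo_in 1 -s 192.168.0.0/24 -j DROP       # -I: insert at position 1; the others shift down
    ipt -R demo_in 1 -s 192.168.0.0/24 -j RETURN     # -R: replace rule 1 in place
    ipt -L demo_in -n -v -x --line-numbers           # -L: list with counters and rule numbers
    ipt -Z demo_in                                   # -Z: zero the counters of the chain
    ipt -D demo_in -p tcp --dport 80 -j ACCEPT       # -D by match: the rule must be given exactly
    ipt -D demo_in 1                                 # -D by number: removes the RETURN rule
    ipt -E demo_in demo_renamed                      # -E: rename; the rules are unchanged
    ipt -F demo_renamed                              # -F: flush; -X below needs an empty chain
    ipt -X demo_renamed                              # -X: delete the now empty, unreferenced chain
}

# Number of iptables invocations the walkthrough issues (always in dry-run mode).
count_commands() {
    ( DRY_RUN=1; export DRY_RUN; demo_commands ) | wc -l | tr -d ' '
}

demo_commands
```

Run it once as a normal user to see the twelve commands in order, then as root to apply them; the -L line in the middle shows the chain after the insert and replace, with rule numbers that the following -D by number refers to.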
A command must always be specified. The list of available commands can be displayed with iptables -h or, equivalently, iptables --help. Some commands can be used together with additional keys. The following is a list of these additional keys and what they do. Note that the keys used to build the criteria (matches) or to specify actions (targets) are not shown here; those options are discussed later.
Table 6-3. Additional keys
Key -v, --verbose
Commands used with --list, --append, --insert, --delete, --replace
Description Used to make the output more informative, typically together with the --list command. With --list, the output additionally shows the interface names and the packet and byte counters of each rule. The counters are printed with the symbolic multipliers K (x1,000), M (x1,000,000) and G (x1,000,000,000). To make --list display exact totals without multipliers, use the -x key described below. When -v (--verbose) is used with --append, --insert, --delete or --replace, a detailed report of the operation is printed.
Key -x, --exact
Commands used with --list
Description Displays all numbers in the output with their exact values, without rounding and without the K, M, G multipliers. This key is only used with the --list command and has no effect with other commands.
Key -n, --numeric
Commands used with --list
Description Makes iptables print IP addresses and port numbers in numeric form, suppressing attempts to resolve them into host and service names. This key is used only with the --list command.
Key --line-numbers
Commands used with --list
Description Shows the number of each rule in the --list output; the number is the rule's position in the chain. This key is used only with the --list command.
Key -c, --set-counters
Commands used with --insert, --append, --replace
Description Sets the initial values of the packet and byte counters when a new rule is created. For example, --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.
Key --modprobe
Commands used with All
Description Tells iptables which command to use to load kernel modules. This key is needed only when the module loader is outside the search path. It can be used with any command.
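Since -v, -x and --line-numbers are mostly used to read rule counters back, here is an added example (not from the tutorial) of doing something with that output: picking out DROP/REJECT rules whose packet counter is non-zero, summing the per-rule counters, and reading the policy counter from the chain header. The listing is constructed by hand to stand in for `iptables -L INPUT -n -v -x --line-numbers`, so the script runs without root or netfilter; the addresses and counts in it are made up.

```sh
#!/bin/sh
# Added example, not from the tutorial: parse the -L -n -v -x --line-numbers
# output and report which rules are actually being hit.

# Constructed stand-in for: iptables -L INPUT -n -v -x --line-numbers
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1523     120400 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2          37       2220 DROP       tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:23
3           0          0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
EOF
}

# Rule lines only: with --line-numbers the first field is the rule number, then
# pkts, bytes and target. Header lines start with "Chain" or "num" and are
# skipped. Because -x prints exact integers, awk can compare them numerically
# (a "12K" printed without -x would not compare correctly).
drop_hits() {
    awk '$1 ~ /^[0-9]+$/ && $2 > 0 && ($4 == "DROP" || $4 == "REJECT") { print }'
}

# Sum of the packet counters over all rules of the chain.
total_pkts() {
    awk '$1 ~ /^[0-9]+$/ { sum += $2 } END { print sum + 0 }'
}

# Packets that matched no rule and fell through to the chain policy, taken from
# the "Chain NAME (policy DROP N packets, M bytes)" header line.
policy_pkts() {
    awk '/^Chain / { for (i = 1; i <= NF; i++) if ($i == "packets,") print $(i - 1) }'
}

# Typical use on a live system: zero the counters, wait, read them back.
#   iptables -Z INPUT; sleep 60; iptables -L INPUT -n -v -x --line-numbers | drop_hits
sample_listing | drop_hits
sample_listing | total_pkts
sample_listing | policy_pkts
```

On the sample, only rule 2 (the telnet DROP) has been hit, the rules account for 1560 packets, and 12 further packets fell through to the DROP policy; the rule number in the first column is what you pass to -D or -R if the rule needs changing.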
Here we look at the criteria used to select packets. I have divided all the criteria into five groups. The first is the general criteria, which can be used in all rules. The second is the TCP criteria, which apply only to TCP packets. The third is the UDP criteria, which apply only to UDP packets. The fourth is the ICMP criteria, for ICMP packets. And finally the fifth is the special criteria, such as state, owner, limit, etc.
6.4.1. General criteria
Here we describe the general criteria. They are acceptable in any rule, do not depend on the protocol type and require no extension to be loaded. I have deliberately placed the --protocol criterion in this group, even though it is used by some protocol-specific extensions: for example, if we decide to use a TCP criterion, we must also use --protocol with the protocol name tcp as its argument. Still, --protocol is by itself a criterion that specifies the protocol type.
Table 6-4. General criteria
Criterion -p, --protocol
Example iptables -A INPUT -p tcp
Description This criterion specifies the protocol type. Examples of protocols are TCP, UDP and ICMP; the list of protocols can be found in /etc/protocols. The protocol name in this criterion can be one of these three, or the keyword ALL. A protocol number may also be given: for example, 1 corresponds to ICMP, 6 to TCP and 17 to UDP; the correspondence between numbers and names can be looked up in /etc/protocols, already mentioned. A list of protocols may be given, separated by commas, for example udp,tcp (the author mentions the possibility of passing a list of protocols; however, man iptables clearly states that only one protocol can be specified for this criterion. Perhaps this extension is available in patch-o-matic? Translator's note.) The numeric value 0 is equivalent to ALL, which is also what is assumed by default when --protocol is not used. For logical inversion of the criterion, the symbol ! is placed before the protocol name (or list of protocols): for example, --protocol ! tcp matches UDP and ICMP packets.
Criterion -s, --src, --source
Example iptables -A INPUT -s 192.168.1.1
Description The source IP address(es) of the packet. The source address can be given as in the example, in which case it refers to a single IP address. It can also be given as address/mask, for example 192.168.0.0/255.255.255.0, or in the more modern form 192.168.0.0/24, which specifies a range of addresses. The symbol ! placed before the address denotes logical negation: --source ! 192.168.0.0/24 refers to any address other than 192.168.0.x.
Criterion -d, --dst, --destination
Example iptables -A INPUT -d 192.168.1.1
Description The destination IP address(es) of the packet. The syntax is the same as for the --source criterion, except that it matches the destination address. In exactly the same way it can specify a single IP address or a range of addresses, and the symbol ! is used for logical inversion of the criterion.
Criterion -i, --in-interface
Example iptables -A INPUT -i eth0
Description The interface on which the packet was received. This criterion is permitted only in the INPUT, FORWARD and PREROUTING chains; in all other cases it causes an error. If no interface is given, any interface is matched, which is equivalent to -i +. As before, the symbol ! negates the result of the match. If the interface name ends with the symbol +, the criterion matches all interfaces whose names begin with the given string: for example, -i ppp+ denotes any ppp interface, and -i ! eth+ any interface except the eth ones.
Criterion -o, --out-interface
Example iptables -A FORWARD -o eth0
Description Specifies the name of the output interface. This criterion is permitted only in the OUTPUT, FORWARD and POSTROUTING chains; otherwise an error message is produced. If no interface is given, any interface is matched, which is equivalent to -o +. As before, the symbol ! negates the result of the match. If the interface name ends with the symbol +, the criterion matches all interfaces whose names begin with the given string: for example, -o eth+ denotes any eth interface, and -o ! eth+ any interface except the eth ones.
Criterion -f, --fragment
Example iptables -A INPUT -f
Description Matches all fragments of a fragmented packet except the first. This is because for such fragments it is impossible to determine the source/destination port, or, for ICMP packets, their type. Fragmented packets can be used to attack your firewall, since the fragments may not be caught by the other rules. As before, the symbol ! can be used to invert the result of the match, but in this case ! must precede the -f criterion, for example ! -f. The inverted criterion is interpreted as "all first fragments of fragmented packets and/or unfragmented packets, but not the second and n
6.4.2. Implicit criteria
In this section we consider the implicit criteria, that is, criteria that are loaded implicitly and become available, for example, when --protocol tcp is specified. At present there are three automatically loadable extensions: the TCP criteria, the UDP criteria and the ICMP criteria (Translator's note: for my rules I had to specify the -m tcp key explicitly, so there is little implicitness to speak of here; be careful when building your rules, and if something does not work, try specifying the required extension explicitly). These extensions can also be loaded explicitly with the -m or --match key, for example -m tcp.
6.4.2.1. TCP criteria
This set of criteria depends on the protocol type and works only for TCP packets. To use them, the rule must specify the protocol type with --protocol tcp. Important: --protocol tcp must come before the specific criterion. These extensions are loaded automatically for the tcp protocol, just as for the udp and icmp protocols. (Translator's note: the implicit loading of extensions I mentioned above.)
Table 6-5. TCP criteria
Criterion --sport, --source-port
Example iptables -A INPUT -p tcp --sport 22
Description The source port from which the packet was sent. The parameter can be a port number or the name of a network service; the correspondence between service names and port numbers can be found in /etc/services. Rules that specify port numbers are processed somewhat faster, but such listings are less convenient to read. If you are going to create large sets of rules, say several hundred or more, port numbers are preferable. A port range can be given as minimum:maximum, for example --source-port 22:80. If the minimum is omitted, i.e. the criterion is written as --source-port :80, the range starts at 0. If the maximum is omitted, i.e. the criterion is written as --source-port 22:, the range ends at 65535. The form --source-port 80:22 is also allowed; in this case iptables swaps the numbers 22 and 80, so the entry is converted to --source-port 22:80. As before, the symbol ! is used for inversion: --source-port ! 22 means any port other than 22. Inversion can also be applied to a port range, for example --source-port ! 22:80. For additional information, see the description of the multiport criterion.
Criterion --dport, --destination-port
Example iptables -A INPUT -p tcp --dport 22
Description The destination port or port range of the packet. The arguments have the same format as for --source-port.
Criterion --tcp-flags
Example iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Description Specifies a mask of TCP flags and the flags that must be set. The packet satisfies the criterion if, among the flags named in the first list, exactly those named in the second list are set and the others are cleared. So for the example above, packets with the SYN flag set and the ACK and FIN flags cleared match. The arguments of the criterion can be the flags SYN, ACK, FIN, RST, URG, PSH and the reserved identifiers ALL and NONE. ALL means all flags and NONE means no flag. Thus --tcp-flags ALL NONE means "all flags in the packet must be cleared". As before, the symbol ! inverts the criterion. Important: the flag names within each list are separated by commas, while the two lists are separated by a space.
Criterion --syn
Example iptables -p tcp --syn
Description The --syn criterion is essentially a relic inherited from ipchains. It matches packets with the SYN flag set and the ACK and FIN flags cleared, so it is equivalent to --tcp-flags SYN,FIN,ACK SYN. Such packets are used to open a TCP connection. By blocking them you reliably block all incoming connection requests, but this criterion cannot block outgoing connection requests. As before, the criterion can be inverted with the symbol !: ! --syn means "all packets that are not connection requests", i.e. all packets with the FIN and ACK flags set.
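To make the mask/compare semantics of --tcp-flags and --syn concrete, here is an added example (not from the tutorial) that models the match decision in shell and applies it to a few constructed flag sets. It shows the point the text only implies: flags outside the mask are ignored, so a packet with SYN,PSH,URG set still satisfies --syn, whereas the stricter --tcp-flags ALL SYN rejects it. The flag sets are made up for the example; none is captured traffic.

```sh
#!/bin/sh
# Added example, not from the tutorial: a model of how --tcp-flags MASK COMP
# decides a match, used to compare --syn with stricter flag rules.

ALL_FLAGS="SYN,ACK,FIN,RST,URG,PSH"

# expand_flags LIST: replace the ALL and NONE keywords with explicit lists.
expand_flags() {
    case "$1" in
        ALL)  printf '%s' "$ALL_FLAGS" ;;
        NONE) printf '' ;;
        *)    printf '%s' "$1" ;;
    esac
}

# has_flag LIST FLAG: succeed if FLAG is one of the comma-separated LIST.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tcp_flags_match MASK COMP PKT: succeed if a packet whose set flags are PKT
# satisfies --tcp-flags MASK COMP. Only the flags in MASK are examined; each
# must be set if it appears in COMP and clear otherwise. Flags outside MASK
# are ignored entirely.
tcp_flags_match() {
    mask=$(expand_flags "$1")
    comp=$(expand_flags "$2")
    pkt=$(expand_flags "$3")
    old_ifs=$IFS
    IFS=,
    for f in $mask; do
        if has_flag "$comp" "$f"; then want=1; else want=0; fi
        if has_flag "$pkt" "$f"; then got=1; else got=0; fi
        if [ "$want" != "$got" ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# syn_match PKT: --syn as the tutorial defines it, i.e. --tcp-flags SYN,FIN,ACK SYN.
syn_match() {
    tcp_flags_match SYN,FIN,ACK SYN "$1"
}

# For a few constructed packets, show which rules they would satisfy.
for pkt in SYN SYN,ACK SYN,PSH,URG NONE ACK,FIN; do
    r1=no; r2=no; r3=no
    syn_match "$pkt"                && r1=yes   # --syn
    tcp_flags_match ALL SYN "$pkt"  && r2=yes   # --tcp-flags ALL SYN (stricter)
    tcp_flags_match ALL NONE "$pkt" && r3=yes   # --tcp-flags ALL NONE (no flag set)
    printf '%-12s --syn=%-3s ALL/SYN=%-3s ALL/NONE=%s\n' "$pkt" "$r1" "$r2" "$r3"
done
```

The table the loop prints shows SYN and SYN,PSH,URG both matching --syn, only a bare SYN matching --tcp-flags ALL SYN, and only the empty flag set matching --tcp-flags ALL NONE. Note that the model follows the tutorial's definition of --syn; current iptables man pages define --syn as also requiring the RST bit to be clear.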
Criterion --tcp-option
Example iptables -p tcp --tcp-option 16
Description A packet satisfies this criterion if it carries a TCP option with the specified number. TCP options are part of the packet header. An option consists of three fields. The first 8-bit field holds the kind of option used by this connection. The second 8-bit field holds the length of the option. If one followed the standards through, all possible options would have to be handled; instead, we can check the first field and, if there is an option not supported by our firewall