Iptables settings


INPUT: traffic from the external network into this machine
OUTPUT: traffic from this machine out to the external network
Rules are matched from the top down.
1) Open ports
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
-p protocol, --dport destination port, -j target: ACCEPT accepts, REJECT rejects, DROP discards
iptables -I INPUT 5 -p tcp --dport 9443 -j ACCEPT
-I inserts a rule at a given position, here as rule 5 of the INPUT chain. Rules are evaluated in order, so a rule that opens a port must sit in front of any rule that would block that port.
2) Delete a rule
iptables -D INPUT num
num is the rule number
3) View rules
/etc/init.d/iptables status
or
iptables -L
4) Save changes
/etc/init.d/iptables save
http://blog.chinaunix.net/uid-26495963-id-3279216.html
http://www.linuxso.com/linuxpeixun/10332.html
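The rules from this section can also be written as one iptables-restore file, so that the whole INPUT policy and the order of its rules are visible in one place and are loaded atomically rather than one -A/-I at a time. This is an added example, not code from the original post: ports 8080/9443, the 172.16.0.0/16 UDP/53 refusal and the save command are the page's; the loopback, conntrack and port 22 rules are assumptions about a typical default-deny host.

```shell
#!/bin/sh
# Added example, not from the original post: render the INPUT policy as an
# iptables-restore file so rule order is explicit and the load is atomic.
# Ports 8080/9443 come from the page; lo, conntrack and port 22 are assumptions.

render_ruleset() {
    cat <<'EOF'
*filter
# default policies: the door is closed for INPUT, open for OUTPUT
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the stricter rule sits above the broader one: first match wins
-A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j REJECT
-A INPUT -p udp --dport 53 -j ACCEPT
# remote administration and the application ports in one multiport rule
-A INPUT -p tcp --syn -m multiport --dports 22,8080,9443 -j ACCEPT
COMMIT
EOF
}

# rule_line PATTERN: line number of the first ruleset line matching PATTERN
# (empty when there is none); used to verify ordering before loading
rule_line() {
    render_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# ordering_ok: the 172.16.0.0/16 REJECT must precede the general UDP/53 ACCEPT
ordering_ok() {
    r=$(rule_line 'udp --dport 53 -j REJECT')
    a=$(rule_line 'udp --dport 53 -j ACCEPT')
    [ -n "$r" ] && [ -n "$a" ] && [ "$r" -lt "$a" ]
}

# apply_ruleset: parse with --test first, then load atomically and persist it
# the way the page does; requires root and is not called automatically here
apply_ruleset() {
    ordering_ok || { echo "rule order wrong, refusing to load" >&2; return 1; }
    tmp=$(mktemp) || return 1
    render_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp" \
        && /etc/init.d/iptables save
    status=$?
    rm -f "$tmp"
    return $status
}
```

Run `sh -c '. ./ruleset.sh && apply_ruleset'` as root to load it; `render_ruleset` alone lets you review the file first.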
Firewall policy generally comes in two kinds: a pass policy and a block policy. With a pass policy the door is closed by default and you must define who is allowed in. With a block policy the door is open, but you must prove your identity or you cannot pass. So when we define rules we define both sides: what is let in, what is let out, what passes and what is blocked. Defining a policy also involves more than one function: filter decides whether a packet is allowed or not, and nat performs address translation. So that these functions can be applied in turn, netfilter organises rules into tables, one table per function.
We now have three such tables:
1. filter: defines what is allowed or not allowed
2. nat: defines address translation
3. mangle: modifies packet data
mangle can alter the original packet, for example its TTL, and can mark packets so that later rules act on the mark; firewall marking is in fact implemented by mangle.
A small extension:
The filter table can use only 3 chains: INPUT, FORWARD, OUTPUT
The nat table can use only 3 chains: PREROUTING, OUTPUT, POSTROUTING
The mangle table can use all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
iptables (the user-space tool) hands rules to netfilter; it is not a service in itself, and a rule takes effect the moment it is entered. Distributions nonetheless package iptables as a service that can be started and stopped: starting it loads the saved rules so they take effect, stopping it withdraws them.
iptables supports user-defined chains, but a chain you define must be attached to a built-in chain: a rule in the built-in chain sends matching packets to the custom chain, and when the custom chain finishes, evaluation returns to the built-in chain and continues with the next rule there.
Note: the order of rules is critical. Rules are checked from the top down, so the stricter (more specific) a rule is, the nearer the top it should sit.
Formulating rules:
iptables rules are defined in a fairly involved format:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: filter (the default), nat or mangle
COMMAND: how to manage rules
chain: which chain the rule belongs to; when defining a default policy only the chain is given and the rest can be omitted
CRITERIA: the match criteria
-j ACTION: what to do with a matching packet
For example: 172.16.0.0/24 is not allowed access.
iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
Or, to refuse explicitly instead of silently (this replaces rule 1 of INPUT):
iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT
# check the defined rules with the view commands below
Detailed COMMAND:
1. Chain management commands (these take effect immediately)
-P: set the default policy (is the door closed or open by default)
There are generally only two default policies:
iptables -P INPUT (DROP|ACCEPT): closed by default / open by default
For example:
INPUT DROP refuses by default. If no further rules are defined, every inbound connection, including remote sessions such as Xshell, is refused.
-F: FLUSH, empty a chain (note the administrative rights on each chain)
iptables -t nat -F PREROUTING
Empties the PREROUTING chain of the nat table (omit the chain name to empty every chain in the table)
-N: NEW, create a user-defined chain
-N inbound_tcp_web creates a chain used to check inbound TCP web traffic
-X: delete a user-defined chain
Used like -N, but the chain must be emptied before it can be deleted
-E: rename a user-defined chain
-E oldname newname
-Z: zero the counters of a chain and of its default policy (each rule has two counters: how many packets and how many bytes it matched)
2. Rule management commands
-A: append, add a rule at the end of the current chain
-I num: insert, insert the rule at position num of the current chain
-I 3: insert as rule 3
-R num: replace/modify rule number num
-R 3 ...: replace rule 3
-D num: delete, delete the rule with number num explicitly
3. View management command: -L
Sub-options attached to -L:
-n: show IP addresses numerically; without -n, addresses are reverse-resolved to host names
-v: show details
-vv
-vvv: more details
-x: show exact counter values, no unit conversion
--line-numbers: show the rule numbers
-t nat: show the nat table instead of the default filter table
Detailed match criteria
1. Generic matches: source and destination address matching
-s: match the source address; host names cannot be given here, it must be an IP
IP | IP/MASK | 0.0.0.0/0.0.0.0
An address can be negated by prefixing it with !, meaning anything other than that IP
-d: match the destination address
-p: match the protocol (usually one of three: tcp/udp/icmp)
-i eth0: the packet entered through this interface
The inbound interface is generally used on PREROUTING and INPUT
-o eth0: the packet leaves through this interface
The outbound interface is used on OUTPUT and POSTROUTING
2. Extension matches
2.1 Implicit extensions: extensions to the protocol given with -p
-p protocol extensions. There are generally three kinds:
--dport XX-XX: the destination port; several non-contiguous ports cannot be given, only a single port or a range, e.g.
--dport 21, or --dport 21-23 (21,22,23)
--sport: the source port
--tcp-flags: TCP flags (SYN,ACK,FIN,PSH,RST,URG)
It usually takes two arguments:
1. the flags to check (the mask)
2. the flags among those that must be set to 1
--tcp-flags SYN,ACK,FIN,RST SYN = --syn
Check these 4 bits: SYN must be 1 and the other three must be 0. That identifies the first packet of the three-way handshake. Matching this first packet, the one with only SYN set, has the shorthand --syn.
-p udp: UDP protocol extensions
--dport
--sport
-p icmp: ICMP extensions for the message type
--icmp-type:
echo-request is usually written as type 8
--icmp-type 8 matches echo request packets
echo-reply is usually written as type 0
2.2 Explicit extensions (-m)
Extension modules
-m multiport: enables the multiport extension
Then you can use, for example, --dports 21,23,80
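To make the two-argument form of --tcp-flags concrete, here is an added shell model of how "MASK COMP" is evaluated; it is not iptables code and not from the original post. Flags are passed as comma-separated names such as "SYN,ACK", and the model shows why "--tcp-flags SYN,ACK,FIN,RST SYN" is the same test as "--syn" while flags outside the mask (PSH, URG) are ignored.

```shell
#!/bin/sh
# Added example, not from the original post: a shell model of how
# "-p tcp --tcp-flags MASK COMP" decides a match. Flags are comma-separated
# names, e.g. "SYN,ACK"; this is an illustration, not iptables code.

# has_flag LIST FLAG: true if FLAG is one of the names in LIST
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tcp_flags_match MASK COMP PKT: every flag in MASK is examined; those also
# listed in COMP must be set in PKT, the rest of MASK must be clear, and
# flags outside MASK (PSH, URG ...) are ignored, as the real match does
tcp_flags_match() {
    mask=$1; comp=$2; pkt=$3
    for f in $(printf '%s' "$mask" | tr ',' ' '); do
        if has_flag "$comp" "$f"; then
            has_flag "$pkt" "$f" || return 1             # required bit is 0
        else
            if has_flag "$pkt" "$f"; then return 1; fi   # must-be-0 bit is 1
        fi
    done
    return 0
}

# syn_match PKT: the shorthand --syn, i.e. the first packet of the handshake
syn_match() {
    tcp_flags_match SYN,ACK,FIN,RST SYN "$1"
}

# describe PKT: which handshake step a packet's flags correspond to
describe() {
    if syn_match "$1"; then echo "step 1: client SYN"
    elif tcp_flags_match SYN,ACK,FIN,RST SYN,ACK "$1"; then echo "step 2: server SYN-ACK"
    elif tcp_flags_match SYN,ACK,FIN,RST ACK "$1"; then echo "step 3 or data: ACK"
    else echo "not a handshake segment"
    fi
}
```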
Detailed -j ACTION
Common ACTIONs:
DROP: silently discard
DROP is generally used to hide our presence, and our rule list, from the sender
REJECT: refuse explicitly (an error is sent back to the sender)
ACCEPT: accept
custom_chain: jump to a custom chain
DNAT
SNAT
MASQUERADE: source address masquerading
REDIRECT: redirection, mainly used to implement port redirection
MARK: firewall marking
RETURN: return
After a custom chain has been processed, return to the chain it was called from.