Iptables principle

Add Date : 2018-11-21

One, Iptables principle

Firewalls today fall into three types: packet filtering, application proxy, and stateful inspection.

Packet-filtering firewall: the static packet filters that used to be on the market have all but disappeared, replaced by dynamic packet-filtering technology.

Application-proxy firewall: some crafted packets, such as the well-known SYN attack and ICMP flood, pass a packet filter easily, so the application proxy appeared: a proxy server that forwards traffic on the user's behalf, keeps the internal hosts hidden, and applies a newer technique, application-protocol analysis.

Stateful-inspection firewall: an evolution of dynamic packet filtering with a state-tracking module added, which turns it into session filtering. Session state is kept only for a limited time, and the firewall can also analyse packet contents, so it avoids opening too many ports.

The netfilter/iptables packet-filtering system consists of two components, netfilter and iptables. netfilter is the part integrated into the kernel; its role is to hold and apply the rules. iptables is the user-space tool used to modify the filter rules and other configuration; we use it to write the rules our environment needs, and those rules are stored in kernel space.

netfilter is a generic framework in the Linux kernel. It provides a series of tables, each table is made up of several chains, and each chain may consist of one or more rules. In short, netfilter is a container of tables, a table is a container of chains, and a chain is a container of rules.

Built-in chains in iptables

PREROUTING: before the packet enters this machine, ahead of the routing decision

INPUT: after the routing decision, when the destination is this machine

FORWARD: after the routing decision, when the destination is not this machine

OUTPUT: packets generated by this machine and sent outward

POSTROUTING: after the routing decision, just before the packet is handed to the network interface

Two, iptables basic usage

The basic syntax:

iptables [-t table] COMMAND CHAIN CRITERIA -j TARGET

-t table:

nat, mangle, raw, filter

Default: filter

COMMAND (chain management):

-F: (Flush) empty a chain of its rules

-N: (New) create a custom chain

-X: (Delete) delete an empty custom chain

-Z: (Zero) reset the packet and byte counters

-P: (Policy) set the default policy; for the filter table the default is ACCEPT or DROP

-E: rename a custom chain

CHAIN: the chain the rule is placed in

CRITERIA: the matching criteria

TARGET: what to do with a matching packet

Common targets

DROP: discard silently; we usually prefer DROP because it hides the host and hides what is being filtered

REJECT: refuse explicitly (the sender gets an error reply)

ACCEPT: accept

DNAT: destination address translation

SNAT: source address translation

MASQUERADE: source address masquerading

REDIRECT: redirection, mainly used for port redirection

MARK: set a firewall mark on the packet

RETURN: used when a custom chain has finished, to return to the chain it was called from

Rule management

-A: (Append) add one or more rules at the end of the selected chain

-I: (Insert) insert one or more rules into the selected chain at the given rule number

-D: (Delete) delete one or more rules from the selected chain

-R: (Replace) replace a rule in the selected chain

Common query options (-L, list)

-n: show addresses and ports numerically, without name lookups

-v: verbose output

-vvv: the more v's, the more detail

--line-numbers: show rule numbers

-x: exact; print the counters as exact values instead of converting them to K/M/G units

Columns of the listing:

pkts bytes target prot opt in out source destination

pkts: the number of packets this rule has matched

bytes: the total size of all packets this rule has matched, shown with unit conversion unless -x is given

target: the target, i.e. the handling mechanism

prot: protocol, typically {tcp | udp | icmp}

opt: options

in: incoming interface of the packet

out: outgoing interface of the packet

source: source address

destination: destination address

Three, the matching criteria

Generic matches

-s address: match the source IP address; can be a host IP or a network address; prefix with ! to negate

--src, --source (long forms)

-d address: match the destination IP address

--dst, --destination (long forms)

-p protocol: match the protocol; the three common ones are tcp, udp, icmp

-i ethX: the interface the packet arrives on; valid in PREROUTING, INPUT, FORWARD

-o ethX: the interface the packet leaves by; valid in OUTPUT, FORWARD, POSTROUTING

Extended matches

Implicit extensions: when -p {tcp | udp | icmp} is given, that protocol's options can be used directly, without -m

-p tcp

--sport PORT[:PORT]: source port, or a contiguous range of ports

--dport PORT[:PORT]: destination port, or a contiguous range of ports

--tcp-flags MASK COMP: two comma-separated lists of TCP flags; the first lists the flags to examine, the second those that must be set (1); flags in the first list but not in the second must be clear

eg: --tcp-flags SYN,ACK,RST,FIN SYN (of SYN, ACK, RST and FIN only SYN is set: a connection request)

-p udp

--sport PORT[:PORT]: source port, or a contiguous range of ports

--dport PORT[:PORT]: destination port, or a contiguous range of ports

-p icmp

--icmp-type TYPE

echo-request (ping request), usually written as 8

echo-reply (ping reply), usually written as 0

Explicit extensions: -m must name the extension module to load

multiport: multi-port match

Matches several ports, contiguous or not; up to 15 ports, separated by commas (a range is written port:port)

iptables -I INPUT -d <SERVER_IP> -p tcp -m multiport --dports 22,80 -j ACCEPT

iptables -I OUTPUT -s <SERVER_IP> -p tcp -m multiport --sports 22,80 -j ACCEPT

iprange: match addresses in a given range

Useful for matching a contiguous block of addresses that is not a whole network;

Specific options:

[!] --src-range IP[-IP]

[!] --dst-range IP[-IP]

iptables -A INPUT -d <SERVER_IP> -p tcp --dport 23 -m iprange --src-range <FIRST_IP>-<LAST_IP> -j ACCEPT

iptables -A OUTPUT -s <SERVER_IP> -p tcp --sport 23 -m iprange --dst-range <FIRST_IP>-<LAST_IP> -j ACCEPT

string: string match; detects a string in the application-layer payload

Efficient string-search algorithms are used for the check: kmp, bm

Specific options:

--algo {kmp | bm}

--string "STRING"

--hex-string "HEX_STRING": the pattern given in hexadecimal;

iptables -I OUTPUT -m string --algo kmp --string "sex" -j DROP

time: time-based access control

Specific options:

--datestart YYYY[-MM][-DD[Thh[:mm[:ss]]]]

--timestart hh:mm[:ss]

--timestop hh:mm[:ss]

--weekdays day[,day] (Mon, Tue, ...)

iptables -I INPUT -d <SERVER_IP> -p tcp --dport 80 -m time --timestart 08:20 --timestop 18:40 --weekdays Mon,Tue,Thu,Fri -j REJECT

Note that the time match compares against UTC unless --kerneltz is given, so check the host's timezone before relying on it.

connlimit: limit the number of concurrent connections each source IP may open;

Specific options:

[!] --connlimit-above n

iptables -A INPUT -d <SERVER_IP> -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP

limit: rate limiting

Specific options:

--limit n[/second|/minute|/hour|/day]

--limit-burst n

iptables -A INPUT -d <SERVER_IP> -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT

state: connection-state check

Specific options:

--state STATE[,STATE]

Connection-tracking states:

NEW: a packet opening a new session

ESTABLISHED: part of an already established connection

RELATED: a new connection related to an existing one (for example the FTP data connection)

INVALID: a packet that cannot be associated with any known connection

Adjust the maximum number of connections the tracking table can hold:

/proc/sys/net/nf_conntrack_max

All connections currently tracked:

/proc/net/nf_conntrack

Per-protocol timeouts and other tracking properties:

the /proc/sys/net/netfilter directory

Allowing a passive-mode FTP service:

1, load the module from /lib/modules/KERNEL_VERSION/kernel/net/netfilter/

Module: nf_conntrack_ftp

2, allow the request packets:

(1) allow NEW-state packets to port 21;

(2) allow ESTABLISHED- and RELATED-state packets

3, allow the response packets:

(1) allow ESTABLISHED- and RELATED-state packets
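The three steps above as one iptables-restore ruleset, added here as an example (not code from the original article). It assumes the FTP daemon listens on port 21, that everything else is dropped, and that the rules file is the /etc/sysconfig/iptables path the article uses.

```shell
#!/bin/sh
# Added example: passive-mode FTP through a default-DROP filter table.

# Step 1: the connection-tracking helper that parses the FTP control channel
# and marks the passive data connection as RELATED to the port-21 session.
# Since kernel 4.7 helpers are no longer attached automatically, so the
# raw-table CT rule in the ruleset is needed as well as the module.
load_ftp_helper() {
    modprobe nf_conntrack_ftp
}

# Steps 2 and 3 in iptables-save/iptables-restore format ('#' lines are comments).
ftp_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# step 2(1): NEW control connections to port 21
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# step 2(2): the rest of the control session and the RELATED data connection
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# step 3: replies leaving the host
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Write the file and load it; roll back to the previous rules if the restore
# fails, so a typo in the file cannot leave the host unreachable.
apply_ftp_ruleset() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    ftp_ruleset > /etc/sysconfig/iptables
    if ! iptables-restore < /etc/sysconfig/iptables; then
        iptables-restore < "$backup"
        return 1
    fi
}
```

Run load_ftp_helper and apply_ftp_ruleset as root; ftp_ruleset alone only prints the file and is safe to inspect first.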

Four, writing rules

First decide the function (the table), then the flow of the packet (the chain), then the target to be reached, and finally the matching conditions

Packets exchanged with a local process:

PREROUTING -> INPUT -> local process -> OUTPUT -> POSTROUTING

Packets forwarded through this machine:

PREROUTING -> FORWARD -> POSTROUTING

When writing rules, note:

Server side: the request comes in first, the reply goes out afterwards

Client side: the request goes out first, the reply comes in afterwards

The client port is random, so in most scenarios it should not be matched

Rules file: /etc/sysconfig/iptables

Save the active rules to the rules file:

1, iptables-save > /etc/sysconfig/iptables

2, service iptables save

Activate the rules in the rules file:

1, iptables-restore < /etc/sysconfig/iptables

2, service iptables restart

Effect: flush the existing rules, then read the rules file and activate its rules

Common syntax

Delete a rule:

iptables [-t table] -D chain rulenum

Set the policy:

iptables [-t table] -P chain target

Modify a rule:

iptables [-t table] -R chain rulenum rule-specification

Insert a rule:

iptables [-t table] -I chain [rulenum] rule-specification

Create a custom chain:

iptables [-t table] -N chain

Delete an empty custom chain that has no references:

iptables [-t table] -X chain

Rename a custom chain:

iptables [-t table] -E old_name new_name

Five, examples

1, SNAT: source address translation

Source address translation is usually used when many internal users reach the Internet through one egress: the internal source address is rewritten to the external IP, so the internal hosts can connect to other IPs on the outside.

For example, to rewrite every packet from the internal network <LAN_NETWORK> to the external address <PUBLIC_IP> when it goes out:

iptables -t nat -A POSTROUTING -s <LAN_NETWORK> -j SNAT --to-source <PUBLIC_IP>

So any host on the local network that reaches the outside through this machine's interface is rewritten to that IP.

When we go online through China Unicom or China Telecom, a different external IP is usually assigned at every boot, that is, the external address changes dynamically. Then we replace SNAT with MASQUERADE (dynamic masquerading): it finds the current external address automatically and translates to it. The setting is:

iptables -t nat -A POSTROUTING -s <LAN_NETWORK> -j MASQUERADE

Note: masquerading is not appropriate everywhere; with a fixed external address, SNAT with an explicit address is the better choice:

iptables -t nat -A POSTROUTING -s <LAN_NETWORK> -j SNAT --to <PUBLIC_IP>

2, DNAT: destination address translation

For destination address translation the data flow comes from the outside: the outside is the client, the inside is the server

With destination address translation, clients on the outside reach our services through a single external IP, while the services actually run on different servers inside the network.

iptables -t nat -A PREROUTING -d <PUBLIC_IP> -p tcp --dport 80 -j DNAT --to-destination <WEB_SERVER_IP>

The destination must be rewritten before the routing decision, so this is done in PREROUTING
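Cases 1 and 2 combined into one script, added here as an example (not code from the original article): it emits the nat-table rules for a fixed or a dynamically assigned external address, plus the FORWARD rules without which the translated traffic is still dropped. The network, interface and address values are constructed for illustration.

```shell
#!/bin/sh
# Added example: nat-table rules for SNAT/MASQUERADE egress and DNAT ingress.
# usage: nat_ruleset LAN_NETWORK WAN_IF PUBLIC_IP|dynamic WEB_SERVER_IP
nat_ruleset() {
    lan=$1 wan_if=$2 public_ip=$3 web=$4
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # case 2: DNAT must happen before routing, so PREROUTING; restricted to
    # the external interface so inside hosts are not redirected as well
    printf '%s\n' "-A PREROUTING -i $wan_if -p tcp --dport 80 -j DNAT --to-destination $web"
    # case 1: rewrite the source as the packet leaves by the external interface
    if [ "$public_ip" = dynamic ]; then
        # the ISP hands out a new address at every boot: let the kernel
        # look up the interface's current address (MASQUERADE)
        printf '%s\n' "-A POSTROUTING -s $lan -o $wan_if -j MASQUERADE"
    else
        # fixed external address: SNAT to it explicitly
        printf '%s\n' "-A POSTROUTING -s $lan -o $wan_if -j SNAT --to-source $public_ip"
    fi
    printf '%s\n' 'COMMIT'
}

# The filter table must also let the translated traffic through, and the
# kernel must forward at all (sysctl net.ipv4.ip_forward=1); nat alone is not enough.
# FORWARD sees the already-translated destination, hence -d $web for the DNAT case.
forward_ruleset() {
    lan=$1 wan_if=$2 web=$3
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' "-A FORWARD -s $lan -o $wan_if -j ACCEPT"
    printf '%s\n' "-A FORWARD -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# constructed sample: 10.0.0.0/24 LAN behind eth0, web server at 10.0.0.80
sample_dynamic() { nat_ruleset 10.0.0.0/24 eth0 dynamic 10.0.0.80; }
sample_static()  { nat_ruleset 10.0.0.0/24 eth0 203.0.113.5 10.0.0.80; }
```

Feed the output of both functions to iptables-restore (as root) after reviewing it; the functions themselves only print.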

3, only allow SSH access to the server from a given address (with the INPUT policy set to DROP)

iptables -A INPUT -s <ADMIN_IP> -p tcp --dport 22 -j ACCEPT

4, block an IP address

iptables -I INPUT -s <BLOCKED_IP> -j DROP

5, discard invalid connections

iptables -A INPUT -m state --state INVALID -j DROP

iptables -A OUTPUT -m state --state INVALID -j DROP

iptables -A FORWARD -m state --state INVALID -j DROP

6, allow ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

7, mitigate DoS attacks

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.