Iptables use examples

Add Date : 2017-08-31
This article only covers the usage format of iptables.

iptables usage format:

iptables -L -n -v --line-numbers   Displays the rules with their serial numbers. To delete a rule, delete it by its number.

iptables -t filter -L -n   Shows the current default rule chains
[root@www ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables [-t table] -N chain   Creates a custom rule chain
Example: iptables -N test
Note: [-t table] names the table. It need not be given when creating a chain; if it is given, the new chain is created in that table and can only be referenced (jumped to) from rules in that same table.

iptables [-t table] -X chain   Deletes a custom rule chain
Example: iptables -X test

iptables [-t table] -E old-chain-name new-chain-name   Renames a custom chain
Example: iptables -E test newtest

iptables [-t table] -P chain target   Sets the default policy (the default rule) of a chain
Example: change the FORWARD chain, currently "Chain FORWARD (policy ACCEPT)", to DROP
iptables -P FORWARD DROP

iptables [-t table] {-F | -L | -Z} [chain [rulenum]] [options ...]

[root@www ~]# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 774 packets, 105K bytes)    inbound is allowed by default
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)         forwarding is denied by default
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 65 packets, 5404 bytes)    outbound is allowed by default
 pkts bytes target     prot opt in     out     source               destination
-F: flush, clears the rules in the chain
Rules are numbered from the top of the chain, starting at 1;
-L: list, lists all the rules in the table;
-n: numeric output of IP addresses and ports
-v: verbose output
-Z: zero the packet and byte counters

[root@www ~]# iptables -L -n -v --line-numbers
num   pkts bytes target     prot opt in     out     source               destination
pkts: packets, the number of packets matched by the rule.
bytes: the total size of all packets matched by this rule, with unit conversion (K, M).
target: the target, i.e. what is done with the packet;
prot: protocol, generally {tcp | udp | icmp};
opt: options
in: the interface the packet arrived on.
out: the interface the packet leaves by.
source: source address;
destination: destination address;
iptables [-t table] {-A | -D} chain rule-specification
-A: append, adds a rule at the end of the chain
rule-specification:
    matching conditions  -j target (the processing mechanism)

Matching conditions: demonstration by example

Note: iptables matches from top to bottom. If a port was opened by an earlier rule and you later want to close it, the closing rule must be written before the opening rule.

-s: match the source address; can be a single IP or a network address; the ! operator negates it, e.g. ! 172.16.0.0/16; -s is equivalent to --src or --source
-d: match the destination address
Example: iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.34.30 -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.34.30 -d 172.16.0.0/16 -j ACCEPT
-p: match the protocol; usually only one of {tcp | udp | icmp};
iptables -A INPUT -i eth1 -d 172.16.34.30 -p icmp -j REJECT

-i: the interface the packet arrives on; usually only used in INPUT, FORWARD and PREROUTING

-o: the interface the packet leaves by; usually only used in OUTPUT, FORWARD and POSTROUTING

iptables -A INPUT -i eth1 -d 172.16.100.7 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 172.16.34.30 -j ACCEPT

-p {tcp | udp | icmp}: specifying a protocol automatically enables that protocol's extended options;
-p tcp
--dport: match the destination port; can also be a range of consecutive ports;
--sport: match the source port; can also be a range of consecutive ports;

Example: allow hosts on the 172.16.0.0/16 network to reach the ssh service on this host. The rules in the following examples always come in pairs.
172.16.34.30 accepts ssh requests from all hosts on the 172.16.0.0/16 network:
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.34.30 -p tcp --dport 22 -j ACCEPT
The ssh service on 172.16.34.30 is allowed to reply only to the 172.16.0.0/16 network:
iptables -A OUTPUT -s 172.16.34.30 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
Set the default policy: deny all unknown services and only let through the services that a rule matches
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Entering these two policies did not interrupt my connection to the host, because the two rules allowing ssh to this machine were written beforehand; but the other services of this machine can no longer be reached by other hosts.
Port 80 of this host should be reachable from all 172.16.0.0/16 addresses (in fact from all addresses, so the source address is omitted when writing the rule and only the destination address is given)
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 80 -j ACCEPT   With only this rule, request packets can come in but the host cannot respond to the client, so a matching outbound rule towards the client host is needed
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 80 -j ACCEPT   Here the source address 172.16.34.30 is the response sent to the client host
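
The ssh and http rule pairs above together with the INPUT/OUTPUT DROP policies, written as one iptables-restore rule set so that the allow rules and the default policies are loaded in a single atomic step rather than one command at a time (the ordering the article relies on to keep the ssh session alive), with a timed rollback in case the new set locks the administrator out. This is an added example written for this page, not the author's own commands; the loopback rules, the backup path under /tmp and the 60 second confirmation window are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the article's ssh/http
# rule pairs and the INPUT/OUTPUT DROP policies as one iptables-restore rule set.
# Assumptions: host 172.16.34.30 on LAN 172.16.0.0/16, loopback allowed, a
# backup file under /tmp, and ROLLBACK_SECS seconds to confirm the change.
HOST=172.16.34.30
LAN=172.16.0.0/16
BACKUP=${BACKUP:-/tmp/iptables.backup}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# Print the complete filter table. The chain policies are part of the same
# transaction as the ACCEPT rules, so there is no moment at which the policy
# is already DROP while the ssh rule is not yet present.
ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $LAN -d $HOST -p tcp --dport 22 -j ACCEPT
-A OUTPUT -s $HOST -d $LAN -p tcp --sport 22 -j ACCEPT
-A INPUT -d $HOST -p tcp --dport 80 -j ACCEPT
-A OUTPUT -s $HOST -p tcp --sport 80 -j ACCEPT
COMMIT
EOF
}

# Number of the first rule in CHAIN that matches PATTERN, counting from 1 as
# iptables does (the same number "iptables -L --line-numbers" would show).
rule_number() {
    chain=$1; pattern=$2
    ruleset | grep "^-A $chain " | grep -n -- "$pattern" | head -n 1 | cut -d: -f1
}

# Sanity checks on the generated set, so that a typo is caught before loading.
check_ruleset() {
    ruleset | tail -n 1 | grep -q '^COMMIT$' || return 1
    ruleset | grep -q '^:INPUT DROP' || return 1
    # the ssh ACCEPT must exist in INPUT, otherwise the DROP policy locks us out
    [ -n "$(rule_number INPUT '--dport 22 -j ACCEPT')" ] || return 1
    return 0
}

# Load the set atomically. If nobody runs "confirm" within ROLLBACK_SECS, the
# previous rules are restored, which is the usual guard against lock-out.
apply_with_rollback() {
    check_ruleset || { echo "ruleset check failed" >&2; return 1; }
    iptables-save > "$BACKUP"
    ruleset | iptables-restore --test || return 1   # parse only, no change
    ruleset | iptables-restore
    ( sleep "$ROLLBACK_SECS"; [ -e "$BACKUP.confirmed" ] || iptables-restore < "$BACKUP" ) &
    echo "applied; run '$0 confirm' within $ROLLBACK_SECS seconds to keep it"
}

confirm() { : > "$BACKUP.confirmed"; }

case ${1:-} in
    apply)   apply_with_rollback ;;
    confirm) confirm ;;
    show)    ruleset ;;
esac
```

Run it as `sh rules.sh show` to print the set, `sh rules.sh apply` (as root) to load it, and `sh rules.sh confirm` from a fresh ssh session to cancel the rollback. Note that `iptables-restore --test` only checks that the set parses; the rollback timer is what protects against a set that parses but still cuts off ssh.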

 

-p icmp

--icmp-type
8: ping request (echo-request)   0: ping reply (echo-reply)
Example: allow this host to ping other hosts
iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT
Allow other hosts to ping this host
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT


-p udp

--dport
--sport
Allow the tftp service of this host (the two tcp rules are not written here):
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p udp --dport 69 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p udp --sport 69 -j ACCEPT
Local DNS service (DNS needs eight rules in total; the four tcp rules are not written here):
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -d 172.16.100.7 -p udp --sport 53 -j ACCEPT

 

 

Rule commands
iptables -D INPUT 2   deletes the second rule in the INPUT chain. Remember that once the second rule is deleted, the original third rule automatically becomes the second.
iptables -I   inserts a rule
iptables -I INPUT 2 -i lo -j ACCEPT   inserts the rule as the second rule (line 2) of the chain
iptables -R INPUT 1 -s 172.16.0.0/16 -d 172.16.34.30 -i eth0 -p tcp --dport 22 -j ACCEPT   completely replaces the first rule;
it explicitly requires that connections from the 172.16 network to port 22 of the target address arrive on the eth0 interface
iptables -S INPUT   prints the rules of the specified chain
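
Deleting by rule number is convenient, but because the chain is renumbered after every -D (as noted above), deleting several rules in ascending order removes the wrong ones. The following added example, not part of the original article, parses the output of `iptables -L <chain> -n -v --line-numbers` and emits the delete commands highest number first so that each number still refers to the rule it was read from. The listing inside `sample_listing` is constructed sample output, not captured from a real host; `LIVE=1` switches to the real kernel table.

```shell
#!/bin/sh
# Added example (not from the original article). Parses the output of
# "iptables -L <chain> -n -v --line-numbers" and prints the numbers of the
# rules whose target is e.g. DROP in descending order, so that deleting them
# by number one after another is not thrown off by the renumbering that
# happens after each "iptables -D" (after -D INPUT 2 the old rule 3 becomes 2).

# Constructed sample listing (the column layout of iptables -L -n -v --line-numbers).
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       30  2100 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      120  9600 ACCEPT     tcp  --  *      *       172.16.0.0/16        172.16.34.30         tcp dpt:22
3        5   300 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 3389,4899
4       40  3200 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.34.30         tcp dpt:80
5        2   120 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1026
EOF
}

# Listing source: the live kernel table when LIVE=1 (needs root), else the sample.
list_chain() {
    if [ "${LIVE:-0}" = 1 ]; then
        iptables -L "$1" -n -v --line-numbers
    else
        sample_listing
    fi
}

# Rule numbers in CHAIN ($1) whose target column equals TARGET ($2), highest
# first. Only lines that begin with a rule number are considered, which skips
# the "Chain ..." line and the column header.
rule_numbers_for_target() {
    list_chain "$1" | awk -v t="$2" '$1 ~ /^[0-9]+$/ && $4 == t { print $1 }' | sort -rn
}

# Emit the delete commands, highest number first; pipe into sh to run them.
delete_commands() {
    for n in $(rule_numbers_for_target "$1" "$2"); do
        echo "iptables -D $1 $n"
    done
}

# Usage (prints only):  delete_commands INPUT DROP
# Usage (executes):     LIVE=1 delete_commands INPUT DROP | sh
```

The same listing can be filtered on other columns (interface, source) by changing the awk condition; the descending `sort -rn` is the part that matters whenever more than one rule is removed.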

 

 

Match extensions: extensions that must be explicitly loaded with -m;

-m extension-name --extension-option-1 --extension-option-2
multiport: multi-port match; matches several (up to 15) discrete ports in one rule
--source-ports   the source ports
--destination-ports   the destination ports
--ports   either source or destination ports
Example: open ports 22 and 80 of this host (because several ports are opened at once, the -m option is used here)
iptables -I INPUT -d 172.16.34.30 -p tcp -m multiport --dports 22,80 -j ACCEPT   This is only the INPUT rule: a client could send a request but the target host could not respond, so an OUTPUT rule is also written to let the host answer the client from these ports. (Once these two rules are inserted at the front of the chains with -I, the two rules written separately for 22 and 80 earlier can be deleted, which also consolidates the rule set.)

iptables -I OUTPUT -s 172.16.34.30 -p tcp -m multiport --sports 22,80 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 53,113,135,137,139,445 -j DROP   packets to these ports arriving through the eth0 interface of this host are all refused
iptables -A INPUT -i eth0 -p udp -m multiport --dports 53,113,135,137,139,445 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 3389,4899 -j DROP

Example: allow the telnet service of this host only for a specified range of host IPs
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 23 -m iprange --src-range 172.16.34.10-172.16.34.20 -j ACCEPT
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 23 -m iprange --dst-range 172.16.34.10-172.16.34.20 -j ACCEPT

time: matches a specified time range. The stop time must be later than the start time, and the stop date must be on or after the start date
--datestart   start date   YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop    stop date    YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart   hh:mm[:ss]   start time
--timestop    hh:mm[:ss]   stop time
--weekdays    [Mon,Tue,Wed,Thu,Fri,Sat,Sun], or the numbers 1-7, for day-of-week rules
Example: restrict local port 901 so that it is only reachable during working hours, 08:00 to 18:00, Monday to Friday;
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 -j ACCEPT
The matching OUTPUT rule can be written without the time restriction, because the INPUT rule already limits when clients can get in, so clients only have access on the specified working days and hours.
(The server may answer a client's request at any time; it is the client that cannot always get in.)
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 901 -j ACCEPT
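
The multiport, iprange and time rules above, written with the exact option spelling the extensions accept, plus checks for the two constraints the text states (no more than 15 ports in one multiport match, and a stop time later than the start time). This is an added example for this page, not the author's commands; `multiport_ok`, `time_window_ok` and `ext_rules` are names chosen here, and `--kerneltz` is added so that the time window is evaluated in the host's local time zone rather than in UTC, which is what -m time uses by default.

```shell
#!/bin/sh
# Added example (not from the original article). Emits the article's multiport,
# iprange and time rules and validates the limits the article states before
# anything is applied. Assumptions: host 172.16.34.30, the article's telnet
# client range and port 901; --kerneltz added (local time instead of UTC).
HOST=172.16.34.30

# 0 if LIST is 1..15 comma-separated numeric ports, else 1. A port range a:b
# counts as two of the 15, as the multiport match counts it.  e.g. multiport_ok 22,80
multiport_ok() {
    n=0
    oldifs=$IFS; IFS=,
    for p in $1; do
        case $p in
            *:*) lo=${p%%:*}; hi=${p#*:}; n=$((n + 2)) ;;
            *)   lo=$p; hi=$p; n=$((n + 1)) ;;
        esac
        case $lo$hi in *[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -ge 1 ] && [ "$n" -le 15 ]
}

# 0 if STOP (hh:mm[:ss]) is later than START within the same day, which is
# what the text requires of --timestart/--timestop.
time_window_ok() {
    start=$(printf '%s' "$1" | awk -F: '{ printf "%d", $1*10000 + $2*100 + $3 }')
    stop=$(printf '%s' "$2" | awk -F: '{ printf "%d", $1*10000 + $2*100 + $3 }')
    [ "$stop" -gt "$start" ]
}

# Print the commands (one per line); the -m multiport match must follow -p tcp
# because its --dports option needs the protocol to be known already.
ext_rules() {
    multiport_ok 22,80 || return 1
    time_window_ok 08:00:00 18:00:00 || return 1
cat <<EOF
iptables -I INPUT -d $HOST -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -I OUTPUT -s $HOST -p tcp -m multiport --sports 22,80 -j ACCEPT
iptables -A INPUT -d $HOST -p tcp --dport 23 -m iprange --src-range 172.16.34.10-172.16.34.20 -j ACCEPT
iptables -A OUTPUT -s $HOST -p tcp --sport 23 -m iprange --dst-range 172.16.34.10-172.16.34.20 -j ACCEPT
iptables -A INPUT -d $HOST -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 --kerneltz -j ACCEPT
iptables -A OUTPUT -s $HOST -p tcp --sport 901 -j ACCEPT
EOF
}

# Usage:  ext_rules            (print)      ext_rules | sh   (apply, as root)
```

Without `--kerneltz` the 08:00 to 18:00 window is compared against UTC, so on a host in another time zone the rule opens and closes at the wrong local hours; check the kernel's idea of the time zone before relying on it.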

string: match a string in the packet payload
--algo {bm | kmp}   the algorithm used for the string search
--string "STRING"   the string to look for
Example: when a client requests a web page that contains the string defined in the rule, the page is not delivered to the client
Install the httpd service and create two home page files with different content; one of them contains the string to be matched, such as "hello". Before writing any rule, test that both pages of the web service can be opened normally. Then apply the string match to one page.

iptables -I OUTPUT -s 172.16.34.30 -p tcp --sport 80 -m string --algo kmp --string "hello" -j DROP

After this rule is in place, visiting the pages again shows that the page containing the matched string can no longer be opened.
     
         
       
         
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.