  Iptables use examples
     
  Add Date : 2017-08-31      
         
       
         
This article covers only the iptables command format and its usage.

iptables command format:

iptables -L -n -v --line-numbers    displays the rules together with their sequence numbers. To delete a rule, delete it by that number.

iptables -t filter -L -n    shows the current rules of the default chains
[root@www ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables [-t table] -N chain    creates a custom rule chain
Example: iptables -N test
Note: [-t table] selects the table. A newly created custom chain is not consulted on its own; it only takes effect once a rule in that same table references it, that is, jumps to it.

 
iptables [-t table] -X chain    deletes a custom rule chain
Example: iptables -X test

iptables [-t table] -E old-chain-name new-chain-name    renames a custom chain
Example: iptables -E test newtest

iptables [-t table] -P chain target    sets the default policy of a chain, the rule applied when no other rule matches
Example: change the current default policy of the FORWARD chain, Chain FORWARD (policy ACCEPT), to DROP
iptables -P FORWARD DROP


iptables [-t table] {-F | -L | -Z} [chain [rulenum]] [options ...]

[root@www ~]# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 774 packets, 105K bytes)      inbound is allowed by default
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)           forwarding is denied by default
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 65 packets, 5404 bytes)      outbound is allowed by default
 pkts bytes target     prot opt in     out     source               destination
-F: flush, clears the rules in the chain
Rules are numbered from the top of the chain, starting at 1;
-L: list, lists all the rules in the table;
-n: numeric format, displays IP addresses and ports as numbers
-v: verbose, displays in detailed format

[root@www ~]# iptables -L -n -v --line-numbers

 pkts bytes target     prot opt in     out     source               destination
pkts: packets, the number of packets matched by the rule.
bytes: the total size of all packets matched by this rule, with unit conversion applied (105K in the listing above).
target: the target, that is, the processing action;
prot: protocol, generally one of {tcp | udp | icmp};
opt: options
in: the interface the packet came in on.
out: the interface the packet goes out on.
source: source address;
destination: destination address;
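As an added example that is not part of the original article, the following shell script parses a constructed copy of `iptables -L -n -v --line-numbers` output using the columns explained above, and prints the rule numbers that use a given target highest first, so they can be removed with `iptables -D chain num` without the renumbering that deleting from the top causes. The listing, the chain contents and the addresses in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): find rule numbers in the
# output of `iptables -L -n -v --line-numbers` and build the matching
# `iptables -D` commands. Deleting the highest number first keeps the
# remaining numbers valid: after `iptables -D INPUT 2`, old rule 3 becomes 2.

# Constructed sample listing in the format printed with -n -v --line-numbers.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 ACCEPT     tcp  --  *      *       172.16.0.0/16        172.16.34.30         tcp dpt:22
2        0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,113,135
3        5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.34.30         tcp dpt:80
4        0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1026

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 65 packets, 5404 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 ACCEPT     tcp  --  *      *       172.16.34.30         172.16.0.0/16        tcp spt:22
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_numbers CHAIN TARGET: read a listing on stdin and print the numbers of
# the rules in CHAIN whose target column ($4) is TARGET, highest number first.
rule_numbers() {
    awk -v chain="$1" -v target="$2" '
        /^Chain / { inchain = ($2 == chain); next }          # which chain we are in
        inchain && $1 ~ /^[0-9]+$/ && $4 == target { nums[n++] = $1 }
        END { for (i = n - 1; i >= 0; i--) print nums[i] }
    '
}

# delete_commands CHAIN TARGET: print the iptables commands for review;
# nothing is executed by this script.
delete_commands() {
    printf '%s\n' "$SAMPLE_LISTING" | rule_numbers "$1" "$2" |
        while read -r num; do
            printf 'iptables -D %s %s\n' "$1" "$num"
        done
}

delete_commands INPUT DROP
```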

iptables [-t table] {-A | -D} chain rule-specification
-A: append, adds a rule at the end of the chain
-D: delete, removes a rule (see the rule commands below)
rule-specification = matching conditions -j target (the processing action)

Matching conditions: worked demonstration

Note: iptables matches rules from top to bottom. If a rule opening a port for a service has already been written and the port should now be closed, the closing rule must be written in front of the opening rule.

-s: match the source address; this may be a single IP or a network address; the ! operator inverts the match, e.g. ! 172.16.0.0/16; -s is equivalent to --src or --source
-d: match the destination address
Example: iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.34.30 -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.34.30 -d 172.16.0.0/16 -j ACCEPT
-p: match the protocol, usually only one of the three {tcp | udp | icmp};
iptables -A INPUT -i eth1 -d 172.16.34.30 -p icmp -j REJECT

-i: the interface the packet comes in on; usually only used in INPUT, FORWARD and PREROUTING

-o: the interface the packet goes out on; usually only used in OUTPUT, FORWARD and POSTROUTING

iptables -A INPUT -i eth1 -d 172.16.100.7 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 172.16.34.30 -j ACCEPT
 
-p {tcp | udp | icmp} specifies a particular protocol; the match extension for that protocol is loaded automatically:
-p tcp
--dport: match the destination port; may be a range of consecutive ports;
--sport: match the source port; may also be a range of consecutive ports;

Example: allow hosts on the 172.16.0.0/16 network to reach the ssh service on this host. The rules below appear in pairs;
172.16.34.30 allows all requests from the 172.16.0.0/16 segment to its ssh service
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.34.30 -p tcp --dport 22 -j ACCEPT
the ssh service on 172.16.34.30 is allowed to respond only to the 172.16.0.0/16 segment
iptables -A OUTPUT -s 172.16.34.30 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
Set the default policy: deny every service not explicitly matched, allow only the services matched by an ACCEPT rule
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Entering these two policies did not interrupt my session with the host, because the two rules allowing ssh to this machine were written beforehand; the other services of this machine, however, can no longer be visited by other hosts.
Allow port 80 of this machine to be visited by all 172.16.0.0/16 addresses (in fact by all addresses, so the source address is omitted when writing the rule and only the destination address is written)
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 80 -j ACCEPT    with only this rule, requests can come in but the host cannot respond to the client, so a matching OUTPUT rule towards the client host is also needed
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 80 -j ACCEPT    here the source address 172.16.34.30 is the response sent to the client host

 

-p icmp

--icmp-type
8: ping request (echo request)    0: ping reply (echo reply)
Example: allow this machine to ping other hosts
iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT
Allow other hosts to ping this machine
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT
 

-p udp

--dport
--sport
Allow the tftp service of this machine: (the two tcp rules are not written here)
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p udp --dport 69 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p udp --sport 69 -j ACCEPT
DNS service of this machine: (DNS needs eight rules in total; the four tcp rules are not written here)
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -d 172.16.100.7 -p udp --sport 53 -j ACCEPT

 

 

Rule commands
iptables -D INPUT 2    deletes the second rule of the INPUT chain. Remember that once the second rule is deleted, the original third rule automatically becomes the second.
iptables -I    inserts a rule
iptables -I INPUT 2 -i lo -j ACCEPT    inserts the rule as the second line of the chain
iptables -R INPUT 1 -s 172.16.0.0/16 -d 172.16.34.30 -i eth0 -p tcp --dport 22 -j ACCEPT    completely replaces the first rule
This states explicitly that connections from the 172.16 network segment to port 22 of the destination address must arrive through the eth0 interface
iptables -S INPUT    displays the rules of the specified chain

 

 

Match extensions: extensions that must be specified explicitly;

-m extension-module-name --private-option-1 --private-option-2
multiport: multi-port match; specifies more than one (up to 15) discrete ports
--source-ports    the source ports
--destination-ports    the destination ports
--ports    ports matched as either source or destination
Example: open ports 22 and 80 of this machine; (because several ports are opened at once, the -m option is used here)
iptables -I INPUT -d 172.16.34.30 -p tcp -m multiport --dports 22,80 -j ACCEPT    this is the INPUT rule, so a user may send a request but gets no response from the target host; therefore also write an OUTPUT rule for the outbound direction, to respond to the client ports. (Once these two rules are written, the two separate rules written earlier for these ports can be deleted; this rule was inserted with the -I option. This also achieves the effect of rule optimization.)

iptables -I OUTPUT -s 172.16.34.30 -p tcp -m multiport --sports 22,80 -j ACCEPT

iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP    these ports of this machine are rejected on the eth0 interface
iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
iptables -A INPUT -i eth0 -m multiport -p tcp --dports 3389,4899 -j DROP
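As an added example that is not part of the original article, the following shell script generates the paired INPUT/OUTPUT rules written by hand in the ssh, http and DNS examples above, using -m multiport, and orders the complete script so that the DROP default policies come last. The host and network addresses are the article's; the functions only print the commands, nothing is applied.

```shell
#!/bin/sh
# Added example (not from the original article): generate the paired
# INPUT/OUTPUT rules the article writes by hand, using -m multiport, and
# emit them in an order that is safe to apply over an ssh session:
# ACCEPT rules first, then the loopback rules, then the DROP policies.
# The functions only print the commands for review; nothing is executed here.

HOST=172.16.34.30     # address of the protected host (from the article)
LAN=172.16.0.0/16     # network allowed to reach it (from the article)

# allow_in_out PROTO SRC DST PORTS: one server-side pair. The INPUT rule
# matches the service ports as --dports; the OUTPUT rule matches the same
# ports as --sports, because the server replies from the port the client
# connected to. PROTO is tcp or udp, so a DNS server needs both pairs.
allow_in_out() {
    proto=$1; src=$2; dst=$3; ports=$4
    printf 'iptables -A INPUT -s %s -d %s -p %s -m multiport --dports %s -j ACCEPT\n' \
        "$src" "$dst" "$proto" "$ports"
    printf 'iptables -A OUTPUT -s %s -d %s -p %s -m multiport --sports %s -j ACCEPT\n' \
        "$dst" "$src" "$proto" "$ports"
}

# ruleset: the complete ordered script. Rules are matched from the top down
# and the policy applies only to packets no rule accepted, so every ACCEPT
# must be in place before -P DROP is set; the other way round cuts off the
# ssh session being used to enter the remaining rules.
ruleset() {
    echo 'iptables -F INPUT'
    echo 'iptables -F OUTPUT'
    allow_in_out tcp "$LAN" "$HOST" 22,80      # ssh and http from the LAN
    allow_in_out tcp "$LAN" "$HOST" 53         # DNS over tcp
    allow_in_out udp "$LAN" "$HOST" 53         # DNS over udp
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P OUTPUT DROP'
}

# policy_after_accepts: returns 0 when the first -P DROP line of the generated
# script comes after its last ACCEPT line, 1 otherwise.
policy_after_accepts() {
    ruleset | awk '
        /-j ACCEPT/ { last_accept = NR }
        /-P (INPUT|OUTPUT) DROP/ && !first_policy { first_policy = NR }
        END { exit !(first_policy > last_accept) }'
}

ruleset
```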
 
iprange: match a range of IP addresses
Example: allow the telnet service of this machine only for the specified host IPs
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 23 -m iprange --src-range 172.16.34.10-172.16.34.20 -j ACCEPT
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 23 -m iprange --dst-range 172.16.34.10-172.16.34.20 -j ACCEPT

time: match a specified time range. The stop time must be later than the start time, and the stop date must not be earlier than the start date
--datestart    start date    YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop     stop date     YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart    hh:mm[:ss]    start time
--timestop     hh:mm[:ss]    stop time
--weekdays     day[,day...]  from Mon, Tue, Wed, Thu, Fri, Sat, Sun; the days may also be given as 1-7
Example: restrict local port 901 so that it is only reachable during business hours, 08:00 to 18:00 on Monday to Friday;
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 -j ACCEPT
The following OUTPUT rule can be written without the time restriction, because the INPUT rule above already restricts the client's access to the specified working days and hours.
(The server may respond to the client's requests at any time, but the client cannot reach the service at all times.)
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 901 -j ACCEPT

string: match a string
--algo {bm | kmp}    the algorithm used for the string search
--string "STRING"    the string to look for
Example: if the web page the client requests contains the string defined in the rule, the page is not shown to the client
Install the httpd service and create two new home page files with different contents; one of them contains the string to be matched, e.g. "hello". Before writing the rule, test that both pages of the web service can be accessed normally. Then apply the string match to one of the pages.

iptables -I OUTPUT -s 172.16.34.30 -p tcp --sport 80 -m string --algo kmp --string "hello" -j DROP

After the rule is in place, visiting the page that matches the string again shows that it can no longer be opened.
     
         
       
         
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.