  Iptables use examples
     
Add Date: 2017-08-31
         
         
         
This article covers only the iptables command syntax, that is, how rules are written.

iptables command format:

iptables -L -n -v --line-numbers    displays the rules together with their numbers; to delete a rule, refer to it by that number.

iptables -t filter -L -n    shows the rules currently in the default (filter) table
[root@www ~]# iptables -t filter -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
iptables [-t table] -N chain    creates a custom chain
Example: iptables -N test
Note: [-t table] names the table the chain belongs to and may be omitted when the chain is created. A custom chain only takes effect if some rule in that table references it, i.e. jumps to it.

 
iptables [-t table] -X chain    deletes a custom chain
Example: iptables -X test

iptables [-t table] -E old-chain-name new-chain-name    renames a custom chain
Example: iptables -E test newtest

iptables [-t table] -P chain target    sets the default policy of the chain, i.e. the rule applied when nothing else matches
Example: change the FORWARD chain, currently "Chain FORWARD (policy ACCEPT)", to a default policy of DROP:
iptables -P FORWARD DROP


iptables [-t table] {-F | -L | -Z} [chain [rulenum]] [options ...]

[root@www ~]# iptables -t filter -L -n -v
Chain INPUT (policy ACCEPT 774 packets, 105K bytes)        inbound traffic is allowed by default
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)             forwarding is denied by default
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 65 packets, 5404 bytes)        outbound traffic is allowed by default
 pkts bytes target     prot opt in     out     source               destination
-F: flush, clears the rules in the chain
Rules are numbered from the top of the chain, starting at 1;
-L: list, lists all the rules in the table;
-n: numeric, shows IP addresses and ports as numbers
-v: verbose output

[root@www ~]# iptables -L -n -v --line-numbers

num   pkts bytes target     prot opt in     out     source               destination
pkts: packets, the number of packets that have matched the rule.
bytes: the total size of all packets matched by this rule, shown with unit prefixes (K, M, ...).
target: the target, i.e. what is done with a matching packet;
prot: protocol, generally {tcp | udp | icmp};
opt: options
in: the interface the packet arrived on.
out: the interface the packet leaves on.
source: source address;
destination: destination address;
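As an added example that is not part of the original article: a small shell script that parses a listing like the one above to look up the rule number that -D needs, and to list rules whose counters are still zero. The listing is constructed to mirror the 172.16.34.30 host used throughout the article; the function names are assumptions of this example, not iptables options.

```shell
#!/bin/sh
# Added example, not from the original article. Parses the output of
# "iptables -L INPUT -n -v --line-numbers" to find the rule number that
# "iptables -D INPUT <num>" needs, and to list rules whose counters are still 0.
# SAMPLE_LISTING is constructed to mirror the article's 172.16.34.30 host.

SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        5   300 ACCEPT     tcp  --  *      *       172.16.0.0/16        172.16.34.30         tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.34.30         tcp dpt:80
3        7   420 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0'

# rule_number_for TARGET SOURCE DESTINATION   (listing on stdin)
# Prints the "num" column of the first rule whose target, source and destination
# columns match exactly; prints nothing when no rule matches. Columns are
# positional: num=1 pkts=2 bytes=3 target=4 prot=5 opt=6 in=7 out=8 src=9 dst=10.
rule_number_for() {
    awk -v tgt="$1" -v src="$2" -v dst="$3" '
        NR > 2 && $4 == tgt && $9 == src && $10 == dst { print $1; exit }'
}

# unused_rules   (listing on stdin)
# Prints "num target" for every rule that has matched zero packets so far: a
# quick check for dead rules, or rules shadowed by an earlier, broader rule.
unused_rules() {
    awk 'NR > 2 && $2 == 0 { print $1, $4 }'
}

# Look up the web rule (prints 2) and list unmatched rules (prints "2 ACCEPT").
printf '%s\n' "$SAMPLE_LISTING" | rule_number_for ACCEPT 0.0.0.0/0 172.16.34.30
printf '%s\n' "$SAMPLE_LISTING" | unused_rules
```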

iptables [-t table] {-A | -D} chain rule-specification
-A: append, adds a rule at the end of the chain
rule-specification:
matching-conditions -j target

Matching conditions: examples

Note: iptables matches rules from top to bottom. If you have already opened a port earlier in the chain and then want to close it, the closing rule must be written before (above) the opening rule.

-s: match the source address; an IP address or a network address; the ! operator negates the match, e.g. ! 172.16.0.0/16; -s is equivalent to --src or --source
-d: match the destination address
Example: iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.34.30 -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.34.30 -d 172.16.0.0/16 -j ACCEPT
-p: match the protocol, usually one of {tcp | udp | icmp};
iptables -A INPUT -i eth1 -d 172.16.34.30 -p icmp -j REJECT

-i: the interface the packet arrives on; normally only used in INPUT, FORWARD and PREROUTING

-o: the interface the packet leaves on; normally only used in OUTPUT, FORWARD and POSTROUTING

iptables -A INPUT -i eth1 -d 172.16.100.7 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 172.16.34.30 -j ACCEPT
 
-p {tcp | udp | icmp} selects a specific protocol; that protocol's own match options then become available automatically (implicit extensions):
-p tcp
--dport: match the destination port; may be a range of consecutive ports;
--sport: match the source port; likewise may be a range of consecutive ports;

Example: allow hosts on the 172.16.0.0/16 network to reach the ssh service on this host. The following rules come in pairs:
172.16.34.30 accepts ssh requests from every host on the 172.16.0.0/16 segment
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.34.30 -p tcp --dport 22 -j ACCEPT
the ssh service on 172.16.34.30 may send responses only to the 172.16.0.0/16 segment
iptables -A OUTPUT -s 172.16.34.30 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
Set the default policy to deny all unknown services; only services matched by an ACCEPT rule get through
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Entering these two commands did not interrupt my connection to the host, because the two ssh rules above were written beforehand; but the host's other services can no longer be reached from other hosts.
Allow all 172.16.0.0/16 addresses (in fact any address, so the source address is omitted and only the destination is written) to reach port 80 on this host
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 80 -j ACCEPT    with only this rule the request can come in but the server cannot respond, so a matching rule for the replies to the client host is needed
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 80 -j ACCEPT    here the source address 172.16.34.30 is the response going back to the client host
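As an added example that is not part of the original article: the ssh and web pairs above, plus the DNS pair shown later, written as an iptables-restore file so that the ACCEPT pairs and the DROP policies are loaded in one step instead of one command at a time (where the policy must not be set before the ssh pair is in place). The service_pair and write_ruleset function names are assumptions of this example; the addresses are the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the article's stateless
# request/response ACCEPT pairs plus DROP default policies as one iptables-restore
# file, so policies and rules are applied together (no window where INPUT is DROP
# but the ssh pair is not yet in place). Function names are assumed, not iptables API.

HOST=172.16.34.30      # the article's server
LAN=172.16.0.0/16      # the article's client segment

# service_pair PROTO PORT [CLIENT_NET]
# Emits the INPUT rule for requests to a local service and the OUTPUT rule for
# its replies. The article uses no conntrack, so both directions must be listed.
# With no CLIENT_NET the source is omitted, i.e. any address may connect.
service_pair() {
    proto=$1; port=$2; net=${3:-}
    if [ -n "$net" ]; then
        printf '%s\n' "-A INPUT -s $net -d $HOST -p $proto --dport $port -j ACCEPT"
        printf '%s\n' "-A OUTPUT -s $HOST -d $net -p $proto --sport $port -j ACCEPT"
    else
        printf '%s\n' "-A INPUT -d $HOST -p $proto --dport $port -j ACCEPT"
        printf '%s\n' "-A OUTPUT -s $HOST -p $proto --sport $port -j ACCEPT"
    fi
}

# write_ruleset: the whole filter table in iptables-restore format.
# Default policies are declared in the chain headers, so they take effect in
# the same COMMIT as the ACCEPT rules instead of before them.
write_ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT DROP [0:0]\n'
    service_pair tcp 22 "$LAN"     # ssh, LAN clients only
    service_pair tcp 80            # web, any client
    service_pair udp 53 "$LAN"     # dns queries from the LAN
    printf 'COMMIT\n'
}

# Print the ruleset; on the firewall host it would be saved to a file and loaded
# with: iptables-restore --test ruleset.v4 && iptables-restore ruleset.v4
write_ruleset
```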

 

-p icmp

--icmp-type
8: echo request (ping request)    0: echo reply (ping response)
Example: allow this host to ping other hosts
iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT
Allow other hosts to ping this host
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p icmp --icmp-type 0 -j ACCEPT
 

-p udp

--dport
--sport
Allow the tftp service on this host (the two tcp rules are not written out):
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p udp --dport 69 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p udp --sport 69 -j ACCEPT
Local DNS service (DNS needs eight rules in total; the four tcp rules are not written out):
iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.7 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -d 172.16.0.0/16 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -d 172.16.100.7 -p udp --sport 53 -j ACCEPT

 

 

Rule commands
iptables -D INPUT 2    deletes the second rule of the INPUT chain. Remember that after rule 2 is deleted, the original rule 3 automatically becomes rule 2.
iptables -I    inserts a rule
iptables -I INPUT 2 -i lo -j ACCEPT    inserts the rule as the second rule of the chain
iptables -R INPUT 1 -s 172.16.0.0/16 -d 172.16.34.30 -i eth0 -p tcp --dport 22 -j ACCEPT    completely replaces the first rule
It now explicitly requires that connections from the 172.16 segment to port 22 on the target address arrive via the eth0 interface
iptables -S INPUT    displays the rules of the specified chain

 

 

Explicit extensions: extensions that must be specified explicitly with -m;

-m extension-module-name --module-option-1 --module-option-2
multiport: multi-port match, specifies several (at most 15) discrete ports
--source-ports    the source ports
--destination-ports    the destination ports
--ports
Example: open ports 22 and 80 on this host (since several ports are opened at once, the -m multiport option is used)
iptables -I INPUT -d 172.16.34.30 -p tcp -m multiport --dports 22,80 -j ACCEPT    this is an INPUT rule, so a client can send a request but gets no response from the target host; an OUTPUT rule for the replies to the client is written as well. (Because these two rules are inserted with -I they land in front of the two separately written per-port rules, which can then be deleted; this also tidies up the rule set.)

iptables -I OUTPUT -s 172.16.34.30 -p tcp -m multiport --sports 22,80 -j ACCEPT

iptables -A INPUT -i eth0 -m multiport -p tcp --dports 53,113,135,137,139,445 -j DROP    these ports on this host are refused for traffic arriving via the eth0 NIC
iptables -A INPUT -i eth0 -m multiport -p udp --dports 53,113,135,137,139,445 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 1026 -j DROP
iptables -A INPUT -i eth0 -m multiport -p tcp --dports 3389,4899 -j DROP

iprange: match a range of addresses. Example: allow this host's telnet service only for the specified range of host IPs
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 23 -m iprange --src-range 172.16.34.10-172.16.34.20 -j ACCEPT
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 23 -m iprange --dst-range 172.16.34.10-172.16.34.20 -j ACCEPT

time: matches a specified time range. The end time must be later than the start time, and the end date must not be before the start date
--datestart    start date    YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop     end date      YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart    hh:mm[:ss]    start time
--timestop     hh:mm[:ss]    end time
--weekdays     day[,day...] from {Mon,Tue,Wed,Thu,Fri,Sat,Sun}, or 1-7; matches the day of the week
Example: restrict local port 901 so that it is only reachable during business hours, 08:00 to 18:00 on Monday to Friday;
iptables -A INPUT -d 172.16.34.30 -p tcp --dport 901 -m time --weekdays Mon,Tue,Wed,Thu,Fri --timestart 08:00:00 --timestop 18:00:00 -j ACCEPT
The following OUTPUT rule can be written without the time restriction, because the INPUT rule already limits clients to the specified working hours.
(The server may answer a client's request at any time, but the client can only get its request in during those hours.)
iptables -A OUTPUT -s 172.16.34.30 -p tcp --sport 901 -j ACCEPT

string: match a string in the packet
--algo {bm | kmp}    the algorithm used for the string search
--string "STRING"    the string to look for
Example: when a client requests a web page that contains the string given in the rule, the page is not delivered to the client.
Install the httpd service and create two home page files with different content, one of them containing the string to match, e.g. "hello". Before writing the rule, check that both pages of the web service can be accessed normally. Then match the string on one of the pages:

iptables -I OUTPUT -s 172.16.34.30 -p tcp --sport 80 -m string --algo kmp --string "hello" -j DROP

After the rule is added, visiting the page that contains the string fails: it can no longer be opened.
     
         
         
         
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.