iptables usage summary
     
  Add Date : 2016-06-19      
         
       
         
iptables is the user-space tool for the Linux kernel's netfilter packet filter and is the standard Linux firewall. What follows is a short summary of how it is used in practice.

1. The five netfilter hooks (hook points) iptables works on

PREROUTING: the packet has just entered the host and has not been routed yet.

INPUT: the packet has been routed and is destined for a process on this host.

FORWARD: the packet is addressed to another host and is being passed through this one.

POSTROUTING: the packet has been routed (after FORWARD or OUTPUT) and is about to leave the host.

OUTPUT: the packet was generated by a process on this host.

2. The four tables and the chains each of them may use

(The page's original wording called these "chains"; they are tables, and each table holds one chain per hook it is allowed on.)

filter: INPUT, FORWARD, OUTPUT. This is the default table when -t is omitted.

nat: PREROUTING, POSTROUTING, OUTPUT. Rules for it must be written with -t nat.

mangle: all five: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

raw: PREROUTING and OUTPUT only; it is consulted before connection tracking, mainly to exempt traffic from it (NOTRACK).

3. Generic matches and targets

-s: match the source address (a host or a CIDR network) of the packet.

-d: match the destination address of the packet.

-p: match the protocol (tcp, udp, icmp, ...); per-protocol options such as --dport and --sport require it.

-i: match the interface the packet arrived on (valid only in INPUT, FORWARD and PREROUTING).

-o: match the interface the packet leaves on (valid only in OUTPUT, FORWARD and POSTROUTING).

-j: the target, i.e. what to do with a matching packet:

I: ACCEPT --------- let the packet through.

II: DROP ---------- discard the packet silently; the sender only sees a timeout.

III: REJECT ------- discard the packet but send an error back (an ICMP port-unreachable by default; --reject-with tcp-reset is the usual choice for TCP), so the sender fails immediately instead of waiting.

eg: drop HTTP packets from 192.168.5.1 to 192.168.5.10

iptables -A INPUT -s 192.168.5.1 -d 192.168.5.10 -p tcp --dport 80 -j DROP

eg: accept HTTP packets from 192.168.5.1 to 192.168.5.10, together with the replies

iptables -A INPUT -s 192.168.5.1 -d 192.168.5.10 -p tcp --dport 80 -j ACCEPT

iptables -A OUTPUT -s 192.168.5.10 -d 192.168.5.1 -p tcp --sport 80 -j ACCEPT

Remember that a connection is two-way. When the default policy of OUTPUT is DROP, accepting the request on INPUT is not enough; the reply leaving port 80 has to be accepted on OUTPUT as well, otherwise the client never sees an answer.

Rules added on the command line are lost at reboot; save them (RHEL/CentOS style, written to /etc/sysconfig/iptables) with:

service iptables save

iptables -L -nv --line-numbers // list the current rules with counters and rule numbers (-n skips DNS lookups, -v shows packet counters and interfaces).

4. Managing rules

-A: append a rule at the end of a chain.

-I: insert a rule; with no position it goes to the top (position 1), with a number it goes to that position, e.g. iptables -I INPUT 3 ...

-D: delete a rule, either by its number or by repeating its full specification.

-R: replace the rule at the given number with a new one.

-C: check whether a rule already exists (exit status 0 if it does); useful before -A in scripts that may run more than once.

Managing chains:

-F: flush all rules from a chain (from every chain of the table if no chain is named).

-P: set the default policy of a built-in chain, applied when no rule matches.

-N: create a new, empty user-defined chain.

-X: delete a user-defined chain; it must be empty and no rule may still jump to it.

5. Extension modules (-m)

eg: accept HTTP to the server 192.168.5.1 according to connection state

iptables -A INPUT -d 192.168.5.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -s 192.168.5.1 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

// On INPUT the server accepts both NEW and ESTABLISHED packets for the service; on OUTPUT it may only send ESTABLISHED packets, i.e. replies to connections a client opened, never a connection it originates itself from port 80.

eg: several ports in one rule

iptables -A INPUT -d 192.168.5.1 -p tcp -m multiport --dports 21,22,80 -m state --state NEW,ESTABLISHED -j ACCEPT

// Accept packets to ports 21, 22 and 80 on INPUT when they are NEW or ESTABLISHED (--dports is short for --destination-ports).

eg: an SSH limit: each IP address may hold at most three connections, and a source that makes more than three connection attempts within five minutes is dropped for the rest of that window.

iptables -A INPUT -d 192.168.5.1 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP // more than three simultaneous connections from one source address are dropped.

iptables -A INPUT -d 192.168.5.1 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP

iptables -A INPUT -d 192.168.5.1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

// --set records the source IP of every new SSH connection in the list named SSH. --update checks whether that IP already has 3 hits within the last 300 seconds and, if so, drops the packet and refreshes its timestamp, so the block lasts until the source has been quiet for 300 seconds. --seconds and --hitcount only have meaning together with --update (or --rcheck). The --update rule must come before the --set rule: the other way round the packet being checked is already counted and the limit takes effect one attempt early.

eg: drop HTTP requests that contain the string "H7N9", so that pages requested with it cannot be fetched

iptables -A OUTPUT -d 192.168.5.1 -p tcp --dport 80 -m string --algo kmp --string "H7N9" -j DROP

// Note the direction: the rule is on OUTPUT and matches requests sent from this host to the web server 192.168.5.1, not the responses. The string match looks at each packet's payload on its own, without stream reassembly, so a string split across two segments, or anything inside TLS, is not matched; it is a coarse filter, not a content-inspection engine.
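The rules of sections 3 to 5 combined into one idempotent script, as an added example that is not code from the original article. Assumed, and not stated in the article: the host address 192.168.5.1 (HOST_IP) serves FTP, SSH and HTTP; the outbound services the host itself may start (DNS, HTTP, HTTPS); and the run()/dry_run wrapper, which is this example's own device so that DRY_RUN=1 prints the iptables commands instead of executing them.

```sh
#!/bin/sh
# Added example, not code from the original article: the rules of sections
# 3 to 5 as one idempotent script for a host serving FTP (21), SSH (22) and
# HTTP (80). Assumed, not from the article: HOST_IP, the outbound services
# the host itself may use, and the DRY_RUN / run() wrapper.

HOST_IP="${HOST_IP:-192.168.5.1}"

# dry_run CMD ARGS...: print the command instead of running it. A -C check
# is reported as "rule absent" (exit 1) so every rule shows up as an -A.
dry_run() {
    case " $* " in *" -C "*) return 1 ;; esac
    printf '%s\n' "$*"
}
if [ -n "${DRY_RUN:-}" ]; then run() { dry_run "$@"; }; else run() { "$@"; }; fi

# ensure CHAIN RULE...: append the rule only if an identical one is not
# already present (-C exits 0 when it is), so re-running the script after
# "service iptables save" does not duplicate rules.
ensure() {
    chain=$1; shift
    run iptables -C "$chain" "$@" 2>/dev/null || run iptables -A "$chain" "$@"
}

apply_ruleset() {
    # Loopback first: local services (DNS cache, database sockets) need it.
    ensure INPUT  -i lo -j ACCEPT
    ensure OUTPUT -o lo -j ACCEPT

    # One state rule per direction covers the replies of every accepted
    # service, replacing the per-service --sport rules in the article.
    ensure INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH: at most 3 simultaneous connections per source (connlimit), and a
    # source that opens more than 3 NEW connections in 300 s is dropped until
    # it has been quiet for 300 s (--update refreshes the timestamp on every
    # dropped attempt). --update must come before --set; the other way round
    # the packet being checked already counts as a hit.
    ensure INPUT -d "$HOST_IP" -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
    ensure INPUT -d "$HOST_IP" -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
    ensure INPUT -d "$HOST_IP" -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH

    # Services in one multiport rule. Only NEW is needed here because
    # ESTABLISHED is already accepted above. FTP data connections are
    # matched as RELATED only if the nf_conntrack_ftp helper is loaded.
    ensure INPUT -d "$HOST_IP" -p tcp -m multiport --dports 21,22,80 \
        -m state --state NEW -j ACCEPT

    # What the host itself may start: DNS and HTTP(S) for updates.
    ensure OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    ensure OUTPUT -p tcp -m multiport --dports 53,80,443 -m state --state NEW -j ACCEPT

    # Default deny is set last: setting DROP before the ESTABLISHED rule
    # exists would cut an SSH session that is running this script remotely.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
}

if [ -n "${FW_APPLY:-}" ]; then apply_ruleset; fi
```

Run DRY_RUN=1 FW_APPLY=1 sh fw.sh to see the commands, FW_APPLY=1 sh fw.sh as root to apply them, then service iptables save. Because every rule goes through -C, the script can be re-run after edits without producing duplicates; to start from a clean table run iptables -F first, after which the same script re-adds everything.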

6. nat

DNAT: destination address translation, done in PREROUTING (before routing, so the routing decision already sees the new destination).

SNAT: source address translation, done in POSTROUTING (after routing).

All the rules below belong to the nat table, so -t nat is required; without it they land in the filter table, where SNAT and DNAT are not valid targets.

eg: when 192.168.5.0/24 accesses the Internet, translate its addresses to 172.16.10.1

iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j SNAT --to-source 172.16.10.1

iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE // if the public address is dynamic (DHCP, PPPoE), use MASQUERADE instead of SNAT; it picks up the outgoing interface's current address automatically. Use one or the other, not both.

eg: connections to the server 172.16.10.1 are redirected to 192.168.5.1 on the internal network

iptables -t nat -A PREROUTING -d 172.16.10.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1

The port can be mapped at the same time:

iptables -t nat -A PREROUTING -d 172.16.10.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.5.1:8080

In both directions the host must actually forward the traffic: IP forwarding has to be enabled (net.ipv4.ip_forward = 1) and the FORWARD chain of the filter table must accept it, which it does not if that chain's policy is DROP.
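A small NAT gateway that puts the SNAT/MASQUERADE and DNAT rules above together with the two pieces the article leaves out, IP forwarding and the FORWARD-chain rules, as an added example that is not code from the original article. The topology is assumed, not taken from the article: eth0 is the outside interface holding 172.16.10.1, eth1 faces 192.168.5.0/24, and the published web server is 192.168.5.1:8080. The run()/dry_run wrapper is this example's own device for printing the commands with DRY_RUN=1.

```sh
#!/bin/sh
# Added example, not code from the original article: a NAT gateway that
# combines the SNAT/MASQUERADE and DNAT rules of section 6 with IP
# forwarding and FORWARD-chain rules. Assumed topology (not from the
# article): eth0 = outside, 172.16.10.1; eth1 = inside, 192.168.5.0/24;
# web server 192.168.5.1:8080. run()/dry_run is this example's own wrapper.

WAN_IF="${WAN_IF:-eth0}"; WAN_IP="${WAN_IP:-172.16.10.1}"
LAN_IF="${LAN_IF:-eth1}"; LAN_NET="${LAN_NET:-192.168.5.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.5.1}"; WEB_PORT="${WEB_PORT:-8080}"

# dry_run CMD ARGS...: print instead of executing; -C is reported as absent.
dry_run() {
    case " $* " in *" -C "*) return 1 ;; esac
    printf '%s\n' "$*"
}
if [ -n "${DRY_RUN:-}" ]; then run() { dry_run "$@"; }; else run() { "$@"; }; fi

# ensure TABLE CHAIN RULE...: add the rule unless it is already present.
ensure() {
    table=$1; chain=$2; shift 2
    run iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || run iptables -t "$table" -A "$chain" "$@"
}

apply_nat() {
    # Without forwarding the kernel drops packets not addressed to itself,
    # and the FORWARD and POSTROUTING hooks never see them.
    run sysctl -w net.ipv4.ip_forward=1

    # nat table. The translation is decided on the first packet of a flow;
    # conntrack applies the same mapping to every later packet and undoes
    # it for the replies, so no reverse rule is needed.
    # Outbound: rewrite LAN sources to the fixed public address...
    ensure nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # ...on a dynamic (DHCP/PPPoE) address use this instead of the SNAT rule:
    #   ensure nat POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Inbound: port 80 on the public address is served by WEB_SERVER:WEB_PORT.
    ensure nat PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:$WEB_PORT"

    # filter table. DNAT only rewrites the destination; FORWARD still decides
    # whether the packet may pass, and it sees the rewritten address and port.
    ensure filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ensure filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ensure filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" \
        -p tcp --dport "$WEB_PORT" -m state --state NEW -j ACCEPT
    # Everything else that would be forwarded is dropped.
    run iptables -P FORWARD DROP
}

if [ -n "${NAT_APPLY:-}" ]; then apply_nat; fi
```

The inbound FORWARD rule matches on 192.168.5.1 port 8080, not on 172.16.10.1 port 80, because filter FORWARD runs after nat PREROUTING has already rewritten the packet; a rule written for the public address would never match.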

7. Checking what iptables has loaded and how busy it is. lsmod | grep ip shows which netfilter/iptables modules (ip_tables, iptable_nat, nf_conntrack and so on) are loaded. On the 6.4 system used here, /proc/sys/net/nf_conntrack_max holds the maximum number of connections the connection-tracking table may contain (the same value is also at /proc/sys/net/netfilter/nf_conntrack_max, sysctl net.netfilter.nf_conntrack_max, and the current number of entries is in nf_conntrack_count next to it). On a very busy server the number of tracked connections can reach this limit; once it does, the kernel logs "nf_conntrack: table full, dropping packet" and new connections are dropped, so raise the limit (and the hash table size with it) before that happens. The current tracked connections are listed in /proc/net/nf_conntrack; the iptstate tool shows the same information interactively, top-style.
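A check for the connection-tracking pressure described above, as an added example that is not code from the original article. It reads the files named in section 7 (using the /proc/sys/net/netfilter/ paths) and summarises /proc/net/nf_conntrack by TCP state and destination port, which is what you want to know when the table is filling up: a table full of half-open SYN_RECV entries to one port tells a different story than one full of ESTABLISHED sessions. SAMPLE_CT is a constructed sample in that file's format, not a real capture, so the summary can be tried without root.

```sh
#!/bin/sh
# Added example, not code from the original article: conntrack pressure
# check for section 7. The file paths are the current kernel ones;
# SAMPLE_CT is a constructed sample in /proc/net/nf_conntrack format.

CT_TABLE="${CT_TABLE:-/proc/net/nf_conntrack}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_WARN_PCT="${CT_WARN_PCT:-80}"

# ct_pressure COUNT MAX: percentage of the table in use, as an integer.
ct_pressure() {
    echo $(( $1 * 100 / $2 ))
}

# ct_summary < nf_conntrack lines: prints total=N, one "state NAME=N" line
# per TCP state ("-" for non-TCP) and one "dport PORT=N" line per port.
# Field layout per line: l3proto, l3num, l4proto, l4num, timeout, then the
# TCP state for tcp lines, then key=value pairs. The first dport= belongs
# to the original direction, i.e. the port the client connected to.
ct_summary() {
    awk '
    {
        total++
        state = ($3 == "tcp") ? $6 : "-"
        states[state]++
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dport=/) { split($i, kv, "="); dports[kv[2]]++; break }
    }
    END {
        printf "total=%d\n", total
        for (s in states) printf "state %s=%d\n", s, states[s]
        for (p in dports) printf "dport %s=%d\n", p, dports[p]
    }'
}

# ct_check: warn when the table is above CT_WARN_PCT percent full. At 100%
# the kernel logs "nf_conntrack: table full, dropping packet" and new
# connections silently fail; raise nf_conntrack_max before that point.
ct_check() {
    count=$(cat "$CT_COUNT_FILE"); max=$(cat "$CT_MAX_FILE")
    pct=$(ct_pressure "$count" "$max")
    printf 'conntrack entries: %s/%s (%s%%)\n' "$count" "$max" "$pct"
    if [ "$pct" -ge "$CT_WARN_PCT" ]; then
        echo "WARNING: conntrack table ${pct}% full, breakdown:"
        ct_summary < "$CT_TABLE"
    fi
}

# Constructed sample: one SSH session, two half-open (SYN_RECV) HTTP
# connections from different clients, one DNS lookup by the host itself.
SAMPLE_CT='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.5.20 dst=192.168.5.1 sport=51234 dport=22 src=192.168.5.1 dst=192.168.5.20 sport=22 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 58 SYN_RECV src=10.0.0.7 dst=192.168.5.1 sport=40001 dport=80 src=192.168.5.1 dst=10.0.0.7 sport=80 dport=40001 mark=0 use=1
ipv4     2 tcp      6 57 SYN_RECV src=10.0.0.8 dst=192.168.5.1 sport=40002 dport=80 src=192.168.5.1 dst=10.0.0.8 sport=80 dport=40002 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.5.1 dst=192.168.5.53 sport=5555 dport=53 src=192.168.5.53 dst=192.168.5.1 sport=53 dport=5555 mark=0 use=2'

# ct_demo: run the summary over the constructed sample.
ct_demo() { printf '%s\n' "$SAMPLE_CT" | ct_summary; }

if [ -n "${CT_CHECK:-}" ]; then ct_check; fi
```

Run CT_CHECK=1 sh ctcheck.sh as root on a live host, or call ct_demo to see the breakdown on the sample. The per-port and per-state view is the same information iptstate shows, reduced to what a cron job or a monitoring agent can act on.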
     
         
       
         
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.