
Linux system Iptables Firewall User Manual
Add Date: 2018-11-21

The built-in Linux firewall is implemented by the netfilter kernel module (www.netfilter.org). The Linux kernel uses netfilter to filter incoming and outgoing packets. Netfilter rules are organized in three tables, and each table has a number of built-in chains. These chains are manipulated with the iptables command, which adds, deletes and lists rules.

One. Netfilter rule tables: filter, nat, mangle

filter is the table used to filter network packets. It is the default: if you do not give the -t parameter when creating a rule, the rule is stored in this table. Its chains are:

INPUT: packets addressed to the server itself

OUTPUT: packets originating from the server

FORWARD: packets routed through the server

nat is the NAT table. NAT (Network Address Translation) is a method of rewriting the IP addresses in packets. Its chains are:

PREROUTING: packets can be modified as they arrive at the server, before routing

OUTPUT: packets originating from the server

POSTROUTING: packets can be modified just before they leave the server

mangle is the table used to modify packet headers, such as TOS (Type Of Service) and TTL (Time To Live). Its chains are:

INPUT: packets addressed to the server itself

OUTPUT: packets originating from the server

FORWARD: packets forwarded through the server

PREROUTING: packets can be modified as they arrive at the server

POSTROUTING: packets can be modified just before they leave the server

1. How Iptables evaluates rules

When a packet enters the server, the Linux kernel walks the corresponding chain until it finds a rule that matches the packet. If that rule's target is ACCEPT, the remaining rules are skipped and the packet is allowed to continue. If the target is DROP, the packet is discarded and the kernel consults no further rules.

Note: if no rule in the chain matches the packet, and the chain does not end with a rule that drops everything, the packet is accepted by the chain's default policy (ACCEPT unless you change it with -P). Cisco behaves the other way round, because its access lists carry an implicit deny-all rule at the end.
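The first-match behaviour described above, as an added shell emulation that is not part of the original page: rules are walked in -A order, the first match decides, and a chain with no match falls back to its policy. The rule syntax (proto, dport, target) and the sample chains are constructed for the demonstration.

```shell
# Added example (not from the original page): a small shell emulation of how
# the kernel walks one chain. Rule lines arrive on stdin as
#   <proto|all> <dport|any> <target>
# in iptables -A order; the packet is given as "<proto> <dport>".
# The first matching rule decides; if none matches, the chain policy applies.
first_match() {   # first_match POLICY "PROTO DPORT"  < rules
    policy=$1
    pkt_proto=${2%% *}
    pkt_port=${2##* }
    while read -r r_proto r_port r_target; do
        case "$r_proto" in ''|'#'*) continue ;; esac   # skip blanks/comments
        if [ "$r_proto" = all ] || [ "$r_proto" = "$pkt_proto" ]; then
            if [ "$r_port" = any ] || [ "$r_port" = "$pkt_port" ]; then
                echo "$r_target"     # terminating target: stop here
                return 0
            fi
        fi
    done
    echo "$policy"                   # end of chain: default policy (-P)
}

# Constructed chains. sane_chain allows a few ports, then drops the rest.
sane_chain() {
    printf '%s\n' 'tcp 22 ACCEPT' 'tcp 80 ACCEPT' 'all any DROP'
}
# Same rules, but an accept-everything rule sits at the top, which makes
# every later rule (including the final DROP) unreachable.
accept_first_chain() {
    printf '%s\n' 'all any ACCEPT' 'tcp 22 ACCEPT' 'all any DROP'
}

verdict() {   # verdict CHAIN_FN POLICY "PROTO DPORT"
    "$1" | first_match "$2" "$3"
}

# Demo: the same packet gets opposite verdicts depending on rule order,
# and a chain with no catch-all rule falls through to its policy.
echo "tcp/23, sane order:       $(verdict sane_chain ACCEPT 'tcp 23')"          # DROP
echo "tcp/23, accept-all first: $(verdict accept_first_chain ACCEPT 'tcp 23')"  # ACCEPT
echo "tcp/80, no catch-all, -P DROP: $(printf 'tcp 22 ACCEPT\n' | first_match DROP 'tcp 80')"  # DROP
```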

1.) Iptables command options

iptables [-t table] command [option] [parameter] [target]

-A Append a rule to the end of the chain

-C Check a user-defined chain before rules are added to it

-D Delete a rule from the chain

-E Rename a user-defined chain; the rules in the chain do not change

-F Flush a chain: delete all of its rules

-I Insert a rule into the chain

-L List the rules of a chain, e.g. iptables -L INPUT lists the rules of the INPUT chain

-N Create a new chain

-P Set the default policy of a chain

-R Replace a rule in the chain

-X Delete a user-defined chain

-Z Zero the byte and packet counters of all chains in all tables

2.) Iptables command parameters

-p, --protocol

The protocol of the packet: TCP, UDP, ICMP or ALL. It can be negated with !.

When using -p tcp, further options narrow the rule. They include:

--sport lets you specify the source port of the packet. port1:port2 matches every port from port1 to port2.

--dport the destination port, used exactly like --sport.

When using -p udp, the special options are:

--sport, --dport, the same as for -p tcp but applied to UDP packets.

When using -p icmp, only one option is available:

--icmp-type, which lets you specify the ICMP type the rule filters on.

-s, --source the source address of the packet. It is followed by an IP address, a network address with its netmask, or a host name (host names are discouraged).

-d, --destination the destination address of the packet, used like -s.

-j, --jump specifies the target, i.e. what to do with a packet that matches the rule. The target can be ACCEPT, DROP, QUEUE or RETURN. Without -j, nothing is done to the packet except that the rule's counters are incremented.

-i, --in-interface for the INPUT, FORWARD and PREROUTING chains: the interface on which the packet arrived at the server.

-o, --out-interface for the OUTPUT, FORWARD and POSTROUTING chains: the interface through which the packet leaves the server.

3.) Iptables command targets

The last step in building a rule is to specify what iptables does with matching packets. Once a packet matches a rule, no other rule in the chain is applied to it. The built-in targets are ACCEPT, DROP, QUEUE and RETURN.

ACCEPT: let the packet through to its destination.

DROP: refuse the packet; it is discarded.

QUEUE: hand the packet to a user-space application for processing.

RETURN: stop checking the packet against the remaining rules of the current chain and return to the chain that called it, where the packet continues on its way.

2. Iptables rule examples

Allow WWW

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This rule is appended to the INPUT chain of the filter table and allows packets whose destination port is 80.

Allow DHCP on the internal interface

iptables -A INPUT -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT

iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT

The two rules above allow both the TCP and the UDP variant.

3. Saving and restoring Iptables

Saving Iptables

Use iptables-save to save the current iptables rules:

iptables-save > <path of the saved rules>, for example # iptables-save > /etc/iptables.up.rule

Restoring Iptables

Use iptables-restore to load a saved iptables configuration file back into the running iptables tables:

iptables-restore < /etc/iptables.up.rule

Two. Iptables on Ubuntu Server

Ubuntu Server 6.06 has iptables (version 1.3.3) installed by default, but no rules are loaded at boot.

iptables can be enabled by editing /etc/network/interfaces:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
# add the following two lines
pre-up iptables-restore < /etc/iptables.up.rule
# load the saved rules before eth0 is brought up
post-down iptables-save > /etc/iptables.up.rule
# save the current rules after eth0 is taken down

Then reactivate eth0.

You can also edit /etc/iptables.up.rule at any time to change the iptables rules. The format of iptables.up.rule is as follows:

# Generated by iptables-save v1.3.3 on Tue Jul 31 14:18:44 2007
*filter
:INPUT ACCEPT [73:8213]
:OUTPUT ACCEPT [8:825]
-A INPUT -i lo -p icmp -j DROP
-A INPUT -i eth0 -p icmp -j DROP
COMMIT
# Completed on Tue Jul 31 14:10:44 2007

The file must contain no blank lines, and every table block (here *filter) ends with a COMMIT line.

Three. Summary

The order of the rules in each chain matters: if the first rule accepts everything, every packet passes the firewall no matter what follows, so arrange the rules in the right order.

The general rule is: deny everything, then allow the few things you need.
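The saved-rule format from section Two and the "deny everything, allow a few" rule from the summary, combined in one added script that is not from the original page: it writes a complete iptables.up.rule with DROP policies and a short allow list, then checks the file for the formatting mistakes that make iptables-restore fail. The interface name eth0 and port 80 come from the page; port 22, the ICMP and state-match rules, and the temporary file path are assumptions.

```shell
# Added example (not from the original page): write a complete rule file in
# the iptables-save format shown above that follows "deny all, allow a few",
# then sanity-check it before handing it to iptables-restore.
# Assumptions: the LAN interface is eth0, the services to expose are ssh (22)
# and www (80), and the file is written under $TMPDIR instead of /etc.
IFACE=eth0
RULE_FILE=${RULE_FILE:-${TMPDIR:-/tmp}/iptables.up.rule}

# Policies first (INPUT and FORWARD default to DROP), then the allow rules in
# match order, then COMMIT, which iptables-restore requires to apply the table.
ruleset() {
    cat <<EOF
# iptables.up.rule: hand-written in iptables-save format (example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 80 -j ACCEPT
-A INPUT -i $IFACE -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Checks a rule file must pass: a *filter table header, a final COMMIT,
# no blank lines, and port options spelled with two dashes (a single-dash
# -dport is not parsed as --dport, and the rule fails to load).
check_ruleset() {
    f=$1
    grep -q '^\*filter$' "$f"        || { echo "missing *filter"; return 1; }
    [ "$(tail -n 1 "$f")" = COMMIT ]  || { echo "missing COMMIT"; return 1; }
    ! grep -q '^$' "$f"               || { echo "blank line present"; return 1; }
    ! grep -Eq '(^| )-[sd]port ' "$f" || { echo "single-dash port option"; return 1; }
    echo ok
}

ruleset > "$RULE_FILE"
check_ruleset "$RULE_FILE"    # prints: ok
# Then, as root: iptables-restore < "$RULE_FILE"
```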