当前位置：网站首页>Small list of iptables common commands

Small list of iptables common commands

2022-07-24 15:37:00 【InfoQ】

iptables Small list of common commands

iptables brief introduction

iptables It is integrated. Linux Kernel

Packet filtering firewall system

. Use iptables You can add 、 Delete specific filtering rules ,

iptables Default maintenance 4 A watch and 5 A chain

, All firewall policy rules are written into these tables and chains respectively .

**“ beyond the limits of the visible world ”** Refer to iptables The function of , default iptable s What is the rule table filter surface （ Filter rule table ）、nat surface （ Address translation rule table ）、mangle（ Modify data marker bit rule table ）、raw（ Tracking data table rule table ）：

filter surface
： Control whether packets are allowed in and out and forward , The links that can be controlled are INPUT、FORWARD and OUTPUT.

nat surface
： Control address translation in packets , The links that can be controlled are PREROUTING、INPUT、OUTPUT and POSTROUTING.

mangle
： Modify the original data in the packet , The links that can be controlled are PREROUTING、INPUT、OUTPUT、FORWARD and POSTROUTING.

raw
： control nat The enabled status of the connection tracking mechanism in the table , The links that can be controlled are PREROUTING、OUTPUT.

**“ Five chains ”** It refers to the control network in the kernel NetFilter Defined 5 A chain of rules . Each rule table contains multiple data links ：

INPUT（ Inbound data filtering ）、
OUTPUT（ Outbound data filtering ）、
FORWARD（ Forward data filtering ）、
PREROUTING（ Filtering before routing ）
and POSTROUTING（ Post routing filtering ）,

Firewall rules need to be written into these specific data links .

Linux Firewall filtering framework , Pictured 1 Shown .

It can be seen that ,

If the external host sends packets to the local firewall , The data will go through PREROUTING Chain and INPUT chain ;

If it is a firewall, send packets to the external host , The data will go through OUTPUT Chain and POSTROUTING chain ;

If the firewall is responsible for forwarding data as a route , Then the data will go through PREROUTING chain 、FORWARD Chain and POSTROUTING chain .

iptables grammar

iptables [-t table] command [match] [target]

-t： Used to specify the table to be operated on , Default if not specified filter surface command： Specific command actions , For example, add... To the specified chain / Deletion rule match： Matching rules for the package to be processed target： Packet processing action

command

Each chain consists of rules , For a chain, you can add rules 、 Deletion rule 、 Check whether this rule exists , The corresponding command options are as follows ：

match

1、 Universal matching

2、 Show match

adopt -m Option specifies the name of the matching module to be loaded , Followed by the corresponding options . Such as filtration mac Address operation , Specify modules mac, Options are as follows ：

target

Finally, let's talk about the processing action of data packets , Through parameters -j Appoint

IP There are two kinds of address filtering strategies , Or set which addresses are allowed to pass , Or we'll decide which addresses to ban .

iptables Input order of command options :

iptables -t  Table name  <-A/I/D/R>  Rule chain name  [ Rule number ] <-i/o  adapter name > -p  The name of the agreement  <-s  Source IP/ Source subnet > --sport  Source port  <-d  The goal is IP/ Target subnet > --dport  Target port  -j  action

Table name

Include :

raw: Advanced features , Such as : Website filtering

mangle: Packet modification (QOS), To achieve quality of service

net: address translation , For gateway routers

filter: Packet filtering , For firewall rules

Rule chain name

Include :

INPUT chain : Processing input packets

OUTPUT chain : Processing output packets

PORWARD chain : Processing forwarding packets

PREROUTING chain : For target address translation (DNAT)

POSTOUTING chain : For source address translation (SNAT)

action

Include :

accept: Receive packets

DROP: Discard packets

REDIRECT: Redirect , mapping , Transparent proxy

SNAT: Source address translation

DNAT: Target address translation

MASQUERADE:IP camouflage (NAT), be used for ADSL

LOG: logging

example

Clear existing iptables The rules

iptables -F
iptables -X
iptables -Z

Develop the specified port

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT # Allow local loopback interface ( That is, run native to access native )
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow established or associated traffic 
iptables -A OUTPUT -j ACCEPT # Allow all native outbound access 
iptables -A INPUT -p tcp --dport 22 -j ACCEPT # allow access to 22 port 
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # allow access to 80 port 
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # allow ftp Service 21 port 
iptables -A INPUT -p tcp --dport 20 -j ACCEPT # allow FTP Service 20 port 
iptables -A INPUT -j reject # Prohibit other rules that are not allowed to access 
iptables -A FORWARD -j REJECT # Prohibit other rules that are not allowed to access

shielding IP

iptables -I INPUT -s 123.45.6.7 -j DROP # Shield individual IP The order of 
iptables -I INPUT -s 123.0.0.0/8 -j DROP # Seal the whole section from 123.0.0.1 To 123.255.255.254 The order of 
iptables -I INPUT -s 124.45.0.0/16 -j DROP # seal IP Segment from 123.45.0.1 To 123.45.255.254 The order of 
iptables -I INPUT -s 123.45.6.0/24 -j DROP # seal IP Segment from 123.45.6.1 To 123.45.6.254 The order is

View the added iptables The rules

iptables -L -n -v perhaps iptables -nvL
The meaning of each parameter is ：
-L Represents to view all rules of the current table , The default view is filter surface , If you want to look at nat surface , You can add -t nat Parameters .-n Said is wrong IP Counter check the address , With this parameter, the display speed will be faster .-v Represents the output details , Contains the number of packets passing the rule 、 The total number of bytes and the corresponding network interface .

iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target prot opt in out source destination
 5075 589K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 191K 90M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1499K 133M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4364K 6351M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 6256 327K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target prot opt in out source destination
 5075 589K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

[ Failed to transfer the external chain picture , The origin station may have anti-theft chain mechanism , It is suggested to save the pictures and upload them directly (img-v76C8hLf-1648025815595)(C:\Users\FLY\AppData\Roaming\Typora\typora-user-images\image-20220317141405406.png)]

Will all iptables Display with serial number mark , perform ：

iptables -L -n --line-numbers

Delete added iptables The rules

For example, to delete INPUT The serial number is 8 The rules of , perform ：

iptables -D INPUT 8

iptables debugging

use raw Table for debugging [ Failed to transfer the external chain picture , The origin station may have anti-theft chain mechanism , It is suggested to save the pictures and upload them directly (img-Tug7jTuy-1648025815596)(https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)]

Use to raw surface 、ipt_LOG The kernel module 、 Log in kern.log in .

The specific steps are as follows ：

1. Get ready ipt_LOG The kernel module

modprobe ipt_LOG
modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4

2. Use raw surface , Add tracking rules

iptables -t raw -A PREROUTING -p icmp -j TRACE
iptables -t raw -A OUTPUT -p icmp -j TRACE

iptables -t raw -A PREROUTING -p tcp -dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp -dport 80 -j TRACE

raw Tables can only be used in PREROUTING and OUTPUT Add processing rules , Packages that meet the rules will be tracked , And output to the log .