Note: The state machine does not look at the flags of a TCP packet (the TCP flags are transparent to it). If we want NEW packets to pass through the firewall, we must accept the NEW state. We normally understand NEW to mean a SYN packet, but iptables does not look at these flags, and this is where the problem lies: a packet with neither SYN nor ACK set will also be seen as NEW. Such packets may be legitimate where redundant firewalls are used, but on a network with only one firewall they are a disadvantage (the firewall may be attacked through them). So how can we avoid being affected by such packets? You can use the rules from the section on NEW packets that do not have SYN set. Another way is to install the tcp-window-tracking extension from patch-o-matic, which lets the firewall track connections according to some of the TCP flags.

4.5. UDP connections

UDP connections are stateless in themselves, because UDP has no connection establishment or teardown, and most UDP traffic carries no sequence numbers: from two packets received in a row you cannot tell which was sent first. Nevertheless, the kernel can still assign states to a UDP connection. Let us look at how a UDP connection is tracked and at the corresponding conntrack records.

As the figure above shows, from the user's point of view a UDP connection is established in almost the same way as a TCP connection. Although the conntrack entry looks a little different, it is essentially the same. Here is the conntrack record after the first UDP packet:

    udp      17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

From the first two values we can see that this is a UDP packet. The first is the name of the protocol, the second the protocol number, and the third the time this state has left to live, whose default is 30 seconds.
Next come the source and destination addresses and ports of the packet, followed by the addresses and ports expected in the reply. The [UNREPLIED] flag shows that no reply has been received yet.

    udp      17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

Once the first reply packet has been received, the [UNREPLIED] flag is removed and the connection is considered ESTABLISHED, although no ESTABLISHED flag is shown in the record. Accordingly, the timeout of the state has become 180 seconds. In this example only 170 seconds remain; after another 10 seconds it will be down to 160. One thing is still missing, although it may change: the [ASSURED] flag seen earlier. For the entry to become [ASSURED], there must be some traffic on the connection.

    udp      17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

As you can see, the [ASSURED] record differs from the previous ones only in that the [UNREPLIED] flag has been replaced by [ASSURED]. If this connection sees no traffic for 180 seconds, it is removed. 180 seconds is a little short, but it is enough for most applications.
Whenever a packet of this connection passes through the firewall, the timeout is reset to its default value; this is true for all states.

4.6. ICMP connections

ICMP is also a stateless protocol; it is only used for control, not for establishing connections. There are many types of ICMP packets, but only four have a reply packet: echo request and reply, timestamp request and reply, information request and reply, and address mask request and reply. These have two states, NEW and ESTABLISHED. Timestamp request and information request have been deprecated, while echo request is still common (the ping command uses it); address mask request is not common, but it may occasionally be useful and worth allowing. Look at the figure below to understand the NEW and ESTABLISHED states of an ICMP connection.

As shown, the host sends an echo request to the target, and the firewall considers this packet NEW. The target answers with an echo reply, and the firewall considers that packet ESTABLISHED. After the echo request has been sent, ip_conntrack contains a record like this:

    icmp     1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

As you can see, the ICMP record differs a little from the TCP and UDP ones: it has the protocol name, the timeout, and the source and destination addresses, but no ports, and three new fields are added: type, code and id. The type field is the ICMP type. The code field is the ICMP code, which is described in the appendix on ICMP types. The id is the ID of the ICMP packet: each ICMP packet is sent with an ID, and the receiver puts the same ID into the reply so that the sender can recognise which request a reply belongs to. [UNREPLIED] has the same meaning as before: traffic has only been seen in one direction, that is, no reply has been received.
Next come the source and destination addresses of the expected reply, with the same three new fields. Note that type and code have changed to those of the reply packet, while the id is the same as in the request. As before, the reply packet is considered ESTABLISHED. However, after the reply there will be no more data on this ICMP connection, so once the reply packet has passed through the firewall, the ICMP conntrack entry is destroyed.

In all these cases the request is considered NEW and the reply ESTABLISHED. In other words, when the firewall sees a request packet it considers the connection to be in the NEW state, and when the reply arrives the connection is ESTABLISHED.

Note: The reply packet must meet certain criteria for the connection to be considered ESTABLISHED, and this is the same for every type of traffic.

The default ICMP timeout is 30 seconds; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. This value is reasonable and suits most situations.
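To make the record format of sections 4.5 and 4.6 concrete, here is an added example (not part of the tutorial) that summarises ip_conntrack records of the kind shown above. It derives the connection state from the flags the text describes: [UNREPLIED] means no reply has been seen (NEW), otherwise the entry is ESTABLISHED, and [ASSURED] is appended when that flag is present. The sample records are the ones discussed above, embedded as constructed input; the function names and output layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise ip_conntrack records.
# conntrack_summary reads records on stdin and prints one line per entry:
#   <proto> <seconds-left> <state> <original direction>
# On a real firewall run:  conntrack_summary < /proc/net/ip_conntrack
conntrack_summary() {
    awk '
    NF >= 3 {
        proto = $1; ttl = $3
        unreplied = 0; assured = 0
        src = ""; dst = ""; sport = ""; dport = ""; type = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "[UNREPLIED]") { unreplied = 1; continue }
            if ($i == "[ASSURED]")   { assured = 1;   continue }
            n = split($i, kv, "=")
            if (n != 2) continue
            # The first src/dst/port quadruple is the original direction; the
            # second one describes the expected reply and is skipped here.
            if (kv[1] == "src"   && src   == "") src   = kv[2]
            if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
            if (kv[1] == "sport" && sport == "") sport = kv[2]
            if (kv[1] == "dport" && dport == "") dport = kv[2]
            if (kv[1] == "type"  && type  == "") type  = kv[2]
        }
        state = unreplied ? "NEW" : "ESTABLISHED"
        if (assured) state = state ",ASSURED"
        if (sport != "") flow = src ":" sport " -> " dst ":" dport
        else if (type != "") flow = src " -> " dst " type=" type
        else flow = src " -> " dst
        print proto, ttl, state, flow
    }'
}

# count_unreplied: number of entries still waiting for a reply. A sudden
# jump in this number usually means a scan or flood is filling the
# conntrack table, so it is worth graphing on a busy firewall.
count_unreplied() {
    grep -c -F '[UNREPLIED]'
}

# Constructed sample input: the three records discussed in the text.
SAMPLE='udp      17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1
udp      17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1
icmp     1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1'

printf '%s\n' "$SAMPLE" | conntrack_summary
printf 'unreplied entries: %s\n' "$(printf '%s\n' "$SAMPLE" | count_unreplied)"
```

Only the original direction is printed, because the reply tuple is fully determined by it; the ICMP line keeps the request type so that echo requests (type 8) can be told apart from other tracked ICMP traffic.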
Another very important role of ICMP is to tell a UDP or TCP connection, or one that is still being set up, what is happening; such ICMP replies are considered RELATED. Host unreachable and network unreachable are examples. When we try to connect to a machine and fail (it may be down), the last router the packet reached returns one of these ICMP messages, which is RELATED, as shown below:

We send a SYN packet to some address, and the firewall considers it NEW. However, the target network has a problem, and a router returns a network unreachable message, which is RELATED. Connection tracking recognises which connection it belongs to, the connection is interrupted, and the corresponding entry is deleted.

When a UDP connection runs into a problem, an ICMP message is likewise returned, and its state is again RELATED, as shown below:

We send a UDP packet, which is of course NEW. However, the target network is prohibited by some firewall or router, so our firewall receives a network prohibited message. The firewall knows which open UDP connection it belongs to, passes it through (with state RELATED), and deletes the corresponding entry. The client receives the prohibited message and the connection is interrupted.

4.7. Default connection handling

Sometimes the conntrack mechanism does not know how to handle a particular protocol, especially when it does not understand the protocol or does not know how it works, for example NetBLT, MUX and EGP. In this case conntrack uses its default handling, which is very similar to the handling of UDP: the first packet is considered NEW, and subsequent reply packets and the like are ESTABLISHED. The timeout for all packets handled this way is the same, 600 seconds, that is, 10 minutes.
Of course, this value can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout to suit your traffic, especially if it is slow, for example over satellite links.

4.8. Complex protocols and connection tracking

Some protocols are more complicated than others, which means the connection tracking mechanism has difficulty tracking them correctly. ICQ, IRC and FTP, for example, all carry information in the data part of the packet that is used to set up additional connections, so special helpers are needed to do the work. Let us take FTP as an example.

The FTP protocol first establishes a single connection, the FTP control session. Commands are sent over this connection, and other ports are opened to carry the data related to each command. These connections can be set up in two ways, active mode and passive mode. Look at active mode first: the FTP client sends a port and IP address to the server, the client opens that port, and the server connects to it from its own port 20 (the ftp-data port); data can then be sent over this connection. The problem is that the firewall does not know about these additional connections (relative to the control session), because the information used to set them up is carried in the data part of the protocol packets, not in the headers that the firewall can analyse. Therefore the firewall does not know whether to let these connections from the server to the client through. The solution is to add a special helper to the connection tracking module that detects this information. Then the connections from the FTP server to the client can be tracked, and their state is RELATED, as shown below:

In passive FTP the data connection is set up the opposite way round from active FTP.
The client tells the server that it wants some data, the server sends an address and port back to the client, and the client opens the connection to receive the data. If your FTP server is behind the firewall, or if you restrict users strictly and only allow them to reach a few ports on the Internet, then to let clients reach FTP servers on the Internet you also need the helper mentioned above. Below is how the data connection is set up in passive mode:

Some conntrack helpers are already included in the kernel; at the time of writing, FTP and IRC have conntrack helpers. If the helper you want is not in the kernel, look in the patch-o-matic directory of the iptables user-space package, which contains many helpers, for example for the ntalk or H.323 protocols. If you still cannot find it, you have several options: check the iptables CVS, or ask on netfilter-devel whether one is planned. If that does not help, you will have to write it yourself; a good introduction is Rusty Russell's Unreliable Netfilter Hacking How-to, which is linked among the other resources in the appendix.

Conntrack helpers can be compiled statically into the kernel or built as modules; a module is loaded with a command of the form:

    modprobe ip_conntrack_*

Note that connection tracking does not handle NAT, so you need to load the corresponding NAT module as well. For example, if you want to NAT and track FTP connections, you need the FTP NAT module in addition to the FTP conntrack module. All NAT helper names start with ip_nat_; this is a naming convention: the FTP NAT helper is called ip_nat_ftp and the IRC one is ip_nat_irc. The conntrack helpers follow the same convention: the IRC conntrack helper is ip_conntrack_irc, and the FTP one is ip_conntrack_ftp.

Chapter 5.
Saving and restoring rule sets

iptables provides two very useful tools for handling large rule sets: iptables-save and iptables-restore. They write the rules to a file in a special format that uses only standard script syntax, and restore the rules from such a file.

5.1. Speed considerations

One of the most important reasons to use iptables-save and iptables-restore is that they speed up loading and saving of rule sets considerably. The problem with changing rules through a script is that every change must go through the iptables command, and each call to iptables first extracts the entire rule set from netfilter's kernel space, then inserts, appends or otherwise changes it, and finally loads the new rule set from its own memory back into kernel space. This takes a lot of time. iptables-save and iptables-restore solve this problem: iptables-save saves the rule set to a text file in a special format, and iptables-restore loads that file back into kernel space. The great advantage of these two commands is that the rule set is loaded and saved in one go, whereas a script calls iptables once for every rule. One run of iptables-save extracts the entire rule set from the kernel and saves it to a file, and iptables-restore loads a whole table at a time.
In other words, with a large rule set loaded by a script, the rules are extracted and reloaded many times over, whereas now the whole rule set is saved once and loaded a table at a time, which saves a lot of time. If you work with huge rule sets, these two tools are the obvious choice. Of course, they also have drawbacks, which the following sections describe in detail.

5.2. Drawbacks of restore

Can iptables-restore do everything a script can? No, and it very likely never will. The main shortcoming of iptables-restore is that it cannot be used for complex rule sets. For example, we may want to obtain the dynamically assigned IP address of a connection when the computer boots and then use it in the script. With iptables-restore this is more or less impossible. One possible solution is a small script that obtains the IP address and replaces a keyword in the configuration file used by iptables-restore with the obtained value. The changed configuration can be saved to a temporary file and then fed to iptables-restore. However, this brings a lot of problems, and you cannot use iptables-save to save a configuration containing keywords. This method is clumsy. Another way is to load the iptables-restore file and then run a specific script that adds the dynamic rules; in fact this is also clumsy. iptables-restore is not suited to dynamic IP addresses, and if you want to use options in configuration files to meet different requirements, iptables-restore is not applicable. iptables-restore and iptables-save have another shortcoming: they are not complete enough. Because not many people use them, not many people have found the problems, and some matches and targets, when referenced, may behave in ways we do not expect.
Despite these problems, I still strongly recommend that you use them, because they work very well for most rule sets, as long as those do not include new matches and targets that the tools do not yet know how to handle.

5.3. iptables-save

iptables-save is used to save the current rules to a file for iptables-restore. It is very simple and takes only two parameters:

    iptables-save [-c] [-t table]

The -c parameter saves the values of the packet and byte counters. This lets us keep the packet and byte statistics across a restart of the firewall: with -c, the firewall can be restarted without interrupting the statistics. This parameter is not used by default. The -t parameter specifies the table to save; the default is to save all tables. Below is the output of iptables-save without any rules loaded.
    # Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
    *filter
    :INPUT ACCEPT [404:19766]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [530:43376]
    COMMIT
    # Completed on Wed Apr 24 10:19:17 2002
    # Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
    *mangle
    :PREROUTING ACCEPT [451:22060]
    :INPUT ACCEPT [451:22060]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [594:47151]
    :POSTROUTING ACCEPT [594:47151]
    COMMIT
    # Completed on Wed Apr 24 10:19:17 2002
    # Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [3:450]
    :OUTPUT ACCEPT [3:450]
    COMMIT
    # Completed on Wed Apr 24 10:19:17 2002

Let us explain this output format. Lines starting with # are comments. A table begins with *, for example *mangle. Each table contains chains and rules; a chain is declared as :<chain-name> <policy> [<packet-counter>:<byte-counter>]. For example, the chain named PREROUTING has the policy ACCEPT, followed by the packet and byte counters, the same two counters shown in the output of iptables -L -v. The description of each table ends with the keyword COMMIT, which means the rules are loaded into the kernel. The example above is the most basic one; I would like to show a better, short example that contains a very small rule set, iptables-save ruleset.
The output of iptables-save is as follows:

    # Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
    *filter
    :INPUT DROP [1:229]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Wed Apr 24 10:19:55 2002
    # Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
    *mangle
    :PREROUTING ACCEPT [658:32445]
    :INPUT ACCEPT [658:32445]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [891:68234]
    :POSTROUTING ACCEPT [891:68234]
    COMMIT
    # Completed on Wed Apr 24 10:19:55 2002
    # Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
    *nat
    :PREROUTING ACCEPT [1:229]
    :POSTROUTING ACCEPT [3:450]
    :OUTPUT ACCEPT [3:450]
    -A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1
    COMMIT
    # Completed on Wed Apr 24 10:19:55 2002

Each rule is preceded by its packet and byte counters when the -c parameter is used. Apart from the counters, the rules are the same as in an ordinary script. The question now is how to save this output to a file. Very simple: since you use Linux, you will know how to redirect it:

    iptables-save -c > /etc/iptables-save

This saves the rule set, with counters, to /etc/iptables-save.

5.4. iptables-restore

iptables-restore loads rule sets saved by iptables-save. Unfortunately it only accepts input on standard input and cannot read a file directly. Its usage is:

    iptables-restore [-c] [-n]

The -c parameter restores the packet and byte counters; if you saved the counters with iptables-save, you must use this parameter now. Its long form is --counters. The -n parameter tells iptables-restore not to overwrite the rules in the existing table or tables; by default all existing rules are flushed. Its long form is --noflush.
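The keyword workaround that section 5.2 describes for dynamic addresses, together with the save and restore commands of sections 5.3 and 5.4, looks like this in practice. This is an added example, not a script from the tutorial: the template, the keyword @INET_IP@, the address validation and the function names are all assumptions of this example. DRY_RUN defaults to 1, so the script prints the rendered rule set instead of loading it; set DRY_RUN=0 and run as root to feed it to iptables-restore.

```shell
#!/bin/sh
# Added example (not from the tutorial): render a saved rule set that
# contains the keyword @INET_IP@ and feed it to iptables-restore.
DRY_RUN="${DRY_RUN:-1}"

# write_sample_template FILE: a constructed rule set in iptables-save format,
# modelled on the output shown in section 5.3, with the firewall's public
# address replaced by the keyword @INET_IP@.
write_sample_template() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -d @INET_IP@ -p tcp --dport 22 -m state --state NEW -j ACCEPT
[0:0] -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source @INET_IP@
COMMIT
EOF
}

# render_ruleset TEMPLATE IP: replace every @INET_IP@ with the address
# obtained at boot time. The address is checked first, so a bad value (for
# example an empty one from a failed DHCP lease) cannot produce a broken
# rule file that iptables-restore would reject or, worse, misapply.
render_ruleset() {
    case "$2" in
        ""|*[!0-9.]*) echo "render_ruleset: bad address '$2'" >&2; return 1 ;;
    esac
    sed "s/@INET_IP@/$2/g" "$1"
}

# count_rules FILE: number of rule lines (-A, optionally preceded by the
# counters that iptables-save -c writes); a sanity check before reloading.
count_rules() {
    grep -c -E '^(\[[0-9]+:[0-9]+\] )?-A ' "$1"
}

# load_ruleset TEMPLATE IP: render to a private temporary file and feed it to
# iptables-restore on standard input, since it cannot open a file itself.
# -c restores the counters that were saved with iptables-save -c.
load_ruleset() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    if ! render_ruleset "$1" "$2" > "$tmp"; then rm -f "$tmp"; return 1; fi
    if [ "$DRY_RUN" = 1 ]; then
        cat "$tmp"
    else
        iptables-restore -c < "$tmp"
    fi
    rc=$?
    rm -f "$tmp"
    return $rc
}

TEMPLATE=$(mktemp)
write_sample_template "$TEMPLATE"
echo "template holds $(count_rules "$TEMPLATE") rules"
load_ruleset "$TEMPLATE" 195.233.192.1
rm -f "$TEMPLATE"
```

The rendered file is written with mode 600 and removed afterwards, because a rule set reveals the firewall's policy; keeping the keyword only in the template means iptables-save output must never be copied over the template, which is exactly the limitation the text warns about.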
There are several ways to load rules with iptables-restore; let us look at the simplest and most general one. A rule set loaded this way should be properly installed in the kernel and work normally. If something goes wrong, you will have to work out why yourself.

Chapter 6. How a rule is built

This chapter discusses in detail how to build your own rules. A rule is a set of conditions on a chain that blocks or allows different connections and packets. Each line inserted into a chain is a rule.
We will also discuss the basic matches and their usage, as well as the various targets, and how to build our own targets (for example a new sub-chain).

6.1. Basics

As already explained, a rule tells the kernel how to handle a packet. If a packet matches all the conditions of the rule, we run the target or jump instruction. A rule is written in the following syntax:

    iptables [-t table] command [match] [target/jump]

There is not much to say about this, except that the target instruction must come last. For readability we generally use this order; in short, most rules you will see are written this way, so if you see rules written by others you will find them easy to understand. If you do not want to use the standard table, you must specify a table name in place of [table]. In general there is no need to specify a table, because iptables uses the filter table for all commands by default. Nor does the table name have to be in this position; it can actually go almost anywhere in the rule, but putting it first is the accepted convention. Although the command always comes first, or directly after the table name, we should think about what is easiest to read. The command tells the program what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule; these are described in detail below. The match describes a feature of the packet that distinguishes it from all other packets; here we can specify the source IP address, network interface, port, protocol type or anything else. We will see many different matches below. Finally comes the target: if the packet matches all the matches, the kernel uses the target to handle it, or sends the packet to the target.
For example, we can have the kernel send the packet to another chain in the current table (perhaps one we created ourselves), drop the packet without further processing, or return a special reply to the sender. This is discussed in detail below.

6.2. Tables

The -t option specifies which table to use; it can be any of the tables described below, and the default is the filter table. Note that the following is only a summary of the chapter on tables and chains.

Table 6-1. Tables

nat: The main use of the nat table is network address translation (NAT). The addresses of packets that undergo NAT are changed, of course according to our rules. Only the first packet of a stream passes through this table: if the first packet is allowed to be NATed or masqueraded, the remaining packets automatically get the same treatment. That is, the remaining packets do not pass through this table to be NATed one by one, but are handled automatically. This is the main reason why we should not do any filtering in this table, as discussed in more detail later. The PREROUTING chain changes the destination address of a packet as soon as it reaches the firewall, if needed. The OUTPUT chain changes the destination address of locally generated packets. The POSTROUTING chain changes the source address of a packet before it leaves the firewall.

mangle: This table is mainly used to mangle packets. We can change the contents of different packets and their headers, such as the TTL, TOS or MARK. Note that MARK does not really change the packet; it is only a mark attached to the packet in kernel space.
Other rules or programs on the firewall (such as tc) can filter or do advanced routing based on this mark. This table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD. PREROUTING changes the packet after it enters the firewall but before the routing decision; POSTROUTING changes it after all routing decisions. OUTPUT changes locally generated packets before the routing decision for them is made. INPUT changes packets after they have been routed to the local host but before they reach user space. FORWARD changes packets after the first routing decision but before the last one. Note that the mangle table cannot do any NAT; it only changes the TTL, TOS or MARK of a packet, not its source address. NAT is done in the nat table.

filter: The filter table is specifically for filtering packets. It has three built-in chains, and in it we can DROP, LOG, ACCEPT or REJECT packets without problems. The FORWARD chain filters all packets that are neither generated locally nor destined for the local host (where "local" means the firewall); INPUT filters only packets destined for the local host; and OUTPUT filters all locally generated packets.

The above is the most basic description of the three tables. You should understand that their purposes are completely different, and you should know the use of each chain. If you do not, you may leave a hole in the firewall that gives people a way in. The chapter on tables and chains discusses these tables and chains in detail; if you do not fully understand how packets pass through the tables and chains, I suggest you go back and read it carefully.

6.3. Commands

In this section we introduce all the commands and their uses. A command specifies what operation iptables should perform on the rule we submit, for example adding a rule to a table, deleting one, or something else. Below are the commands available in iptables. Unless otherwise stated, the default table is the filter table.

Table 6-2.
Commands

Command: -A, --append
Example: iptables -A INPUT ...
Explanation: Appends a rule to the end of the selected chain. When the source or destination address is given as a name rather than an IP address, and the name resolves to several addresses, the rule covers all the resolved addresses.

Command: -D, --delete
Example: iptables -D INPUT --dport 80 -j DROP, or iptables -D INPUT 1
Explanation: Deletes a rule from the selected chain. There are two ways to specify the rule to delete: write out the whole rule exactly as it was entered, or give the number of the rule in the selected chain (rules in each chain are numbered).

Command: -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Explanation: Replaces the rule with the given number in the selected chain (rules in each chain are numbered from 1). Its main use is to test different rules. When the source or destination address is given as a name rather than an IP address, and the name resolves to several addresses, the command fails.

Command: -I, --insert
Example: iptables -I INPUT 1 --dport 80 -j ACCEPT
Explanation: Inserts a rule into the selected chain at the given position. If the number is 1, the rule is inserted at the head of the chain; 1 is in fact the default.

Command: -L, --list
Example: iptables -L INPUT
Explanation: Lists all rules of the selected chain.
If no chain is specified, all chains in the specified table are listed, and if nothing is specified, all chains of the default table. The exact output is affected by other options such as -n and -v, described below.

Command: -F, --flush
Example: iptables -F INPUT
Explanation: Flushes the selected chain. If no chain is specified, all chains in the specified table are flushed, and if nothing is specified, all chains of the default table. Of course you can also delete the rules one by one, but this command does it all at once.

Command: -Z, --zero
Example: iptables -Z INPUT
Explanation: Zeroes all counters of the specified chain (if none is specified, all chains).

Command: -N, --new-chain
Example: iptables -N allowed
Explanation: Creates a new chain with the name given by the user. The example above creates a chain called allowed. Note that the name must not be the same as that of an existing chain.

Command: -X, --delete-chain
Example: iptables -X allowed
Explanation: Deletes the specified user-defined chain. The chain must not be referenced by any rule; if it is, you must delete or replace the rules that reference it before deleting the chain. If no argument is given, this command deletes all non-built-in chains of the default table.

Command: -P, --policy
Example: iptables -P INPUT DROP
Explanation: Sets the default target for the chain (DROP and ACCEPT are available; if there are others, please tell me); this target is called the policy. All packets that do not match any rule are handled by this policy. Only built-in chains can have a policy. Neither built-in chains nor user-defined chains can be used as a policy, so something like iptables -P INPUT allowed (or with a built-in chain in place of allowed) is not possible.

Command: -E, --rename-chain
Example: iptables -E allowed disallowed
Explanation: Renames a user-defined chain; the old name comes first and the new name second. As in the example, allowed is changed to disallowed.
This only changes the name of the chain; the structure of the table is not affected.

When running iptables, if the necessary arguments are missing, pressing Enter gives some prompt information telling you what arguments are needed. The iptables option -v shows the version of iptables and a short description of the syntax. The following are some options and their roles.

Table 6-3. Options

Option: -v, --verbose
Commands used with: --list, --append, --insert, --delete, --replace
Explanation: This option makes the output more detailed and is often used with --list. When used with --list, the output includes addresses, rule options, TOS masks, and the byte and packet counters, where the counters are given in units of K, M or G (powers of 10 here, not powers of 2). If you want the exact number of packets and bytes, use the -x option described below. If -v is used with --append, --insert, --delete or --replace, iptables prints detailed information about how the rule was interpreted and whether it was inserted correctly.
Option: -x, --exact
Commands used with: --list
Explanation: Displays the counters in the --list output with their exact values, without the K, M and G abbreviations. Note that this option can only be used with --list.

Option: -n, --numeric
Commands used with: --list
Explanation: Prints IP addresses and ports in the output as numbers, rather than with the default names such as host names, network names or program names. Note that this option can only be used with --list.

Option: --line-numbers
Commands used with: --list
Explanation: Another option used with --list; it shows the number of each rule in its chain. Knowing the numbers is useful for inserting new rules.

Option: -c, --set-counters
Commands used with: --insert, --append, --replace
Explanation: Sets the packet and byte counters of the rule, for example setting the packet counter to 20 and the byte counter to 4000 (--set-counters 20 4000).

Option: --modprobe
Commands used with: all
Explanation: This option tells iptables which command to use to detect and load modules. It is useful if the modprobe command is not in the search path. With this option, when a module that is needed has not been loaded, iptables knows where to look for it.

6.4. Matches

In this section we discuss matches in detail. I have divided them into five categories. The first is generic matches, which can be used in all rules; the second is TCP matches, which as the name suggests can only be used on TCP packets; the third is UDP matches, which of course can only be used on UDP packets; the fourth is ICMP matches, for ICMP packets; and the fifth is the special matches, for state, owner and rate limiting (limit), which could be divided further, although they are not completely different from one another. I hope this classification is easy to understand.

6.4.1. Generic matches

Whatever protocol we use and whatever extended matches we load, generic matches are always available.
That is, they can be used directly without any prerequisites, whereas, as you will see, many matches require another match as a precondition.

Table 6-4. Generic matches

Match: -p, --protocol
Example: iptables -A INPUT -p tcp
Explanation: Matches the specified protocol. The protocol can be specified as follows:
1. By name, regardless of case, but the name must be defined in /etc/protocols.
2. By the corresponding integer value; for example, ICMP is 1, TCP is 6 and UDP is 17.
3. The default is all, whose value is 0; note that this means TCP, UDP and ICMP only, not all the protocols defined in /etc/protocols.
4. A comma-separated list of protocols, for example udp,tcp.
5. An exclamation mark before the protocol inverts the match; note the space, for example --protocol ! tcp means every protocol other than TCP, that is UDP and ICMP. As you can see, the inversion only covers TCP, UDP and ICMP.

Match: -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Explanation: Matches the source IP address of the packet. The address can be given as follows:
1. A single address, such as 192.168.1.1.
2. A network, written as 192.168.0.0/24 or 192.168.0.0/255.255.255.0.
3. An exclamation mark before the address inverts the match; note the space, for example --source ! 192.168.0.0/24 matches all addresses except those in 192.168.0.0/24.
4. The default is all addresses.

Match: -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Explanation: Matches the destination IP address of the packet. The address is given exactly as for --source.

Match: -i, --in-interface
Example: iptables -A INPUT -i eth0
Explanation: Matches the network interface on which the packet entered the local host. Note that this match can only be used in the INPUT, FORWARD and PREROUTING chains; anywhere else it produces an error message. The interface can be specified as follows:
1. By interface name, such as eth0 or ppp0.
2. With the wildcard +, which stands for any string of characters. If the plus sign is used on its own, iptables -A INPUT -i + matches all packets regardless of interface; this is also the default behaviour. The wildcard can also follow an interface type, for example eth+ means all Ethernet interfaces, that is, it matches all packets arriving on any Ethernet interface.
3. An exclamation mark before the interface inverts the match; note the space, for example -i ! eth0 matches all packets arriving on any interface except eth0.
Match: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Explanation: Matches the network interface through which the packet leaves the local host. Its range of use and the way the interface is specified are exactly the same as for --in-interface.

Match: -f, --fragment
Example: iptables -A INPUT -f
Explanation: Matches the second and subsequent fragments of a fragmented packet. Because these fragments carry no source or destination port, ICMP type or similar information, other rules cannot match them, which is why this match exists; keep fragmentation attacks in mind. This match can also be inverted with an exclamation mark, but note the position: ! -f. Inverted, it matches only the first fragment of a fragmented packet, or unfragmented packets, not the subsequent fragments. The kernel now has full fragment reassembly, which prevents fragmentation attacks, so it is no longer necessary to use the inverted match for that purpose. If you use connection tracking you will not see any fragments at all, because they are reassembled before they reach any chain.

6.4.2. Implicit matches

These matches are loaded into the kernel automatically, or implicitly. For example, when we use --protocol tcp we do not need to load anything else in order to match only certain TCP packets.
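The commands of section 6.3 and the generic matches of section 6.4.1 come together in the following added example, which is not a script from the tutorial: it builds a small stateful rule set with -F, -X, -P, -N, -A and -I, uses -p, -s, -i, -o, -f and ! inversion, and also applies the note from the TCP section by accepting NEW TCP packets only when they really carry SYN. The interface names, the inside network, the chain name allowed and the function names are assumptions of this example. IPTABLES defaults to echo, so running the script prints the commands instead of changing the firewall; set IPTABLES=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the tutorial): a small stateful rule set built
# from the commands and generic matches described above.
IPTABLES="${IPTABLES:-echo}"

LAN_IF=eth1             # assumed inside interface
INET_IF=eth0            # assumed outside interface
LAN_NET=192.168.0.0/24  # assumed inside network

build_firewall() {
    # Start from a clean filter table, then set the default policies.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # A user-defined chain: tracked traffic passes, a NEW TCP packet passes
    # only if it is a real SYN, everything else is dropped.
    $IPTABLES -N allowed
    $IPTABLES -A allowed -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A allowed -p tcp --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A allowed -j DROP

    # Generic matches on the INPUT chain: -i, -s, ! -s and -p.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j allowed
    $IPTABLES -A INPUT -i "$INET_IF" ! -s "$LAN_NET" -p tcp --dport 22 -j allowed
    $IPTABLES -A INPUT -i "$INET_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # Later fragments carry no ports, so they cannot match the rules above;
    # record them rather than guess.
    $IPTABLES -A INPUT -f -j LOG --log-prefix "fragment: "

    # Forwarding: LAN to Internet through the allowed chain (-i with -o),
    # and only tracked replies back in.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$INET_IF" -s "$LAN_NET" -j allowed
    $IPTABLES -A FORWARD -i "$INET_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # -I at positions 1 and 2: a packet claiming a LAN source address on the
    # outside interface is spoofed; log and drop it before any other INPUT
    # rule sees it.
    $IPTABLES -I INPUT 1 -i "$INET_IF" -s "$LAN_NET" -j LOG --log-prefix "spoofed LAN src: "
    $IPTABLES -I INPUT 2 -i "$INET_IF" -s "$LAN_NET" -j DROP
}

# rules_for CHAIN: number of -A/-I commands the script issues for a chain,
# a way to check the generated set without touching a kernel.
rules_for() {
    build_firewall | grep -c -E "^-(A|I) $1 "
}

build_firewall
```

Because every rule goes through the $IPTABLES variable, the same script serves as a dry run and as the real loader, and the echoed output can be diffed against a known-good version before it is applied; the spoofing rules are inserted last but at the head of INPUT, which is what -I with a position number is for.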