Getting Started with iptables (reposted)

xiaoxiao 2021-03-06

This article starts with the basic concepts of iptables. Note that iptables commands are case sensitive. The main differences between ipchains and iptables are in the syntax; pay attention to the following:

1. In ipchains a chain such as input is written in lowercase; in iptables it must be uppercase, e.g. INPUT.
2. In iptables you specify which table a rule acts on with -t (for example -t nat); if you do not, the rule goes into the default table, filter.
3. In ipchains -i means an interface; in iptables -i means the interface a packet comes in on, and there is also -o for the interface it goes out on.
4. In iptables the source port is given with the keyword --sport or --source-port.
5. In iptables the destination port is given with the keyword --dport or --destination-port.
6. In iptables the target that discards a packet is no longer DENY; it has been changed to DROP.
7. The ipchains logging option -l has become the target -j LOG, and a prefix for the log entries can be specified.
8. The ipchains option -y is written --syn in iptables, or --tcp-flags SYN,ACK,FIN SYN.
9. In iptables the ICMP message type is selected with the keyword --icmp-type, for example:

    iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -j ACCEPT

The examples below are grouped by function. If you are already familiar with iptables you can use them directly; otherwise, work through them as a way into the subject.
## Preparation ##

First check the current iptables settings on the machine:

    iptables -L -n
    iptables -t nat -L -n

Define the variable FW_IP, the firewall's external address, which the following examples refer to:

    FW_IP="163.26.197.8"

Open the kernel's forward function:

### Open the forward function ###
    echo "1" > /proc/sys/net/ipv4/ip_forward

or add FORWARD_IPV4=YES to /etc/sysconfig/network to enable forwarding.

Clear all rules. At the beginning you should first clear all rules and start from scratch, so that old rules do not interfere with the new settings.

The practice is as follows:

### Clear the previous settings ###
    # Clear all rules in every chain of the default table, filter
    iptables -F
    # Clear the user-defined chains in the filter table
    iptables -X
    # Clear all rules in every chain of the mangle table
    iptables -F -t mangle
    # Clear the user-defined chains in the mangle table
    iptables -t mangle -X
    # Clear all rules in every chain of the nat table
    iptables -F -t nat
    # Clear the user-defined chains in the nat table
    iptables -t nat -X

## Choose the default policy ##

Next, decide what the default policy of each chain should be. The practice is as follows. Discard everything by default:

### Set the filter table default policy ###
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

or accept everything by default:

### Set the filter table default policy ###
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

** The default policy of each chain can be set independently; it is not affected by the other chains.
** In the exercises below, if the target is DROP (discard) the policy is assumed to be ACCEPT, and if the target is ACCEPT the policy is assumed to be DROP, so that the effect of each rule can be seen.

## Open the loopback interface ##

The practice is as follows:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

Note: in the packet flow of ipfw and netfilter, packets to and from local processes do not pass through the FORWARD chain, so lo only has an effect in the INPUT and OUTPUT chains.
## Open the internal network interface ##

    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A OUTPUT -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -j ACCEPT
    iptables -A FORWARD -o eth1 -j ACCEPT

## IP masquerading (SNAT application) ##

Masquerade packets from the intranet so that the external network card eth0 acts as the proxy address for outgoing connections.

The practice is as follows:

### Start inside-to-outside masquerading ###
    iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/16 -j SNAT --to-source $FW_IP

The instruction above means: packets from the 172.16.0.0/16 network segment are masqueraded as $FW_IP.

## Virtual host (DNAT application) ##

Translating the destination address and port lets packets from the external network reach a server host on the intranet, commonly called a virtual host. This protects most of the server host's ports from the outside and opens only the channels of the services offered (such as the web server's port 80), so security is high.

The practice is as follows:

### Start outside-to-inside destination translation ###
    # Whatever connects to $FW_IP:80 is redirected to 172.16.255.2:80
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d $FW_IP --dport 80 -j DNAT --to-destination 172.16.255.2:80

## Open telnet to external hosts ##

Allow the internal host to telnet to external hosts.

The practice is as follows (default policy DROP):

### Open telnet port 23 on external hosts ###
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 23 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT

## Open the mail transfer channel ##

Allow any mail host to send mail to your mail server, and allow your mail server to send mail out as well.

The practice is as follows (default policy DROP):

### Open SMTP port 25 ###
    # Below: others can send mail to you
    iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT
    # Below: you can send mail to others
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT

## Open mail retrieval from external POP3 servers ##

Allow the internal host to retrieve mail from external POP3 servers.

The practice is as follows (default policy DROP):

### Open POP3 port 110 on external hosts ###
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 110 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT

## Open web browsing ##

Allow the internal host to browse external websites.

The practice is as follows (default policy DROP):

### Open HTTP port 80 on external hosts ###
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT

## Open DNS queries ##

Allow the internal host to query any DNS host on the external network.

The practice is as follows (default policy DROP):

### Open DNS port 53 ###
    # The first query is made with UDP packets
    iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
    # If that fails, the query is retried with TCP packets
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
    # Open queries between this host's DNS and external DNS hosts: using UDP
    iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 53 -d 0/0 --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
    # Open queries between this host's DNS and external DNS hosts: using TCP
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 53 -d 0/0 --dport 53 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT

## Open SSH to external hosts ##

Allow the internal host to SSH to external hosts.

The practice is as follows (default policy DROP):

### Open SSH port 22 on external hosts ###
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT
    # Below is the part where the SSH protocol differs: source ports 1020:1023
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1020:1023 -d 0/0 --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 22 -d $FW_IP --dport 1020:1023 -j ACCEPT

## Open FTP to external hosts ##

Allow the internal host to FTP to external hosts.

The practice is as follows (default policy DROP):

### Open FTP port 21 on external hosts ###
    # Below: open the control channel, port 21
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 21 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT
    # Below: open the data channel, port 20 (active mode)
    iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d 0/0 --dport 20 -j ACCEPT
    # Below: open passive-mode FTP data access
    iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d 0/0 --dport 1024:65535 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp ! --syn -s 0/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT

## Open ping to any host ##
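The service rules above, from telnet through FTP, all repeat one pattern: an outbound rule from a high port to the service port, and an inbound reply rule that admits only non-SYN packets. This added shell helper (not part of the original tutorial) generalises that pattern into functions, and adds a connection-tracking variant as the tighter alternative a defender would normally prefer. FW_IP and eth0 are taken from the page; the function names and the IPT dry-run variable are assumptions.

```shell
#!/bin/sh
# Added helper, not part of the original tutorial. It generalises the rule
# pairs the tutorial writes out per service (telnet, SMTP, POP3, HTTP, DNS,
# SSH, FTP). Run with IPT=echo to preview the rules without root or a kernel.
IPT=${IPT:-iptables}
FW_IP=${FW_IP:-163.26.197.8}   # firewall's external address (from the page)
EXT_IF=${EXT_IF:-eth0}         # external interface (from the page)

# Reply-traffic match in the tutorial's style: for TCP only non-SYN packets
# (no new connection) are let back in; UDP has no flags, so nothing to check.
reply_flags() { case "$1" in tcp) echo "! --syn" ;; esac; }

# Let $FW_IP act as a client of $2/$1 on external hosts, plus the replies.
allow_client() {
    proto=$1; port=$2
    $IPT -A OUTPUT -o "$EXT_IF" -p "$proto" -s "$FW_IP" --sport 1024:65535 \
         -d 0/0 --dport "$port" -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p "$proto" $(reply_flags "$proto") -s 0/0 \
         --sport "$port" -d "$FW_IP" --dport 1024:65535 -j ACCEPT
}

# Let external hosts reach $FW_IP on $2/$1 (e.g. SMTP 25), plus our replies.
allow_server() {
    proto=$1; port=$2
    $IPT -A INPUT -i "$EXT_IF" -p "$proto" -s 0/0 --sport 1024:65535 \
         -d "$FW_IP" --dport "$port" -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_IF" -p "$proto" $(reply_flags "$proto") \
         -s "$FW_IP" --sport "$port" -d 0/0 --dport 1024:65535 -j ACCEPT
}

# Tighter alternative using connection tracking: the reply rule matches only
# packets of a connection this host opened, not every non-SYN packet that
# happens to arrive from the service port.
allow_client_stateful() {
    proto=$1; port=$2
    $IPT -A OUTPUT -o "$EXT_IF" -p "$proto" -s "$FW_IP" --dport "$port" \
         -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p "$proto" -d "$FW_IP" --sport "$port" \
         -m conntrack --ctstate ESTABLISHED -j ACCEPT
}
# Example: IPT=echo sh -c '. ./fwlib.sh; allow_client tcp 23; allow_server tcp 25'
```

Sourcing the file with IPT=echo prints the rules so they can be reviewed before being applied with the default IPT=iptables.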

Please credit the original source when reposting: https://www.9cbs.com/read-44009.html
