
Introduction to iptables

Date: 2023-08-27 10:34:17
Tags: iptables, target, chain, introduction, packet, connection, rule


DESCRIPTION

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.


TARGETS

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace. (How the packet can be received by a userspace process differs by the particular queue handler. 2.4.x and 2.6.x kernels up to 2.6.13 include the ip_queue queue handler. Kernels 2.6.14 and later additionally include the nfnetlink_queue queue handler. Packets with a target of QUEUE will be sent to queue number '0' in this case. Please also see the NFQUEUE target as described later in this man page.) RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.





Usage:

iptables [-t TABLE] COMMANDS PARAMETERS [-m MATCHES] [-j TARGET]

TABLE

filter, nat, mangle, raw, security

COMMANDS

-N chain  # create a new user-defined chain

-X chain  # delete a user-defined chain

-P chain target  # set the default policy of the chain; only built-in chains can have a policy, and neither built-in nor user-defined chains can be used as the target of a policy

-A chain rule-specification  # append a rule at the end of the chain

-I chain [rulenum] rule-specification  # insert a rule at the given position in the chain

-D chain rulenum  # delete the rule at the given position from the chain

-L [chain]  # list all rules of the given chain; if no chain is given, the rules of every chain are listed

PARAMETERS

-p [!] protocol  # protocol can be tcp, udp, udplite, icmp, esp, ah, sctp or all

-s [!] address[/mask][,...]

-d [!] address[/mask][,...]

-j target  # the target of the rule: a user-defined chain, a built-in target, or a target extension

-g chain  # like -j, but processing continues in the given user-defined chain and does not return to the calling chain afterwards

-i [!] interface-name

-o [!] interface-name

MATCH EXTENSIONS

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

match modules:

addrtype | ah | cluster | comment | connbytes | connlimit | cpu |

conntrack

    This module, when combined with connection tracking, allows access to the connection tracking state for this packet/connection.

    --ctstate statelist

     statelist is a comma separated list of the connection states to match.  Possible states are listed below:

       INVALID
              meaning that the packet is associated with no known connection

       NEW    meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen  packets  in  both
              directions, and

       ESTABLISHED
              meaning that the packet is associated with a connection which has seen packets in both directions,

       RELATED
              meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or
              an ICMP error.

       UNTRACKED
              meaning that the packet is not tracked at all, which happens if you use the NOTRACK target in the raw table.

       SNAT   A virtual state, matching if the original source address differs from the reply destination.

       DNAT   A virtual state, matching if the original destination differs from the reply source.

icmp

    This extension can be used if `--protocol icmp' is specified. It provides the following option:

       [!] --icmp-type {type[/code]|typename}
              This  allows specification of the ICMP type, which can be a numeric ICMP type, type/code pair, or one of the ICMP type names shown by
              the command
               iptables -p icmp -h

tcp
    These extensions can be used if `--protocol tcp' is specified. It provides the following options:

        [!] --syn
              Only match TCP packets with the SYN bit set and the ACK,RST and FIN bits cleared.  Such packets are used to  request  TCP  connection
              initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connec‐
              tions will be unaffected.  It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN.  If the "!" flag precedes the "--syn", the  sense  of
              the option is inverted.
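The commands and parameters listed above, the conntrack states and the --syn match come together in a stateful host firewall, and a user-defined chain ending in RETURN shows the traversal rules from the TARGETS section. The script below is an added example, not code from the original page or from the iptables project; the management network 192.0.2.0/24 and the service ports are constructed sample values. The ruleset is written in iptables-restore format (what iptables-save prints): the `:CHAIN POLICY` header lines set what `-P` would set, `:SERVICES -` declares a user chain as `-N SERVICES` would, and each `-A` line takes the same rule specification as `iptables -A`.

```shell
#!/bin/sh
# Added example (not from the original page): a stateful filter-table ruleset
# for a single host, emitted in iptables-restore format so that it can be
# parsed and applied atomically. Constructed assumptions: SSH on tcp/22 is
# allowed only from the management network, HTTP on tcp/80 from anywhere.

MGMT_NET="192.0.2.0/24"   # constructed sample management network
SSH_PORT=22
HTTP_PORT=80

# Print the complete ruleset. iptables-restore ignores lines starting with '#'.
filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
# Packets of a connection already accepted, or related to one (FTP data,
# ICMP errors), pass first so the rest of INPUT only sees connection openers.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# INVALID packets belong to no known connection: drop them before any ACCEPT.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Only a genuine opener (SYN set, ACK/RST/FIN clear) may start a NEW TCP
# connection; such packets are handed to the user-defined chain.
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j SERVICES
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SERVICES decides which openers are welcome. RETURN sends a non-matching
# packet back to INPUT, where it reaches the end of the built-in chain and
# the INPUT policy (DROP) decides its fate.
-A SERVICES -p tcp --dport $SSH_PORT -s $MGMT_NET -j ACCEPT
-A SERVICES -p tcp --dport $HTTP_PORT -j ACCEPT
-A SERVICES -j RETURN
COMMIT
EOF
}

# Number of -A rules in the given chain, used as a sanity check of the output.
count_rules() {
    chain="$1"
    filter_ruleset | grep -c "^-A $chain "
}

# Parse the ruleset without committing it (iptables-restore --test); when the
# tool is not installed, fall back to printing the ruleset.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        filter_ruleset | iptables-restore --test
    else
        echo "iptables-restore not found; printing ruleset instead" >&2
        filter_ruleset
    fi
}
```

`check_ruleset` needs root to talk to the kernel; dropping `--test` applies the ruleset and, because iptables-restore replaces the whole table in one step, a host is never left with a half-loaded chain. Since INPUT's policy is DROP, confirm the SSH rule's source network matches the address you administer the host from before applying it.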

tos

ttl

This module matches the time to live field in the IP header.

       --ttl-eq ttl
              Matches the given TTL value.

       --ttl-gt ttl
              Matches if TTL is greater than the given TTL value.

       --ttl-lt ttl
              Matches if TTL is less than the given TTL value.

udp

TARGET EXTENSIONS

iptables can use extended target modules: the following are included in the standard distribution.

AUDIT | CHECKSUM | CLUSTERIP |

DNAT

       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those
       chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be
       mangled), and rules should cease being examined. It takes one type of option:

       --to-destination [ipaddr[-ipaddr]][:port[-port]]
              which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is
              only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be
              modified. If no IP address is specified then only the destination port will be modified.

              In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination
              address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load
              balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
              anymore.

       --random
              If option --random is used then port mapping will be randomized (kernel >= 2.6.22).

       --persistent
              Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent
              mappings is available from 2.6.29-rc2.

| LOG | MARK | NFLOG | NFQUEUE |

MASQUERADE

       This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup)
       connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP
       address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This
       is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost
       anyway).

       --to-ports port[-port]
              This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is
              only valid if the rule also specifies -p tcp or -p udp.

       --random
              Randomize source port mapping. If option --random is used then port mapping will be randomized (kernel >= 2.6.21).

REJECT

       This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating
       TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only
       called from those chains.

SNAT

       This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified
       (and all future packets in this connection will also be mangled), and rules should cease being examined.
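DNAT, SNAT and MASQUERADE are normally used together on a gateway: DNAT in PREROUTING exposes an internal service, and SNAT or MASQUERADE in POSTROUTING hides the internal network behind the gateway's address, while the filter table's FORWARD chain (where REJECT is valid) still decides what may pass. The script below is an added example, not code from the original page or from the iptables project; the interface names eth0/eth1, the public address 203.0.113.5, the LAN 192.168.10.0/24 and the web server 192.168.10.20 are all constructed values. It goes slightly beyond the page by showing the SNAT and MASQUERADE variants side by side, selected by an argument.

```shell
#!/bin/sh
# Added example (not from the original page): nat and filter rules for a small
# gateway in iptables-restore format. Constructed assumptions: WAN interface
# eth0 with the static address 203.0.113.5, LAN 192.168.10.0/24 on eth1, and
# an internal web server at 192.168.10.20 reachable from outside on tcp/80.

WAN_IF=eth0
WAN_IP=203.0.113.5
LAN_IF=eth1
LAN_NET=192.168.10.0/24
WEB_SERVER=192.168.10.20

# nat_ruleset 1 uses MASQUERADE (dynamic WAN address, mappings are forgotten
# when the interface goes down); nat_ruleset 0 uses SNAT to the fixed WAN_IP,
# which the man page recommends for static addresses.
nat_ruleset() {
    use_masq="${1:-0}"
    if [ "$use_masq" -eq 1 ]; then
        snat_rule="-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    else
        snat_rule="-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT is only valid in PREROUTING/OUTPUT: rewrite the destination of
# connections arriving on the WAN address, port 80, to the internal server.
# Only the first packet of a connection traverses the nat table; conntrack
# applies the same mapping to every later packet of that connection.
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
$snat_rule
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The nat table only rewrites addresses; FORWARD decides whether the
# rewritten packet may cross the gateway at all.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# The DNAT virtual state matches connections whose destination was rewritten,
# so this rule admits exactly the port-forwarded traffic and nothing else.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
# REJECT instead of DROP for the remainder so misdirected connections fail fast.
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Name of the target used in the POSTROUTING rule for the given mode.
postrouting_target() {
    nat_ruleset "$1" | grep '^-A POSTROUTING' | sed 's/.* -j \([A-Z]*\).*/\1/'
}

# Parse without committing; fall back to printing when iptables-restore is absent.
check_nat_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        nat_ruleset "${1:-0}" | iptables-restore --test
    else
        nat_ruleset "${1:-0}"
    fi
}
```

Forwarding only works once the kernel routes between the interfaces (net.ipv4.ip_forward=1); the rules alone do not enable it. Both tables are loaded in one iptables-restore run, so the DNAT mapping and the FORWARD rule that admits it appear together rather than one before the other.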

TTL

       This is used to modify the IPv4 TTL header field. The TTL field determines how many hops (routers) a packet can traverse until its time to
       live is exceeded.

       Setting or incrementing the TTL field can potentially be very dangerous, so it should be avoided at any cost. This target is only valid in
       the mangle table.

       Don't ever set or increment the value on packets that leave your local network!

       --ttl-set value
              Set the TTL value to `value'.

       --ttl-dec value
              Decrement the TTL value `value' times.

       --ttl-inc value
              Increment the TTL value `value' times.

ULOG


Supplement

  • Types of chains

PREROUTING

Exists in the nat table; mainly used to rewrite the destination address.

INPUT chain

Exists in the filter table; handles packets addressed to the local host.

FORWARD chain

Exists in the filter table; handles packets being forwarded through the host.

OUTPUT chain

Exists in the filter table; handles packets leaving the local host.

POSTROUTING

Exists in the nat table; mainly used to rewrite the source address.


  • Differences between the NAT targets

NAT          Function
SNAT         Rewrites the source address; mostly as the packet leaves
DNAT         Rewrites the destination address; mostly as the packet enters
MASQUERADE   Rewrites the source address to that of an interface, without naming an IP address explicitly

  • Relationship between tables and chains

[Figure: diagram of the relationship between tables and chains]


References

http://blog.chinaunix.net/uid-11852254-id-3141844.html

man iptables

http://bbs.ywlm.net/thread-482-1-1.html


From: https://blog.51cto.com/u_5173797/7251102

    本文转自:什么是Sigma-DeltaADC(linkchip.cn) Sigma-DeltaADC是一种目前使用最为普遍的高精度ADC结构,在精度达到20位以上的场合,Sigma-Delta是必选的结构。通过采用过采样、噪声整形以及数字滤波技术,降低对模拟电路的设计要求,实现了其他类型的ADC无法达到的高精度和低功耗。通......