1, Concept of rules
In the last post we kept mentioning "rules" without ever explaining them. Let's do that now.
First the concept, then a plain-language explanation.
Rule: a rule tries to match every packet that passes through its chain against the matching conditions it specifies. Once a packet matches, it is handled by the processing action specified later in the same rule.
Put plainly: each "chain" is a checkpoint, and every packet passing the checkpoint is compared against the rules posted there; if a packet matches a rule, it is handled accordingly. Say you and I are two "packets" that both want to enter a walled city, and the city lord has ordered that only dignified-looking people may enter. The guards at the gate look us over according to the lord's "rules": you get in, I am turned away, because you met the "dignified" standard and were "let through" while I did not. "Dignified" is the matching condition, "let through" is the action, and a matching condition together with an action is what makes up a rule.
Now that the concept is clear, let's look at what a rule consists of. This is only a general outline of the structure; each part is summarized separately later.
Rules consist of matching conditions and processing actions.
1.1 matching conditions
Matching conditions are divided into basic matching conditions and extended matching conditions.
- Basic matching conditions
  Source IP (-s), destination IP (-d), the protocol (-p) and the interface a packet arrives on or leaves through (-i / -o). These are built into iptables itself and need no extra module.
- Extended matching conditions
  Beyond the basic ones, many other conditions can be used for matching. These are called extension conditions; they are also part of netfilter but exist as separate modules, so to use one you have to load the corresponding extension module (explicitly with -m, or implicitly, e.g. -p tcp loads the tcp match).
  Source port (--sport) and destination port (--dport) are examples of extended matching conditions: they come from the tcp and udp match modules, which is why they only work together with -p tcp or -p udp.
1.2 processing action
Processing actions are called targets in iptables (the two terms are not exactly the same thing; we use "action" loosely for now). Like matches, targets divide into basic ones and extended ones that live in modules.
Four common actions:
ACCEPT: let the packet through. This ends traversal of the current chain: no later rule in it is compared, and the packet continues to the next table's chain for the same hook (for example from nat PREROUTING on to filter INPUT), where it can still be dropped.
REJECT: refuse the packet and tell the sender so. By default an ICMP port-unreachable error is returned; --reject-with tcp-reset sends a TCP RST instead. The client gets the error immediately. REJECT is only valid in the INPUT, FORWARD and OUTPUT chains (and chains called from them).
DROP: discard the packet silently, with no response at all. The client sees nothing and only gives up after its own timeout, which is why a DROP rule makes a port look like a black hole rather than a closed port.
REDIRECT: port mapping on the local machine: the destination is rewritten to a local address and the port given with --to-ports. It is only valid in the nat table (PREROUTING and OUTPUT) and ends nat traversal for the packet; the rewritten packet then still passes through the filter table, so the filter rules see the new port.
2, Use of iptables
2.1 iptables installation and startup
1. Install iptables (on CentOS the iptables* glob should also match iptables-services, which provides the systemd unit and /etc/sysconfig/iptables):
[root@m01 ~]# yum install iptables*
2. Start iptables (enable it as well so the saved rules are loaded at boot):
[root@m01 ~]# systemctl start iptables
[root@m01 ~]# systemctl enable iptables
3. Stop and disable firewalld, so the two do not fight over the same rule tables:
[root@m01 ~]# systemctl disable --now firewalld
2.2 addition, deletion, modification and query of rules
Format: iptables -t <table> <command> <chain> [-p protocol] [matching conditions] -j <action>
-t                  specify the table to operate on (filter if omitted)
-L, --list          list the rules of a chain (all chains if none is given); add --line-numbers to see the rule numbers that -I, -R and -D accept
-v                  verbose: show packet and byte counters and interface names
-n                  numeric: do not resolve addresses and ports to names (much faster, no DNS lookups)
-A, --append        append a rule to the end of the chain
-I, --insert        insert a rule at the top of the chain (or at a given position: -I INPUT 3)
-F, --flush         delete all rules in the chain (all chains if none is given); the chain policy is not changed
-Z, --zero          zero the packet and byte counters
-D, --delete        delete a rule, either by its full specification or by its number
-R, --replace       replace the rule with the given number
-S, --list-rules    print the rules in iptables command form (the same form iptables-save uses)
-N, --new-chain     create a user-defined chain
-X, --delete-chain  delete an empty user-defined chain
-P, --policy        set the default policy of a built-in chain (what happens when no rule matches)
Case presentation:
iptables -t filter -L -n -v                      # view the rules with counters
iptables -t filter -I INPUT -p icmp -j REJECT    # insert a rule at the top of INPUT
iptables -t filter -R INPUT 1 -p icmp -j DROP    # replace rule number 1 of INPUT
iptables -t filter -Z                            # zero the counters
iptables -t filter -D INPUT 1                    # delete rule number 1 of INPUT
2.3 iptables basic condition matching: -p protocol
tcp (e.g. http), udp, icmp (ping), all. Protocol names are matched case-insensitively, so -p TCP and -p tcp mean the same thing; -p all (the default when -p is omitted) matches every protocol.
2.4 -s, -d source address, destination address
Source address (-s): the address the request comes from. Destination address (-d): the address being accessed. Both accept a single address or a CIDR network such as 192.168.15.0/24, and a leading ! negates the condition.
2.5 --sport source port and --dport destination port
Source port (--sport): the port the request is sent from (usually a random high port on the client). Destination port (--dport): the port the service listens on. Both require -p tcp or -p udp, because ports belong to those protocols.
2.6 -i, -o, -m, -j
-i: the network card the packet arrived on (only meaningful in INPUT, FORWARD and PREROUTING)
-o: the network card the packet leaves through (only meaningful in OUTPUT, FORWARD and POSTROUTING)
-m: load the named extension match module
-j: jump to the target, i.e. the action to take when the rule matches
3, Basic matching rule related cases
Case 1: only port 22 may be accessed; every other port is closed.
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
(Order matters: -A appends, so the ACCEPT must be added before the DROP, otherwise the DROP matches first and you lock yourself out of SSH. The trailing rule only drops TCP; UDP and ICMP are still let in. None of the cases below admit the replies to connections this host opens itself, such as yum or DNS; that needs a rule like -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ahead of the DROP.)
Case 2: only ports 22, 80 and 443 may be accessed; every other port is closed.
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
Case 3: 192.168.15.81 may only be reached on port 22 (run on .81 itself; -d names this host's own address).
iptables -t filter -A INPUT -p tcp -d 192.168.15.81 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
Case 4: only 192.168.15.71 may reach 192.168.15.81 on port 22; everyone else is dropped.
iptables -t filter -A INPUT -p tcp -s 192.168.15.71 -d 192.168.15.81 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
Case 5: make 192.168.15.71 invisible to the outside (run on .71; drops all TCP addressed to it, other protocols still answer).
iptables -t filter -A INPUT -p tcp -d 192.168.15.71 -j DROP
Case 6: drop every request arriving on network card eth0.
iptables -t filter -A INPUT -p tcp -i eth0 -j DROP
Logged in through 172.16.1.71, forbid this host from reaching Baidu:
iptables -t filter -A OUTPUT -p tcp -o eth1 -j DROP
(This blocks all TCP leaving through eth1, not only Baidu; a rule aimed at Baidu alone would need -d with Baidu's addresses.)
Case 7: requests to the server's port 8080 should be served by port 80. REDIRECT lives in the nat table; PREROUTING covers packets from other hosts, and the port option is --to-ports:
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
(After the redirect the filter INPUT chain sees destination port 80, so that is the port the INPUT rules have to allow.)
Case 8: only the Windows host (192.168.15.1) may connect to 192.168.15.81 over SSH; everyone else is dropped.
iptables -t filter -A INPUT -p tcp -s 192.168.15.1 -d 192.168.15.81 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
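The cases above (and the add/delete commands of section 2.2) apply rules one at a time, which leaves a window where the chain is half-built and makes ordering mistakes easy. As an added example, not from the original post, here is how a practitioner would normally ship the same policy: the whole filter table is generated as one iptables-restore file, checked with iptables-restore --test, and loaded atomically. The admin host 192.168.15.1, the exposed ports 80 and 443, and the path /etc/sysconfig/iptables (the file the iptables-services unit loads at boot on CentOS) are assumptions chosen to match the cases above.

```shell
#!/bin/sh
# Added example (not from the original post): build the complete INPUT policy as
# one iptables-restore file and load it atomically instead of appending rules one by one.
# Assumed values: admin host 192.168.15.1, public ports 80,443, CentOS with iptables-services.

# Print a complete filter-table ruleset.
#   $1  comma-separated TCP ports open to everyone (multiport syntax, e.g. 80,443,30000:50000)
#   $2  source address or CIDR allowed to reach SSH
build_filter_ruleset() {
    ports="$1"
    admin_src="$2"
    # Chain policies: the policy is what applies when no rule matched, so with
    # ":INPUT DROP" there is no need for a trailing "-p tcp -j DROP" rule.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback and return traffic first: without the conntrack rule the DROP policy
    # also kills the replies to connections this host opens itself (yum, DNS, ...).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SSH only from the admin host. Order matters: iptables stops at the first match.
    printf '%s\n' "-A INPUT -p tcp -s $admin_src --dport 22 -j ACCEPT"
    # Public services in one multiport rule.
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT"
    # Answer pings, but rate-limit them (token bucket: 10 at once, then 5 per second).
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Load a ruleset file atomically. "iptables-restore --test" only parses the file,
# so a typo is caught before the live rules are replaced (needs root and iptables).
load_ruleset() {
    file="$1"
    iptables-restore --test "$file" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    iptables-restore "$file"
}

# With no arguments just print the generated ruleset; "apply" writes it to the
# file the iptables unit loads at boot and then loads it.
case "${1:-}" in
    "")    build_filter_ruleset "80,443" "192.168.15.1/32" ;;
    apply) build_filter_ruleset "80,443" "192.168.15.1/32" > /etc/sysconfig/iptables \
           && load_ruleset /etc/sysconfig/iptables ;;
esac
```

Run it without arguments to review the ruleset, then with apply (as root) to install it. Because iptables-restore swaps the whole table in one operation, the chain is never half-built, and the ordering (loopback, conntrack, SSH, services) is fixed in the file rather than depending on which command you typed first.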
4, Condition matching of Iptables extension - module
4.1 continuously matching multiple ports
-m: load the named extension module (here multiport)
--dports: match several destination ports in one rule (separate individual ports with commas, write a range with a colon; at most 15 ports per rule, and a range counts as two). --sports does the same for source ports and --ports for either end.
eg: ports 22, 80, 443 and 30000-50000 are open to the outside; everything else is dropped.
iptables -t filter -A INPUT -p tcp -m multiport --dports 22,80,443,30000:50000 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
4.2 specify a continuous ip address range (iprange)
--src-range from[-to]   # source address range (both ends inclusive)
--dst-range from[-to]   # destination address range
eg: every address from 192.168.15.1 to 192.168.15.10 may connect to 192.168.15.81; everyone else is dropped.
iptables -t filter -A INPUT -p tcp -m iprange --src-range 192.168.15.1-192.168.15.10 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
(As written the first rule accepts all TCP from that range, not only SSH; add --dport 22 to narrow it.)
4.3 match the specified string (string)
--string pattern    # the string to look for in the packet payload
--algo {bm|kmp}     # search algorithm, Boyer-Moore or Knuth-Morris-Pratt; the option is mandatory
eg: packets whose payload contains HelloWorld must not get through.
iptables -t filter -A INPUT -p tcp -m string --string "HelloWorld" --algo kmp -j DROP
Caveats: the match is case-sensitive (--icase turns that off) and inspects one packet at a time, so a string split across two TCP segments, or carried inside TLS, is never seen. Treat it as a coarse filter, not as an intrusion detection system.
4.4 matching message according to time period (time)
--timestart hh:mm[:ss]     # start of the daily window
--timestop hh:mm[:ss]      # end of the daily window
--monthdays day[,day...]   # only on these days of the month
--weekdays day[,day...]    # only on these days of the week (Mon..Sun, or 1..7)
eg: no access between 12:00 and 13:00 every day. The machine's zone is UTC+8, so 12:00-13:00 local time is written as 04:00-05:00:
iptables -t filter -A INPUT -p tcp -m time --timestart 04:00 --timestop 05:00 -j DROP
Note: the time match compares against UTC by default, hence "local time minus 8 hours" on a UTC+8 machine. Newer iptables versions also accept --kerneltz, which compares against the kernel's local time zone and avoids the arithmetic.
4.5 forbidden ping(icmp)
--icmp-type {type[/code]|typename}   # echo-request (8) is a ping request, echo-reply (0) the answer
eg: others must not be able to ping this machine, but this machine can still ping others.
iptables -t filter -A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
(-m icmp is loaded implicitly by -p icmp, so it may be omitted.)
Why the type matters: a plain -p icmp -j DROP on INPUT would also discard the echo-reply packets coming back to this machine, so it could no longer ping anyone either. Dropping only echo-request keeps outbound pings working.
4.6 limit the number of concurrent connections (connlimit)
--connlimit-upto n    # match if the number of existing connections is at most n
--connlimit-above n   # match if the number of existing connections is greater than n
By default connections are counted per source address (--connlimit-mask 32); --connlimit-mask 24 counts a whole /24 together, which is what you want against a scanner that rotates addresses inside one network.
eg: each client address may hold at most 2 SSH connections; the third is dropped.
iptables -t filter -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
4.7 limit the packet rate (limit): per second, minute, hour or day
--limit rate[/second|/minute|/hour|/day]   # sustained rate, counted in packets (default 3/hour)
--limit-burst number                       # how many packets may pass at once before the rate applies (default 5)
The match is a token bucket: the bucket holds at most --limit-burst tokens, refills at the --limit rate, and every packet that matches spends one token. A packet that finds no token does not match the rule and falls through to the next one.
eg1: the first 10 ICMP packets pass immediately; after that only one per minute:
iptables -t filter -I INPUT -p icmp -m limit --limit 1/m --limit-burst 10 -j ACCEPT
iptables -t filter -A INPUT -p icmp -j DROP
(-I puts the limit rule at the top of the chain; the DROP is what actually discards the excess, without it the limit rule changes nothing. Keep the DROP restricted to -p icmp, otherwise it swallows all other traffic too.)
eg2: cap inbound TCP at roughly 500 KB/s:
iptables -t filter -A INPUT -p tcp -m limit --limit 300/s -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP
Note: limit counts packets, not bytes, so the cap is only approximate: 300 packets/s is about 450 KB/s with full-size 1500-byte packets and far less with small ones, and dropping TCP segments this way provokes retransmissions rather than a smooth slowdown. Real bandwidth shaping belongs to tc, not iptables.
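To see what "10 packets quickly, then 1 per minute" and "300/s is not exactly 300 packets" mean in numbers, here is an added example, not from the original post and not the kernel's own code: a small POSIX sh/awk model of the token bucket behind -m limit, run over constructed packet timestamps. Rate and burst are passed in exactly as --limit and --limit-burst would be; the timestamps are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a model of the token bucket that
# "-m limit --limit R --limit-burst B" implements, run over constructed timestamps.
# One token is added every $interval seconds up to $burst; a packet matches only
# if a whole token is available. Like the kernel module, it counts packets, not bytes.

# simulate_limit <seconds per token> <burst> "<packet timestamps in seconds, ascending>"
# Prints "<matched> <not matched>".
simulate_limit() {
    interval="$1"
    burst="$2"
    echo "$3" | tr ' ' '\n' | awk -v interval="$interval" -v burst="$burst" '
        BEGIN { tokens = burst; last = 0; matched = 0; unmatched = 0 }
        {
            now = $1
            tokens += (now - last) / interval   # refill proportional to elapsed time
            if (tokens > burst) tokens = burst  # the bucket never holds more than burst
            last = now
            if (tokens >= 1) { tokens -= 1; matched++ } else { unmatched++ }
        }
        END { printf "%d %d\n", matched, unmatched }'
}

# --limit 1/m --limit-burst 10: 15 packets in the first 15 seconds, then one at 70 s.
# The first 10 match, packets 11-15 fall through to the DROP rule, and by 70 s
# enough credit has accrued (56/60 of a token) for one more to match.
burst_demo() {
    simulate_limit 60 10 "0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 70"
}

# --limit 300/s with the default burst of 5: 1000 packets spread evenly over one
# second are not cut to exactly 300; roughly 305 match (5 initial tokens plus the
# refill), and nothing here knows how many bytes each packet carried.
rate_demo() {
    ts=$(awk 'BEGIN { for (i = 0; i < 1000; i++) printf "%s%.4f", (i ? " " : ""), i / 1000 }')
    simulate_limit "$(awk 'BEGIN { printf "%.6f", 1 / 300 }')" 5 "$ts"
}

# Stand-alone run: print both scenarios.
echo "burst demo (matched unmatched): $(burst_demo)"
echo "rate demo  (matched unmatched): $(rate_demo)"
```

The second scenario is why the page's note about imprecision holds: the module can only promise an average packet rate with a small burst on top, so "300/s" turns into a bandwidth figure only once you assume a packet size.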