Linux firewall iptables detailed introduction, configuration method and case

1.1 Introduction to iptables firewall

Netfilter/iptables (hereinafter iptables) is an excellent, open-source, secure and free **packet-filtering firewall tool** that comes with Unix/Linux. It is very powerful and flexible to use, and can exercise very fine control over the packets flowing into and out of the server. In particular, it runs very well even on very low hardware configurations.

iptables is integrated into the Linux 2.4 and 2.6 kernels. Its functionality and security are far stronger than those of **ipfwadm and ipchains**. iptables mainly works at layers 2, 3 and 4 of the OSI seven-layer model. If the kernel is recompiled, iptables can also support **layer-7 control** (squid proxy + iptables).

1.2 iptables terms and terminology

Container: the relationship between what contains and what is contained.

iptables is the container for tables: it holds 4 tables. A table is the container for chains: each table holds several chains. A chain is the container for rules: the actual filtering rules belong to a chain.

Level      Analogy
iptables   country
Table      province
Chain      city
Rule       county

1.3 iptables workflow

Iptables works by using a packet filtering mechanism, so it will analyze the header data of the requested data packet and match it based on our pre-set rules to see whether it can enter the host.

Summary of iptables workflow

  • The firewall filters layer by layer: rules are checked from top to bottom, in the order they were configured.
  • Once a rule matches, that is, it clearly says whether to block or pass, the packet is not checked against any further rule.
  • If a rule does not say whether to block or pass the packet, that is, no rule has matched yet, the packet continues downwards until the default policy decides whether it is blocked or passed.
  • The chain's default policy is applied only after all the rules of that chain have been checked without a match.

1.4 iptables tables and chains

Grouped by function, iptables has three main tables: filter, nat and mangle. Each table contains a different set of chains.

filter table: the real firewall function (packet filtering). Chains:
  INPUT     packets coming into the server
  OUTPUT    packets leaving the server
  FORWARD   packets passing through the server

nat table: packet rewriting, gateway sharing, IP and port mapping. Chains:
  OUTPUT
  PREROUTING
  POSTROUTING

mangle table: routing marks; not used much. All chains are available in it.

raw table: rarely used, just like mangle.

Details can be found with man iptables.

1.5 Table Introduction

Control of the filter table is an important means for us to implement the local firewall, especially the control of the INPUT chain.

1.6 iptables table and chain workflow diagram

Tip: iptables has two main functions: the first is the firewall (packet filtering), the second is NAT (routing and gateway functions).

NAT function:

Enterprise cases:
  1) LAN Internet sharing (routing and gateway): nat table, POSTROUTING chain
  2) Mapping an external IP and port to an internal IP and port (DMZ function): nat table, PREROUTING chain

Filter function:

That is, the filter table's INPUT and FORWARD chains.

Enterprise case: mainly used as the server host firewall.

2.1 Configure iptables

iptables is installed by default:

[root@web02 ~]# iptables -V
iptables v1.4.7
[root@web02 ~]# rpm -qa iptables
iptables-1.4.7-16.el6.x86_64
[root@web02 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

View iptables rules

[root@web02 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

"policy ACCEPT" means ACCEPT is the default policy of the INPUT chain: it applies to any packet that matches none of the rules. The lines under each chain header are the specific rules of that chain, in the order they are checked.

If no table is specified, the default is the filter table.

Kernel modules loaded by default for iptables:

[root@web02 ~]# lsmod |egrep "nat|filter|ipt"
ipt_REJECT 2351 2
iptable_filter 2793 1
ip_tables 17831 1 iptable_filter

Load the following modules into the Linux kernel:

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack        # connection tracking
modprobe ip_conntrack_ftp    # connection tracking for FTP
modprobe ip_nat_ftp
modprobe ipt_state

Check again to see the effect

[root@web02 ~]# lsmod |egrep "nat|filter|ipt"
nf_nat_ftp 3443 0
nf_conntrack_ftp 11953 1 nf_nat_ftp
iptable_nat 5923 0
nf_nat 22676 2 nf_nat_ftp,iptable_nat
ipt_REJECT 2351 2
nf_conntrack_ipv4 9154 5 iptable_nat,nf_nat
nf_conntrack 79206 6 nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
iptable_filter 2793 1
ip_tables 17831 2 iptable_nat,iptable_filter

Clear all rules and leave only the default rules

[root@web02 ~]# iptables -F
[root@web02 ~]# iptables -X
[root@web02 ~]# iptables -Z

iptables -F clears all rules

iptables -X deletes user-defined chains

iptables -Z zeroes the packet and byte counters of the chains

2.2 Blocking rules

View listening ports

[root@web02 ~]# netstat -lntup|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1329/sshd
tcp 0 0 :::22 :::* LISTEN 1329/sshd

The command is as follows:

iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

-A appends the rule to the end of the specified chain (it becomes the last rule)

-I inserts the rule at the beginning of the specified chain (it becomes the first rule)

-t specifies the table; if omitted, the default is filter

-p specifies the protocol (all, tcp, udp, icmp); the default is all

--dport specifies the destination port

-j the action to take on a match

ACCEPT: accept, DROP: discard silently, REJECT: reject with an error reply

It is better to use ACCEPT and DROP, because REJECT returns information to the sender.

To clear the rules, use iptables -F

You can also delete a single rule by its number: iptables -D INPUT 1

-D deletes a rule from the specified chain

--line-numbers shows the rule numbers

iptables -nL --line-numbers

Tip: you need to give both the chain and the rule number

Tips: recovering an SSH connection that a rule just cut off

1) Go to the machine room and restart the system, or log in on the console and delete the blocking rule

2) Ask the machine room staff to restart the server, or to log in with the user password

3) Use the server's remote management card (recommended)

4) Before testing rules, create a scheduled task that stops the firewall every 5 minutes, so that a mistake undoes itself

5) Test in a test environment first, write the rules into a script, and then execute it in batches

Enterprise cases

3.1: The difference between adding -A and -I

[root@web02 ~]# iptables -A INPUT -p tcp --dport 80 -j DROP
[root@web02 ~]# iptables -I INPUT -p tcp --dport 80 -j ACCEPT

According to the iptables matching order, the first rule is checked first and the remaining rules are checked downwards. The ACCEPT rule inserted with -I sits above the DROP rule, so the DROP rule for port 80 is never reached and has no effect.

If you want to insert in the middle, you can specify the insertion line number

[root@web02 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

You can also insert iptables commands by serial number

[root@web02 ~]# iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
[root@web02 ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
3 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
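The first-match behaviour described in 1.3 and demonstrated above with -A and -I can be checked offline before a rule is applied to a live server. The following bash script is an added example, not code from the original article: it takes rules in the same form as iptables-save output and a packet described as "protocol source-ip destination-port", walks the rules top to bottom exactly as the chain would, and prints the target of the first match, or the chain policy when nothing matched. Only the matchers this article uses (-p, -s with an optional !, --dport) are interpreted; the rules and packets in the demo calls are constructed.

```shell
#!/bin/bash
# Added example, not from the original article: simulate how a chain
# evaluates its rules so the effect of -A (append) versus -I (insert at
# the top) can be checked before touching a live system.
# Rules use the iptables-save form; only -p, -s (with optional !) and
# --dport are interpreted, everything else is skipped.

# ip2int DOTTED_QUAD -> 32-bit integer
ip2int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR -> success when IP lies inside CIDR (a bare IP means /32)
in_subnet() {
    local ip="$1" cidr="$2" net bits mask
    net="${cidr%%/*}"
    bits="${cidr#*/}"
    [ "$bits" = "$cidr" ] && bits=32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# rule_matches RULE PROTO SRC DPORT -> success when every match clause holds
rule_matches() {
    local rule="$1" proto="$2" src="$3" dport="$4" neg="" hit
    set -- $rule
    while [ $# -gt 0 ]; do
        case "$1" in
            '!') neg=1; shift; continue ;;
            -p) hit=""; { [ "$2" = "$proto" ] || [ "$2" = all ]; } && hit=1; shift 2 ;;
            -s) hit=""; in_subnet "$src" "$2" && hit=1; shift 2 ;;
            --dport) hit=""; [ "$2" = "$dport" ] && hit=1; shift 2 ;;
            *) shift; continue ;;
        esac
        # a clause passes when it hit, or when it was negated with ! and did not hit
        [ "$hit" != "$neg" ] || return 1
        neg=""
    done
    return 0
}

# first_match POLICY "PROTO SRC DPORT" RULE... -> prints the verdict
first_match() {
    local policy="$1" packet="$2"; shift 2
    local rule
    for rule in "$@"; do
        if rule_matches "$rule" $packet; then
            printf '%s\n' "${rule##* -j }"
            return 0
        fi
    done
    printf '%s\n' "$policy"      # nothing matched: the chain policy decides
}

# Demo (constructed rules): the same two rules, once with DROP appended
# first, once with ACCEPT inserted above it as -I would do.
first_match ACCEPT "tcp 10.0.0.1 80" \
    "-A INPUT -p tcp --dport 80 -j DROP" \
    "-A INPUT -p tcp --dport 80 -j ACCEPT"          # DROP: the first rule wins
first_match ACCEPT "tcp 10.0.0.1 80" \
    "-A INPUT -p tcp --dport 80 -j ACCEPT" \
    "-A INPUT -p tcp --dport 80 -j DROP"            # ACCEPT: the DROP below is never reached
```

Feed it the rule lines from a saved /etc/sysconfig/iptables and the packet you are about to allow or block, and the verdict it prints is the one the chain would give; a rule that never changes the verdict is unreachable and can be removed.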

Summary: ways to delete rules

1. iptables -D INPUT -p tcp --dport 8080 -j DROP (delete by repeating the exact rule)

2. iptables -F (delete all rules)

3. /etc/init.d/iptables restart (rules added on the command line are only temporary; a restart reloads the saved rules and discards them)

4. iptables -D INPUT <rule number>

3.2: Block access from the 10.0.0.0/24 network segment

Control based on the client's network segment

[root@web02 ~]# iptables -A INPUT -s 10.0.0.0/24 -j DROP

-s specifies the source address

You can also negate the match, so that the rule applies to every source except this segment:

[root@web02 ~]# iptables -A INPUT ! -s 10.0.0.0/24 -j DROP

Example: control traffic arriving on network card eth0 for port 22

iptables -A INPUT -p tcp --dport 22 -i eth0 ! -s 10.0.0.0/24 -j DROP
iptables -A INPUT -p tcp --dport 22 -i eth0 ! -s 192.168.1.1 -j DROP

Block port 3306

iptables -A INPUT -p tcp --dport 3306 -j DROP

Match the specified protocol

iptables -A INPUT -p tcp
iptables -A INPUT -p udp

Match all protocols except the specified one

iptables -A INPUT ! -p tcp

Match a single port

iptables -A INPUT -p tcp --sport 22    # source port
iptables -A INPUT -p udp --dport 22    # destination port

Match a port range:

iptables -A INPUT -p tcp --sport 22:80
iptables -A INPUT -p tcp --dport 21,22,23 -j DROP    ----> wrong syntax: a comma-separated list needs the multiport module
iptables -I INPUT -p tcp -m multiport --dport 22,23,24,25 -j DROP
iptables -I INPUT -p tcp -m multiport ! --dport 22,23,24,25 -j DROP
iptables -I INPUT -p tcp --dport 3306:8809 -j ACCEPT
iptables -I INPUT -p tcp --dport 18:80 -j DROP    <---- best approach for a contiguous range

Match ICMP type

iptables -A INPUT -p icmp --icmp-type 8

There are many ICMP types; type 8 is echo request, the packet sent by ping

Example:

iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

Because there are many ICMP types, --icmp-type any matches all of them in one rule, whether the action is ACCEPT or DROP

iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type any -j ACCEPT

Ping policy in enterprise scenarios: only allow echo requests from the intranet segment (other sources fall through to the default policy)

iptables -A INPUT -p icmp --icmp-type 8 -s 10.0.0.0/24 -j ACCEPT

Matching connection state

-m state --state

NEW: the packet starts a new connection

ESTABLISHED: the packet belongs to an already established connection

RELATED: the packet starts a new connection that is related to an existing one (for example the FTP data channel)

INVALID: the packet is illegal or cannot be identified

FTP is special: its data connection must be tracked as RELATED, which is what the ip_conntrack_ftp module loaded above is for

Allow the associated state packets to pass (web servers should not be running FTP services)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Limit the number of packets allowed to pass within a given time period, and the size of bursts

-m limit --limit n/{second|minute|hour}

"n" is the average rate of packets matched per time unit (second, minute or hour).

--limit-burst [n]

"n" is the number of packets allowed to pass in a burst before the rate limit takes effect. If not specified, the default value is 5.

iptables -I INPUT -s 10.0.1.0/24 -p icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 2 -j ACCEPT

Manually executing iptables commands to configure a production host firewall

Two modes of configuring a host firewall in production

1. Allow everything, then deny specific traffic (blacklist). Application scenario: an enterprise Internet gateway or router

2. Deny everything, then allow specific traffic (whitelist). Application scenario: a server host firewall

Configuring the Enterprise Host Firewall

[root@web02 ~]# iptables -F
[root@web02 ~]# iptables -X
[root@web02 ~]# iptables -Z

1. Set the port to allow SSH login

[root@web02 ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@web02 ~]# iptables -A INPUT -p tcp -s 10.0.0.1/24 -j ACCEPT

2. Set rules to allow local lo communication

[root@web02 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@web02 ~]# iptables -A OUTPUT -o lo -j ACCEPT

3. Set default rules

[root@web02 ~]# iptables -P INPUT DROP
[root@web02 ~]# iptables -P OUTPUT ACCEPT
[root@web02 ~]# iptables -P FORWARD DROP

Check the rules (at this point the server is in its most restrictive state)

[root@web02 ~]# iptables -nL --line-number
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 ACCEPT tcp -- 10.0.0.0/24 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

4. Enable the trusted IP segments

Allow access from the IDC LAN/WAN and office network IPs, as well as from external partner organizations

iptables -A INPUT -s 124.23.62.96/27 -p all -j ACCEPT    # fixed IP segment of the office
iptables -A INPUT -s 192.168.2.0/24 -p all -j ACCEPT     # intranet segment of the IDC machine room
iptables -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT        # intranet segment of other machine rooms
iptables -A INPUT -s 203.82.24.0/24 -p all -j ACCEPT     # extranet segment of the IDC machine room
iptables -A INPUT -s 203.82.23.0/24 -p all -j ACCEPT     # extranet segment of other IDC machine rooms

Now the server is only reachable from our own networks and not from the outside world.

5. Allow icmp type protocols to pass

iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

Tip: If you don’t want to open it, don’t execute this command.

iptables -A INPUT -p icmp -s 10.0.0.0/24 -m icmp --icmp-type any -j ACCEPT

6. Allow the associated status packets to pass (Web services do not use FTP services)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Tip: the configuration above is the baseline a properly configured server should have.

Saving the rules

By default iptables rules are not saved permanently and are lost after a reboot.

First method:

/etc/init.d/iptables save

Save to /etc/sysconfig/iptables

Display the following format

[root@web02 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Aug 15 01:33:44 2016
*nat
:PREROUTING ACCEPT [1413:153792]
:POSTROUTING ACCEPT [132:8834]
:OUTPUT ACCEPT [132:8834]
COMMIT
# Completed on Mon Aug 15 01:33:44 2016
# Generated by iptables-save v1.4.7 on Mon Aug 15 01:33:44 2016
*filter
:INPUT DROP [1798:662465]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [288:21100]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Aug 15 01:33:44 2016

Second method:

[root@web02 ~]# iptables-save >/etc/sysconfig/iptables

The first method is recommended
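The host policy built in steps 1 to 6, written out in the iptables-save format shown above so that it can be reviewed as a file and loaded in one go with iptables-restore (or with the init script's reload). This is an added example, not the article's own script: the trusted segments are the article's sample values, while the SSH_PORT and RULES_FILE variables and the lockout_risk check are assumptions introduced here. lockout_risk flags the mistake from the "recovering an SSH connection" tips, an INPUT policy of DROP with no rule accepting the SSH port, and write_ruleset refuses to produce such a file.

```shell
#!/bin/sh
# Added example, not from the original article: render the host-firewall
# policy as an iptables-restore file and sanity-check it before loading.
# Segments are the article's sample values; SSH_PORT and RULES_FILE are
# constructed for this example.

SSH_PORT=22
RULES_FILE="${TMPDIR:-/tmp}/iptables.rules"
TRUSTED_SEGMENTS="124.23.62.96/27 192.168.2.0/24 10.0.0.0/24"

# render_filter_table SSH_PORT SEGMENT... -> prints the *filter table
render_filter_table() {
    ssh_port="$1"; shift
    printf '%s\n' '*filter'
    # default policies: drop inbound and forwarded traffic, allow outbound
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # loopback
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # replies to established connections first: most packets stop here
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # remote administration
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    # trusted segments
    for seg in "$@"; do
        printf '%s\n' "-A INPUT -s $seg -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# lockout_risk FILE SSH_PORT -> success when the file would cut off SSH:
# INPUT policy DROP and no ACCEPT rule for the SSH port
lockout_risk() {
    grep -q '^:INPUT DROP' "$1" && ! grep -q -- "--dport $2 .*-j ACCEPT" "$1"
}

# write_ruleset FILE SSH_PORT SEGMENT... -> writes the file, refusing a
# ruleset that would lock out SSH
write_ruleset() {
    file="$1"; shift
    render_filter_table "$@" > "$file"
    if lockout_risk "$file" "$1"; then
        echo "refusing to write $file: INPUT policy DROP without an SSH accept rule" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# Demo: write the file; on a CentOS 6 host it is loaded with
#   iptables-restore < "$RULES_FILE"   (or copied to /etc/sysconfig/iptables)
write_ruleset "$RULES_FILE" "$SSH_PORT" $TRUSTED_SEGMENTS && cat "$RULES_FILE"
```

The ESTABLISHED,RELATED rule is placed before the per-service rules on purpose: it is the rule most packets of a running server hit, so the rest of the chain is only walked for new connections.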

Test: scan the configured firewall from another server

Use the nmap tool for the analysis; it needs to be installed first

[root@web02 ~]# yum -y install nmap

Usage is as follows; for more information, see nmap --help

[root@web02 ~]# nmap 10.0.0.8 -p 1-65535
Starting Nmap 5.51 ( http://nmap.org ) at 2016-08-15 04:28 CST
Nmap scan report for 10.0.0.8
Host is up (0.0000070s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 14.21 seconds

Production maintenance

(1) For rules that are settled:

Edit /etc/sysconfig/iptables

Add the desired rule, e.g.

-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
/etc/init.d/iptables reload

Or run the command and also write it into the configuration file, so that it takes effect now and survives a reboot.

(2) Try the command first; if it works, put it in the configuration file. No restart is needed.

Blocking malicious IPs

Block the IP in the first line of the chain. Example: 10.0.0.1 attacks our server or posts spam on the BBS

Manually block an IP:

iptables -I INPUT -s 10.0.0.1 -j DROP                      # coarse, wide range: external attackers
iptables -I INPUT -p tcp -s 10.0.0.1 --dport 80 -j DROP    # fine, narrow range: internal

Automatically block IP: Analyze web or application logs or network connection status to block junk IPs

script:

#!/bin/bash
#this is a server firewall created by oldboy 17:03 2006-7-26
# e_mail:31333741@qq.com
# qqinfo:49000448
# function: a server firewall
# version:1.1
################################################
# oldboytraining info.
# QQ 1986787350 70271111
# site: http://www.etiantian.org
# blog: http://oldboy.blog.51cto.com
# oldboytraining QQ group: 208160987 45039636
################################################
#define variable PATH
IPT=/sbin/iptables
#Remove any existing rules
$IPT -F
$IPT -X
$IPT -Z
#setting default firewall policy
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD DROP
$IPT -P INPUT DROP
#setting for loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
#setting access rules
#one,ip access rules,allow all the ips of
$IPT -A INPUT -s 10.0.10.0/24 -p all -j ACCEPT
$IPT -A INPUT -s 10.0.0.0/24 -p all -j ACCEPT
##The following rules are repeated and are kept as knowledge points: configuration of a single service
#second, port access rules
#nagios
$IPT -A INPUT -s 10.0.10.0/24 -p tcp --dport 5666 -j ACCEPT
$IPT -A INPUT -s 10.0.0.0/24 -p tcp --dport 5666 -j ACCEPT
#db
$IPT -A INPUT -s 10.0.0.0/24 -p tcp --dport 3306 -j ACCEPT
$IPT -A INPUT -s 10.0.0.0/24 -p tcp --dport 3307 -j ACCEPT
$IPT -A INPUT -s 10.0.10.0/24 -p tcp --dport 3306 -j ACCEPT
$IPT -A INPUT -s 10.0.10.0/24 -p tcp --dport 3307 -j ACCEPT
#ssh difference from other servers here.>>
$IPT -A INPUT -s 10.0.0.0/24 -p tcp --dport 52113 -j ACCEPT
$IPT -A INPUT -s 10.0.10.0/24 -p tcp --dport 52113 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#http
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#snmp
$IPT -A INPUT -s 10.0.0.0/24 -p UDP --dport 161 -j ACCEPT
$IPT -A INPUT -s 10.0.10.0/24 -p UDP --dport 161 -j ACCEPT
#rsync
$IPT -A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
$IPT -A INPUT -s 10.0.10.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
#icmp
#$IPT -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
#others RELATED
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Enterprise case: write a script to handle a DoS attack (production case)

Tip: based on the web log or the number of network connections, monitor every 3 minutes; when the number of concurrent connections or page views from a single IP within a short period reaches 100, call the firewall command to block that IP. The firewall command is: iptables -I INPUT -s 10.0.1.10 -j DROP

This script was written against a test file (a saved connection listing in netstat format, ddos.txt, stands in for the live connection list)

[root@db02 scripts]# cat test_6.sh
#!/bin/sh
# block and unblock IPs according to their number of established connections
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
IP_file="/server/scripts/ddos.txt"        # netstat-style connection listing to analyze
IP_filter_command="iptables -I INPUT -j DROP -s"
IP_recover_command="iptables -D INPUT -j DROP -s"
function IP_check(){
grep "EST" ${IP_file}|awk -F "[ |:]+" '{print $6}'|sort |uniq -c|sort -rn -k1 > /server/scripts/ip.txt
}
function IP_filter(){
exec < /server/scripts/ip.txt
while read line
do
IP_count=`echo $line|awk '{print $1}'`
IP=`echo $line|awk '{print $2}'`
IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l`
if [ ${IP_count} -gt 25 -a ${IP_fil} -eq 0 ];then
${IP_filter_command} ${IP}
echo "${IP}" >> /server/scripts/ip_filtered.txt
action "Filter ${IP}" /bin/true
fi
done
}
function IP_recover(){
exec < /server/scripts/ip.txt
while read line
do
IP_count=`echo $line|awk '{print $1}'`
IP=`echo $line|awk '{print $2}'`
IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l`
if [ ${IP_count} -le 25 -a ${IP_fil} -eq 1 ];then
${IP_recover_command} ${IP}
echo "${IP}" >> /server/scripts/ip_filtered.txt
action "Recover ${IP}" /bin/true
fi
done
}
function main(){
case "$1" in
filter)
IP_check
echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> /server/scripts/ip_filtered.txt
IP_filter
;;
recover)
IP_check
echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> /server/scripts/ip_filtered.txt
IP_recover
;;
*)
echo "USAGE:$0 {filter|recover}"
exit 1
esac
}
main $*
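The counting and threshold logic of the script above, as an added example that is not part of the original article, run over a constructed netstat -ant style listing so that it can be tested without a live server. It prints the iptables command for each offending address instead of executing it, and skips addresses already on a supplied blocked list, which is the job of the script's grep against iptables -L -n. THRESHOLD, the sample lines and the function names are constructed here.

```shell
#!/bin/bash
# Added example, not from the original article: count established
# connections per remote address from netstat-style lines and report the
# addresses over a threshold, as a dry run that prints the block command.

THRESHOLD=25    # constructed value; the article's script also uses 25

# Constructed sample of `netstat -ant` output: 10.0.1.10 holds 30 established
# connections, 10.0.0.9 holds 3; TIME_WAIT and LISTEN lines must be ignored.
SAMPLE_NETSTAT=$(
    i=0
    while [ "$i" -lt 30 ]; do
        echo "tcp        0      0 10.0.0.8:80        10.0.1.10:$((40000 + i))    ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp        0      0 10.0.0.8:80        10.0.0.9:51234     ESTABLISHED"
    echo "tcp        0      0 10.0.0.8:80        10.0.0.9:51235     ESTABLISHED"
    echo "tcp        0      0 10.0.0.8:22        10.0.0.9:51300     ESTABLISHED"
    echo "tcp        0      0 10.0.0.8:80        10.0.1.11:40100    TIME_WAIT"
    echo "tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN"
)

# count_established: netstat lines on stdin -> "count ip" per remote
# address, busiest first (field 6 is the remote IP once ':' also splits host:port)
count_established() {
    grep ESTABLISHED | awk -F '[ :]+' '{print $6}' | sort | uniq -c \
        | sort -rn -k1 | awk '{print $1, $2}'
}

# offenders THRESHOLD [BLOCKED_IP...]: "count ip" lines on stdin -> the
# addresses above the threshold that are not already blocked
offenders() {
    local threshold="$1"; shift
    local blocked=" $* " count ip
    while read -r count ip; do
        case "$blocked" in *" $ip "*) continue ;; esac
        if [ "$count" -gt "$threshold" ]; then
            echo "$ip"
        fi
    done
    return 0
}

# block_command IP -> the command the article's script would run
block_command() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Demo: dry run over the sample; nothing is executed
echo "$SAMPLE_NETSTAT" | count_established | offenders "$THRESHOLD" \
    | while read -r ip; do block_command "$ip"; done
```

To run it against a live host, replace the sample with `netstat -ant` and pass the addresses already present in `iptables -L -n` as the blocked list; keeping the block step as printed output until the counts have been watched for a while avoids blocking a busy but legitimate proxy address.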

Explanation of the iptables script in a production environment

Tips: for servers with external IP addresses that do not provide services to the outside, it is best to restrict by source address. Services provided to the outside, for example port 80, cannot be restricted by source address.

Question: should an enterprise hardware firewall and the iptables firewall be used at the same time?

Answer: yes, they can be used at the same time. The hardware firewall is usually placed at the gateway, which is like the security guard of a building; each room in the building still needs its own door locked, and that lock is iptables.

Question: the IDC machine room has deployed a hardware firewall. Can our server run without its own firewall?

Answer: absolutely not. If the building has security guards, does that mean your office door should be left unlocked?

NAT table settings

Internet sharing settings

Linux gateway B:

Two command methods for LAN sharing:

Method 1: suitable when the external address is fixed:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.7

(1) -s 192.168.1.0/24: the office or IDC intranet segment.

(2) -o eth0: the external network interface of the gateway.

(3) -j SNAT --to-source 10.0.0.7: the IP address of the gateway's external interface.

Method 2: suitable when the external address changes (ADSL):

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE    # masquerade

The configuration is as follows

Step 1: gateway (the server with the external address) configuration

[root@lb01 ~]# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j SNAT --to-source 10.0.0.5

[root@lb01 ~]# iptables -t nat -L -n

Enable kernel forwarding: add the following line to /etc/sysctl.conf

net.ipv4.ip_forward = 1

then run

sysctl -p    # take effect

Step 2: configuration of the internal server that needs Internet access

Add the route

route add default gw 172.16.1.5    # the gateway's address on the intranet side

Edit /etc/resolv.conf and add

nameserver 223.5.5.5

Check with route -n

Case 2: Redirecting requests to 10.0.0.5:80 to 172.16.1.8:80

[root@web02 ~]# iptables -t nat -A PREROUTING -d 10.0.0.5 -p tcp --dport 80 -j DNAT --to-destination 172.16.1.8:80
[root@web02 ~]# iptables -P FORWARD DROP

Common enterprise cases of iptables:

1. Linux host firewall (table: FILTER control chain: INPUT)

2. LAN machines share Internet access (Table: NAT control chain: POSTROUTING)

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.0.0.7

3. External address and port mapped to an internal address and port (table: nat, control chain: PREROUTING)

iptables -t nat -A PREROUTING -d 10.0.0.7 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.8:9000

Enterprise case: implement a one-to-one mapping of the external IP 124.42.34.112 to the internal server 10.0.0.8

Gateway IPs: eth0: 124.42.60.109, eth1: 10.0.0.254

First, bind the VIP 124.42.34.112 on the routing gateway; it can be an alias or a secondary IP.

-A POSTROUTING -s 10.0.0.0/255.255.240.0 -d 124.42.34.112 -j SNAT --to-source 10.0.0.254
-A PREROUTING -d 124.42.34.112 -j DNAT --to-destination 10.0.0.8
-A POSTROUTING -s 10.0.0.8 -o eth0 -j SNAT --to-source 124.42.34.112

iptables production application scenarios

1) LAN shared Internet access (suitable for enterprise internal LAN Internet gateway and IDC room intranet Internet gateway [nat POSTROUTING])

2) Server firewall function (suitable for servers with external IP in IDC computer room) (mainly filter INPUT control)

3) Map the external IP and port to the LAN (one-to-one IP mapping or mapping to a specific port is possible). It is also possible that the IDC maps the website's external VIP and website port to the load balancer (hardware firewall). (nat PREROUTING)

4) Office router + gateway function (zebra routing + iptables filtering and NAT + squid transparent forward proxy on port 80 + ntop/iftop/iptraf traffic viewing + tc/cbq traffic control and rate limiting)

5) Mail Gateway

Application of iptables firewall

1) Host firewall

2) Gateway application (IP mapping, port mapping)

3) Filter information, monitor and limit traffic and employee Internet behavior (squid (forward proxy cache plus filtering) + ntop (graphical traffic monitoring) + usual (traffic restriction) + iptraf/iftop (traffic viewing))

If the IPTABLES server upgrades its kernel, it can implement filtering functions similar to Squid.

4) Install anti-virus software on the gateway that listens on port 9999, and redirect mail traffic to it (gateway anti-virus)

iptables -t nat -A PREROUTING -i eth0 -d 211.167.253.109 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.6:9025

5) Combine Zebra to configure enterprise-level routers

Map multiple external IP addresses for Internet access

iptables -t nat -A POSTROUTING -s 10.0.0.1/255.255.255.0 -o eth0 -j SNAT --to-source 124.42.60.11-124.42.60.16

iptables -t nat -A POSTROUTING -s 172.16.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 124.42.60.103-124.42.60.106

#iptables -t nat -A POSTROUTING -s 192.168.1.0/22 -o eth0 -j SNAT --to-source 10.0.0.241-10.0.0.249

Problems a single external address runs into:

1. With 2,000 users behind one address, connections were being blocked

2. One address has only 65535 ports, a limited resource

Enterprise case: the error message "ip_conntrack: table full, dropping packet."

The following is the configuration of a server in my production environment:

net.ipv4.tcp_fin_timeout = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
#5. dmesg shows the error message "ip_conntrack: table full, dropping packet." How to solve it?
#The following parameters are optimizations for the iptables firewall. If the firewall does not produce this message, you can ignore them.

C58 (CentOS 5.x, ip_conntrack key names):

net.ipv4.ip_conntrack_max = 25000000
net.ipv4.netfilter.ip_conntrack_max=25000000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120
################################################################

C64 (CentOS 6.x, nf_conntrack key names):

net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

After adjusting the kernel parameters /etc/sysctl.conf, you need to execute /sbin/sysctl -p to make the changes take effect.

Emphasis: If the concurrency is large or the daily PV is high, be careful when opening the firewall, as it may cause slow website access.

For large concurrency (10,000 concurrent users, 30 million PV per day), either purchase a hardware firewall or do not use the iptables firewall.

Introduction to iptables parameters

-n show addresses and ports numerically

-L list the rules

-F clears all rules; the default policy is not changed

-X deletes user-defined chains

-Z zeroes the chain counters

-A appends the rule to the end of the specified chain (the last rule)

-I inserts the rule at the beginning of the specified chain (the first rule)

-t specifies the table; it can be left unspecified, the default is filter

-p specifies the protocol (all, tcp, udp, icmp); the default is all

-P sets the default policy of a chain

-s specifies the source address

-d specifies the destination address

--dport specifies the destination port

-j the action on a match: ACCEPT accept, DROP discard, REJECT reject

-i (input) matches the incoming network interface

-o (output) matches the outgoing network interface

-m state --state matches the connection state
