iptables is an important part of the Linux firewall system. Its job is to control the network packets that enter, leave, or are forwarded through a device, and to decide how they are routed. This article describes the Linux iptables command in detail from several angles.

Overview of iptables

iptables is a packet-filtering firewall system integrated into the Linux kernel. It lets you add and delete specific filtering rules. By default, iptables maintains four tables and five chains, and every firewall policy rule is written into one of them.

The four tables correspond to the functions iptables performs. The default rule tables are filter, nat, mangle, and raw.

  1. filter table: decides whether packets are allowed in, out, or through the host. It provides the INPUT, FORWARD, and OUTPUT chains.
  2. nat table: rewrites addresses in packets (address translation). It provides the PREROUTING, INPUT, OUTPUT, and POSTROUTING chains.
  3. mangle table: modifies header fields of the packet itself. It provides the PREROUTING, INPUT, OUTPUT, FORWARD, and POSTROUTING chains.
  4. raw table: controls connection-tracking state handling for packets before the nat table processes them. It provides the PREROUTING and OUTPUT chains.

The "five chains" are the five built-in chains defined by Netfilter, the framework in the kernel that controls network traffic. Each rule table contains several of these chains: INPUT (filters packets addressed to this host), OUTPUT (filters packets originating from this host), FORWARD (filters packets routed through this host), PREROUTING (processes packets before the routing decision), and POSTROUTING (processes packets after the routing decision). Firewall rules must be written into these specific chains.

The Filtering framework for the Linux firewall is shown in Figure 1.

As the figure shows, when an external host sends a packet to the firewall machine itself, the packet passes through the PREROUTING chain and then the INPUT chain. When the firewall sends a packet to an external host, the packet passes through the OUTPUT chain and then the POSTROUTING chain. When the firewall forwards a packet as a router, the packet passes through the PREROUTING, FORWARD, and POSTROUTING chains.

iptables syntax format

The basic syntax of the iptables command is as follows:

[root@liangxu ~]# iptables [-t table] COMMAND [chain] CRITERIA -j ACTION

The meanings of each parameter are as follows:

  • -t: the table to operate on: filter, nat, mangle, or raw. If -t is omitted, the filter table is used.
  • COMMAND: the management operation to perform on the rules (add, delete, list, and so on).
  • chain: the chain the rule belongs to.
  • CRITERIA: the match conditions a packet must satisfy.
  • ACTION: the target that is triggered when a packet matches.

Table 2 lists the common options of the iptables command and their functions.

Option  Function
-A      Append a firewall rule to a chain
-D      Delete a firewall rule
-I      Insert a firewall rule
-F      Flush (clear) the firewall rules
-L      List the firewall rules
-R      Replace a firewall rule
-Z      Zero the firewall packet and byte counters
-P      Set the default policy of a chain

Table 3 lists the common matching parameters of the iptables command and their functions.

Match parameter   Function
[!] -p            Match the protocol (! negates the match)
[!] -s            Match the source address
[!] -d            Match the destination address
[!] -i            Match the inbound network interface
[!] -o            Match the outbound network interface
[!] --sport       Match the source port
[!] --dport       Match the destination port
[!] --src-range   Match a source address range
[!] --dst-range   Match a destination address range
[!] --limit       Match packets only up to a given rate
[!] --mac-source  Match the source MAC address
[!] --sports      Match a list of source ports
[!] --dports      Match a list of destination ports
[!] --state       Match the connection state (INVALID, ESTABLISHED, NEW, RELATED)
[!] --string      Match a string in the application-layer payload

--sport and --dport require a protocol (-p tcp or -p udp). The remaining long options belong to match extensions that must be loaded with -m before they can be used, for example -m state --state NEW, -m multiport --dports 22,80, -m iprange --src-range, -m limit --limit, -m mac --mac-source, and -m string --string.

Table 4 shows the triggering actions and functions of the iptables command.

Target      Function
ACCEPT      Allow the packet to pass
DROP        Discard the packet silently
REJECT      Refuse the packet and send an error back to the sender
LOG         Record the packet in syslog
DNAT        Destination address translation
SNAT        Source address translation
MASQUERADE  Source address masquerading (SNAT to the current address of the outgoing interface)
REDIRECT    Redirect the packet to a port on the local machine

The kernel checks iptables rules in order. As soon as a packet matches a rule, the kernel stops searching the rest of the chain and applies that rule's target. If no rule matches, the chain's default policy applies. A rule added with -A is appended to the end of the chain; a rule added with -I is inserted as the first rule unless a position is given.

Note: on CentOS, iptables is installed by default. If the iptables tool is not available, install it first.
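The first-match behaviour just described decides the order in which rules have to be added. The script below is an added example, not code from the original article: it rebuilds the INPUT policy shown later in this article with -A, in the order that makes it work. The accept for RELATED,ESTABLISHED goes first so an existing administrator ssh session survives the rebuild, and any per-host DROP rules are appended before the ssh accept so that they win. The IPT variable and the function name apply_input_policy are the example's own; setting IPT="echo iptables" prints the commands instead of changing the live firewall.

```sh
#!/bin/sh
# Added example: rebuild the INPUT chain with rules appended in first-match order.
# IPT is the command run for each rule; IPT="echo iptables" previews (dry run).
IPT="${IPT:-iptables}"

# apply_input_policy SSH_PORT [BLOCKED_SOURCE ...]
# Rules are appended with -A, so the order below is the order in which they are matched.
apply_input_policy() {
    ssh_port="$1"
    shift

    $IPT -F INPUT                                   # start from an empty INPUT chain
    # 1. Replies to connections already accepted come first, so that an
    #    administrator's current ssh session keeps working while rules change.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. Loopback and ICMP.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    # 3. Per-host blocks go BEFORE the ssh accept: first match wins, so a DROP
    #    appended after the ACCEPT would never see a new ssh connection.
    for src in "$@"; do
        $IPT -A INPUT -s "$src" -j DROP
    done
    # 4. New ssh connections from everyone else.
    $IPT -A INPUT -p tcp -m state --state NEW --dport "$ssh_port" -j ACCEPT
    # 5. Everything else is refused with an ICMP error.
    $IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
}

# Usage (as root): sh build_input.sh 22 192.168.1.5
# Preview only:    IPT="echo iptables" sh build_input.sh 22 192.168.1.5
if [ "$#" -gt 0 ]; then
    apply_input_policy "$@"
fi
```

With IPT="echo iptables" the script prints one iptables command per line in the order they would run, which is a convenient way to review a rule order before applying it on a remote machine.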

View and clear rules

You can use the iptables command to view, add, modify, and delete specific rules.

1) Check the rules

To view rules, run the following command:

[root@liangxu ~]# iptables -nvL

The meanings of each parameter are as follows:

  • -L lists all rules in the current table. By default the filter table is shown; to view the nat table, add -t nat.
  • -n prints addresses and ports numerically instead of resolving them, which speeds up the display.
  • -v shows detailed information, including the number of packets and bytes that have matched each rule and the network interfaces involved.

To check the rules, run the su command to switch to the root user, then enter the following command in the terminal:

[root@liangxu ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

2) Add rules

Rules are added with one of two options, -A and -I. -A appends the rule to the end of the chain. -I inserts the rule at a specified position; if no position is given, it is inserted at the head of the chain.

View the current rules. Run the su command to switch to the root user, then run the following command in the terminal:

[root@liangxu ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
......

Append a rule to the end of the chain. Run the su command to switch to the root user, then run the following command in the terminal. (Because this chain already ends with a REJECT rule that matches every packet, a rule appended after it is never reached; the steps below show the mechanics of -A, and -I is the option to use when the rule must actually take effect.)

[root@liangxu ~]# iptables -A INPUT -s 192.168.1.5 -j DROP
[root@liangxu ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6    DROP       all  --  192.168.1.5          0.0.0.0/0

3) Modify the rules

Use the -R option to modify a rule. Change the DROP target of the rule added at line 6 to ACCEPT. Run the su command to switch to the root user, then run the following command in the terminal:

[root@liangxu ~]# iptables -R INPUT 6 -s 194.168.1.5 -j ACCEPT
[root@liangxu ~]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
6    ACCEPT     all  --  194.168.1.5          0.0.0.0/0

The comparison shows that the target of the rule in line 6 has been changed to ACCEPT.

4) Delete rules

There are two ways to delete a rule, and both use the -D option: by its full specification, or by its line number. To delete the rule at line 6, run the su command to switch to the root user, then run either of the following commands in the terminal:

[root@liangxu ~]# iptables -D INPUT -s 194.168.1.5 -j ACCEPT

or

[root@liangxu ~]# iptables -D INPUT 6

Note that the rule to be deleted is sometimes long, and typing its full specification is error-prone. In that case, use --line-number to find the rule's number and delete it by number.
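Deleting by number has one trap: as soon as a rule is removed, every rule below it moves up one position, so a list of numbers collected before the first deletion is wrong by the second one. The helper below is an added example, not code from the article. It parses the output of iptables -nL INPUT --line-numbers, picks the numbers of all rules whose source is a given address, and prints them highest first, so that deleting in that order never shifts a number that is still to be used. The listing it is tested on is constructed, and the function names and the IPT variable are the example's own. It expects the non-verbose listing: -v adds pkts, bytes, in and out columns that move the source field.

```sh
#!/bin/sh
# Added example: delete several INPUT rules by number without the renumbering trap.
IPT="${IPT:-iptables}"

# rule_numbers_for_source SRC   (listing on stdin, from: iptables -nL INPUT --line-numbers)
# Prints the numbers of the rules whose source column equals SRC, highest first.
# Column layout of the non-verbose listing: num target prot opt source destination ...
rule_numbers_for_source() {
    awk -v src="$1" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

# delete_rules_from_source SRC
# Deletes every INPUT rule whose source is SRC. Because the numbers are used in
# descending order, each deletion only renumbers rules that are already gone.
delete_rules_from_source() {
    for n in $($IPT -nL INPUT --line-numbers | rule_numbers_for_source "$1"); do
        $IPT -D INPUT "$n"
    done
}

# Constructed listing used to demonstrate the parser (not output from a real host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  192.168.1.5          0.0.0.0/0
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    DROP       all  --  192.168.1.5          0.0.0.0/0
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Usage (as root): sh delete_by_source.sh 192.168.1.5
# With no argument, print the deletion order for the sample: 5 first, then 2, so that
# rule 2 is still rule 2 when its turn comes.
if [ "$#" -gt 0 ]; then
    delete_rules_from_source "$1"
else
    printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_for_source 192.168.1.5
fi
```

The other way to avoid the trap is to delete by specification instead of by number: repeating iptables -D INPUT -s 192.168.1.5 -j DROP removes one matching rule per call, and the command fails once none is left.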

Firewall backup and restoration

Rules added with iptables take effect immediately, but unless they are saved, they are all lost when the machine restarts. It is therefore necessary to save the rules promptly.

The iptables package provides two very useful tools for handling large numbers of firewall rules: iptables-save and iptables-restore, which save and restore rule sets. Their biggest advantage is that they process large rule sets very quickly.

On CentOS 7, firewall rules are saved in the /etc/sysconfig/iptables file by default. Writing the rules to that file with iptables-save saves the firewall rules, and they are loaded automatically after the machine restarts. Writing the output of iptables-save to another location produces a backup of the firewall rules. When the rules need to be restored, iptables-restore imports the backup file into the current firewall rules.

1. The iptables-save command

The iptables-save command exports the Linux firewall rules in one batch. Its use is as follows:

Save to the default file (save the firewall rules):
[root@liangxu ~]# iptables-save > /etc/sysconfig/iptables

Save to another location (back up the firewall rules):
[root@liangxu ~]# iptables-save > file name

  (1) Run iptables-save with no arguments: all active rules are displayed, table by table, in the order raw, mangle, nat, filter, as follows:

[root@liangxu ~]# iptables-save
# Generated by iptables-save v1.4.7 on Thu Aug 27 07:06:36 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [602:39026]
.......
COMMIT
# Completed on Thu Aug 27 07:06:36 2020

In this output:

  • lines beginning with # are comments;
  • *filter names the table;
  • lines of the form :CHAIN POLICY [packets:bytes] give a chain, its default policy, and its counters. In the rule lines that follow, the command name iptables itself is omitted;
  • COMMIT at the end commits the preceding rules for that table.
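Because the iptables-save format is plain text with this fixed structure, a saved rule set can be reviewed mechanically before it is restored. The script below is an added example, not part of the article: it reads a dump in iptables-save format, tracks which *table it is in, and warns when the filter table's INPUT or FORWARD chain has an ACCEPT default policy or when a filter rule accepts every packet without any match criteria. The sample dump embedded in it is constructed, and the function name audit_ruleset is the example's own.

```sh
#!/bin/sh
# Added example: audit an iptables-save dump for permissive settings before restoring it.

# audit_ruleset   (iptables-save output on stdin; one WARN line per finding on stdout)
audit_ruleset() {
    awk '
        # "*filter", "*nat", ...: remember which table the following lines belong to.
        /^\*/ { table = substr($0, 2); next }

        # ":INPUT ACCEPT [0:0]": chain name, default policy, [packets:bytes] counters.
        /^:/ && table == "filter" {
            chain = substr($1, 2)
            if ((chain == "INPUT" || chain == "FORWARD") && $2 == "ACCEPT")
                printf "WARN %s policy is ACCEPT: unmatched packets are allowed\n", chain
            next
        }

        # "-A CHAIN -j ACCEPT" with nothing between chain and target matches every packet.
        /^-A / && table == "filter" && NF == 4 && $3 == "-j" && $4 == "ACCEPT" {
            printf "WARN rule in %s accepts everything: %s\n", $2, $0
        }
    '
}

# Constructed dump in iptables-save format (tables appear in raw, mangle, nat, filter order).
# The nat chains have ACCEPT policies too, but the audit only looks at the filter table.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [602:39026]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Usage: sh audit_ruleset.sh /etc/sysconfig/iptables   (or any file written by iptables-save)
# With no argument, audit the constructed sample instead.
if [ "$#" -gt 0 ]; then
    audit_ruleset < "$1"
else
    printf '%s\n' "$SAMPLE_SAVE" | audit_ruleset
fi
```

On the sample the audit reports three findings: the ACCEPT policies of INPUT and FORWARD, and the bare -A INPUT -j ACCEPT rule, which makes every rule after it, including the final REJECT, unreachable.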
  (2) Back up to another file, for example a file named test, as shown below:

[root@liangxu ~]# iptables-save > test
[root@liangxu ~]# ls
test
[root@bogon ~]# cat test
# Generated by iptables-save v1.4.7 on Thu Aug 27 07:09:47 2020
*filter
......

  (3) To list only the rules of the nat table, run the following command:

[root@liangxu ~]# iptables-save -t nat

-t TABLE: dump only the named table.

2. The iptables-restore command

The iptables-restore command imports Linux firewall rules in one batch; the backup file is supplied through input redirection. The command is as follows:

[root@liangxu ~]# iptables-restore < file name

Note that the imported file must have been exported with the iptables-save tool, that is, it must be in iptables-save format.

Run iptables-restore to restore the test file, then run iptables -t nat -nvL to check that the cleared rules have been restored:

[root@liangxu ~]# iptables-restore < test
[root@liangxu ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination