O'REILLYiptables笔记
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
创新互联专注于长阳网站建设服务及定制,我们拥有丰富的企业做网站经验。 热诚为您提供长阳营销型网站建设,长阳网站制作、长阳网页设计、长阳网站官网定制、小程序设计服务,打造长阳网络公司原创品牌,更为您提供长阳网站排名全网营销落地服务。
解析:
-t nat operate the table
-A PERROUTING by appending the following rule to its PREROUTING chain
-i eth0 match pactets coming in on the eth2 network interface
-p tcp use tcp protocol
--dport 80 intended for local port 80
-j DNAT jump to the DNAT target
--to-destination change the destination address to 192.168.1.3
192.168.1.3:8080 destination port 80
iptables defines five hook points
PREROUTING
INPUT
FORWARD
POSTROUTING
OUTPUT
tables comes with three built-in tables
filter used to set polices for type of traffic allowed into through and out of the computer.unless you refer to a different table explicitly,iptables operate on chains within this table by default.its built-in chains are FORWARD INPUT OUTPUT
mangles used for specialized packet alteration,built-in chains are FORWARD INPUT OUTPUT POSTROUTING PEROUTING
nat used with connection tracking to rediect connection for network address translation;typically based on source or destination address tis built-in chain are OUTPUT,POSTROUTING PREROUTING
chains default,each table has chains ,which are initally empty,for some or all of the hook points. you can create your own custom chains to organize your rules. all user-defined chains have an implict policy of RETURN that cannot be changed.
rules
Matches
targets built-in four targets
ACCEPT let the packet through to the next stage of processing stop traversing the current chain,start
DROP
QUEQU send the packet ro userspace.see the libipq manpage for more information
From a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain’s policy to it. See the previous section “Chains” for more information about chain policies.
aplications
packet filtering
Accunting using byte packet counters assoiated with packet mataching criteria to moitor netwok traffic volumes.
Connection tracking
packet mangling
network address translation (NAT)
masquerading
port forwarding
loading balancing Load balancing involves distributing connections across a group of servers so that higher total throughput can be achieved.One way to implement so that the destination address is selected in a round-robin fashion from a list of possible destinations
configuring iptables under refer to generic and Red Hat-specific information
persistent rules
chkconfig --list iptables
chkconfig --level 345 iptables on
service iptables start
other configure files /proc
/etc/sysct1.conf contains settings for configurations in the /proc/sys directory that are applied at boot time.
/proc/sys/net/ipv4/ip_conntrack_max controls the size of the connection tracking table in the kernel.default value is calculated based on the amount of RAM in your computer.you may need to increase it if you are getting "ip_conntrack:table full,dropping packet" errors in your log files
connection tracking
ESTABLISHED the connection has already seen packets going in both direction.
INVALID the packet doesn't belong to any tracked connections.
NEW the packet is starting a new connection or is part of a connection that hasn't yet seen packets in both directions.
RELATED the packet is starting a new connection,but the new connection is related to an existing connection (such as the data connection for an ftp transfer
@ the connection tracking logic maintains threee bits of status information
ASSURED for tcp connections indicates the tcp connection setup has been completed for UDP connections,indicates its looks like a udp stream to the kernel.
EXPECTED indicates the connection was expected
SEEN_REPLY indicates that packets have gone in both directions.
ipables connection tracking logic allows plug-in modules
accounting
NAT
NAT helper modules
ip_nat_amanda Amanda backup protocol (requires CONFIG_IP_NFNAT_AMANDA kernel config)
ip_nat_ftp file transfer protocol(requires CONFIG_IP_NF_NAT_FTP kernel config)
ip_nat_snmp_basic simple network management protocol (requires CONFIG_IP_NF_NAT_SNMP_BASIC kernel conifig)
ip_nat_tftp t rivial file transfer protocol (
source NAT and Masquerading source nat is used to share a single internet connection among computers on a network.the computer attached to the internet acts as a gateway and uses
iptables -t nat -A POSTROUTING to eth2 -j SNAT
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
DNAT destination NAT
iptables -t nat -A PREROUTING -i eth2 -p -tcp --dport 80 -j DNAT --to--destination 192.168.1.3:8000
transparent proxying
if you hava an http proxy configured to run as a transparenet proxy on you firewall computer and listen on port 8888. you can add a rule to redirect outbound http traffic to the http proxy
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j redirect --to-port 8888
Load distribution and balancing
stateless and stateful firewalls
tools of the trade
ethereal network protocol analyzer
Nessus Remote security scanner
nmap network mapper
ntop network traffic probe
tcpdump packet capture and dumping
traceroute print the route packets take to a specific host
iptable command reference
-c packet or bytes
--exact synonym(同义)for -x
-j target determines what to do with packets matching this rule.the target can be the name of a user-defined chain,one of the built-in targets,
-M used to load an iptables module with appending inserting or replacing rules
-n displays numeric addresses and ports instead of looking up and displaying domain names for the IP address and displaying service names for the port numbers this can be especially useful if your DNS server is slow or down.
-t table perfroms the specified subcommand on table if this option is not used.the subcommand operates on filter tables by default.
-x display exact numbers for packet and byte counters,rather than the default abbreviatd format with metric suffixes(K M G)
the iptables subcommands
-A chain rule appends rule to chain
--append synonym for -A
-D chain deletes the rule at position index or matching
-E rename chain to new chain
-F flushes (deletes) all rules from chain
--replace synonym for -R
iptables Matches and targets
internet protocol matches (encyclopedic广博的 format)
ah match this match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_AH_ESP enabled
connmark match based on the packets connection mark
--mark match if the packets connection mark is equal to value after applying mask.
CONNMARK target (注意区分大小写)
--set-mark value set the packets connection mark to the integer value
--save-mark save the packets mark into the connection
--retore-mark restore the packets mark from the connection.
DNAT target the DNAT target extension is avaiable only on the PREROUTING AND OUTPUT chain of the nat table.
DRIP target
dscp match use this match to identify packets with particular diffntiated services codepoint(DSCP) values in their IPV4 headers this match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_DSCP enabled.
ecn match CONFIG_IP_NF_MATCH_ECN enabled
esp match match IPsec protocol encapsulation headers,CONFIG_IP_NF_MATCH_AH_ESP enabled
FTOS --set-ftos value Set the IP type of service field to the decimal or hex value (this target does not accept Type of Service names). See Table34 for a list of types of service
helper match CONFIG_IP_NF_MATCH_HELPER
icmp match --icmp-type --icmp-type
iplimit match
ipv4option match
length match CONFIG_IP_NF_MATCH_LENGTH enable
limit match CONFIG_IP_NF_MATCH_LIMIT enabled
iptables -A INPUT -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT
log target CONFIG_IP_NF_TARGET enabled
--log-ip-options
--log-level level
--log-prefix prefix
--log-tcp-options
--log-tcp-sequence log level refer to page 49
mac match CONFIG_IP_NF_MATCH_MAC enabled
--mac-source
mark match CONFIG_IP_NF_MATCH_MARK enabled
MASQUERADE target --to-ports CONFIG_IP_NF_TARGET_MASQUERADE
multiport match CONFIG_IP_NF_MATCH_MULTIPORT enabled
netlink target CONFIG_IP_NF_QUEQU
iptable -A INPUT -p icmp --icmp-type ping -j NETLINK --nldrop
NETMAP target CONFIG_IP_NF_TARGET An IPv4 address consists of 32 bits, divided into a network number and a host number based on the network mask. This target strips off the network number and replaces it with a different network number
iptables -t nat -A RREROUTING -d 192.168.1.10/24 -j NETMAP --to 172.16.5.0/24
nth match
owner match CONFIG_IP_NF_MATCH_OWNER enabled
pkttype match
pool match
--srcpool poll match if the source ip address is in pool
--dstpool pool match if the destination ip address is in pool
pool target
psd match the match extension attempts to detect port scans by monitoring connection attempts across port numbers it calulates and maintains a port scan value statictic
QUEUE target match until a quota is reached. --quota amount
random match match all traffic from ip addresses that have seen recent activity of a particulrar kind,
record-rpc match
REDIRECT target CONFIG_IP_NF_TARGET enabled --to-ports
REJECT target CONFIG_IP_NF_TARGET_REJECT enabled
RETURN target
ROUTE target
ROUTE target
SAME target
SNAT target
state match CONFIG_IP_NF_STATE
sting match iptables -A INPUT -m string .pif -j QUEQU
tcp match
tcpmss match CONFIG_IP_NF_MATCH_TCPMSS enable
TCPMSS target CONFIG_IP_NF_TARGET_TCPMSS
time match
tos match CONFIG_IP_NF_MATCH_TOS
TOS target CONFIG_IP_NF_TARGET_TOS
ttl match CONFIG_IP_NF_MATCH_TTL
udp match
ULOG target CONFIG_IP_NF_TARGET_ULOG and CONFIG_IP_NF_QUEUE enabled
unclean match CONFIG_IP_NF_MATCH_UNCLEAN matches unusual or malformed ip icmp udp or tcp headers,Documentation of this match is minimal,but you could use it for logging unusual packets here are a few of the checks it perfoms
ip packet length not less than ip header length
various ip fragmentation checks
noozero ip protocol number
unused ip bits set to zero
icmp date at least two 32 bit words long
icmp code appropriate for icmp type
icmp packet length approgriate for icmp type
udp data at least as big as the minimun-size udp header.
nozero udp destination port
udp fragmentation integrity checks
tcp date at least as big as the minimum-size tcp header
tcp data offset and overall packet data length in accord
nonzero tcp ports
reserved tcp bits set to zero
tcp flags match one of the patterns
various integrity checks on any tcp option
utility command reference
iptables-restore
iptables-save
当前名称:O'REILLYiptables笔记
文章位置:http://myzitong.com/article/jeejoc.html