This article is automatically synchronized by Tencent Cloud + Community, the original address is https://stackoverflow.club/article/iptables_in_ubuntu/

Introduction to iptables#

Netfilter/iptables is integrated with the kernel, and there is no such thing as start/stop or disable. You can use the iptables command to create filter rules. (Now the newer kernel is integrated by default, no need to install separately)

And ufw is a tool for simplifying iptables configuration on ubuntu. It defines a series of rules and adds them to iptables. So when ufw is enabled, you can see a series of ufw type words in iptables rules. These specific rules defined by ufw are under /etc/ufw/*.rules.

The following is suitable for Ubuntu 16.04.5 LTS

Basic commands#

View help:

iptables -h

View filter rules##

sudo iptables -vnL --line-numbers

- n: Display ip as a number, it will display ip directly, if -n is not added, ip will be resolved into hostname in reverse
- v: show detailed information
--Line-numbers: Label the rules with numbers, this is useful when deleting rules

The same chain is matched from top to bottom, so num is very important;

Create a new iptables rule without affecting existing connections;

Save the created rules to file##

iptables-save >/etc/iptables.up.rules

Recovering rules from files##

/sbin/iptables-restore </etc/iptables.up.rules

You can also add the last command to /etc/rc.local to restore the rules when the system restarts

Full command rules#

iptables [-t table] command chain [match][-j target]

The following is an explanation of the main parameters of each command.

- t table, table has four options, the default is filter:

filter: general filtering function, the default table
nat: used for NAT functions (port mapping, address mapping, etc.)
mangle: used to modify specific data packages
raw: mainly used to cooperate with NOTRACK response
security: User Mandatory Access Control (MAC) network rules

command, defines how to write rules:

- P: Define the default rules of the chain (data packets that are not matched by all other rules will be executed according to the default rules)
- A: Append, add a rule at the end of the current chain
- I num: Insert, insert the current rule as the first few
- R num: Replays replace/modify the first few rules
- D num: delete, clearly specify which rule to delete num after the chain, see the following application examples.

chain, netfilter can filter in five positions:

PREROUTING (pre-routing)
INPUT (packet flow entry)
FORWARD (port forwarding)
OUTPUT (data packet export)
POSTROUTING (post-routing)

match: Matching rules. The commonly used rules are as follows, and multiple matching rules can be used in parallel:

- p: used to match the protocol (there are usually 3 protocols here, TCP/UDP/ICMP, multiple protocols separated by commas, ALL is indeed set,! means reverse matching)
- s: match source address ip or ip segment (IP or IP/MASK,! means reverse match)
- d: The destination IP address of the matched packet (! means reverse match)
- i: incoming network card
- o: Outgoing network card
-Dport: destination port (two short lines)
-Sport: source port
-State: connection state
- m: Explicitly expand the above rules (that is, it can match multiple states, ports, etc.)

target: the operation/response performed, the following are common:

DROP (quietly drop)
REJECT (Express rejection)
ACCEPT (accepted)
MASQUERADE (source address masquerading)
REDIRECT (redirect)
MARK (marked by the firewall)
RETURN (return)

Practical example#

Open a tcp port##

sudo iptables -A INPUT -p tcp --dport 22-j ACCEPT

Delete a rule##

Rule 1 is deleted here

sudo iptables -t filter -D FORWARD 1

Add a nat record##

sudo iptables -t nat -A POSTROUTING -s 192.168.255.0/24-j MASQUERADE

Save and restore iptables

sudo iptables-save >./iptables.bak
sudo iptables-restore <./iptables.bak

References#

Well-written blog, suitable for getting started

Suitable for in-depth after getting started

ubuntu iptables firewall guide