This article is automatically synchronized from Tencent Cloud + Community; the original is at https://stackoverflow.club/article/iptables_in_ubuntu/
Introduction to iptables#
Netfilter/iptables is built into the kernel, so there is nothing to start, stop or disable; you use the iptables command to create filter rules. (Current kernels ship with it by default, so no separate installation is needed.)
ufw is a tool that simplifies iptables configuration on Ubuntu. It defines a series of rules and loads them into iptables, so when ufw is enabled you will see a series of ufw-prefixed chain names in the iptables rules. The rules ufw defines live under /etc/ufw/*.rules.
The following is suitable for Ubuntu 16.04.5 LTS
Basic commands#
View help:
iptables -h
View filter rules##
sudo iptables -vnL --line-numbers
- -n: show IP addresses numerically; without -n, iptables reverse-resolves each IP to a hostname, which is slow
- -v: show detailed information (packet and byte counters, interfaces)
- --line-numbers: number the rules, which is useful when deleting or inserting rules
Within a chain, rules are matched from top to bottom, so the rule number matters.
Adding a new iptables rule does not affect existing connections.
Save the created rules to file##
iptables-save >/etc/iptables.up.rules
Recovering rules from files##
/sbin/iptables-restore </etc/iptables.up.rules
You can also add the last command to /etc/rc.local so the rules are restored when the system reboots.
Full command rules#
iptables [-t table] command chain [match][-j target]
The following is an explanation of the main parameters of each command.
- -t table: selects one of the following tables (the default is filter):
- filter: general filtering, the default table
- nat: used for NAT functions (port mapping, address mapping, etc.)
- mangle: used to modify specific packets (TTL, TOS, marks)
- raw: mainly used together with the NOTRACK target to exempt packets from connection tracking
- security: used for Mandatory Access Control (MAC) network rules, e.g. SELinux
command: what to do with the rule:
- -P: set the default policy of the chain (packets not matched by any other rule are handled according to the policy)
- -A: Append, add a rule at the end of the current chain
- -I num: Insert, insert the rule at position num (position 1 if num is omitted)
- -R num: Replace, replace/modify the rule at position num
- -D num: Delete, explicitly specify the rule number after the chain name; see the application examples below.
chain: netfilter can filter at five positions:
- PREROUTING (before routing, as a packet arrives)
- INPUT (packets addressed to the local host)
- FORWARD (packets routed through the host)
- OUTPUT (packets generated by the local host)
- POSTROUTING (after routing, as a packet leaves)
match: matching rules. The commonly used ones are listed below, and several can be combined in one rule:
- -p: match the protocol (usually tcp, udp or icmp; all matches every protocol; ! negates the match)
- -s: match the source IP address or range (IP or IP/MASK; ! negates the match)
- -d: match the destination IP address of the packet (! negates the match)
- --dport: destination port (note the two dashes)
- --sport: source port
- --state: connection state (NEW, ESTABLISHED, RELATED, INVALID)
- -m: load an extension match module (for example -m state or -m multiport), which is what allows matching several states or ports at once
target: the action taken on a match; the common ones are:
- DROP (silently drop)
- REJECT (reject and send an error back to the sender)
- ACCEPT (accept)
- MASQUERADE (source address masquerading)
- REDIRECT (redirect to a local port)
- MARK (set a firewall mark on the packet)
- RETURN (return to the calling chain)
Practical example#
Open a tcp port##
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Delete a rule##
Rule 1 is deleted here
sudo iptables -t filter -D FORWARD 1
Add a nat record##
sudo iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -j MASQUERADE
Save and restore iptables##
sudo iptables-save >./iptables.bak
sudo iptables-restore <./iptables.bak
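As an added example that is not part of the original article, the script below ties the command syntax above to the save/restore workflow: it writes a minimal default-deny ruleset in the iptables-save format that /etc/iptables.up.rules holds (each line is an iptables -A ... command without the program name), checks that the file still allows loopback and the management port before anything is applied, and then applies it with a parse-only test first so a typo cannot leave the host half-configured. The file path /tmp/iptables.up.rules, the port 22 and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not the article's own code. Builds a default-deny INPUT
# ruleset in iptables-save format, checks it, and applies it safely.
set -eu

# Assumed paths/values for illustration; the article stores rules in
# /etc/iptables.up.rules.
RULES_FILE="${RULES_FILE:-/tmp/iptables.up.rules}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset. Lines starting with '#' are ignored by iptables-restore,
# ':CHAIN POLICY [pkts:bytes]' sets the default policy (the -P command), and
# the -A lines are exactly what `iptables -A ...` would take on the CLI.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (state match, see -m above)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management access: without this rule a remote session is cut off
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# answer pings so monitoring keeps working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Return 0 only if the file keeps the box manageable: a DROP policy on INPUT
# must be paired with an ACCEPT for loopback and for the management port.
check_rules() {
    file="$1"
    grep -q '^:INPUT DROP' "$file" \
        || { echo "INPUT policy is not DROP" >&2; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$file" \
        || { echo "loopback is not allowed" >&2; return 1; }
    grep -q -- "-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT" "$file" \
        || { echo "no ACCEPT for port ${SSH_PORT}: would lock out admins" >&2; return 1; }
    return 0
}

# Write the file, check it, then apply. Applying needs root and iptables;
# when they are missing the function only reports where the file went.
apply_rules() {
    build_rules > "$RULES_FILE"
    check_rules "$RULES_FILE" || return 1
    if ! command -v iptables-restore >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "ruleset written to $RULES_FILE (not applied: needs root and iptables-restore)"
        return 0
    fi
    iptables-restore --test "$RULES_FILE"   # parse only, changes nothing
    iptables-restore "$RULES_FILE"          # atomic load of the whole table
    iptables -vnL --line-numbers            # show what is now active
}

# Run as `sh iptables-rules.sh apply`; with no argument just print the ruleset.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

The check runs against the file, not the live kernel, so it can be used on any saved ruleset (for example the one produced by iptables-save above) before handing it to iptables-restore, which is the step that would otherwise disconnect you.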