
Detailed explanation of Firewall

2025-02-24 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 06/01 Report


I. Introduction to firewalls

A firewall is a defense system placed between the local network and an external network. It is usually used where a private network connects to a public network, and especially where it connects to the Internet. It is the only channel through which information passes between different network security domains, and it controls the flow of information into and out of the network according to the security policy (permit, deny, monitor, and so on); it is a very effective security measure on the Internet. It can isolate links to risky areas without hindering users' access to those areas, so it effectively monitors activity between the intranet and the Internet and protects the internal network. The firewall does its main work on the basis of two kinds of headers: IP and TCP.

II. Characteristics and functions of the firewall

Characteristics of firewalls:

(1) All traffic in both directions must pass through it.

(2) Only information flows authorized by the security policy are allowed to pass.

(3) The system itself is highly resistant to attack.

Functions of the firewall:

(1) Provide a barrier for network security.

(2) Strengthen the network security policy.

(3) Monitor and audit network access.

(4) Prevent the leakage of internal information.

III. Some rules of the firewall

(1) Matching fields, for example:

IP: source IP, destination IP

TCP: SPORT, DPORT, flag bits

UDP: SPORT, DPORT

ICMP: icmp-type

(2) Datagram filtering frameworks by kernel version:

Linux 2.0: ipfw / firewall

Linux 2.2: ipchains / firewall

Linux 2.4: iptables / netfilter

(3) Hook functions (netfilter hook points): prerouting, input, output, forward, postrouting

(4) Rule chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

IV. The three tables, their functions, and the built-in chains of each table

(1) filter (packet filtering):

INPUT: applies to packets destined for this machine

FORWARD: applies to packets routed through this machine

OUTPUT: applies to locally generated packets

(2) nat (network address translation):

PREROUTING: modifies the destination address of a packet as soon as it arrives at the firewall

OUTPUT: modifies the destination address of locally generated packets

POSTROUTING: modifies the source address of packets about to leave the firewall

(3) mangle (packet modification):

PREROUTING: changes the packet after it enters the firewall and before routing is decided

OUTPUT: changes a locally generated packet before its route is decided

POSTROUTING: changes the packet after its route has been decided

INPUT: changes the packet after it has been routed to the local machine and before a user program sees it

V. Introduction to iptables

A custom chain can be used, but it takes effect only when it is called (jumped to) from another chain; if no rule in the custom chain matches, a return mechanism hands the packet back to the calling chain. A custom chain that is empty can be deleted; the built-in (default) chains cannot be deleted.

Each rule has two built-in counters: (1) the number of matched packets and (2) the total size in bytes of the matched packets.

An iptables rule consists of matching criteria and a processing action (target).

Syntax: iptables [-t TABLE] COMMAND CHAIN [num] matching-criteria -j TARGET

Matching criteria:

1. General matches

-s, --src: specify the source address; -d, --dst: specify the destination address; -p {tcp | udp | icmp}: specify the protocol

-i INTERFACE: specifies the interface on which the datagram comes in

Chains in which this criterion can be used: PREROUTING, INPUT, FORWARD

-o INTERFACE: specifies the interface on which the datagram goes out

Chains in which this criterion can be used: OUTPUT, POSTROUTING, FORWARD

2. Extended matches

Implicit extension: there is no need to name the module that provides the extension, because -p {tcp | udp | icmp} loads it automatically.

-p tcp

--sport PORT[-PORT]: source port; --dport PORT[-PORT]: destination port

For example, a rule for the source address 172.16.38.1 talking to sshd, which listens on 22/tcp.

--tcp-flags mask comp: check only the flag bits listed in mask (a comma-separated list of flag names). Of these, the flags that also appear in comp must be set (1), and those that are in mask but not in comp must be clear (0).

--tcp-flags SYN,FIN,ACK,RST SYN,ACK

--syn

-p icmp --icmp-type: 0 is echo-reply, 8 is echo-request

-p udp --sport, --dport
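As an added example (not code from the original article), the following shell script re-implements the --tcp-flags mask/comp check as a function and evaluates the rule above against constructed flag sets, so the semantics can be tested without a live firewall; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: the matching semantics of
# "--tcp-flags MASK COMP" re-implemented in shell, so the rule from the text
# can be checked against sample flag sets without root or a live firewall.
# Flag names are the iptables ones: SYN, ACK, FIN, RST, PSH, URG.

# has_flag LIST FLAG -> 0 if FLAG is one of the comma-separated LIST
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tcp_flags_match MASK COMP PKTFLAGS
# Returns 0 (match) when, for every flag in MASK, the flag is set in the
# packet if it is listed in COMP and clear if it is not. Flags outside
# MASK are ignored, as iptables does.
tcp_flags_match() {
    mask=$1; comp=$2; pkt=$3
    IFS=,
    set -- $mask          # split MASK into positional parameters
    unset IFS
    for f in "$@"; do
        if has_flag "$comp" "$f"; then
            has_flag "$pkt" "$f" || return 1   # required bit is clear
        else
            has_flag "$pkt" "$f" && return 1   # forbidden bit is set
        fi
    done
    return 0
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN (a bare connection-opening SYN)
syn_match() {
    tcp_flags_match SYN,RST,ACK,FIN SYN "$1"
}

# Constructed sample flag sets checked against the rule in the text:
#   --tcp-flags SYN,FIN,ACK,RST SYN,ACK   (the SYN/ACK step of a handshake)
for pkt in SYN SYN,ACK SYN,ACK,PSH FIN,ACK SYN,FIN; do
    if tcp_flags_match SYN,FIN,ACK,RST SYN,ACK "$pkt"; then
        echo "$pkt: match"
    else
        echo "$pkt: no match"
    fi
done
```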

Explicit extension: the module providing the extension must be named, which is done with the -m option of iptables.

-m EXTENSION --specific-option

state: connection state extension

It tracks the state of sessions with ip_conntrack.

NEW: new connection request; ESTABLISHED: established connection

INVALID: invalid connection; RELATED: related connection

-m state --state NEW -j ACCEPT

multiport: discrete multi-port matching extension

--source-ports, --destination-ports, --ports

VI. iptables commands

Managing rules:

-A CHAIN: append a rule at the end of the chain

-I CHAIN [num]: insert a rule as rule number num in the given CHAIN

-D CHAIN [num]: delete rule num from the specified chain

-R CHAIN [num]: replace the specified rule

Managing chains:

-F [CHAIN]: flush, i.e. clear the rules of the specified chain; if CHAIN is omitted, clear all chains in the corresponding table

-P CHAIN: set the default policy of the specified chain

-N: create a new, empty custom chain

-X: delete an empty custom chain

-Z: zero the counters of all rules in the specified chain

-E: rename a custom chain

Viewing:

lsmod | grep []

-L: list the rules of the specified table

-n: show host addresses and port numbers in numeric form

-v: show details of chains and rules

-x: show the exact values of the counters

--line-numbers: show rule numbers

VII. iptables actions (targets)

-j TARGET

ACCEPT: let the packet through; DROP: discard silently; REJECT: reject and send an error reply; DNAT: destination address translation

SNAT: source address translation; REDIRECT: port redirection; MASQUERADE: address masquerading

NOTRACK: do no connection tracking; LOG: write a log entry; MARK: set a mark on the packet
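Putting the commands, matches and targets together, here is an added example (not from the original article) of a host INPUT policy for the sshd case mentioned earlier; it prints the iptables commands in dry-run mode, and the admin host 172.16.38.1 from the text plus the placeholder interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: an INPUT policy built from
# the commands, matches and targets listed above. By default it only prints
# the iptables command lines (no root needed); run it as root with APPLY=1
# to execute them. Constructed assumptions: the admin host is 172.16.38.1
# and sshd listens on 22/tcp as in the text; eth0 is a placeholder name.
ADMIN_HOST=${ADMIN_HOST:-172.16.38.1}
LAN_IF=${LAN_IF:-eth0}

# ipt: run iptables, or just print the command line in dry-run mode
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_input_policy() {
    # -F / -X / -Z: flush rules, delete custom chains, zero counters (filter table)
    ipt -t filter -F
    ipt -t filter -X
    ipt -t filter -Z
    # -P: default policies, so anything not explicitly allowed is dropped
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # -N: a custom chain that logs, then rejects; it runs only when jumped to
    ipt -N LOG_REJECT
    ipt -A LOG_REJECT -j LOG --log-prefix "INPUT-REJECT: "
    ipt -A LOG_REJECT -j REJECT
    # loopback, then replies belonging to sessions already tracked by ip_conntrack
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # a NEW tcp session must begin with a bare SYN (--syn == --tcp-flags SYN,RST,ACK,FIN SYN)
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # ssh only from the admin host, only on the LAN interface
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
    # answer ping: ICMP type 8 is echo-request (the type 0 echo-reply returns as ESTABLISHED)
    ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    # everything else: log it and reject with an error rather than dropping silently
    ipt -A INPUT -j LOG_REJECT
}

# count_commands: how many iptables commands the policy issues (dry run)
count_commands() {
    ( APPLY=0; build_input_policy ) | grep -c '^iptables '
}

build_input_policy
```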
