2025-02-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains iptables on CentOS through worked examples. The editor finds it very practical and shares it for reference; I hope you get something out of it.
One: preface
A firewall, put plainly, is what implements access control under Linux; it may be a hardware appliance or software. Whatever the network, the firewall sits at its edge, and our task is to define how it works: its policy and rules, so that it can inspect the addresses and data entering and leaving the network.
Broadly there are layer 3/4 firewalls (network-layer firewalls, which decide on addresses and ports) and layer 7 firewalls, which are really application-layer proxy gateways.
In the OSI seven-layer model the third layer is the network layer, where a firewall checks source and destination addresses (and, at layer 4, ports). A seven-layer firewall inspects everything in the packet, not just source and destination address and port, so by design it is more secure, but at the cost of throughput. Practical deployments therefore combine the two. And because all traffic must pass through the firewall, its efficiency becomes one of the main limits on how much data users can move, and a poor configuration can turn the firewall itself into a traffic bottleneck.
Second: the history and working principle of iptables
1. Development of iptables:
The predecessor of iptables was ipfwadm (kernel 1.x and 2.0 era), a port of the BSD ipfw packet filter: a simple access-control tool whose rules were applied inside the kernel. Its capabilities were very limited (every rule had to be built into the kernel before it could run, which was hard to manage). With the kernel 2.2 series it was replaced by ipchains, which could define multiple rules and chain them together, and with kernel 2.4 it became iptables, which builds lists of rules to achieve very fine-grained access control.
All of these are user-space tools that define rules; they are not the firewall itself. The rules they define are read and enforced by netfilter in kernel space, and that is what makes the firewall work. The rules must be hooked into the kernel at specific points that every packet traversing the TCP/IP stack has to pass; the kernel framework providing those hook points is called netfilter (network filter).
The netfilter authors chose five such hook points in kernel space:
1. Packets coming in from one network interface and leaving by another (forwarded through this host)
2. Packets flowing from the kernel up to user space (destined for a local process)
3. Packets flowing out of user space (generated by a local process)
4. Packets that have just arrived on an interface, before the routing decision
5. Packets about to leave on an interface, after the routing decision
2. The working mechanism of iptables
From the above we know that five control points were chosen. The first three (forward, into user space, out of user space) already cover every path a packet can take, so why add checkpoints at the entry and exit of the host as well? When a packet has just arrived, the routing decision has not been made yet and the kernel does not know whether the packet is for a local process or is to be forwarded; a filter placed at the raw entry or exit point cannot tell those cases apart, which is why the forwarding checkpoint, the checkpoint into user space and the checkpoint out of user space exist. Then why keep the entry and exit checkpoints at all? Because of NAT: destination address translation (DNAT) must happen before routing, since the routing decision depends on the destination address, and source address translation (SNAT) must happen after routing, just before the packet leaves. So a checkpoint before routing and one after routing are needed as well.
These five positions are known as the five hook functions, or the five rule chains:
1. PREROUTING (before the routing decision)
2. INPUT (packets destined for the local host)
3. FORWARD (packets routed through the host)
4. OUTPUT (packets generated by the local host)
5. POSTROUTING (after the routing decision)
These are the five built-in chains defined by netfilter. Any packet that passes through this host passes through at least one of them.
3. Firewall policy
Firewall policies come in two kinds. In a "pass" policy (a whitelist) the door is closed by default and you explicitly define who may come in. In a "block" policy (a blacklist) the door is open by default and you explicitly deny what must not enter. Either way we define what is let in and what is let out; pass versus block is a choice of default. When defining policy we need several functions: deciding whether a packet is allowed or denied (filtering), and translating addresses (NAT). To let these functions coexist, iptables introduces the notion of a "table" to separate the different functions and processing methods.
The three tables most commonly used are:
1. filter: decides what is allowed or denied
2. nat: defines address translation
3. mangle: modifies the packet's own header fields
With mangle we can rewrite fields such as the TTL, or mark a packet so that later rules or the routing code can act on the mark. The firewall "mark" is in fact implemented through mangle.
Small expansion:
filter can be used on three chains only: INPUT, FORWARD and OUTPUT.
nat is generally used on three chains: PREROUTING, OUTPUT and POSTROUTING.
mangle can be used on all five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
iptables, the user-space half of iptables/netfilter, is not a service in itself: every rule you add is handed to the kernel and takes effect immediately. On CentOS, however, there is also an iptables service that wraps it: starting the service loads the saved rules, and stopping it flushes them.
iptables also supports user-defined chains, but a custom chain only does something if a rule in a built-in chain jumps to it. When a packet hits that rule, evaluation continues in the custom chain; when the custom chain ends without a verdict (or hits RETURN), evaluation resumes in the calling chain at the next rule.
Note: rule order is critical. Rules are checked top to bottom and the first match decides, so the more specific rules (and the ones hit most often) should be placed higher.
3. How to write rules:
The way iptables defines rules looks complicated:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: one of the 3 tables filter, nat, mangle (filter is the default when -t is omitted)
COMMAND: how the rule is managed (append, insert, replace, delete, ...)
chain: the chain the rule applies to (omitted when the command is table-wide)
CRITERIA: the match criteria
-j ACTION: what to do with a matching packet
For example, to drop DNS queries from the 172.16.0.0/16 network:
iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
Of course, if you want to refuse more explicitly (the client gets an error instead of a timeout), replace rule 1 with a REJECT:
iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT
iptables -L -n -v # view the defined rules in detail
Four: COMMAND in detail:
1. Chain management commands (all take effect immediately)
-P: set the default policy of a chain (whether the door is closed or open by default)
There are generally only two default policies:
iptables -P INPUT (DROP | ACCEPT), closed / open by default
For example:
iptables -P INPUT DROP makes drop the default. If no ACCEPT rule has been defined yet, every inbound connection, including your own SSH (Xshell) session, is dropped; add the allow rules before switching the policy.
-F: flush, clear the rules of a chain (note which table you are flushing: without -t this is the filter table, and flushing does not reset the default policy)
iptables -t nat -F PREROUTING
iptables -t nat -F clears all chains of the nat table
-N: new, create a user-defined chain
iptables -N inbound_tcp_web creates a chain named inbound_tcp_web (in the filter table), for example to hold the checks for inbound TCP web traffic
-X: delete a user-defined chain; used like -N, but the chain must be empty (and no longer referenced) before it can be deleted
-E: rename a user-defined chain
iptables -E oldname newname
-Z: zero the counters of a chain (each rule keeps two counters: how many packets and how many bytes it has matched)
iptables -Z: zero all counters
2. Rule management commands
-A: append, add a rule at the end of the chain
-I num: insert, insert the rule at position num
-I 3: insert as the third rule
-R num: replace the rule at position num
Format: iptables -R INPUT 3 ...
-D num: delete, explicitly specify which rule to delete
3. The viewing command -L
Additional sub-options:
-n: show IPs and ports numerically; without -n, iptables tries to reverse-resolve every IP to a hostname, which is slow
-v: show details (interface, packet and byte counters)
-vv
-vvv: the more v's, the more detail
-x: show exact counter values without unit conversion (K/M/G)
--line-numbers: show the rule numbers
-t nat: show the nat table instead of the default filter table
Five: the match criteria in detail
1. Generic matches: source and destination address
-s: match on the source address. A hostname cannot be used here; it must be an IP.
Forms: IP | IP/MASK | 0.0.0.0/0 (any address)
The match can be negated with "!": ! IP means every address except that one
-d: match on the destination address
-p: match on the protocol (usually one of tcp, udp, icmp)
-i eth0: the packet arrived on this interface
Inbound interface matches are only valid on INPUT, FORWARD and PREROUTING
-o eth0: the packet leaves via this interface
Outbound interface matches are only valid on OUTPUT, FORWARD and POSTROUTING
2. Extended matches
2.1 Implicit extensions: matches that come with the protocol
-p tcp: the TCP extensions. There are generally three:
--dport XX[:XX]: the destination port, either a single port or one contiguous range, not a list of discontiguous ports, e.g.
--dport 21 or --dport 21:23 (which means 21, 22 and 23)
--sport: the source port
--tcp-flags: the TCP flag bits (SYN, ACK, FIN, PSH, RST, URG)
It takes two arguments:
1. the flags to examine (the mask)
2. the flags that must be set; every other flag in the mask must be clear
--tcp-flags SYN,ACK,FIN,RST SYN
means: examine these 4 bits; SYN must be 1 and the other three must be 0. That matches the first packet of the three-way handshake, i.e. a new connection request. There is a shorthand for exactly this match: --syn
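As an added example (not code from the original article), the following shell functions reproduce the mask/compare semantics of --tcp-flags so you can see which packets of a handshake a rule would hit without loading it into the kernel. The bit values assigned to the flags are an assumption of this script; iptables only cares about the names.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the semantics of
# "--tcp-flags MASK COMP" without iptables, to see which packets a rule hits.
# The kernel test is: (packet_flags AND MASK) == COMP. Bit values below are
# arbitrary but consistent; flag names are the ones iptables uses.

# flags_to_mask "SYN,ACK" -> prints the bitmask for a comma-separated flag list
flags_to_mask() {
    mask=0
    oldifs=$IFS; IFS=,
    for f in $1; do
        case $f in
            FIN)  mask=$((mask | 1)) ;;
            SYN)  mask=$((mask | 2)) ;;
            RST)  mask=$((mask | 4)) ;;
            PSH)  mask=$((mask | 8)) ;;
            ACK)  mask=$((mask | 16)) ;;
            URG)  mask=$((mask | 32)) ;;
            ALL)  mask=63 ;;
            NONE) mask=0 ;;
            *) IFS=$oldifs; echo "unknown TCP flag: $f" >&2; return 2 ;;
        esac
    done
    IFS=$oldifs
    echo "$mask"
}

# tcp_flags_match MASK COMP PACKET_FLAGS: exit 0 if the rule matches the packet
tcp_flags_match() {
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $((p & m)) -eq "$c" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
syn_match() { tcp_flags_match SYN,RST,ACK,FIN SYN "$1"; }

# Run as "sh tcpflags.sh demo" to tabulate the article's rule against a handshake
if [ "${1:-}" = demo ]; then
    for pkt in SYN SYN,ACK ACK PSH,ACK FIN,ACK SYN,ACK,RST SYN,PSH; do
        if tcp_flags_match SYN,ACK,FIN,RST SYN "$pkt"; then v=match; else v=no; fi
        printf '%-12s %s\n' "$pkt" "$v"
    done
fi
```

Note that SYN,PSH still matches: PSH is outside the mask, so it is simply not examined. Only the flags you list in the mask are constrained, which is why --syn names all four of SYN, RST, ACK and FIN.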
-p udp: the UDP extensions
--dport
--sport
-p icmp: the ICMP extensions
--icmp-type:
echo-request (ping request), numbered 8
so --icmp-type 8 matches ping requests
echo-reply (ping response), numbered 0
2.2 Explicit extensions (-m)
Load a named match module:
-m multiport: enable the multiport extension
After that we can use things like --dports 21:23,80 (a list of ports and ranges, up to 15 entries)
Six: -j ACTION in detail
Commonly used ACTIONs:
DROP: silently discard the packet
DROP is generally used so that the sender learns nothing about the host or its rule set (it sees a timeout rather than an error).
REJECT: refuse explicitly (an ICMP error or a TCP RST goes back to the sender)
ACCEPT: accept
custom_chain: jump to a user-defined chain
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: source address masquerading (SNAT to the outgoing interface's current address)
REDIRECT: redirect, mainly used to redirect a port to the local host
MARK: set a firewall mark on the packet
RETURN: return
Used at the end of a user-defined chain to return to the chain that called it.
Exercise 1:
Allow any host in the 172.16.0.0/16 network to access the SSHD service on this host, 172.16.100.1.
Analysis: first, this belongs in the filter table, since no NAT is involved. SSHD listens on TCP port 22 and the action is ACCEPT. Because the default policies will be DROP in both directions, we need two rules: one for the request coming in and one for the reply going out. For access to a local service the inbound rule goes on INPUT and the reply rule on OUTPUT (define the end that starts the session first). Note that the reply leaves from source port 22, so the OUTPUT rule matches --sport, not --dport. So the rules are:
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
Then change the default policies to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Seven: state tracking:
The state match is an explicit extension that tracks the state of sessions; with it we can write rules in terms of connections rather than single packets.
What is state tracking? TCP is a connection-oriented protocol. The first packet of the three-way handshake (SYN) opens a NEW connection; once the reply has been seen, the connection is ESTABLISHED and the rest of the handshake and the normal data transfer belong to it. Some packets belong to no recognisable connection or carry impossible flag combinations, such as SYN=1 ACK=1 RST=1; we call these INVALID. Finally there are protocols like classic FTP, where the control session on port 21 spawns a separate data connection (port 20, or a dynamic port) that belongs to it; such connections are RELATED.
So we have four states:
NEW
ESTABLISHED
RELATED
INVALID
For the exercise we just did we can now add state tracking: inbound, only allow NEW and ESTABLISHED; outbound, only allow ESTABLISHED. That is a good control against the common reverse-connecting ("rebound") Trojan, which needs to open a NEW outbound connection.
Extension of the exercise:
Inbound allows only NEW and ESTABLISHED, outbound allows only ESTABLISHED, and the default policies stay DROP.
iptables -L -n --line-numbers: see which line each earlier rule is on
Rewrite INPUT and OUTPUT:
iptables -R INPUT 2 -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT
At this point, if you also want to open port 80, how?
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Rule 1 on INPUT is still the DNS REJECT from section three; to allow DNS queries to this host instead, replace it:
iptables -R INPUT 1 -d 172.16.100.1 -p udp --dport 53 -j ACCEPT
Exercise 2:
We want to be able to ping other hosts, but not let other hosts ping us. How?
Analysis: for ping, the ICMP request is type 8 (echo-request) and the reply is type 0 (echo-reply). To meet the goal we allow type 8 out and type 0 in, and nothing else; the DROP policy takes care of inbound type 8.
Outbound: iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
Inbound: iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
Small extension: loopback traffic (127.0.0.1) must be allowed explicitly, otherwise local services that talk to each other over the loopback interface break under a DROP policy:
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
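The two exercises above and their state-tracking extension are easier to get right as one rule file loaded atomically than as a sequence of -A/-R/-P commands typed in the wrong order. The following script is an added example (not from the original article): it generates the host firewall of exercises 1 and 2 in iptables-restore format and checks the ordering traps before you load it. The values (this host 172.16.100.1, admin network 172.16.0.0/16, ports 22 and 80) are the article's hypothetical ones; the SERVICES variable and the check function are this script's own. It differs from exercise 2 in one deliberate way: inbound echo-replies are admitted through connection tracking (ESTABLISHED) rather than by opening type 0 to everyone, which also closes the unsolicited-reply channel.

```shell
#!/bin/sh
# Added example, not code from the original article: the host firewall of
# exercises 1 and 2 as one rule set in iptables-restore format, so it is loaded
# atomically instead of rule by rule, where a wrong order or a premature
# "-P INPUT DROP" locks you out. Values are the article's hypothetical ones.
# Pipe the output into "iptables-restore" (as root).

HOST_IP=${HOST_IP:-172.16.100.1}
ADMIN_NET=${ADMIN_NET:-172.16.0.0/16}
# services offered by this host, as proto:port:allowed_source (hypothetical knob)
SERVICES=${SERVICES:-"tcp:22:$ADMIN_NET tcp:80:0.0.0.0/0"}

service_rules() {
    for svc in $SERVICES; do
        proto=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*}; src=${rest#*:}
        echo "-A INPUT -s $src -d $HOST_IP -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets that belong to no known session are dropped before anything else
-A INPUT -m state --state INVALID -j DROP
# answers to sessions already accepted: the SSH/HTTP replies and the
# echo-replies to our own pings, without opening type 0 to everyone
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$(service_rules)
# outbound: only answers to accepted sessions, plus our own ping requests
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rule_line STRING: line number of the first rule containing STRING
rule_line() { host_ruleset | grep -n -F -- "$1" | head -n 1 | cut -d: -f1; }

# check_ruleset: the ordering and typo traps to verify before loading; exit 0 if safe
check_ruleset() {
    lo=$(rule_line '-A INPUT -i lo -j ACCEPT')
    est=$(rule_line 'ESTABLISHED,RELATED -j ACCEPT')
    new=$(rule_line '--state NEW')
    [ -n "$lo" ] && [ -n "$est" ] && [ -n "$new" ] || return 1
    # loopback before the state rule, and the state rule before any NEW rule
    [ "$lo" -lt "$est" ] && [ "$est" -lt "$new" ] || return 1
    # an admin "network" without a prefix length is the classic lock-out typo
    case $ADMIN_NET in */*) ;; *) return 1 ;; esac
    host_ruleset | grep -q '^COMMIT$'
}

# sh hostfw.sh print | iptables-restore   (after the check passes)
if [ "${1:-}" = print ]; then check_ruleset && host_ruleset; fi
```

With this file loaded, `iptables -L -n -v --line-numbers` shows the same rules the exercises built by hand, and `service iptables save` persists them.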
Eight: implementing SNAT and DNAT
IPv4 addresses are scarce and long since allocated, so address translation lets many hosts share the few public addresses we have. How do we implement NAT with iptables?
1. SNAT: translation of the source address
Source address translation is used when many internal users reach the Internet through one external interface: the internal source address is rewritten to the external IP, so that replies from the outside come back to us and are translated back.
We define exactly how to translate in iptables:
For example, to translate every address in the 192.168.10.0/24 network to the (hypothetical) public address 172.16.100.1:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
This way every packet from the local network that leaves through this host has its source rewritten to 172.16.100.1.
What if 172.16.100.1 is not fixed?
With a consumer ISP (Unicom or telecom) the external address is usually assigned dynamically each time the link comes up. Then we use MASQUERADE (dynamic masquerading) instead: it looks up the current address of the outgoing interface each time a packet is translated. So:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Note: masquerading is not appropriate everywhere; with a fixed public address SNAT is cheaper and should be preferred.
2. DNAT: destination address translation
With destination address translation the flow is from outside to inside: the outside is the client, the inside is the server. Through DNAT, external clients reach our services via our single external IP while the services themselves sit on different servers on the intranet.
How do we do destination address translation?
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
Here -d is the address on which the request arrives and --to-destination is the real server. Destination address translation has to happen before the routing decision, so it is done in PREROUTING. Note that with a FORWARD policy of DROP the translated packets also need a FORWARD rule, and IP forwarding must be enabled in the kernel.
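Taking the SNAT, MASQUERADE and DNAT rules of this section together, the following script is an added example (not from the original article) that emits the complete rule set of a small NAT gateway in iptables-restore format, including the FORWARD rules and the forwarding sysctl that the section's two nat rules alone do not provide. Addresses follow the section's SNAT scenario (192.168.10.0/24 behind the public 172.16.100.1); 192.168.10.18 as the internal web server, eth0/eth1 as external/internal interfaces and the WAN_IP/DNAT_MAP variables are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): the complete rule set for a
# small NAT gateway, covering the section's SNAT/MASQUERADE and DNAT cases and
# the parts the article leaves out but a working gateway needs: FORWARD rules
# (the default policy is DROP) and IP forwarding. Output is iptables-restore
# format. Hypothetical knobs:
#   WAN_IP   fixed public address; set it empty (WAN_IP=) for MASQUERADE
#   DNAT_MAP "extport:internal_ip:intport" services published on WAN_IP

LAN_NET=${LAN_NET:-192.168.10.0/24}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP-172.16.100.1}
DNAT_MAP=${DNAT_MAP:-"80:192.168.10.18:80 2222:192.168.10.18:22"}

# source NAT: SNAT when the public address is fixed, MASQUERADE when dynamic
snat_rule() {
    if [ -n "$WAN_IP" ]; then
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP"
    else
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    fi
}

# destination NAT in PREROUTING (routing needs the final address), restricted
# to the external interface so LAN hosts cannot trigger it
dnat_rules() {
    for m in $DNAT_MAP; do
        ext=${m%%:*}; rest=${m#*:}; ip=${rest%%:*}; port=${rest#*:}
        echo "-A PREROUTING -i $WAN_IF${WAN_IP:+ -d $WAN_IP} -p tcp --dport $ext -j DNAT --to-destination $ip:$port"
    done
}

# the filter table sees the translated destination, so FORWARD must admit it
forward_rules() {
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    for m in $DNAT_MAP; do
        rest=${m#*:}; ip=${rest%%:*}; port=${rest#*:}
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $ip -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

gateway_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    dnat_rules
    snat_rule
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $LAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    forward_rules
    echo "COMMIT"
}

# On the gateway (as root); nothing here runs iptables by itself:
#   sysctl -w net.ipv4.ip_forward=1
#   sh gateway.sh print | iptables-restore
if [ "${1:-}" = print ]; then gateway_ruleset; fi
```

The SNAT rule is tied to -o eth0 so that traffic between internal interfaces is never rewritten, and the DNAT rule to -i eth0 so that only packets arriving from outside are redirected; both restrictions are what the "masquerading does not apply everywhere" note above is about.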
Nine: saving and loading the rules
Note: everything you define lives only in the running kernel and is lost on reboot. To make it persistent you have to save it.
1. The service iptables save command
Saves the current rules to the file /etc/sysconfig/iptables
2. The iptables-save command
iptables-save > /etc/sysconfig/iptables
3. The iptables-restore command
At boot the iptables service loads /etc/sysconfig/iptables automatically.
If it is not loaded at boot, or you want a hand-written rule file (say iptables.2) to take effect by hand:
iptables-restore < /etc/sysconfig/iptables.2
That loads the rule set defined in the file manually.
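iptables-restore replaces the whole rule set atomically, which is exactly what makes a typo in the file (a DROP policy with the SSH rule missing, as warned about under -P above) cut off the session you are working from. The following is an added example (not from the original article) of a small wrapper that backs up the running rules, test-loads and loads the new file, and restores the backup on a timer unless you confirm from a fresh session. The IPT_SAVE, IPT_RESTORE, STATE_DIR and SAVE_FILE variables are hypothetical knobs so the logic can be exercised on a machine without iptables; their defaults are the real CentOS commands and paths.

```shell
#!/bin/sh
# Added example (not from the original article): load a saved rule file without
# risking a lock-out. apply_rules backs up the running rules, syntax-checks and
# loads the new file, then arms a timer that restores the backup unless
# confirm_rules is run in time. The variables below are hypothetical knobs;
# their defaults are the real CentOS commands and paths.

IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
STATE_DIR=${STATE_DIR:-/var/run/ipt-apply}
SAVE_FILE=${SAVE_FILE:-/etc/sysconfig/iptables}

# apply_rules FILE [SECONDS]: load FILE, roll back after SECONDS (default 60)
# unless confirmed. Returns 0 when the file is loaded and the timer is armed.
apply_rules() {
    file=$1; secs=${2:-60}
    [ -r "$file" ] || { echo "apply_rules: cannot read $file" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    "$IPT_SAVE" > "$STATE_DIR/backup.rules" || return 1
    # -t (--test) parses the file without committing it (iptables-restore 1.4 and later)
    "$IPT_RESTORE" -t < "$file" || { echo "apply_rules: $file failed the test load" >&2; return 1; }
    "$IPT_RESTORE" < "$file" || return 1
    (
        sleep "$secs"
        "$IPT_RESTORE" < "$STATE_DIR/backup.rules"
        echo "apply_rules: not confirmed within ${secs}s, previous rules restored" >&2
    ) &
    echo $! > "$STATE_DIR/rollback.pid"
}

# confirm_rules: cancel the pending rollback and persist the running rules the
# way "service iptables save" does (iptables-save into /etc/sysconfig/iptables).
confirm_rules() {
    [ -r "$STATE_DIR/rollback.pid" ] || { echo "confirm_rules: nothing pending" >&2; return 1; }
    kill "$(cat "$STATE_DIR/rollback.pid")" 2>/dev/null || true
    rm -f "$STATE_DIR/rollback.pid"
    "$IPT_SAVE" > "$SAVE_FILE"
}

# Typical session (as root):
#   apply_rules /etc/sysconfig/iptables.2 60   # then open a new SSH session to verify
#   confirm_rules                               # within 60 s, once the new session works
```

The test load with -t catches syntax errors before anything changes; the timer catches the semantic errors that only show up when your own connection stops working.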
This is the end of the article on "sample analysis of iptables in CentOS". I hope the above is of some help to you and lets you learn more; if you found it good, please share it with others.
© 2024 shulou.com SLNews company. All rights reserved.