Detailed explanation of basic knowledge of iptables

2025-02-24 Update From: SLTechnology News&Howtos, Network Security


Shulou(Shulou.com)06/01 Report--

iptables is a packet filter: it can inspect only the protocol headers of the data link layer, the IP layer and the transport layer.

iptables has five built-in chains:

PREROUTING: before the routing decision (cannot do filtering)

INPUT: packets destined for this host

FORWARD: packets routed through this host to another host

OUTPUT: packets generated by local processes

POSTROUTING: after the routing decision

Tables (functions) of iptables:

filter: filtering, the firewall proper

nat: modify the source IP address, the destination IP address, or the port

mangle: unpack the packet, modify it and re-encapsulate it

raw: turn off the connection tracking that the nat table enables

Which chains each table can attach to:

A table's rules can only be placed on the chains listed for it

raw: PREROUTING, OUTPUT

mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

nat: PREROUTING, INPUT (CentOS 7), OUTPUT, POSTROUTING

filter: INPUT, FORWARD, OUTPUT

Packet flow:

Inbound to this host: PREROUTING -> INPUT

Outbound from this host: OUTPUT -> POSTROUTING

Forwarding: PREROUTING -> FORWARD -> POSTROUTING

iptables (the administrative tool, configured on the command line) / netfilter (the kernel module that implements the actual functions)

Rule: the packet is checked against the rule's matching conditions; once a match succeeds, the processing action defined by that rule is applied.

Matching criteria:

Basic matching condition

Extended matching condition

Processing actions:

Basic processing action

Extended processing action

Custom processing action

Considerations when adding a rule:

(1) which function is to be achieved: this determines which table to add it to

(2) which path the packets flow through: this determines which chain to add it to

Chain: the order of the rules on a chain is the order in which they are checked, so some implicit rules apply when placing them:

(1) for similar rules (access to the same application), put the one with the narrower match range first

(2) for different kinds of rules (access to different applications), put the one that matches the more frequent traffic first

(3) merge multiple rules that can be expressed as a single rule

(4) set the default policy

iptables rule format:

iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

-t table: when the -t option is omitted the default is filter

raw, mangle, nat, filter

COMMAND:

Chain management:

-N: new, create a custom chain

-X: delete a custom chain

-P: policy, set the default policy of a chain; for the chains of the filter table the default policy is one of

ACCEPT: accept

DROP: discard

REJECT: reject

-E: rename a custom chain; a custom chain whose reference count is not 0 can be neither renamed nor deleted

Rule management:

-A: append a rule to the end of the chain

-I: insert a rule at the given position; when the position is omitted the rule becomes the first one

-D: delete a rule, either by

(1) its rule number

(2) the rule specification itself

-R: replace the rule at the given position in the specified chain

-F: flush, clear the specified chain

-Z: zero, reset the counters

Each iptables rule has two counters:

(1) the number of packets matched

(2) the total size of all packets matched

Viewing:

-L: list all rules on the specified chain

-n: numeric, show addresses and port numbers in numeric form; --line-numbers: show the number of each rule

-v: verbose, show details

-x: exact, show the exact value of the counters

Chain:

PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Matching criteria:

Basic matching conditions: no module needs to be loaded; they are provided by iptables/netfilter itself

[!] -s, --source address[/mask][,...]: check whether the source IP address of the packet matches the address or range given here

[!] -d, --destination address[/mask][,...]: check whether the destination IP address of the packet matches the address or range given here

[!] -p, --protocol protocol

protocol: tcp, udp, icmp

[!] -i, --in-interface name: the interface the packet arrives on; it can only be used for inbound packets, and so only on the PREROUTING, INPUT and FORWARD chains

[!] -o, --out-interface name: the interface the packet leaves on; it can only be used for outbound packets (the FORWARD, OUTPUT and POSTROUTING chains)

Extended matching conditions: an extension module must be loaded before they take effect

Implicit extensions: the extension module does not have to be loaded manually; because they are extensions of a protocol, indicating the protocol with -p already indicates which module is to be loaded.

tcp:

[!] --source-port, --sport port[:port]: match the source port of the packet; can be a port range

[!] --destination-port, --dport port[:port]: match the destination port of the packet; can be a port range

[!] --tcp-flags mask comp

For example, "--tcp-flags SYN,ACK,FIN,RST SYN" means that the four flag bits to be checked are SYN, ACK, FIN and RST, of which SYN must be 1 and the other three must be 0; flag bits not named in the mask are not examined at all.

[!] --syn: matches the first packet of the handshake, equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN"
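The mask/comp semantics above can be reproduced without a firewall. The following is an added shell example, not code from the original article: it evaluates "--tcp-flags mask comp" against the flags set in a packet the way iptables does, including the detail that flags outside the mask are ignored (flag names and bit values are the standard TCP ones; tcp_syn_match is a helper name chosen here).

```shell
# Bit value of a TCP flag name as accepted by --tcp-flags (ALL = all six flags).
tcp_flag_bit() {
  case "$1" in
    FIN) echo 1 ;;   SYN) echo 2 ;;   RST) echo 4 ;;
    PSH) echo 8 ;;   ACK) echo 16 ;;  URG) echo 32 ;;
    ALL) echo 63 ;;  NONE) echo 0 ;;
    *) echo "unknown TCP flag: $1" >&2; return 1 ;;
  esac
}

# OR a comma-separated flag list such as "SYN,ACK,FIN,RST" into one bitmask.
tcp_flag_mask() {
  total=0
  for name in $(printf '%s' "$1" | tr ',' ' '); do
    bit=$(tcp_flag_bit "$name") || return 1
    total=$((total | bit))
  done
  echo "$total"
}

# Evaluate "--tcp-flags MASK COMP" against the flags set in a packet (third argument).
# Match (exit 0) when, looking only at the bits named in MASK, exactly the bits in COMP
# are set. Bits outside MASK are not examined, so "SYN,ACK,FIN,RST SYN" also matches a
# packet carrying SYN together with PSH or URG.
tcp_flags_match() {
  mask=$(tcp_flag_mask "$1") || return 2
  comp=$(tcp_flag_mask "$2") || return 2
  pkt=$(tcp_flag_mask "$3") || return 2
  [ $((pkt & mask)) -eq "$comp" ]
}

# The --syn shorthand expressed through the general matcher.
tcp_syn_match() {
  tcp_flags_match "SYN,ACK,FIN,RST" "SYN" "$1"
}
```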

udp:

[!] --source-port, --sport port[:port]: match the source port of the packet; can be a port range

[!] --destination-port, --dport port[:port]: match the destination port of the packet; can be a port range

icmp:

[!] --icmp-type {type[/code] | typename}

echo-request: 8, request

echo-reply: 0, response

Explicit extensions: the extension module must be loaded manually with [-m matchname [per-match-options]]

Explicit extensions will be explained in detail with concrete examples in the next summary.

Processing actions:

-j targetname

ACCEPT

DROP

REJECT

Firewall (service)

CentOS 6:

service iptables {start | stop | restart | status}

start: read the previously saved rules and apply them to netfilter

stop: clear the rules from netfilter, restore the default policy, etc.

status: show the rules currently in effect

restart: clear the rules from netfilter, read the previously saved rules and apply them to netfilter

CentOS 7:

systemctl start | stop | restart | status firewalld.service

systemctl disable firewalld.service

systemctl stop firewalld.service

Basic firewall configuration commands:

View the rule chains:

iptables -t filter -L -n --line-numbers -v

Clear the rule chains:

iptables -t filter -F

Delete the custom chains:

iptables -t filter -X

Now set 192.168.32.144 (this host) to deny all access from the host 192.168.32.145:

iptables -t filter -A INPUT -s 192.168.32.145 -d 192.168.32.144 -j DROP

Delete this rule:

iptables -t filter -D INPUT 1

Change the rule above so that only the ICMP protocol from 192.168.32.145 to this host is restricted:

iptables -t filter -R INPUT 1 -s 192.168.32.145 -d 192.168.32.144 -p icmp -j REJECT

iptables -A INPUT -s 192.168.32.145 -d 192.168.32.144 -p icmp -j REJECT

Restrict ICMP from 192.168.32.145 on the local inbound interface (inbound interfaces are matched with -i; -o is not valid on the INPUT chain):

iptables -A INPUT -s 192.168.32.145 -d 192.168.32.144 -p icmp -i eno16777736 -j DROP

Prevent the host 192.168.32.145 from using ssh to reach 192.168.32.144:

iptables -t filter -A INPUT -s 192.168.32.145 -d 192.168.32.144 -p tcp --dport 22 -j DROP

Prevent other hosts from pinging this host, without preventing this host from pinging others:

iptables -A INPUT -d 192.168.32.144 -p icmp --icmp-type 8 -j DROP
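The commands above add one rule at a time. The following is an added example, not from the original article, that also applies the rule-ordering guidance from earlier: it emits the whole filter table in the format iptables-restore reads, so the ruleset loads atomically, with the peer-specific ssh rule ahead of the general one and DROP as the INPUT default policy. The addresses are the article's; the lo interface, the "! --syn" rule in place of a connection-tracking match, and the helper names rule_position and check_ruleset are assumptions made here.

```shell
# Constructed example using the article's scenario: 192.168.32.144 is this host and
# 192.168.32.145 is the peer being restricted.
LOCAL_IP=192.168.32.144
PEER_IP=192.168.32.145

# Print the filter table in iptables-restore format (lines starting with '#' are ignored
# by iptables-restore). Ordering follows the article's guidance: the highest-volume
# traffic first, then for the same service (ssh) the narrower peer-specific rule before
# the broad one, and DROP as the default policy for everything not listed.
gen_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic (assumed interface name "lo")
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened: stateless, so any non-SYN segment passes;
# a conntrack ESTABLISHED match (an explicit extension) would be tighter
-A INPUT -d $LOCAL_IP -p tcp ! --syn -j ACCEPT
# echo-reply (type 0) in, so this host can still ping others; echo-request is dropped by policy
-A INPUT -d $LOCAL_IP -p icmp --icmp-type 0 -j ACCEPT
# narrow ssh rule first, broad ssh rule after it
-A INPUT -s $PEER_IP -d $LOCAL_IP -p tcp --dport 22 -j DROP
-A INPUT -d $LOCAL_IP -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# 1-based position of the first INPUT rule whose text matches a pattern, 0 if none.
rule_position() {
  pos=$(gen_filter_rules | grep '^-A INPUT' | grep -n -- "$1" | head -n 1 | cut -d: -f1)
  echo "${pos:-0}"
}

# Parse the ruleset without committing it (iptables-restore --test) when the tool is present.
# To apply for real: gen_filter_rules | iptables-restore, then "service iptables save" on CentOS 6.
check_ruleset() {
  if command -v iptables-restore >/dev/null 2>&1; then
    gen_filter_rules | iptables-restore --test
  else
    echo "iptables-restore not found; ruleset not parse-checked" >&2
  fi
}
```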
