Iptables detailed explanation

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. A brief introduction to iptables

The predecessor of iptables is ipfirewall (kernel 1.x era), a simple access-control tool ported from FreeBSD that works inside the kernel to inspect packets. ipfirewall was very limited: all of its rules had to be built into the kernel before they could run, which was generally very difficult. With the 2.x kernel series the software was renamed ipchains, which could define multiple rules and chain them together so that they work as a unit. Today it is called iptables, which builds lists of rules capable of very fine-grained access control.

The relationship between iptables and netfilter confuses many people: they know iptables but have never heard of netfilter. In fact, iptables is only the management tool for the Linux firewall, located at /sbin/iptables. The real firewall functionality is netfilter, the packet-filtering framework inside the Linux kernel.

II. Iptables basics

A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, process the packet in this way." Rules are stored in the packet-filtering table in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables processes it according to the action the rule defines, such as accept, reject or drop. The main work of configuring a firewall is adding, modifying and deleting these rules.

III. How iptables processes a packet

① When a packet arrives on the network card it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it needs to be forwarded.

② If the packet is addressed to this machine, it moves down the diagram to the INPUT chain. After the packet has passed the INPUT chain, the local process it is addressed to receives it. Packets sent by programs running on this machine pass through the OUTPUT chain and then the POSTROUTING chain on their way out.

③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right as shown in the figure, through the FORWARD chain and then out through the POSTROUTING chain.

IV. Rules and chains of iptables

The five positions in the image above are known as the five hook functions, or the five rule chains.

1. PREROUTING (before routing)

2. INPUT (packet inbound)

3. FORWARD (forwarding checkpoint)

4. OUTPUT (packet outbound)

5. POSTROUTING (after routing)

These are the five rule chains defined by netfilter. Any packet that passes through the local machine will pass through at least one of these five chains.

Iptables has 4 tables and 5 chains. Tables are distinguished by the operation performed on the packet, chains by the hook point; tables and chains are the two dimensions of netfilter.

(1) 4 tables:

filter, nat, mangle, raw; the default table is filter (used whenever no table is specified)

filter: general packet filtering

nat: network address translation (port mapping, address mapping, etc.)

mangle: modifying specific packets

raw: has the highest priority. Rules are usually placed in raw to exempt packets from connection tracking and improve performance.

(2) 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

PREROUTING: before the packet is looked up in the routing table

INPUT: after the routing lookup, when the destination is the local machine

FORWARD: after the routing lookup, when the destination is not the local machine

OUTPUT: packets generated by this machine and sent outward

POSTROUTING: before the packet is handed to the NIC.

(3) Rule tables:

1. filter table, three chains: INPUT, FORWARD, OUTPUT

Function: packet filtering. Kernel module: iptable_filter.

2. nat table, three chains: PREROUTING, POSTROUTING, OUTPUT

Function: network address translation (IP, port). Kernel module: iptable_nat.

3. mangle table, five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

Purpose: modify the packet's type of service, TTL and routing-related marks to implement QoS. Kernel module: iptable_mangle. (Don't be put off by how complicated this table looks; it is hardly ever used when setting policies.)

4. raw table, two chains: OUTPUT, PREROUTING

Function: decide whether the packet is handled by the connection-tracking mechanism. Kernel module: iptable_raw.

(4) Rule chains:

1. INPUT: inbound packets are checked against the policies in this chain

2. OUTPUT: outbound packets are checked against the policies in this chain

3. FORWARD: packets being forwarded are checked against the policies in this chain

4. PREROUTING: the rules in this chain are applied before a packet is routed

(Remember: every incoming packet is handled by this chain first.)

5. POSTROUTING: the rules in this chain are applied after a packet is routed

(Every outgoing packet is handled by this chain last.)

(5) Priority between rule tables:

raw > mangle > nat > filter

V. Command management of iptables

Command format: iptables [-t table] SUBCOMMAND chain [matches...] [target]

As shown in the diagram

Detailed introduction:

(1) Chain management

-N: new, add a custom chain

-X: delete, delete an empty custom chain

-P: policy, set the default policy of a chain:

ACCEPT: accept

DROP: discard

REJECT: reject

-E: rename, rename a custom chain that is not referenced (reference count is 0)

(2) Rule management

-A: append, add a rule; by default it becomes the last rule in the chain.

-I: insert, add a rule; by default it becomes the first rule in the chain.

-D: delete, remove a rule identified by either

(1) its rule specification, or

(2) its rule number

-R: replace, replace a rule

-F: flush, clear all rules in the chain

-Z: zero, reset the counters to 0

Each iptables rule has two counters:

(1) the number of packets matched by this rule

(2) the number of bytes matched by this rule

-S: list-rules, display the rules of the chain in the format used by the iptables-save command

Example: the virtual machine's IP address is 192.168.1.108 and the httpd service is installed. Write a rule that makes the web service inaccessible to all hosts:

[root@bogon ~]# iptables -t filter -A INPUT -d 192.168.1.108 -p tcp --dport 80 -j REJECT

At this point the Apache test page can no longer be opened in a browser.

Now write a rule that allows access only from hosts in the 192.168.1.x network segment:

[root@bogon ~]# iptables -t filter -D INPUT 1    # delete the previous rule
[root@bogon ~]# iptables -t filter -I INPUT -s 192.168.1.0/24 -d 192.168.1.108 -j ACCEPT    # add the rule
[root@bogon ~]# iptables -nvL --line-numbers    # view the result
Chain INPUT (policy ACCEPT 3 packets, ... bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       72  5308 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.108

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51 packets, 5708 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Modify the rule so that the Apache test page cannot be accessed from this network segment:

[root@bogon ~]# iptables -t filter -R INPUT 1 -s 192.168.1.0/24 -d 192.168.1.108 -j REJECT
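The -D INPUT 1 and -R INPUT 1 commands above work by rule number, and numbers shift after every deletion. The following helpers are an added example, not part of the original article: a parser for the iptables -nvL --line-numbers listing that returns matching rule numbers highest first, a delete-by-match function built on it, and an ensure_rule function that uses the -C check option (not covered above) to avoid adding the same rule twice. The sample listing and the IPTABLES override are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for managing filter rules by
# number, parsing the "iptables -nvL --line-numbers" listing format shown above.
# Assumption: IPTABLES may be pointed at another binary (e.g. echo) for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# Constructed sample listing for the offline demonstration (the real command needs root).
# Rule 3 is a duplicate of rule 1, the usual result of re-running a setup script.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 3 packets, 240 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       72  5308 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.108
2       10   600 REJECT     tcp  --  *      *       0.0.0.0/0            192.168.1.108        tcp dpt:80 reject-with icmp-port-unreachable
3        0     0 ACCEPT     all  --  *      *       192.168.1.0/24       192.168.1.108

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 51 packets, 5708 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      100  9000 ACCEPT     all  --  *      *       192.168.1.108        0.0.0.0/0'

# rule_numbers CHAIN SOURCE DEST  (listing on stdin)
# Print the numbers of the rules in CHAIN whose source and destination columns equal
# SOURCE and DEST, highest first: deleting by number renumbers every rule below it,
# so deleting from the bottom up keeps the remaining numbers valid.
rule_numbers() {
    awk -v chain="$1" -v src="$2" -v dst="$3" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $9 == src && $10 == dst { print $1 }
    ' | sort -rn
}

# delete_matching CHAIN SOURCE DEST: remove every matching rule from the live filter table.
delete_matching() {
    "$IPTABLES" -t filter -nvL --line-numbers | rule_numbers "$@" |
    while read -r n; do "$IPTABLES" -t filter -D "$1" "$n"; done
}

# ensure_rule CHAIN RULE...: append the rule only when an identical one is not already
# present (-C checks for an exact match), so re-running a script does not create
# duplicates like rule 3 above.
ensure_rule() {
    chain="$1"; shift
    "$IPTABLES" -t filter -C "$chain" "$@" 2>/dev/null ||
    "$IPTABLES" -t filter -A "$chain" "$@"
}
```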

(3) Viewing

-L: list, list the rules

-n: numeric, display addresses and ports in numeric form

-v: verbose, show details; -vv and -vvv show more

-x: exact, display the exact counter values instead of unit-converted results

--line-numbers: display the number of each rule in the chain

Common combination: -nvL

[root@bogon ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Matching conditions

(4) Basic matches: netfilter's built-in matching mechanism.

[!] -s, --source address[/mask][,...]: source address match

[!] -d, --destination address[/mask][,...]: destination address match

[!] -i, --in-interface name: restricts the interface a packet arrives on. Can only be used in the PREROUTING, INPUT and FORWARD chains.

[!] -o, --out-interface name: restricts the interface a packet leaves by. Can only be used in the OUTPUT, FORWARD and POSTROUTING chains.

(5) Extended matches: matching mechanisms provided by extension modules, loaded with -m matchname

Implicit extensions: the corresponding module is loaded without the -m option, simply by selecting a protocol with -p:

tcp, udp, icmp

Explicit extensions: the corresponding module must be loaded explicitly with the -m option:

multiport

iprange

string

time

connlimit

limit

state

(5.1) Implicit extensions

[!] -p, --protocol PROTOCOL

PROTOCOL: tcp, udp, icmp, icmpv6, esp, ah, sctp, mh or "all"

tcp: implies "-m tcp", with these options:

[!] --source-port, --sport port[:port]: match the source port of the TCP header; may be a port range

[!] --destination-port, --dport port[:port]: match the destination port of the TCP header; may be a port range

[!] --tcp-flags mask comp: examine the TCP flags listed in mask; the rule matches when the flags listed in comp are set (and the other flags in mask are clear).

--tcp-flags syn,fin,ack,rst syn

--tcp-flags syn,fin,ack,rst ack,fin

[!] --syn:

--syn is equivalent to "--tcp-flags syn,fin,ack,rst syn"; it matches the first packet of the TCP three-way handshake

udp: implies "-m udp", with these options:

[!] --source-port, --sport port[:port]: match the source port of the UDP header; may be a port range

[!] --destination-port, --dport port[:port]: match the destination port of the UDP header; may be a port range

icmp: implies "-m icmp", with this option:

[!] --icmp-type {type[/code] | typename}

type/code:

0/0: echo reply, the response sent back to whoever pinged us

8/0: echo request, the packet sent when pinging another host

Example: configure the virtual machine 192.168.1.108 so that it can ping other hosts, but other hosts cannot ping it.

For ping, type 8 (the request) comes in and type 0 (the reply) goes out when someone pings us. To achieve our goal we need to let type 8 go out and allow type 0 to come in.

[root@bogon ~]# iptables -t filter -A INPUT -d 192.168.1.108 -p icmp --icmp-type 8 -j DROP    # drop echo requests from other hosts, so they cannot ping this machine
[root@bogon ~]# iptables -t filter -A OUTPUT -s 192.168.1.108 -p icmp --icmp-type 0 -j ACCEPT    # allow the echo replies this machine sends to pass

(5.2) Explicit extensions

5.2.1 multiport: multi-port matching

Defines a discrete set of ports to match; up to 15 ports can be specified

[!] --source-ports, --sports port[,port|,port:port]

[!] --destination-ports, --dports port[,port|,port:port]

[!] --ports port[,port|,port:port]

[root@bogon ~]# iptables -I INPUT -s 0/0 -d 192.168.1.108 -p tcp -m multiport --dports 22,80 -j ACCEPT    # allow all hosts to reach ports 22 and 80 of 192.168.1.108
[root@bogon ~]# iptables -I OUTPUT -d 0/0 -s 192.168.1.108 -p tcp -m multiport --sports 22,80 -j ACCEPT    # allow 192.168.1.108 to send packets from ports 22 and 80

5.2.2 iprange: match a contiguous range of IP addresses as the source or destination

[!] --src-range from[-to]: source address range

[!] --dst-range from[-to]: destination address range

[root@bogon ~]# iptables -A INPUT -p tcp -m iprange --src-range 192.168.0.100-192.168.0.105 --dport 22 -j ACCEPT    # matches the address range 192.168.0.100-192.168.0.105

5.2.3 string: string matching against the application-layer data in the packet

--algo {bm|kmp}: the matching algorithm

(bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)

[!] --string pattern: the string pattern to look for

[!] --hex-string pattern: the pattern to look for, given in hexadecimal

[root@bogon ~]# iptables -I OUTPUT -s 192.168.1.108 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "old" -j REJECT    # reject web responses containing the string "old"
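Putting the matches above together, here is an added example (not from the original article) of a default-deny INPUT policy for the host 192.168.1.108 used throughout this page: SSH and ping allowed only from an assumed admin address range, the web ports open to everyone, and the DROP policies set last so an admin session open while the script runs is not locked out. The admin range and port list are assumptions; setting IPTABLES=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a default-deny INPUT policy
# for the article's host from the matches explained above: -p tcp --dport/--syn,
# -m multiport, -m iprange, -p icmp --icmp-type and -m state.
# Assumptions: the admin address range passed in is made up; IPTABLES=echo dry-runs.
IPTABLES="${IPTABLES:-iptables}"

# baseline_rules HOST ADMIN_RANGE: print one iptables argument list per line so the
# policy can be reviewed or diffed before it is applied. The ACCEPT rules are added
# before the policies are switched to DROP, so an admin session that is open while
# the script runs is covered by the ESTABLISHED rule and is not cut off.
baseline_rules() {
    host="$1"; admin="$2"
    cat <<EOF
-t filter -F
-t filter -A INPUT -i lo -j ACCEPT
-t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-t filter -A INPUT -d $host -p tcp --syn --dport 22 -m iprange --src-range $admin -j ACCEPT
-t filter -A INPUT -d $host -p tcp --syn -m multiport --dports 80,443 -j ACCEPT
-t filter -A INPUT -d $host -p icmp --icmp-type 8 -m iprange --src-range $admin -j ACCEPT
-t filter -P INPUT DROP
-t filter -P FORWARD DROP
-t filter -P OUTPUT ACCEPT
EOF
}

# apply_rules HOST ADMIN_RANGE: feed each generated line to iptables, stopping at the
# first failure. Unquoted $line is intentional: the generated arguments contain no spaces.
apply_rules() {
    while read -r line; do
        # shellcheck disable=SC2086
        "$IPTABLES" $line || return 1
    done <<EOF
$(baseline_rules "$@")
EOF
}
```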
