
What are the iptables firewall knowledge points of LINUX?

2025-01-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article introduces the main knowledge points of the Linux iptables firewall. Many people have questions about this topic, so the editor has consulted a range of materials and put together simple, easy-to-use operating methods, in the hope of answering those questions. Please follow the editor through the material below.

1. The iptables firewall

1.1 netfilter

The packet-filtering subsystem located in the Linux kernel

Known as the "kernel space" part of the Linux firewall

1.2 iptables

The tool for managing firewall rules, located at /sbin/iptables

Known as the "user space" part of the Linux firewall

Either of the two names above can be used to refer to the Linux firewall

1.3 Table and chain structure of iptables

1.3.1 Rules and chains

The role of a rule: filter or process packets

The role of a chain: hold a set of firewall rules

Chains are distinguished by the point at which they process a packet

1.3.2 Five rule chains by default

INPUT chain: processes inbound packets

OUTPUT chain: processes outbound packets

FORWARD chain: processes forwarded packets

POSTROUTING chain: processes packets after routing

PREROUTING chain: processes packets before routing

1.3.3 Rule tables

The role of a table: hold a set of rule chains

Tables are divided according to the function of the firewall rules they hold

1.3.4 Four rule tables by default

raw table: decides whether to perform connection state tracking on the packet

mangle table: sets marks on packets

nat table: modifies the source or destination IP address or port of a packet

filter table: decides whether to let the packet through (filtering)

1.4 Matching process for packet filtering

Order between the rule tables: raw -> mangle -> nat -> filter

Order between the rule chains:

Inbound: PREROUTING -> INPUT

Outbound: OUTPUT -> POSTROUTING

Forwarded: PREROUTING -> FORWARD -> POSTROUTING

1.5 Matching order within a rule chain

Rules are checked in order; the first match stops further checking (the LOG control type is the exception)

If no matching rule is found, the packet is handled according to the default policy of the chain

2. Basic iptables syntax

2.1 Format

iptables [-t table] option chain [conditions] -j control-type

// Insert at the beginning of the INPUT chain of the filter table a rule that rejects icmp packets (REJECT sends a notification back to the sender)

Example: iptables -t filter -I INPUT -p icmp -j REJECT

Note: if -t table is omitted, the filter table is assumed

When no chain name is given, the option applies to all chains in the table

Unless you are setting the default policy of a chain, you must specify matching conditions

Management options, chain names and control types are written in uppercase letters; everything else is lowercase

2.2 Common control types for packets

ACCEPT: allow the packet through

DROP: discard the packet directly without sending any response

REJECT: refuse the packet and send a notification back to the sender

LOG: record the packet in the log, then pass it on to the next rule for further matching

3. Managing iptables rules

3.1 Adding new rules

-A: append a rule at the end of the chain

-I: insert a rule (uppercase I) at the beginning of the chain (or at the given position number)

// Append to the end of the INPUT chain of the filter table a rule allowing inbound tcp packets

Example: iptables -t filter -A INPUT -p tcp -j ACCEPT

// Insert at the beginning of the INPUT chain of the filter table a rule allowing inbound tcp packets

iptables -t filter -I INPUT -p tcp -j ACCEPT

// Insert at position 2 of the INPUT chain of the filter table a rule allowing inbound tcp packets

iptables -t filter -I INPUT 2 -p tcp -j ACCEPT

3.2 Viewing the list of rules

-L: list all rule entries

-n: display addresses, ports and other information in numeric form

-v: display rule information in more detail

--line-numbers: display the position number of each rule

Example: iptables -nL INPUT // the options must be given in this order (-nL, not -Ln)

3.3 Deleting and flushing rules

-D: delete the rule at the given position number (or with the given content) in the chain

-F: flush all rules

Example: iptables -D INPUT 3 // delete rule 3 of the INPUT chain in the filter table

iptables -t nat -F // delete all rules in all chains of the nat table

3.4 Setting the default policy

-P: set the default policy of the given chain

Note: the default policy is either ACCEPT or DROP

// Set the default policy of the FORWARD chain of the filter table to discard all forwarded packets

Example: iptables -t filter -P FORWARD DROP

3.5 Matching conditions for rules

3.5.1 Generic matches

Can be used directly, without depending on other conditions or extension modules

Include conditions such as network protocol, IP address and network interface

3.5.2 Implicit matches

Require a specific protocol match (-p) as their premise

Include conditions such as port, TCP flags and ICMP type

3.5.3 Explicit matches

The match type must be named explicitly in the form "-m extension_module"

Include conditions such as multiple ports, MAC address, IP range and connection state

3.5.4 Common generic matching conditions

Protocol match: -p protocol

Address match: -s source address, -d destination address

Interface match: -i inbound network card, -o outbound network card

// Insert at the beginning of the INPUT chain of the filter table a rule discarding inbound icmp packets

Example: iptables -I INPUT -p icmp -j DROP

// Append to the end of the FORWARD chain of the filter table a rule allowing all forwarded packets except icmp

iptables -A FORWARD ! -p icmp -j ACCEPT

// Append to the end of the INPUT chain of the filter table a rule discarding inbound packets arriving on network card eth2 from network segment 192.168.1.0/24

iptables -A INPUT -i eth2 -s 192.168.1.0/24 -j DROP

// Same meaning as above, for the 172.16.0.0/12 segment

iptables -A INPUT -i eth2 -s 172.16.0.0/12 -j DROP

3.5.5 Common implicit matching conditions

Port match: --sport source port, --dport destination port

TCP flags match: --tcp-flags mask flags (check which of the flags in the mask are set)

ICMP type match: --icmp-type ICMP type

// Append to the end of the FORWARD chain a rule allowing forwarded udp packets from network segment 192.168.1.0/24 to destination port 53

Example: iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT

// Append to the end of the INPUT chain a rule allowing inbound tcp packets to destination ports 20 to 21

iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT

// Append to the end of the INPUT chain a rule discarding inbound icmp packets of type 8 (8: echo request, 0: echo reply, 3: destination unreachable)

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

// Append to the end of the INPUT chain a rule allowing inbound icmp packets of type 0

iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

// Append to the end of the INPUT chain a rule allowing inbound icmp packets of type 3

iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT

3.5.6 Common explicit matching conditions

Multi-port match: -m multiport --sports source port list

-m multiport --dports destination port list

IP range match: -m iprange --src-range IP range

MAC address match: -m mac --mac-source MAC address

State match: -m state --state connection state

// Insert at the beginning of the INPUT chain a rule allowing inbound tcp packets to the port list 80 (only one port here)

Example: iptables -I INPUT -p tcp -m multiport --dports 80 -j ACCEPT

// Insert at the beginning of the INPUT chain a rule allowing inbound tcp packets in connection state ESTABLISHED or RELATED

iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

// Append to the end of the INPUT chain a rule allowing inbound tcp packets to the ports 25, 80, 110 and 143

iptables -A INPUT -p tcp -m multiport --dports 25,80,110,143 -j ACCEPT

// Append to the end of the FORWARD chain a rule allowing forwarded tcp packets from the source address range 192.168.4.21 to 192.168.4.28

iptables -A FORWARD -p tcp -m iprange --src-range 192.168.4.21-192.168.4.28 -j ACCEPT

// Append to the end of the INPUT chain a rule discarding inbound packets from the MAC address 00:0c:29:c0:55:3f

iptables -A INPUT -m mac --mac-source 00:0c:29:c0:55:3f -j DROP
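As an added example (not a script from the original article), the following shell script uses the options of sections 1.5 and 3.x to build one INPUT policy, showing why -I versus -A and the default policy matter. It assumes the LAN is 192.168.1.0/24 on eth0, and prints the commands instead of running them unless DRY_RUN=0 is set (applying them requires root).

```shell
#!/bin/sh
# Added example, not the article's own script: a host INPUT policy built with the
# options from sections 1.5 and 3.x. Assumed values: LAN 192.168.1.0/24 on eth0.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).
DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

input_policy() {
    ipt -F INPUT                  # 3.3: start from an empty chain
    # Order matters (1.5): the first matching rule stops processing, so the rule
    # that matches most packets (replies to our own connections) goes first with -I.
    ipt -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT                                        # loopback
    ipt -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT  # SSH from the LAN only
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT          # web from anywhere
    ipt -A INPUT -p icmp --icmp-type 8 -j DROP                          # no inbound echo requests
    # LOG is the exception to match-and-stop (2.2): it records the packet and
    # falls through, here to the chain's default DROP. Rate-limited so a flood
    # of unwanted packets cannot fill the log.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP:"
    # 3.4: set the default policy last, so an existing SSH session is not cut
    # off while the rules above are still being added.
    ipt -P INPUT DROP
}

# 3.2: list the result with rule numbers, numeric addresses and packet counters.
show_input() {
    ipt -t filter -nvL INPUT --line-numbers
}

input_policy
show_input
```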

4. SNAT policy

Application environment: hosts on a local area network share a single public network IP address to access the Internet

Principle: source address translation, i.e. modifying the source address of the packet

4.1 Conditions

Each host in the LAN has its IP address and subnet mask set correctly

Each host in the LAN has its default gateway address set correctly

The Linux gateway has IP routing forwarding enabled

4.2 Writing the SNAT translation rule

// Append to the end of the POSTROUTING chain of the nat table a rule applying the SNAT policy to outbound packets from the source network segment 192.168.1.0/24 leaving through network card eth2, translating their source address to 192.168.2.39 (translating the intranet address)

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth2 -j SNAT --to-source 192.168.2.39

// 192.168.1.0/24: the private network segment

// eth2: the name of the public network interface

// 192.168.2.39: the IP address of the public network interface

4.3 Verifying the SNAT result

The LAN host 192.168.1.40 can access the Web server 192.168.2.40 on the external network.

Check the access log of the Web server 192.168.2.40: the recorded visitor should be the gateway host's public network IP address 192.168.2.39. You can also ping the server from the client to see whether it is reachable.

5. DNAT policy

Application environment: publishing servers located in the enterprise LAN on the Internet

Principle: destination address translation, i.e. modifying the destination address of the packet

5.1 Conditions

The Web server in the LAN can access the Internet

The gateway's public network IP address has a correct DNS resolution record

The Linux gateway has IP routing forwarding enabled

5.2 Writing the DNAT translation rule

// Append to the end of the PREROUTING chain of the nat table a rule applying the DNAT policy to tcp packets arriving on the inbound network card eth0 with destination address 192.168.2.39, port 80, translating their destination address to 192.168.1.40 (translating the public network address)

iptables -t nat -A PREROUTING -i eth0 -d 192.168.2.39 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.40

// 192.168.2.39: the IP address of the public network interface

// 80: the published service port

// 192.168.1.40: the private network IP address of the Web server

5.3 Verifying the DNAT result

The Web service located on the intranet can be accessed from the external network client 192.168.2.40 at

http://192.168.2.39

Check the access log of the Web server 192.168.1.40: the recorded client should be the public network client IP address 192.168.2.40

You can also ping the intranet Web server from the external network client to see whether it is reachable.

5.4 Changing the destination port when publishing

The destination address is given in the form "IP:port" in the DNAT rule

// Append to the end of the PREROUTING chain of the nat table a rule applying the DNAT policy to tcp packets arriving on the inbound network card eth2 with destination address 192.168.2.39, port 2346, translating their destination to 192.168.1.46, port 22 (the port is changed as well)

iptables -t nat -A PREROUTING -i eth2 -d 192.168.2.39 -p tcp --dport 2346 -j DNAT --to-destination 192.168.1.46:22

// 2346: the destination port the client connects to

// 22: the port on which the service is actually provided

This concludes the study of "what are the iptables firewall knowledge points of LINUX". I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning related topics, please continue to follow this website; the editor will keep working to bring you more practical articles.
