Shulou(Shulou.com)06/02 Report--

1.1 introduction to iptables Firewall

Netfilter/Iptables (hereinafter referred to as Iptables) is an excellent and open source security and free firewall tool based on packet filtering provided by unix/linux. It is very powerful and flexible to use, and can finely control the data packets flowing into and out of the server. In particular, it can run very well under a very low hardware configuration.

Iptables is an integrated service in Linux2.4 and 2.6 kernels. Its function and security are much more powerful than its * * ipfwadm,ipchains**. Iptables mainly works in the second, third and fourth layers of OSI. If the kernel is recompiled, iptables can also support * * layer 7 control * * (squid Agent + iptables)

1.2 iptables terms and terminology

Containers: the relationship between inclusion and inclusion

Iptables is the container for the table

Iptables contains tables (4 tables) tables are containers for chains, each table contains several chains

The chain is the container of rules, and the real filtering rules belong to the chain.

Level introduction

Iptables countries

Table dart

Chain market

Rule county

1.3 iptables workflow

Iptables uses packet filtering mechanism, so it will analyze the header data of the requested packet and match whether it can enter the host according to our pre-set rules.

Summary of iptables workflow

Firewalls are filtered layer by layer. It is actually filtered from top to bottom and from front to back in the order of the configuration rules. If the rule is matched, that is, it is clear whether the table is blocked or passed, the packet will no longer match the new rule downwards. If it is not clear whether to block or pass through this packet in all rules, that is, there is no match on the new rule, match down, it will not be executed until the matching default rule is explicitly organized or through the firewall, and all the rules of the corresponding chain are executed. 1.4 iptables table (tables) and chain (chains)

According to the definition of function and table, iptables consists of three tables, filter,nat,mangle, each of which contains a different operation chain (Chains).

Filter table is a real firewall function.

INPUT in server OUTPUT out server FORWARD flows through server

Nat table is responsible for packet rewriting, gateway sharing, IP and port mapping.

OUTPUT

PREROUTING

POSTROUTING

Mangle routing tags are not used much.

# all chains

RAW tables are rarely as useful as Mangle.

We can get it through man iptables.

1.5 Table introduction

The control of filter table is an important means for us to realize the local firewall, especially the control of INPUT chain.

1.6 iptables Table and chain Workflow Chart

Tip: iptables mainly has two functions, the first is firewall, the second is routing.

NAT function:

Enterprise case: 1) Local area Network sharing (routing and Gateway) NAT POSTROUTING

2) external IP and port mapping to internal IP and port (DMZ function), NAT PREROUTING

Filter function:

Firewall FILTER INPUT FORWARD

Enterprise case: mainly applied to server firewall

2.1 configuration iptablesiptables has been installed by default [root@web02 ~] # iptables- Viptables v1.4.7 [root@web02 ~] # rpm-qa iptablesiptables-1.4.7-16.el6.x86_64 [root@web02 ~] # / etc/init.d/iptables statusiptables: Firewall is not running.

View iptables rules

[root@web02 ~] # iptables-nLChain INPUT (policy ACCEPT)

Indicates that ACCEPT is the default rule for input chains, and runs through by default

The specific rule ACCEPT all under the target prot opt source destinationinput chain-- 0.0.0.0 ACCEPT all 0 0.0.0.0 Universe 0 state RELATED ESTABLISHEDACCEPT icmp--0.0.0.0 0 0.0.0.0/0ACCEPT all-0.0.0.0 0 0.0.0.0/0ACCEPT tcp-0.0.0.0 0 0.0.0.0 0 state NEW tcp dpt:22REJECT all-0.0.0.0 00.0.0.0 0 reject-with icmp-host-prohibitedChain FORWARD (policy ACCEPT)-- 0.0.0.0/ 0 0.0.0.0 reject-with icmp-host-prohibitedChain OUTPUT 0 (policy ACCEPT) target prot opt source destination

If no table is specified, the default is the filfer table

Kernel module loaded by iptables by default [root@web02 ~] # lsmod | egrep "nat | filter | ipt" ipt_REJECT 2351 2iptable_filter 2793 1ip_tables 17831 1 iptable_filter

Load the following modules into the linux kernel

Modprobe ip_tablesmodprobe iptable_filtermodprobe iptable_natmodprobe ip_conntrack connection tracking modprobe ip_conntrack_ftp connection tracking modprobe ip_nat_ftpmodprobe ipt_state

Filter again to see how it works

[root@web02 ~] # lsmod | egrep "nat | filter | ipt" nf_nat_ftp 3443 0nf_conntrack_ftp 11953 1 nf_nat_ftpiptable_nat 5923 0nf_nat 22676 2nf _ nat_ftp,iptable_natipt_REJECT 2351 2nf_conntrack_ipv4 9154 5 iptable_nat,nf_natnf_conntrack 79206 6 nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_stateiptable_filter 2793 1ip_tables 17831 2 iptable_nat,iptable_filter

Clear all the rules, leaving only the default rules

[root@web02] # iptables-F [root@web02] # iptables-X [root@web02] # iptables-Z

Iptables-F clears all rules

Iptables-X removes a user-defined rule

The counter of iptables-Z chain is cleared.

2.2 prohibition rules

View Port

[root@web02 ~] # netstat-lntup | grep sshtcp 0 0 0. 0. 0 lntup 22 0 0 0 LISTEN 1329/sshdtcp 0: 22:: * LISTEN 1329/sshd

The command is as follows:

Iptables-t filter-An INPUT-p tcp-- dport 22-j DROP

-An adds a rule to the end of the specified chain, the last one

-I add a rule to the beginning of the specified chain, the first

-t specify the table, or you may not specify filter by default

-p specify protocol (all.tcp,udp.icmp) default all

-- dport designated port

The act of dealing with

ACCPET receive, DROP discard, REJECT reject

It is best to use ACCPET and DROP, because rejection returns information to the user.

Iptables-F can be used to clear the rules

You can also use iptables-D INPUT 1

-D specifies the deleted chain

-- line-number displays serial number

Iptables-nl-- line-number

Tip: need to write the chain and serial number

Warm reminder: restore the SSH connection that was just disconnected

1) go to the computer room to restart the system or log in to the server to delete the previous prohibition rule

2) ask the computer room staff to restart the server or log in with the user password

3) manage through the remote management card of the server (recommended)

4) write a scheduled task first, and stop the firewall every 5 minutes

5) the test environment is tested, written as a script, and executed in batches

Enterprise case 3.1: the difference between plus-An and-I [root@web02] # iptables-An INPUT-p tcp-- dport 80-j DROP [root@web02] # iptables-I INPUT-p tcp-- dport 80-j ACCEPT

According to the iptables matching rule, the first line is matched first, followed by a downward match. It is useless to set rejection in this way.

If you want to insert in the middle, you can specify the insert line number

[root@web02] # iptables-nLChain INPUT (policy ACCEPT) target prot opt source destinationACCEPT tcp-- 0.0.0.0policy ACCEPT 0 0.0.0.0Universe 0 tcp dpt:80DROP tcp-0.0.0.0Universe 0.0.0.0.0Universe 0 tcp dpt:80Chain FORWARD (policy ACCEPT) target prot opt source destinationChain OUTPUT (policy ACCEPT) target prot opt source destination

You can also insert iptables commands by serial number

[root@web02 ~] # iptables-I INPUT 2-p tcp-- dport 80-j ACCEPT [root@web02 ~] # iptables-nL-- line-numberChain INPUT (policy ACCEPT) num target prot opt source destination1 ACCEPT tcp-0.0.0.0x00.0.0.0max 0tcp dpt:802 ACCEPT tcp-- 0.0.0.0.0max 00.0.0.0max 0tcp dpt:803 DROP tcp-- 0.0.0.0max 0.0.0.0.0 / 0 tcp dpt:80Chain FORWARD (policy ACCEPT) num target prot opt source destinationChain OUTPUT (policy ACCEPT) num target prot opt source destination Summary: summarize the methods of deleting rules

1. Iptables-D INPUT-p tcp-- dport 8080-j DROP

2. Iptables-F delete all rules

3. / etc/init.d/iptables restart (all commands configured with the iptables command line are temporary)

4. Iptables-D INPUT rule serial number

3.2: prohibit access to the 10.0.0.0 network segment

Network segment control based on client

[root@web02] # iptables-An INPUT-s 10.0.0.0 Universe 24-j DROP

-s specify source address

You can also use operations that are not in this network segment.

[root@web02 ~] # iptables-An INPUT!-s 10.0.0.0It 24-j DROP

Case: control the incoming data of the 22-port eth0 network card

Iptables-An INPUT-p tcp-- dport 22-I eth0!-s 10.0.0.0 tcp 24-j DROPiptables-An INPUT-p tcp-dport 22-I eth0!-s 192.168.1.1-j DROP

Block port 3306

Iptables-An INPUT-p tcp-- dport 3306-j DROP

Match the specified protocol

Iptables-An INPUT-p tcpiptables-An INPUT-p udp

Matches all protocols other than the specified protocol

Iptables-An INPUT!-p tcp

``matches a single port * *

Iptables-An INPUT-p tcp-- sport 22 source port iptables-An INPUT-p udp-- dport 22 destination port

Match port range:

Iptables-An INPUT-p tcp-- sport 22:80iptables-An INPUT-p tcp-- dport 21 DROP---- 22multiport 23-j DROP---- > erroneous syntax iptables-I INPUT-p tcp-m multiport-- dport 22 231 24 DROPiptables 25-j DROPiptables-I INPUT-p tcp-m multiport!-- dport 22 23 24 INPUT 25-j DROPiptables-I INPUT-p tcp-dport 3306 display 8809-j ACCEPTiptables-I INPUT-p tcp-18:80-j DROP / etc/sysconfig/iptables

The first method is recommended.

Test: I scan the firewall we configured through other servers

Use the nmap tool for analysis, which requires installation

[root@web02 ~] # yum-y install nmap

The use is as follows: more nmap-help can be used.

[root@web02] # nmap 10.0.0.8-p 1-65535Starting Nmap 5.51 (http://nmap.org) at 2016-08-15 04:28 CSTNmap scan report for 10.0.0.8Host is up (0.0000070s latency) .Not shown: 65532 closed portsPORT STATE SERVICE22/tcp open ssh80/tcp open http3306/tcp open mysqlNmap done: 1 IP address (1 host up) scanned in 14.21 seconds production maintenance

(1) established rules

Edit / etc/sysconfig/iptables

Add the rules you want: for example

-An INPUT-p tcp-m tcp-- dport 873-j ACCEPT/etc/init.d/iptables reload

Or the command is executed at the same time as the configuration is changed, and it is also in effect forever.

(2) trial and error of the command, no problem, and then put the configuration file. There is no need to restart at this time.

Malicious IP blocking

Seal IP, seal on the first line. 10.0.0.1 this machine attacks our server or posts spam in BBS.

Seal IP manually:

Iptables-I INPUT-s 10.0.0.1-j DROP # is thick and wide in scope, while external attacker Iptables-I INPUT-s 10.0.0.1-j DROPiptables-I INPUT-p tcp-s 10.0.0.1-- dport 80-j DROP # is thin and small in scope. Inside

Automatically seal IP: analyze Web or application log or network connection status to seal off junk IP

Script:

#! / bin/bash#this is a server firewall created by oldboy 17:03 2006-7-2 "e_mail:31333741@qq.com# qqinfo:49000448# function: a server firewall# version:1.1### oldboy trainning info.# QQ 1986787350 7027111" site: http://www.etiantian.org# blog Http://oldboy.blog.51cto.com# oldboy trainning QQ group: 208160987 45039636###define variable PATHIPT=/sbin/iptables#Remove any existing rules$IPT-F$IPT-X$IPT-Z#setting default firewall policy$IPT-- policy OUTPUT ACCEPT$IPT-- policy FORWARD DROP$IPT-P INPUT DROP#setting for loopback interface$IPT-An INPUT-I lo-j ACCEPT$IPT -An OUTPUT-o lo-j ACCEPT#setting access rules#one Ip access rules,allow all the ips of$IPT-An INPUT-s 10.0.10.0 INPUT 24-p all-j ACCEPT$IPT-An INPUT-s 10.0.0.0 24-p all-j ACCEPT## is repeated below Reserved as a point of knowledge Configuration of a single service # second Port access rules#nagios$IPT-An INPUT-s 10.0.10. Port access rules#nagios$IPT-A tcp-- dport 5666-j ACCEPT$IPT-An INPUT-s 10.0.0.0 dport 24-p tcp-- dport 5666-j ACCEPT#db$IPT-An INPUT-s 10.0.0.0 dport 24-p tcp-- dport 3306-j ACCEPT$IPT-An INPUT-s 10.0.0.0 pm 24-p tcp-- dport 3307-j ACCEPT$IPT-An INPUT-s 10.0.10.0 -- dport 3306-j ACCEPT$IPT-An INPUT-s 10.0.10.0According 24-p tcp-- dport 3307-j ACCEPT#ssh difference from other servers here. > > $IPT-An INPUT-s 10.0.0.0Universe 24-p tcp-- dport 52113-j ACCEPT$IPT-An INPUT-s 10.0.10.0On24-p tcp-- dport 52113-j ACCEPT$IPT-An INPUT-p tcp-dport 22-j ACCEPT#http$IPT-An INPUT-p tcp-dport 80-j ACCEPT#snmp$IPT-A INPUT-s 10.0.0.0Compact 24-p UDP-- dport 161j ACCEPT$IPT-An INPUT-s 10.0.10.0Universe 24-p UDP-- dport 161ACCEPT#rsync$IPT-An INPUT-s 10.0.0.0ACCEPT#rsync$IPT 24-p tcp-m tcp-- dport 873-j ACCEPT$IPT-An INPUT-s 10.0.100.0 Universe 24-p tcp-m tcp-- dport 873-j ACCEPT#icmp#$IPT-An INPUT-p icmp- m icmp- icmp-type- Any-j ACCEPT#others RELATED$IPT-An INPUT-m state-- state ESTABLISHED RELATED-j ACCEPT$IPT-An OUTPUT-m state-- state ESTABLISHED,RELATED-j ACCEPT

Enterprise case: write a script to solve the production case of DOS attack

Tip: according to the number of web logs or network connections, monitor when the number of concurrent connections to an IP or PV reaches 100 within a short period of time, that is, the firewall command is called to block the corresponding IP, and the monitoring frequency is every 3 minutes. The firewall command is: iptables-I INPUT-s 10.0.1.10-j DROP

This script is written using test files

[root@db02 scripts] # cat testings 6. Shroud. * [- f / etc/init.d/functions] & &. / etc/init.d/functionsIP_file= "/ server/scripts/ddos.txt" IP_filter_command= "iptables-I INPUT-j DROP-s" IP_recover_command= "iptables-D INPUT-j DROP-s" function IP_check () {grep "EST" ${IP_file} | awk-F "[|:] +'{print $6}'| sort | uniq-c | sort-rn-K1 > / server/scripts/ip.txt} function IP_filter () {exec

< /server/scripts/ip.txtwhile read linedoIP_count=`echo $line|awk '{print $1}'`IP=`echo $line|awk '{print $2}'`IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l`if [ ${IP_count} -gt 25 -a ${IP_fil} -eq 0 ];then${IP_filter_command} ${IP}echo "${IP}" >

> / server/scripts/ip_filtered.txtaction "Filter ${IP}" / bin/truefidone} function IP_recover () {exec

< /server/scripts/ip.txtwhile read linedoIP_count=`echo $line|awk '{print $1}'`IP=`echo $line|awk '{print $2}'`IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l`if [ ${IP_count} -le 25 -a ${IP_fil} -eq 1 ];then${IP_recover_command} ${IP}echo "${IP}" >

> / server/scripts/ip_filtered.txtaction "Recover ${IP}" / bin/truefidone} function main () {case "$1" infilter) IP_checkecho "$(date +% F-%H:%M:%S) filtered by $(whoami)" > > / server/scripts/ip_filtered.txtIP_filter;;recover) IP_checkecho "$(date +% F-%H:%M:%S) recovered by $(whoami)" > / server/scripts/ip_filtered.txtIP_recover *) echo "USAGE:$0 {filter | recover}" exit 1esac} main $* production environment iptables script explanation

Tip: it is best to limit the source address of a server with a public network IP for non-external services. External services cannot be restricted by source address, for example, port 80

Question: whether enterprise hardware firewall and IPTABLES firewall should be used at the same time.

Solution: you can use the enterprise hardware firewall at the same time, which is generally placed in the gateway location, which is equivalent to the security of the building, but every room in the building still needs someone to lock the door of the iptables.

Question: IDC computer room deployed a hardware firewall, our server can not open the firewall?

Answer: absolutely not. With security in the building, will your office door be unlocked?

NAT Settings

Share Internet settings

Linux Gateway B:

Two command methods for LAN sharing:

Method 1: suitable for those with fixed external network address:

Iptables-t nat-A POSTROUTING-s 192.168.1.0 to-source 24-o eth0-j SNAT-- to-source 10.0.0.7

(1)-s192.168.1.0 take 24 office or IDC intranet segment.

(2)-oeth0 is the external network card interface of the gateway.

(3)-jSNAT-- to-source 10.0.0.7 is the IP address of the gateway external network card.

Method 2: suitable for changing the public network address (ADSL):

Iptables-t nat-A POSTROUTING-s 192.168.1.0 Universe 24-j MASQUERADE # camouflage.

The configuration is as follows

Step 1: configure the public network server

[root@lb01] # iptables-t nat-A POSTROUTING-s 172.16.1.0 iptables 24-j SNAT-- to-source 10.0.0.5 [root@lb01] # iptables-t nat-L-n

Enable kernel forwarding

Net.ipv4.ip_forward = 1vim / etc/sysctl.confsysctl-p # effective

Need to set up the Internet server

Add rout

Route add default gw 172.16.1." here write the IP address vim / etc/resolv.conf that provides the external network.

Add nameserver 223.5.5.5

Route-n check

Case 2: implement transferring the request for access to 10.0.0.5VR80 to 172.16.1.8VRO 80

[root@web02] # iptables-t nat-A PREROUTING-d 10.0.0.5-p tcp-- dport 80-j DNAT-- to-destination 172.16.1.8 tcp 80 [root@web02] # iptables-P FORWARD DROP

Iptables common enterprise cases:

1. Linux host firewall (table: FILTER control chain: INPUT)

2. Local area network machine sharing Internet access (table: NAT control chain: POSTROUTING)

Iptables-t nat-A POSTROUTING-s 192.168.1.0 to-source 24-o eth0-j SNAT-- to-source 10.0.0.7

3. External address and port, mapped to internal address and port (table: chain controlled by NAT: PREROUTING)

Iptables-t nat-A PREROUTING-d 10.0.0.7-p tcp-- dport 80-j DNAT-- to-destination 192.168.1.8

Enterprise case: implementing an one-to-one mapping of external IP 124.42.34.112 to internal server 10.0.0.8

Gateway Ip:eth0:124.42.60.109 eth2:10.0.0.254

First bind VIP 124.42.34.112 to the routing gateway, which can be an alias or a secondary IP.

-A POSTROUTING-s 10.0.0.0Univer 255.255.240.0-d 124.42.34.112-j SNAT-- to-source 10.0.0.254A PREROUTING-d 124.42.34.112-j DNAT-- to-destination 10.0.0.8RaA POSTROUTING-s 10.0.0.8-o eth0-j SNAT-- to-source 124.42.34.112

Iptables production application scenario

1) sharing the Internet in the local area network (suitable to be the gateway of the internal local area network of the enterprise, and the gateway of the intranet of the IDC computer room [nat POSTROUTING])

2) Server firewall function (suitable for servers with public network IP in IDC computer room) (mainly filter INPUT control)

3) Mapping the external IP and port to the inside of the LAN (either one-to-one IP mapping or for a certain port mapping) or IDC maps the external VIP and port of the website to the load balancer (hardware firewall). (nat PREROUTING)

4) Highway router + gateway function (zebra routing + iptables filtering and NAT+squid forward transparent proxy) 80+ntop/iftop/iptraf traffic view + tc/cbq flow control speed limit

5) Gateway of mail

Application of iptables Firewall

1) Host firewall

2) Application of gateway (IP mapping, port mapping)

3) filter information, monitor traffic restrictions and employees' online behavior (squid (forward proxy caching and filtering) + ntop (graphical traffic monitoring) + usually (traffic restrictions) + iptraf/iftop (traffic viewing))

If IPTABLES's server upgrades the kernel, it can achieve filtering functions similar to squid.

4) the gateway is equipped with antivirus software to monitor port 9999, (gateway antivirus)

Iptables-A PREROUTING-I eth0-d 211.167.253.109-p tcp-m tcp-- dport 25-j DNAT-- to-destination 192.168.10.6 eth0 9025

5) configure enterprise router with zebra

Mapping multiple extranet IP iptables-t nat-A POSTROUTING-s 10.0.0.1Universe 255.255.255.0-o eth0-j SNAT-- to-source 124.42.60.11-124.42.60.16iptables-t nat-A POSTROUTING-s 172.16.1.0 and 255.255.255.0-o eth0-j SNAT-- to-source 124.42.60.103-124.42.60.106#iptables-t nat-A postrouting-S 192. 168.1.0 eth0 22-o eth0-j SNAT-- to-source 10.0.0.241-10.0.0.249

Question:

1. 2000 people were blocked.

2. Limited resources of available port 65535

Enterprise case: ip_conntrack: table full, dropping packet. Error prompt of

The following is the configuration of a server in my production environment:

Net.ipv4.tcp_fin_timeout = 2net.ipv4.tcp_tw_reuse = 1net.ipv4.tcp_tw_recycle = 1net.ipv4.tcp_syncookies = 1net.ipv4.tcp_keepalive_time = 600net.ipv4.ip_local_port_range = 4000 65000net.ipv4.tcp_max_syn_backlog = 16384net.ipv4.tcp_max_tw_buckets = 36000net.ipv4.route.gc_timeout = 1net.ipv4.tcp_synack_retries = 1x5, ip_conntrack: table full is displayed in dmesg Dropping packet. The error prompt. How to solve. # the following parameters are optimized for the iptables firewall. The firewall does not prompt for meetings and can be ignored. C58: net.ipv4.ip_conntrack_max = 25000000net.ipv4.netfilter.ip_conntrack_max=25000000net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=180net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=120net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=60net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=120## # # C64: net.nf_conntrack_max = 25000000net.netfilter.nf_conntrack_max = 25000000net.netfilter.nf_conntrack_tcp_timeout_established = 180net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120

After adjusting the kernel parameter / etc/sysctl.conf, you need to execute / sbin/sysctl-p for the modification to take effect.

Emphasize: if the concurrency is relatively large, or if there is too much PV per day, you should pay attention to turning on the firewall, which may lead to slow access to the website.

Large concurrency (concurrency 10, 000, PV day 30 million) either buy a hardware firewall or do not open the iptables firewall

Brief introduction of iptables parameters

-n digit

-L list

-F clears all rules and does not process default rules

-X removes a user-defined chain

The counter of-Z chain is cleared.

-An adds a rule to the end of the specified chain, the last one

-I add a rule to the beginning of the specified chain, the first

-t specify the table, or you may not specify filter by default

-p specify protocol (all.tcp,udp.icmp) default all

-P sets the default rule

-s specify source address

-d destination address

-- dport designated port

-j processed behavior ACCPET receive, DROP discard, REJECT reject

-iinput matches the interface of the network card entered

-the interface of the network card matched by ooutput

-m state-- state matches network status

For more information about the linux retaining wall iptables, please see the relevant links below.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.