2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through "Linux system security configuration: iptables service example analysis". The content is meant to be clear and easy to follow, so that it helps resolve your doubts; read on to study iptables configuration with the editor.
Introduction to Linux Firewall
The firewall function of the Linux system is implemented in the kernel. Since kernel version 2.4, the packet filtering mechanism is netfilter and the management tool is iptables.
Netfilter
Netfilter is the packet-filtering framework that lives inside the system kernel; it is the "kernel mode" part of the Linux firewall.
Iptables
Located at /sbin/iptables, it is the command-line tool for managing the firewall rules and is the "user mode" part of the Linux firewall.
Introduction to tables and chains of iptables
A chain is a collection of firewall rules (policies). To filter or process packets, rules are placed into different "chains" according to the point in packet processing at which they apply.
The default five chains are as follows:
INPUT: processing inbound packets
OUTPUT: processing outbound packets
FORWARD: processing forwarded packets
POSTROUTING: processing packets after routing
PREROUTING: process packets before routing
A table is a collection of rule chains: rules with a similar purpose are grouped into one table, and within that table they are attached to the chains that correspond to the processing stage where they take effect.
The default four tables are as follows:
raw table: decides whether connection-state tracking is applied to a packet
mangle table: modifies or marks packets (for example, setting marks for later processing)
nat table: modifies the source or destination IP address or port of a packet
filter table: filters packets, that is, decides whether to accept or drop them
The structure of the iptables tables and chains is shown in the original article as a figure, which is not reproduced here.
Introduction to Iptables packet filtering matching
Priority between tables
raw -> mangle -> nat -> filter
Matching order between chains
Inbound data: PREROUTING -> INPUT
Outbound data: OUTPUT -> POSTROUTING
Forwarded data: PREROUTING -> FORWARD -> POSTROUTING
Matching order in the chain
1. Rules are checked sequentially from the top of the chain; checking stops at the first rule that matches, and that rule's target decides the packet's fate.
2. If no rule matches, the packet is handled according to the chain's default policy.
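Added example, not part of the original article: a small shell script that simulates the first-match-wins traversal of a single chain described above. The rule list, the packets and the chain's default policy are constructed for the demonstration; no real iptables command is run, and the commented iptables commands in the script are only the hypothetical ruleset the simulation mirrors.

```shell
#!/bin/sh
# Added example (not from the original article): simulate how one iptables
# chain is walked. Rules are checked top to bottom, the first match decides
# the verdict, and a packet that matches nothing gets the chain's default
# policy. Everything here is constructed; the live firewall is not touched.

# Default policy of the simulated INPUT chain (what "iptables -P INPUT DROP" sets).
POLICY="DROP"

# Simulated rules in chain order, one per line: "<proto> <dport|*> <target>".
# "*" means the rule does not look at the destination port.
# Hypothetical ruleset, equivalent to:
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp            -j REJECT
#   iptables -A INPUT -p icmp           -j ACCEPT
RULES="tcp 22 ACCEPT
tcp * REJECT
icmp * ACCEPT"

# chain_verdict <proto> <dport>: print the verdict for one packet.
chain_verdict() {
    local proto="$1" dport="$2" rp rport target
    while read -r rp rport target; do
        [ -z "$rp" ] && continue
        if [ "$rp" = "$proto" ] && { [ "$rport" = "*" ] || [ "$rport" = "$dport" ]; }; then
            printf '%s\n' "$target"   # first matching rule ends the walk
            return 0
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$POLICY"           # nothing matched: default policy applies
}

# Usage: constructed packets as "<proto> <dport>" ("-" when there is no port).
for pkt in "tcp 22" "tcp 80" "icmp -" "udp 53"; do
    set -- $pkt
    printf '%-5s dport=%-3s -> %s\n' "$1" "$2" "$(chain_verdict "$1" "$2")"
done
```

Note how tcp port 80 is rejected because the generic "tcp REJECT" rule sits after the port-22 ACCEPT; inserting the REJECT rule at position 1 instead (the effect of "iptables -I INPUT 1 ...") would also cut off port 22, which is why rule order, not just rule content, has to be reviewed.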
The flow chart of packet matching is shown in the original article as a figure, which is not reproduced here.
Iptables management and configuration
Command syntax format
iptables [-t table-name] option [chain-name] [matching-conditions] [-j target-action]
Note: when the table name is not specified, the default is filter table.
When no chain name is specified, the command applies to all chains in the table (for example, listing or flushing).
Apart from setting a chain's default policy (-P), a rule needs matching conditions.
[root@host ~]# iptables -t filter -A INPUT -p tcp -j ACCEPT
[root@host ~]# iptables -I INPUT -p udp -j ACCEPT
[root@host ~]# iptables -I INPUT 2 -p icmp -j ACCEPT
[root@host ~]# iptables -P INPUT DROP
[root@host ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere
Matching conditions for packets
Protocol matching (tcp/udp/icmp)
-p protocol name
iptables -A FORWARD ! -p icmp -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT
Address matching
-s source-address  -d destination-address
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -s 100.0.0.100 -j ACCEPT
Port matching
--sport source-port  --dport destination-port
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:80 -j ACCEPT
Processing actions of common data packets
ACCEPT: release packet
DROP: drop packet
REJECT: reject packet
Import and export management of iptables rules
Export: iptables-save > /etc/sysconfig/iptables
Import: iptables-restore < /etc/sysconfig/iptables
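Added example, not part of the original article: a shell script that writes a default-deny INPUT ruleset in the text format that iptables-save produces and iptables-restore reads, then sanity-checks it before it is loaded. The ruleset contents, the temporary file path and the lockout check are assumptions made for this demonstration; the -m conntrack --ctstate match is standard iptables but does not appear in the article. The script writes only to a temporary file; the commented-out last line is what an administrator would run as root to apply it.

```shell
#!/bin/sh
# Added example (not from the original article): build a default-deny INPUT
# ruleset in iptables-save format and check it before restoring. Paths and
# rule contents are assumptions for the demonstration; nothing here changes
# the live firewall.

# write_ruleset <file>: write a hypothetical filter-table ruleset. The ACCEPT
# rules for loopback, established connections and SSH are listed before the
# DROP policy is applied on restore, the same "allow first, then drop by
# default" order as the article's interactive commands.
write_ruleset() {
    cat > "$1" <<'EOF'
# Constructed ruleset (iptables-save format), filter table only
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# check_ruleset <file>: return 0 if the file is structurally sane and will not
# lock a remote SSH administrator out; return 1 with a message otherwise.
check_ruleset() {
    rf="$1"
    # every table block must end with COMMIT or iptables-restore rejects it
    grep -q '^COMMIT$' "$rf" || { echo "missing COMMIT"; return 1; }
    # a default-deny INPUT policy needs an explicit SSH allow, otherwise the
    # restore drops the very session that loaded it
    if grep -q '^:INPUT DROP' "$rf" && \
       ! grep -q -- '-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$rf"; then
        echo "INPUT policy is DROP but there is no SSH ACCEPT rule"
        return 1
    fi
    # optional: parse with the real tool without committing anything
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$rf" 2>/dev/null \
            || echo "iptables-restore --test did not succeed (may need root)"
    fi
    return 0
}

# Usage: write to a temporary file, never directly to /etc/sysconfig/iptables.
RULEFILE="${TMPDIR:-/tmp}/iptables.rules.example"
write_ruleset "$RULEFILE"
check_ruleset "$RULEFILE" && echo "ruleset OK: $RULEFILE"
# To apply for real (as root):  iptables-restore < "$RULEFILE"
```

The lockout check is the one to keep: restoring a file whose INPUT policy is DROP without an SSH ACCEPT rule disconnects the remote session that loaded it, which is exactly what the article's interactive sequence avoids by adding its ACCEPT rules before "iptables -P INPUT DROP". The "iptables-restore --test" call parses the file without committing it, so syntax errors surface before anything changes.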