2025-01-18 Update From: SLTechnology News&Howtos (Shulou.com), 06/01 Report
What is a firewall?
A firewall is a defense system that separates the local network from the outside network. In everyday language a firewall is a fireproof wall whose purpose is to contain a fire and establish a safe area. For a computer or the Internet, the firewall works at the edge of a host or of a network (the edge of a computer is its network card; the edge of a network is its router). It checks incoming and outgoing packets against pre-defined rules, and once a packet matches a rule the processing action defined by that rule is taken. Depending on where it sits, we call it a host firewall or a network firewall.
Linux Network Firewall:
There are two components, and netfilter is the one that actually implements the firewall function.
Netfilter: the packet-filtering framework in the kernel, the network filter.
Iptables: the tool that generates firewall rules and attaches them to netfilter to achieve packet filtering. Filtering is only one of its functions; it also generates NAT, mangle and other kinds of rules. Iptables itself does not filter anything: the real firewall function lies in the rules, and the rules only take effect once they are placed into netfilter. A rule consists of matching criteria and a processing action. Firewalls can be hardware or software; in both cases rules must be defined and activated before the firewall actually does anything in its working domain.
Netfilter works in kernel space (where the rules are placed); iptables works in user space, where the rules are written and then passed to their corresponding position in the kernel through system calls. A rule has no effect until it has been activated there.
1. Evolution from chains to tables
ipfw --> ipchains --> iptables
Each chain can be seen as having evolved into a table.
Iptables/netfilter: network filter
netfilter: in the kernel; rules only work once they are enabled there
Hook function: also called a chain
It can be understood as a checkpoint at a certain position where the packet is matched against the filtering rules.
[extension]: for reference use the man pages; iptables is a multi-module command, so use both man iptables and man iptables-extensions
Iptables
The firewall function is implemented by a set of rules, and these rules are written with iptables.
Message flow
(1) inbound: from the outside into the host
(2) outbound: from the host to the outside
(3) forwarded: passing through the host
Any packet must pass through one of these paths, and the destination IP looked up in the routing table determines which one. This is called a routing decision, and it happens once a packet received by the local network card has been handed to the TCP/IP protocol stack. The three flows above correspond to hook functions placed in the TCP/IP protocol stack; any packet passing through any of them is checked, and if it matches one of the rules, that rule's processing action is executed.
Hook: hook functions whose rules are checked one by one from top to bottom. Five hooks:
Prerouting: before routing
Input: entering the local host
Output: leaving the local host
Forward: forwarding
Postrouting: after routing
The rules at each hook are combined to form a chain, called a rule chain; each hook function has its own chain.
Five rule chains:
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
Iptables structure:
Iptables built-in chain and Custom chain
Built-in chains (uppercase): each corresponds to a hook function
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Custom chains:
You can define custom chains, but a custom chain only takes effect when it is called (jumped to) from another chain; if a packet matches none of the rules in the custom chain, it must return to the calling chain. Users can delete a custom chain once it is empty, but the built-in chains cannot be deleted. Every rule has two built-in counters: one records the number of packets it matched, the other the total size of those packets.
The mode of operation of Iptables rules
When the routing decisions occur
After a packet enters this machine:
Is the destination host the local machine?
Yes: INPUT
No: FORWARD
Before a packet leaves the machine:
Which interface sends it to the next hop?
Rules for Iptables:
Components: a rule tries to match a packet against its matching conditions, and a packet that matches is handled by the processing action the rule defines.
Matching criteria:
Basic match:
Extended matching:
Processing actions:
Basic processing action
Extended processing action
Custom processing action
Considerations for iptables when adding rules:
1. What function to achieve: determine which table to add rules to
2. Where the message flows: determine which chain to add rules to
IP header (figure not reproduced)
Iptables rule implementation command
Firewall startup handling
Startup handling on different system versions
CentOS 7
~]# systemctl stop firewalld.service
~]# systemctl disable firewalld.service
CentOS 6
~]# service iptables stop
~]# chkconfig iptables off
Iptables rule command syntax
Command format: iptables [-t table] SUBCOMMAND chain [matches ...] [-j target]
Parameters:
-t table: the table to operate on
Four tables: raw, mangle, nat, filter
SUBCOMMAND: the operation to perform
chain: the chain to operate on
matches: matching conditions, there can be several
-j target: the action to execute on a matching packet
Chain management:
-N: new, adds a custom chain
iptables -N testchain (adds an empty chain with reference count 0)
iptables -nL: view the rules
[root@bogon ~]# iptables -N testchain
[root@bogon ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain testchain (0 references)
target prot opt source destination
-X: delete, deletes a custom chain (it must be empty)
[root@bogon ~]# iptables -X testchain
[root@bogon ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-P: policy, sets the default policy of a chain
The default policies are:
ACCEPT: accept
DROP: discard
REJECT: reject
[root@localhost ~]# iptables -t filter -P FORWARD DROP
Sets the default policy of the FORWARD chain in the filter table to DROP
Note: the default policy applies when a packet is matched by no rule in the chain. The action here is not preceded by -j; this is the only case where an action is given without -j.
[extension] if the INPUT policy is set to DROP you can lose your remote connection. The solution is to schedule a timed (periodic) job in advance that clears the rules.
Symptom: after everything is changed to DROP, remote login and ping no longer get through, yet port 22 (ssh) is still listening.
-E: rename, renames a custom chain that is not referenced (reference count 0)
[root@bogon ~]# iptables -N testchain
[root@bogon ~]# iptables -E testchain mychain
[root@bogon ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain mychain (0 references)
target prot opt source destination
Rule management:
-A: append, appends a rule (placed at the end by default)
[root@localhost ~]# iptables -t filter -A INPUT -j DROP
Appends a rule to the INPUT chain of the filter table (as the last rule; it matches every packet addressed to the local IP and discards it), so for example the pseudo-terminal of an ssh login is also cut off.
-I: insert [rule number], inserts a rule
[root@localhost ~]# iptables -I INPUT -j DROP
Inserts a rule into the INPUT chain of the filter table (as the first rule)
[root@localhost ~]# iptables -I INPUT 3 -j DROP
Inserts a rule into the INPUT chain of the filter table (as rule 3)
Note: 1. -t filter can be omitted; if it is not given, the filter table is used by default.
2. -I chain [rule number]: if the rule number is omitted, it defaults to 1.
3. Make sure the rule number is ≤ (number of existing rules + 1), otherwise an error is reported.
-D: delete, deletes a rule
[root@localhost ~]# iptables -D INPUT 3
Deletes the third rule in the INPUT chain of the filter table (match by number)
Note: after the 3rd rule is deleted, the original 4th rule becomes the 3rd.
[root@localhost ~]# iptables -D INPUT -s 192.168.1.1 -j DROP
Deletes the rule "-s 192.168.1.1 -j DROP" from the INPUT chain of the filter table (regardless of its position)
Note:
1. If the rule list contains several identical rules, deleting by content removes only the one with the lowest number.
2. When deleting by number, make sure the rule number ≤ the number of existing rules, otherwise an error is reported.
3. When deleting by content, make sure the rule exists, otherwise an error is reported.
-R: replace, replaces a rule
[root@localhost ~]# iptables -R INPUT 3 -j ACCEPT
Replaces the content of the rule numbered 3 with "-j ACCEPT"
Note: make sure the rule number
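The chain-walk behaviour described in the custom chain section (first match wins, implicit return from a custom chain, the two per-rule counters) and the -I/-D numbering rules in this section, modelled in a short Python script. This is an added example, not code from the original article or from iptables itself; the Table and Rule classes, the dict-based packets and matches, and the constructed sample addresses are assumptions made for the model.

```python
# Added example, not from the original article: a small model of how netfilter
# walks a chain, so the -I/-D numbering rules, the custom-chain return and the
# per-rule counters can be exercised. Simplification (assumption): a packet is a
# dict and a rule's match is a dict of fields that must all be equal.
from dataclasses import dataclass
TERMINAL = ("ACCEPT", "DROP", "REJECT")
@dataclass
class Rule:
    match: dict          # e.g. {"src": "192.168.1.1"}; {} matches every packet
    target: str          # ACCEPT/DROP/REJECT, RETURN, or a custom chain to jump to
    pkts: int = 0        # the two built-in counters: matched packets ...
    size: int = 0        # ... and the sum of their sizes
class Table:
    def __init__(self):
        self.chains = {c: [] for c in ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")}
        self.policy = {c: "ACCEPT" for c in self.chains}   # only built-in chains have a policy
    def new_chain(self, name):                        # iptables -N name
        self.chains[name] = []
    def append(self, chain, rule):                    # iptables -A chain ... (goes last)
        self.chains[chain].append(rule)
    def insert(self, chain, rule, num=1):             # iptables -I chain [num] ... (default 1)
        if not 1 <= num <= len(self.chains[chain]) + 1:
            raise ValueError("rule number must be <= existing rules + 1")
        self.chains[chain].insert(num - 1, rule)
    def delete(self, chain, num=None, match=None, target=None):   # iptables -D
        rules = self.chains[chain]
        if num is not None:                           # by number: must be <= existing rules
            if not 1 <= num <= len(rules):
                raise ValueError("no rule with that number")
            del rules[num - 1]; return                # later rules shift up by one
        for i, r in enumerate(rules):                 # by content: lowest-numbered copy only
            if r.match == match and r.target == target:
                del rules[i]; return
        raise ValueError("no such rule")
    def walk(self, chain, pkt):                       # check top to bottom, first match decides
        for r in self.chains[chain]:
            if all(pkt.get(k) == v for k, v in r.match.items()):
                r.pkts, r.size = r.pkts + 1, r.size + pkt["len"]
                if r.target in TERMINAL:
                    return r.target
                if r.target == "RETURN":
                    break
                verdict = self.walk(r.target, pkt)    # jump into a custom chain
                if verdict is not None:
                    return verdict                    # else it returned; keep checking here
        return self.policy.get(chain)                 # built-in: default policy; custom: implicit RETURN
```

Putting an ACCEPT rule for port 22 before the jump and only then setting the INPUT policy to DROP reproduces the lock-out-safe ordering the extension note above warns about.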