2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
1. Iptables Firewall
The Netfilter/iptables framework implements packet filtering, network address translation (NAT) and packet management functions.
The firewall system in Linux consists of two parts: netfilter and iptables. Netfilter lives in kernel space and is part of the Linux kernel; specifically, netfilter is a series of hooks in the Linux kernel that allow packet-filtering functions to be attached inside the kernel. Iptables is the user-space tool: because netfilter sits in kernel space, users cannot touch or modify it directly, so a command-line tool such as iptables is needed to add and remove the filter rules that the kernel applies.
2. Iptables rule tables, chain structure, priority between tables, priority of rule chains
2.1. Rule tables
Iptables manages four different rule tables, each implemented by an independent kernel module:
Filter table (packet filtering rules): contains 3 chains: INPUT, OUTPUT, FORWARD
Nat table (address translation rules): PREROUTING, POSTROUTING, OUTPUT
(1) DNAT: changes the destination address of the packet so that it can be rerouted to another machine (lets the public network reach a server inside the LAN)
(2) SNAT: changes the source address of the packet (lets the LAN access the public network)
(3) MASQUERADE: like SNAT, lets the LAN access the public network, but is used when there is no fixed public IP, for example dial-up Internet access over PPP/PPPoE
Mangle table (packet marking and modification rules): PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
The mangle table modifies packets by changing fields of the packet header (TTL, TOS, MARK):
(1) TOS: sets or changes the type of service of a packet. Do not set TOS on packets destined for the Internet unless you intend to rely on TOS for routing. Do not configure any filtering, SNAT or DNAT in the mangle table.
(2) TTL: changes the lifetime of a packet so that every outgoing packet carries one particular TTL, which hides from the ISP how many hops it has taken. Some ISPs do not want multiple computers sharing a single connection, and detect this by checking whether the packets from one connection carry different TTL values.
(3) MARK: sets a special mark on packets; the mark can be used to configure bandwidth limits and to classify traffic based on requests.
Raw table (connection tracking rules): OUTPUT, PREROUTING
2.2. Rule chains
INPUT chain: rules in this chain are applied when a packet addressed to the firewall itself (inbound) is received
OUTPUT chain: rules in this chain are applied when the firewall itself sends packets (outbound)
FORWARD chain: rules in this chain are applied to packets received by the firewall that need to be forwarded to another address
PREROUTING chain: rules in this chain are applied before the routing decision is made
POSTROUTING chain: rules in this chain are applied after the routing decision, just before the packet leaves
2.3. Rule table priority
raw > mangle > nat > filter
2.4 Rule chain priority
3. Syntax of the iptables command
3.1. Basic format
Usage: iptables [-t table] {-A|-D|-I|-F|-L|-Z|-P} chain [match conditions] [-j target]
3.2. Detailed description of command parameters:
-A appends (--append) a new rule to the end of the specified chain
[root@server136 ~]# iptables -A INPUT -p tcp -s 192.168.8.8 -j DROP (add a rule that forbids 192.168.8.8 from accessing the local machine)
-D deletes (--delete) a rule in the specified chain; the rule to delete is identified by its sequence number or by its content
[root@server136 ~]# iptables -D INPUT -p tcp -s 192.168.8.8 -j DROP (delete that rule)
-I inserts a new rule into the specified chain; if no position is given, it is inserted at the beginning of the chain by default
[root@server136 ~]# iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT (insert a rule at position 2 of INPUT that allows port 443 in)
-R modifies or replaces a rule in the specified chain; the rule to replace is identified by its sequence number or by its content
[root@server136 ~]# iptables -R INPUT 2 -s 192.168.8.9 -j REJECT (replace the second rule: deny this IP access to this machine)
-L lists all rules in the specified chain; if no chain name is given, the contents of every chain in the table are listed
[root@server136 ~]# iptables -L -n (view the rules in the filter table)
-F flushes all rules in the specified chain; if no chain name is given, every chain in the table is flushed
[root@server136 ~]# iptables -F (clear all rules in the filter table)
-N creates a user-defined rule chain
[root@server136 ~]# iptables -t nat -N tarace (create a new chain named tarace in the nat table)
-X deletes a user-defined rule chain from the table
[root@server136 ~]# iptables -t nat -X tarace (delete the newly created tarace chain)
-P sets the default policy for the specified chain (uppercase P)
[root@server136 ~]# iptables -P INPUT DROP (set the INPUT chain policy to drop; use with caution: a remote session will be cut off completely unless port 22 was allowed first)
Add a rule allowing port 22 before applying that policy:
[root@server136 ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@server136 ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@server136 ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
-n displays the output in numeric form, for example IP addresses instead of host names
[root@server136 ~]# iptables -n -L (used together with -L)
-v displays detailed information (packet and byte counters, interfaces) when listing rules
[root@server136 ~]# iptables -n -L -v
Chain INPUT (policy DROP 13 packets, 2753 bytes)
 pkts bytes target     prot opt in     out     source               destination
   81  7629 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 75 packets, 9341 bytes)
 pkts bytes target     prot opt in     out     source               destination
-V shows the version of the iptables command-line tool
[root@server136 ~]# iptables -V
iptables v1.4.7
-h shows the command help
[root@server136 ~]# iptables -h
--line-numbers: when listing rules, also show each rule's sequence number (its position in the chain)
[root@server136 ~]# iptables -n -L --line-numbers
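The listing produced by iptables -n -L -v --line-numbers is the main audit view of a running firewall, and its counters tell you which rules never match and which chains still fall through to an ACCEPT policy. The script below is an added example, not code from the original article: it parses a constructed copy of such a listing (the chain names and counters are made up for the demonstration) and reports zero-hit rules and chains whose default policy is not DROP. On a real host, pipe the real command output into the same functions.

```shell
#!/bin/sh
# Added example: audit an "iptables -n -L -v --line-numbers" listing.
# SAMPLE_LISTING is constructed for this demonstration; on a real host use:
#   iptables -n -L -v --line-numbers | zero_hit_rules
SAMPLE_LISTING='Chain INPUT (policy DROP 13 packets, 2753 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       81  7629 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        0     0 ACCEPT     tcp  --  *      *       192.168.8.10         0.0.0.0/0            tcp dpt:443
3      402 31210 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 75 packets, 9341 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
'

# Read a listing on stdin and print "CHAIN rule-number target" for every
# rule whose packet counter is 0. With --line-numbers the columns are:
#   $1=num $2=pkts $3=bytes $4=target ...
# A counter of 0 after a long uptime usually means the rule is dead or
# shadowed by an earlier rule in the same chain.
zero_hit_rules() {
    awk '
        /^Chain /        { chain = $2; next }   # remember the current chain
        /^num / || NF == 0 { next }             # skip header and blank lines
        $2 == 0          { print chain, $1, $4 }
    '
}

# Read a listing on stdin and print the name of every built-in chain whose
# default policy is something other than DROP. User-defined chains show
# "(N references)" instead of "(policy ...)" and are ignored.
non_drop_policies() {
    awk '/^Chain .*\(policy / { if ($4 != "DROP") print $2 }'
}

# Stand-alone run: report on the constructed sample.
printf '%s' "$SAMPLE_LISTING" | zero_hit_rules
printf '%s' "$SAMPLE_LISTING" | non_drop_policies
```

Zero-hit rules are a hygiene signal rather than proof of a problem: a rule protecting a service that is never attacked also stays at 0, so read the output together with the rule text before deleting anything.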
3.3. Matching condition types in rule chains
3.3.1. Generic matches: usable directly without depending on other conditions or extensions, including network protocol, IP address, network interface, etc.
1. Protocol match: -p protocol-name
[root@server136 ~]# iptables -A FORWARD ! -p icmp -j ACCEPT (packets of every protocol except ICMP may be forwarded)
2. Address match: -s source-address, -d destination-address
3. Interface match: -i inbound NIC, -o outbound NIC
[root@server136 ~]# iptables -I FORWARD -s 192.168.8.10 -p tcp -o eth1 --sport 80 -j ACCEPT (replies from port 80 of source address 192.168.8.10 may be forwarded out through eth1)
3.3.2. Implicit matches: require a specific protocol to be matched first, and include port, TCP flags, ICMP type, etc.
1. Port match: --sport source-port, --dport destination-port
[root@server136 ~]# iptables -A FORWARD -s 192.168.8.0/24 -p udp --dport 53 -j ACCEPT (the 192.168.8.0/24 network may access port 53 on other networks)
[root@server136 ~]# iptables -A FORWARD -d 192.168.9.0/24 -p udp --sport 53 -j ACCEPT (packets from port 53 may reach hosts on the 192.168.9.0/24 segment)
2. TCP flag match: --tcp-flags [flags to examine] [flags that must be set]
[root@server136 ~]# iptables -I INPUT -i eth2 -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP (inbound packets with only SYN set among SYN, RST and ACK, i.e. new connection attempts, are dropped)
3. ICMP type: --icmp-type type (8 = echo request, 0 = echo reply, 3 = destination unreachable)
[root@server136 ~]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP (someone pinging my host: discard it)
[root@server136 ~]# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT (replies to my own pings are allowed in)
3.3.3. Explicit matches (loaded with -m)
1. Multi-port match: -m multiport --sports source-port-list
-m multiport --dports destination-port-list
[root@server136 ~]# iptables -A INPUT -p tcp -m multiport --dports 80,110,443 -j ACCEPT
2. IP range match: -m iprange --src-range source-IP-range
-m iprange --dst-range destination-IP-range
[root@server136 ~]# iptables -A FORWARD -p tcp -m iprange --src-range 192.168.7.10-192.168.7.123 -j ACCEPT (allow packets from the above IP range to pass)
[root@server136 ~]# iptables -A FORWARD -p tcp -m iprange --dst-range 192.168.8.10-192.168.123 -j ACCEPT
3. MAC address match: -m mac --mac-source source-MAC-address
[root@server136 ~]# iptables -A INPUT -m mac --mac-source 00:0c:29:b1:f6:c4 -j ACCEPT
4. State match: -m state --state connection-state
NEW: the packet starts a new connection and is not associated with any existing connection
ESTABLISHED: the packet is a response to a request, or belongs to an already established connection
RELATED: the packet is related to an existing connection (for example an FTP data connection)
[root@server136 ~]# iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
4. Trigger actions (targets)
ACCEPT allows the packet to pass
DROP discards the packet silently
REJECT refuses the packet and sends an error reply to the sender
LOG records packet information in the syslog log (and then continues with the next rule)
DNAT destination address translation
SNAT source address translation
MASQUERADE source address masquerading (SNAT for a dynamically assigned address)
REDIRECT redirection to a port on the local machine
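The LOG target is what turns a DROP policy into evidence: a rule such as iptables -A INPUT -j LOG --log-prefix "IPT-INPUT-DROP: " placed just before the drop writes one kernel line per rejected packet into syslog, with SRC=, DST=, PROTO= and DPT= fields. The script below is an added example, not code from the original article; it parses a constructed batch of such log lines (the hostname server136, the prefix IPT-INPUT-DROP and all addresses are made up) and summarises who is being dropped most and which sources touch many different ports.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines from syslog.
# LOG_SAMPLE is constructed; on a real CentOS 6 host you would read
# /var/log/messages (or the output of: dmesg) instead.
LOG_SAMPLE='Jun  1 10:02:11 server136 kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:b1:f6:c4:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.8.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:02:12 server136 kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:b1:f6:c4:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.8.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:02:13 server136 kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:b1:f6:c4:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.8.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=44323 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  1 10:02:14 server136 kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:b1:f6:c4:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.168.8.136 LEN=71 TOS=0x00 PREC=0x00 TTL=118 ID=9 PROTO=UDP SPT=5353 DPT=53 LEN=51
Jun  1 10:02:15 server136 kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:b1:f6:c4:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=192.168.8.136 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=44324 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "count SRC" for each source address,
# most-dropped first. Only lines that look like netfilter LOG output
# (a kernel line carrying IN=) are considered.
drops_by_source() {
    awk '
        /kernel: .*IN=/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            if (src != "") count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Read log lines on stdin; print "SRC n" for every source that was dropped
# on at least $1 distinct destination ports (default 3). One source
# touching many ports in a short window is the classic port-sweep shape.
port_spread() {
    min=${1:-3}
    awk -v min="$min" '
        /kernel: .*IN=/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$LOG_SAMPLE" | drops_by_source
printf '%s\n' "$LOG_SAMPLE" | port_spread 3
```

Because LOG does not terminate rule processing, the LOG rule and the final DROP (or the DROP policy) together produce these lines; if a host is flooded, add -m limit to the LOG rule so syslog itself does not become the bottleneck.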
5. Notes on writing rules:
Server: allow the inbound request first, then the outbound reply
Client: allow the outbound request first, then the inbound reply
Block everything first, then open what is needed: anything not explicitly allowed is intercepted
When writing allow rules there must be both an inbound and an outbound rule, otherwise the traffic will not get through.
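Putting the notes above together with the warning about -P INPUT DROP from section 3.2 (allow port 22 before changing the policy), the script below is an added example and not code from the original article. It emits a default-deny, stateful INPUT policy for a server in lockout-safe order: loopback and return traffic first, then SSH from an admin network, then the public services, then a LOG rule, and only then the DROP policy. The admin network 192.168.8.0/24, the ports and the IPT variable are assumptions for the demonstration; by default the commands are only printed, and setting IPT=iptables applies them for real.

```shell
#!/bin/sh
# Added example: build a default-deny INPUT policy in lockout-safe order.
# IPT defaults to a dry-run printer; run with IPT=iptables to apply.
IPT=${IPT:-dry_run}

# Dry-run stand-in for the iptables binary: print the command instead.
dry_run() { printf 'iptables'; printf ' %s' "$@"; printf '\n'; }

# Return 0 if $1 is a port number in 1..65535, else 1.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1 = admin network (CIDR) allowed to reach SSH; remaining args = public TCP ports.
harden_input() {
    admin_net=$1; shift
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # 1. loopback and return traffic: a server allows the request in and
    #    its reply out, so ESTABLISHED,RELATED is covered in both chains
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. management access BEFORE the policy flips to DROP (section 3.2)
    $IPT -A INPUT -p tcp -s "$admin_net" --dport 22 -m state --state NEW -j ACCEPT
    # 3. public services: only new connections to the listed ports
    for p in "$@"; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # 4. record whatever is about to fall through, then block everything else
    $IPT -A INPUT -j LOG --log-prefix "IPT-INPUT-DROP: "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

# Read a dry-run transcript on stdin; print 0 if the SSH allow rule comes
# before the INPUT DROP policy (safe order), otherwise 1.
ssh_before_drop() {
    awk '
        /--dport 22/ && !ssh { ssh = NR }
        /-P INPUT DROP/      { pol = NR }
        END { if (ssh && pol && ssh < pol) print 0; else print 1 }
    '
}

# Stand-alone run: print the rules for an admin net and two web ports,
# then confirm the ordering is safe.
harden_input 192.168.8.0/24 80 443 | tee /dev/stderr | ssh_before_drop
```

If the rules are later persisted with /etc/init.d/iptables save, they are restored atomically at boot, so the ordering matters mainly while applying them live over SSH; the ssh_before_drop check is the kind of guard to run on any generated transcript before pointing IPT at the real binary.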