Shulou(Shulou.com)06/01 Report--

Iptables is essential to system security and plays a great role in preventing external security.

Iptables is only the notification rule of firewall, which is realized by the system netfilter in the kernel.

Firewalls are divided into two categories. Network layer firewall, application layer firewall.

The principle of the firewall is to set up passing rules in the only way for the message to communicate with the host in order to implement safe release. In general, there are five necessary ways for host communication, corresponding to five hook functions.

Hook function

PREROUTING: before routin

INPUT: the only way to reach the message inside the machine

FORWARD: the only way for messages forwarded by this machine

OUTPUT: the only way for messages sent by this machine

POSTROUTING: after routin

Firewall, divided into four rule menu raw, mangle, nat, filter

Filter: filtering, defining whether to allow through the firewall

Nat: address translation, enabling connection_track

SNAT

DNAT

PNAT

Mangle:

Raw: the goal is to turn off connection tracking enabled on the nat table

The correspondence between the table and the chain:

Filter: INPUT, FORWARD, OUTPUT

Nat: PREROUTING (SNAT), POSTROUTING (DNAT), OUTPUT

Mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Raw: PREROUTING, OUTPUT

Iptables is just a tool in user space. Write rules and automatically send them to netfilter with immediate effect. So before writing rules, you must pay attention to the rules you write and make sure you release your own connections, lest your ssh remote connections will not be released, blocking yourself out.

Netfilter: receive and take effect rules

Basic syntax:

Iptables [- t TABLE] COMMAND CHAIN CRETIRIA-j TARGET

Iptables [- t TABLE] COMMAND CHAIN CRETIRIA-j TARGET

Which table is added to which the command option link matches the standard processing method

[the above grammatical format is only relatively general, and different commands are used differently]

-t TABLE:

Nat, mangle, raw, filter

Default is filter

Commands for managing chains:

-F:flush, clear the rule chain

-N:new, build a chain by yourself

-X: delete, delete a custom empty chain

-Z:zero, the counter returns to zero

-P:policy, which sets the default policy. For filter tables, the default rule is ACCEPT or DROP

-E: rename custom chain

Rules in the management chain

-A: add

-I: insert

-D: deletin

-R: modify = > if you want to modify a rule, the syntax order should correspond to the time of writing, so I usually don't use it. I usually write a new rule. After the rule to be modified, delete the rule to be changed.

Query rules:

-L

-n: display host address and port in numeric format

-v: detailed format,-vv,-vvv

-- line-numbers: displays the rule number

Pkts bytes target prot opt in out source destination

Packet byte destination protocol inflow interface source address outflow interface source address

-x: exactly, do not convert the counting result of the counter in units, but display its exact value

For the use of all commands, the filter table is used by default without-t table [specified table]

Iptables [- t TABLE]-A chain name matching condition-j processing target

Matching criteria:

Universal matching

-s address: specify the range in which the message source IP address matches; it can be IP or network address; you can use it! Take reverse

-src,-source

-d address: specifies the range in which the destination IP address of the message matches

-dst,-destination

-p protocol: specifies the protocol type that matches the message. There are generally three types of tcp, udp and icmp.

-I INTERFACE: the interface for the flow of datagrams; PREROUTING, INPUT, FORWARD

-o INTERFACE: the API for Datagram outflow; OUTPUT, FORWARD, POSTROUITING

Extended matching

Implicit extension: when using one of-p {tcp | udp | icmp}, you can directly use the extension-specific option

-p tcp:

-- sport PORT [- PORT]: specify the source port

-- dport PORT [- PORT]: specify the destination port

-- tcp-flags

-p udp:

-- sport

-- dport

-p icmp [- m icmp] = > Network message detection protocol

-- icmp-type 0: echo-reply, ping response 8: echo-request, ping request

Iptables

Deal with the target:

Built-in targets:

Generally speaking, DROP does not discard traffic messages quietly. It is best not to use reject.

REJECT

ACCEPT

For example, write a rule that allows you to receive request responses from other hosts on the native ping

[root@apache_13] # iptables-An INPUT-d 172.16.26.13-p icmp--icmp-type 0-j ACCEPT

Release local ping requests to other hosts

[root@apache_13] # iptables-An OUTPUT-p icmp-j ACCEPT

Explicit extension: you must specify which module to use for extension before you can use its extension-specific option

-m state-- state = = > remember that the-m parameter is used once for each different extension

Module: iptables,netfilter each has a part of the code

Multiport: multi-port matching

Can be used to match discontiguous or contiguous ports; up to 15 ports specified

Dedicated options:

-source-ports,-sports port [, port,port:port]

-destination-ports,-dports

-- ports

[root@apache_13] # iptables-I INPUT-p tcp-m multiport-- dports 22 80-j ACCEPT

Release all messages that access port 225080.

Iprange: matches addresses within the specified range

It is useful to match a contiguous address rather than the entire network

Dedicated options:

[!]-- src-ragne IP [- IP]

[!]-dst-range

[root@apache_13] # iptables-I INPUT-p tcp-m multiport-- dports 22 iprange 80-m iprange-- src-range 172.16.26.1-172.16.26.10-j ACCEPT

Release the message of 172.16.26.1-10 to access port 222280 of this machine.

String: string matching, which can detect strings in the message application layer

An efficient algorithm for character matching checking

Kmp, bm

Dedicated options:

-- algo {kmp | bm}

-string "STRING"

-- hex-string "HEX_STRING": HEX_STRING is a string encoded in hexadecimal format

# iptables-I OUTPUT-m string-algo kmp-string "sex"-j DROP

For example, admin is not allowed in the string

[root@apache_13] # iptables-An OUTPUT-m string-- string 'admin'-- algo kmp-j DROP

Time: time-based access control

Dedicated options:

-- datestart YYYY [- MM] [- DD [Thh [: mm [: ss]

-- datestop

For example, no access is allowed between 8-19 and 8-20

[root@apache_13] # iptables-An INPUT-m time-- datestart 2014-08-19-- datestop 2014-08-20-j DROP

-- timestart hh:mm [: ss]

-- timestop hh:mm [: ss]

For example, no access is allowed between 12:00 and 14:00

[root@apache_13] # iptables-An OUTPUT-m time-- timestart 12:00-- timestop 14:00-j DROP

-- weekdays day [, day]

Mon, Tue

For example, no visits are allowed on Monday and Tuesday

[root@apache_13] # iptables-An OUTPUT-m time-- weekdays Mon,Tue-j DROP

Connlimit: limit the number of connections, which limits the number of concurrent connections that can be initiated per IP

Dedicated options:

[!]-- connlimit-above [n]

For example, limit 176hosts to a maximum of 3 ssh connections

[root@apache_13] # iptables-I INPUT 1-s 172.16.26.176-p tcp-- dport 22-m connlimit--connlimit-above 3-j DROP

Limit: rate limit

Dedicated options:

-- limit n [/ second | / minute | / hour | / day]

-- limit-burst n

Example: each ip can only ping me 20 times per minute, and can only concurrently 5 ping packages at a time.

[root@apache_13] # iptables-An INPUT-d 172.16.100.7-p icmp--icmp-type 8-m limit--limit 20/minute-- limit-burst 5-j ACCEPT

State: status check

Dedicated options:

-- state

[root@apache_13] # iptables-I INPUT 3-s 172.16.10.0 ACCEPT 24-d 172.16.26.13-p tcp-m multiport-- destination-ports 22 80-m state-- state NEW,ESTABLISHED-j ACCEPT

Iptables-I OUTPUT 1-m state-- state ESTABLISHED # for all packets in established status, other release rules on the OUTPUT chain can be deleted

Status in connection tracking:

NEW: establish a new session

ESTABLISHED: established connection

RELATED: connections about connections

INVALID: unrecognized connection

Comprehensive exercise 1

Restrict access to the web server of the local host on Monday; the rate of new requests cannot exceed 100pps; the web server does not allow access to pages containing admin strings; and the web server only allows response messages to leave the machine.

Iptables-An OUTPUT-m time-- weekdays Mon-m limit-- limit 100Universe s-m string-- string 'admin'-- algo kmp-j DROP

Speed limit 100th filter string per second filter admin uses kmp algorithm

Adjust the maximum number of connections that the connection tracking feature can accommodate:

/ proc/sys/net/nf_conntrack_max

All connections currently tracked

/ proc/net/nf_conntrack

Attributes for tracking different protocols or connection types:

/ proc/sys/net/netfilter directory:

Release the FTP service in passive mode:

1. Load module / lib/modules/KERNEL_VERSION/kernel/net/netfilter/

Module: nf_conntrack_ftp

2. Release request message:

(1) release the request message for port 21 in NEW status

(2) release ESTABLISHED and RELATED status messages

3. Release response message:

(1) release ESTABLISHED and RELATED status messages

Comprehensive case

Configure routing rules for apache_13 with ssh,httpd service

-An INPUT-p tcp-m tcp-- dport 80-m time-- weekdays Tue-- datestop 2038-01-19T11:14:07-m string-- string "admin"-- algo kmp-- to 65535-j DROP

-An INPUT-p tcp- m tcp--tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG-j DROP

-An INPUT-p tcp- m tcp--tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE-j DROP

-An INPUT-d 172.16.26.13 udp 32-p udp-m udp-- sport 53-j ACCEPT

-An INPUT-d 172.16.26.13 + 32-p tcp-m tcp-- dport 22-m state-- state NEW,ESTABLISHED-j ACCEPT

-An INPUT-p tcp-m tcp-- dport 80-m state-- state NEW,ESTABLISHED-j ACCEPT

-An INPUT-s 172.16.26.14 + 32-j ACCEPT

-An INPUT-s 172.16.26.16ax 32-j ACCEPT

-An OUTPUT-s 172.16.26.13 + 32-p udp-m udp-- dport 53-j ACCEPT

-An OUTPUT-p tcp-m state-- state ESTABLISHED-j ACCEPT

-An OUTPUT-p icmp-j ACCEPT

-An OUTPUT-p tcp-m multiport-- sports 22Pol 80-j ACCEPT

-An OUTPUT-d 172.16.26.14 + 32-p tcp-m tcp-- dport 9000-j ACCEPT

Rule saving and reading of iptables

Service iptables save = = > rules are saved to / etc/sysconfig/iptables

You can also save to a custom location

Iptables-save > / tmp/iptables.cnf.

If you want to read it someday, you can iptables-restore < / tmp/iptables.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.