Shulou (shulou.com), SLTechnology News & Howtos > Network Security, 06/01 report; updated 2025-04-06
iptables is essential to system security and plays a large part in defending against external threats.
iptables itself only expresses the firewall rules; the filtering is carried out by netfilter inside the kernel.
Firewalls fall into two categories: network-layer firewalls and application-layer firewalls.
A firewall works by placing rules at the points every packet must pass on its way to or from the host, so that only permitted traffic is released. Host communication passes through five such points, corresponding to five hook functions.
Hook functions:
PREROUTING: before routing
INPUT: the path every packet destined for this machine must take
FORWARD: the path every packet forwarded by this machine must take
OUTPUT: the path every packet sent by this machine must take
POSTROUTING: after routing
Firewall rules are organised into four tables: raw, mangle, nat, filter
filter: filtering; decides whether a packet is allowed through the firewall
nat: address translation; enables connection tracking (connection_track)
SNAT
DNAT
PNAT
mangle:
raw: used to turn off the connection tracking that the nat table enables
Correspondence between tables and chains:
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING (SNAT), POSTROUTING (DNAT), OUTPUT
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT
iptables is only a user-space tool: the rules you write are handed to netfilter and take effect immediately. So before writing rules, check them carefully and make sure your own connection is allowed through; otherwise your SSH session will not be released and you will lock yourself out.
netfilter: receives the rules and enforces them
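Before applying rules over a remote session, it pays to check the rule dump for exactly the mistakes described above. The shell script below is an added example, not part of the original article: it reads an iptables-save dump (the format produced by the saving commands at the end of this article) and reports an INPUT chain that drops by default without accepting new ssh connections, that lacks an ESTABLISHED rule, or whose ACCEPT rules sit behind a catch-all DROP. The function names and the sample rules used in testing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: audit the INPUT chain of an
# iptables-save dump for the lockout mistakes the text warns about.
# The function names are constructed for this example.

# Print one finding per line for the INPUT chain of the dump in file $1;
# print nothing when the chain looks safe.
audit_input_chain() {
    awk '
    # Does ACCEPT rule r cover TCP port p? Handles --dport N, --dports a,b
    # and ranges a:b; a rule with no port filter and no udp/icmp protocol
    # (e.g. "-s 172.16.26.14/32 -j ACCEPT") covers every TCP port.
    function allows_port(r, p,   nf, f, i, k, n, list, rng) {
        nf = split(r, f, " ")
        for (i = 1; i < nf; i++) {
            if (f[i] == "--dport" || f[i] == "--dports" || f[i] == "--destination-ports") {
                n = split(f[i + 1], list, ",")
                for (k = 1; k <= n; k++) {
                    if (list[k] == p) return 1
                    if (split(list[k], rng, ":") == 2 && rng[1] + 0 <= p && p <= rng[2] + 0) return 1
                }
                return 0
            }
        }
        return (r !~ /-p (udp|icmp)/)
    }
    # Does rule r match NEW packets? True when it has no state match at all.
    function accepts_new(r,   nf, f, i) {
        nf = split(r, f, " ")
        for (i = 1; i < nf; i++)
            if (f[i] == "--state" || f[i] == "--ctstate") return (("," f[i + 1] ",") ~ /,NEW,/)
        return 1
    }
    /^:INPUT /   { policy = $2 }
    /^-A INPUT / { rule[++n] = $0 }
    END {
        # First rule that drops or rejects everything not matched above it
        catchall = n + 1
        for (i = 1; i <= n; i++)
            if (rule[i] == "-A INPUT -j DROP" || rule[i] == "-A INPUT -j REJECT") { catchall = i; break }
        default_drop = (policy == "DROP" || catchall <= n)
        for (i = 1; i <= n; i++) {
            if (rule[i] !~ /-j ACCEPT$/) continue
            if (i > catchall) {
                printf "rule %d is unreachable: catch-all DROP/REJECT at rule %d precedes it\n", i, catchall
                continue
            }
            # loopback-only accepts do not help a remote ssh login
            if (rule[i] !~ /-i lo( |$)/ && accepts_new(rule[i]) && allows_port(rule[i], 22)) ssh = 1
            if (rule[i] ~ /--(state|ctstate) [A-Z,]*ESTABLISHED/) est = 1
        }
        if (default_drop && !ssh)
            print "INPUT drops by default but no reachable rule accepts NEW tcp/22: the next ssh login is locked out"
        if (default_drop && !est)
            print "INPUT drops by default but nothing accepts ESTABLISHED traffic: replies to outbound connections are dropped"
    }' "$1"
}

# Number of findings for dump $1 (0 means the chain passed every check).
input_findings() {
    audit_input_chain "$1" | awk 'END { print NR }'
}
```

Run it as audit_input_chain /tmp/iptables.cnf against a dump taken with iptables-save before loading it; the checks are limited to the INPUT chain and to port-based ssh rules, so a rule that only accepts from one admin address is counted as covering ssh from that address.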
Basic syntax:
iptables [-t TABLE] COMMAND CHAIN CRITERIA -j TARGET
i.e. which table to operate on, the command, the chain, the match criteria, and the action for matching packets
[the syntax above is only a rough general form; individual commands differ in detail]
-t TABLE:
nat, mangle, raw, filter
Default is filter
Commands for managing chains:
-F: flush, clear the rules in a chain
-N: new, create a custom chain
-X: delete a custom chain (it must be empty)
-Z: zero, reset the counters
-P: policy, set the default policy of a chain; for the filter table this is ACCEPT or DROP
-E: rename a custom chain
Commands for managing rules in a chain:
-A: append
-I: insert
-D: delete
-R: replace => to modify a rule this way, the match options must be given in the same order as when the rule was written, so I usually don't use it. Instead I write a new rule after the one to be modified and then delete the old one.
Query rules:
-L: list
-n: display addresses and ports in numeric form
-v: verbose format; -vv, -vvv for more detail
--line-numbers: display rule numbers
pkts bytes target prot opt in out source destination
packets, bytes, target, protocol, options, inbound interface, outbound interface, source address, destination address
-x: exact; do not scale the counters to K/M/G units but show their exact values
All commands operate on the filter table unless -t TABLE selects another one
iptables [-t TABLE] -A CHAIN MATCH_CRITERIA -j TARGET
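An added example (not from the article) of reading the columns just listed: the functions below take the output of iptables -nvxL INPUT --line-numbers on standard input and pull out the rules whose counters are still zero, the busiest rule, and the number of packets handled by the chain policy. The listing embedded in SAMPLE_INPUT_CHAIN is constructed for the example and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: read the counters printed by
# "iptables -nvxL INPUT --line-numbers" and spot rules that never match.
# SAMPLE_INPUT_CHAIN is a constructed listing; function names are my own.

# -x gives exact counters, -n numeric addresses, --line-numbers the rule
# number in the first column.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 12 packets, 960 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       15324    1203488 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2         210      12600 ACCEPT     tcp  --  *      *       172.16.26.0/24       172.16.26.13         tcp dpt:22 state NEW
3           0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.26.13         tcp dpt:80 state NEW
4          37       2220 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Rule numbers whose packet counter is still zero: the rule may be shadowed
# by an earlier one, or the service it protects never received traffic.
# Reads the listing on stdin and prints one rule number per line.
unused_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

# Number of the rule that matched the most packets.
busiest_rule() {
    awk '$1 ~ /^[0-9]+$/ && $2 > max { max = $2; num = $1 } END { print num }'
}

# Packets handled by the chain policy itself (traffic no rule matched),
# taken from the "Chain ... (policy DROP 12 packets, ...)" header line.
policy_packets() {
    awk '/^Chain / { sub(/.*policy [A-Z]+ /, ""); print $1 }'
}

# Review the sample: rule 3 (http) has never matched
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | unused_rules
```

On a live system feed the functions with iptables -nvxL INPUT --line-numbers | unused_rules; a growing policy_packets count on a DROP policy is traffic that none of your rules account for.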
Matching criteria:
General matches
-s ADDRESS: source IP address of the packet; an IP or a network address; prefix ! to negate
--src, --source
-d ADDRESS: destination IP address of the packet
--dst, --destination
-p PROTOCOL: protocol of the packet; usually one of tcp, udp, icmp
-i INTERFACE: interface the packet arrives on; valid in PREROUTING, INPUT, FORWARD
-o INTERFACE: interface the packet leaves by; valid in OUTPUT, FORWARD, POSTROUTING
Extended matches
Implicit extension: when one of -p {tcp|udp|icmp} is given, that protocol's options can be used directly
-p tcp:
--sport PORT[:PORT]: source port or port range
--dport PORT[:PORT]: destination port or port range
--tcp-flags
-p udp:
--sport
--dport
-p icmp [-m icmp] => Internet Control Message Protocol
--icmp-type 0: echo-reply, the ping response; 8: echo-request, the ping request
Targets (what to do with a matching packet):
Built-in targets:
DROP: discards the packet silently, without telling the sender anything. It is generally best not to use REJECT.
REJECT
ACCEPT
For example, a rule allowing the local host to receive ping replies from other hosts:
[root@apache_13]# iptables -A INPUT -d 172.16.26.13 -p icmp --icmp-type 0 -j ACCEPT
Allow ping requests from the local host to other hosts:
[root@apache_13]# iptables -A OUTPUT -p icmp -j ACCEPT
Explicit extension: the module must be named with -m before its extension-specific options can be used
-m state --state ==> remember that -m is given once for each extension used
Modules: each has one part of its code in iptables (user space) and one part in netfilter (kernel)
multiport: multi-port matching
Matches contiguous or non-contiguous ports; up to 15 ports may be specified
Dedicated options:
--source-ports, --sports port[,port|,port:port]
--destination-ports, --dports
--ports
[root@apache_13]# iptables -I INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
Allow all packets addressed to ports 22 and 80.
iprange: matches addresses within a given range
Useful for matching a contiguous range of addresses rather than a whole network
Dedicated options:
[!] --src-range IP[-IP]
[!] --dst-range
[root@apache_13]# iptables -I INPUT -p tcp -m multiport --dports 22,80 -m iprange --src-range 172.16.26.1-172.16.26.10 -j ACCEPT
Allow 172.16.26.1-10 to reach ports 22 and 80 on this host.
string: string matching; inspects the application-layer payload of a packet for a string
Efficient algorithms for string matching:
kmp, bm
Dedicated options:
--algo {kmp|bm}
--string "STRING"
--hex-string "HEX_STRING": HEX_STRING is the string in hexadecimal encoding
# iptables -I OUTPUT -m string --algo kmp --string "sex" -j DROP
For example, packets containing the string admin are not allowed:
[root@apache_13]# iptables -A OUTPUT -m string --string 'admin' --algo kmp -j DROP
time: time-based access control
Dedicated options:
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop
For example, no access between August 19 and August 20:
[root@apache_13]# iptables -A INPUT -m time --datestart 2014-08-19 --datestop 2014-08-20 -j DROP
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
For example, no access between 12:00 and 14:00:
[root@apache_13]# iptables -A OUTPUT -m time --timestart 12:00 --timestop 14:00 -j DROP
--weekdays day[,day]
Mon, Tue, ...
For example, no access on Monday and Tuesday:
[root@apache_13]# iptables -A OUTPUT -m time --weekdays Mon,Tue -j DROP
connlimit: limits the number of concurrent connections a single IP can hold
Dedicated options:
[!] --connlimit-above n
For example, limit the host 172.16.26.176 to at most 3 ssh connections:
[root@apache_13]# iptables -I INPUT 1 -s 172.16.26.176 -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
limit: rate limiting
Dedicated options:
--limit n[/second|/minute|/hour|/day]
--limit-burst n
Example: each IP may ping me only 20 times per minute, with at most 5 ping packets in a burst:
[root@apache_13]# iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
state: connection state matching
Dedicated options:
--state
[root@apache_13]# iptables -I INPUT 3 -s 172.16.10.0/24 -d 172.16.26.13 -p tcp -m multiport --destination-ports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT # accepts all packets of established connections, so the other release rules on the OUTPUT chain can be removed
States in connection tracking:
NEW: a new session is being established
ESTABLISHED: an established connection
RELATED: a connection related to an existing connection
INVALID: a connection that cannot be identified
Comprehensive exercise 1
Restrict access to the local host's web server on Mondays; the rate of new requests must not exceed 100 pps; pages containing the string admin may not be accessed; and only response packets may leave the machine through the web server.
iptables -A OUTPUT -m time --weekdays Mon -m limit --limit 100/s -m string --string 'admin' --algo kmp -j DROP
Rate limit of 100 per second; filter the string admin using the kmp algorithm
Adjusting the maximum number of connections the connection tracking table can hold:
/proc/sys/net/nf_conntrack_max
All connections currently being tracked:
/proc/net/nf_conntrack
Attributes for tracking the different protocols or connection types:
the /proc/sys/net/netfilter directory
Allowing the FTP service in passive mode:
1. Load the module from /lib/modules/KERNEL_VERSION/kernel/net/netfilter/
Module: nf_conntrack_ftp
2. Release the request packets:
(1) release NEW packets to port 21
(2) release ESTABLISHED and RELATED packets
3. Release the response packets:
(1) release ESTABLISHED and RELATED packets
Comprehensive case
Firewall rules for apache_13, which runs the ssh and httpd services (iptables-save format)
-A INPUT -p tcp -m tcp --dport 80 -m time --weekdays Tue --datestop 2038-01-19T11:14:07 -m string --string "admin" --algo kmp --to 65535 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -d 172.16.26.13/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -d 172.16.26.13/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 172.16.26.14/32 -j ACCEPT
-A INPUT -s 172.16.26.16/32 -j ACCEPT
-A OUTPUT -s 172.16.26.13/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m multiport --sports 22,80 -j ACCEPT
-A OUTPUT -d 172.16.26.14/32 -p tcp -m tcp --dport 9000 -j ACCEPT
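The FTP steps above and this case study combine into one complete ruleset. The shell function below is an added example, not the article's configuration: it prints an iptables-restore file for a host running ssh and httpd, with the connection-state rule first so later rules only see NEW packets, the connlimit and limit examples from earlier sections applied to ssh, http and ping, and, when called with the ftp argument, the passive-FTP control-port rule plus a raw-table CT rule that binds the ftp helper explicitly (kernels from 4.7 on no longer assign conntrack helpers automatically). The function name, argument order and addresses are my own choices; the output is printed for review, not applied.

```shell
#!/bin/sh
# Added example, not from the article: generate a complete iptables-restore
# ruleset for a host that runs ssh and httpd, built on the stateful pattern
# from the text (tracked traffic first, one rule per service, default DROP),
# with optional passive-FTP support. Function name, arguments and the
# sample addresses are my own; nothing is applied, the text is only printed.

# usage: gen_filter_rules HOST_IP ADMIN_NET [ftp]
gen_filter_rules() {
    host=$1; admin=$2; ftp=$3
    if [ "$ftp" = ftp ]; then
        # Bind the ftp conntrack helper to the control port in the raw table;
        # nf_conntrack_ftp must be loaded for the CT target to accept it.
        cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d $host/32 -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
EOF
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and already-tracked traffic first, so later rules only see NEW packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# impossible flag combinations from the case study (all flags set, no flags set)
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# ssh from the admin network only, at most 3 concurrent sessions per client
-A INPUT -s $admin -d $host/32 -p tcp -m tcp --dport 22 -m state --state NEW -m connlimit --connlimit-above 3 -j DROP
-A INPUT -s $admin -d $host/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# http from anywhere, new connections capped at 100 per second
-A INPUT -d $host/32 -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 100/second --limit-burst 200 -j ACCEPT
# ping requests, rate-limited as in the limit example
-A INPUT -d $host/32 -p icmp -m icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
EOF
    if [ "$ftp" = ftp ]; then
        cat <<EOF
# passive ftp: only the control connection needs a rule; the data
# connections arrive as RELATED once the helper has seen the PASV reply
-A INPUT -d $host/32 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
    fi
    cat <<EOF
# replies leave through the ESTABLISHED rule; the host may also resolve names and ping
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s $host/32 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Preview for the case-study host and admin network
gen_filter_rules 172.16.26.13 172.16.26.0/24 ftp
```

After modprobe nf_conntrack_ftp the output can be loaded with gen_filter_rules 172.16.26.13 172.16.26.0/24 ftp | iptables-restore; lines starting with # are skipped by iptables-restore, so the comments can stay in the saved file.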
Saving and restoring iptables rules
service iptables save ==> the rules are saved to /etc/sysconfig/iptables
They can also be saved to a location of your choice:
iptables-save > /tmp/iptables.cnf
To load them again later: iptables-restore < /tmp/iptables.cnf
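The save-and-restore pair above is also the basis of a safe way to load a new ruleset over ssh without locking yourself out. The script below is an added example, not from the article: it dumps the live rules with iptables-save, syntax-checks the new file with iptables-restore --test, loads it, and starts a timer that restores the dump unless the operator confirms from a fresh session that still works. Function names are my own; the IPT_SAVE, IPT_RESTORE and ROLLBACK_SECS variables exist so the logic can be exercised with stand-in commands.

```shell
#!/bin/sh
# Added example, not from the article: load a saved ruleset with an
# automatic rollback. Function names are my own; the variables below
# default to the real tools and can be pointed at stand-ins for testing.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# Parse the ruleset without committing it; non-zero means a syntax error.
check_ruleset() {
    "$IPT_RESTORE" --test "$1"
}

# Apply ruleset file $1 and print the PID of the rollback timer.
# Returns non-zero, with the old rules still in place, if anything fails.
apply_with_rollback() {
    ruleset=$1
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || return 1
    if ! check_ruleset "$ruleset"; then
        echo "ruleset rejected, nothing changed" >&2
        return 1
    fi
    if ! "$IPT_RESTORE" "$ruleset"; then
        "$IPT_RESTORE" "$backup"
        return 1
    fi
    # Timer: put the old rules back unless confirm_rules kills it in time.
    # Its output is detached so callers can capture the PID with $(...).
    ( sleep "$ROLLBACK_SECS" && "$IPT_RESTORE" "$backup" ) >/dev/null 2>&1 &
    echo $!
}

# Call this from a fresh login that succeeded under the new rules.
confirm_rules() {
    kill "$1" 2>/dev/null
}

# Typical session (not executed here):
#   pid=$(apply_with_rollback /tmp/iptables.cnf)
#   ... open a second ssh session; if it connects:
#   confirm_rules "$pid"
```

If the second session never comes up, the timer restores the saved dump on its own after ROLLBACK_SECS seconds; the default of two minutes is long enough to log in and short enough that a mistake does not leave the host unreachable for long.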