2025-04-04 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)06/01 Report--
Firewall and netfilter basics
firewall
A component that works at the edge of a host or network, checks incoming and outgoing packets against predefined rules, and processes the packets that a rule matches.
It can be divided into host firewalls and network firewalls.
It can be software or hardware; professional hardware firewalls include Check Point and NetScreen.
iptables: the rule management tool, a program that works in user space and automatically checks rules for syntax errors;
netfilter: the network filter, a framework working on the TCP/IP protocol stack in kernel space;
IDS: Intrusion Detection System
NIDS: Network Intrusion Detection System
HIDS: Host Intrusion Detection System
IPS: Intrusion Prevention System
HoneyPot: honeypot
Iptables
Development history
ipfw --> ipchains --> iptables/netfilter
Linux originally had no firewall system; one was ported from OpenBSD and named ipfw. Later, because the firewall's protection relied on a large number of rules strung together in chains, it was renamed ipchains. As rules were planned in ever more detail and protection came to rely on combining multiple chains, it was finally named iptables/netfilter.
When routing decisions occur:
After a packet enters the machine:
determine its destination (for this host, or to be forwarded);
Before a packet leaves the machine:
determine which interface to send it from;
Paths a packet can take:
Destined for the local host: prerouting, input
Originating from the local host: output, postrouting
Forwarded through the local host: prerouting, forward, postrouting
Components of a rule:
The conditions a packet must match, and how to handle it once matched
Matching conditions: basic matching conditions, extended matching conditions
How to handle: built-in processing mechanisms, custom processing mechanisms (custom chains)
Note: Packets do not pass through custom chains on their own; a custom chain only takes effect when it is referenced from a built-in chain (i.e., used as a custom target)
Functions of netfilter rules:
filter: filtering
nat: Network Address Translation
mangle: modify some information in the packet header
raw: turn off the connection tracking that the nat table enables
These are the four tables of iptables
Hook functions
prerouting:
After a packet enters the local machine, before routing occurs
①: raw, mangle, nat
input:
Packets arriving at the local host itself
②: mangle, filter
output:
Packets originating from the local host
③: raw, mangle, nat, filter
forward:
Packets forwarded through the local host
④: mangle, filter
postrouting:
After routing occurs, just before the packet leaves the machine
⑤: mangle, nat
These are the five chains (CHAIN) of iptables; together they form the framework built into the kernel specifically to implement packet inspection: netfilter
There are many rules at each hook, and they are stored by function: rules with the same function are kept together, rules with different functions separately. After a packet arrives, it is checked in order according to the priority of each function; this grouping is what forms the iptables tables.
Position of each function:
filter: input, forward, output
nat: prerouting, output, postrouting
mangle: prerouting, input, forward, output, postrouting
raw: prerouting, output; a supplement to nat that is present only on the first two of nat's chains
Priority of the functions:
From high to low: raw --> mangle --> nat --> filter
[Figure: schematic diagram of the packet filtering matching process (not reproduced)]
Points to consider when adding rules:
(1) The function to be realized: decides which table the rule goes in;
(2) The packet's flow direction and route: decides which chain the rule goes in;
The order of rules in a chain is the order of inspection, so follow these rules:
(1) For rules of the same kind, put the one with the smaller matching range on top;
(2) For rules of different kinds, put the one more likely to match packets on top;
(3) A default policy should be set;
Basic usage of iptables
The iptables command
generates rules and sends them to netfilter;
Rules are sent directly to the kernel through kernel interfaces; they take effect immediately but are not permanent;
To make them permanent, they must be saved to a configuration file, and that file must be loaded automatically at boot or manually by the user.
Syntax format
iptables [-t TABLE] SUBCOMMAND CHAIN CRITERIA -j TARGET
Common options
-t TABLE: the table to operate on; defaults to filter when omitted; four tables are available: filter, nat, mangle, raw;
SUBCOMMAND: subcommand
CHAIN: the chain to operate on
CRITERIA: the matching conditions
-j TARGET: the action to take
SUBCOMMAND
Chain manipulation
-F: flush, clears all rules on the specified chain of the specified table; if the chain name is omitted, clears all rules of all chains in the default table;
-N: new, creates a user-defined chain. A custom chain can only be used as a jump target from a built-in chain, i.e., it takes effect by being referenced on a built-in chain;
-X: delete-chain, deletes a user-defined empty chain; built-in chains cannot be deleted;
-Z: zero, resets the rule counters to 0; each rule on each chain has two counters, one recording the number of packets the rule has matched and the other the total size of those packets;
-P: policy, sets the default policy of a chain. When no rule on the chain matches, or a rule matches but does not produce an effective processing decision, the default policy takes effect;
Available policies for filter table: ACCEPT, DROP, REJECT
-E: rename, renames a custom chain;
Note: A chain that is still referenced cannot be deleted or renamed.
Operations on the rules of a chain
-A: append, appends a rule to the end of the chain;
-I: insert, inserts a rule at the specified position;
-D: delete, deletes the specified rule;
-R: replace, replaces the specified rule;
Viewing operations
-L: list, lists all rules on the specified chain;
-n: numeric, shows addresses and port numbers in numeric form, i.e., without reverse resolution;
-v: verbose, shows detailed information about each rule, including its counters;
--line-numbers: shows rule numbers;
-x: exact, shows the exact counter values, i.e., without unit conversion;
Output columns of -L -v: pkts bytes target prot opt in out source destination
pkts: number of packets matched by this rule;
bytes: total size of all packets matched by this rule;
target: processing target (the target can be a user-defined chain);
prot: protocol {tcp, udp, icmp};
opt: options;
in: incoming interface;
out: outgoing interface;
source: source address;
destination: destination address;
CRITERIA (matching conditions)
Check the IP header and the TCP, UDP or ICMP header;
Based on the extension mechanism, additional checks can also be performed, such as connection tracking.
Multiple matching conditions can be specified at once; in that case all of them must be satisfied for the rule to match.
Generic matches
-s, --src, --source IP|NETWORK: check the packet's source IP address;
-d, --dst, --destination IP|NETWORK: check the packet's destination IP address;
-p, --protocol: check the packet's protocol, i.e., the protocol field of the IP header (one of tcp, udp, icmp);
-i, --in-interface: check the packet's incoming interface; normally only used for rules on the PREROUTING, INPUT and FORWARD chains;
-o, --out-interface: check the packet's outgoing interface; normally only used for rules on the FORWARD, OUTPUT and POSTROUTING chains;
Note: Any condition can be negated by prefixing it with "!"
Extended matches
Extensible checking mechanisms implemented by iptables modules
Implicit extensions
[-m MODULE] can be omitted when the protocol is given with the -p option of the generic match
tcp
--dport: destination port
--sport: source port
--tcp-flags LIST1 LIST2
LIST1: the flag bits to be checked
LIST2: of the bits in LIST1, those that must be 1; the remaining bits in LIST1 must be 0
Example: "--tcp-flags syn,ack,fin,rst syn": only the four flags syn, ack, fin and rst are checked; syn must be 1, while ack, fin and rst must be 0
--syn: matches the first packet of a TCP three-way handshake
udp
--dport
--sport
icmp
--icmp-type
8: echo request (ping request)
0: echo reply (ping response)
Example: Configure a local DNS service and allow its traffic through; the default policy is DROP
Note: Rules 1 and 2 only allow external hosts to query this machine for resolution; without rules 3 and 4, this machine's own resolution requests are not let through
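As an added example (not part of the original article, and not iptables source code), the Python below models how a chain is evaluated: all conditions of a rule are ANDed, rules are inspected in order with the first match deciding, and the chain's -P policy applies when nothing matches; it also implements the --tcp-flags LIST1 LIST2 semantics from the tcp section above. The address 172.16.100.11, the rule set and the packets are constructed for illustration.

```python
"""Toy model of netfilter first-match evaluation (added example, not iptables code).
Rules on a chain are inspected top to bottom; the first rule whose conditions all
hold decides the verdict, otherwise the chain's -P policy applies. Rules and
packets are plain dicts constructed here for illustration."""
from ipaddress import ip_address, ip_network


def tcp_flags_match(pkt_flags, check, must_be_set):
    """--tcp-flags LIST1 LIST2: only the bits in LIST1 (check) are examined; those
    also in LIST2 (must_be_set) must be 1 and the remaining LIST1 bits must be 0."""
    return all((flag in pkt_flags) == (flag in must_be_set) for flag in check)


def rule_matches(rule, pkt):
    """Conditions present in a rule are ANDed; a condition that is absent matches anything."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if "dports" in rule and pkt.get("dport") not in rule["dports"]:   # -m multiport --dports
        return False
    if "sports" in rule and pkt.get("sport") not in rule["sports"]:   # -m multiport --sports
        return False
    if "tcp_flags" in rule:
        check, must = rule["tcp_flags"]
        if pkt["proto"] != "tcp" or not tcp_flags_match(pkt.get("flags", set()), check, must):
            return False
    return True


def evaluate_chain(rules, policy, pkt):
    """The order of rules is the order of inspection: first match wins, else the policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed filter/INPUT chain for a DNS server at 172.16.100.11 with -P INPUT DROP:
# queries to udp/53 from anywhere; replies (sport 53) to this host's own queries, which,
# being stateless, also admits any packet with source port 53; and new SSH sessions from
# the local /24 only, via the --syn equivalent "--tcp-flags SYN,RST,ACK,FIN SYN".
INPUT_POLICY = "DROP"
INPUT_RULES = [
    {"proto": "udp", "dports": {53}, "target": "ACCEPT"},
    {"proto": "udp", "sports": {53}, "target": "ACCEPT"},
    {"proto": "tcp", "src": "172.16.100.0/24", "dports": {22},
     "tcp_flags": ({"SYN", "RST", "ACK", "FIN"}, {"SYN"}), "target": "ACCEPT"},
]
```

The stateless second rule is exactly the weakness the note above hints at: without connection tracking, "reply" traffic can only be recognised by its source port.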
Explicit extensions
The extension module used must be specified explicitly
Format: -m MODULE; each module introduces a new matching mechanism
Command to list the available modules:
rpm -ql iptables
The modules are the lower-case names ending in ".so"
multiport extension:
Matches multiple discrete ports in one rule; up to 15 ports can be specified;
Dedicated options:
--source-ports, --sports PORT[,PORT,...]
--destination-ports, --dports PORT[,PORT,...]
--ports PORT[,PORT,...]
Examples:
# iptables -I INPUT 1 -d 172.16.100.11 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# iptables -I OUTPUT 1 -s 172.16.100.11 -p tcp -m multiport --sports 22,80,443 -j ACCEPT
iprange extension:
Specifies a contiguous range of IP addresses; used when the range to match is not a whole network;
Dedicated options:
[!] --src-range IP[-IP]
[!] --dst-range IP[-IP]
Examples:
# iptables -A INPUT -d 172.16.100.11 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
# iptables -A OUTPUT -s 172.16.100.11 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT
string extension:
Checks whether the given string appears in the packet payload;
String matching algorithms:
kmp, bm
Dedicated options:
--algo {kmp|bm}
--string "STRING"
--hex-string "HEX_STRING": HEX_STRING is the string encoded in hexadecimal;
Examples:
# iptables -I OUTPUT 1 -s 172.16.100.11 -p tcp --sport 80 -m string --string "sex" --algo kmp -j REJECT
time extension:
Access control based on time intervals
Dedicated options:
--datestart YYYY[-MM][-DD][hh[:mm[:ss]]]
--datestop
--timestart
--timestop
--weekdays DAY1[,DAY2,...]
Examples:
# iptables -R INPUT 1 -d 172.16.100.11 -p tcp --dport 80 -m time --timestart 08:30 --timestop 18:30 --weekdays Mon,Tue,Thu,Fri -j REJECT
connlimit extension:
Limits the number of concurrent connections each IP address may initiate;
Dedicated options:
--connlimit-above n
Examples:
# iptables -I INPUT 2 -d 172.16.100.11 -p tcp --dport 22 -m connlimit --connlimit-above 5 -j REJECT
limit extension:
Limits based on packet rate;
Dedicated options (token bucket algorithm):
--limit n[/second|/minute|/hour|/day]
--limit-burst n
Examples:
# iptables -R INPUT 3 -d 172.16.100.11 -p icmp --icmp-type 8 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
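As an added example (not part of the original article, and not the kernel's xt_limit code), a Python model of the token bucket behind -m limit, driven with the values of the rule above (--limit 10/minute --limit-burst 5); the echo-request arrival times and the DROP fallback for packets the limit rule does not match are constructed assumptions.

```python
"""Model of the limit match's token bucket (added example, not kernel xt_limit code).
The bucket holds at most `burst` tokens (--limit-burst) and refills at the --limit
rate; a packet that finds a token matches the rule and consumes it, any other packet
does not match and falls through to the rules (or chain policy) after it."""
from fractions import Fraction

_PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """'10/minute' -> tokens per second as an exact Fraction; a bare number is per second."""
    count, _, unit = spec.partition("/")
    return Fraction(int(count), _PERIOD_SECONDS[unit or "second"])


class TokenBucket:
    def __init__(self, rate_per_second, burst):
        self.rate = rate_per_second
        self.burst = Fraction(burst)
        self.tokens = self.burst        # the bucket starts full
        self.last_seen = Fraction(0)

    def take(self, now):
        """Refill for the elapsed time (capped at burst), then try to spend one token."""
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last_seen) * self.rate)
        self.last_seen = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def ping_verdicts(limit_spec, burst, arrival_times):
    """Verdict for each ICMP echo request (seconds since the rule was loaded) under
    '-p icmp --icmp-type 8 -m limit --limit LIMIT --limit-burst BURST -j ACCEPT',
    assuming the chain policy DROP catches requests the limit rule does not match."""
    bucket = TokenBucket(parse_limit(limit_spec), burst)
    return ["ACCEPT" if bucket.take(t) else "DROP" for t in arrival_times]
```

With 10/minute and a burst of 5, a flood at time zero gets five echo requests through and then one more every six seconds, which is the shape to expect in the rule's pkts counter.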
State Extension:
-j TARGET
-j (jump), jump to the target
Built-in targets
ACCEPT: accept
DROP: discard
REJECT: reject
Custom chain (used as a target)
© 2024 shulou.com SLNews company. All rights reserved.