Example Analysis of Software Firewall iptables under linux

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article introduces the software firewall iptables under Linux by example. It is meant as a reference for readers who need one, and I hope you will learn a lot from it. Next, let the editor take you through it.

A firewall restricts which IP addresses or users may access a host. Firewalls fall into two categories: hardware firewalls and software firewalls. A software firewall is mainly used to filter packets, while a hardware firewall both filters packets and protects against malicious attacks such as DDoS. Here we explain the software firewall under Linux: iptables.

Iptables and firewalld

Under CentOS 6 the default software firewall is iptables; in CentOS 7 it is firewalld. How are the two related? firewalld is a newer front end layered on top of the original iptables.

When learning iptables, it is recommended that you first turn off firewalld and turn on iptables:

# yum install iptables-services
# systemctl stop firewalld
# systemctl start iptables

Tables and chains of iptables

Different tables in iptables serve different functions. There are four tables by default:

filter (packet filtering)
nat (address translation)
mangle
raw

Each table has its own chains of rules:

filter (INPUT / OUTPUT / FORWARD)

nat (PREROUTING / OUTPUT / POSTROUTING)

The meanings of these chains are as follows:

INPUT chain-incoming packets apply rules in this rule chain

OUTPUT chain-outgoing packets apply rules in this rule chain

FORWARD chain-rules in this rule chain are applied when forwarding packets

PREROUTING chain-apply the rules in this chain before routing a packet

POSTROUTING chain-rules in this chain are applied after routing packets

Rule viewing and clearing of iptables

Rule View

Usage example: iptables [-t table] -L [-nv]

Options and parameters:

-t is followed by the table name; if this option is omitted, the filter table is used.

-L lists the rules for the current table

-n do not resolve IP addresses and ports to host or service names (numeric output)

-v display more information

# View the rules of the filter table
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   67  4444 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   286 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 38 packets, 4664 bytes)
 pkts bytes target     prot opt in     out     source               destination

# View the rules of the nat table
# iptables -t nat -L -nv

The meaning of the rule options under the chain is as follows:

target: the action taken when the rule matches: ACCEPT (let the packet through), DROP (discard it silently), REJECT (discard it and notify the sender)

prot: the protocol the rule matches, such as tcp, udp or icmp

opt: option flags of the rule

source: restriction on the source host or network

destination: restriction on the destination host or network

The five rules of the INPUT chain shown above have the following implications:

Accept as long as the status of the packet is RELATED,ESTABLISHED

It is accepted as long as it is an icmp package.

As long as it is a local loopback network card, all data is accepted.

TCP packets are accepted as long as they open a new connection to port 22 (SSH).

Reject all packets

Clearing the rules of iptables

After a default CentOS 7 installation, the system already has a number of iptables rules. Here we show how to clear them.

Usage example: iptables [-t table] [-FXZ]

Options and parameters:

-F flushes all rules from the chains of the table

-X deletes all user-defined chains (they must be empty first)

-Z sets all statistical counts to zero

# iptables -F
# iptables -X
# iptables -Z

View specific rules

Use iptables-save to view the rules in their exact, restorable form.

Usage: iptables-save [-t table]

# iptables-save -t filter
# Generated by iptables-save v1.4.21 on Sat Nov 14 21:51:56 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 14 21:51:56 2020

Define default policy

Once the rules are cleared, only the default policy remains. The default policy is the rule applied when none of our rules matches a packet. The possible default policies are ACCEPT (accept the packet) and DROP (drop the packet).

Usage: iptables [-t table] -P [INPUT | OUTPUT | FORWARD ...] [ACCEPT | DROP]

Now we try to change the default policy of the filter table's INPUT chain to DROP, and of the OUTPUT and FORWARD chains to ACCEPT.
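Before trying the policy change, here is an added example (not from the original article) that reaches the same end state more safely: it writes the rule set shown earlier in iptables-save format with the INPUT policy set to DROP, checks that the rules keeping SSH reachable are present, and loads everything atomically with iptables-restore, so the policy and the allow rules take effect together. The SSH port (22) and the use of iptables-restore's --test option are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply a DROP default policy without losing the SSH session.
# Assumes SSH listens on port 22 (as in the article); override with SSH_PORT.
SSH_PORT="${SSH_PORT:-22}"

# Emit the CentOS 7 style rule set from the article in iptables-save format,
# but with the INPUT policy already set to DROP.
build_filter_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lockout check: if INPUT defaults to DROP, the rule set must still accept
# established connections and new connections to the SSH port.
# Returns 0 when the rule set is safe to apply, 1 otherwise.
check_no_lockout() {
  if printf '%s\n' "$1" | grep -q '^:INPUT DROP'; then
    printf '%s\n' "$1" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' || return 1
    printf '%s\n' "$1" | grep -q -- "--dport ${SSH_PORT} -j ACCEPT" || return 1
  fi
  return 0
}

# Validate first (iptables-restore --test parses without committing), then
# load the whole table in one atomic step instead of a bare "-P INPUT DROP".
apply_rules() {
  rules="$(build_filter_rules)"
  check_no_lockout "$rules" || { echo "refusing: rule set would lock out SSH" >&2; return 1; }
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  printf '%s\n' "$rules" | iptables-restore
}
```

Run apply_rules as root; afterwards "service iptables save" (from iptables-services) keeps the result across reboots.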

# iptables -t filter -P INPUT DROP
# note: after this command is typed, your terminal session may be disconnected.

Thank you for reading this article carefully. I hope the example analysis of the software firewall iptables under Linux shared by the editor is helpful to you. At the same time, I hope you will support us and follow the industry information channel, where detailed solutions are waiting for you to learn.
