
What is Linux Firewall?

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article mainly explains what a Linux firewall is. The content is easy to understand and clearly laid out; I hope it helps resolve your doubts. Let the editor lead you through "What is a Linux firewall?".

Building a Linux Firewall: What is a Linux Firewall?

The typical firewall setup has two network cards, one inbound and one outbound. iptables reads the headers of incoming and outgoing packets, compares them against the rule set (ruleset), and forwards acceptable packets from one network card to the other. Rejected packets can be discarded or handled in whatever way you define.

Packet filtering is controlled by giving the firewall rules about what to do with packets from a given source, to a given destination, or of a specific protocol type. These rules are created with the iptables command, supplied by the iptables system, and are added to a chain in a specific packet-filter table in kernel space. The general syntax of the commands used to add, remove and edit rules is as follows:

iptables [-t table] command [match] [target]

In practice this syntax is used because it is easy to read. Most rules are written this way, so when you look at rules written by others you will most likely find the same layout.

If you do not want to use the standard table, specify the table name in place of [table]. Usually there is no need to specify the table, because iptables executes every command against the filter table by default. In fact, the table name can be given almost anywhere in the rule, but placing it at the beginning is the established convention. Commands are always placed at the beginning or directly after the table name; the point is to keep the rule easy to read.

The command tells the program what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule. The commands are introduced in detail later.

A match describes a characteristic of a packet that distinguishes it from all other packets: the source IP address, the network interface, a port, the protocol type, and so on. Many different matches are shown below.

Finally, the target is the destination of the packet. If the packet satisfies all of the matches, the kernel processes it according to the target, or hands the packet to the target. For example, we can have the kernel send the packet to another chain in the current table (possibly one we built ourselves), discard the packet without further processing, or return a special reply to the sender. Let's discuss these options one by one:
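As an added example (not code from the article), the following POSIX shell script builds a small default-deny filter ruleset in exactly this table / command / match / target shape. The interface names eth0 and eth1, the management network 192.168.0.0/24 and the SSH port are assumptions. It prints the rules by default and only executes them when APPLY=1 is set and an iptables binary is present, so the set can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: a default-deny filter ruleset written in the
# "iptables [-t table] command [match] [target]" form from the article.
# Interface names, the management network and the SSH port are assumptions.

WAN_IF="${WAN_IF:-eth0}"                     # assumed Internet-facing card
LAN_IF="${LAN_IF:-eth1}"                     # assumed LAN-facing card
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"     # constructed management network
SSH_PORT="${SSH_PORT:-22}"

# Print one rule. $1 = table, $2 = command (with chain), $3 = match, $4 = target.
# Keeping the four parts separate makes it obvious which piece is which.
rule() {
    if [ -n "$3" ]; then
        printf 'iptables -t %s %s %s -j %s\n' "$1" "$2" "$3" "$4"
    else
        printf 'iptables -t %s %s -j %s\n' "$1" "$2" "$4"
    fi
}

# Print the whole ruleset. Rules in a chain are tried top to bottom and the
# first match wins, so the order below matters: allow what is wanted first,
# then log and drop everything else, with the default policy as the backstop.
filter_rules() {
    printf 'iptables -t filter -F\n'               # flush old rules
    printf 'iptables -t filter -P INPUT DROP\n'    # default-deny inbound
    printf 'iptables -t filter -P FORWARD DROP\n'  # default-deny forwarded
    printf 'iptables -t filter -P OUTPUT ACCEPT\n' # trust locally generated
    rule filter "-A INPUT" "-i lo" ACCEPT
    rule filter "-A INPUT" "-m conntrack --ctstate ESTABLISHED,RELATED" ACCEPT
    rule filter "-A INPUT" "-i $WAN_IF -m conntrack --ctstate INVALID" DROP
    rule filter "-A INPUT" "-i $LAN_IF -s $ADMIN_NET -p tcp --dport $SSH_PORT" ACCEPT
    rule filter "-A FORWARD" "-i $LAN_IF -o $WAN_IF" ACCEPT
    rule filter "-A FORWARD" "-i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED" ACCEPT
    rule filter "-A INPUT" "-m limit --limit 5/min" 'LOG --log-prefix "FW-DROP: "'
    rule filter "-A INPUT" "" DROP
}

# Dry run by default; APPLY=1 and a real iptables binary are needed to load it.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && command -v iptables >/dev/null 2>&1; then
        filter_rules | sh -e
    else
        filter_rules
    fi
}

apply_rules
```

Applying the rules one command at a time leaves a short window in which the DROP policy is already in force but the ESTABLISHED,RELATED rule does not exist yet, which can cut an SSH session that is being used to load the rules. On a live system, converting the same set to iptables-restore format loads it atomically and avoids that gap.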

Table (table)

The [-t table] option lets you use a table other than the standard one. A table is a packet-filtering table containing rules and chains that handle only specific types of packets. Three tables are available: filter, nat and mangle. The option is not required; if it is omitted, filter is used as the default table. The function of each table is described below.

Filter

The filter table is used to filter packets; we can match packets and filter them here at any point. This is where a packet is DROPped or ACCEPTed according to its contents. Some filtering can of course be done elsewhere beforehand, but this table is designed for filtering. Almost every target can be used here.

Nat

The main purpose of the nat table is network address translation (NAT). The address of a packet that has undergone a NAT operation is changed, according to our rules. Packets belonging to a stream pass through this table only once.

If the first packet is allowed to be NATed or masqueraded, the rest of the packets in the stream automatically receive the same treatment. In other words, the remaining packets are no longer passed through this table one by one to be NATed; it is done automatically. This is the main reason why no filtering should be done in this table. The PREROUTING chain changes the destination address of a packet as soon as it arrives at the firewall, if necessary. The OUTPUT chain changes the destination address of locally generated packets.

The POSTROUTING chain changes the source address of a packet before it leaves the firewall. This table is used only for NAT, that is, translating the source or destination address of packets. Note that only the first packet of a stream is matched by this chain; subsequent packets are automatically treated the same way. The actual operations fall into the following categories:

◆ DNAT

◆ SNAT

◆ MASQUERADE

DNAT is mainly used when you have a public IP address and want to redirect access to the firewall to another machine (for example, in a DMZ). That is, we change the destination address so that the packet is rerouted to that host.

SNAT changes the source address of a packet, which can hide your local network or DMZ to a large extent. A good example: the outside world knows only the external address of the firewall, so the local network addresses must be replaced with that address. With this operation the firewall automatically SNATs outgoing packets and De-SNATs the replies (reverse SNAT), so that the LAN can connect to the Internet.

If you use an address block such as 192.168.0.0/24 without translation, you will get no response from the Internet, because IANA defines these networks (among others) as private and they can only be used within a LAN.

MASQUERADE has exactly the same effect as SNAT, except that it puts a slightly higher load on the machine: for every matching packet, MASQUERADE looks up the IP address to use, whereas SNAT uses the single IP address written into the rule. The advantage is that it works with addresses obtained through PPP, PPPoE, SLIP and similar links, which are assigned dynamically by the ISP's DHCP.
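Here is an added example, not taken from the article, showing the three nat-table operations just described as a POSIX shell script. It chooses SNAT when the firewall has a fixed public address and MASQUERADE when the address is dynamic, and adds a DNAT rule that redirects inbound HTTP to a DMZ host. The interface name eth0, the LAN prefix 192.168.0.0/24, the DMZ host 10.0.0.10 and the public address 203.0.113.5 used below are constructed values; the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: nat-table rules for the three operations the article lists.
# The interface name, the LAN prefix, the DMZ host and the public address
# are constructed values, not taken from the article.

WAN_IF="${WAN_IF:-eth0}"                 # assumed Internet-facing card
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # private LAN (RFC 1918 space)
DMZ_WEB="${DMZ_WEB:-10.0.0.10}"          # constructed DMZ web server

# POSTROUTING: rewrite the source address of LAN traffic leaving on WAN_IF.
# $1 = the firewall's public IP if it is fixed, or empty if it is dynamic.
source_nat_rule() {
    if [ -n "$1" ]; then
        # Fixed address: SNAT is cheaper, the address is part of the rule.
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$LAN_NET" "$WAN_IF" "$1"
    else
        # Dynamic address (PPP, PPPoE, DHCP): MASQUERADE looks up the
        # interface's current address for every matching packet.
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
            "$LAN_NET" "$WAN_IF"
    fi
}

# PREROUTING: redirect inbound HTTP that arrives for the firewall to the DMZ
# host by rewriting the destination address before the routing decision.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' \
        "$WAN_IF" "$DMZ_WEB"
}

# The nat table only rewrites addresses. The redirected packet is then
# routed and must still pass the filter table's FORWARD chain, so a DNAT
# rule is incomplete without the matching ACCEPT there (filtering belongs
# in filter, not in nat, as the article notes).
dnat_forward_rule() {
    printf 'iptables -t filter -A FORWARD -i %s -d %s -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$WAN_IF" "$DMZ_WEB"
}

# Complete set: forwarding must be enabled in the kernel or nothing is routed.
nat_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    source_nat_rule "$1"
    dnat_rule
    dnat_forward_rule
}

nat_rules "${PUBLIC_IP:-}"   # empty PUBLIC_IP selects MASQUERADE
```

After loading such rules, iptables -t nat -L -n -v shows the per-rule packet counters; because only the first packet of a stream traverses the nat table, the SNAT or MASQUERADE counter advances once per connection, not once per packet, which is a quick way to confirm the behaviour described above.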

Mangle

This table is mainly used for mangling packets. We can change the contents of various packet headers, such as TTL, TOS or MARK. Note that MARK does not really change the packet; it only sets a flag on the packet in kernel space. Other rules or programs inside the firewall, such as tc, can use this flag to filter packets or do advanced routing. This table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT and FORWARD.

PREROUTING changes packets after they enter the firewall and before the routing decision, while POSTROUTING changes packets after all routing decisions. OUTPUT changes locally generated packets before their destination is determined. INPUT changes packets after they are routed to the local machine, but before a user-space program sees them. Note that the mangle table cannot do any NAT; it only changes the TTL, TOS or MARK of a packet, not its source or destination address. NAT is done in the nat table. The following are the only operations in the mangle table:

◆ TOS

◆ TTL

◆ MARK

The TOS operation sets or changes the Type of Service field of a packet. It is often used to set policies for how packets are routed on the network. Note that this operation is far from perfect and does not always achieve what you want. It does not yet work on the Internet, and many routers ignore this field. In other words, do not set TOS on packets destined for the Internet unless you plan to rely on TOS for routing yourself, for example with iproute2.

The TTL operation changes the time-to-live field of packets so that all packets carry a single specific TTL. There is a good reason for its existence: it lets us fool certain ISPs. Why fool them? Because they do not want us to share a connection.

Such ISPs check whether packets from a single computer carry different TTLs and use that as a sign that the connection is being shared.

MARK sets a special mark on packets. iproute2 can recognize these marks and choose different routes based on different marks (or none). With these marks we can do bandwidth limiting and request-based classification.
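The following is an added example, not from the article, of the mangle-table operations in use: a MARK rule in PREROUTING tags traffic from one LAN subnet, iproute2 routes the marked packets through a second uplink, and a TOS rule in OUTPUT sets the Type of Service on locally generated SSH replies. The interface names eth1 and eth2, the subnet 192.168.0.64/26, the gateway 198.51.100.1, the mark value and the routing-table number are all constructed for this example; the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example: mark packets in the mangle table and let iproute2 route the
# marked traffic over a second uplink, plus one TOS rule. The interface
# names, the subnet, the gateway, the mark value and the routing-table
# number are constructed for this example.

LAN_IF="${LAN_IF:-eth1}"                 # assumed LAN-facing card
PRIO_NET="${PRIO_NET:-192.168.0.64/26}"  # constructed subnet to route separately
ALT_IF="${ALT_IF:-eth2}"                 # assumed second uplink
ALT_GW="${ALT_GW:-198.51.100.1}"         # constructed gateway on that uplink
FWMARK="${FWMARK:-0x1}"
RT_TABLE="${RT_TABLE:-100}"              # custom routing table number

# mangle PREROUTING: runs before the routing decision, which is the only
# place a mark can influence where a forwarded packet goes. MARK changes
# nothing on the wire; the mark lives in the kernel's packet metadata.
mark_rule() {
    printf 'iptables -t mangle -A PREROUTING -i %s -s %s -j MARK --set-mark %s\n' \
        "$LAN_IF" "$PRIO_NET" "$FWMARK"
}

# iproute2 side: a dedicated table with its own default route, and a policy
# rule that sends packets carrying the mark to that table.
policy_route_cmds() {
    printf 'ip route replace default via %s dev %s table %s\n' "$ALT_GW" "$ALT_IF" "$RT_TABLE"
    printf 'ip rule add fwmark %s table %s\n' "$FWMARK" "$RT_TABLE"
}

# mangle OUTPUT: set the TOS field on locally generated SSH replies. Only
# meaningful on the local network, since Internet routers generally ignore it.
tos_rule() {
    printf 'iptables -t mangle -A OUTPUT -p tcp --sport 22 -j TOS --set-tos Minimize-Delay\n'
}

# Everything together. Note what is NOT here: no ACCEPT/DROP and no address
# rewriting; those belong to the filter and nat tables respectively.
mangle_rules() {
    mark_rule
    policy_route_cmds
    tos_rule
}

mangle_rules
```

One caveat when routing by mark across two uplinks: reply traffic may come back on the other interface, and a strict reverse-path filter (rp_filter=1) will discard packets whose return route does not match the interface they arrived on. Checking rp_filter on both uplinks is the first thing to do when marked traffic goes out but replies never arrive.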

That is all the content of this article, "What is a Linux Firewall?". Thank you for reading! I believe everyone has gained some understanding; I hope the content shared here helps you, and if you want to learn more, you are welcome to follow the industry information channel!


© 2024 shulou.com SLNews company. All rights reserved.
