Shulou(Shulou.com)06/01 Report--

Linux network firewall

Netfilter: frame filtering, the filtering framework in the kernel, the location framework where the rules take effect

Iptables: a tool attached to netfilter to generate firewall rules and really realize data packet filtering, NAT,mangle and other rule generation

Firewall: work at the edge of the host or network, check and monitor incoming and outgoing messages, and according to pre-defined rules (including matching standards and processing methods), once the standards are met, the component that processes the message accordingly is called a firewall

The implementation of iptables is actually based on message filtering. Examples are as follows:

1.IP: source address, destination address

TCP: source port, destination port

UDP: source port, destination port

ICMP:icmp message type

The course of development:

Linux2.0

Ipfw/firewall

Linux2.2

Ipchain/firewall

Linux2.4

Iptables/netfilter

Netfilter filtering has the following five rule chains

PREROUTING

INPUT

FORWARD

OUTPUT

POSTROUTING

Four kinds of tables

Filter, filter tabl

INPUT,OUTPUT,FORWARD

Nat, address translation table

Prerouting,output,postrouting

Mangle (split, modify, encapsulate) table

Prerouting,forwarding,output,postrouting

Raw table

Prerouting,output

Iptables:

500 rules

Can I use a custom chain?

You can use a custom chain, but it only works when called, and if no rules in the custom chain match, there should be a return mechanism

* users can delete custom empty chains

* the default chain cannot be deleted

Each rule has two built-in counters

Number of matched messages

The sum of matched messages

Rules include: matching criteria, processing actions

Matching criteria:

1. Universal matching

-smam Murray src source address

The destination address of djue Murray DST

-p (tcp,udp,icmp) specified protocol

-I INTERFACE specifies the interface for Datagram inflow (ethX)

Can be used to define standard chains, PREROUTING, INPUT,FORWARD

-o INTERFACE specifies the interface for Datagram outflow

Can be used for standard-defined chains, OUTPUT,POSTROUTING,FORWARD

two。 Extended matching

a. Implied extension: there is no need to specify which module to extend, because-p (tcp/udp/icmp) is used at this time

-p tcp designated destination port, source port

-- tcp-flags mask comp: check only the flag bits specified by mask, which is a comma-separated list of flag bits; comp: the flag bits that appear in this list must be 1. The flag bits that do not appear in comp, while those in mask, must be 0.

The type of message can be determined according to the value of flag bits such as ACK,FIN,RST,SYN. For example, when SYN=1 and the rest is 0, this message is the first handshake of TCP/IP.

-p-icmp

-- icmp-type-8 is connected by ping

-- icmp-type-1 can send ping messages

-p-udp

Specify destination port and source port

b. Display extension: you must indicate which module is used for the extension, which can be completed by using the-m option in iptables

Use an additional matching mechanism

-m EXTENSTION-- spe-opt

State: state extension-m state-- state NEW-ij ACCEPT

Track the state of the session with ip_constrack

NEW: new connection request

ESTABLISHED: established connection

INVALID: illegal connection

RELATED: associated

-m multiport: discrete multi-port matching extension

-- source-ports

-- destination-ports

-- ports

-m iprange specifies a segment of address

-- src-range

-- dst-range

-m connlimit connection limit

!-connlimit-above n

-m limit

-- limit RATE rate limit

# iptables-save > / etc/sysconfig/iptables.2021

# iptables-restore

< /etc/sysconfig/iptables.2021 命令 管理规则 -A：附加一条规则，添加在链的尾部 -I CHAIN [num]：插入一条规则，插入为对应CHAIN上的第num条 -D CHAIN　［num］:删除指定链中的第Num条规则 -R CHAIN [num]：替换指定的规则 管理链 -F [CHAIN]：flush用于清空指定规则链，如果省略CHAIN ，则可以删除对应表中的所有链 -P CHAIN ：设定指定链的默认策略 -Ｎ ：自定义一个新的空链 -Ｘ：删除一个自定义的空链 -Z：置零指定链中所有规则的计数器 -E：重命名自定义的链 查看类 -L：显示指定表中的规则 -n：以数字形式显示主机地址和端口号 -x：显示计数器的精确值 -v：显示链和规则的详细信息 -vv： --line-numbers：显示规则号码 执行的动作（target） -j指定 ACCEPT放行，允许通过 DROP丢弃 REJECT拒绝 DNAT目标地址转换 SNAT源地址转换 REDIRECT（端口重定向） MASQUERADE：地址伪装 MAC表的PREROUTING链实现 MARK打标记 LOG 日志 iptables不是服务，但有服务脚本：脚本服务的主要作用在于管理保存的规则 装载或移除iptable/netfilter相关的内核模块 iptables_nat,iptales_filter,iptable_mangle,iptables_raw,ip_nat, 保存规则： #service iptables save /etc/sysconfig/iptables #iptables-save>

/ etc/sysconfig/iptables.2021

# iptables-restore < / etc/sysconfig/iptables.2021

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.