2025-04-02 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Linux network firewall
Netfilter: the packet-filtering framework inside the kernel; it provides the hook points (the "locations") where filtering rules take effect.
iptables: the user-space tool that works with netfilter to generate firewall rules; it is what actually produces the packet-filtering, NAT, mangle and other rules.
Firewall: a component that works at the edge of a host or network, inspects and monitors incoming and outgoing packets, and, once a packet meets a predefined rule (a matching criterion plus a processing action), handles the packet accordingly.
The implementation of iptables is based on filtering packets by their header fields. Examples of such fields:
IP: source address, destination address
TCP: source port, destination port
UDP: source port, destination port
ICMP: ICMP message type
Development history:
Linux 2.0: ipfw/firewall
Linux 2.2: ipchains/firewall
Linux 2.4: iptables/netfilter
Netfilter filtering has the following five rule chains (hook points):
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
Four kinds of tables, each with the chains it can use:
filter, the filtering table: INPUT, OUTPUT, FORWARD
nat, the address translation table: PREROUTING, OUTPUT, POSTROUTING
mangle, the table for splitting, modifying and encapsulating packets: PREROUTING, FORWARD, OUTPUT, POSTROUTING
raw table: PREROUTING, OUTPUT
Iptables:
500 rules
Can a custom chain be used?
Yes, but a custom chain only takes effect when it is called (jumped to) from another chain, and if no rule in the custom chain matches, control must return to the calling chain.
* users can delete custom chains once they are empty
* the built-in (default) chains cannot be deleted
Each rule has two built-in counters:
the number of matched packets
the total size of matched packets (bytes)
A rule consists of matching criteria and a processing action.
Matching criteria:
1. Generic matching
-s, --src SOURCE: source address
-d, --dst DESTINATION: destination address
-p PROTOCOL (tcp, udp, icmp): the protocol
-i INTERFACE: the interface the packet arrives on (ethX)
Usable only in the chains that see incoming traffic: PREROUTING, INPUT, FORWARD
-o INTERFACE: the interface the packet leaves on
Usable only in the chains that see outgoing traffic: OUTPUT, POSTROUTING, FORWARD
2. Extended matching
a. Implicit extension: there is no need to name the extension module, because -p (tcp/udp/icmp) already selects it
-p tcp: --sport and --dport match the source port and destination port
--tcp-flags mask comp: only the flag bits listed in mask (a comma-separated list of flags) are examined; the bits listed in comp must be 1, and the bits that are in mask but not in comp must be 0. Bits not listed in mask are ignored.
The type of a TCP segment can be determined from the values of flag bits such as ACK, FIN, RST and SYN. For example, when SYN=1 and the others are 0, the segment is the first packet of the TCP three-way handshake.
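The mask/comp rule is easy to misread, so the following is an added sh model (not code from the article) of how --tcp-flags MASK COMP decides a match. It expands the ALL and NONE aliases, checks only the bits named in the mask, and then uses that check to label a few constructed flag sets the way a filter rule would classify them; the flag lists and label names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a POSIX sh model of the
# "--tcp-flags MASK COMP" decision. Packet flag sets below are constructed.

# Expand the ALL / NONE aliases that iptables accepts in either list.
expand_flags() {
    case "$1" in
        ALL)  echo "SYN,ACK,FIN,RST,URG,PSH" ;;
        NONE) echo "" ;;
        *)    echo "$1" ;;
    esac
}

# is_member FLAG LIST -> succeeds if FLAG appears in the comma-separated LIST
is_member() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Succeeds when every flag in MASK that is listed in COMP is set in the packet
# and every flag in MASK that is absent from COMP is clear.  Flags outside
# MASK are never examined, which is exactly the iptables semantics.
tcp_flags_match() {
    tfm_mask=$(expand_flags "$1")
    tfm_comp=$(expand_flags "$2")
    tfm_pkt=$3
    for tfm_flag in $(echo "$tfm_mask" | tr ',' ' '); do
        tfm_want=0; tfm_have=0
        is_member "$tfm_flag" "$tfm_comp" && tfm_want=1
        is_member "$tfm_flag" "$tfm_pkt"  && tfm_have=1
        [ "$tfm_want" -eq "$tfm_have" ] || return 1
    done
    return 0
}

# classify_tcp_packet PACKET_FLAGS -> prints a label (names are my own)
# The first two tests are the classic handshake checks; the last two are
# flag combinations that never occur in a legitimate session.
classify_tcp_packet() {
    if   tcp_flags_match SYN,ACK,FIN,RST SYN     "$1"; then echo "syn"
    elif tcp_flags_match SYN,ACK,FIN,RST SYN,ACK "$1"; then echo "syn-ack"
    elif tcp_flags_match ALL NONE                "$1"; then echo "null"
    elif tcp_flags_match SYN,FIN SYN,FIN         "$1"; then echo "syn-fin"
    else echo "other"
    fi
}

# Demonstration on constructed flag sets (an empty string means no flags set).
for pkt in SYN SYN,PSH SYN,ACK "" SYN,FIN ACK,PSH; do
    printf '%-10s -> %s\n' "[$pkt]" "$(classify_tcp_packet "$pkt")"
done
```

Note that SYN,PSH is still labelled "syn": PSH is not in the mask SYN,ACK,FIN,RST, so the rule never looks at it. That is why a rule intended to catch only the first handshake packet must list every flag it cares about in the mask, not only the one it expects to be set.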
-p icmp
--icmp-type 8: echo request; the host can be reached by ping
--icmp-type 1: the host can send ping messages
-p udp
--sport and --dport match the source port and destination port
b. Explicit extension: the extension module must be named explicitly, using the -m option of iptables
This enables an additional matching mechanism:
-m EXTENSION --extension-specific-option
state: the connection-state extension, e.g. -m state --state NEW -j ACCEPT
It tracks the state of each session with ip_conntrack
NEW: a new connection request
ESTABLISHED: an established connection
INVALID: an invalid (untrackable) connection
RELATED: a connection related to an existing one
-m multiport: matches a discrete list of ports
--source-ports
--destination-ports
--ports
-m iprange: matches a range of addresses
--src-range
--dst-range
-m connlimit: limits the number of parallel connections
[!] --connlimit-above n
-m limit: rate limiting
--limit RATE
Commands

Managing rules
-A: append a rule at the end of a chain
-I CHAIN [num]: insert a rule as rule number num of CHAIN
-D CHAIN [num]: delete rule number num from the specified chain
-R CHAIN [num]: replace the specified rule

Managing chains
-F [CHAIN]: flush (empty) the specified chain; if CHAIN is omitted, every chain in the table is flushed
-P CHAIN: set the default policy of the specified chain
-N: create a new, empty user-defined chain
-X: delete an empty user-defined chain
-Z: zero the counters of every rule in the specified chain
-E: rename a user-defined chain

Viewing
-L: list the rules in the specified table
-n: show host addresses and port numbers numerically
-x: show exact counter values
-v: show details of chains and rules
-vv: more verbose output
--line-numbers: show rule numbers

Actions (targets), selected with -j
ACCEPT: let the packet through
DROP: discard the packet
REJECT: refuse the packet
DNAT: destination address translation
SNAT: source address translation
REDIRECT: port redirection
MASQUERADE: address masquerading (implemented on the PREROUTING chain of the MAC table)
MARK: mark the packet
LOG: log the packet

iptables is not a service, but it has a service script. The script's main jobs are to manage the saved rules and to load or remove the iptables/netfilter kernel modules (iptable_nat, iptable_filter, iptable_mangle, iptable_raw, ip_nat, ...).

Saving rules:
# service iptables save (writes to /etc/sysconfig/iptables)
# iptables-save > /etc/sysconfig/iptables.2021
Restoring rules:
# iptables-restore < /etc/sysconfig/iptables.2021
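To show the pieces above working together (state tracking, a custom chain that is only reached by a jump, multiport, iprange, connlimit, limit, LOG, and the iptables-save / iptables-restore flow), here is an added sh script that is not part of the article. It renders a complete filter-table ruleset in the iptables-restore format rather than running a series of iptables commands; the interface name, the port lists, the 192.0.2.x administrator range and the chain name SCAN_LOG are constructed assumptions, and the file path is the one used on the page.

```shell
#!/bin/sh
# Added example, not from the original article: build a stateful filter
# ruleset in iptables-restore format and load it atomically.
# Assumed values (constructed): admin range, web ports, chain name SCAN_LOG.
ADMIN_RANGE=${ADMIN_RANGE:-192.0.2.10-192.0.2.20}   # documentation range, constructed
WEB_PORTS=${WEB_PORTS:-80,443}

# render_ruleset: print the ruleset that iptables-restore would load.
# Default policy DROP on INPUT/FORWARD means a packet that matches no rule is
# discarded, so every rule below is an explicit exception.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SCAN_LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j SCAN_LOG
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j SCAN_LOG
-A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 10 -j REJECT
-A INPUT -p tcp --dport 22 -m iprange --src-range $ADMIN_RANGE -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports $WEB_PORTS -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-DROP: "
-A SCAN_LOG -m limit --limit 3/minute -j LOG --log-prefix "IPT-SCAN: "
-A SCAN_LOG -j DROP
COMMIT
EOF
}

# rule_count: number of -A lines in the rendered ruleset (12 with defaults).
rule_count() {
    render_ruleset | grep -c '^-A '
}

# apply_ruleset FILE: save the running rules as FILE.bak, write the new
# ruleset to FILE (the page uses /etc/sysconfig/iptables.2021) and load it.
# iptables-restore replaces the whole table in one step, so there is never a
# half-applied ruleset, unlike a sequence of separate iptables -A commands.
# Not called at top level; run as root after reviewing the output.
apply_ruleset() {
    iptables-save > "$1.bak"
    render_ruleset > "$1"
    iptables-restore < "$1"
}

# Print the ruleset for review.
render_ruleset
```

The custom chain SCAN_LOG is reached only through the two -j SCAN_LOG jumps, which is the calling relationship described earlier; because its last rule is DROP, nothing returns to INPUT from it. The two -m limit rules on LOG keep a flood of unwanted packets from filling the kernel log, and the ESTABLISHED,RELATED rule near the top means the port-specific rules are only evaluated for NEW connections.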
© 2024 shulou.com SLNews company. All rights reserved.