
Detailed explanation of linux Firewall netfilter

2025-03-30 Update. From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

A detailed explanation of netfilter, the Linux kernel firewall

The general flow of a packet as it passes through a Linux host:

packet arrives at the host -> PREROUTING (preprocessing) -> routing decision -> FORWARD (inspection) -> POSTROUTING -> sent out on the chosen route

netfilter can implement firewall functions because it is hooked into the Linux kernel's packet-processing path.

[root@lib ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@lib ~]# systemctl start firewalld

View all of its default rules:

[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   79  5656 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   390 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   390 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   390 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    2   286 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 42 packets, 4480 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  4480 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   390 IN_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    3   390 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   390 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   390 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
    1   104 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#

[root@lib ~]# yum install firewall-config

Open the graphical firewall configuration tool:

[root@lib ~]# firewall-config

Detailed explanation of the netfilter function modules

The path of a packet: hook functions: prerouting, input, output, forward, postrouting
Chains (built-in): PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Functions (tables):
  filter: filtering, the firewall proper
  nat: network address translation; modifies the source or destination IP, and can also change the port
  mangle: disassemble the packet, modify it, and re-encapsulate it
  raw: turn off the connection tracking mechanism that the nat table enables
Paths through the chains:
  into the local machine: PREROUTING --> INPUT
  out from the local machine: OUTPUT --> POSTROUTING
  forwarded: PREROUTING --> FORWARD --> POSTROUTING
netfilter firewall rules are managed with the iptables command.

iptables/netfilter rules:
  Components: matching conditions and a processing action. The packet is tested against the rule's matching conditions; once it matches, it is handled by the processing action the rule defines.
  Matching conditions: basic matching conditions: built in; extended matching conditions: defined by extension modules.
  Processing action: basic processing action: built in; extended processing action: defined by extension modules.
  Custom processing mechanism: custom chains.
iptables chains: built-in chains and custom chains.
  Built-in chain: corresponds to a hook function.
  Custom chain: extends and supplements the built-in chains to allow more flexible rule management.
Considerations when adding rules:
  (1) Which function is to be achieved: this decides which table the rule goes in.
  (2) The path the packet flows along: this decides which chain the rule goes in.
  (3) The order of rules on a chain is the order of inspection, which implies some rules of thumb:
      (1) for rules of the same kind (access to the same application), put the one with the smaller match range first;
      (2) for rules of different kinds (access to different applications), put the one that matches more frequent traffic first;
      (3) merge multiple rules that can be described by one rule;
      (4) set a default policy.

iptables command: highly modular, with many extension modules that define matching conditions or processing actions, found under /usr/lib64/xtables/ (IPv6: libip6t_*, IPv4: libipt_*, both: libxt_*).

Synopsis:
  iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
  Matching conditions: basic: -s, -d, -p, -i, -o; extended: -m matchname per-match-options
  Processing actions: basic: ACCEPT, DROP; extended: REJECT, RETURN, LOG, REDIRECT, ...; a user-defined chain
  COMMAND:
    chain management: -N, -X, -P, -E
    rule management: -A, -I, -D, -R, -F, -Z
    view: -L, -n, -v, -x, --line-numbers

Command forms:
  iptables [-t table] {-A|-C|-D} chain rule-specification
  iptables [-t table] -I chain [rulenum] rule-specification
  iptables [-t table] -R chain rulenum rule-specification
  iptables [-t table] -D chain rulenum
  iptables [-t table] -S [chain [rulenum]]
  iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
  iptables [-t table] -N chain
  iptables [-t table] -X [chain]
  iptables [-t table] -P chain target
  iptables [-t table] -E old-chain-name new-chain-name
  rule-specification = [matches...] [target]
  match = -m matchname [per-match-options]
  target = -j targetname [per-target-options]

Rule format: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

-t table: raw, mangle, nat, [filter]; filter is the default.

COMMAND, chain management:

-N: new, create a custom rule chain

[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)            (the reference count is 0)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#

-X: delete a custom rule chain. Note: only a user-defined chain that is empty and has a reference count of 0 can be deleted.

[root@lib ~]# iptables -X in_web_rules
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#

-P: policy, set the default policy of a chain. For the chains of the filter table the default policy is one of: ACCEPT (accept), DROP (discard silently), REJECT (reject with a reply).

[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[root@lib ~]# iptables -P FORWARD ACCEPT
[root@lib ~]# iptables -vnL FORWARD | head -1
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
[root@lib ~]#

-E: rename a custom chain. A custom chain whose reference count is not 0 can be neither renamed nor deleted.

[root@lib ~]# iptables -vnL in_web_rules
Chain in_web_rules (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]# iptables -E in_web_rules in_web_rules_new1
[root@lib ~]# iptables -vnL in_web_rules_new1
Chain in_web_rules_new1 (0 references)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]# iptables -vnL in_web_rules
iptables: No chain/target/match by that name.
[root@lib ~]#

Rule management:

-A: append a rule at the end of the chain.
-I: insert a rule at the given position; when the position is omitted it becomes the first rule.
-D: delete a rule, either (1) by its rule number or (2) by giving the rule itself.

[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
8        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
9        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]# iptables -D FORWARD 8          (delete rule 8 of the FORWARD chain)
[root@lib ~]# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6        0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
8        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]#

-R: replace the rule at the given position on the given chain.
-F: flush, clear all rules of the given chain.

[root@lib ~]# iptables -vnL INPUT          (view the rules of the INPUT chain)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   77  5976 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7  1087 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7  1087 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7  1087 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    7  1087 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]#
[root@lib ~]# iptables -F INPUT
[root@lib ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 7 packets, 575 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#

-Z: zero the counters. Every iptables rule has two counters: (1) the number of packets it matched, and (2) the total size in bytes of all the packets it matched.

[root@lib ~]# iptables -Z INPUT

View:
-L: list all the rules on the given chain (all chains if none is given)
-n: numeric, show addresses and port numbers as numbers instead of names
-v: verbose, detailed output; -vv and -vvv give more detail
-x: exact, show the exact counter values instead of rounded K/M figures
--line-numbers: show the rule number of each rule

[root@lib ~]# iptables -L -n
[root@lib ~]# iptables -L --line-numbers -v -n
[root@lib ~]# iptables -L --line-numbers -vv -n
[root@lib ~]# iptables -L --line-numbers -v -n -x
[root@lib ~]# iptables -vnxL --line-numbers
[root@lib ~]# iptables -vnxL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8539 737755 ACCEPT    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1175 174348 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1175 174348 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1175 174348 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 1168 173260 REJECT    all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
[root@lib ~]#

[root@lib ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
[root@lib ~]#

Chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Matching conditions:
  Basic matching conditions (no module needs to be loaded; provided by iptables/netfilter itself):
    [!] -s, --source address[/mask][,...]: check whether the packet's source IP address matches the address or range given here.
    [!] -d, --destination address[/mask][,...]: check whether the packet's destination IP address matches the address or range given here. All addresses: 0.0.0.0/0.
    [!] -p, --protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"; in practice {tcp|udp|icmp}.
    [!] -i, --in-interface name: the interface the packet arrives on. It only applies to incoming packets, so it can only be used in the PREROUTING, INPUT and FORWARD chains.
    [!] -o, --out-interface name: the interface the packet leaves through. It only applies to outgoing packets, so it can only be used in the FORWARD, OUTPUT and POSTROUTING chains.

Processing action: -j targetname [per-target-options], e.g. ACCEPT, DROP, REJECT

Centos 7 has 7 tables

[root@lib ~]# iptables -L                  (the default filter table)
[root@lib ~]# iptables -t filter -L
[root@lib ~]# iptables -t mangle -L
[root@lib ~]# iptables -t raw -L
[root@lib ~]# iptables -t nat -L
[root@lib ~]# iptables -t security -L

[root@lib ~]# systemctl stop firewalld
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#

For example, allow the 192.168.0.0/24 network to access the local host:

[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   432 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 592 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@lib ~]#

Allow the local host to access the 192.168.0.0/24 network segment:

[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
18424 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   592 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24
[root@lib ~]#

If -d or -p is not given, the rule matches all destinations or all protocols respectively.

[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P FORWARD DROP
[root@lib ~]# iptables -P OUTPUT DROP

With the default policy set to DROP, the ACCEPT rules form a whitelist:

[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  381 27776 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   79  9064 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24
[root@lib ~]#

192.168.0.101 cannot ping 192.168.0.103: the INPUT chain only lets TCP through, and ping uses ICMP.

C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.

Allow it in:

[root@lib ~]# iptables -t filter -A INPUT -s 192.168.0.101 -d 192.168.0.103 -p icmp -j ACCEPT

[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  766 57344 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103
    0     0 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
36208 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24
[root@lib ~]#

The ping still does not work, because the echo replies have not been allowed out: the OUTPUT chain still drops ICMP.

C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.103:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
C:\Users\kerberos>

You can confirm this by capturing packets: the requests arrive, but no replies leave.

[root@lib ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
16:18:21.075645 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 347, length 40
16:18:26.077079 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 348, length 40
16:18:31.079188 IP 192.168.0.101 > 192.168.0.103: ICMP echo request, id 1, seq 349, length 40

Add a rule to allow the replies out:

[root@lib ~]# iptables -t filter -A OUTPUT -s 192.168.0.103 -d 192.168.0.101 -p icmp -j ACCEPT

[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1070 79152 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103
    6   360 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  484 53984 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24
    0     0 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101
[root@lib ~]#

Ping again:

C:\Users\kerberos>ping 192.168.0.103
Pinging 192.168.0.103 with 32 bytes of data:
Reply from 192.168.0.103: bytes=32 time...

And tcpdump now shows the reply as well:

... > 192.168.0.103: ICMP echo request, id 1, seq 353, length 40
16:21:10.442357 IP 192.168.0.103 > 192.168.0.101: ICMP echo reply, id 1, seq 353, length 40

Firewall customization approach: generally use a whitelist: reject everything, then allow specific traffic.

[root@lib ~]# systemctl status firewalld

Exercise: the local address is 172.16.0.67.

1. Open all local TCP services to all hosts:
   # iptables -I INPUT -d 172.16.0.67 -p tcp -j ACCEPT
   # iptables -I OUTPUT -s 172.16.0.67 -p tcp -j ACCEPT

2. Open all local UDP services to the hosts in the 172.16.0.0/16 network, but not to 172.16.0.200:
   # iptables -I INPUT 2 -d 172.16.0.67 -s 172.16.0.200 -p udp -j REJECT
   # iptables -I INPUT 3 -d 172.16.0.67 -s 172.16.0.0/16 -p udp -j ACCEPT
   # iptables -I OUTPUT 2 -s 172.16.0.67 -d 172.16.0.0/16 -p udp -j ACCEPT

3. The default policy is REJECT.

Extension: 1. Open only the local ssh service to the hosts in 172.16.0.0/16, excluding 172.16.0.200.

iptables/netfilter

Framework: netfilter

Five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Tables:
  filter: packet filtering
  nat: address translation
  mangle: packet modification
  raw: turn off the connection tracking mechanism that the nat table enables
  security

Chains each table can attach to:
  filter: INPUT, FORWARD, OUTPUT
  nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
  mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
  raw: PREROUTING, OUTPUT

iptables command:
  iptables [-t table] COMMAND chain [rulenum] [-m matchname [per-match-options]] [-j targetname [per-target-options]] [options]
  Matching conditions: basic: -s, -d, -p, -i, -o; extended: -m matchname per-match-options
  Processing actions: basic: ACCEPT, DROP; extended: REJECT, RETURN, LOG, REDIRECT, ...; a user-defined chain
  COMMAND:
    chain management: -N, -X, -P, -E
    rule management: -A, -I, -D, -R, -F, -Z
    view: -L, -n, -v, -x, --line-numbers

Among the extension modules, an uppercase name is a target (processing action) and a lowercase name is a match (condition matching):

[root@lib ~]# rpm -ql iptables | grep -i -E 'tcp|icmp|upd'
/usr/lib64/xtables/libip6t_icmp6.so
/usr/lib64/xtables/libipt_icmp.so
/usr/lib64/xtables/libxt_TCPMSS.so
/usr/lib64/xtables/libxt_TCPOPTSTRIP.so
/usr/lib64/xtables/libxt_tcp.so
/usr/lib64/xtables/libxt_tcpmss.so
[root@lib ~]#

iptables (2)

iptables [-t table] COMMAND [chain] [PARAMETERS] [-m matchname [per-match-options]] [-j targetname [per-target-options]]

Matching criteria:
  Basic matching conditions: PARAMETERS
  Extended matching conditions:
    Implicit extension: when -p names a specific protocol, -m is not needed to name the extension module; the protocol's module is implied.
    Explicit extension: -m must be used to name the extension module to invoke.

Implicit extensions: the module does not need to be loaded by hand, because it extends the protocol given with -p; naming the protocol with -p already names the module.
  tcp:
    [!] --source-port, --sport port[:port]: match the packet's source port; may be a port range
    [!] --destination-port, --dport port[:port]: match the packet's destination port; may be a port range
    [!] --tcp-flags mask comp: mask is the set of flags to examine, as a comma-separated list such as SYN,ACK,FIN,RST; comp is the comma-separated list of those flags that must be set. For example "--tcp-flags SYN,ACK,FIN,RST SYN" examines the four flags SYN, ACK, FIN and RST, of which SYN must be 1 and the other three must be 0.
    [!] --syn: match the first packet of the handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN"

Allow 192.168.0.0/24 to access the port 22 (ssh) service on 192.168.0.103:

[root@lib ~]# iptables -I INPUT -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 22 -j ACCEPT     (-I inserts at the head of the chain)
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

[root@lib ~]# iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9148 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
 2221  175K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103
   10   600 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp dpt:22
 1391  152K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24
    4   240 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101
[root@lib ~]#

ssh cannot connect. The client side of an ssh connection uses a random port, not 22, so the server's reply packets carry source port 22 and a random destination port; the OUTPUT rule above therefore has to be written with --sport 22.

Delete it and reconfigure:

[root@lib ~]# iptables -D OUTPUT 1
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -d 192.168.0.0/24 -p tcp --sport 22 -j ACCEPT

At this point, if you run "iptables -F" to clear the rules, only the default policy is left, that is, policy DROP, and ssh can no longer connect.

To remove this risk, use the following rules instead. They are equivalent to a default policy of DROP, but without the "iptables -F" lockout described above, because a flush removes the REJECT rules while the ACCEPT policy stays.

[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT

This is equivalent to a default policy of DROP:

[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 18 packets, 2660 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      619 52768 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
2       31  1860 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103
3        0     0 REJECT     all  --  *      *       0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      215 39652 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
2        4   240 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101
3       30  2460 REJECT     all  --  *      *       192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

Pinging itself still works:

[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.027 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.027/0.031/0.035/0.004 ms

Go back to the previous default policy for comparison:

[root@lib ~]# iptables -P INPUT DROP
[root@lib ~]# iptables -P OUTPUT DROP
[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL --line-numbers
Chain INPUT (policy DROP 1 packets, 143 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      953 77040 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
2       31  1860 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      396 60380 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
2        4   240 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101

Now the host cannot even ping itself: with a default policy of DROP, loopback traffic matches no ACCEPT rule. The policy is too strict.

[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@lib ~]#

Back to the production configuration (trailing REJECT rules, policy ACCEPT):

[root@lib ~]# iptables -A INPUT -d 192.168.0.103 -j REJECT
[root@lib ~]# iptables -A OUTPUT -s 192.168.0.103 -j REJECT
[root@lib ~]#
[root@lib ~]# iptables -P INPUT ACCEPT
[root@lib ~]# iptables -P OUTPUT ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1902  148K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
   31  1860 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103
    0     0 REJECT     all  --  *      *       0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  955  132K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
    4   240 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101
    0     0 REJECT     all  --  *      *       192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

Alternatively, the terminal rules can be tied to the network interface instead of the address:

[root@lib ~]# iptables -A INPUT -i ens33 -j REJECT
[root@lib ~]# iptables -A OUTPUT -o ens33 -j REJECT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2135  165K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
   31  1860 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103
    0     0 REJECT     all  --  *      *       0.0.0.0/0            192.168.0.103        reject-with icmp-port-unreachable
    1   143 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1082  147K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
    4   240 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101
    0     0 REJECT     all  --  *      *       192.168.0.103        0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

The address-based REJECT rule (rule 3 in each chain) can now be deleted. The interface-based rule takes over, and the host can still ping itself because loopback traffic does not pass through ens33:

[root@lib ~]# iptables -D INPUT 3
[root@lib ~]# iptables -D OUTPUT 3
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2217  171K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
   31  1860 ACCEPT     icmp --  *      *       192.168.0.101        192.168.0.103
    3   429 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1127  153K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
    4   240 ACCEPT     icmp --  *      *       192.168.0.103        192.168.0.101
    0     0 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

[root@lib ~]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.031/0.041/0.052/0.012 ms
[root@lib ~]#

Common service ports: Samba uses udp 137 and 138 plus tcp 139 and 445; DNS uses tcp 53 or udp 53.

tcp/udp port matches:
[!] --source-port, --sport port[:port]: match the source port of the packet; may be a port range
[!] --destination-port, --dport port[:port]: match the destination port of the packet; may be a port range

icmp match:
[!] --icmp-type {type[/code]|typename}
echo-request: 8
echo-reply: 0

Remove the two icmp rules (rule 2 in each chain). Only ssh passes now, and the host can no longer ping out:

[root@lib ~]# iptables -D INPUT 2
[root@lib ~]# iptables -D OUTPUT 2
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2453  187K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
   38  5520 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1299  188K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
  462 42904 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

[root@lib ~]# ping 192.168.0.101
PING 192.168.0.101 (192.168.0.101) 56(84) bytes of data.
From 192.168.0.103 icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
From 192.168.0.103 icmp_seq=2 Destination Port Unreachable
ping: sendmsg: Operation not permitted
^C
--- 192.168.0.101 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
[root@lib ~]#

Add a rule to let echo requests out:

[root@lib ~]# iptables -I OUTPUT 2 -s 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3041  236K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
   55  9273 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1715  235K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
    0     0 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 8
  486 50288 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

Try pinging again. The request leaves and the peer answers (tcpdump on the peer sees both the request and the reply), but the reply is not accepted, because no inbound rule allows it yet:

[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.

[root@lamp ~]# tcpdump -i ens33 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:21:25.826655 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 81, length 64
20:21:25.826691 IP 192.168.0.100 > 192.168.0.103: ICMP echo reply, id 6301, seq 81, length 64
20:21:26.826886 IP 192.168.0.103 > 192.168.0.100: ICMP echo request, id 6301, seq 82, length 64
ICMP echo reply, id 6301, seq 82, length 64

After adding the matching inbound rule, the replies are accepted:

[root@lib ~]# iptables -I INPUT 2 -d 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3412  266K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 0 code 0
     27642 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1923  271K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
     13524 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 8
  679 79464 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

[root@lib ~]# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=64 time=0.526 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=64 time=0.325 ms
^C
--- 192.168.0.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.325/0.425/0.526/0.102 ms
[root@lib ~]#

Success.

Pings from other hosts still get no answer, because no rule allows inbound echo requests or outbound echo replies:

[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
^C
--- 192.168.0.103 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
[root@lamp ~]#

Reconfigure:

[root@lib ~]# iptables -I INPUT 3 -d 192.168.0.103 -p icmp --icmp-type 8 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 3 -s 192.168.0.103 -p icmp --icmp-type 0/0 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4417  349K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 0 code 0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 8
  264 30983 REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2599  346K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
     13524 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 8
    2   168 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 0 code 0
  712 89640 REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

[root@lamp ~]# ping 192.168.0.103
PING 192.168.0.103 (192.168.0.103) 56(84) bytes of data.
64 bytes from 192.168.0.103: icmp_seq=1 ttl=64 time=0.341 ms
64 bytes from 192.168.0.103: icmp_seq=2 ttl=64 time=0.317 ms
^C
--- 192.168.0.103 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.317/0.329/0.341/0.012 ms
[root@lamp ~]#

Configure rules for the Samba file server, starting with udp 137 and 138:

[root@lib ~]# iptables -I INPUT -d 192.168.0.103 -p udp --dport 137:138 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT -s 192.168.0.103 -p udp --sport 137:138 -j ACCEPT
[root@lib ~]# iptables -vnL
Chain INPUT (policy ACCEPT 1 packets, 356 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.103        udp dpts:137:138
 5246  420K ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:22
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 0 code 0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 8
  857  119K REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 356 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       192.168.0.103        0.0.0.0/0            udp spts:137:138
 3057  430K ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:22
     13524 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 8
    2   168 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 0 code 0
 1257  253K REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

Clients still cannot connect after this: telnet to 137 and 138 hangs, and smbclient times out.

[root@lamp ~]# telnet 192.168.0.103 137
Trying 192.168.0.103...
^C
[root@lamp ~]# telnet 192.168.0.103 138
Trying 192.168.0.103...
^C
[root@lamp ~]#
[root@lamp ~]# smbclient //192.168.0.103/HRDept -U smbuser4
Connection to 192.168.0.103 failed (Error NT_STATUS_IO_TIMEOUT)
[root@lamp ~]#

tcp ports 139 and 445 are also needed. Opening several ports in one rule calls for an explicit extension.

Explicit extension: the extension module must be loaded explicitly with [-m matchname [per-match-options]]; that is, you must use the -m option to name the extension module to be called.

1. multiport
This module matches a set of source or destination ports. Up to 15 ports can be specified. A port range (port:port) counts as two ports. It can only be used in conjunction with one of the following protocols: tcp, udp, udplite, dccp and sctp. It defines a multi-port matching condition in a discrete or contiguous form, up to 15 ports:
[!] --source-ports, --sports port[,port|,port:port]...: specify multiple source ports
[!] --destination-ports, --dports port[,port|,port:port]...: specify multiple destination ports
# iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -j ACCEPT

-R, --replace chain rulenum rule-specification
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -p tcp -m multiport --dports 22,80,139,445 -j ACCEPT
[root@lib ~]# iptables -R OUTPUT 2 -s 192.168.0.103 -p tcp -m multiport --sports 22,80,139,445 -j ACCEPT

[root@lib ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.103        udp dpts:137:138
  152 10960 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.103        multiport dports 22,80,139,445
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 0 code 0
    2   168 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.103        icmptype 8
 3609  557K REJECT     all  --  ens33  *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  249 54072 ACCEPT     udp  --  *      *       192.168.0.103        0.0.0.0/0            udp spts:137:138
    9  1480 ACCEPT     tcp  --  *      *       192.168.0.103        0.0.0.0/0            multiport sports 22,80,139,445
    1    84 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 8
    2   168 ACCEPT     icmp --  *      *       192.168.0.103        0.0.0.0/0            icmptype 0 code 0
 2645  863K REJECT     all  --  *      ens33   0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@lib ~]#

[root@lamp ~]# smbclient -L 192.168.0.103
Enter SAMBA\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        HRDept          Disk      HR share file
        IPC$            IPC       IPC Service (Samba 4.8.3)
Reconnecting with SMB1 for workgroup listing.
Anonymous login successful

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        SAMBA                LIB
[root@lamp ~]#

2. iprange
Matches multiple IP addresses given as a contiguous address block:
[!] --src-range from[-to]
[!] --dst-range from[-to]
# iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
# iptables -I OUTPUT -s 172.16.0.7 -p tcp -m multiport --sports 22,80,139,445,3306 -m iprange --dst-range 172.16.0.61-172.16.0.70 -j REJECT

3. time
This matches if the packet arrival time/date is within a given range.
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --weekdays day[,day...]
[!] --monthdays day[,day...]
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--kerneltz: use the kernel-configured time zone instead of the default UTC
iptables -R INPUT 3 -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -m time --timestart 10:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j REJECT
iptables -R OUTPUT 3 -s 172.16.0.7 -p tcp -m multiport --sports 22,80,139,445,3306 -m iprange --dst-range 172.16.0.61-172.16.0.70 -m time --timestart 10:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 --kerneltz -j REJECT

4. string
Checks whether the packet payload contains a given string. This module matches a given string by using some pattern matching strategy.
--algo {bm|kmp}: the algorithm
[!] --string pattern
[!] --hex-string pattern
--from offset
--to offset
~]# iptables -I OUTPUT -m string --algo bm --string "gay" -j REJECT
The string pattern can be used for simple text characters:
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|:
iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'

5. connlimit
Used against denial of service: limits the number of concurrent connections from a single client address (or client address block).
--connlimit-upto n
--connlimit-above n
Because the firewall's default rule is to reject, connections at or below the limit are allowed:
~]# iptables -I INPUT -d 172.16.0.7 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
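The --hex-string pattern for DNS above spells out the name as length-prefixed labels ending in a zero byte. The following added helper (not from the original article) builds that pattern for any name, so the length bytes do not have to be counted by hand; a wrong length byte silently matches nothing.

```shell
#!/bin/sh
# Added example, not part of the original article. Build the --hex-string
# argument of the iptables string match from a DNS name: each label becomes
# |len| followed by the label text, and the name ends with |00|.
dns_name_hex_string() {
    name=$1
    out=""
    old_ifs=$IFS
    IFS=.                                   # split the name on dots
    for label in $name; do
        [ -n "$label" ] || continue         # tolerate a trailing dot
        # DNS labels are at most 63 bytes; refuse anything longer.
        [ ${#label} -le 63 ] || { IFS=$old_ifs; return 1; }
        out="${out}|$(printf '%02x' "${#label}")|${label}"
    done
    IFS=$old_ifs
    printf '%s|00|\n' "$out"
}

# Print the complete rule as it would be typed (nothing is executed here).
# --from 40 skips the IP (20), UDP (8) and DNS (12) headers, as in the man
# page example above, so the match starts at the question name.
dns_log_rule() {
    printf "iptables -A INPUT -p udp --dport 53 -m string --algo bm --from 40 --hex-string '%s' -j LOG\n" \
        "$(dns_name_hex_string "$1")"
}

dns_log_rule www.netfilter.org
```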

Start MariaDB and create a test account that may connect from any host:

[root@lib ~]# systemctl start mariadb
[root@lib ~]#
[root@lib ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
MariaDB [(none)]> create user 'test'@'%' IDENTIFIED BY 'test';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host from mysql.user where user = 'test';
+------+------+
| user | host |
+------+------+
| test | %    |
+------+------+
1 row in set (0.00 sec)

MariaDB [(none)]>

The remote client cannot connect, because the firewall has no rule for port 3306:

[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.0.103' (110)
[root@lamp ~]#

Add firewall rules:

[root@lib ~]# iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.103 -p tcp --dport 3306 -j ACCEPT
[root@lib ~]# iptables -I OUTPUT 2 -d 192.168.0.0/24 -s 192.168.0.103 -p tcp --sport 3306 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
    1    60 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       192.168.0.103        192.168.0.0/24       tcp spt:3306
[root@lib ~]#

[root@lamp ~]# mysql -u test -h 192.168.0.103 -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Modify the inbound rule so that a client with more than 2 concurrent connections has the extra ones rejected; connlimit counts the connections per source address, that is, the completed TCP three-way handshakes:

[root@lib ~]# iptables -R INPUT 2 -d 192.168.0.103 -s 192.168.0.0/24 -p tcp --dport 3306 -m connlimit --connlimit-upto 2 -j ACCEPT
[root@lib ~]# iptables -vnL | grep 3306
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       192.168.0.103        tcp dpt:3306 #conn src/32 <= 2

Saving and reloading rules:
save rules: iptables-save > /PATH/TO/SOME_RULE_FILE
reload rules: iptables-restore < /PATH/FROM/SOME_RULE_FILE
-n, --noflush: do not flush the existing rules
-t, --test: only parse and build the rule set, do not commit it
CentOS 6:
save rules: service iptables save, which writes the rules to /etc/sysconfig/iptables, overwriting the file
reload rules: service iptables restart, which by default reloads the rules from /etc/sysconfig/iptables
configuration file: /etc/sysconfig/iptables-config
CentOS 7:
(1) a custom unit file that runs iptables-restore;
(2) the firewalld service;
(3) a custom script.

Ideas for optimizing rules: use custom chains to hold the rules of a specific application, so that rules are managed modularly;
(1) release packets whose state in both directions is ESTABLISHED first;
(2) among rules serving different categories of function, put the ones more likely to match a packet in front;
(3) among rules serving the same category of function, put the ones with stricter matching conditions in front;
(4) default policy as a white-list mechanism: (a) iptables -P is not recommended; (b) define a rule at the end of the chain to act as the default policy instead.
Block connections actively initiated outward by the server's port 80 service: outbound packets must not be in the NEW state, only ESTABLISHED, to prevent ***.

iptables/netfilter:
netfilter tables: raw (connection tracking), mangle (packet modification), nat (address translation), filter
PREROUTING --> INPUT
PREROUTING --> FORWARD --> POSTROUTING
OUTPUT --> POSTROUTING
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING

iptables [-t table] COMMAND [chain] rule-specification
rule-specification: -m matchname [per-match-options] -j targetname [per-target-options] [options]
matching conditions:
basic matching conditions: -s, -d, -p, -m, -i, -o
extended matching conditions:
implicit extensions: -p tcp: --dport, --sport, --tcp-flags, --syn; -p udp: --dport, --sport; -p icmp: --icmp-type
explicit extensions: multiport: --sports, --dports; iprange: --src-range, --dst-range; time: --timestart, --timestop, --weekdays, --monthdays, --datestart, --datestop; string: --algo {bm|kmp}, --string; connlimit: --connlimit-upto, --connlimit-above; limit: --limit, --limit-burst; state: --state NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED
targets: -j: ACCEPT, DROP, REJECT (--reject-with), LOG (--log-level, --log-prefix), a custom chain, RETURN
iptables-save / iptables-restore
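The following added example (not from the original article) puts the ordering advice above, and the earlier point about a trailing REJECT rule instead of a DROP policy, into one iptables-restore file for the lab host 192.168.0.103, and checks the properties a reviewer would look for before loading it. The host address, interface and service ports are the article's lab values; nothing is applied to the kernel.

```shell
#!/bin/sh
# Added example, not part of the original article. Generate the filter table
# for host 192.168.0.103 as iptables-restore input. Rule order follows the
# optimization list above:
#  (1) ESTABLISHED,RELATED first: one rule per chain covers most packets;
#  (2) busiest services (ssh, Samba) before rarer ones (icmp);
#  (3) stricter matches (LAN-only ssh with a connection cap) before looser;
#  (4) a terminal REJECT rule as the default instead of -P DROP, so that an
#      accidental iptables -F leaves the host reachable (policy ACCEPT).
HOST_IP="192.168.0.103"
LAN="192.168.0.0/24"
WAN_IF="ens33"

build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# (1) packets of tracked connections, both directions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# (2)/(3) new connections to this host's services, most specific first
-A INPUT -s $LAN -d $HOST_IP -p tcp --dport 22 -m state --state NEW -m connlimit --connlimit-upto 2 -j ACCEPT
-A INPUT -d $HOST_IP -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
-A INPUT -d $HOST_IP -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -d $HOST_IP -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -s $HOST_IP -p icmp --icmp-type 8 -j ACCEPT
# (4) explicit default: the server may not start new connections outward
-A INPUT -i $WAN_IF -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Review checks on the generated text. Returns 0 when all pass, 1 otherwise.
check_ruleset() {
    rules=$(build_ruleset)
    # No DROP policy on INPUT/OUTPUT: the default must be a rule, not -P.
    echo "$rules" | grep -Eq '^:(INPUT|OUTPUT) DROP' && return 1
    # The state fast path must be the first rule in INPUT.
    first=$(echo "$rules" | grep '^-A INPUT' | head -n1)
    echo "$first" | grep -q 'ESTABLISHED,RELATED' || return 1
    # The terminal REJECT must be the last rule in INPUT.
    last=$(echo "$rules" | grep '^-A INPUT' | tail -n1)
    echo "$last" | grep -q -- '-j REJECT' || return 1
    # Every ACCEPT of a NEW connection must be bound to this host's address.
    echo "$rules" | grep -- '--state NEW' | grep -vq -- "-d $HOST_IP" && return 1
    return 0
}

build_ruleset
```

The generated text can be handed to iptables-restore --test before it is committed, as described in the save/reload notes above.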

iptables (3)

iptables/netfilter as a network firewall:
(1) runs on the gateway;
(2) uses the FORWARD chain of the filter table.

Points to note: (1) both request and response packets pass through the FORWARD chain, so watch the direction of each rule; (2) if the conntrack mechanism is enabled, it is recommended to release packets whose state in both directions is ESTABLISHED directly.

Hiding private network addresses: when an internal host accesses a server on the external network, its source IP address is translated to the external IP address of the gateway.

NAT: Network Address Translation
request packets: translation defined by the administrator; response packets: translated automatically by NAT's conntrack mechanism
request packets: change the source address: SNAT, MASQUERADE; change the destination address: DNAT
iptables/netfilter: NAT is defined in the nat table: PREROUTING, INPUT, OUTPUT, POSTROUTING
SNAT: in POSTROUTING, changes the source IP
DNAT: in PREROUTING, changes the destination IP
PAT: changes the source port
For a server with a cloud public IP, watch the number of tracked connections.
targets:
SNAT: This target is only valid in the nat table, in the POSTROUTING and INPUT chains, and user-defined chains which are only called from those chains. --to-source [ipaddr[-ipaddr]]
DNAT: This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. --to-destination [ipaddr[-ipaddr]][:port[-port]]
MASQUERADE: This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Like SNAT it is applied in the POSTROUTING chain to translate the source address, but it is the target to use when the public address is not fixed.
REDIRECT: This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. --to-ports port[-port]
layer7

Scenario: Host A: 192.168.10.2; Server C: 172.16.0.67

Host B (router): NIC1: 192.168.10.254, NIC2: 172.16.0.6; enable the IPv4 forwarding function.

Add the route pointing the internal network at Host B's external address:

# route add -net 192.168.10.0/24 gw 172.16.0.6

Add firewall rules. Start with a rule that rejects everything forwarded:

# iptables -A FORWARD -j REJECT

Let request packets go out:

# iptables -I FORWARD -s 192.168.10.0/24 -p tcp --dport 80 -j ACCEPT

Let response packets come back:

# iptables -I FORWARD -d 192.168.10.0/24 -p tcp --sport 80 -j ACCEPT

Using connection state instead, hosts on the internal network can access any service on the external network, while the external network cannot initiate connections into the intranet:

# iptables -D FORWARD 1
# iptables -D FORWARD 1
# iptables -I FORWARD -m state --state ESTABLISHED -j ACCEPT
# iptables -I FORWARD 2 -s 192.168.10.0/24 -m state --state NEW -j ACCEPT

Open one service in the private network to access from the public network:

# iptables -I FORWARD 3 -d 192.168.10.0/24 -p tcp --dport 80 -m state --state NEW -j ACCEPT

Open several services for public network access:

# iptables -R FORWARD 3 -d 192.168.10.2 -p tcp -m multiport --dports 21,23,80,139,445 -m state --state NEW -j ACCEPT
# iptables -I FORWARD 4 -d 192.168.10.2 -p udp --dport 137:138 -m state --state NEW -j ACCEPT

FTP needs the ftp connection-tracking helper, which is not loaded by default:

[root@lib ~]# lsmod | grep nf_conntrack_ftp
[root@lib ~]# modprobe nf_conntrack_ftp
[root@lib ~]# lsmod | grep nf_conntrack_ftp
nf_conntrack_ftp       18638  0
nf_conntrack          111302  1 nf_conntrack_ftp
[root@lib ~]#

Loading the module by hand is lost after a reboot. To make it permanent, list it in the iptables-config file:

[root@lib ~]# diff /etc/sysconfig/iptables-config /etc/sysconfig/iptables-config.bk.20190806
6c6
< IPTABLES_MODULES="nf_conntrack_ftp"
---
> IPTABLES_MODULES=""
[root@lib ~]#

Open FTP access (the data connection is RELATED to the tracked control connection):

# iptables -I FORWARD 5 -d 192.168.10.2 -p tcp -m state --state RELATED -j ACCEPT

NAT implementation:

# iptables -F FORWARD

Internal hosts access external services with the internal IP hidden, implemented with SNAT:

# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.0.6

DNAT implementation: the external network accesses an internal service:

# iptables -t nat -F
# iptables -t nat -A PREROUTING -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2

PAT can also be implemented with DNAT: the external network accesses port 80, but the internal service actually listens on 8080. Note that the FORWARD chain sees the packet after PREROUTING has rewritten it, so a filter rule there matches the translated port 8080:

# iptables -t nat -R PREROUTING 1 -d 172.16.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.2:8080
# iptables -A FORWARD -s 172.16.0.200 -p tcp --dport 8080 -d 192.168.10.2 -j REJECT

Local port mapping:

# iptables -t nat -A PREROUTING -d 192.168.10.2 -p tcp --dport 80 -j REDIRECT --to-ports 8080

tcp_wrapper: library file libwrap.so, the TCP wrapper. How to tell whether a service program can be access-controlled by tcp_wrapper:
(1) it is dynamically linked against libwrap.so: ldd /PATH/TO/PROGRAM (look for libwrap.so);
(2) libwrap.so was statically compiled into the program: strings /PATH/TO/PROGRAM (look for hosts_access).
hosts_access configuration files: /etc/hosts.allow, /etc/hosts.deny
See 'man 5 hosts_options' and 'man 5 hosts_access' for information on rule syntax.
Configuration file syntax: daemon_list : client_list [ : option : option ... ]
daemon_list: list of program file names:
(1) a single program file name;
(2) a comma-separated list of program file names;
(3) ALL: all programs controlled by tcp_wrapper.
client_list:
(1) a single IP address or host name;
(2) a network address: n.n.n.n/m.m.m.m or n.n.n.;
(3) built-in ACLs: ALL: all client hosts; LOCAL: matches any host whose name does not contain a dot character; UNKNOWN; KNOWN; PARANOID.
Operators: EXCEPT: list1 EXCEPT list2 EXCEPT list3, for example:
sshd: 172.16. EXCEPT 172.16.100. EXCEPT 172.16.100.68
[ : option : option ... ]:
deny: reject; mainly used in hosts.allow to define "deny" rules;
allow: permit; mainly used in hosts.deny to define "allow" rules;
spawn: trigger execution of any command the user specifies, usually used here to write a log entry:
vsftpd: 172.16. : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log
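The gateway configuration above, as an added example that is not part of the original article: the nat and filter tables for Host B (192.168.10.254 inside, 172.16.0.6 outside) are generated as one iptables-restore file, and a check confirms that every DNAT target also has a FORWARD rule for the translated address and port, the step most often forgotten when a published service hangs. Addresses and ports are the article's lab values; nothing is applied to the kernel.

```shell
#!/bin/sh
# Added example, not part of the original article. Generate the NAT gateway
# rule set for Host B as iptables-restore input (sysctl net.ipv4.ip_forward=1
# is still needed separately) and check DNAT/FORWARD consistency.
INSIDE_NET="192.168.10.0/24"
OUTSIDE_IP="172.16.0.6"
WEB_SERVER="192.168.10.2"
WEB_PORT="8080"          # real port on the internal host (PAT: 80 -> 8080)

gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT/PAT: public :80 on the gateway -> internal web server :$WEB_PORT
-A PREROUTING -d $OUTSIDE_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:$WEB_PORT
# SNAT: hide internal addresses behind the fixed public address
-A POSTROUTING -s $INSIDE_NET ! -d $INSIDE_NET -j SNAT --to-source $OUTSIDE_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# replies of tracked connections in either direction (FTP data via nf_conntrack_ftp)
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the inside may start any connection outward
-A FORWARD -s $INSIDE_NET -m state --state NEW -j ACCEPT
# the outside may only reach the published service, matched after DNAT
-A FORWARD -d $WEB_SERVER -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT
# explicit default instead of -P DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# For every DNAT rule, require a FORWARD ACCEPT for the translated address
# and port (FORWARD sees the packet after PREROUTING rewrote it).
# Prints one line per DNAT target: "ok host:port" or "missing host:port".
check_dnat_forward() {
    rules=$(gateway_rules)
    echo "$rules" |
    sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1 \2/p' |
    while read -r host port; do
        if echo "$rules" | grep -q -- "^-A FORWARD .*-d $host .*--dport $port .*-j ACCEPT"; then
            echo "ok $host:$port"
        else
            echo "missing $host:$port"
        fi
    done
}

gateway_rules
check_dnat_forward
```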
