Firewall iptables

2025-01-18 Update. From: SLTechnology News&Howtos (shulou), Servers

Shulou(Shulou.com)06/02 Report--

Chapter 1 Firewall iptables

A network firewall sits between a computer and the network it is connected to. All traffic entering or leaving the computer passes through it, so the firewall can inspect that traffic and filter out what should not reach the target computer. A firewall can also close ports that are not in use, block outbound traffic on specific ports (for example, to stop a Trojan from calling home), and prohibit access from particular sites, thereby cutting off communication with unknown parties.

1.1 Introduction to iptables

People usually say that iptables is a firewall. Strictly speaking, the firewall is the combination iptables/netfilter, a software network firewall. iptables works in user space and is the tool used to write the rules; the rules written with iptables are handed to netfilter, which works in kernel space and is the framework that actually enforces them on passing packets.

What is iptables?

A firewall (the Chinese term literally means "fire-prevention wall").

iptables is firewall software used to prevent unauthorized access to our website or server.

Firewalls come in software and hardware form:

1. iptables is a software firewall.

2. Hardware firewalls (commercial products): Huawei, Sangfor, Cisco, H3C, Juniper, Topsec (Tianrongxin), Fortinet, Wangkang, NSFOCUS, Golden Shield.

iptables is an open-source firewall tool based on packet filtering.

It can also do NAT: 1) gateway: sharing one Internet connection across a local area network; 2) IP or port mapping.

iptables itself matches at layers 2, 3 and 4 of the seven-layer OSI model. Layer 7 control is possible only with extra kernel support (recompiling the kernel with a layer-7 matching patch) or by combining iptables with an application proxy such as squid: iptables redirects the traffic, the proxy inspects it.

iptables enterprise application scenarios

1. Host firewall (INPUT chain of the filter table).

2. Sharing one Internet connection across a LAN (POSTROUTING chain of the nat table); this is the NAT function of a router.

3. Port and IP mapping (PREROUTING chain of the nat table); this is the NAT function of a hardware firewall.

4. One-to-one IP mapping.

1.2 iptables packet filtering process

Summary of the iptables workflow:

1. The firewall filters rule by rule: a packet is checked against the configured rules of a chain from top to bottom, in the order the rules were added.

2. As soon as a packet matches a rule with a terminating target (ACCEPT, DROP, REJECT), that action is taken and the packet is not compared against any later rule in the chain. Non-terminating targets such as LOG are the exception: the packet is logged and evaluation continues.

3. If no rule explicitly accepts or rejects the packet, it continues down the chain until the end, where the chain's default policy decides.

4. The default policy is therefore the last thing applied: it takes effect only after every rule in the chain has been checked without a match.
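Because rule order decides the outcome, a host firewall (scenario 1 above) has to be built in a deliberate sequence: allow rules first, the restrictive default policy last, and any later block rule inserted at the top rather than appended. The script below is an added example written for this page, not code from the original article. It assumes sshd on port 22 and a management network of 10.0.0.0/24 (both overridable); setting IPT=echo prints the commands instead of executing them, which is how you can review the order before running it as root.

```shell
#!/bin/sh
# Added example (not from the original article): build the INPUT chain of the
# filter table in an order that respects first-match semantics and does not
# lock the administrator out. Set IPT=echo to dry-run (prints the commands
# instead of executing them); the real binary needs root.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"               # assumption: sshd listens on 22
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"    # assumption: management network

# Emit the INPUT chain rules for a host firewall. Order matters: iptables
# stops at the first matching terminating rule, so the specific allow rules
# come first and the catch-all policy is set last.
host_firewall() {
    # 1. Start from a known state, keeping the policy ACCEPT while we work
    #    (flushing a chain whose policy is already DROP would cut us off).
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # 2. Loopback and replies to connections this host initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. Management access, before anything that could drop it.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # 4. Public services.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 5. Only now flip the default policy; anything not matched above is dropped.
    $IPT -P INPUT DROP
}

# Block a source address. Appending (-A) a DROP after the ACCEPT rules would
# never be reached for traffic those rules already accept, so it is inserted
# at position 1 (-I), ahead of everything else.
block_source() {
    $IPT -I INPUT 1 -s "$1" -j DROP
}

# Show the chain with rule numbers so the order can be verified (-n avoids
# DNS lookups, --line-numbers gives the positions used by -I and -D).
show_input() {
    $IPT -nL INPUT --line-numbers
}

# Run stand-alone: "sh firewall.sh apply" applies (or, with IPT=echo, prints)
# the ruleset and then lists it.
if [ "${1:-}" = "apply" ]; then
    host_firewall
    show_input
fi
```

The policy is changed only after the RELATED,ESTABLISHED and SSH rules exist, so an existing SSH session survives the switch to DROP; run it over a console or with a scheduled rollback the first time anyway.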

1.3 What does iptables consist of?

Containment relationship:

iptables firewall => 4 tables => 5 chains => rules (policies)

The chains correspond to the points at which packets are processed (inbound, outbound, forwarded).

In practice you only need to know which table and which chain a rule belongs in; the rules placed there then control how packets are handled.

iptables has 4 tables:

1. filter (the host firewall function) *

2. nat (port or IP mapping and shared Internet access) *

3. mangle (modifies packet headers and marks: TTL, TOS, MARK, used for policy routing); not covered here.

4. raw (exempts packets from connection tracking); not covered here.

Chains present in each table:

filter: INPUT, OUTPUT, FORWARD

nat: PREROUTING, OUTPUT, POSTROUTING (newer kernels also add INPUT)

mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

raw: PREROUTING, OUTPUT

The 5 chains:

* INPUT: packets destined for the host itself. Host firewall (INPUT chain of the filter table).

OUTPUT: packets generated by the host.

FORWARD: packets routed through the host (neither from nor to it).

* PREROUTING: the first chain a packet entering the server passes through, before the routing decision. NAT port or IP mapping (PREROUTING chain of the nat table).

* POSTROUTING: the last chain a packet leaving the server passes through, after the routing decision. LAN Internet sharing (POSTROUTING chain of the nat table).
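The three NAT scenarios listed in 1.1 (shared Internet access, port mapping, one-to-one IP mapping) map directly onto the PREROUTING and POSTROUTING chains just described. The script below is an added example for this page, not code from the original article; the interface name eth0 and the 192.168.1.0/24, 203.0.113.10 and 203.0.113.11 addresses are assumptions. IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original article): the three NAT scenarios of
# the text as rules in the nat table, plus the filter FORWARD rules they need.
# Interface names and addresses are assumptions for illustration.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal network
WEB_HOST="${WEB_HOST:-192.168.1.10}"     # assumed internal web server
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed public address on WAN_IF
MAPPED_IP="${MAPPED_IP:-203.0.113.11}"   # assumed second public address for 1:1 mapping
INNER_IP="${INNER_IP:-192.168.1.20}"     # assumed host behind the 1:1 mapping

# Scenario 2: the LAN shares one Internet connection. Source NAT is done in
# POSTROUTING of the nat table, after the routing decision, as the packet leaves.
share_internet() {
    # Forwarding is a kernel setting, not an iptables rule.
    $SYSCTL -w net.ipv4.ip_forward=1
    # MASQUERADE uses whatever address WAN_IF currently has; with a static
    # public address, SNAT --to-source is cheaper.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # The filter table's FORWARD chain must still permit the traffic.
    $IPT -A FORWARD -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
}

# Scenario 3: port mapping. Destination NAT is done in PREROUTING, the first
# chain an inbound packet hits, so the routing decision that follows already
# sees the internal address and forwards the packet to the inner host.
map_port() {
    ext_port="$1"; int_port="$2"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport "$ext_port" \
        -j DNAT --to-destination "$WEB_HOST:$int_port"
    $IPT -A FORWARD -p tcp -d "$WEB_HOST" --dport "$int_port" -m state --state NEW -j ACCEPT
}

# Scenario 4: one-to-one mapping. DNAT inbound (PREROUTING) and SNAT outbound
# (POSTROUTING) so the inner host appears as MAPPED_IP in both directions.
# MAPPED_IP must also be configured on WAN_IF (or answered via proxy ARP).
map_one_to_one() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$MAPPED_IP" -j DNAT --to-destination "$INNER_IP"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$INNER_IP" -j SNAT --to-source "$MAPPED_IP"
    $IPT -A FORWARD -d "$INNER_IP" -m state --state NEW -j ACCEPT
}

# Run stand-alone: "sh nat.sh apply" applies (or, with IPT=echo, prints)
# all three scenarios; port 8080 outside is mapped to port 80 on WEB_HOST.
if [ "${1:-}" = "apply" ]; then
    share_internet
    map_port 8080 80
    map_one_to_one
    $IPT -t nat -nL --line-numbers
fi
```

Two things the text's one-line descriptions leave out and the script makes explicit: NAT rules only rewrite addresses, so the filter table's FORWARD chain (here with a restrictive default policy in mind) still has to allow the rewritten traffic through, and the one-to-one mapping needs both a DNAT and an SNAT rule, one per direction.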

1.4 iptables common command parameters

Two ways to view the firewall rules (the output below is the stock ruleset shipped on RHEL/CentOS 6):

[root@web01 ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[root@web01 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@web01 ~]#

To list the rules together with their positions in the chain:

iptables -nL --line-numbers

-n: numeric output; addresses and ports are not resolved to host or service names, which avoids slow DNS lookups. Rule 3 above is the loopback rule (-i lo); interface matches are only shown when -v is added.


© 2024 shulou.com SLNews company. All rights reserved.
