2025-02-24 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
One: Preface
A firewall may be a hardware or a software firewall. Whatever the network, the firewall works at the network edge. How a firewall behaves is defined by its policies and rules, which let it inspect and filter the IP packets entering and leaving the network.
Today the market offers layer-3/4 firewalls, called network-layer firewalls, and layer-7 firewalls. In terms of the seven-layer model of TCP/IP, the third layer is the network layer, and a layer-3 firewall inspects the source and destination addresses at that layer. A layer-7 firewall, by contrast, inspects everything you send regardless of source or destination port and source or destination address. For users the layer-7 firewall is therefore more secure, but it reduces transmission efficiency, so the usual firewall schemes on the market combine the two.
Two: History and working principle of iptables
1. Development of iptables
The predecessor of iptables was ipfirewall (kernel 1.x era), a simple access-control tool that its author ported from FreeBSD; it could work in the kernel to inspect packets. But ipfirewall was extremely limited: all rules had to be placed into the kernel before they could run, which is generally very troublesome. When the kernel reached the 2.x series the software was renamed ipchains, which could define multiple rules, string them together and let them work in concert. Today it is called iptables, which can form lists of rules to achieve very fine-grained access control.
All of these are user-space tools for defining rules; they are not the firewall itself. The rules they define are read by netfilter in kernel space, which is what actually enforces them. The hooks into the kernel must sit at specific points that the TCP/IP protocol stack passes through, and the component that reads the rules at those points is called netfilter (network filter).
The kernel provides five such hook locations in total:
1. Kernel space: packets forwarded from one network interface to another
2. Packets flowing from the kernel to user space
3. Packets flowing out of user space
4. Entering / leaving the external network interface of this machine
5. Entering / leaving the intranet interface of this machine
2. The working mechanism of iptables
As the figure shows, five locations are chosen as control chains. You may notice that the first three locations alone could block every path, so why are checkpoints also set up at the entry and exit? Because at the entry and exit the routing decision has not yet been made, the kernel does not know where the data is going, and filtering cannot be done there. Hence the chain for forwarding within kernel space, the chain for entering user space, and the chain for leaving user space.
These five positions are also known as the five hook functions, or the five rule chains:
1. PREROUTING (before routing)
2. INPUT (packet entry)
3. FORWARD (forwarding checkpoint)
4. OUTPUT (packet egress)
5. POSTROUTING (after routing)
These are the five rule chains defined by netfilter. Any packet that passes through the local machine traverses one of these five chains.
3. Firewall policy
Firewall policies are generally of two kinds: a "pass" policy and a "block" policy. With a pass policy the door is closed by default and you must define who may enter. With a block policy the door is open, but you must be authenticated or you cannot enter. So we must define who may come in and who may go out; pass or block is a choice. When defining policy we need several functions: defining what is allowed or denied for a packet is the filter function, and defining address translation is the nat function. To let these functions work side by side, the concept of a "table" was introduced to distinguish the different functions and processing methods.
Four tables are in common use today:
1. filter: filters packets
2. nat: defines address translation
3. mangle: modifies the original data of a packet
4. raw: has the highest priority; raw is generally used to stop iptables from connection-tracking certain packets, improving performance.
The priority of the four tables, from high to low, is raw > mangle > nat > filter.
For example, if the PREROUTING chain carries both a mangle table and a nat table, the mangle table is processed first and then the nat table. The raw table is only used on the PREROUTING and OUTPUT chains; because its priority is highest, received packets can be processed before connection tracking. Once a packet has been handled by the raw table on a chain, nat and ip_conntrack processing are skipped for it, that is, address translation and connection tracking are no longer done.
Note:
For filter, it can only be done on three chains: INPUT, FORWARD, and OUTPUT.
Generally speaking, nat can only be done on three chains: PREROUTING, OUTPUT, and POSTROUTING.
And mangle can be used on all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
iptables, the user-space tool, writes rules into netfilter, where they take effect immediately; it is not a service in itself. On our systems, however, iptables has been packaged as a service that can be started and stopped: starting it loads the rules so they take effect, and stopping it removes them.
iptables also supports user-defined chains, but a user-defined chain must be attached to a built-in chain: at some checkpoint a rule specifies that matching packets jump to the custom chain for processing, and when that chain finishes, processing returns and continues in the built-in chain.
Note: the order of rules is critical. The stricter a rule, the higher it should be placed, because rules are checked top-down.
Three: How to write rules
The way iptables defines rules is as follows:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: one of the three tables filter, nat, mangle
COMMAND: defines how rules are managed
chain: the chain the rule operates on; when defining a default policy it can be omitted
CRITERIA: the matching criteria
-j ACTION: how to handle the matched packet
For example, to deny the 172.16.0.0/16 network access to UDP port 53:
iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
Of course, if you want to refuse more thoroughly, replace rule 1 with a REJECT:
iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT
iptables -L -n -v # view the details of the defined rules
Four: COMMAND in detail
1. Chain management commands (all take effect immediately)
-P: set the default policy (whether the door is closed or open by default)
There are generally only two default policies:
iptables -P INPUT (DROP | ACCEPT) closed / open by default
For example:
iptables -P INPUT DROP sets the default to reject. If no further rules are defined, all external connections, including the Xshell session, are rejected.
-F: FLUSH, clear a rule chain (mind which table's chain you are clearing)
iptables -t nat -F PREROUTING
iptables -t nat -F clears all chains of the nat table
-N: NEW, lets the user create a new chain
iptables -N inbound_tcp_web creates a user-defined chain named inbound_tcp_web, here intended to check inbound web traffic over tcp.
-X: delete a user-defined empty chain
Used the same way as -N, but the chain must be emptied before it is deleted.
-E: rename a chain, mainly used for user-defined chains
iptables -E oldname newname
-Z: zero the packet and byte counters of a chain and of its default rule (there are two counters: how many packets and how many bytes were matched)
iptables -Z: zero the counters
2. Rule management commands
-A: append, add a rule at the end of the current chain
-I num: insert, insert the rule at position num
-I 3: insert as the third rule
-R num: replace / modify the rule at position num
Format: iptables -R 3 ...
-D num: delete, explicitly specify which rule to delete
3. The viewing command -L
Additional options:
-n: show IP addresses as numbers; without -n the IP is reverse-resolved to a hostname
-v: show details
-vv
-vvv: the more v's, the more detail
-x: show the exact counter values without unit conversion
--line-numbers: show the line number of each rule
-t nat: show the chains of the nat table
Five: Matching criteria in detail
1. Generic matching: source and destination address
-s: match on source address. A hostname cannot be given here; it must be an IP.
IP | IP/MASK | 0.0.0.0/0.0.0.0
The address can also be negated with "!", meaning everything except that IP.
-d: match on destination address
-p: match on protocol (usually one of 3 protocols: TCP/UDP/ICMP)
-i eth0: traffic entering through this interface
Inbound interface matching is generally used on INPUT and PREROUTING
-o eth0: traffic leaving through this interface
Outbound interface matching is usually used on OUTPUT and POSTROUTING.
2. Extended matching
2.1 Implicit extensions: extensions of the protocol
-p tcp: extensions of the TCP protocol; there are generally three:
--dport XX-XX: destination port; not multiple discontiguous ports, only a single port or a contiguous range, such as
--dport 21 or --dport 21-23 (which means 21, 22, 23)
--sport: source port
--tcp-flags: TCP flag bits (SYN,ACK,FIN,PSH,RST,URG)
It usually takes two parameters:
1. the flag bits to check
2. the flag bits that must be 1
--tcp-flags syn,ack,fin,rst syn = --syn
This checks these 4 bits, of which SYN must be 1 and the others must be 0, so it matches the first packet of the three-way handshake. This SYN=1 first-packet match also has an abbreviation, --syn.
-p udp: extensions of the UDP protocol
--dport
--sport
-p icmp: extensions of the ICMP protocol
--icmp-type:
echo-request (request echo), usually written as 8
so --icmp-type 8 matches echo request packets
echo-reply (response packet), usually written as 0.
2.2 Explicit extensions (-m)
Various extension modules can be loaded
-m multiport: enable the multiport extension
After that you can use things like --dports 21,23,80
Six: -j ACTION in detail
Commonly used ACTIONs:
DROP: discard
Generally we use DROP to hide the host and its rule set from the sender.
REJECT: explicitly reject
ACCEPT: accept
Custom_chain: jump to a user-defined chain
DNAT
SNAT
MASQUERADE: source address masquerade
REDIRECT: redirect, mainly used for port redirection
MARK: firewall marking
RETURN: return
Used at the end of a user-defined chain to return to the original rule chain.
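Tying sections Three to Six together, here is an added example that is not part of the original article: the rule format, default policies, a user-defined chain ending in RETURN, --tcp-flags and -m multiport, written as an iptables-restore file so the policy can be reviewed and checked offline before it is loaded. The chain name inbound_tcp_web comes from the article; the denied range 172.16.0.0/16 and the admin range 10.0.0.0/8 are assumed values.

```shell
# Added example (not the article's own code): emit the filter-table policy
# described above in iptables-restore format, to review offline and then load
# atomically with:  iptables-restore < rules.v4
# Assumptions: 172.16.0.0/16 is the denied range, 10.0.0.0/8 the admin range;
# the chain name inbound_tcp_web is taken from the article.
set -eu

# Print the ruleset on stdout. Rules are ordered strictest-first, as the
# article stresses: matching is top-down and the first match wins.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:inbound_tcp_web - [0:0]
# Loopback and replies to existing flows first (cheap, matches most traffic).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Section Three example: deny the 172.16.0.0/16 network DNS against this host.
-A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j REJECT
# Only a handshake's first packet (SYN=1, ACK/FIN/RST=0) enters the web chain.
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j inbound_tcp_web
# Custom chain: several ports in one rule via the multiport extension.
-A inbound_tcp_web -p tcp -m multiport --dports 80,443 -j ACCEPT
-A inbound_tcp_web -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
# Anything unmatched returns to INPUT, where the DROP policy applies.
-A inbound_tcp_web -j RETURN
COMMIT
EOF
}

# Default policy of a chain ("-" for user-defined chains, which have none).
chain_policy() {
    build_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}

# Number of rules appended to a chain (0 when the chain has none).
count_rules() {
    build_ruleset | grep -c "^-A $1 " || true
}

# 1-based position of the first rule in a chain whose target is $2 (0 if
# absent), handy for asserting that strict rules sit above permissive ones.
rule_position() {
    build_ruleset | awk -v c="$1" -v t="$2" \
        '$1 == "-A" && $2 == c { n++; if ($NF == t && !p) p = n } END { print p + 0 }'
}

build_ruleset
```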