Shulou(Shulou.com)06/01 Report--

Iptables explains how to use

In the Linux system, firewall (Firewall), URL translation (NAT), packet (package) recording, traffic statistics, these functions are provided by the Netfilter subsystem, and iptables is the tool to control Netfilter. Iptables organizes many complex rules into easy-to-control ways so that administrators can perform group tests, or close or start a set of rules.

Iptable can create a firewall for Unix, Linux, and BSD personal workstations, as well as firewalls for one subnet to protect other system platforms. Iptable only reads packet headers and does not burden the information flow and does not require validation.

When setting packets, fire protection agents have a set of rules that are followed and grouped. These rules are stored in a dedicated message packet filter table, and these tables are integrated in the Linux kernel. In the packet routing table, the rules are grouped into the chain we call. The netfilter/iptables ip packet routing system is a powerful tool for adding, editing, and removing rules.

Linux fire protection is a typical overloaded fire protection, which can be checked to arrive according to the information in the package to determine which data packets can be passed and which should be blocked. The fire protection behavior is mainly based on the destination address, port number and protocol type of the packets. All of this should be specified by the manager.

The package spooler engine in Linux has been upgraded in the kernel of version 2.4. Fire prevention tools were originally called ipchains. The reason for this name is that the fire alarm combines a series of rules into a series of rules that should be applied to network packets. Iptables goes a step further by combining groups with similar functions into a single table.

The above syntax is a bit abstract. Now consider a concrete example. The table used by iptables by default is filter. It contains three categories by default. They are forworld,input and output. Which of the rules defined in forward apply to the number of packets that need to be forwarded to another network interface. The custom rules in input apply to the number of packets sent to the local machine. The rules defined in output apply to the number of packets sent out of this machine.

Usually defining a filter table caters to most security requirements, because this table contains all the contents of the packet filter. In addition to filter,iptables, it also includes nat and mangle. Nat is used for web address translation. Mangle is used to modify network packets other than nat and packet filters.

1. Interpretation of terms

DNATDestination Network Address Translation destination network address translation. DNAT is a technology that changes the destination ip address of a packet. It is often used with SNAT so that multiple servers can share an ip address to connect to Internet and continue to serve. The flow of data is determined by assigning different ports to the same ip address. SNATSource Network Address Translation source network address translation. This is a technique for changing the source ip address of a packet and is often used to cause multiple computers to share a single Internet address. This is only used in IPv4, because the address of IPv4 is running out, and IPv6 will solve the problem.

2. Overview of iptable

Chain and table structure of iptable

As can be seen in the above figure, the overall structure of iptable.

5 chains (chain)

PREROUTING modifies the packet after it enters the firewall and before route judgment INPUT after the packet is routed locally, but before the user space program sees it, after the OUTPUT user space program processes the packet, it is issued locally Change the packet before being routed again FORWARD modifies the packet after the initial routing decision and before changing the source address of the packet for the last time POSTROUTING modifies the packet after all routing decisions

Note: chains are different links that each packet flow needs to go through. You can set different filtering policies according to your needs in different links. The default policy for each chain is accept.

4 tables (table)

Mangle table this table is mainly used for mangle packages, you can use mangle matching to change some properties of the package, such as TOS (type OF service), TTL (time TO LIVE), MARK (subsequent flow control TC, etc.) Nat table this table is only used for NAT, that is, the source or destination address of the translation package. Note that, as we said earlier, only the first packet of the stream will be matched by this chain, and the subsequent packets will be automatically DNAT,SNAT,MASQUERADE this table is used to filter packets, we can match packets and filter them at any time. This is where we DROP or ACCEPT the package according to its contents.

In iptalbe, the-t parameter is used to specify which table to operate. If there is no-t parameter, the filter table is operated by default. The Raw table has the highest priority. Raw is generally set in order to no longer let iptables do packet link tracking processing to improve performance.

Note: a table is a collection of rules. The rule entries in each table are matched sequentially. You can set rules in different segments of the packet. The processing priority of the table is: raw > mangle > nat > filter.

Detailed packet flow

As can be seen from the above figure, the packet flow link and the table are used together.

Iptable application scenario

The above figure is a simple topology description of the application scenario, and the following application scenarios are all for reference.

When the system starts up, all the default policies are ACCEPT, and in the following scenario example, we set iptable on this premise. The following examples of each scenario are independent and unrelated.

Gateway server security policy

Goal: gateway server system self-generated security policy, which only opens port 22 (sshd service) to intranet users.

# clear filter table [root@localhost] # iptables-F-t filter [root@localhost] # iptables-X-t filter [root@localhost] # iptables-Z-t filter # clear nat table [root@localhost] # iptables-F-t nat [root@localhost] # iptables-X-t nat [root@localhost] # iptables-Z-t nat # set the default policy (INPUT chain defaults to DROP) [root@localhost] # iptables-t filter-P INPUT DROP [root@localhost] # iptables-t filter-P OUTPUT ACCEPT [root@localhost] # iptables-t filter-P FORWARD ACCEPT # Loopback Interface (lo) Default accept [root@localhost] # iptables-An INPUT-p ALL-I lo-j ACCEPT # sshd service is only available to intranet users [root@localhost] # iptables-An INPUT-p tcp-s 192.168.138.0 dport 24-- dport 22-j ACCEPT

Note: the policy order of firewalls is generally from non-trust = > trust, turn off all access permissions by default, and then open access permissions one by one as needed.

Shared Internet access (nat)

Goal: to enable users of the local area network to access the servers of the external network

[root@localhost] # echo 1 > / proc/sys/net/ipv4/ip_forward [root@localhost] # iptables-t nat-A POSTROUTING-o ppp0-j MASQUERADE

Description: the difference between SNAT and MASQUERADE

SNAT: no matter how many addresses it is, the ip to be SNAT must be clearly specified. It is suitable for gateway servers to have fixed addresses or fixed address ranges. MASQUERADE: designed for the scenario of ADSL dynamic dialing, the current ip address is automatically obtained from the network interface of the server to do NAT, so dynamic SNAT address translation is realized.

External service of the server in the intranet (port mapping)

Goal: to enable external network users to access the HTTP service of LAN 192.168.138.21

[root@localhost] # echo 1 > / proc/sys/net/ipv4/ip_forward [root@localhost] # iptables-t nat-A PREROUTING-p tcp-m tcp-- dport 80-j DNAT-- to-destination 192.168.138.21 [root@localhost] # iptables-t nat-A POSTROUTING-o ppp0-j MASQUERADE

Perform a transparent proxy on the gateway server

Goal: to enable local area network users to automatically use squid as a web transparent proxy server when accessing the external network web service.

[root@localhost] # echo 1 > / proc/sys/net/ipv4/ip_forward [root@localhost] # iptables-t nat-A PREROUTING-s 192.168.138.0 DNAT 24-p tcp-- dport 80-I eth0-j DNAT-- to 192.168.138.1 [root@localhost] # iptables-t nat-A PREROUTING-s 192.168.138.0MB 24-p tcp-dport 80-I eth0-j REDIRECT-to 3128 [root@localhost] # iptables-t nat-A POSTROUTING-o ppp0-j MASQUERADE

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.