Shulou(Shulou.com)06/01 Report--

Iptables

Packets Filter Firewall; iptables/netfilter: packet filtering firewall; packet filtering firewall with stateful inspection; connection tracking (connection tracking)

Firewall: isolation tool; a set of components that work at the edge of a host or network, detect passing messages according to predefined rules (identification conditions), and implement a predefined processing mechanism for messages that can be matched by rules

Hardware firewall: part of the firewall at the hardware level, and another part of the function is based on software.

Software firewall: a firewall implemented by general hardware running application software processing logic

Host firewall: the scope of service is the current host

Network firewall: the scope of service is LAN

Get help:

CentOS 7:man iptables-extensions

CentOS 6:man iptables

Iptables/netfilter: a host or network firewall implemented by software

Netfilter: a framework;5 hook function located on the tcp/ip protocol stack in the kernel

Iptables: a command-line program in user space that generates rules and sends them to netfilter in the kernel

Hook function hook function:

Prerouting

Input

Forward

Output

Postrouting

Chain chain:

PREROUTING

INPUT

FORWARD

OUTPUT

POSTROUTING

Four tables

Filter: filtering, firewall

Nat:network address translation; is used to modify the source or destination address, or even the port, of a message

Mangle: disassemble the message, make changes, and repackage it

Raw: turn off the connection tracking mechanism enabled on the nat table

Priority order (from high to low):

Raw-- > mangle-- > nat-- > filter

Among the four tables, the corresponding chains for each table are (function hooks):

Raw:PREROUTING,OUTPUT

Mangle:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING

Nat:PREROUTING,INPUT,OUTPUT,POSTRUTING

Filter:INPUT,FORWARD,OUTPUT

Message flow:

Message to a certain process on this machine: PREROUTING-- > INPUT

Message forwarded by this: PREROUTING-- > FORWARD-- > POSTROUTING

Issued by this process: OUTPUT-- > POSTROUTING

The constituent parts of the rules:

Matching criteria:

Network layer header attribute value

Transport layer header attribute value

Additional conditions

Processing actions:

TCP/IP protocol stack:

Data link layer: communication between physical and physical devices; (MAC,Media Access Control)

Network layer: communication between source host and destination host

Transport layer: process to process communication

CentOS 5/6:iptables command writing rules

CentOS 7:firewalld

Systemctl disable firewalld.service

Iptables command:

Rule: try to match each message that flows through this place according to the specified matching conditions. once the match is successful, it will be processed by the processing action specified at the end of the rule.

Matching criteria:

Basic matching conditions: simply check some attributes of IP, TCP, UDP and other messages to match

Extended matching condition: the matching condition that needs to be specified by the expansion module is extended matching.

Processing actions:

Basic actions: ACCEPT,DROP,...

Expansion action: an action that needs to be done with the help of an expansion module

Questions to consider when adding rules:

(1) the flow path of the message to determine the chain to which the rule is added

(2) determine the functions to be implemented and determine which table to add rules to.

(3) the matching condition to be specified to match the target message

The format of the rule: iptables [- t table] COMMAND chain [- m matchname [per-match-options]] [- j targetname [per-target-options]]

-t table:

Default is filter;. Other available ones are raw, mangle, nat.

COMMAND:

Chain:

-P:policy, policy, define default policy; generally, there are two choices, ACCEPT and DROP

-N:new, create a custom rule chain; it will not take effect until it is called by the rules on the built-in chain. [- j chain_name]

-X:drop to delete a custom empty chain with a reference count of 0

-F:flush to clear the specified chain

-E: rename custom reference count and chain with 0

Rules:

-A:append, append, append a rule to the end of the specified chain

-I:insert, insert, insert a rule at the specified position (indicates the head of the chain when the position is omitted)

-D:delelte, delete, delete the specified rule

-R:replace, replace, replace the specified rule with a new rule; you cannot modify only parts of the rule, but replace the whole rule completely

View:

-L:list, listing the rules on the chain in the table

-n:numeric, displayed in numeric format

-v:verbose to display detailed format information

-vv.-vvv.

-x:exactly, exact result of the counter

-- line-numbers: displays the rule number in the chain

Counter:

Rules, and default policies have dedicated counters

The record is matched by the current rule:

(1) number of messages

(2) Total number of bytes

Reset the rule counter:

-Z:zero, set 0

Chain:

(1) built-in chain

(2) Custom chain

Matching criteria:

Multiple conditions: the logical relationship is "and"

Basic matching criteria:

[!]-s,-- source address [/ mask] [,...]: check whether the source IP address in the message matches the address or range specified here

[!]-d,-- destination address [/ mask] [,...]: check whether the destination IP address in the message matches the address or range specified here

[!]-p,-- protocol protocol:

Protocol: {tcp | udp | icmp}

[!]-I,-- in-interface name: data message inflow interface; INPUT, FORWARD and PREROUTING

[!]-o,-- out-interface name: data message outflow interface; FORWARD, OUTPUT and POSTROUTING

Extended matching condition

Implicit extension: do not use the-m option to indicate matchname to match with the dedicated options of this match

-p tcp: implied-m tcp

[!]-- source-port,--sport port [: port]: matches the source port of the transport layer in the message

[!]-- destination-port,--dport port [: port]: matches the destination port of the transport layer in the message

[!]-tcp-flags mask comp

SYN,ACK,FIN,RST,URG,PSH

Mask: a comma-separated list of flag bits to check

Comp: flag bits that must be 1, and the remaining flag bits that appear in the mask list must be 0

-- tcp-flags SYN,ACK,FIN,RST SYN

[!]-syn:

Equivalent to-- tcp-flags SYN,ACK,FIN,RST SYN

-p udp: implied-m udp:

[!]-- source-port,--sport port [: port]: matches the source port of the transport layer in the message

[!]-- destination-port,--dport port [: port]: matches the destination port of the transport layer in the message

-p icmp: implied-m icmp:

[!]-- icmp-type {type [/ code] | typename}

8:echo-request

0:echo-reply

Explicit extension: you must use the-m option to indicate matchname, and some match may have dedicated options

1. Multiport extension

Define multi-port matching conditions in a discrete or continuous manner

[!]-- source-ports,--sports port [, port |, port:port]...: specify multiple source ports

[!]-- destination-ports,--dports port [, port |, port:port]...: specify multiple destination ports

[!]-- ports port [, port |, port:port]...: specify multiple ports

2. Iprange extension

Indicate continuous multi-address matching conditions with a continuous range of ip addresses

[!]-- src-range from [- to]: source IP address

[!]-- dst-range from [- to]: destination IP address

3. String extension

Do string matching detection on the application layer data in the message

[!]-- string pattern: to detect a string pattern

[!]-- hex-string pattern: string pattern to be detected, hexadecimal encoding

-- algo {bm | kmp}

4. Time extension

The matching degree is detected according to the arrival time of the message and the specified time range.

-- datestart YYYY [- MM [- DD [Thh [: mm [: ss]: start date time

-- datestop YYYY [- MM [- DD [Thh [: mm [: ss]: end date time

-- timestart hh:mm [: ss]

-- timestop hh:mm [: ss]

[!]-- monthdays day [, day...]

[!]-- weekdays day [, day...]

~] # iptables-I INPUT-d 172.16.100.67-p tcp-- dport 23-m time-- timestart 09:00:00-- timestop 18:00:00-- weekdays Tue,Thu,Sat-j ACCEPT

5. Connlimit extension

Match the number of concurrent connections per client IP

-- connlimit-upto n: if the number of connections is less than or equal to n, it should be allowed at this time

-- connlimit-above n: if the number of connections is greater than n, it should be rejected.

~] # iptables-An INPUT-d 172.16.100.67-p tcp-- dport 23-m connlimit--connlimit-upto 2-j ACCEPT

6. Limit extension

Matching based on the rate of sending and receiving messages

-- limit Rate [/ second | / minute | / hour | / day]: average rate

-- limit-burst number: peak rate

7. State extension

State detection; connection tracking mechanism (conntrack)

INVALID: unrecognized statu

ESTABLISHED: established connection

NEW: new connection

RELATED: associated connection

UNTRACKED: untracked connections

Nf_conntrack kernel module

Tracked connection: / proc/net/nf_conntrack file

The maximum number of connections that can be tracked is defined as: / proc/sys/net/nf_conntrack_max

This value can be defined by yourself, and it is recommended to adjust it to large enough if necessary.

Length of time for connection tracking for different protocols:

/ proc/sys/net/netfilter/

[!]-state STATE

How to open up a modeled ftp service:

(1) load the module that tracks ftp protocol

# modprobe nf_conntrack_ftp

(2) release command connection

~] # iptables-An INPUT-d 172.16.100.67-p tcp-m state-- state ESTABLISHED-j ACCEPT

~] # iptables-An INPUT-d 172.16.100.67-p tcp-- dport 21-m state-- state NEW-j ACCEPT

(3) release data connection

~] iptables-An INPUT-d 172.16.100.67-p tcp-m state-- state RELATED-j ACCEPT

Process action (target)

-j targetname [per-target-options]

Targetname:

ACCEPT: accept

DROP: discard

REJECT: reject

Save and reload rules:

Iptables-save > / PATH/TO/SOME_RULE_FILE

Iptables-restore < / PATH/FROM/SOME_RULE_FILE

CentOS 6:

Save the rule:

Service iptables save

Automatically save rules to / etc/sysconfig/iptables file

Overload rules:

Server iptables restore

Reload rules from the / etc/sysconfig/iptables file

Rule optimization:

(1) all inbound and outbound connections with a status of ESTABLISHED can be safely released

(2) for the rules that serve the same kind of function, the matching conditions should be strictly placed in front and loosely placed behind.

(3) for rules that serve different types of functions, matching messages are more likely to be expanded in front and less in the back.

(4) set the default policy

(a) Last rule setting

(B) default policy settings

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.