In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-03-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Iptables
Packets Filter Firewall; iptables/netfilter: packet filtering firewall; packet filtering firewall with stateful inspection; connection tracking (connection tracking)
Firewall: isolation tool; a set of components that work at the edge of a host or network, detect passing messages according to predefined rules (identification conditions), and implement a predefined processing mechanism for messages that can be matched by rules
Hardware firewall: part of the firewall at the hardware level, and another part of the function is based on software.
Software firewall: a firewall implemented by general hardware running application software processing logic
Host firewall: the scope of service is the current host
Network firewall: the scope of service is LAN
Get help:
CentOS 7:man iptables-extensions
CentOS 6:man iptables
Iptables/netfilter: a host or network firewall implemented by software
Netfilter: a framework;5 hook function located on the tcp/ip protocol stack in the kernel
Iptables: a command-line program in user space that generates rules and sends them to netfilter in the kernel
Hook function hook function:
Prerouting
Input
Forward
Output
Postrouting
Chain chain:
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
Four tables
Filter: filtering, firewall
Nat:network address translation; is used to modify the source or destination address, or even the port, of a message
Mangle: disassemble the message, make changes, and repackage it
Raw: turn off the connection tracking mechanism enabled on the nat table
Priority order (from high to low):
Raw-- > mangle-- > nat-- > filter
Among the four tables, the corresponding chains for each table are (function hooks):
Raw:PREROUTING,OUTPUT
Mangle:PREROUTING,INPUT,FORWARD,OUTPUT,POSTROUTING
Nat:PREROUTING,INPUT,OUTPUT,POSTRUTING
Filter:INPUT,FORWARD,OUTPUT
Message flow:
Message to a certain process on this machine: PREROUTING-- > INPUT
Message forwarded by this: PREROUTING-- > FORWARD-- > POSTROUTING
Issued by this process: OUTPUT-- > POSTROUTING
The constituent parts of the rules:
Matching criteria:
Network layer header attribute value
Transport layer header attribute value
Additional conditions
Processing actions:
TCP/IP protocol stack:
Data link layer: communication between physical and physical devices; (MAC,Media Access Control)
Network layer: communication between source host and destination host
Transport layer: process to process communication
CentOS 5/6:iptables command writing rules
CentOS 7:firewalld
Systemctl disable firewalld.service
Iptables command:
Rule: try to match each message that flows through this place according to the specified matching conditions. once the match is successful, it will be processed by the processing action specified at the end of the rule.
Matching criteria:
Basic matching conditions: simply check some attributes of IP, TCP, UDP and other messages to match
Extended matching condition: the matching condition that needs to be specified by the expansion module is extended matching.
Processing actions:
Basic actions: ACCEPT,DROP,...
Expansion action: an action that needs to be done with the help of an expansion module
Questions to consider when adding rules:
(1) the flow path of the message to determine the chain to which the rule is added
(2) determine the functions to be implemented and determine which table to add rules to.
(3) the matching condition to be specified to match the target message
The format of the rule: iptables [- t table] COMMAND chain [- m matchname [per-match-options]] [- j targetname [per-target-options]]
-t table:
Default is filter;. Other available ones are raw, mangle, nat.
COMMAND:
Chain:
-P:policy, policy, define default policy; generally, there are two choices, ACCEPT and DROP
-N:new, create a custom rule chain; it will not take effect until it is called by the rules on the built-in chain. [- j chain_name]
-X:drop to delete a custom empty chain with a reference count of 0
-F:flush to clear the specified chain
-E: rename custom reference count and chain with 0
Rules:
-A:append, append, append a rule to the end of the specified chain
-I:insert, insert, insert a rule at the specified position (indicates the head of the chain when the position is omitted)
-D:delelte, delete, delete the specified rule
-R:replace, replace, replace the specified rule with a new rule; you cannot modify only parts of the rule, but replace the whole rule completely
View:
-L:list, listing the rules on the chain in the table
-n:numeric, displayed in numeric format
-v:verbose to display detailed format information
-vv.-vvv.
-x:exactly, exact result of the counter
-- line-numbers: displays the rule number in the chain
Counter:
Rules, and default policies have dedicated counters
The record is matched by the current rule:
(1) number of messages
(2) Total number of bytes
Reset the rule counter:
-Z:zero, set 0
Chain:
(1) built-in chain
(2) Custom chain
Matching criteria:
Multiple conditions: the logical relationship is "and"
Basic matching criteria:
[!]-s,-- source address [/ mask] [,...]: check whether the source IP address in the message matches the address or range specified here
[!]-d,-- destination address [/ mask] [,...]: check whether the destination IP address in the message matches the address or range specified here
[!]-p,-- protocol protocol:
Protocol: {tcp | udp | icmp}
[!]-I,-- in-interface name: data message inflow interface; INPUT, FORWARD and PREROUTING
[!]-o,-- out-interface name: data message outflow interface; FORWARD, OUTPUT and POSTROUTING
Extended matching condition
Implicit extension: do not use the-m option to indicate matchname to match with the dedicated options of this match
-p tcp: implied-m tcp
[!]-- source-port,--sport port [: port]: matches the source port of the transport layer in the message
[!]-- destination-port,--dport port [: port]: matches the destination port of the transport layer in the message
[!]-tcp-flags mask comp
SYN,ACK,FIN,RST,URG,PSH
Mask: a comma-separated list of flag bits to check
Comp: flag bits that must be 1, and the remaining flag bits that appear in the mask list must be 0
-- tcp-flags SYN,ACK,FIN,RST SYN
[!]-syn:
Equivalent to-- tcp-flags SYN,ACK,FIN,RST SYN
-p udp: implied-m udp:
[!]-- source-port,--sport port [: port]: matches the source port of the transport layer in the message
[!]-- destination-port,--dport port [: port]: matches the destination port of the transport layer in the message
-p icmp: implied-m icmp:
[!]-- icmp-type {type [/ code] | typename}
8:echo-request
0:echo-reply
Explicit extension: you must use the-m option to indicate matchname, and some match may have dedicated options
1. Multiport extension
Define multi-port matching conditions in a discrete or continuous manner
[!]-- source-ports,--sports port [, port |, port:port]...: specify multiple source ports
[!]-- destination-ports,--dports port [, port |, port:port]...: specify multiple destination ports
[!]-- ports port [, port |, port:port]...: specify multiple ports
2. Iprange extension
Indicate continuous multi-address matching conditions with a continuous range of ip addresses
[!]-- src-range from [- to]: source IP address
[!]-- dst-range from [- to]: destination IP address
3. String extension
Do string matching detection on the application layer data in the message
[!]-- string pattern: to detect a string pattern
[!]-- hex-string pattern: string pattern to be detected, hexadecimal encoding
-- algo {bm | kmp}
4. Time extension
The matching degree is detected according to the arrival time of the message and the specified time range.
-- datestart YYYY [- MM [- DD [Thh [: mm [: ss]: start date time
-- datestop YYYY [- MM [- DD [Thh [: mm [: ss]: end date time
-- timestart hh:mm [: ss]
-- timestop hh:mm [: ss]
[!]-- monthdays day [, day...]
[!]-- weekdays day [, day...]
~] # iptables-I INPUT-d 172.16.100.67-p tcp-- dport 23-m time-- timestart 09:00:00-- timestop 18:00:00-- weekdays Tue,Thu,Sat-j ACCEPT
5. Connlimit extension
Match the number of concurrent connections per client IP
-- connlimit-upto n: if the number of connections is less than or equal to n, it should be allowed at this time
-- connlimit-above n: if the number of connections is greater than n, it should be rejected.
~] # iptables-An INPUT-d 172.16.100.67-p tcp-- dport 23-m connlimit--connlimit-upto 2-j ACCEPT
6. Limit extension
Matching based on the rate of sending and receiving messages
-- limit Rate [/ second | / minute | / hour | / day]: average rate
-- limit-burst number: peak rate
7. State extension
State detection; connection tracking mechanism (conntrack)
INVALID: unrecognized statu
ESTABLISHED: established connection
NEW: new connection
RELATED: associated connection
UNTRACKED: untracked connections
Nf_conntrack kernel module
Tracked connection: / proc/net/nf_conntrack file
The maximum number of connections that can be tracked is defined as: / proc/sys/net/nf_conntrack_max
This value can be defined by yourself, and it is recommended to adjust it to large enough if necessary.
Length of time for connection tracking for different protocols:
/ proc/sys/net/netfilter/
[!]-state STATE
How to open up a modeled ftp service:
(1) load the module that tracks ftp protocol
# modprobe nf_conntrack_ftp
(2) release command connection
~] # iptables-An INPUT-d 172.16.100.67-p tcp-m state-- state ESTABLISHED-j ACCEPT
~] # iptables-An INPUT-d 172.16.100.67-p tcp-- dport 21-m state-- state NEW-j ACCEPT
(3) release data connection
~] iptables-An INPUT-d 172.16.100.67-p tcp-m state-- state RELATED-j ACCEPT
Process action (target)
-j targetname [per-target-options]
Targetname:
ACCEPT: accept
DROP: discard
REJECT: reject
Save and reload rules:
Iptables-save > / PATH/TO/SOME_RULE_FILE
Iptables-restore < / PATH/FROM/SOME_RULE_FILE
CentOS 6:
Save the rule:
Service iptables save
Automatically save rules to / etc/sysconfig/iptables file
Overload rules:
Server iptables restore
Reload rules from the / etc/sysconfig/iptables file
Rule optimization:
(1) all inbound and outbound connections with a status of ESTABLISHED can be safely released
(2) for the rules that serve the same kind of function, the matching conditions should be strictly placed in front and loosely placed behind.
(3) for rules that serve different types of functions, matching messages are more likely to be expanded in front and less in the back.
(4) set the default policy
(a) Last rule setting
(B) default policy settings
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.