2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
A brief overview of firewalls:
iptables/netfilter is a packet-filtering firewall that works mainly at the network layer. Packets entering or leaving the host (or the network) are checked against predefined inspection rules, and a packet that matches a rule is handled by the action that rule defines.
Types of firewalls: software firewall, hardware firewall
iptables/netfilter components:
iptables: the user-space tool ("userspace") used to define packet-filtering and NAT rules.
netfilter: the kernel part ("kernelspace"); it consists of the packet-filtering tables that hold the rule sets the kernel uses to control packet filtering.
Rules, tables and chains: four tables and five chains.
netfilter provides five built-in hook functions, each corresponding to one of the five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.
Built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
PREROUTING: processes packets before the routing decision
INPUT: processes packets destined for the local machine
FORWARD: processes packets forwarded through the local machine
OUTPUT: processes packets generated by the local machine
POSTROUTING: processes packets after the routing decision
Tables and their functions: filter, nat, mangle, raw
filter: the main filtering table; usable on the chains INPUT, FORWARD, OUTPUT
nat: network address translation, used to modify the source IP, destination IP or port; chains PREROUTING, OUTPUT, POSTROUTING
mangle: marks packets, disassembles messages, modifies them and re-encapsulates them; chains PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: switches off the connection tracking that the nat table relies on, for the packets it matches; chains PREROUTING, OUTPUT
(The figure of the tables and chains is not reproduced here.)
Order in which the tables are consulted on a chain: raw -> mangle -> nat -> filter
Packet flow:
Inbound to the local machine: PREROUTING -> INPUT
Outbound from the local machine: OUTPUT -> POSTROUTING
Forwarded: PREROUTING -> FORWARD -> POSTROUTING
3. Packet flow through the local machine's iptables chains (the figure is not reproduced here):
4. iptables rule syntax and command options
Rule: the packet is checked against the rule's matching conditions; once a match succeeds, the packet is handled by the action the rule defines.
Matching conditions: basic matching conditions, extended matching conditions
Processing actions: basic actions, extended actions, user-defined chains
Format: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j target [per-target-options]
Table selection: -t raw|mangle|nat|filter. The default table is filter, so -t may be omitted.
Chain management:
-N, --new-chain chain: create a new user-defined chain with the given name
-X, --delete-chain [chain]: delete the specified user-defined chain
-P, --policy chain target: set the default policy of a built-in chain; for filter, ACCEPT or DROP
-E, --rename-chain old-chain new-chain: rename a user-defined chain
Rule management:
-A, --append chain rule-specification: append a rule to the end of the chain
-I, --insert chain [rulenum] rule-specification: insert a rule at the given position; if the position is omitted it becomes the first rule
-D, --delete chain rulenum | rule-specification: delete a rule, either by its number or by restating the rule itself
-R, --replace chain rulenum rule-specification: replace the rule at the given position on the chain
-F, --flush [chain]: delete all rules on the chain (all chains if none is given)
-Z, --zero [chain [rulenum]]: reset the counters; every rule has two counters, the number of matched packets and the total size of the matched packets
-S, --list-rules [chain]: print the rules on the chain in iptables-save format
Viewing:
-L, --list [chain]: list all rules on the specified chain
-n, --numeric: show ports and addresses numerically instead of resolving them to names
-v, --verbose: verbose output
-x, --exact: display the exact counter values
--line-numbers: display the rule numbers; commonly combined as -nvL --line-numbers
Basic matching conditions: need no extension module; they are provided by iptables/netfilter itself
[!] -s, --source address[/mask][,...]: match the source address ip/mask; with [!], everything except this address
[!] -d, --destination address[/mask][,...]: match the destination address ip/mask; with [!], everything except this address
[!] -i, --in-interface name: the interface the packet arrived on; applies only to inbound traffic, i.e. the PREROUTING, INPUT and FORWARD chains
[!] -o, --out-interface name: the interface the packet leaves on; applies only to outbound traffic, i.e. the FORWARD, OUTPUT and POSTROUTING chains
[!] -p, --protocol protocol: match the protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh, or the special keyword "all"
-j target: the name of the processing action (target)
Processing actions (targets):
ACCEPT: allow the packet through
LOG: log the packet, then continue matching the next rule
REJECT: refuse the packet and, if requested, send an error response back
DROP: discard the packet silently, with no response
RETURN: return from the user-defined chain to the calling chain
MARK: set a firewall mark on the packet without making any access-control decision
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: address masquerading
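The command options, basic matches and targets above are the building blocks of a stateful default-deny host firewall. The script below is an added example (not code from the original article): it builds such a policy in the order a practitioner applies it, routing every call through an ipt() wrapper that records the command line and executes it only when DRY_RUN is unset, so the rule order can be reviewed before touching a live host. The management network 192.168.0.0/24 and the services (ssh, http) are assumed placeholders.

```shell
#!/bin/sh
# Added example: default-deny host firewall built from the commands described above.
# Assumptions: MGMT_NET is the only network allowed to reach ssh; http is public.
MGMT_NET=${MGMT_NET:-192.168.0.0/24}
DRY_RUN=${DRY_RUN:-1}      # 1 = only record the commands; 0 = really run iptables
NL='
'
PLAN=""                     # recorded command lines, one per line

# Wrapper: record the command, and execute it only when DRY_RUN is not 1.
ipt() {
    PLAN="${PLAN}iptables $*${NL}"
    [ "$DRY_RUN" = 1 ] || iptables "$@"
}

# Builds the INPUT policy and prints the recorded command plan.
build_host_firewall() {
    PLAN=""
    # 1. Start from a clean filter table: flush rules, delete user chains, zero counters.
    ipt -F; ipt -X; ipt -Z
    # 2. Loopback and packets belonging to connections conntrack already knows.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # 3. New connections: ssh only from the management network, http from anywhere.
    #    --syn restricts the rule to the first packet of the handshake.
    ipt -A INPUT -s "$MGMT_NET" -p tcp --dport 22 --syn -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 --syn -j ACCEPT
    # 4. Echo requests, rate limited so a ping flood cannot fill the logs or CPU.
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    # 5. LOG does not end rule traversal, so the explicit REJECT must follow it.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: "
    ipt -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # 6. Default policies go last: setting INPUT to DROP before the ACCEPT rules exist
    #    would cut off a remote administration session.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    printf '%s' "$PLAN"
}

# Stand-alone run: print the plan (DRY_RUN=0 applies it, which requires root).
build_host_firewall
```

Run it as is to review the plan; DRY_RUN=0 ./firewall.sh applies it. The ESTABLISHED,RELATED rule sits near the top deliberately: it is matched by the bulk of traffic, and it is what keeps the administrator's own session alive once the DROP policy is set.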
Extended matching conditions: an extension module must be loaded for them to take effect.
Implicit extensions: the module does not have to be named with -m, but the protocol must be given with -p
-p, --protocol protocol
tcp (equivalent to "-m tcp"), and likewise udp:
[!] --source-port, --sport port[:port]: match the source port of the packet; a contiguous port range may be given
[!] --destination-port, --dport port[:port]: match the destination port of the packet; a contiguous port range may be given
icmp:
[!] --icmp-type {type[/code] | typename}
echo-request: 8/0
echo-reply: 0/0
Usage: the type may be given on its own. Allow 192.168.0.0/24 to send echo requests to 192.168.1.11:
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.1.11 -p icmp --icmp-type 8 -j ACCEPT
[!] --tcp-flags mask comp
mask is the comma-separated list of flags to examine; comp is the comma-separated list of those flags that must be set, such as SYN
For example, "--tcp-flags SYN,ACK,FIN,RST SYN" examines the four flag bits SYN, ACK, FIN and RST,
of which SYN must be 1 and the other three must be 0
[!] --syn: matches the first packet of the three-way handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN"
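The mask/comp semantics of --tcp-flags are easy to get backwards, so here is an added example (not from the original article) that evaluates them offline, without iptables: the kernel matches when (packet flags AND mask) equals comp, which the functions below reproduce with a bitmask per flag. It also generalises to the ALL and NONE keywords and shows why a SYN+ACK does not match --syn while SYN+PSH does. The sample packets are constructed.

```shell
#!/bin/sh
# Added example: offline evaluation of iptables --tcp-flags MASK COMP.
# Bit values are the example's own encoding (any distinct bits would do).

# flag_bits LIST -> prints the bitmask of a comma-separated flag list.
flag_bits() {
    bits=0
    oldifs=$IFS; IFS=,
    for f in $1; do
        case $f in
            FIN) bits=$((bits | 1)) ;;
            SYN) bits=$((bits | 2)) ;;
            RST) bits=$((bits | 4)) ;;
            PSH) bits=$((bits | 8)) ;;
            ACK) bits=$((bits | 16)) ;;
            URG) bits=$((bits | 32)) ;;
            ALL) bits=63 ;;          # all six flags
            NONE|"") ;;              # no flags
            *) IFS=$oldifs; echo "unknown flag: $f" >&2; return 1 ;;
        esac
    done
    IFS=$oldifs
    echo "$bits"
}

# tcp_flags_match MASK COMP PKTFLAGS -> 0 when the rule would match the packet.
# Only the flags named in MASK are examined; of those, exactly the ones in COMP
# must be set. Flags outside MASK are ignored.
tcp_flags_match() {
    m=$(flag_bits "$1") || return 2
    c=$(flag_bits "$2") || return 2
    p=$(flag_bits "$3") || return 2
    [ $(( p & m )) -eq "$c" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
is_syn() { tcp_flags_match SYN,RST,ACK,FIN SYN "$1"; }

# Demonstration over constructed packets.
for pkt in SYN SYN,ACK SYN,PSH ACK FIN,PSH,URG NONE; do
    if is_syn "$pkt"; then verdict=match; else verdict=no-match; fi
    echo "--syn on packet [$pkt]: $verdict"
done
if tcp_flags_match ALL NONE NONE; then echo "null scan matched by --tcp-flags ALL NONE"; fi
```

Two consequences worth noting: a rule written as "--tcp-flags ALL SYN" is stricter than --syn (it also rejects a SYN carrying PSH or URG), and "--tcp-flags ALL NONE" matches packets with no flags at all, which is why it appears in rules that drop malformed segments.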
Explicit extensions: the extension module must be named: [-m matchname [per-match-options]]
1) multiport: match a discrete set of ports; at most 15 ports may be given
[!] --source-ports, --sports port[,port|,port:port]...: match multiple source ports; port:port denotes a contiguous range
[!] --destination-ports, --dports port[,port|,port:port]...: match multiple destination ports
[!] --ports port[,port|,port:port]...: match either the source or the destination port
Eg: allow hosts in the 172.16.0.0/16 network to reach ports 22 and 80 of the host 192.168.1.10
iptables -A INPUT -s 172.16.0.0/16 -d 192.168.1.10 -p tcp -m multiport --dports 22,80 -j ACCEPT
2) iprange: match an arbitrary contiguous range of IP addresses
[!] --src-range from[-to]: match a source IP within the given range
[!] --dst-range from[-to]: match a destination IP within the given range
Eg: allow 192.168.1.80 through 192.168.1.100 to reach port 80 of the server 192.168.1.10
iptables -A INPUT -d 192.168.1.10 -p tcp --dport 80 -m iprange --src-range 192.168.1.80-192.168.1.100 -j ACCEPT
3) string: requires --algo
Pattern-matches the application-layer data in the packet; typically applied to response traffic on the OUTPUT chain
--algo {bm|kmp}: choose the pattern-matching algorithm (bm = Boyer-Moore, kmp = Knuth-Morris-Pratt)
[!] --string pattern: match the given string pattern
[!] --hex-string pattern: match the given pattern written in hexadecimal notation
Eg: iptables -A OUTPUT -s 192.168.1.101 -d 192.168.0.0/24 -p tcp --sport 80 -m string --algo bm --string "bad" -j REJECT
4) time: match the packet's arrival time against the given time range; UTC is used by default
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --monthdays day[,day...]
[!] --weekdays day[,day...]: Mon, Tue, Wed, Thu, Fri, Sat, Sun, or the values 1 to 7
Eg: iptables -A INPUT -s 192.168.0.0/24 -d 192.168.1.100 -p tcp --dport 80 -m time --timestart 08:00 --timestop 17:00 --weekdays 1,2,3,4,5 -j ACCEPT
5) connlimit: match on the number of concurrent connections per client IP
Allows restricting the number of parallel connections to a server per client IP address (or client address block).
--connlimit-upto n: match when the number of existing connections is less than or equal to n
--connlimit-above n: match when the number of existing connections is greater than n
Eg: iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m connlimit --connlimit-above 2 -j REJECT
or: iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m connlimit --connlimit-upto 2 -j ACCEPT
6) limit: matches at a limited rate using a token-bucket filter
--limit rate[/second|/minute|/hour|/day]: the average matching rate
--limit-burst number: the burst size, i.e. how many packets may match before the rate limit takes effect
Eg: iptables -I INPUT -d 172.16.100.67 -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
7) state
The "state" extension is a subset of the "conntrack" module; "state" gives access to the connection-tracking state of the packet.
The state is determined by the connection-tracking mechanism, which keeps its entries in an in-memory table called the connection-tracking table (conntrack table).
[!] --state state
Conntrack mechanism: tracks the relationship between requests and responses on the local machine. The states are:
NEW: the packet has started a new connection, or is otherwise associated with a connection that has not yet seen packets in both directions
(a new request, for which no connection data has been seen yet)
ESTABLISHED: the state that follows NEW, lasting from the first reply until the entry created for the connection in the conntrack table expires
RELATED: the packet is starting a new connection, but is associated with an existing connection,
such as the relationship between the data connection and the command connection in the FTP protocol
INVALID: the packet cannot be associated with any known connection
UNTRACKED: the packet is not tracked; the raw table can exempt traffic from connection tracking
Eg: for local ports 22 and 80, admit only new requests and established connections
iptables -A INPUT -d 192.168.1.100 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.100 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
5. SNAT and DNAT
SNAT: on POSTROUTING (or OUTPUT); modifies the source address of the IP packet
Used when hosts on the local network access the external network through one particular address; this address masquerading also relieves the shortage of public IP addresses.
Request: initiated by a private-network host; its source IP is rewritten to the address the administrator defines.
Response: its destination IP is rewritten back automatically by nat, based on the connection-tracking entry in the session table.
Targets of the nat table:
SNAT
--to-source [ipaddr[-ipaddr]][:port[-port]]
--random
DNAT: on PREROUTING; modifies the destination address of the IP packet
Used when a service on a host in the local network is opened to users on the external network
Request: initiated by the public-network host; its destination address is rewritten to the address the administrator defines
Response: its source address is rewritten back automatically by nat, based on the connection-tracking entry in the session table.
DNAT
--to-destination [ipaddr[-ipaddr]][:port[-port]]
The SNAT setup is shown in the figure (not reproduced here):
iptables -t nat -A POSTROUTING -s 10.0.1.10 -j SNAT --to-source 192.168.1.10
DNAT: iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.10
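The two nat rules above are only part of a working gateway: forwarding must be switched on in the kernel, and the FORWARD chain of the filter table still decides whether translated packets may cross. The script below is an added example (not code from the original article) that puts the pieces together, again recording commands through a dry-run wrapper. The interface names (eth0/eth1), the WAN address 192.168.1.10, the LAN 10.0.1.0/24 and the web server 10.0.1.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example: NAT gateway = ip_forward + SNAT/DNAT in the nat table + FORWARD rules.
# Assumed placeholders: interfaces and addresses below.
WAN_IF=${WAN_IF:-eth0};  LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-192.168.1.10}; LAN_NET=${LAN_NET:-10.0.1.0/24}
WEB_SERVER=${WEB_SERVER:-10.0.1.10}
DRY_RUN=${DRY_RUN:-1}      # 1 = record only; 0 = execute (requires root)
NL='
'
PLAN=""

ipt() {
    PLAN="${PLAN}iptables $*${NL}"
    [ "$DRY_RUN" = 1 ] || iptables "$@"
}

build_nat_gateway() {
    PLAN=""
    # Forwarding is off by default; without it packets for other hosts are dropped
    # before any FORWARD or POSTROUTING rule is consulted.
    PLAN="${PLAN}sysctl -w net.ipv4.ip_forward=1${NL}"
    [ "$DRY_RUN" = 1 ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ipt -t nat -F; ipt -F FORWARD; ipt -P FORWARD DROP
    # SNAT: rewrite the source of LAN traffic leaving on the WAN side. Replies are
    # un-translated automatically from the conntrack entry. With a dynamic WAN
    # address, -j MASQUERADE replaces SNAT --to-source.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # DNAT: publish the internal web server on the WAN address, port 80.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    # FORWARD: nat only rewrites addresses; the filter table still decides whether the
    # packet may cross. PREROUTING runs before FORWARD, so the filter rule for the
    # published service matches the translated destination, not the WAN address.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    printf '%s' "$PLAN"
}

build_nat_gateway
```

Because the FORWARD policy is DROP, only the LAN-to-WAN direction and the single published port are reachable from outside; everything else the DNAT rule could translate is still refused by the filter table, which is the intended layering.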
7. How to open ftp services in passive mode?
6. Lifetime of the rules:
Rules defined with the iptables command live only in the running kernel: they stay in effect until they are deleted manually, and they disappear on shutdown.
Save the rules to a file:
CentOS 6:
~]# service iptables save
saves the rules to the file /etc/sysconfig/iptables
~]# iptables-save > /PATH/TO/SOME_RULES_FILE
CentOS 7:
~]# iptables-save > /PATH/TO/SOME_RULES_FILE
~]# iptables -S > /PATH/TO/SOME_RULES_FILE
Reload the rules from a saved rules file:
~]# iptables-restore < /PATH/FROM/SOME_RULES_FILE
CentOS 6:
~]# service iptables restart reloads the rules from the default file /etc/sysconfig/iptables
Making the rules in a rules file take effect automatically:
(1) Put the iptables commands in a script and have the script run at boot:
add the script path to the /etc/rc.d/rc.local file, e.g.
/PATH/TO/SOME_SCRIPT_FILE
/usr/bin/iptables.sh
(2) Keep the rules in a rules file and load that file at boot:
add to the /etc/rc.d/rc.local file:
iptables-restore < /PATH/FROM/IPTABLES_RULES_FILE
e.g. /etc/sysconfig/iptables.v2
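Reloading a saved file with iptables-restore replaces the live rule set in one step, so a typo in the file can lock an administrator out of a remote host. The script below is an added example (not from the original article) of the save/check/restore cycle: it writes a rule set in the iptables-save format shown above, checks its block structure offline, asks iptables-restore to parse it without committing (the --test option of recent iptables versions, an assumption about the installed version), and then applies it with an automatic rollback unless the change is confirmed within 60 seconds. The file path and the rules in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: persist and safely reload an iptables rule set.
# Assumed placeholder path; /etc/sysconfig/iptables is the CentOS 6 default.
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}
ROLLBACK=/tmp/iptables.rollback.$$
ROLLBACK_PID=/tmp/iptables.rollback.pid

# write_ruleset FILE: emit a rule set in iptables-save format (constructed sample).
# Each table is a block: "*table", ":CHAIN POLICY [pkts:bytes]" lines, rules, "COMMIT".
write_ruleset() {
    cat > "$1" <<'EOF'
# Generated rule set in iptables-save format
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE: 0 if every *table block is closed by COMMIT and no chain or
# rule line appears outside a table block. A structural check only; the kernel-side
# parse is done by iptables-restore --test in apply_ruleset.
check_ruleset() {
    awk '
      /^\*/      { if (open) bad = 1; open = 1; next }
      /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
      /^[-:]/    { if (!open) bad = 1 }
      END        { if (bad || open) exit 1; exit 0 }
    ' "$1"
}

# apply_ruleset FILE: validate, snapshot the live rules, load FILE, and schedule a
# rollback to the snapshot in 60 s unless confirm_ruleset is run first.
apply_ruleset() {
    f=$1
    check_ruleset "$f" || { echo "structural error in $f" >&2; return 1; }
    iptables-restore --test < "$f" || { echo "iptables-restore rejected $f" >&2; return 1; }
    iptables-save > "$ROLLBACK"
    iptables-restore < "$f"
    ( sleep 60; iptables-restore < "$ROLLBACK" ) &
    echo $! > "$ROLLBACK_PID"
    echo "rules applied; run confirm_ruleset within 60s to keep them"
}

# confirm_ruleset: cancel the pending rollback once the session is known to work.
confirm_ruleset() {
    kill "$(cat "$ROLLBACK_PID")" 2>/dev/null && rm -f "$ROLLBACK_PID" "$ROLLBACK"
}

# Stand-alone usage (root): write_ruleset "$RULES_FILE" && apply_ruleset "$RULES_FILE"
```

The structural check matters because iptables-restore processes a file table by table: a block that lacks its COMMIT line, or a rule that precedes any *table line, is refused, and on older versions without --test that refusal only surfaces while the previous rules have already been flushed.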
© 2024 shulou.com SLNews company. All rights reserved.