General understanding of iptables

2025-02-23 Update. From: SLTechnology News&Howtos, Network Security

Shulou (Shulou.com) 06/01 Report

A node on a TCP/IP network exposes its services through sockets; a socket session is identified by an IP address and a port on each side. A host firewall runs on the host itself: packets come in through the network card and travel through the kernel's TCP/IP stack, and the firewall places checkpoints (hooks) at fixed points in that stack and applies its check rules there.

A network firewall sits at the edge of the network, in front of the hosts it protects.

Firewall: a component that runs on a host or at the network edge, checks incoming and outgoing packets against defined rules, and applies the action attached to the first rule that matches.

A network-layer (packet-filtering) firewall inspects the frame header, the IP header and the TCP/UDP header; it does not look at the application data.

netfilter is the set of checkpoints built into the kernel's TCP/IP stack; iptables is the user-space tool used to add rules to those checkpoints.

Tables, in priority order from high to low, with the checkpoints (chains) at which each may work:

raw: used to exempt packets from connection tracking (NOTRACK), the mechanism the nat table depends on. Chains: PREROUTING, OUTPUT.

mangle: modifies fields of the IP/TCP header (TTL, TOS, marks). Chains: all five.

nat: address translation. Chains: PREROUTING, OUTPUT, POSTROUTING.

filter: packet filtering. Chains: INPUT, FORWARD, OUTPUT.

INPUT: the checkpoint packets pass through before being delivered to a local process. Each checkpoint is also called a chain.

FORWARD: the checkpoint for packets that this host routes on to another host.

OUTPUT: the checkpoint for packets generated by local processes.

PREROUTING: the checkpoint packets reach right after entering the network card, before the routing decision is made.

POSTROUTING: the checkpoint after the routing decision has chosen the outgoing card, just before the packet leaves.

Packet flow for traffic to and from a local process: inbound PREROUTING, then INPUT; outbound OUTPUT, then POSTROUTING.

Packet flow for traffic forwarded by this host: PREROUTING, FORWARD, POSTROUTING.

Work out the packet's direction, and therefore its source IP and destination IP, before choosing the chain to put a rule in.

iptables: a user-space tool that writes rules and hands them to netfilter; a rule takes effect as soon as it is added.

Basic syntax

iptables [-t TABLE] -A CHAIN matching-conditions -j TARGET

The default table is filter.

COMMAND: the available commands fall into two groups:

1. Commands on the rules of a chain: -A: append a rule at the end of the chain

-I: insert a new rule (at position 1 by default, or at a given rule number)

-D: delete a rule (by rule number, or by repeating its exact match)

-R: replace a rule

-L: list rules. -L -n: show addresses and ports numerically, without DNS or service-name lookups. -L -v: verbose format. --line-numbers: show the rule numbers. -x: show exact counter values instead of rounded K/M/G units.

2. Commands on a chain: -F: flush all rules from a chain

-N: create a custom chain; it has no hook of its own and is only reached when a built-in chain jumps to it with -j

-X: delete a custom chain (it must be empty and no longer referenced)

-Z: zero the packet and byte counters

-P: set the default policy of a built-in chain; for the filter table this is ACCEPT or DROP

-E: rename a custom chain


Matching conditions: generic matches

-s address: source IP address or network to match; prefix with ! to negate.

-d address: destination IP address or network

-p protocol: the protocol of the packet, usually tcp, udp or icmp

-i interface: the card the packet arrived on; only usable on the inbound half of the path: PREROUTING, INPUT, FORWARD. (Lower case; upper-case -I is the insert command.)

-o interface: the card the packet will leave through; only usable on the outbound half: FORWARD, OUTPUT, POSTROUTING.

Extended matches are implemented by netfilter modules and loaded with -m.

Implicit extension: when one of -p {tcp | udp | icmp} is given, the matching module is loaded automatically and its options can be used directly.

-p tcp, for TCP packets: --sport source port, --dport destination port (a single port or a range first:last)

--tcp-flags LIST1 LIST2: examine the flags in LIST1 and require exactly those in LIST2 to be set. ALL means every flag, NONE means no flag set.

--tcp-flags SYN,ACK,RST,FIN SYN matches the first packet of the TCP handshake: SYN set, ACK, RST and FIN clear.

--syn is shorthand for the same check (--tcp-flags SYN,RST,ACK,FIN SYN) and also matches the first handshake.

-p icmp, mostly used to control ping: --icmp-type 8 is echo-request, --icmp-type 0 is echo-reply.

Explicit extension: the module must be named with -m before its options can be used.

-m module_name (the module must exist both in iptables user space and in the kernel's netfilter)

1) multiport: match several discontiguous or contiguous ports in one rule; at most 15 ports (a range first:last counts as two)

--sports port[,port:port]: source ports

--dports: destination ports

--ports: match when either the source or the destination port is in the list

iptables -I INPUT -s 192.168.0.0/16 -d 192.168.147.128 -p tcp -m multiport --dports 22,80 -j ACCEPT

This is a host firewall rule, added on the target host, that lets specific addresses reach the host's ssh and http services. No table is given, so it goes into the filter table. On the INPUT chain, TCP packets from the 192.168.0.0/16 network to 192.168.147.128 are accepted when the multiport module finds their destination port in the list 22,80.

2) iprange: match addresses in an arbitrary contiguous range rather than a whole network.

[!] --src-range IP-IP

[!] --dst-range IP-IP

3) string: match a string in the application-layer payload. Search algorithms: kmp or bm.

--algo {kmp | bm} (required)

--string "text"

--hex-string: the pattern given in hexadecimal, e.g. |48 54 54 50|

4) state: connection-state check; requires connection tracking, which costs memory and CPU and may not suit servers under very high concurrency.

--state STATE[,STATE...]

States in connection tracking:

NEW: first packet of a new session

ESTABLISHED: a connection that has already seen traffic in both directions

RELATED: a new connection associated with an existing one (an FTP data connection, or an ICMP error about a tracked connection)

INVALID: a packet that cannot be associated with any known connection

Maximum number of connections the tracking table can hold:

/proc/sys/net/nf_conntrack_max

All connections currently tracked:

/proc/net/nf_conntrack

Per-protocol and per-state tracking parameters (timeouts and so on):

the /proc/sys/net/netfilter directory

Allowing an FTP service in passive mode

1. Load the helper module, installed under /lib/modules/KERNEL_VERSION/kernel/net/netfilter/

Module: nf_conntrack_ftp

Load it with modprobe nf_conntrack_ftp

2. Allow the request packets

a. allow NEW packets to port 21 (the control connection)

b. allow all ESTABLISHED and RELATED packets; in passive mode the client opens the data connection to a port the server announces on the control channel, and the helper marks that connection RELATED, so no further port needs to be opened

3. Allow the response packets

Allow all ESTABLISHED and RELATED packets (the same rule as 2b, on the OUTPUT chain if its policy is not ACCEPT).

limit: rate limiting

--limit n[/second | /minute | /hour | /day]: the average rate allowed

--limit-burst n: the maximum number of packets that may be matched in a burst before the average rate applies

time: time-based access control

--datestart

--datestop

--timestart

--timestop

--weekdays

connlimit: connection limit; caps the number of concurrent connections per source IP

--connlimit-above N: match when the count exceeds N

Targets (-j):

Built-in targets:

DROP: discard silently

REJECT: discard and send an error back (an ICMP unreachable by default, or a TCP reset with --reject-with tcp-reset)

ACCEPT: let the packet through

Writing a rule: first decide the function (table), then the packet direction (chain), then the action to take (target), then the matching conditions.

Direction: 1. Traffic to a local process: PREROUTING, INPUT

2. Traffic leaving a local process: OUTPUT, POSTROUTING

3. Traffic forwarded by this host: PREROUTING, FORWARD, POSTROUTING

4. Responses to forwarded traffic take the same path in the opposite direction: PREROUTING, FORWARD, POSTROUTING

iptables checks the syntax of a rule and it takes effect in netfilter immediately.

Remember: when working over the network, allow your own session (ESTABLISHED traffic, or your source address) before setting a DROP policy, or you will lock yourself out.

Rules are not persistent across reboots; keep them in a rule file or a script. On RHEL/CentOS the rule file is /etc/sysconfig/iptables

Save rules: iptables-save > /etc/sysconfig/iptables

or: service iptables save

Load rules: iptables-restore < /etc/sysconfig/iptables

or: service iptables restart

Set the default policy

iptables -P CHAIN TARGET

Replace a rule

iptables -R OUTPUT 1 ... : the number is the rule's position in that chain of that table; it is followed by the complete new rule

Optimising rules: keep the number of rules small; put rules that match the most traffic near the top; group rules that serve the same function together, with the stricter match ahead of the more general one.

Custom chains make rules easier to manage:

iptables -t filter -N http_in

Delete an empty custom chain

iptables -X http_in

Rename a custom chain

iptables -E oldname newname
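The pieces above (the multiport rule, the state rules, the passive-FTP steps, limit, connlimit and time, a custom chain, and the save/restore workflow) put together as one complete host firewall. This is an added example, not the article's own script: the addresses 192.168.0.0/16 and 192.168.147.128 are the ones from the article's multiport example, and everything else (the http_in chain contents, the rate limits, the connection cap) is an assumption to adjust for your host. The rule set is emitted in iptables-restore format so it can be reviewed before it is loaded atomically.

```shell
#!/bin/sh
# Added example, not from the original article. Emits a complete host
# firewall in iptables-restore format; APPLY=1 loads it (root required).
TRUSTED_NET="${TRUSTED_NET:-192.168.0.0/16}"       # from the article's example
HOST_IP="${HOST_IP:-192.168.147.128}"              # from the article's example
RULE_FILE="${RULE_FILE:-/etc/sysconfig/iptables}"  # RHEL/CentOS rule file

gen_host_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper explicitly: since kernel 4.7 helpers are no longer
# assigned automatically (net.netfilter.nf_conntrack_helper defaults to 0).
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:http_in - [0:0]
# Highest-volume, cheapest matches first: loopback and already-tracked sessions.
# ESTABLISHED,RELATED also covers the passive-FTP data connection and the
# replies to this host's own outbound traffic, so a remote admin stays connected.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# A NEW TCP session must begin with a bare SYN (first handshake).
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# connlimit must come before the ACCEPT below or it is never evaluated.
-A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
# ssh and the FTP control channel, from the trusted network only (one multiport rule).
-A INPUT -s $TRUSTED_NET -d $HOST_IP -p tcp -m multiport --dports 21,22 -m state --state NEW -j ACCEPT
# http is handled in a custom chain so its rules can be managed separately.
-A INPUT -d $HOST_IP -p tcp --dport 80 -m state --state NEW -j http_in
# Answer ping (type 8 = echo-request) at a bounded rate; the excess is dropped.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 10 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j DROP
# Custom chain: web access only in business hours (times are UTC unless --kerneltz).
# RETURN hands anything else back to INPUT, where the DROP policy applies.
-A http_in -s $TRUSTED_NET -m time --timestart 08:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
-A http_in -j RETURN
COMMIT
EOF
}

check_host_rules() {
    # Parse and build the rule set without committing it (needs root).
    gen_host_rules | iptables-restore --test
}

apply_host_rules() {
    modprobe nf_conntrack_ftp          # helper that tracks PASV data connections
    gen_host_rules | iptables-restore  # atomic: either every rule loads or none does
    iptables-save > "$RULE_FILE"       # persist; the iptables service reloads it at boot
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_host_rules
else
    gen_host_rules   # dry run: print the rule file for review
fi
```

Run it once without APPLY to read the generated file, then with APPLY=1 from a console you cannot lose (or with a scheduled `iptables-restore` of the previous rules as a safety net). Note that on Debian-based systems the equivalent rule file is /etc/iptables/rules.v4, and that the `-m state` match is an alias for `-m conntrack --ctstate` on current iptables.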

Address translation. SNAT: source address translation

--to-source ADDRESS

MASQUERADE: like SNAT, but takes the translated address from the outgoing interface automatically (for dynamic external addresses)

DNAT: destination address translation

--to-destination ADDRESS[:PORT]

PNAT: port translation (SNAT or DNAT with a port given)

Full NAT: both source and destination translated

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 172.16.100.7

Packets from 192.168.1.0/24 leave with their source address rewritten to 172.16.100.7, the gateway's own external address, so replies come back to the gateway and are translated in reverse by connection tracking.
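The SNAT rule above extended to a working gateway: SNAT (or MASQUERADE) for the LAN in POSTROUTING, a DNAT port forward in PREROUTING, and the matching FORWARD rules that the filter table needs because forwarded traffic never passes INPUT or OUTPUT. This is an added example, not part of the article; 192.168.1.0/24 and 172.16.100.7 come from the article's rule, while the interface names eth0/eth1 and the internal web server 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Emits a NAT gateway rule set
# in iptables-restore format; APPLY=1 loads it and enables forwarding (root).
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # from the article's SNAT rule
WAN_IP="${WAN_IP:-172.16.100.7}"            # from the article's SNAT rule
LAN_IF="${LAN_IF:-eth1}"                    # assumed inside interface
WAN_IF="${WAN_IF:-eth0}"                    # assumed outside interface
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"    # assumed internal web server

gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT lives in PREROUTING: the new destination must be known before routing.
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# SNAT lives in POSTROUTING: routing has already chosen the outgoing interface.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
# With a dynamic external address use MASQUERADE instead of the line above:
# -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forwarded traffic is filtered here, in FORWARD, not in INPUT or OUTPUT.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
# FORWARD sees the packet after DNAT, so match the translated destination.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # routing between interfaces is off by default
    gen_nat_rules | iptables-restore
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_nat_rules
else
    gen_nat_rules   # dry run: print the rule file for review
fi
```

Check the result with `iptables -t nat -L -n -v` and `cat /proc/net/nf_conntrack`: each forwarded session appears with its original and its translated addresses, which is how the reverse translation of replies is done without any extra rule.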
