
How to turn on the firewall in Linux (iptables service)

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to turn on the firewall in Linux with the service command. The editor thinks it is very practical, so it is shared here as a reference. I hope you get something out of it.

There are two ways:

I. service mode

View firewall status:

[root@centos6 ~]# service iptables status

iptables: Firewall is not running.

Turn on the firewall:

[root@centos6 ~]# service iptables start

Turn off the firewall:

[root@centos6 ~]# service iptables stop

II. init script mode

Change to the init.d directory first:

[root@centos6 ~]# cd /etc/init.d/

[root@centos6 init.d]#

Then:

View firewall status:

[root@centos6 init.d]# /etc/init.d/iptables status

Temporarily turn off the firewall:

[root@centos6 init.d]# /etc/init.d/iptables stop

Restart iptables:

[root@centos6 init.d]# /etc/init.d/iptables restart

Note: both forms run the same /etc/init.d/iptables script, so they only change the running firewall; whether the service starts at boot is a separate setting managed with chkconfig (for example "chkconfig iptables on").

Let's take a look at the basics of the Linux firewall.

I. Classification of firewalls

(1) Packet filtering firewall

Packet filtering technology selects packets at the network layer according to filtering logic configured in the system, known as an access control list (ACL). It checks the source and destination addresses, port numbers and protocol state of each packet in the data flow, or a combination of these, to decide whether the packet is allowed through.

The advantages of a packet filtering firewall are that it is transparent to users, fast and easy to maintain. The disadvantages are that once illegal access gets past the firewall, it can attack software and configuration vulnerabilities on the host, and that the source address, destination address and port numbers of a packet are all in the packet header and can easily be forged. "IP address spoofing" is a common attack method used against this type of firewall.

(2) Proxy service firewall

A proxy service is also called a circuit-level gateway or TCP tunnel. It is a firewall technology introduced to address the shortcomings of packet filtering and application gateway technology; its characteristic is that every network connection crossing the firewall is split into two segments. When the proxy server receives a user's request to access a site, it checks whether the request conforms to the control rules. If the rules allow it, the proxy server retrieves the required information from that site on the user's behalf and forwards it to the user. Access between internal and external network users is realized through the "link" on the proxy server, which isolates the computer systems inside and outside the firewall.

In addition, the proxy service analyzes and logs the packets passing through it, produces reports, warns the network administrator when there are signs of attack, and keeps attack records to help with evidence collection and network maintenance.

II. How firewalls work

(1) How a packet filtering firewall works

Packet filtering is implemented at the IP layer, so it can be done with just a router. Packet filtering decides whether a packet may pass according to header information such as source IP address, destination IP address, source port, destination port and the direction the packet is travelling, and filters on user-defined content such as IP addresses. The system checks packets at the network layer, independent of the application layer. Packet filters are widely used because the CPU cost of packet filtering is negligible, and this kind of protection is transparent to users: legitimate users entering and leaving the network simply do not notice it. The system therefore has good transmission performance and is easy to scale.

But this kind of firewall is not very secure, because the system has no knowledge of application-layer information: it does not understand the content of the communication and cannot filter at the user level, that is, it cannot identify different users or prevent address theft. If an attacker sets the IP address of his host to that of a legitimate host, he can easily pass the packet filter, which makes it easier to break in. Because of this working mechanism, the packet filtering firewall has the following shortcomings:

1. Communication information: the packet filtering firewall can only see the header information of some packets.

2. Communication and application state information: the packet filtering firewall is stateless, so it cannot keep state information about communications and applications.

3. Information processing: the packet filtering firewall's ability to process information is limited.

(2) How a proxy service firewall works

The proxy service firewall implements the firewall function at the application layer. It can keep partial state about the transport connection as well as application-related state and part of the transmitted data, and it can also process and manage that information.

III. Using iptables to implement a packet filtering firewall

(1) Overview and principle of iptables

iptables is the kernel packet filtering management tool that has been used since kernel 2.4; compared with its predecessors it is easier to understand, easier to use, and more powerful.

iptables is only a tool for managing kernel packet filtering: it can add, insert or delete rules in the kernel's packet filtering tables (chains). What actually implements the filtering is netfilter (a general framework in the Linux kernel) and its related modules (such as the iptables module and the nat module).

netfilter is a general framework in the Linux kernel that provides a series of "tables"; each table consists of several "chains", and each chain can be made up of one or more rules. Think of netfilter as a container for tables, tables as containers for chains, and chains as containers for rules.

The system's default table is "filter", which contains three chains: INPUT, FORWARD and OUTPUT. Each chain can hold one or more rules, and each rule is defined as "if the packet header meets such a condition, process the packet in this way". When a packet reaches a chain, the system starts with the first rule and checks whether the packet meets the rule's conditions; if so, the packet is processed as the rule specifies, and if not, the next rule is checked. Finally, if the packet matches none of the rules in the chain, it is processed according to the chain's predefined default policy.

(2) How iptables passes packets

When a packet enters the system, the system first decides which chain to send it to according to the routing table. There are three possible cases:

1. If the destination address of the packet is local, the system sends the packet to the INPUT chain. If it passes the rule check, the packet is delivered to the corresponding local process; if it fails, the system discards the packet.

2. If the destination address is not local, that is, the packet is to be forwarded, the system sends the packet to the FORWARD chain. If it passes the rule check, the packet is forwarded on toward its destination; if it fails, the system discards the packet.

3. If the packet is generated by a local process, the system sends it to the OUTPUT chain. If it passes the rule check, the packet is sent out on the network; if it fails, the system discards the packet.

Users can define rules for each chain, and when a packet arrives at one of these chains, iptables processes it according to the rules defined in that chain. iptables compares the packet's header information with each rule in the chain in turn to see whether it matches. If the packet matches a rule, iptables applies the action specified by that rule: for example, if a rule says to DROP the packet, it is discarded at that chain; if the rule says ACCEPT, the packet moves on. If the packet does not match the rule, it is compared with the next rule in the chain. If the packet matches none of the rules in the chain, iptables handles it according to the chain's predefined default policy, which ideally tells iptables to DROP the packet.

(3) Advantages of iptables

The biggest advantage of netfilter/iptables is that it can be configured as a stateful firewall, an important capability that earlier tools such as ipfwadm and ipchains could not provide. A stateful firewall can record and remember the state of the connections used to send or receive packets; it obtains this information from the packet's connection tracking state. Using state information makes the firewall's decisions on new packets faster and more efficient. There are four valid states: ESTABLISHED, INVALID, NEW and RELATED.

The ESTABLISHED state means the packet belongs to an established connection that has already been used to send and receive packets and is fully valid. The INVALID state means the packet is not associated with any known flow or connection and may contain incorrect data or headers. The NEW state means the packet has started or is about to start a new connection, or is associated with a connection that has not yet been used to send and receive packets. Finally, RELATED means the packet is starting a new connection that is associated with an existing established connection.

Another important advantage of netfilter/iptables is that it gives users complete control over firewall configuration and packet filtering. You can write your own rules to meet specific needs, so that only the desired network traffic enters the system.

(4) Basic knowledge of iptables

1. Rules (rule)

A rule is a condition predetermined by the network administrator, generally defined as "if the packet header meets such a condition, process the packet in this way". Rules are stored in the packet filtering table in kernel space and specify the source address, destination address, transport protocol (TCP, UDP, ICMP) and service type (such as HTTP, FTP, SMTP). When a packet matches a rule, iptables processes it as the rule specifies, for example ACCEPT, REJECT or DROP. Configuring the firewall mainly consists of adding, modifying and deleting these rules.

2. Chains (chain)

A chain is a path along which packets travel; each chain is really a checklist of rules, and a chain can hold one or more rules. When a packet reaches a chain, iptables starts with the first rule in the chain and checks whether the packet meets the conditions defined by that rule. If so, the packet is processed as that rule specifies; otherwise iptables checks the next rule. If the packet matches none of the rules in the chain, iptables processes it according to the chain's predefined default policy.

3. Tables (table)

Tables provide specific functions. iptables has three built-in tables, filter, nat and mangle, used for packet filtering, network address translation and packet modification respectively.

(1) filter table. The filter table is mainly used to filter packets according to a set of rules predefined by the system administrator. A firewall mainly uses the rules specified in the filter table to filter packets.

The filter table is the default table of iptables: if you do not specify a table, all commands are executed against the filter table. The filter table contains the INPUT chain (processing incoming packets), the FORWARD chain (processing forwarded packets) and the OUTPUT chain (processing locally generated packets). In the filter table packets can only be accepted or discarded; they cannot be changed.

(2) nat table. The nat table is used for network address translation (NAT) and can do one-to-one, one-to-many and many-to-many NAT; iptables uses this table to implement shared Internet access. The nat table contains the PREROUTING chain (modifying incoming packets), the OUTPUT chain (modifying locally generated packets before routing) and the POSTROUTING chain (modifying outgoing packets).

(3) mangle table. The mangle table is mainly used to modify specific packets, since some special applications may need to rewrite transmission characteristics of packets such as the TTL and TOS fields; in practice this table is not used much.

(5) Turning off the system firewall

Because the system's firewall function is itself implemented with iptables, rules that users set in iptables can easily conflict with it, so it is recommended to turn off the system firewall function before learning iptables.

(6) iptables command format

The command format of iptables is complex; the general format is as follows:

# iptables [-t table] <command> <match> <action>

Note: iptables is case-sensitive for all options and parameters!

1. Table option

The table option specifies which built-in table the command applies to. The built-in tables are filter, nat and mangle.

2. Command options

Command options specify what iptables does, such as inserting, deleting or appending rules:

-P or --policy defines the default policy

-L or --list lists the iptables rules

-A or --append adds a rule to the end of the rule list

-I or --insert inserts a rule at the specified position

-D or --delete deletes a rule from the rule list

-R or --replace replaces a rule in the rule list

-F or --flush deletes all rules in the table

-Z or --zero zeroes the packet and byte counters of all chains in the table

3. Match options

Match options specify the characteristics a packet must have to match the rule, including source address, destination address, transport protocol (TCP, UDP, ICMP) and port number (such as 80, 21, 110):

-i or --in-interface specifies the network interface the packet arrives on

-o or --out-interface specifies the network interface the packet leaves by

-p or --protocol specifies the protocol the packet must match, such as TCP or UDP

-s or --source specifies the source address the packet must match

--sport specifies the source port number the packet must match. A range of ports can be given as "start port:end port".

-d or --destination specifies the destination address the packet must match

--dport specifies the destination port number the packet must match. A range of ports can be given as "start port:end port".

4. Action options

The action option specifies what to do with a packet that matches the rule, such as accept or discard.

ACCEPT accepts the packet

DROP discards the packet

REDIRECT redirects the packet to a port on this machine or another host; usually used to implement transparent proxies or to expose some internal services to the outside

SNAT source address translation, that is, changing the source address of the packet

DNAT destination address translation, that is, changing the destination address of the packet

MASQUERADE IP masquerading, often simply called NAT. MASQUERADE is only for masquerading on dial-up links such as ADSL, where the host's IP address is assigned dynamically by the ISP; if the host's IP address is static, use SNAT

LOG logs information about packets that match the rule so that administrators can analyze and troubleshoot

(7) Using the iptables command

1. View iptables rules

A fresh iptables has no rules, but if you chose to install the firewall automatically during installation, the system will contain default rules. Check the default firewall rules first:

# iptables [-t table name] -L [chain name]

[-t table name]: which table's rules to view. The table name can be filter, nat or mangle. If no table name is given, the filter table is used by default.

-L: list the rules of the specified table and chain

[chain name]: which chain of the specified table to view; if no chain is given, the rules of all chains in the table are shown

# iptables -L -n (view the rules of all chains of the filter table)

Note: adding the -n option avoids converting IP addresses to host names, which makes the display much faster.

# iptables -t nat -L OUTPUT (view the rules of the OUTPUT chain of the nat table)

2. Define the default policy

When a packet matches none of the rules in a chain, iptables processes it according to the chain's default policy. The default policy is defined as follows:

# iptables [-t table name] -P chain name action

[-t table name]: which table to operate on. The table name can be filter, nat or mangle. If not specified, the filter table is used by default.

-P: define the default policy

chain name: the chain of the specified table whose default policy is being set

action: what to do with the packet, which can be ACCEPT (accept) or DROP (discard)

# iptables -P INPUT ACCEPT (set the default policy of the filter table's INPUT chain to accept)

# iptables -t nat -P OUTPUT DROP (set the default policy of the nat table's OUTPUT chain to discard)

The simplest example of a rule set: for users with no experience and little time, a simple and practical rule set is needed. The most basic principle is "reject all packets first, then allow the required packets". In practice this means the INPUT chain of the filter table is set to DROP, so that nothing can get in, while the other chains are set to ACCEPT, so that outbound data can still go out:

# iptables -P INPUT DROP

# iptables -P FORWARD ACCEPT

# iptables -P OUTPUT ACCEPT

3. Add, insert, delete and replace rules

# iptables [-t table name] <-A|-I|-D|-R> chain name [rule number] [-i|-o NIC] [-p protocol] [-s source IP|source subnet] [--sport source port] [-d destination IP|destination subnet] [--dport destination port] -j action

[-t table name]: which table to operate on. The table name can be filter, nat or mangle. If not specified, the filter table is used by default.

-A: append a rule; it is added at the end of the rule list. This option does not take a rule number.

-I: insert a rule; the rule currently at that position and those after it move down one place. If no rule number is given, the rule is inserted before the first rule.

-D: delete a rule; you can give the full rule or just the rule number

-R: replace a rule; replacing does not change the order, and the rule number to replace must be given

chain name: the chain of the specified table to operate on; possible values are INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING

[rule number]: used when inserting, deleting and replacing rules. Numbers follow the order of the rule list; the first rule is number 1.

[-i|-o NIC name]: -i is the NIC the packet arrives on, -o is the NIC the packet leaves by

[-p protocol]: the protocol the rule applies to, such as TCP, UDP or ICMP

[-s source IP|source subnet]: the source IP or subnet of the packet

[--sport source port]: the source port number of the packet

[-d destination IP|destination subnet]: the destination IP or subnet of the packet

[--dport destination port]: the destination port number of the packet

-j action: what to do with a matching packet

# iptables -A INPUT -i lo -j ACCEPT (add a rule accepting all packets from the lo interface)

# iptables -A INPUT -s 192.168.0.44 -j ACCEPT (add a rule accepting all packets from 192.168.0.44)

# iptables -A INPUT -s 192.168.0.44 -j DROP (add a rule discarding all packets from 192.168.0.44)

Note: iptables reads rules in order, so if two rules conflict, the first matching rule wins (here the ACCEPT rule, so the DROP rule below it never fires).

# iptables -I INPUT 3 -s 192.168.1.0/24 -j DROP (insert a rule at position 3 of the INPUT chain, before the current third rule, discarding all packets from 192.168.1.0/24)

Note: if -I is given without a position, the rule is inserted at the front of the chain.

# iptables -D INPUT 2 (delete the second rule of the INPUT chain in the filter table)

# iptables -R INPUT 2 -s 192.168.10.0/24 -p tcp --dport 80 -j DROP (replace the second rule of the INPUT chain in the filter table with one that forbids 192.168.10.0/24 from accessing TCP port 80)

4. Clear rules and counters

When creating new rules it is often necessary to clear the existing or old ones so they do not interfere with the new rules. If there are many rules, deleting them one by one is tedious; the clear options delete all rules at once.

# iptables [-t table name] <-F|-Z>

[-t table name]: which table to apply the command to. The table name can be filter, nat or mangle. If not specified, the filter table is used by default.

-F: delete all rules in the specified table

-Z: reset the packet and byte counters of the specified table to zero

# iptables -Z (zero the packet and byte counters of the filter table)

# iptables -F (delete all rules in the filter table)

5. Save and restore firewall rules

The save and restore commands let you copy the existing firewall rule set and load it back when it is needed.

# iptables-save > filename (save the current firewall rules to a file)

# iptables-restore < filename (load the firewall rules from the file into the running system)
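The following script is an added example, not code from the article: it strings together the article's "reject all first, then allow what is needed" default policy (section 2), the -A rules and the first-match ordering note (section 3), the -F/-Z clearing (section 4) and iptables-save/iptables-restore (section 5), and it also uses the connection states from the advantages section through the -m state match. The admin subnet ADMIN_NET and the backup path BACKUP are constructed placeholders; the -m state, -m limit and --line-numbers options are standard iptables features not shown on the page.

```shell
#!/bin/sh
# Added example, not code from the article: builds the article's "reject
# everything first, then allow what is needed" filter ruleset on a CentOS 6
# style iptables host, saving the current rules first so it can be rolled back.
# Assumptions (constructed placeholders, not from the page): ADMIN_NET and
# BACKUP. -m state, -m limit and --line-numbers are standard iptables options.
ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"    # constructed placeholder subnet
BACKUP="${BACKUP:-/root/iptables.backup}"   # constructed placeholder path
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands, do not run
# In dry-run mode print each command instead of executing it, so the
# sequence can be reviewed (or tested) without root or a kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Section 5 of the article: record the running rules before changing them.
backup_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables-save > %s\n' "$BACKUP"
    else
        iptables-save > "$BACKUP"
    fi
}

# Put the saved rules back if the new set locks an administrator out.
rollback_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables-restore < %s\n' "$BACKUP"
    else
        iptables-restore < "$BACKUP"
    fi
}

apply_rules() {
    backup_rules
    # Keep INPUT open while rebuilding so a remote session is not cut off
    # between the flush and the first ACCEPT rule.
    ipt -P INPUT ACCEPT
    ipt -F                      # section 4: clear old rules and counters
    ipt -Z
    # Rules are checked in order and the first match wins, so the broad
    # ACCEPTs go first and the explicit DROP/LOG rules last.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    # LOG (rate limited) whatever the default policy is about to drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    # Default-deny last, once the allows are in place; the other chains stay
    # ACCEPT as in the article's simplest example.
    ipt -P INPUT DROP
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
}

# Section 1: show the result with rule numbers and without DNS lookups.
show_rules() {
    ipt -L INPUT -n -v --line-numbers
}
case "${1:-}" in
    apply)    apply_rules ;;
    rollback) rollback_rules ;;
    show)     show_rules ;;
esac
```

Run it as "DRY_RUN=1 sh firewall.sh apply" to review the exact command sequence before running it for real as root.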

This is the end of the article on "how to turn on the firewall in Linux (iptables service)". I hope the above content is of some help to you and lets you learn more. If you think the article is good, please share it so that more people can see it.
