

Firewall explains in detail

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Detailed explanation of firewall

I. Brief introduction of firewall

A firewall is a protective barrier of software and/or hardware placed at the boundary between an internal network and an external one, or between a private network and a public one. It establishes a security gateway between the Internet and the intranet and so protects the intranet from unauthorised users. A firewall typically consists of service access rules, authentication tools, packet filtering and application gateways. It sits between a host and the network it is connected to, and all traffic flowing into or out of that host passes through it.

In networking, a "firewall" is a method of separating an internal network from a publicly accessible one such as the Internet; it is essentially an isolation technique. A firewall is an access control measure applied where two networks communicate: it lets in the people and data you approve of and keeps out those you do not, limiting as far as possible what outsiders can reach on your network. Put differently, nothing inside the company can talk to the Internet, and nothing on the Internet can talk to the inside, without passing through the firewall.

II. Classification of firewalls

1. By form, firewalls can be divided into hardware firewalls and software firewalls.

(1) hardware firewall

Hardware firewalls include Cisco (PIX, later ASA), Tianrongxin (Topsec NetGuard), H3C (SecPath), Digital China and Ruijie products, all of which work at the network layer, as well as Sangfor firewalls, which can also work at the application layer.

(2) Software firewall

Software firewalls run on the host itself, for example Microsoft ISA Server (Internet Security and Acceleration Server) on Windows and iptables on Linux.

2. By the layer at which they work, firewalls can be divided into network layer firewalls and application layer firewalls.

(1) Network layer firewall

A network layer firewall can be regarded as an IP packet filter operating low in the TCP/IP protocol stack. It lets through only packets that meet specific rules and blocks everything else. Because it inspects headers rather than payloads, it does not stop malware carried inside permitted traffic. The rules can usually be defined or modified by an administrator, although some devices only apply built-in rules.

(2) Application layer firewall

An application layer firewall operates at the application layer of the TCP/IP stack, where the traffic generated by a web browser or an FTP client lives. It can intercept all packets entering and leaving an application and block everything else (usually by discarding the packets). In principle, such a firewall can completely block unwanted external traffic from reaching the protected machine.

III. Introduction of the main modules of iptables

The descriptions below come from the info and help files of the netfilter patch-o-matic extensions (hence "# cat string/info" and so on). Several of these matches were later merged into the mainline kernel, sometimes with changed option names, and others were replaced by different modules.

1. string (string matching, usable for content filtering)

# cat string/info

iptables -I FORWARD -m string --algo bm --string "Tencent" -j DROP

iptables -I FORWARD -s 192.168.3.159 -m string --algo bm --string "qq.com" -j DROP

iptables -I FORWARD -d 192.168.3.0/24 -m string --algo bm --string "Broadband Cinema" -j DROP

iptables -I FORWARD -d 192.168.3.0/24 -m string --algo bm --string "* *" -j DROP

iptables -I FORWARD -d 192.168.3.0/24 -p tcp --sport 80 -m string --algo bm --string "advertisement" -j DROP

How you combine these depends on your own needs. Current iptables versions require the search algorithm to be named with --algo bm or --algo kmp, and the match is case-sensitive unless --icase is given.
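The following Python model is an added example, not code from the original article or from the netfilter project. It illustrates one property of the string match that the rules above rely on: each packet payload is searched on its own, so a pattern that straddles two TCP segments (or sits inside an encrypted payload) is never found, even though the reassembled stream contains it. The HTTP segments are constructed sample data, and the model assumes nothing about the kernel beyond that per-packet behaviour and the case sensitivity that --icase turns off.

```python
"""Model of the iptables 'string' match on constructed HTTP segments.

Added example, not from the original article. It models one property of
xt_string: each packet payload is searched independently, so a pattern that
straddles two TCP segments (or sits inside an encrypted payload) is never
matched, even though the reassembled stream contains it.
"""


def string_match(payload: bytes, pattern: str, icase: bool = False) -> bool:
    """'-m string --algo bm --string PATTERN [--icase]' applied to one packet payload."""
    needle = pattern.encode()
    if icase:
        return needle.lower() in payload.lower()
    return needle in payload


def match_stream(segments, pattern, icase=False):
    """Per-segment verdicts of the string match, plus the result on the reassembled stream.

    The first element is what iptables sees; the second is what a
    stream-reassembling proxy or IDS would see on the same traffic.
    """
    per_packet = [string_match(seg, pattern, icase) for seg in segments]
    reassembled = string_match(b"".join(segments), pattern, icase)
    return per_packet, reassembled


# Constructed: one HTTP request split so that "qq.com" straddles the segment boundary.
SEGMENTS = [
    b"GET / HTTP/1.1\r\nHost: www.qq",
    b".com\r\nUser-Agent: TencentTraveler\r\n\r\n",
]

if __name__ == "__main__":
    for pattern in ("qq.com", "Tencent", "tencent"):
        per_packet, whole = match_stream(SEGMENTS, pattern)
        print(f"{pattern!r}: per packet {per_packet}, reassembled {whole}")
```

The "qq.com" rule from the article therefore matches neither segment of this request, while a proxy that reassembles the stream would see it; content filtering with -m string is best-effort and only works on cleartext traffic.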

2. comment (rule comments of up to 256 characters)

Supported options:

--comment COMMENT

This option adds CONFIG_IP_NF_MATCH_COMMENT, a match module that lets you attach a comment of up to 256 characters to any rule, for example:

Example:

-A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"

Translator: this is how I tested this comment match:

iptables -I FORWARD -s 192.168.3.159 -p tcp --dport 80 -m comment --comment "the bad guy can not online" -j DROP

iptables -I FORWARD -s 192.168.3.159 -m string --algo bm --string "qq.com" -m comment --comment "denny go to qq.com" -j DROP

This way, when you run iptables -L, the comment is shown after each rule (as /* ... */), which makes the rule set easier to read and understand.

The comment match is included in mainline 2.6.x kernels.

3. connlimit (limit the number of simultaneous connections)

# cat connlimit/info

This iptables match lets you limit the number of concurrent TCP connections per client IP address, that is, the number of simultaneous connections a client may hold to a server. The upstream examples below omit the chain; -A INPUT is supplied here so they can be run as written.

Examples:

# allow 2 telnet connections per client host

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the number of parallel http requests to 16 per class C sized network (24 bit netmask)

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

connlimit options:

--connlimit-above n: match if the number of existing connections from the same (masked) source, the current one included, is above n.

--connlimit-mask n: group source addresses by this prefix length. The default is --connlimit-mask 32, i.e. per IP address.

On a gateway this mainly limits how many connections each intranet user can open through the firewall; on a server it limits the number of connections each client IP may initiate, which is the more practical use.

For example, to forward at most 5 simultaneous connections to port 80 per IP and discard the rest:

iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP

For example, to forward at most 10 simultaneous connections to port 80 per class C network:

iptables -I FORWARD -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j DROP

For example, to blunt a connection-flooding DoS, allow each host in 192.168.1.0/24 at most 15 connections, drop further SYNs, and let packets of already established connections through:

/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP

/sbin/iptables -A INPUT -s 192.168.1.0/24 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
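To make the effect of --connlimit-above and --connlimit-mask concrete, here is an added Python model that is not part of the original article or of netfilter. It assumes only the documented semantics: the match counts the connections already open from the same masked source address, the new SYN included, and matches when that count is above the limit; it does not model the kernel's hash tables or how closed connections are aged out. The SYN sequence is constructed sample data.

```python
"""Model of the iptables connlimit match on a constructed sequence of SYNs.

Added example, not from the original article. It models the documented
semantics only: the match counts the connections already open from the same
masked source address, the new SYN included, and matches when that count is
above --connlimit-above. It does not model the kernel's hash tables or the
way closed connections are aged out.
"""
import ipaddress


def connlimit_above(open_conns, src, above, mask=32):
    """True when a SYN from `src` would make its /mask group exceed `above` connections."""
    group = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    count = 1 + sum(1 for ip in open_conns if ipaddress.ip_address(ip) in group)
    return count > above


def run_syns(syns, above, mask=32):
    """Apply '-p tcp --syn -m connlimit --connlimit-above ABOVE [--connlimit-mask MASK] -j DROP'.

    Accepted SYNs become open connections that count against later ones.
    Returns one verdict per SYN.
    """
    open_conns = []
    verdicts = []
    for src in syns:
        if connlimit_above(open_conns, src, above, mask):
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
            open_conns.append(src)
    return verdicts


# Constructed: three SYNs from one host, then two from a neighbour in the same /24.
SYNS = ["192.168.3.159", "192.168.3.159", "192.168.3.159",
        "192.168.3.160", "192.168.3.160"]

if __name__ == "__main__":
    print("per IP,  above 2:", run_syns(SYNS, above=2))
    print("per /24, above 2:", run_syns(SYNS, above=2, mask=24))
```

With the default mask the neighbour gets its own allowance of two; with --connlimit-mask 24 the whole /24 shares it, so the neighbour is refused even though it has no connections of its own. That is the trade-off to keep in mind when many clients sit behind one NAT address: a per-IP limit then throttles all of them together.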

4. time (time matching)

Supported options:

--timestart hh:mm
Match only if the time of day is at or after this value (default 00:00).

--timestop hh:mm
Match only if the time of day is at or before this value (default 23:59).

--days Mon,Tue,Wed,Thu,Fri,Sat,Sun
Match only if today is one of the given days (default: every day).

--datestart YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
Match only if it is on or after `date' (inclusive; hh, mm and ss start from 0; default 1970).

--datestop YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
Match only if it is on or before `date' (inclusive; same format; default 2037).

Example:

-A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri

Matches packets whose arrival timestamp is between 8:00 and 18:00, Monday to Friday.

-A OUTPUT -m time --timestart 8:00 --timestop 18:00 --days Mon --datestop 2010

Matches locally generated packets whose departure timestamp is between 8:00 and 18:00 on Mondays only, up to and including the year 2010.

NOTE: the time match does not track changes in daylight saving time. The mainline xt_time module that replaced this patch uses --weekdays instead of --days, takes --datestart and --datestop in the form YYYY[-MM[-DD[Thh[:mm[:ss]]]]], and evaluates times in UTC unless --kerneltz is given, so check which module your kernel has before copying these rules.

5. iprange (IP range matching)

This patch makes it possible to match source and destination IP addresses against inclusive IP address ranges, which is useful when the range is not a clean CIDR block.

Examples:

iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT

This example lets packets with a source address in 192.168.1.5-192.168.1.124 pass.

iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT

This example lets packets with a destination address in 10.0.0.0-10.255.255.255 pass.

6. geoip (match by geographical location)

This patch makes it possible to match a packet by its source or destination country.

GeoIP options:

--src-cc, --source-country country[,country...]

Match packets coming from (one of) the specified countries.

--dst-cc, --destination-country country[,country...]

Match packets going to (one of) the specified countries.

Both options can be inverted with ! to match packets that do not come from, or do not go to, the listed countries.

NOTE: countries are given by their ISO 3166 code.

The only extra files you need are a binary database (geoipdb.bin) and its index file (geoipdb.idx). Both are generated from a countries-and-subnets database with the csv2bin tool, available at www.cookinglinux.org/geoip/, and both MUST be placed in /var/geoip/ because the shared library looks for that fixed pathname (e.g. /var/geoip/geoipdb.bin). The current descendant of this match, xt_geoip in xtables-addons, uses its own database format and location, so follow its documentation rather than these paths. Remember also that a country match is only as accurate as the address database behind it, and that it says nothing about traffic relayed through VPNs or proxies.

7. nth (match every Nth packet)

# cat nth/info

Title: iptables nth match

Author: Fabrice MARIE

Status: Works

Repository: base

# cat nth/help

This option adds an iptables `nth' match, which allows you to match every Nth packet encountered. By default there are 16 different counters that can be used.

This match functions in one of two ways:

1) Match every Nth packet, and only the Nth packet.

Example:

iptables -t mangle -A PREROUTING -m nth --every 10 -j DROP

This rule drops every 10th packet.

2) A unique rule for every packet. This is an easy and quick way to produce load balancing for both inbound and outbound traffic.

Example:

iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5

iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6

iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7

This example splits connections evenly between the three SNAT addresses, because all three rules share counter 7 and exactly one of them matches each packet.

By using the mangle table together with iproute2, you can set up complex load-balanced routing. There are many other uses; be creative!

Supported options are:

--every Nth
Match every Nth packet.

--counter num
Use counter 0-15 (default: 0).

--start num
Initialize the counter at 'num' instead of 0. Must be between 0 and Nth-1.

--packet num
Match on the 'num'th packet. Must be between 0 and Nth-1. If --packet is used with a counter, there must be Nth --packet rules for that counter, covering all values between 0 and Nth-1 inclusive.

The nth match never left patch-o-matic. In mainline kernels the equivalent is -m statistic --mode nth --every N --packet P, but that module keeps a separate counter per rule rather than a counter shared between rules, so the three-rule example above cannot be translated one to one.
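The difference between a counter shared by several rules and a counter per rule is easy to get wrong, so here is an added Python model that is not part of the original article or of netfilter. It models documented behaviour rather than kernel code: the patch-o-matic nth match increments one counter for every packet and lets the rule whose --packet equals that counter fire, while the mainline -m statistic --mode nth match gives each rule its own counter that advances only when a packet reaches that rule. The three SNAT addresses are the article's; the rule tuples and packet counts are constructed.

```python
"""Model of round-robin SNAT with 'nth'-style matches.

Added example, not from the original article. It models documented behaviour
rather than kernel code: the patch-o-matic 'nth' match keeps one counter per
--counter id, shared by every rule that names it, whereas the mainline
replacement, '-m statistic --mode nth --every N --packet P', keeps a counter
per rule that advances only when a packet actually reaches that rule.
"""
from collections import Counter

SNAT_ADDRS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]  # the article's three SNAT targets


def dispatch_shared_counter(n_packets, every=3):
    """Old 'nth': rules --packet 0..every-1 on one shared counter; exactly one fires per packet."""
    counter = 0
    chosen = []
    for _ in range(n_packets):
        chosen.append(SNAT_ADDRS[counter])   # the rule whose --packet equals the counter matches
        counter = (counter + 1) % every
    return chosen


def dispatch_per_rule_counters(n_packets, rules):
    """'statistic --mode nth': rules are (every, packet, target); every=None is unconditional.

    A rule matches the packets at positions packet, packet+every, ... among the
    packets that reach it, and SNAT is terminating, so later rules only see the
    leftovers. None in the result means no rule matched and the packet left the
    chain un-SNATed.
    """
    counters = [0] * len(rules)
    chosen = []
    for _ in range(n_packets):
        target = None
        for i, (every, packet, tgt) in enumerate(rules):
            if every is None:
                target = tgt
                break
            matched = counters[i] == packet
            counters[i] = (counters[i] + 1) % every
            if matched:
                target = tgt
                break
        chosen.append(target)
    return chosen


# Translating the article's three rules one to one onto statistic is the common mistake.
NAIVE_STATISTIC_RULES = [(3, 0, "10.0.0.5"), (3, 1, "10.0.0.6"), (3, 2, "10.0.0.7")]
# Correct statistic pattern: 1/3 of everything, then 1/2 of the rest, then all of the rest.
EVEN_STATISTIC_RULES = [(3, 0, "10.0.0.5"), (2, 0, "10.0.0.6"), (None, None, "10.0.0.7")]

if __name__ == "__main__":
    print("nth, shared counter:", dict(Counter(dispatch_shared_counter(12))))
    print("statistic, naive   :", dict(Counter(dispatch_per_rule_counters(12, NAIVE_STATISTIC_RULES))))
    print("statistic, even    :", dict(Counter(dispatch_per_rule_counters(12, EVEN_STATISTIC_RULES))))
```

Over twelve packets the shared counter gives 4/4/4. The naive statistic translation gives 4/3/1 and leaves four packets matching no rule at all, so they leave POSTROUTING with their original source address; the every-3, every-2, catch-all pattern restores the even 4/4/4 split.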

8. ipp2p (peer-to-peer traffic matching)

# cat ipp2p/info

Title: Detects some P2P packets

Author: Eicke Friedrich

Status: Stable

Repository: extra

Recompile: netfilter, iptables

# cat ipp2p/help

This option makes it possible to match some P2P packets and therefore helps control such traffic. Dropping all matches blocks P2P networks. Combined with conntrack, CONNMARK and a packet scheduler, it can be used for accounting or shaping of P2P traffic.

Examples:

iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP

iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP

iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP

The above examples block a good deal of P2P software, such as BitTorrent clients (--bit). Note that ipp2p recognises protocol signatures in cleartext payloads, so encrypted or obfuscated P2P traffic evades it.

For more parameters, see ipp2p/iptables/extensions/libipt_ipp2p.man or http://www.ipp2p.org.

9. quota (quota matching)

# cat quota/info

Title: iptables quota match

Author: Sam Johnston

Status: worksforme

Repository: base

# cat quota/help

This option adds CONFIG_IP_NF_MATCH_QUOTA, which implements network quotas by decrementing a per-rule byte counter with each packet; the rule matches as long as the counter still covers the packet.

Supported options are:

--quota BYTES

The quota in bytes.

iptables -I FORWARD -s 192.168.3.159 -p tcp --dport 80 -m quota --quota 500 -j DROP

In the above example the quota match keeps matching, and so the rule keeps dropping, while the byte counter still covers each packet: traffic from 192.168.3.159 to port 80 is dropped for roughly its first 500 bytes and then passes once the quota is used up, so the web page eventually opens. The more common arrangement is the reverse, -m quota --quota BYTES -j ACCEPT followed by a DROP rule, which lets a host through until its allowance is spent. The counter is not reset automatically; deleting and re-adding the rule resets it.

KNOWN BUGS: this does not work on SMP (symmetric multiprocessing) systems. This applied to the original patch; the mainline xt_quota module that replaced it does not have this restriction.
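The following Python model is an added example, not code from the original article or from netfilter. It assumes only the documented semantics of the quota match: a rule's byte counter is decremented by each packet that fits into what is left, the match is true for exactly those packets, and a packet larger than the remainder does not match and empties the counter. It runs the article's rule and the usual accept-then-drop pattern over constructed packet sizes to show the difference.

```python
"""Model of the iptables quota match on constructed packet sizes.

Added example, not from the original article. It models the documented
semantics of xt_quota: a rule's byte counter is decremented by each packet
that fits into what is left, and the match is true for exactly those packets;
a packet larger than the remainder does not match and empties the counter.
"""


class QuotaMatch:
    """State behind '-m quota --quota BYTES' for one rule."""

    def __init__(self, quota_bytes):
        self.remaining = quota_bytes

    def match(self, pkt_len):
        if self.remaining >= pkt_len:
            self.remaining -= pkt_len
            return True
        self.remaining = 0      # an oversized packet exhausts the quota without matching
        return False


def run_chain(rules, packet_lens, policy="ACCEPT"):
    """Evaluate a chain of (match, target) rules; match=None is an unconditional rule.

    Targets are terminating (DROP/ACCEPT); a packet matching no rule gets the
    chain policy. Returns one verdict per packet.
    """
    verdicts = []
    for length in packet_lens:
        verdict = policy
        for match, target in rules:
            if match is None or match.match(length):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


# Constructed: four TCP segments to port 80 from the host the article limits.
PACKET_LENS = [200, 200, 200, 60]


def article_rule(quota=500):
    """The article's rule: drop while the quota lasts, then let everything through."""
    return run_chain([(QuotaMatch(quota), "DROP")], PACKET_LENS)


def allowance_rules(quota=500):
    """The usual pattern: accept until the allowance is spent, then drop."""
    return run_chain([(QuotaMatch(quota), "ACCEPT"), (None, "DROP")], PACKET_LENS)


if __name__ == "__main__":
    print("article rule   :", article_rule())
    print("allowance rules:", allowance_rules())
```

Note that only 400 of the 500 bytes are actually consumed: the third 200-byte segment does not fit into the remaining 100 bytes, so it falls through without matching and the counter is zeroed, which is why a quota rarely cuts off at exactly the configured byte.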

10. state module

-m state --state NEW,ESTABLISHED,RELATED

The state match classifies each packet by its connection-tracking state: NEW (the first packet of a connection), ESTABLISHED (belongs to a connection that has seen traffic in both directions), RELATED (starts a new connection that is tied to an existing one, such as an FTP data channel or an ICMP error) and INVALID (cannot be associated with any known connection). The usual pattern is to accept ESTABLISHED,RELATED early in a chain and then decide only about NEW packets, as in the connlimit example above. Current iptables also offers the more capable -m conntrack --ctstate, which accepts the same state names and more.
