
Iptables detailed explanation

2025-01-30 Update From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/03 Report--

Introduction to iptables

Netfilter/iptables (abbreviated as iptables) constitutes a packet filtering firewall under the Linux platform. Like most Linux software, this packet filtering firewall is free. It can replace expensive commercial firewall solutions to complete packet filtering, packet redirection and network address translation (NAT) and other functions.

Iptables basics

A rule is a condition predefined by the network administrator, generally of the form "if the packet header matches this condition, handle the packet this way." Rules are stored in the packet filtering table in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables processes it according to the action the rule defines, such as accept, reject or drop. The main job of configuring a firewall is adding, modifying and deleting these rules.

The relationship between iptables and netfilter:

This needs saying first, because the relationship between iptables and netfilter is a frequently confused point. Many people know iptables but not netfilter. In fact, iptables is only the administrative tool for the Linux firewall, located at /sbin/iptables. The real firewall functionality is netfilter, the packet filtering framework inside the Linux kernel.

How a packet travels through iptables

① When a packet enters the network card, it first enters the PREROUTING chain, and the kernel decides whether the packet needs to be forwarded according to its destination IP.

② If the packet is destined for this machine, it moves down the diagram to the INPUT chain. After the packet passes the INPUT chain, the local process it is addressed to receives it. Programs running on this machine send packets that pass through the OUTPUT chain and then leave via the POSTROUTING chain.

③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right of the diagram, through the FORWARD chain, and then leaves via the POSTROUTING chain.

Iptables rule tables and chains:

Tables provide specific functions. iptables has four built-in tables: the filter table, nat table, mangle table and raw table, used respectively for packet filtering, network address translation, packet modification (mangling) and control of connection tracking.

Chains are the path along which packets travel; each chain is really a checklist of rules, and a chain can hold one or more rules. When a packet reaches a chain, iptables starts at the first rule in the chain and checks whether the packet meets the conditions that rule defines. If so, the packet is processed according to the action that rule defines; otherwise iptables moves on to the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the default policy predefined for that chain.

iptables adopts a hierarchical structure of "tables" and "chains". RHEL4 had three tables and five chains. RHEL5 has four tables and five chains, but the extra table is rarely used, so in practice it is much the same as before. Below is a list of these four tables and five chains. Be sure to understand the relationship and function of these tables and chains.

Rule tables:

1. filter table - three chains: INPUT, FORWARD, OUTPUT

Function: packet filtering. Kernel module: iptable_filter

2. nat table - three chains: PREROUTING, POSTROUTING, OUTPUT

Function: network address translation (IP address, port). Kernel module: iptable_nat

3. mangle table - five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

Function: modify the packet's type of service and TTL, and mark packets for policy routing to implement QoS. Kernel module: iptable_mangle (don't let this table worry you; it is hardly ever used when setting policies)

4. raw table - two chains: OUTPUT, PREROUTING

Function: decide whether the packet is processed by the connection-tracking mechanism. Kernel module: iptable_raw

(Not available in RHEL4, but don't worry, it is rarely used.)

Rule chains:

1. INPUT - inbound packets apply the policies in this rule chain

2. OUTPUT - outgoing packets apply the policies in this rule chain

3. FORWARD - the policies in this rule chain apply when forwarding packets

4. PREROUTING - the rules in this chain are applied before a packet is routed

(Remember! All incoming packets are handled by this chain first.)

5. POSTROUTING - the rules in this chain are applied after a packet is routed

(All outgoing packets are handled by this chain last.)

Priority between rule tables (highest first):

raw > mangle > nat > filter

Priority between rule chains (three cases):

The first case: inbound data flow

Packets arriving at the firewall from the outside are first processed by the PREROUTING rule chain (whether to modify the packet address, etc.) and then routed (to determine where the packet should be sent). If the target host of the packet is the firewall machine itself (for example, an Internet user accessing the web server on the firewall host), the kernel passes it to the INPUT chain for processing (to determine whether to let it pass, etc.) and then hands it to the upper-layer application on the system (such as the Apache server) to respond.

The second case: forwarded data flow

A packet arriving at the firewall from the outside is first processed by the PREROUTING rule chain and then routed. If the destination address of the packet is another external address (for example, a LAN user accessing a QQ site through the gateway), the kernel passes it to the FORWARD chain for processing (whether to forward or block it) and then to the POSTROUTING rule chain (whether to change the packet address, etc.).

The third case: outbound data flow

Packets sent by the firewall itself to external addresses (for example, when testing a public DNS server from the firewall host) are first processed by the OUTPUT rule chain, then routed, and then passed to the POSTROUTING rule chain (whether to modify the packet address, etc.).

Manage and set iptables rules

Basic syntax of iptables

iptables [-t table] command-option [chain] [match conditions] [-j target or jump]

Description: the table name and chain name specify which table and chain the iptables command operates on; the command option specifies how the rule is managed (insert, append, delete, list, etc.); the match conditions specify which packets the rule applies to; the target action or jump specifies how a matching packet is handled (allow it through, reject it, discard it, or jump to another chain for processing).

Administrative control options for the iptables command

-A append a new rule to the end of the specified chain

-D delete a rule from the specified chain, selected by rule number or by content

-I insert a new rule into the specified chain, at the first position by default

-R replace a rule in the specified chain, selected by rule number or by content

-L list all rules in the specified chain

-E rename a user-defined chain without changing the chain itself

-F flush (clear) all rules in a chain

-N create a user-defined rule chain (new-chain)

-X delete a user-defined rule chain in the specified table (delete-chain)

-P set the default policy for the specified chain

-Z zero the byte and packet counters in all chains of all tables

-n display output in numeric form (no name resolution)

-v verbose; show detailed rule information

-V show the version

-h show help

Four ways for firewalls to process data packets

ACCEPT allows the packet to pass through

DROP discards the packet silently, sending no response

REJECT refuses the packet and, where appropriate, sends a response message back to the sender

LOG writes log information to /var/log/messages and then passes the packet on to the next rule

Saving and restoring iptables firewall rules

iptables-save writes the rules to a file, which is loaded automatically by the init script (/etc/rc.d/init.d/iptables) in the rc.d directory.

Use the iptables-save command to save the rules. The usual form is

iptables-save > /etc/sysconfig/iptables

which creates the file /etc/sysconfig/iptables holding the rules.

You can also use

service iptables save

which automatically saves the rules to /etc/sysconfig/iptables.

When the computer boots, the script under rc.d feeds that file to the iptables-restore command, which restores the rules automatically.

Delete the first rule of the INPUT chain:

iptables -D INPUT 1
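The file that iptables-save writes and iptables-restore reads has a simple text layout, and writing it by hand makes the rule order explicit instead of depending on -I versus -A at the command line. The following added example (not from the original article) generates policy 15 from the list below in that format, plus a loopback rule assumed here, and checks a ruleset before it is handed to iptables-restore.

```shell
#!/bin/sh
# Emits a ruleset in iptables-restore format (added example, not the
# article's own). ":CHAIN POLICY [packets:bytes]" lines set chain
# policies; -A lines are listed in evaluation order; COMMIT ends a table.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A INPUT -p tcp --dport 20450:20480 -j ACCEPT
COMMIT
EOF
}

# Sanity-checks a ruleset read from stdin before iptables-restore sees it:
# every "*table" block must be closed by COMMIT, and the state rule must
# come before any service (--dport) rule, otherwise replies belonging to
# open connections would only be accepted if a port rule happens to match.
check_ruleset() {
    awk '
      /^\*/            { if (open) bad = 1; open = 1 }
      /^COMMIT$/       { if (!open) bad = 1; open = 0 }
      /^-A INPUT/      { n++; if ($0 ~ /--state ESTABLISHED/) est = n }
      /^-A INPUT .*--dport/ { if (!est) bad = 1 }
      END { exit (bad || open) ? 1 : 0 }'
}
```

On a real host (as root) the two functions chain naturally: gen_ruleset | check_ruleset && gen_ruleset | iptables-restore.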

Policies commonly used in an iptables firewall

1. Deny all ICMP packets sent to the firewall

iptables -I INPUT -p icmp -j REJECT

2. Allow the firewall to forward all packets except ICMP

iptables -A FORWARD ! -p icmp -j ACCEPT

Description: "!" negates a condition.

3. Refuse to forward data from host 192.168.1.10, and allow data from the 192.168.0.0/24 network segment to be forwarded.

iptables -A FORWARD -s 192.168.1.10 -j REJECT

iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

Explanation: be careful to put the REJECT rule first, or it won't take effect.
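The "first match wins, then the chain's default policy" rule explained earlier is what makes ordering matter. The following added example (not from the article) simulates that evaluation for one chain of source-address rules, using constructed rules where a host address sits inside a wider network so the two orderings give different results.

```shell
#!/bin/sh
# First-match simulation of one iptables chain (added example, not the
# article's own). Rules are "CIDR TARGET" lines on stdin, in chain order;
# the first rule whose source prefix contains the packet's source decides,
# and a packet matching no rule gets the chain's default policy.

# Dotted-quad IPv4 -> 32-bit integer, using shell arithmetic only
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside CIDR (a bare IP means /32)
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# evaluate_chain POLICY SRC_IP -> prints the target that wins for SRC_IP
evaluate_chain() {
    policy=$1
    src=$2
    while read -r cidr target; do
        [ -z "$cidr" ] && continue
        if in_cidr "$src" "$cidr"; then
            echo "$target"
            return 0
        fi
    done
    echo "$policy"
}
```

With the host rule first, 192.168.1.10 is rejected; with the /16 accept rule first, the same packet is accepted and the reject rule is never reached.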

4. Discard packets with private source addresses arriving at the firewall from the external network interface (eth2)

iptables -A INPUT -i eth2 -s 192.168.0.0/16 -j DROP

iptables -A INPUT -i eth2 -s 172.16.0.0/12 -j DROP

iptables -A INPUT -i eth2 -s 10.0.0.0/8 -j DROP

5. Block a network segment (192.168.1.0) and unblock it two hours later.

# iptables -I INPUT -s 10.20.30.0/24 -j DROP

# iptables -I FORWARD -s 10.20.30.0/24 -j DROP

# at now + 2 hours

at> iptables -D INPUT 1

at> iptables -D FORWARD 1

at> (press Ctrl-D to submit the job)

Explanation: it would be better to implement this policy with a crond scheduled task.

6. Only allow administrators to log in to the firewall host remotely via SSH from the 202.13.0.0/16 network segment.

iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

Note: this usage suits remote management of devices, for example when an SQL server located at a branch needs to be managed by the head office administrator.

7. Allow access to the application services this host provides on TCP ports 20-1024.

iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

8. Allow forwarding of DNS resolution requests from the 192.168.0.0/24 LAN segment.

iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT

iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT

9. Prevent other hosts from pinging the firewall host, but allow the firewall to ping other hosts

iptables -I INPUT -p icmp --icmp-type echo-request -j DROP

iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

10. Prohibit forwarding packets from the host with MAC address 00:0C:29:27:55:3F

iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3F -j DROP

Description: iptables uses the form "-m module-keyword" to call an explicit (extension) match. Here "-m mac --mac-source" matches the packet's source MAC address.

11. Allow the firewall host itself to open TCP ports 20, 21, 25, 110 and the passive-mode FTP port range 1250-1280

iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT

Description: "-m multiport --dports" specifies several destination ports and port ranges in one rule

12. Prohibit forwarding of TCP packets whose source IP address is in the range 192.168.1.20-192.168.1.99.

iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP

Note: "-m iprange --src-range" specifies a range of source IP addresses.

13. Prohibit forwarding of non-SYN request packets that are not part of a normal TCP connection.

iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

Note: "-m state" matches on the packet's connection state, and "NEW" means the packet belongs to no existing connection.

14. Deny new connections to the firewall, but allow responses to existing connections and packets related to them

iptables -A INPUT -p tcp -m state --state NEW -j DROP

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Note: "ESTABLISHED" means a packet belonging to a connection that has already seen a reply, and "RELATED" means a packet related to an established connection, such as an FTP data connection.

15. Open only the local web service (80) and FTP (20, 21, 20450-20480), allow external hosts to receive reply packets from other ports of the server, and discard all other inbound packets.

iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT

iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT

iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

iptables -P INPUT DROP

16. Internet access only at specified times

iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP

iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT

Note: "Filter" here is a user-defined chain, not one of the built-in chains (which are all uppercase); the "-m time" match restricts a rule to the given time window and weekdays.
