Shulou(Shulou.com)06/01 Report--

1. Basic concepts of iptables packet filtering firewall

The firewall works on the host or the edge of the network, and you can match the matched messages according to our pre-defined rules and take corresponding processing actions for the matched messages.

Iptables/netfilter:

In fact, the iptables firewall includes two parts: netfilter and iptables. Netfilter is the firewall framework in the kernel, and iptables is the command program in user space. All these two add up to make a complete iptables.

Four tables:

Raw: turns off NAT's connection tracking mechanism to prevent memory overflow from the server under highly concurrent access, which is implemented by PREROUTTING OUTPUT

Mangle: the data of the matched message can be disassembled and re-encapsulated. It is implemented by five chains.

Nat: network address translation, nat table can be implemented by PREROUTING FORWARD POSTROUTING

Filter: implement packet filtering, which can be implemented by INPUT FORWARD OUTPUT

Five chains:

PREROUTING: apply the rules in this chain before routing packets

INPUT: apply the rules in this chain when you receive a packet (inbound) that accesses the local address of the firewall

FORWARD: apply the rules in this chain when you receive a packet that needs to be forwarded to another address through the firewall (forwarding)

OUTPUT: apply the rules in this chain when the firewall sends outbound packets this week

POSTROUTING: when the packet is routed now, apply the rules in this chain

Rule: try to match the message according to the matching condition of the rule, and deal with the successful message according to the processing action defined by the rule.

Matching criteria:

Basic matching condition: netfilter's own matching mechanism

Extended matching criteria: a matching mechanism introduced by the extension module

II. Introduction of basic commands for iptables

Command format: iptables [- t table] SUBCOMMAND chain [matches...] [target]

1. Command operations of management classes:

Chain management:

-N: add a new custom chain (custom takes effect only when it is called by rules on the built-in chain,-j custom chain name)

-X: delete custom empty chains (empty chains with a reference count of 0)

-P: the default policy for setting the chain

-E: rename a custom unreferenced chain (reference count is 0)

-F: clear

Rule management

-A: append. Default is the last.

-I: insert, default to the first

-D: delete the specified rule

-R: replace the modification, replacing the specified chain rule with the new rule

-Z: reset the packets and bytes calculators to 0

View:

-L: list rules

-n: displays addresses and ports in numeric form

-v: displays detailed information

-x: displays the exact value of the counter instead of the result of unit conversion

-- line-numbers: displays the rule number on the chain

Example:

Iptables-I 2 INPUT-s 192.168.1.1-d 192.168.1.2-j DROP # # insert this rule into the second iptables-vnL # # of the input chain display details iptables-vnL-- line-number## display chain rule number iptables-F # # clear rule iptables-F INPUT # # clear all rule iptables-D INPUT 1 # on the specified INPUT chain delete the rule number on the INPUT chain The first rule iptables-R INPUT 2-s 192.168.22.2-d 192.168.1.1-j ACCEPT # # replace the second rule of INPUT chain iptables-P INPUT DROP # # set the default rule of INPUT chain to reject iptables-P OUTPUT DROP # # set the default rule of OUTPUT chain to reject iptables-P FORWARD DROP # set the default rule of FORWARD chain to reject

2. Match condition rule command:

Basic matching: netfilter's own matching mechanism

[!]-s,-- source address [/ mask] [,...]: original address match

[!]-d,-- destination address [/ mask] [,...]: destination address match

[!]-I,-- in-interface name: the API that restricts the inflow of messages. It can only be used for PREROUTING,INPUT and FORWARD.

[!]-o,-- out-interface name: an API that limits the outflow of messages. It can only be used for OUTPUT,FORWARD and POSTROUTING.

[!]-p {tcp | udp | icmp}: restriction protocol

Example: deny the 192.168.1.0 network segment access to the native 192.168.1.1

Iptables-An INPUT-s 192.168.0 iptables 24-d 192.168.1.1-j REJECTiptables-An OUTPUT-s 192.168.1.1-d 192.168.1.1-d 192.168.0 DORP 24-j REJECTiptables-An INPUT-s 172.16.100.67-d 172.16.0.0 eth0-j DORP

Expansion matching: the expansion module needs to be loaded

Implicit extension: you can load the corresponding module without using the-m option; only if you use the-p option to match which protocol

Display extension: the corresponding module must be loaded specifically by the-m option

[implicit expansion]

[!]-p protocol: tcp, udp, icmp, icmpv6, esp, ah, sctp, mh or "all"

-p tcp:

[!]-- source-port,--sport port [: port]: matches the source port of the tcp header in the message; it can be a port range

[!]-- destination-port,--dport port [: port]: the destination port of the tcp header in the match message; it can be a port range.

[!]-- tcp-flags mask comp: (where flags includes: syn,fin,ack,rst syn)

Mask: a comma-separated list of flag bits to check

Comp: the flag bit must be 1, and the rest appears in the mask list

-p udp:

[!]-- source-port,--sport port [: port]: matches the source port of the udp header in the message; it can be a port range

[!]-- destination-port,--dport port [: port]: the destination port of the udp header in the match message; it can be a port range.

-p icmp:

[!]-- icmp-type {type [/ code] | typename}

0/0:echo reply response

8/0:echo request request

Example:

Allow the 192.168.1.0 network segment to access the ssh service of the native 192.168.1.1, and deny all the rest

Iptables-An INPUT-s 192.168.1.0 OUTPUT 24-d 192.168.1.1-p tcp-- dport 22-j ACCEPT iptables-An OUTPUT-d 192.168.1.0 sport 24-s 192.168.1.1-p tcp-sport 22-j ACCEPT iptables-P INPUT DORP iptables-P OUTPUT DORP iptables-P FORWARD DORP### only allow 172.16.100.67 host ping anyone iptables-An INPUT-s 0max 0-d 172.16.100.67 -p icmp--icmp-type 0-j ACCEPTiptables-An OUPUT-d 0go 0-s 172.16.100.67-p icmp--icmp-type 8-j ACCEPT# allows native 172.16.100.1 ping owner At the same time, all owners are allowed to ping native iptables-An INPUT-s 0ACCEPTiptables 0-d 172.16.100.1-p icmp--icmp-type 0-j ACCEPTiptables-An OUTPUT-d 0-s 172.16.100.1-p icmp--icmp-type 8-j ACCEPTiptables-An INPUT-s 0-d 172.16.100.1-p icmp--icmp-type 8-j ACCEPTiptables-An OUTPUT-d 0max 0-s 172.16.100.1-p imcp-icmp-type 0-j ACCEPT

[explicit extension]: need to use the-m option

Multiport: multi-port matching

[!]-- source-ports,--sports port [, port |, port:port] Specify multiple original ports

[!]-- destination-ports,--dports port [, port |, port:port] Specify multiple destination ports

[!]-- ports port [, port |, port:port] Specify multiple ports, unlimited source and destination ports

Example: developing native ssh Telnet and web services

Iptables-I INPUT-s 0 multiport 0-d 172.18.100.6-p tcp-m multiport-- dports 22 Magi 23 80-j ACCEPT (discrete type designation) iptables-I OUTPUT-d 0 multiport 0-s 172.18.100.6-p tcp-m multiport-- sports tcp 2223 ACCEPT 80-j ACCEPT (continuous and discrete assignments)

Iprange: indicates a contiguous range of ip addresses as a source or destination address match

[!]-- src-range from [- to]: source address range

[!]-- dst-range from [- to]: destination address range

Example: allow hosts in the range of 172.16.100.1 to 172.16.100.20 to access mysql service

Iptables-An INPUT-s 0OUTPUT 0-d 172.16.1.1-p tcp-- dport 3306-m iprange-- src-range 172.16.100.1-172.16.100.20-j ACCEPTiptables-An OUTPUT-d 0Uniplex 0-s 172.16.1.1-P tcp-- sport 3306-m iprange-- dst-range 172.16.100.1-172.16.100.20-j ACCEPT

String: do string matching detection for application layer data in the message

-- algo {bm | kmp}

[!]-- string pattern: given the string pattern to check

[!]-- hex-string pattern: given the string pattern to check; hexadecimal encoding

Example: anyone accessing the 172.18.100.6web service contains an admin rejection in the content character

Iptables-I OUTPUT-s 172.18.100.6-d 0 tcp-- sport 80-m string-- algo bm-- string "admin"-j REJECT

Time: match the time / date of receipt of the message with the specified time / date range

-- datestart YYYY [- MM [- DD [Thh [: mm [: ss]: start date time

-- datestop YYYY [- MM [- DD [Thh [: mm [: ss]: end date time

-- timestart hh:mm [: ss]: start time

-- timestop hh:mm [: ss]: end time

[!]-- monthdays day [, day...]: which days of the month match

[!]-- weekdays day [, day...]: which days of the week match

Example: allow hosts within 172.16.100.1-172.16.100.100 from 9am to 16:00 from Monday to Friday to Telnet172.16.100.6

Iptables-R INPUT 4-d 172.16.100.6-p tcp-- dport 23-m iprange-- src-range 172.16.100.1-172.16.100.100-m time-- timestart 09:00:00-- timestop 16:00:00-- weekdays 1Jing 2Jing 4jJJI ACCEPT

Connlimit: limit the number of concurrent connections per client host, that is, the maximum number of connections that can be initiated simultaneously per client

-- connlimit-upto n: match if the number of connections is less than or equal to n

-- connlimit-above n: match if the number of connections is greater than n

Iptables-An INPUT-s 0Bank 0-d 172.18.100.6-p tcp-- dport 23-m connlimit--connlimit-upto 2-j ACCEPT # # can connect up to 2

Limit: match the rate of sending and receiving messages based on token bucket algorithm

-- limit second [/ second | / minute | / hour | / day]

-- maximum rate of limit-burst number

Iptables-R INPUT 3-d 172.18.100.6-p icmp--icmp-type 8-m limit--limit 20/minute-- limit-burst 3-j ACCEPT

State: a subset of the connection tracking mechanism, which is used to trace the status of a message. This module needs to be loaded before use: modprobe nf_conntrack.

[!]-state state

INVALID: unrecognized connection

ESTABLISHED: there is a record connection in the connection tracking template

NEW: connection requests that are not stored in the connection tracking template

RELATED: associated connection

UNTRACKED: untracked connections

Connections that have been tracked and recorded: / proc/net/nf_conntrack

The maximum number of connections that can be recorded by the connection tracking function (adjustable): / proc/sys/net/nf_conntrack_max

Example:

Iptables-An INPUT-d 172.16.100.67-m state-- state ESTABLISHED-j ACCEPT iptables-An OUTPUT-s 172.16.100.67-m state-- state ESTABLISHED-j ACCEP

REDORECT: Port redirection is port mapping

-- to-ports port [- port]

Example: map port 80 of 172.16.100.67 to 8080

Iptables-t nat-A PREROUTING-d 172.16.100.67-p tcp-- dport 80-j REDIRECT-- to-ports 8080

SNAT: used in nat tables, only available using POSTROUTING INPUT chains

-- to-source [ipaddr [- ipaddr]]

Example: use the address 192.168.1.0 of the intranet to communicate with the external address using a unified address

Iptables-t nat-A POSTROUTING-s 192.168.1.0 Universe 24-j SNAT-- to-source 172.16.100.6

DNAT: used in nat tables, only available using PREROUTING OUTPUT chains

-- to-destination [ipaddr [- ipaddr]] [: port [- port]]

Example: publish the service using a unified address for the total address of the local network

Iptables-t nat-A PREROUTING-s 192.168.1.1 pick 24-j DNAT-- to-destination 172.16.100.1

Save the rule:

Iptables-save > / PATH/TO/SOME_RULE_FILE

Iptables-S > / PATH/TO/SOME_RULE_FILE

Reload stored rules:

Iptables-restore < / PATH/FROM/SOME_RULE_FILE

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.