Shulou (Shulou.com), SLTechnology News&Howtos > Network Security. Report 06/01, updated 2025-04-07.
I. Basic concepts of the iptables packet filtering firewall
A firewall runs on a host or at the edge of a network. It compares every packet against a pre-defined set of rules and applies the action configured for the first rule that matches.
iptables/netfilter:
What is usually called "the iptables firewall" is two pieces: netfilter, the packet-filtering framework inside the kernel, and iptables, the user-space command used to load and manage rules in it. Together they form the complete firewall.
Four tables (consulted in the order raw, mangle, nat, filter):
raw: marks packets that connection tracking should ignore (the NOTRACK/CT target), for example to keep the conntrack table from filling up under very high connection rates. Available in the PREROUTING and OUTPUT chains.
mangle: modifies packet headers (TTL, TOS, marks) of matched packets. Available in all five chains.
nat: network address translation. Available in the PREROUTING, INPUT, OUTPUT and POSTROUTING chains (not FORWARD).
filter: packet filtering, the default table. Available in the INPUT, FORWARD and OUTPUT chains.
Five chains:
PREROUTING: rules here are applied to every packet that arrives on an interface, before the routing decision
INPUT: rules here are applied to inbound packets whose destination is an address of the firewall host itself
FORWARD: rules here are applied to packets that pass through the firewall on their way to another host (routed traffic)
OUTPUT: rules here are applied to packets generated by the firewall host itself
POSTROUTING: rules here are applied after the routing decision, just before a packet leaves an interface
Rule: a set of matching conditions plus an action. Each packet is tested against the conditions, and a packet that matches is handled by the action (target) the rule defines. Rules in a chain are evaluated in order and the first terminating match wins.
Matching criteria:
Basic matches: netfilter's built-in matching mechanism (addresses, interfaces, protocol)
Extended matches: matching mechanisms provided by extension modules
II. Basic iptables commands
Command format: iptables [-t table] SUBCOMMAND chain [matches...] [-j target]
The table defaults to filter when -t is omitted.
1. Management commands:
Chain management:
-N: create a new custom chain (a custom chain only takes effect when a rule on a built-in chain jumps to it with -j CHAIN_NAME)
-X: delete an empty custom chain (no rules and a reference count of 0)
-P: set the default policy of a built-in chain (ACCEPT or DROP)
-E: rename a custom chain (only while its reference count is 0)
-F: flush all rules from a chain, or from every chain of the table if no chain is given
Rule management:
-A: append a rule at the end of the chain
-I: insert a rule, by default at position 1 (the top of the chain)
-D: delete the specified rule, by position number or by specification
-R: replace the rule at the given position with a new rule
-Z: reset the packet and byte counters to 0
View:
-L: list the rules (of the filter table unless -t says otherwise)
-n: show addresses and ports numerically instead of resolving names
-v: show details (counters, interfaces)
-x: show exact counter values instead of K/M/G abbreviations
--line-numbers: show the position of each rule in its chain
Example:
iptables -I INPUT 2 -s 192.168.1.1 -d 192.168.1.2 -j DROP      # insert this rule at position 2 of the INPUT chain
iptables -vnL                                                  # list rules with details
iptables -vnL --line-numbers                                   # list rules with their position numbers
iptables -F                                                    # flush every chain of the filter table
iptables -F INPUT                                              # flush only the INPUT chain
iptables -D INPUT 1                                            # delete rule 1 of the INPUT chain
iptables -R INPUT 2 -s 192.168.22.2 -d 192.168.1.1 -j ACCEPT   # replace rule 2 of the INPUT chain
iptables -P INPUT DROP                                         # set the default policy of INPUT to DROP
iptables -P OUTPUT DROP                                        # set the default policy of OUTPUT to DROP
iptables -P FORWARD DROP                                       # set the default policy of FORWARD to DROP
Note that -F removes the rules but leaves the chain policies in place: flushing a chain whose policy is DROP leaves everything blocked, so set the policies back to ACCEPT first when resetting a firewall remotely.
2. Match conditions:
Basic matches: netfilter's built-in matching mechanism
[!] -s, --source address[/mask][,...]: match the source address
[!] -d, --destination address[/mask][,...]: match the destination address
[!] -i, --in-interface name: match the interface the packet arrived on; usable only in PREROUTING, INPUT and FORWARD
[!] -o, --out-interface name: match the interface the packet will leave by; usable only in OUTPUT, FORWARD and POSTROUTING
[!] -p {tcp|udp|icmp|...}: match the protocol
A leading ! negates the match.
Example: deny the 192.168.1.0/24 segment access to the local host 192.168.1.1
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -j REJECT
iptables -A OUTPUT -s 192.168.1.1 -d 192.168.1.0/24 -j REJECT
iptables -A INPUT -s 172.16.100.67 -d 172.16.0.0/16 -i eth0 -j DROP
REJECT answers the sender with an ICMP error (port unreachable by default); DROP discards the packet silently.
Extension matches: require an extension module to be loaded
Implicit extension: the module is loaded automatically from the -p option, so -m is not needed; which options are available depends on the protocol given to -p
Explicit extension: the module must be named with the -m option
[implicit extensions]
[!] -p protocol: tcp, udp, icmp, icmpv6, esp, ah, sctp, mh or "all"
-p tcp:
[!] --source-port, --sport port[:port]: match the source port of the TCP header; may be a range
[!] --destination-port, --dport port[:port]: match the destination port of the TCP header; may be a range
[!] --tcp-flags mask comp: mask is a comma-separated list of the flags to examine (FIN, SYN, RST, PSH, ACK, URG, or ALL / NONE); comp is the subset of those flags that must be set. Flags listed in mask but not in comp must be clear; flags outside mask are ignored. So --tcp-flags SYN,RST,ACK,FIN SYN matches only a bare SYN, and --syn is a shorthand for exactly that.
-p udp:
[!] --source-port, --sport port[:port]: match the source port of the UDP header; may be a range
[!] --destination-port, --dport port[:port]: match the destination port of the UDP header; may be a range
-p icmp:
[!] --icmp-type {type[/code]|typename}
0/0: echo-reply (ping response)
8/0: echo-request (ping request)
Examples:
Allow the 192.168.1.0/24 segment to reach the SSH service on the local host 192.168.1.1 and deny everything else:
iptables -A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -s 192.168.1.1 -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Allow only the host 172.16.100.67 to ping others (it may send echo requests and receive echo replies; nobody can ping it):
iptables -A INPUT -s 0/0 -d 172.16.100.67 -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -d 0/0 -s 172.16.100.67 -p icmp --icmp-type 8 -j ACCEPT
Allow the local host 172.16.100.1 to ping all hosts and all hosts to ping it:
iptables -A INPUT -s 0/0 -d 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -d 0/0 -s 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -s 0/0 -d 172.16.100.1 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -d 0/0 -s 172.16.100.1 -p icmp --icmp-type 0 -j ACCEPT
With all three policies set to DROP, the host can no longer open connections of its own (DNS, package updates) until matching OUTPUT rules, or a state-based rule, are added; apply such policies from a console rather than over SSH.
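The mask/comp semantics of --tcp-flags are easy to get backwards. The shell functions below are an added illustration, not code from the article: they model the test the kernel performs, (flags set in the packet AND mask) == comp, and show why --tcp-flags SYN,RST,ACK,FIN SYN (the --syn shorthand) matches only a bare SYN while --tcp-flags SYN SYN also matches a SYN+ACK. The flag names are the ones iptables accepts; the bit values are the TCP header bit positions.

```sh
#!/bin/sh
# Model of the iptables --tcp-flags MASK COMP test: a segment matches when
# (flags set in the segment AND MASK) == COMP. Added example, not from the article.

# Bit value of one TCP flag name as accepted by --tcp-flags.
flag_bit() {
  case "$1" in
    FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
    PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
    ALL) echo 63 ;; NONE) echo 0 ;;
    *) echo "unknown TCP flag: $1" >&2; return 1 ;;
  esac
}

# flags_to_mask "SYN,ACK" -> prints the combined bitmask (18 for SYN,ACK)
flags_to_mask() {
  mask=0
  for f in $(printf '%s' "$1" | tr ',' ' '); do
    b=$(flag_bit "$f") || return 1
    mask=$(( mask | b ))
  done
  printf '%s\n' "$mask"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
#   exit 0 if a rule "--tcp-flags MASK COMP" matches a segment whose header
#   has exactly PACKET_FLAGS set, 1 if it does not, 2 for a malformed rule.
tcp_flags_match() {
  m=$(flags_to_mask "$1") || return 2
  c=$(flags_to_mask "$2") || return 2
  p=$(flags_to_mask "$3") || return 2
  # COMP must be a subset of MASK: a flag that is required but never examined
  # can never match, which is almost always an authoring mistake.
  if [ $(( c & m )) -ne "$c" ]; then
    echo "rule error: comp '$2' lists flags not present in mask '$1'" >&2
    return 2
  fi
  [ $(( p & m )) -eq "$c" ]
}

# Print a decision table for a few rules over a few representative segments.
demo() {
  for rule in "SYN,RST,ACK,FIN SYN" "SYN SYN" "ALL NONE"; do
    set -- $rule
    for pkt in SYN SYN,ACK ACK FIN,ACK NONE; do
      if tcp_flags_match "$1" "$2" "$pkt"; then r=match; else r=no; fi
      printf '%-28s segment=%-8s %s\n' "--tcp-flags $1 $2" "$pkt" "$r"
    done
  done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh tcpflags.sh demo` to see the table. The subset check at the end of tcp_flags_match is the one the kernel does not do for you: `--tcp-flags SYN ACK` is accepted by iptables and silently never matches anything.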
[explicit extensions]: require the -m option
multiport: match several ports in one rule
[!] --source-ports, --sports port[,port|,port:port]...: a list of source ports
[!] --destination-ports, --dports port[,port|,port:port]...: a list of destination ports
[!] --ports port[,port|,port:port]...: a list of ports matched as either source or destination
Example: open the SSH, Telnet and web services on the local host
iptables -I INPUT -s 0/0 -d 172.18.100.6 -p tcp -m multiport --dports 22,23,80 -j ACCEPT    # discrete ports
iptables -I OUTPUT -d 0/0 -s 172.18.100.6 -p tcp -m multiport --sports 22:23,80 -j ACCEPT   # a range plus a discrete port
multiport takes at most 15 ports per rule, and a range counts as two.
iprange: match a contiguous range of IP addresses as source or destination
[!] --src-range from[-to]: source address range
[!] --dst-range from[-to]: destination address range
Example: allow the hosts 172.16.100.1 to 172.16.100.20 to reach the MySQL service on 172.16.1.1
iptables -A INPUT -s 0/0 -d 172.16.1.1 -p tcp --dport 3306 -m iprange --src-range 172.16.100.1-172.16.100.20 -j ACCEPT
iptables -A OUTPUT -d 0/0 -s 172.16.1.1 -p tcp --sport 3306 -m iprange --dst-range 172.16.100.1-172.16.100.20 -j ACCEPT
string: search the application-layer payload of a packet for a string
--algo {bm|kmp}: the search algorithm (Boyer-Moore or Knuth-Morris-Pratt); required
[!] --string pattern: the string to look for
[!] --hex-string pattern: the string to look for, given in hexadecimal
Example: reject any response from the web server 172.18.100.6 whose payload contains "admin"
iptables -I OUTPUT -s 172.18.100.6 -d 0/0 -p tcp --sport 80 -m string --algo bm --string "admin" -j REJECT
The match inspects one packet at a time, so a pattern split across two segments, or anything inside TLS, is not seen; treat it as a coarse filter, not a content-inspection control.
time: match on the time or date at which the packet is seen
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: start of the date range
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: end of the date range
--timestart hh:mm[:ss]: start of the daily time window
--timestop hh:mm[:ss]: end of the daily time window
[!] --monthdays day[,day...]: days of the month on which to match
[!] --weekdays day[,day...]: days of the week on which to match (Mon=1 ... Sun=7, or the names)
Times are interpreted in UTC unless --kerneltz is given, so check the host's timezone before relying on a window.
Example: allow the hosts 172.16.100.1 to 172.16.100.100 to telnet to 172.16.100.6 from 09:00 to 16:00, Monday to Friday (this replaces rule 4 of the INPUT chain)
iptables -R INPUT 4 -d 172.16.100.6 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -m time --timestart 09:00:00 --timestop 16:00:00 --weekdays 1,2,3,4,5 -j ACCEPT
connlimit: limit the number of concurrent connections per client address (per single IP by default; --connlimit-mask changes the prefix length that is counted as one client)
--connlimit-upto n: match if the number of existing connections is at most n
--connlimit-above n: match if the number of existing connections is greater than n
Example: allow each client at most 2 concurrent Telnet connections to 172.18.100.6
iptables -A INPUT -s 0/0 -d 172.18.100.6 -p tcp --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT
This relies on the chain policy (or a later rule) dropping the third connection; written the other way round it is --connlimit-above 2 -j REJECT.
limit: match at a bounded rate, implemented as a token bucket
--limit rate[/second|/minute|/hour|/day]: the long-term average rate at which packets may match (default 3/hour)
--limit-burst number: the size of the initial burst, i.e. how many packets may match before the rate applies (default 5)
Example: let 172.18.100.6 accept at most 20 echo requests per minute with a burst of 3 (this replaces rule 3 of the INPUT chain)
iptables -R INPUT 3 -d 172.18.100.6 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
Packets beyond the limit do not match this rule and fall through to the next rule or the chain policy.
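What --limit 20/minute --limit-burst 3 does is easiest to see by running packets through a token bucket. The script below is an added illustration, not the article's code, and a simplified model of the kernel's xt_limit credit arithmetic: the bucket holds at most BURST tokens, refills at RATE tokens per minute, and each packet that finds a whole token is matched by the rule; everything else falls through. Tokens are kept scaled by 60 so the refill for whole seconds stays exact in shell integer arithmetic; the timestamps fed in are constructed.

```sh
#!/bin/sh
# Token-bucket model of "-m limit --limit RATE/minute --limit-burst BURST".
# Added example; a simplified model of xt_limit, not the article's code.
# Tokens are scaled by 60 so that "RATE per minute" refills exactly RATE
# scaled units per elapsed second using integer arithmetic only.

# limit_sim RATE_PER_MINUTE BURST "t0 t1 t2 ..."
#   Packets arrive at the given whole-second timestamps (non-decreasing).
#   Prints one character per packet: A = matched by the limit rule,
#   D = not matched (falls through to the next rule or the chain policy).
limit_sim() {
  rate=$1
  capacity=$(( $2 * 60 ))   # bucket size: BURST packets
  cost=60                   # one packet consumes one (scaled) token
  tokens=$capacity          # the bucket starts full
  last=
  out=
  for t in $3; do
    if [ -n "$last" ]; then
      tokens=$(( tokens + (t - last) * rate ))
      [ "$tokens" -gt "$capacity" ] && tokens=$capacity
    fi
    last=$t
    if [ "$tokens" -ge "$cost" ]; then
      tokens=$(( tokens - cost ))
      out="${out}A"
    else
      out="${out}D"
    fi
  done
  printf '%s\n' "$out"
}

# accepted_count RATE BURST "times" -> how many of the packets the rule matched
accepted_count() {
  limit_sim "$1" "$2" "$3" | tr -cd 'A' | wc -c | tr -d ' '
}

# Constructed arrival pattern: a burst of four at t=0, then t=1, 3 and 6.
if [ "${1:-}" = demo ]; then
  printf 'burst of 4 then 1,3,6 s : %s\n' "$(limit_sim 20 3 '0 0 0 0 1 3 6')"
  printf 'ten packets at t=0      : %s\n' "$(limit_sim 20 3 '0 0 0 0 0 0 0 0 0 0')"
  printf 'one packet a minute     : %s\n' "$(limit_sim 20 3 '0 60 120 180')"
fi
```

With 20/minute the bucket gains one token every 3 seconds, so after the burst of 3 at t=0 the fourth packet at t=0 and the one at t=1 fall through, while the packets at t=3 and t=6 each find a fresh token. A flood of ten packets in the same second is cut to three; a rule pattern like this placed before a DROP is how ping floods are throttled rather than blocked.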
state: a view onto the connection tracking mechanism (nf_conntrack), which records which connection and state every packet belongs to. iptables loads the module when the first such rule is added; it can also be loaded by hand with modprobe nf_conntrack.
[!] --state state
INVALID: the packet cannot be associated with any known connection (malformed, or out of sequence)
ESTABLISHED: the packet belongs to a connection already recorded in the connection tracking table
NEW: the packet starts a connection that is not yet in the connection tracking table
RELATED: the packet starts a new connection associated with an existing one (for example an FTP data connection, or an ICMP error)
UNTRACKED: the packet was exempted from tracking by the raw table
Connections currently tracked: /proc/net/nf_conntrack
Maximum number of tracked connections (tunable; once it is reached new connections are dropped): /proc/sys/net/nf_conntrack_max
Example:
iptables -A INPUT -d 172.16.100.67 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 172.16.100.67 -m state --state ESTABLISHED -j ACCEPT
In practice these are written --state ESTABLISHED,RELATED and placed at the top of the chain, so that only NEW connections have to be matched by the per-service rules. The newer -m conntrack --ctstate match offers the same states and more.
REDIRECT: port redirection, i.e. mapping a port to another port on the local host (a special case of DNAT). nat table, PREROUTING and OUTPUT chains.
--to-ports port[-port]
Example: map port 80 of 172.16.100.67 to port 8080
iptables -t nat -A PREROUTING -d 172.16.100.67 -p tcp --dport 80 -j REDIRECT --to-ports 8080
SNAT: source address translation. nat table, usable only in the POSTROUTING and INPUT chains.
--to-source [ipaddr[-ipaddr]]
Example: let the internal network 192.168.1.0/24 reach outside addresses using the single address 172.16.100.6
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 172.16.100.6
For this to work the host must also forward packets (net.ipv4.ip_forward=1) and the FORWARD chain must permit the traffic. If the external address is dynamic, use -j MASQUERADE instead of SNAT.
DNAT: destination address translation. nat table, usable only in the PREROUTING and OUTPUT chains.
--to-destination [ipaddr[-ipaddr]][:port[-port]]
Example: publish an internal server on one address of the firewall, rewriting packets addressed to 192.168.1.1 so that they go to the internal host 172.16.100.1
iptables -t nat -A PREROUTING -d 192.168.1.1 -j DNAT --to-destination 172.16.100.1
Normally the rule is narrowed to the published service (for example -p tcp --dport 80) so that only that port is forwarded, and the FORWARD chain must allow the translated traffic.
Save the rules:
iptables-save > /PATH/TO/SOME_RULE_FILE
iptables -S > /PATH/TO/SOME_RULE_FILE   # prints the rules as iptables commands; readable, but not the format iptables-restore expects
Reload saved rules:
iptables-restore < /PATH/FROM/SOME_RULE_FILE
iptables-restore --test < /PATH/FROM/SOME_RULE_FILE only parses the file without loading it, which catches a syntax error before a bad file replaces the running rules.
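Before loading a ruleset whose policies are DROP, the mistakes in it are cheaper to find in the file than from a console after locking yourself out. The script below is an added example, not the article's code: gen_ruleset writes a minimal stateful host firewall in iptables-save format (the host address, the SSH port and the DNS egress rule are assumed values), and lint_ruleset reads such a file and warns about the usual self-lockout patterns: a DROP policy on INPUT or OUTPUT without a loopback accept, without an ESTABLISHED accept, or without an SSH accept. bad_ruleset is a constructed counter-example in the shape of the port-only ruleset shown earlier in this article.

```sh
#!/bin/sh
# Generate a stateful host firewall in iptables-save format and lint a
# ruleset file for self-lockout mistakes before iptables-restore loads it.
# Added example; host address, SSH port and the DNS rule are assumptions.

# gen_ruleset HOST_IP [SSH_PORT] -> prints an iptables-restore file
gen_ruleset() {
  host=$1
  ssh_port=${2:-22}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -d $host -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
-A INPUT -d $host -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 3 -j ACCEPT
-A OUTPUT -s $host -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# lint_ruleset [SSH_PORT] < file
#   Prints one WARN line per lockout pattern found; returns 1 if any.
lint_ruleset() {
  ssh_port=${1:-22}
  rules=$(cat)
  rc=0
  has() { printf '%s\n' "$rules" | grep -E -q "$1"; }
  if has '^:INPUT DROP'; then
    has '^-A INPUT -i lo -j ACCEPT' ||
      { echo "WARN: INPUT policy DROP but loopback traffic is not accepted"; rc=1; }
    has '^-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' ||
      { echo "WARN: INPUT policy DROP without an ESTABLISHED accept: replies to connections this host opens are dropped"; rc=1; }
    has "^-A INPUT .*-p tcp .*--dport $ssh_port( |\$).*-j ACCEPT" ||
      { echo "WARN: INPUT policy DROP and no rule admits SSH on tcp/$ssh_port"; rc=1; }
  fi
  if has '^:OUTPUT DROP'; then
    has '^-A OUTPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' ||
      { echo "WARN: OUTPUT policy DROP without an ESTABLISHED accept: replies to inbound connections are dropped"; rc=1; }
  fi
  has '^COMMIT$' ||
    { echo "WARN: no COMMIT line, iptables-restore will not apply the table"; rc=1; }
  return $rc
}

# Constructed counter-example in the shape of the port-only ruleset earlier in
# the article: default DROP, one per-port ACCEPT each way, no connection tracking.
bad_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.1.0/24 -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -s 192.168.1.1 -d 192.168.1.0/24 -p tcp --sport 22 -j ACCEPT
COMMIT
EOF
}

# warning_count [SSH_PORT] < file -> number of WARN lines the linter prints
warning_count() {
  lint_ruleset "${1:-22}" | grep -c '^WARN' || true
}
```

Typical use is `gen_ruleset 192.168.1.1 > /etc/iptables.rules && lint_ruleset < /etc/iptables.rules && iptables-restore --test < /etc/iptables.rules && iptables-restore < /etc/iptables.rules`, run from a console. The port-only ruleset passes the SSH check but trips the loopback and ESTABLISHED checks on both chains: it keeps the SSH session alive yet breaks local services and every connection the host initiates.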