Shulou(Shulou.com)06/01 Report--

Iptables firewall

The firewall in linux is divided into three tables, which are filter,nat,mangle. The filter table is used for IP address filtering, the nat table is used for network address translation, and the mangle table is used to mark certain applications (http and https).

Filter table is divided into INPUT chain, OUTPUT chain and FORWARD chain. The INPUT chain refers to the destination address is itself, the OUTPUT chain refers to the source address is itself, and the FORWARD chain only provides the forwarding function (you need to enable the forwarding function in the linux kernel).

Nat table is divided into POSTROUTING chain, PREROUTING chain, POSTROUTING chain refers to routing first and then NAT,PREROUTING chain refers to first NAT and then routing.

The mangle table is used to mark the corresponding protocols. It is divided into POSTROUTING chain and PREROUTING chain.

Example:

A packet of filter firewall

1. Set default rules for firewalls

Iptables-P INPUT ACCEPT

Iptables-P OUTPUT ACCEPT

Iptables-P FORWARD ACCEPT

Hierarchical Design of 2.iptables

Iptables-N NET1 create a new chain for the firewall, chain name NET1.

Iptables-An INPUT-s 192.168.1.0 NET1 24-j jump to NET1 chain.

Iptables-A NET1-s 192.168.1.254-j DROP sets more detailed rules.

3. Delete a chain

Iptables-D INPUT removes INPUT chains (related to NET1 chains)

Iptables-X NET1 delete NET1 chain

Iptables-F NET1 emptying chain rule

-F is to clear all rule settings within a specified chains. For example, iptables-F-t filter, that is to clear all the rules set by INPUT/OUTPUT/FORWARD chain in filter table.

-X deletes custom table items. Generally, after adding a custom chain using iptables-N xxx, you can delete it using iptables-X xxx.

-D is to delete a chain.

Two-state detection firewall

NEW New connection

ESTABLISH connection has been established

A subconnection (such as a subconnection derived from ftp) derived from a connection.

Iptables-An INPUT-m state-- state RELATED,ESTABLISH-j ACCEPT

Iptables-An INPUT-m state-- state NEW-p tcp-- dport 25-j ACCEPT (port 25 allows)

Iptables-An INPUT-m state-- state NEW-j DROP all other ports are rejected.

Third, based on application proxy firewall

On Linux, you can use iptables to forward the request for Web port 80 directly to Squid port 3128, which is taken over by Squid, while the user browser still thinks it is accessing port 80 of the other party. For example, the following command:

Iptables-t nat-A PREROUTING-s 192.168.0 tcp 32-p tcp-- dport 80-j REDIRECT-- to-ports 3128

After all the settings are completed, the key and important task is access control. Squid supports many management methods and is easy to use (which is why some people would rather use Squid without any caching than use iptables alone).

Four NAT address translation

Iptables-t nat-A POSTROUTING-s 1922.168.1.0 to-source 24-o eth2-j SNAT-- to-source 1.1.1.1

Iptables-t nat-A PREROUTING-d 2.2.2.2-p tcp-- dport 80-I eth2-j DNAT-- to-destination 192.168.0.1 PREROUTING 80

Iptables-t nat-A POSTROUTING-s 1922.168.1.0 IP 24-o eth2-j MASQUERADE (for IP address is not fixed)

Iptables-F-t nat rules for emptying nat tables

Save iptables rules

Service iptables save

Rules are saved in / etc/sysconfig/iptables

Note: after the / etc/sysconfig/iptables file is distributed, each system executes the / sbin/service iptables restart command to make the rules take effect.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.