
Iptables manages firewalls and zones

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

1. Linux firewall fundamentals. Whether it is a Linux firewall, a Windows firewall or a hardware appliance, a firewall is a set of components placed between networks of different trust levels, and it is the only entry and exit point for traffic between those security domains. By inspecting, restricting and rewriting the traffic that crosses it, the firewall hides the internal network's addressing, structure and operating state as far as possible while selectively admitting access from the outside. It puts a barrier between the internal and external networks so that uncontrolled access to the inside cannot harm the internal network.

Traditionally, firewalls fall into three categories: packet filtering, application proxy and stateful inspection. However complex a firewall's implementation may be, in the end it is an extension of these three techniques.

Overview

Firewalld is a dynamic firewall manager. It assigns network connections and interfaces to zones with different trust levels, supports IPv4, IPv6 and Ethernet bridge rules, and has two configuration modes: runtime configuration (lost on restart) and permanent configuration. It also lets services and applications add firewall rules directly through its D-Bus interface.

How firewalld picks the zone for a packet: it first checks the source address. If the source address is bound to a zone, that zone's rules apply. Otherwise, if the incoming network interface is bound to a zone, that zone's rules apply. Otherwise the default zone's rules apply.

Firewalld configuration methods: the firewall-config graphical tool; the firewall-cmd command line tool; the configuration files under /etc/firewalld/ (the permanent configuration).

II. Iptables overview

Rule evaluation order

Rules are checked from the top of the chain downward. The first rule that matches decides what happens to the packet; if no rule matches, the chain's default policy (ACCEPT or DROP) applies.

Four tables and five chains

A chain is the path a packet travels through; each chain is a checklist of rules, and a chain may hold one or many rules. When a packet reaches a chain, iptables starts at the first rule and checks whether the packet meets the conditions that rule defines. If it does, the packet is handled as that rule specifies; otherwise iptables moves on to the next rule. If the packet matches none of the rules in the chain, iptables applies the default policy predefined for that chain.
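As an added example, not from the page: the zone-selection order described above and the top-down chain evaluation just explained, modelled in plain POSIX shell so the precedence can be checked without firewalld or iptables installed. The zone bindings, rules and packets are constructed data, and the names match_cidr, resolve_zone, insert_rule, append_rule and evaluate are chosen for the example.

```shell
#!/bin/sh
# Added example (not from the page): a pure-shell model of two lookups,
# (1) firewalld choosing a zone for a packet and (2) an iptables chain
# evaluated top-down with a default policy. Nothing here touches the kernel.

ip2int() {  # dotted quad -> 32-bit integer
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_cidr NET/BITS IP   (NET may also be a bare IP or "any")
match_cidr() {
  case $1 in
    any) return 0 ;;
    */*) net=${1%/*}; bits=${1#*/}
         if [ "$bits" -eq 0 ]; then mask=0
         else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
         [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# --- 1. firewalld zone selection: source binding, then interface, then default
# Constructed bindings, one per line, in the shape --add-source and
# --change-interface would create.
SOURCE_ZONES="10.0.0.0/8 trusted
192.168.1.7 drop"
IFACE_ZONES="eth0 public
eth1 internal"
DEFAULT_ZONE=public

# resolve_zone SRC_IP IFACE -> prints the zone whose rules apply
resolve_zone() {
  z=$(printf '%s\n' "$SOURCE_ZONES" | while read -r net zone; do
        if [ -n "$net" ] && match_cidr "$net" "$1"; then echo "$zone"; break; fi
      done)
  if [ -z "$z" ]; then
    z=$(printf '%s\n' "$IFACE_ZONES" | while read -r ifc zone; do
          if [ "$ifc" = "$2" ]; then echo "$zone"; break; fi
        done)
  fi
  echo "${z:-$DEFAULT_ZONE}"
}

# --- 2. top-down chain evaluation
# A rule is "SRC PROTO TARGET"; SRC is an IP, a CIDR or any; PROTO is
# tcp/udp/icmp or any. insert_rule behaves like iptables -I (head of chain),
# append_rule like iptables -A (tail of chain).
CHAIN=""
insert_rule() { if [ -z "$CHAIN" ]; then CHAIN=$1; else CHAIN=$(printf '%s\n%s' "$1" "$CHAIN"); fi; }
append_rule() { if [ -z "$CHAIN" ]; then CHAIN=$1; else CHAIN=$(printf '%s\n%s' "$CHAIN" "$1"); fi; }

# evaluate SRC_IP PROTO POLICY -> prints the first matching target, else POLICY
evaluate() {
  v=$(printf '%s\n' "$CHAIN" | while read -r r_src r_proto r_target; do
        [ -z "$r_src" ] && continue
        if match_cidr "$r_src" "$1" && { [ "$r_proto" = any ] || [ "$r_proto" = "$2" ]; }; then
          echo "$r_target"; break
        fi
      done)
  echo "${v:-$3}"
}

# Only two hosts may ping: two -I ACCEPTs, then a catch-all -A DROP at the tail.
build_allowlist_chain() {
  CHAIN=""
  insert_rule "192.168.1.110 icmp ACCEPT"
  insert_rule "192.168.1.100 icmp ACCEPT"
  append_rule "any icmp DROP"
}

# The whole /24 may ping except two hosts: the DROPs are inserted after the
# ACCEPT, so -I puts them above it and they are reached first.
build_exception_chain() {
  CHAIN=""
  insert_rule "192.168.1.0/24 icmp ACCEPT"
  insert_rule "192.168.1.100 icmp DROP"
  insert_rule "192.168.1.110 icmp DROP"
}

build_exception_chain
for src in 192.168.1.100 192.168.1.50 10.9.9.9; do
  printf '%-15s icmp -> %s\n' "$src" "$(evaluate "$src" icmp DROP)"
done
printf 'zone for 10.1.2.3 on eth0: %s\n' "$(resolve_zone 10.1.2.3 eth0)"
```

Swapping the -I calls in build_exception_chain for -A reverses the order and the two DROP rules are never reached, which is the failure mode the case section's ordering avoids.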

The five chains: PREROUTING processes packets before the routing decision; INPUT processes packets addressed to the local host; OUTPUT processes packets generated by the local host; FORWARD processes packets routed through the host; POSTROUTING processes packets after routing, just before they leave.

Tables group rules by function. iptables has four tables: filter, nat, mangle and raw, used respectively for packet filtering, network address translation, packet modification (for example rewriting the TTL or marking packets) and exempting packets from connection tracking.

Each table contains multiple chains.

Targets (the action taken on a matching packet):
ACCEPT: accept the packet
DROP: discard the packet silently, with no reply to the sender
REJECT: refuse the packet and send an error back to the sender (an ICMP unreachable message or, for TCP, a reset)
LOG: log the packet; LOG is non-terminating, so evaluation continues with the next rule
REDIRECT: redirect to a local port (port mapping, transparent proxy)
SNAT: source address translation
DNAT: destination address translation
MASQUERADE: IP masquerading, i.e. SNAT for an interface whose address can change, such as an ADSL dial-up link

Common options:
-P set the default policy of a chain
-F flush (delete all rules in) a chain
-L list the rules in a chain
-A append a new rule at the end of a chain
-I [num] insert a new rule at the head of a chain (or at position num)
-D num delete rule number num
-s match the source address as IP/MASK; prefix it with "!" to match everything except that address
-d match the destination address
-i interface match packets arriving on this interface
-o interface match packets leaving through this interface
-p match the protocol, for example tcp, udp or icmp
--dport num match the destination port
--sport num match the source port

Differences between TCP and UDP:
1. TCP is connection-oriented (client and server establish a connection before data is transferred); UDP is connectionless (no connection is needed before sending).
2. TCP provides a reliable service (data sent over TCP arrives without errors, loss or duplication, and in order); UDP provides a simple, unreliable, transaction-oriented transfer.
3. UDP has lower latency and less overhead than TCP, so it suits high-speed, real-time or broadcast communication. As network speeds increase, UDP is used more and more.
4. A TCP connection is always point-to-point; UDP supports one-to-one, one-to-many and many-to-many communication.
5. TCP needs more system resources than UDP, and a UDP program is structurally simpler.
6. TCP is stream-oriented; UDP is datagram-oriented.

Default policies of the firewalld zones:
drop: discard all incoming packets without any reply; only outgoing connections are possible
block: reject all externally initiated connections (with an ICMP prohibited message); connections initiated from inside are allowed
public: accept only selected incoming connections (ssh and dhcpv6-client by default); this is the default zone
external: for routers with masquerading enabled; handles masqueraded inbound connections and is normally used for routing and forwarding
dmz: for hosts in a demilitarized zone; only restricted incoming connections are accepted
work: for work networks where the other hosts are mostly trusted; only selected incoming connections are accepted
home: like work; allows ssh, mdns, samba-client and dhcpv6-client by default
internal: like work, for internal networks; the same default services as home
trusted: all connections are accepted

Basic syntax of iptables:
iptables [-t table] command-option [chain] [match conditions] [-j target]
The table and chain names select what the command operates on; the command option says how the rule set is managed (insert, append, delete, list, and so on); the match conditions say which packets the rule applies to; the target says what is done with a matching packet (accept, reject, drop, or jump to another chain).

Case
[root@localhost ~]# iptables -F          // flush all rules in every chain of the filter table
[root@localhost ~]# iptables -F INPUT    // flush only the INPUT chain
[root@localhost ~]# iptables -X          // delete user-defined chains that are empty
[root@localhost ~]# iptables -Z          // zero the packet and byte counters
[root@localhost ~]# iptables -P INPUT DROP     // default: nothing comes in
[root@localhost ~]# iptables -P FORWARD DROP   // default: nothing is forwarded
[root@localhost ~]# iptables -P OUTPUT ACCEPT  // default: everything may go out
Caution: if you are working over SSH, setting the INPUT policy to DROP before the allow rules below are in place cuts off your own session. Add the ACCEPT rules first, or do this from the console.

On the INPUT chain, allow only hosts in a given network segment to reach local port 22 and refuse every other host:
[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p tcp --dport 22 -j REJECT
[root@localhost ~]# iptables-save > /etc/sysconfig/iptables   // save the configuration; iptables-save alone only prints the rules to stdout
(on CentOS/RHEL with iptables-services, `service iptables save` writes the same file)

If only 192.168.1.100 and 192.168.1.110 may ping the host:
[root@localhost ~]# iptables -I INPUT -s 192.168.1.110 -p icmp -j ACCEPT
[root@localhost ~]# iptables -I INPUT -s 192.168.1.100 -p icmp -j ACCEPT
[root@localhost ~]# iptables -A INPUT -p icmp -j DROP

If the whole 192.168.1.0/24 segment may ping the host, except 192.168.1.100 and 192.168.1.110:
[root@localhost ~]# iptables -I INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
[root@localhost ~]# iptables -I INPUT -s 192.168.1.100 -p icmp -j DROP
[root@localhost ~]# iptables -I INPUT -s 192.168.1.110 -p icmp -j DROP
Because -I inserts at the head of the chain, the two DROP rules end up above the ACCEPT rule, which is what makes the exceptions work; appended with -A they would sit below the ACCEPT and never be reached.

Add a rule to the INPUT chain that refuses everyone access to local port 12345:
[root@localhost ~]# iptables -I INPUT -p tcp --dport 12345 -j REJECT
[root@localhost ~]# iptables -I INPUT -p udp --dport 12345 -j REJECT

Add a rule to the INPUT chain that refuses all hosts access to local ports 1000 to 1024:
[root@localhost ~]# iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT
[root@localhost ~]# iptables -A INPUT -p udp --dport 1000:1024 -j REJECT
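As an added example, not from the page: the rules of the case above assembled into a single iptables-restore file so that they are loaded in the right order and in one transaction, instead of being typed one at a time into a live chain (which is how the lockout mentioned above happens). The admin subnet, the two denied hosts, the path /etc/sysconfig/iptables and the function names are assumptions of the example; iptables-restore --test needs an iptables version that has that option.

```shell
#!/bin/sh
# Added example (not from the page): generate the page's INPUT policy as an
# iptables-restore file, check rule order, and load it atomically.
ADMIN_NET=192.168.1.0/24                       # assumed admin segment
PING_DENY="192.168.1.100 192.168.1.110"        # assumed hosts that may not ping
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}   # assumed persistence path

# gen_ruleset -> prints a complete filter table in iptables-save format
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# state and loopback first, so replies and local traffic never hit later REJECTs
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh: admin subnet only; REJECT everything else so legitimate clients fail fast
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
EOF
  # the per-host DROPs must precede the subnet ACCEPT (first match wins)
  for h in $PING_DENY; do
    printf '%s\n' "-A INPUT -p icmp --icmp-type echo-request -s $h -j DROP"
  done
  cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -s $ADMIN_NET -j ACCEPT
# explicit rejects for 12345 and 1000-1024, tcp and udp
-A INPUT -p tcp --dport 12345 -j REJECT
-A INPUT -p udp --dport 12345 -j REJECT
-A INPUT -p tcp --dport 1000:1024 -j REJECT
-A INPUT -p udp --dport 1000:1024 -j REJECT
COMMIT
EOF
}

# rule_index PATTERN -> 1-based line number of the first line matching PATTERN
rule_index() { gen_ruleset | grep -n -- "$1" | head -n1 | cut -d: -f1; }

# check_order: the allow-before-deny invariants a reviewer would verify
check_order() {
  [ "$(rule_index 'ctstate ESTABLISHED')" -lt "$(rule_index 'dport 22 -j REJECT')" ] &&
  [ "$(rule_index 'dport 22 -s')" -lt "$(rule_index 'dport 22 -j REJECT')" ] &&
  [ "$(rule_index '192.168.1.100 -j DROP')" -lt "$(rule_index 'echo-request -s 192.168.1.0/24')" ]
}

# apply_ruleset FILE: write, parse-check, then replace the live table in one
# transaction. When remote, arm a rollback first (e.g. `at now + 5 min`
# re-running iptables-restore on the previous file) in case you get cut off.
apply_ruleset() {
  gen_ruleset > "$1" &&
  iptables-restore --test "$1" &&
  iptables-restore "$1"
}

if [ "${1:-}" = apply ]; then
  check_order || { echo "rule order check failed" >&2; exit 1; }
  apply_ruleset "$RULES_FILE"
else
  gen_ruleset            # default: just print the ruleset for review
fi
```

Run without arguments to review the generated table, and with `apply` to install it; because iptables-restore loads the whole table at once, there is never a moment where the DROP policy is in force without the ssh ACCEPT rule.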

© 2024 shulou.com SLNews company. All rights reserved.
