2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
Introduction to iptables
Netfilter/iptables (usually just called iptables) is the packet filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall products for packet filtering, packet redirection, network address translation (NAT) and related functions.
iptables basics
A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, process the packet in this way". Rules are stored in the packet filtering tables in kernel space and specify source address, destination address, transport protocol (TCP, UDP, ICMP) and service type (for example HTTP, FTP or SMTP, expressed as port numbers). When a packet matches a rule, iptables handles it as the rule specifies: accept, reject, drop and so on. Configuring a firewall mainly consists of adding, modifying and deleting these rules.
The relationship between iptables and netfilter:
This point confuses many people: many know iptables but not netfilter. iptables is only the administration tool for the Linux firewall, installed at /sbin/iptables. The real firewall is netfilter, the packet filtering framework inside the Linux kernel; iptables merely loads rules into it.
How a packet travels through iptables
① When a packet enters a network interface it first passes the PREROUTING chain; the kernel then decides, from the packet's destination IP, whether the packet is for this host or needs to be forwarded.
② If the packet is addressed to this host it continues to the INPUT chain; if INPUT accepts it, it is delivered to the local process listening for it. Packets sent by processes on this host pass the OUTPUT chain and then the POSTROUTING chain before leaving.
③ If the packet is to be forwarded and forwarding is enabled in the kernel (net.ipv4.ip_forward = 1), it passes the FORWARD chain and then the POSTROUTING chain before being sent out.
iptables rule tables and chains:
Tables provide specific functions. iptables has four built-in tables: filter, nat, mangle and raw, used respectively for packet filtering, network address translation, packet modification and exempting packets from connection tracking.
Chains are the paths a packet travels. Each chain is a checklist of rules, and a chain can hold zero or more rules. When a packet reaches a chain, iptables checks it against the rules in order, starting from the first. If a rule matches, the packet is processed as that rule specifies (for terminating targets such as ACCEPT or DROP, evaluation stops there); otherwise iptables moves on to the next rule. If no rule in the chain matches, the packet is handled by the chain's default policy.
iptables is organised as "tables" containing "chains". RHEL 4 had three tables and five chains; RHEL 5 has four tables and five chains, but the extra table (raw) is rarely used, so in practice little changed. The four tables and five chains are listed below; be sure to understand how they relate and what each does.
Rule tables:
1. filter table, three chains: INPUT, FORWARD, OUTPUT
Function: packet filtering. Kernel module: iptable_filter.
2. nat table, three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (addresses and ports). Kernel module: iptable_nat.
3. mangle table, five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modify packet fields such as type of service and TTL, and mark packets for policy routing or QoS. Kernel module: iptable_mangle. (Do not be put off by this table; it is rarely needed when writing filtering policies.)
4. raw table, two chains: OUTPUT, PREROUTING
Function: decide whether a packet is exempted from connection tracking (NOTRACK). Kernel module: iptable_raw.
(Not available in RHEL 4, and rarely needed.)
Rule chains:
1. INPUT: rules in this chain apply to packets addressed to this host.
2. OUTPUT: rules in this chain apply to packets generated by this host.
3. FORWARD: rules in this chain apply to packets being forwarded through this host.
4. PREROUTING: rules in this chain apply before the routing decision. (Remember: every packet that arrives from the network goes through this chain first.)
5. POSTROUTING: rules in this chain apply after the routing decision. (Every packet that leaves goes through this chain last.)
Priority between rule tables (the order in which a packet traverses them at the same hook):
raw > mangle > nat > filter
Priority between rule chains (three cases):
The first case: inbound traffic
A packet arriving at the firewall from outside is first processed by the PREROUTING chain (for example, destination address rewriting), then routed to determine where it should go. If the destination is the firewall host itself (for example an Internet user accessing a web server running on the firewall), the kernel passes it to the INPUT chain, which decides whether to allow it, and only then is it handed to the application on the host (such as the Apache server) to respond.
The second case: forwarded traffic
A packet arriving from outside is again processed first by PREROUTING and then routed. If its destination is another address (for example a LAN user reaching a QQ site through the gateway), the kernel passes it to the FORWARD chain, which decides whether to forward or block it, and then to the POSTROUTING chain (for example, source address rewriting).
The third case: outbound traffic
Packets generated on the firewall host for external addresses (for example, querying a public DNS server from the firewall host) are processed first by the OUTPUT chain, then routed, then passed to the POSTROUTING chain (for example, source address rewriting).
Basic syntax of iptables
iptables [-t table] command [chain] [match conditions] [-j target or jump]
Description: the table and chain name select what the command operates on (the table defaults to filter); the command option selects how rules are managed (insert, append, delete, list, and so on); the match conditions describe which packets the rule applies to; the target or jump says what to do with a matching packet (accept, reject, drop, log, or jump to another chain).
Administrative options of the iptables command
-A  append a new rule at the end of the specified chain
-D  delete a rule from the specified chain, by rule number or by repeating its match
-I  insert a new rule in the specified chain, at position 1 by default
-R  replace a rule in the specified chain, by rule number
-L  list all rules in the specified chain (all chains if none is given)
-E  rename a user-defined chain without changing its contents
-F  flush all rules from the specified chain (all chains if none is given)
-N  create a new user-defined chain
-X  delete a user-defined chain (it must be empty and unreferenced)
-P  set the default policy of a built-in chain
-Z  zero the packet and byte counters of all chains
-n  show addresses and ports numerically instead of resolving names
-v  verbose listing (counters, interfaces)
-V  show the version
-h  show help
Four ways the firewall handles a packet
ACCEPT lets the packet through.
DROP discards the packet silently, sending nothing back.
REJECT refuses the packet and sends the sender an error: an ICMP port-unreachable message by default, or another type chosen with --reject-with (for example tcp-reset for TCP).
LOG writes a record through the kernel log (syslog delivers it to /var/log/messages on RHEL) and then continues with the next rule; it is the only one of the four that does not end the packet's traversal of the chain.
Saving and restoring iptables firewall rules
iptables-save writes the current rules to standard output; on RHEL the init script (/etc/rc.d/init.d/iptables) loads them again at boot.
To save the rules, generally use
iptables-save > /etc/sysconfig/iptables
which generates the file /etc/sysconfig/iptables holding the rules. You can also use
service iptables save
which saves the rules to /etc/sysconfig/iptables automatically.
At boot, the init script loads the file with iptables-restore, which restores the rules. (On systemd-based releases the same file and the iptables.service unit come from the iptables-services package. iptables-restore < file loads a saved file by hand, and iptables-restore -t file parses it without committing, which is a cheap way to catch a syntax error before it locks you out.)
Delete the first rule of the INPUT chain:
iptables -D INPUT 1
1. A practical enterprise firewall example
Let us configure a firewall in the filter table.
(1) Check the current iptables settings on this machine.
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
This shows that the firewall was enabled during the Linux installation and ports 22, 80 and 25 were opened. Note the "(0 references)" on RH-Firewall-1-INPUT: in this listing no rule in INPUT or FORWARD jumps to that chain, so with INPUT's policy at ACCEPT the rules shown are not actually applied to any traffic. The installer normally adds a jump to RH-Firewall-1-INPUT in both INPUT and FORWARD; check for it with iptables -L INPUT -n before trusting such a listing.
If you did not choose to enable the firewall when installing Linux, you will see this instead:
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
Chain FORWARD (policy ACCEPT)
Target prot opt source destination
Chain OUTPUT (policy ACCEPT)
Target prot opt source destination
There are no rules.
(2) Clear the existing rules.
Whether or not the firewall was enabled at installation, if you want to write your own firewall, clear all the current filter rules first.
[root@tp ~]# iptables -F    (flushes all rules from every chain of the default table, filter)
[root@tp ~]# iptables -X    (deletes the user-defined chains in the default table, filter)
Neither command touches the other tables (use -t nat, -t mangle or -t raw for those), and neither changes the chain policies: if a chain's policy is already DROP, flushing its rules blocks all traffic, including your SSH session. Check the policies in the -L -n output before flushing.
Now let us look again.
[root@tp ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
Target prot opt source destination
Chain FORWARD (policy ACCEPT)
Target prot opt source destination
Chain OUTPUT (policy ACCEPT)
Target prot opt source destination
Nothing is left, just as if the firewall had not been enabled at installation.
(By the way, like configuring an IP address on the command line, these changes are lost at a restart.) How to save them:
[root@tp ~]# /etc/rc.d/init.d/iptables save
This writes the rules into /etc/sysconfig/iptables. Restart the firewall after writing so that the saved file is what is actually loaded:
[root@tp ~]# service iptables restart
Now that the iptables configuration is empty, let us start our configuration.
(3) Set the default policies
[root@tp ~]# iptables -P INPUT DROP
[root@tp ~]# iptables -P OUTPUT ACCEPT
[root@tp ~]# iptables -P FORWARD DROP
This means: when a packet matches none of the rules in the INPUT or FORWARD chain of the filter table, it is dropped. This is a safe default; what we need to control is inbound traffic.
For the OUTPUT chain we do not restrict outgoing traffic much, so it gets ACCEPT: a packet that matches no rule passes. So in INPUT and FORWARD you list what is allowed, and in OUTPUT you list what is not allowed.
This setup is reasonable. You could set all three chains to DROP, but then you must write more rules. If you only need a small number of services, for example only a web server, setting all three chains to DROP is recommended.
Note: if you are logged in over SSH, the first of these commands will cut off your session, because no rule accepts anything yet. Either work from the console, or add the SSH ACCEPT rule (see the next step) before changing the INPUT policy.
(4) Add rules.
First the INPUT chain. Its default policy is DROP, so we write the rules for what must be ACCEPTed.
To log in with SSH we need to open port 22:
[root@tp ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
(Note: the OUTPUT rule is only needed if you set OUTPUT to DROP. Many people forget it and then can never SSH in: the SYN is accepted but the reply cannot leave. Try the remote login now to confirm it works.
The same applies to other ports. If a web server is running and OUTPUT is DROP, also add:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT)
For a web server, open port 80:
[root@tp ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
For a mail server, open ports 25 and 110:
[root@tp ~]# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
For an FTP server, open port 21 (and 20 for active-mode data connections):
[root@tp ~]# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
(The port 20 rule covers active mode only. Passive-mode data connections arrive on arbitrary high ports; they are accepted by the ESTABLISHED,RELATED rule in the final section once the FTP connection tracking helper, nf_conntrack_ftp (ip_conntrack_ftp on older kernels), is loaded. That helper is what makes FTP work through a DROP policy.)
For a DNS server, open port 53 for both UDP and TCP (queries are normally UDP; TCP is used for large responses and zone transfers):
[root@tp ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@tp ~]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
For any other service, open the port it needs in the same way.
The above is mainly the INPUT chain; anything not matched by these rules is dropped.
Allow ICMP packets, that is, allow ping:
[root@tp ~]# iptables -A OUTPUT -p icmp -j ACCEPT    (if OUTPUT is set to DROP)
[root@tp ~]# iptables -A INPUT -p icmp -j ACCEPT     (if INPUT is set to DROP)
Allow the loopback interface! (Otherwise anything that talks to itself over lo, such as a local DNS resolver or a database reached via 127.0.0.1, breaks, and some services hang at shutdown.)
[root@tp ~]# iptables -A INPUT -i lo -j ACCEPT      (if INPUT is DROP)
[root@tp ~]# iptables -A OUTPUT -o lo -j ACCEPT     (if OUTPUT is DROP)
Next the OUTPUT chain. Its default policy is ACCEPT, so here we write the rules for what must be DROPped.
Reduce connections on suspicious ports:
[root@tp ~]# iptables -A OUTPUT -p tcp --sport 31337 -j DROP
[root@tp ~]# iptables -A OUTPUT -p tcp --dport 31337 -j DROP
Some Trojans scan for services on ports 31337 to 31340 (31337 is "eleet" in leetspeak, the classic Back Orifice port). Legitimate services do not use these non-standard ports, so blocking them reduces the chance that an infected machine on your network reports back to its controller. Be realistic about this: malware can just as well use port 80 or 443, so port blocking catches only the sloppy cases.
Other ports worth blocking in the same way: 31335, 27444, 27665, 20034 (NetBus), 9704, 137-139 (SMB) and 2049 (NFS).
For tighter security you can set OUTPUT to DROP as well and add ACCEPT rules for what is allowed out, as shown above for SSH.
Now a more specific rule, restricted to one machine.
For example, allow SSH connections only from 192.168.0.3:
[root@tp ~]# iptables -A INPUT -s 192.168.0.3 -p tcp --dport 22 -j ACCEPT
To allow or restrict a whole subnet, give the network with a prefix length, for example 192.168.0.0/24, where 24 is the number of mask bits. But remember to remove the line
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
from /etc/sysconfig/iptables, because it allows every address to log in; rules are matched in order, so an earlier "allow everyone" rule makes the restricted one meaningless. Or delete it by command:
[root@tp ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
Then save. Once again: rules entered by command are only in effect until the next restart. To keep them, write them to /etc/sysconfig/iptables:
[root@tp ~]# /etc/rc.d/init.d/iptables save
To invert a match, write an exclamation mark: -s ! 192.168.0.3 (on newer versions ! -s 192.168.0.3) means every address except 192.168.0.3.
Other ordinary connections are handled the same way.
Below is the FORWARD chain. Its default policy is DROP, so we write the rules for what must be ACCEPTed through the forwarding chain.
Enable forwarding (when doing NAT, the default policy of FORWARD is DROP):
[root@tp ~]# iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@tp ~]# iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
(Here eth0 is the external and eth2 the internal interface: anything from inside may go out, and only replies to those connections may come back in.)
Discard bad TCP packets (a new connection must start with a SYN):
[root@tp ~]# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the rate of IP fragments to guard against fragment flooding, allowing 100 per second:
[root@tp ~]# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
(When connection tracking is loaded, packets are reassembled before the filter rules see them, so -f rarely matches; the rule does no harm, but do not rely on it.)
Rate-limit ICMP: allow 1 packet per second with a burst of 10:
[root@tp ~]# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
Earlier, ICMP was accepted unconditionally on INPUT and OUTPUT; here on FORWARD it is limited instead, and ICMP beyond the limit falls through to the DROP policy.
2. Configuring the nat table
(1) Check the current NAT settings on this machine.
[root@tp rc.d]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere            to:211.101.46.235
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NAT is already configured here (it only provides the simplest shared Internet access; no firewall rules have been added to it).
If you have not configured NAT you need not clear anything, because the nat table is empty by default.
If you want to clear it, the commands are:
[root@tp ~]# iptables -t nat -F
[root@tp ~]# iptables -t nat -X
[root@tp ~]# iptables -t nat -Z
(2) Add rules
Add the basic NAT address translation first (see my other article on configuring NAT).
In this table we only add DROP rules, because the default policy of every chain is ACCEPT.
Block spoofed private source addresses arriving from the Internet:
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
[root@tp sysconfig]# iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
(A caveat: the nat table is consulted only for the first packet of each connection; later packets of a tracked connection skip it. That is enough to stop spoofed connections being set up, but anti-spoofing rules belong in the raw table's PREROUTING chain or in the filter table's INPUT and FORWARD chains, where every packet is checked. Filtering in the nat table is a habit worth dropping.)
If we want to block, say, MSN, QQ or BitTorrent, we need to find the ports or IP addresses they use (personally I do not think it is necessary).
Example:
Forbid all connections to 211.101.46.253:
[root@tp ~]# iptables -t nat -A PREROUTING -d 211.101.46.253 -j DROP
Disable the FTP port (21):
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -j DROP
Written this way the scope is too broad; we can be more precise:
[root@tp ~]# iptables -t nat -A PREROUTING -p tcp --dport 21 -d 211.101.46.253 -j DROP
This blocks only FTP connections to 211.101.46.253; other connections to it, such as web (port 80), still work.
Following this pattern, all you need for QQ, MSN and other software is their IP addresses, ports and protocols.
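To show where anti-spoofing rules belong and to check them against sample packets, here is an added shell example (my code, not the article's). It generates the DROP rules in the raw table's PREROUTING chain for a given external interface, extends the article's three RFC 1918 blocks with loopback, the 0.0.0.0/8 "this network" block, link-local and multicast (an assumption of mine, beyond the article's list), and includes a small CIDR matcher so the policy can be exercised offline with constructed source addresses: the matcher answers whether a packet with that source on the external interface would be dropped. The interface name eth0 is the article's; nothing here needs root, since it only produces and checks text.

```shell
#!/bin/sh
# Added example (not from the article): anti-spoofing rules in the raw table,
# plus an offline check of which source addresses they would drop.
# Assumed: eth0 is the external interface (as in the article); the list below
# extends the article's three RFC 1918 blocks with other never-valid sources.

BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4"

# antispoof_rules WAN_IF: print one DROP rule per block. The raw table's
# PREROUTING chain is traversed by every packet before connection tracking,
# so unlike a rule in the nat table this applies to every packet, not only
# to the first packet of a connection.
antispoof_rules() {
    wan="$1"
    for net in $BOGONS; do
        printf 'iptables -t raw -A PREROUTING -i %s -s %s -j DROP\n' "$wan" "$net"
    done
}

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET/PREFIX: succeed if IP lies inside the block.
in_cidr() {
    ip_int=$(ip2int "$1")
    net_int=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# would_drop SRC_IP: simulate the rules above against a packet arriving on the
# external interface with that source; succeed if a rule drops it.
would_drop() {
    for net in $BOGONS; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# Stand-alone use: print the rules, then test a few constructed sources.
antispoof_rules eth0
for src in 10.1.2.3 192.168.0.3 127.0.0.1 211.101.46.253; do
    if would_drop "$src"; then echo "$src: dropped"; else echo "$src: passes"; fi
done
```

The matcher only models the source-address rules; it does not model interface or conntrack state, which is why the rules are placed in raw PREROUTING with -i eth0, so that the same private ranges remain usable on the internal interface.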
3. Finally
Drop packets that belong to no known connection (INVALID):
[root@tp ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A OUTPUT -m state --state INVALID -j DROP
[root@tp ~]# iptables -A FORWARD -m state --state INVALID -j DROP
Allow all established and related connections (this is required; without it, replies to connections the host itself opens, such as httpd reaching a backend, yum, or DNS lookups, are dropped by the INPUT policy):
[root@tp ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@tp ~]# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Because these are appended with -A they land at the end of the chains, after every per-port rule. They still work, but every reply packet is compared against all the rules above them first; inserting them at the top with -I INPUT 1 is both faster and the usual convention.
[root@tp ~]# /etc/rc.d/init.d/iptables save
This writes the rules into /etc/sysconfig/iptables. Restart the firewall after writing so that the saved file is what is loaded:
[root@tp ~]# service iptables restart
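The filter-table policy built up in steps (3) and (4) of section 1 and completed in section 3, assembled into one iptables-restore file by an added shell script (my example, not the article's). It orders the rules the way the notes above recommend: loopback, INVALID and ESTABLISHED,RELATED first, SSH restricted to an admin network, then the public services, then an explicit REJECT. The admin network 192.168.0.0/24, the choice of ports 80 and 25, and the -m conntrack match (the successor to -m state) are my assumptions, not the article's. The second function is a small lint check for the lockout mistakes discussed above; both run without root, since they only produce and read text. Load the result with iptables-restore < file, after iptables-restore -t file has confirmed it parses.

```shell
#!/bin/sh
# Added example (not from the article): build the filter policy from the
# sections above as an iptables-restore file, then lint it for lockout mistakes.
# Assumed: 192.168.0.0/24 is the admin network allowed to reach sshd, and
# ports 80 and 25 are the public services. Uses -m conntrack --ctstate,
# the modern form of -m state --state.

# build_filter_rules ADMIN_NET: print the ruleset in iptables-restore format.
build_filter_rules() {
    admin_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first: local resolvers and databases talk over lo
-A INPUT -i lo -j ACCEPT
# 2. packets that belong to no tracked connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. replies to connections this host opened, plus RELATED (ICMP errors, FTP data)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. ping, rate limited; the excess falls through to the final REJECT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# 5. SSH only from the admin network; log other attempts (rate limited)
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: "
# 6. public services
-A INPUT -p tcp -m multiport --dports 80,25 -m conntrack --ctstate NEW -j ACCEPT
# 7. everything else: reject with an ICMP error so clients fail fast;
#    the DROP policy above is then only a safety net
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# lint_rules: read a ruleset on stdin, print each problem found, fail if any.
lint_rules() {
    rules=$(cat)
    problems=0
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' ||
            { echo "INPUT policy is DROP but loopback is not accepted"; problems=$((problems + 1)); }
        printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' ||
            { echo "INPUT policy is DROP with no ESTABLISHED,RELATED accept: replies to outbound connections die"; problems=$((problems + 1)); }
    fi
    # an SSH ACCEPT with no -s restriction lets the whole Internet try passwords
    if printf '%s\n' "$rules" | grep -- '--dport 22 ' | grep -- '-j ACCEPT' | grep -qv -- ' -s '; then
        echo "SSH is accepted from any source address"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Stand-alone use: lint the policy and, if it is clean, print it.
build_filter_rules 192.168.0.0/24 | lint_rules && build_filter_rules 192.168.0.0/24
```

The REJECT at the end of INPUT is deliberate: with the policy alone, a blocked client waits for a timeout, and during debugging you cannot tell a dropped packet from a lost one. The lint is intentionally narrow; its value is that it runs against the text before iptables-restore commits it, at which point the SSH session is already gone.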