Linux Firewall of Linux Network Service

2025-01-17 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >


Shulou(Shulou.com)06/02 Report--


The core of this article:

Become familiar with the table and chain structure of the Linux firewall;

Understand the basic flow of packet matching;

Master the concept of iptables and learn to write its rules.

I. Preface

In the previous service configuration articles, before starting a service we generally just typed the two commands "systemctl stop firewalld" and "setenforce 0" on the command line to turn off the firewall and SELinux. Such a simple and crude approach reflects only a superficial and incomplete understanding of the firewall, so this article gives a specific explanation of the Linux firewall together with the related configuration.

II. Overview of related concepts

2.1 What is a firewall?

A firewall is a technology that helps a computer network build a relatively isolated protective barrier between its internal and external networks by organically combining various software and hardware devices used for security management and screening, so as to protect the security of users' data and information.

Put simply, a firewall is like the security door outside every household's front door: its main role is protection. This understanding of the firewall concept is somewhat one-sided, but I think it makes the idea easier to grasp. That said, in a production environment the real firewall is usually a hardware firewall. Let's first talk about the classification of firewalls.

At the physical level, firewalls are generally divided into hardware firewalls and software firewalls. As the names imply, the difference is obvious:

Hardware firewall: part of the firewall function is implemented in hardware and the rest in software; it offers high performance at high cost and is commonly used in large data centers and enterprises.

Software firewall: implemented as application software running on a general-purpose hardware platform; it has lower performance and lower cost. Most laptops and desktops ship with a software firewall, as anyone who has used a computer will know, so it is not described further here.

2.2 Why is a firewall needed?

Whatever exists has its reason: since firewalls and firewall-related technology exist, they must have their significance and value. Therefore, we need to understand what a firewall actually does in order to understand its real value.

The main functions of a firewall are as follows:

Virus invasion detection

Network address translation

Audit Monitoring of Network Operation

Strengthen network security service

The above terms may be obscure for beginners, but in simple terms they mean preventing viruses, preventing network intrusion, monitoring network data and information, and enhancing network security. The importance of a firewall lies in the fact that it records the data and information passing through the computer network, prevents staff from visiting websites with security risks, and controls unsafe services, so as to avoid failures of the organization's own network.

Firewalls have also undergone their own development; after all, the technology is constantly improving. A firewall is a defense system that sits between the internal and external networks and provides security protection. Through the firewall, the effective flow of internal and external resources can be realized, and various hidden security problems can be dealt with in a timely manner, thus improving the security of information and data. Because of this technical development, several types of firewalls exist.

2.3 Main types of firewalls

(1) Packet filtering firewall

A packet filtering firewall works at the network and transport layers. It analyzes the source address of the data and the protocol type to decide whether a packet may pass. Traffic that conforms to the firewall's standards and meets the security requirements for its type of transmission is allowed through, while unsafe traffic is filtered and blocked by the firewall.

(2) Application proxy firewall

The application proxy firewall mainly works at the highest layer of the OSI model, the application layer. Its main feature is that network traffic is completely isolated, and supervision and control of the application layer is realized through specific proxies. These two kinds of firewalls are widely used, and other firewalls also show clear application benefits. In practice, the type of firewall must be chosen according to specific needs and conditions; only in this way can external intrusion and other problems be effectively avoided.

(3) Composite firewall

At present, the widely used firewall technology is composite firewall technology, which combines the advantages of packet filtering and proxy firewall technology. For example, if the security policy applied is a packet filtering policy, access control is performed on the header of the message; if the security policy is a proxy policy, access control is performed on the content of the message. The composite firewall thus combines the advantages of its components and discards the original shortcomings of the two kinds of firewalls, greatly improving the flexibility and security of firewall technology in practical application.

The above is an overview of the concept of a firewall. The following focuses on the software firewall, namely the Linux firewall. The Linux firewall mainly works at the network layer, where it filters and restricts TCP/IP packets, making it a typical packet filtering firewall (or network layer firewall). It is implemented in the kernel, has very stable performance and high efficiency, and is therefore widely used.

III. iptables and netfilter of the Linux firewall

3.1 iptables and netfilter

iptables is not really a firewall; we can think of it as a client agent. Users pass their security settings through this agent into the corresponding "security framework". This "security framework" is the real firewall, and its name is netfilter.

netfilter is the real security framework of the firewall, and it lives in kernel space.

iptables is actually a command-line tool in user space, and we use this tool to operate the real framework.

netfilter/iptables (hereinafter referred to as iptables) constitutes the packet filtering firewall on the Linux platform. Like most Linux software, this packet filtering firewall is free. It can replace expensive commercial firewall solutions to perform packet filtering, packet redirection, network address translation (NAT) and other functions.

Netfilter is a packet processing module in the kernel of the Linux operating system with the following functions:

Network address translation (NAT), packet content modification, and packet filtering (the firewall function proper)

That is to say, although we start the iptables "service" with service iptables start, iptables does not have a daemon process, so it is not a real service but a function provided by the kernel.

3.2 The table and chain structure of iptables (four tables and five chains are key)

First, let's explain what the tables and chains of iptables are.

3.2.1 The concept of tables

iptables manages four different tables, each implemented by an independent kernel module.

filter table: responsible for the filtering function, i.e. the firewall proper; kernel module: iptable_filter

nat table: network address translation; kernel module: iptable_nat

mangle table: the ability to take a message apart, modify it, and repackage it; kernel module: iptable_mangle

raw table: turns off the connection tracking mechanism enabled by the nat table; kernel module: iptable_raw

3.2.2 The concept of chains

The job of the firewall is to match rules against the packets passing through it (the concept of a rule is described later) and then perform the corresponding action. As a packet passes through the various checkpoints of the firewall, it is matched against the corresponding rules; there may be more than one rule at each checkpoint, so these rules are strung together into a chain. A packet passing through is matched against the rules on the chain (that is, at the "checkpoint" above) one by one, and then the corresponding action is performed.

To give a simple example, a chain is like a checkpoint between cities in ancient times: at each checkpoint, the identity or travel documents of the people passing through are checked (like the rules above) to decide whether they are allowed to pass.

The specific structure of the chains is as follows. Here is a brief conceptual explanation of the five chains:

INPUT chain: incoming packets (destined for the local host) apply the policy in this rule chain

OUTPUT chain: outgoing packets (generated by the local host) apply the policy in this rule chain

FORWARD chain: packets being forwarded apply the policy in this rule chain

PREROUTING chain: rules in this chain are applied before routing the packet (all incoming packets are handled by this chain first)

POSTROUTING chain: rules in this chain are applied after routing the packet (all outgoing packets are handled by this chain last)

Among them, the INPUT and OUTPUT chains mainly play a role in a host firewall, that is, a firewall that protects the server itself, while the other chains are mostly used in a "network firewall", such as when the Linux firewall serves as the gateway server securing the boundary between the company's intranet and the Internet.

3.2.3 The relationship between iptables tables and chains

The relationship between the four tables and five chains is shown in the following figure:

From the figure it can be understood that a table contains the corresponding chains, and each chain holds various matching rules. In actual use, we usually take the "table" as the starting point when defining rules.

Table: function

Chain: hook point

Rules in the raw table can be used by these chains: PREROUTING, OUTPUT

Rules in the mangle table can be used by these chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Rules in the nat table can be used by these chains: PREROUTING, OUTPUT, POSTROUTING (INPUT is also available in CentOS 7, but not in CentOS 6)

Rules in the filter table can be used by these chains: INPUT, FORWARD, OUTPUT

IV. Matching process of packet filtering

The matching process of packet filtering is best understood from the order in which the rule chains are traversed:

V. The grammatical format of iptables

iptables [-t table] option [chain] [condition] [-j target]

Common parameters:

-P sets the default policy of a chain, e.g. iptables -P INPUT DROP or iptables -P INPUT ACCEPT

-F flushes (clears) the rule chain

-L lists the rules of the chain

-A appends a new rule to the end of the rule chain

-I num inserts a new rule at the head of the rule chain (or at position num)

-D num deletes rule number num

-s matches the source address IP/MASK; prefixed with an exclamation mark "!" it matches everything except this IP

-d matches the destination address

-i ifname matches data coming in through this network interface

-o ifname matches data going out through this network interface

-p matches the protocol, such as tcp, udp, icmp

--dport num matches the destination port number

--sport num matches the source port number
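As an added example (not from the original article or the iptables project), the following Python models the matching process of section IV using the rule syntax of section V: a packet is checked against the rules of a chain from top to bottom, the first rule whose conditions all hold supplies the target, and a packet matching no rule falls through to the chain's default policy set with -P. The chain, the host address 10.1.2.1 and the packets are constructed for illustration.

```python
import ipaddress
import shlex

# Added illustration (not iptables code): a small model of how one chain is evaluated.
# The first rule whose conditions all hold decides; otherwise the default policy (-P) applies.

OPTS = {"-p": "proto", "-s": "src", "-d": "dst", "-i": "in_if",
        "-o": "out_if", "--dport": "dport", "--sport": "sport"}

def parse_rule(line):
    toks = shlex.split(line)              # e.g. "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    rule, negate, i = {"chain": None, "target": None, "match": []}, False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                       # "! -s 10.0.0.0/8": negate the next condition
            negate = True
        elif t in ("-A", "-I", "-j"):      # chain to add to / target to jump to
            rule["target" if t == "-j" else "chain"], i = toks[i + 1], i + 1
        elif t in OPTS:                    # a match condition from the parameter list above
            val, i = toks[i + 1], i + 1
            if val == "!":                 # legacy spelling "-s ! 10.0.0.0/8"
                negate, val, i = True, toks[i + 1], i + 1
            rule["match"].append((OPTS[t], val, negate))
            negate = False
        i += 1
    return rule

def _field_matches(field, want, pkt):
    have = pkt.get(field)
    if field in ("src", "dst"):            # IP/MASK matching for -s and -d
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    return str(have) == str(want)

def evaluate(rules, policy, pkt):
    for rule in rules:                     # top to bottom, as the firewall walks the chain
        if all(_field_matches(f, v, pkt) != neg for f, v, neg in rule["match"]):
            return rule["target"]
    return policy                          # no rule matched: the chain's default policy

def demo():
    rules = [parse_rule(r) for r in (      # constructed INPUT chain for a host firewall
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -p tcp --dport 22 ! -s 10.0.0.0/8 -j DROP",
        "iptables -A INPUT -p tcp --dport 22 -j ACCEPT")]
    pkts = {                               # constructed packets arriving on eth0 of 10.1.2.1
        "ssh_from_lan": dict(proto="tcp", src="10.1.2.3", dst="10.1.2.1", dport=22, in_if="eth0"),
        "ssh_from_internet": dict(proto="tcp", src="203.0.113.9", dst="10.1.2.1", dport=22, in_if="eth0"),
        "dns_udp": dict(proto="udp", src="10.1.2.3", dst="10.1.2.1", dport=53, in_if="eth0")}
    return {name: evaluate(rules, "DROP", pkt) for name, pkt in pkts.items()}
```

Swapping the order of the two port-22 rules would let SSH from the Internet through, which is why rule order inside a chain matters as much as the rules themselves.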

VI. Summary

This article mainly introduced the relevant knowledge of firewalls, focusing on the theory of the firewall in the Linux system, and explained what iptables is and its relationship with netfilter.

It then described the four tables and five chains of iptables and the relationship between them, and finally gave the grammatical format of iptables.
