Basics and examples of iptables and netfilter

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

How would you describe the way a firewall is implemented? If you cannot explain it, do not just repeat what you have heard; work it out for yourself!

1. What is a firewall?

A firewall applies a set of rules at several hook points that every network packet must pass through, restricting traffic (for example by port) and thereby filtering the data.

2. What path does a packet take?

1. The client sends a packet -> it arrives at the server's network interface -> (routing decides the destination is the server itself) the packet is handed to the kernel for processing -> the processed reply packet is routed -> and sent back to the client through the network interface.

2. The client sends a packet -> it arrives at the server's network interface -> (routing decides the destination is not the server) the packet is forwarded -> and sent on to its destination address through the network interface.

3. Which points must every packet pass through?

1. The packet has entered the network card but has not yet been routed. This point is called PREROUTING.

2. The packet has been routed and is about to be delivered to the kernel (a local process). This point is called INPUT.

3. The routing node for packets that are not addressed to this host and are passed on. This point is called FORWARD.

4. The packet has been produced by the kernel (a local process) and is about to be routed. This point is called OUTPUT.

5. The packet has been routed and is about to be sent out through the network card. This point is called POSTROUTING.

In technical terms these points are called hook functions. Because all traffic must pass through these five points, firewall rules can be attached to them.

4. What are firewall rules?

This calls for a little firewall history. Originally Linux was designed without a firewall. For security reasons, OpenBSD was the first to implement the firewall concept in its Unix kernel; when the Linux maintainers saw how useful it was, they ported it into the Linux kernel. At first the facility was simply called firewall, and it was crude: it did nothing more than filter packets. Over time its functions were greatly extended, with nat, mangle, raw and other capabilities, so these functions were collectively given a proper name: netfilter. Not bad, is it?

Netfilter's rules provide four functions:

1. filter: packet filtering

2. nat: network address translation

3. mangle: modifies the modifiable fields in a packet header

4. raw: turns off the connection tracking that the nat table enables

5. What is a chain?

The rules attached to one hook are grouped together and called a chain. Some functions (tables) only work on particular hooks. The tables available on each of the five chains are:

PREROUTING: raw, mangle, nat

INPUT: mangle, filter

OUTPUT: raw, mangle, nat, filter

FORWARD: mangle, filter

POSTROUTING: mangle, nat

Rules on a chain are checked in order, so arrange them as follows:

1. Among rules of the same kind, put the one with the narrower match first.

2. Among rules of different kinds, put the one that is matched most often first.

3. A default policy should be set.

6. What is a table?

Each function corresponds to several chains; the chains that share a function together form a table. The chains of the four function tables are:

filter: INPUT, FORWARD, OUTPUT

nat: PREROUTING, OUTPUT, POSTROUTING

mangle: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING

raw: PREROUTING, OUTPUT

7. How are these rule functions added to Linux?

iptables is the interface and tool that lets the user enter rules for a given hook function from the command line, so as to implement the firewall.

Format:

# iptables [-t TABLE] SUBCOMMAND CHAIN CRITERIA -j TARGET

TABLE: filter, nat, mangle, raw

SUBCOMMAND:

-P set the default policy of a chain    # iptables -P INPUT DROP

-F flush (clear) all rules on the specified chain    # iptables -F INPUT

-Z zero the packet and byte counters of the chain

-N create a new user-defined chain

-X delete a user-defined chain (it must be empty)

-E rename a user-defined chain

-A append a rule to the end of the specified chain

-I insert a rule, by default at position 1 (the first rule)

-D delete the specified rule

-R replace the specified rule

-L list all rules on the specified chain

-L -n list in numeric form (no name resolution)

-L -n -v more detailed (verbose) information

-L -n --line-numbers show rule numbers

-L -n -v -x show exact counter values

CHAIN: PREROUTING INPUT FORWARD OUTPUT POSTROUTING

CRITERIA:

Generic: -p check the protocol: tcp, udp, icmp

-s source IP

-d destination IP

-i incoming network interface

-o outgoing network interface

Implicit extensions (when -p names the protocol, the matching -m <protocol> may be omitted):

-m tcp --dport | --sport | --syn | --tcp-flags LIST1 LIST2

-m udp --dport | --sport

-m icmp --icmp-type 8 | 0 (8 is the ping request, 0 is the ping reply)

Explicit extensions:

-m multiport specify multiple ports

--sports

--dports

-m iprange specify an IP range

--src-range source range (note: a ! placed in front negates the match)

--dst-range destination range

-m string match on a string in the packet

--algo {kmp | bm} the pattern-matching algorithm

--string the string to match

--hex-string the string, hex encoded

-m time time-based restrictions

--datestart

--datestop

--timestart

--timestop

--weekdays

-m connlimit limit based on the number of concurrent connections

--connlimit-above

-m limit rate-based limit

--limit n[/second | /minute | /hour | /day] how often a match is allowed (the average rate)

--limit-burst n allow a burst of up to n matches

TARGET:

Built-in targets: ACCEPT (accept), DROP (discard silently, no response), REJECT (reject, with an error response)

A user-defined chain (jump to a custom chain)
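A worked ruleset that puts the syntax above together, added here as an example and not part of the original article: a web server's INPUT chain built only from the subcommands and match extensions listed above, ordered according to section 5. The management address range and the per-source connection limit are constructed placeholder values, and the function prints the commands instead of running them so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the article): an INPUT-chain filter for a web
# server, using only the subcommands and match extensions described above.
# Management range and connection limit are constructed placeholder values.
MGMT_RANGE="${MGMT_RANGE:-192.0.2.10-192.0.2.20}"   # hosts allowed to reach SSH
WEB_CONN_LIMIT="${WEB_CONN_LIMIT:-20}"              # concurrent connections per source IP

# Emits one iptables command per line instead of running them, so the
# ruleset can be reviewed first; apply it as root with: sh this_script.sh | sh
build_web_server_rules() {
    # Default policies (section 5, point 3): anything no rule accepts is dropped.
    echo "iptables -t filter -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback traffic, matched on the incoming interface; it is frequent,
    # so it goes first (section 5, point 2).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Web ports: the narrower connlimit REJECT must precede the broad ACCEPT
    # (section 5, point 1); otherwise the ACCEPT matches first and the limit never fires.
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above $WEB_CONN_LIMIT -j REJECT"
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # SSH only from the management range (-m iprange); -m tcp is implied by -p tcp.
    echo "iptables -A INPUT -p tcp --dport 22 -m iprange --src-range $MGMT_RANGE -j ACCEPT"
    # ICMP echo requests (type 8), rate-limited with -m limit.
    echo "iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 10 -j ACCEPT"
    # Caveat: nothing here accepts replies to connections this host opens itself
    # (e.g. its own DNS lookups); that needs connection tracking, which is not covered above.
}

# Returns 0 when the connlimit REJECT rule is ordered before the ACCEPT it guards.
check_rule_order() {
    rules=$(build_web_server_rules)
    reject_line=$(echo "$rules" | grep -n 'connlimit-above' | cut -d: -f1)
    accept_line=$(echo "$rules" | grep -n 'dports 80,443 -j ACCEPT' | cut -d: -f1)
    [ -n "$reject_line" ] && [ -n "$accept_line" ] && [ "$reject_line" -lt "$accept_line" ]
}

# Print the ruleset for review; verify afterwards with: iptables -L INPUT -n -v -x --line-numbers
build_web_server_rules
```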

8. Unfinished, to be continued
