6--Principles of iptables, the firewall commonly used in enterprises, explained in detail

Source: Internet
Author: User

A firewall works at the boundary of a network (or of a single host), where traffic crosses from one trust zone into another.

Firewalls are categorized as software firewalls and hardware firewalls.

Types of software firewalls:

1. Packet-filtering firewall: works mainly at the network and transport layers (OSI layers 3 and 4; the link-layer header of layer 2 is visible too). Packet filtering comes in two kinds.

1.1 Simple (stateless) packet filtering judges each packet on its own, using header fields as the matching rule: source IP, destination IP, protocol, source port, destination port, and so on.

1.2 Packet filtering with stateful inspection. Stateless filtering cannot tell whether a packet belongs to an existing conversation. A stateful filter keeps a connection table and can match on the connection state (new, established, related, invalid). The state here is the firewall's own connection-tracking state, not the state of the TCP finite state machine, so it applies to UDP and ICMP flows as well. It is less efficient than stateless filtering because every packet involves a lookup in (and possibly an update of) the connection table.

2. Application-layer gateway (proxy) firewall: works at the application layer and filters (inspects) a specific application protocol. It does not decide on source or destination IP; it inspects the application-layer header and even the application data itself. Because it checks the real content, its security is higher: source and destination IP addresses are easy to spoof, the content of a request much less so. The price is efficiency: content inspection is expensive in itself, and to reach the content the link-layer, network-layer and transport-layer headers must all be unpacked first.

The Linux kernel maintains a routing table.

When a packet arrives, the kernel consults the routing table to decide whether the packet is addressed to this host. If so, the packet is kept on this host and delivered up to the user-space process that owns the destination socket. If it is addressed elsewhere (and IP forwarding is enabled), the kernel forwards it out of the appropriate interface; a forwarded packet stays in kernel space the whole time and never reaches a user-space process. Packets sent by a local process take the opposite path: from user space into the kernel, then out through an interface chosen by the routing table.

To view the Linux routing table:

    # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.128.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    0.0.0.0         192.168.128.254 0.0.0.0         UG        0 0          0 eth0

Flags: U means the route is up, G means the route goes via a gateway. The last line (destination 0.0.0.0, mask 0.0.0.0) is the default route: anything not matched by a more specific entry is sent to 192.168.128.254 through eth0.


When a process on the host sends a packet, the packet first enters the kernel, which looks the destination up in the routing table. For an external address, the matching route decides the next-hop gateway and the network card the packet leaves through; the most specific matching entry (longest netmask) wins, and the default route is used only when nothing else matches.
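The routing decision described above, reproduced as an added shell example (not code from the original article): a longest-prefix lookup over a constructed copy of the three routes that netstat -rn printed. It assumes a POSIX shell and shows how a destination ends up either directly on eth0 or via the default gateway 192.168.128.254.

```sh
#!/bin/sh
# Added example (not from the original article): the kernel's routing decision
# reproduced as a longest-prefix lookup over a constructed copy of the three
# routes printed by netstat -rn above.

# Constructed routing table, one route per line: destination gateway genmask iface
ROUTES='192.168.128.0 0.0.0.0 255.255.255.0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 eth0
0.0.0.0 192.168.128.254 0.0.0.0 eth0'

# ip2int: dotted quad -> 32-bit integer (shell arithmetic does the shifts)
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_len: netmask -> prefix length, by counting leading one bits
mask_len() {
  m=$(ip2int "$1"); n=0
  while [ $(( m & 2147483648 )) -ne 0 ]; do
    n=$(( n + 1 ))
    m=$(( (m << 1) & 4294967295 ))
  done
  echo "$n"
}

# route_lookup DST [TABLE]: the most specific matching route wins, as in the
# kernel. Prints "direct IFACE" for an on-link destination (gateway 0.0.0.0,
# flag U) or "via GATEWAY IFACE" (flag UG); returns 1 if no route matches.
route_lookup() {
  dst=$(ip2int "$1")
  table=${2:-$ROUTES}
  best_len=-1; best_gw=''; best_if=''
  while read -r dest gw mask iface; do
    [ -n "$dest" ] || continue
    d=$(ip2int "$dest"); m=$(ip2int "$mask")
    if [ $(( dst & m )) -eq "$d" ]; then
      len=$(mask_len "$mask")
      if [ "$len" -gt "$best_len" ]; then
        best_len=$len; best_gw=$gw; best_if=$iface
      fi
    fi
  done <<EOF
$table
EOF
  [ "$best_len" -ge 0 ] || { echo "no route to $1"; return 1; }
  if [ "$best_gw" = "0.0.0.0" ]; then
    echo "direct $best_if"
  else
    echo "via $best_gw $best_if"
  fi
}

# Stand-alone demo: one LAN host, one link-local host, one Internet host
route_lookup 192.168.128.10
route_lookup 169.254.1.1
route_lookup 8.8.8.8
```

The same lookup is what decides, in the next step, whether a packet is "for this host" or "to be forwarded": a destination that matches only the default route is sent on to the gateway, one that matches a directly connected route is delivered on that link.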


To filter packets (apply rule checks), the kernel must first know which kind of packet it is dealing with: inbound to this host, outbound from it, or forwarded through it. That is known only after the routing lookup, so each kind is inspected at a different checkpoint; all of these checkpoints are inside the kernel.

Once the routing lookup has determined the packet's direction, the packet is checked.


Checking a packet usually involves several rules, and the order of the rules matters: they are tried from top to bottom, and the first rule that matches and carries a final decision settles the packet's fate.

From the above, the firewall itself runs entirely in kernel space; iptables is the user-space tool. iptables is not the firewall but the tool for writing and loading the rules the kernel enforces. iptables checks the syntax of what the user writes; a rule with a mistake in it is rejected and never takes effect.

The Linux kernel provides a framework called NetFilter, the basic platform on which packets are processed.

iptables writes rules into NetFilter's checkpoints (five in total), and that is how packet inspection is achieved.

NetFilter has five hook functions (their positions are marked with red circles in the figure that accompanied the original article):

1. After the routing lookup has determined that the packet is destined for this host, a hook function stops the packet and checks it before it is delivered locally.

2. After the routing lookup has determined that the packet is to be forwarded, a hook function stops it and checks it before it is forwarded on.

3. After a locally generated packet has passed the routing lookup, a hook function stops it and checks it before it leaves the host.

4. When a packet has just arrived at the network card, before the routing lookup, a hook function intercepts it so that its destination IP address (DNAT) or destination port can be rewritten, for example to implement load balancing.

5. After the routing lookup and just before the packet reaches the network card on its way out, a hook function intercepts it so that its source IP address (SNAT) can be rewritten.

Each hook function operates on a rule chain; the chains corresponding to the five hooks above are:

1. INPUT chain: checks packets entering this host.

2. OUTPUT chain: checks packets leaving this host.

3. FORWARD chain: checks packets forwarded through this host.

4. PREROUTING chain: incoming packets as soon as they reach the network card; used for address translation, access restrictions and the like.

5. POSTROUTING chain: outgoing packets just before they reach the network card; used for address translation, access restrictions and the like.

The main functions of the firewall:

1. filter: filtering (accept or discard packets).

2. nat: address translation.

3. mangle: neither filters nor translates addresses; it only alters header fields (for example TTL, TOS, or a packet mark). This function is available at all five checkpoints.

4. raw (not highlighted in the original): marks packets that should bypass connection tracking; available at PREROUTING and OUTPUT.

Each of these four functions is called a table. The chains on which each table can hold rules are:

filter: INPUT, FORWARD, OUTPUT

nat: PREROUTING, OUTPUT, POSTROUTING (and INPUT on newer kernels)

mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

raw: PREROUTING, OUTPUT

A table (function) therefore has several chains, and each chain is attached to one hook function. When several tables have a chain on the same hook, they are consulted in a fixed order: raw, mangle, nat, filter on PREROUTING and OUTPUT; mangle then filter on INPUT and FORWARD; mangle then nat on POSTROUTING.

Packet matching process (the original article shows this as a diagram):

A packet addressed to this host passes PREROUTING (raw, mangle, nat), then the routing decision, then INPUT (mangle, filter), and is then delivered to the process. A packet sent by a local process passes the routing decision, then OUTPUT (raw, mangle, nat, filter), then POSTROUTING (mangle, nat), and leaves through the network card. A packet forwarded by this host passes PREROUTING, the routing decision, FORWARD (mangle, filter) and POSTROUTING, and never enters user space.
Example:

Deny all hosts in the 172.16.0.0/16 network access to the web service running on this host.

First decide which function this is: denying access is filtering. The filter table has rules on three chains, INPUT, OUTPUT and FORWARD. A packet aimed at a local service arrives on INPUT, so the rule clearly belongs on the INPUT chain.

Writing a filter rule has two parts: the match condition and the action taken on a match.

Match condition: NetFilter has a core set of matches (source address, destination address, protocol, inbound and outbound interface) and many extension modules that add further criteria, such as connection state or a list of ports.

Action: ACCEPT; DROP (discards the packet silently, so the sender learns nothing); REJECT (discards the packet and sends back an ICMP error or a TCP reset telling the sender that it was refused).

Besides the five built-in chains described above, you can define your own chains. A custom chain has no effect on its own, because no hook function calls it. To make it effective, attach it to one of the built-in chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING) with a jump rule, so that the built-in chain calls the custom chain.
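The example above written out, as an added shell example (not code from the original article): the filter table in iptables-restore format, with the deny rule in a custom chain that INPUT jumps into. Assumptions: the web service listens on TCP 80 and 443, the blocked prefix is 172.16.0.0/16 (the page's 172.160.0.0 read as that network), and WEB_ACL is an arbitrary chain name. It also illustrates why rule order matters and the difference between REJECT and DROP.

```sh
#!/bin/sh
# Added example (not from the original article): "deny 172.16.0.0/16 access
# to the local web service" as an iptables-restore file with a custom chain.
# Ports, prefix and the chain name WEB_ACL are assumptions.

BLOCKED_NET=172.16.0.0/16
WEB_PORTS=80,443

# web_filter_rules: emit the filter table. Only INPUT, FORWARD and OUTPUT exist
# here; a packet for a local service is checked on INPUT (hook 1).
web_filter_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:WEB_ACL - [0:0]
# Rule order matters: the jump into the ACL must come before the general
# ACCEPT, otherwise the blocked network is accepted first and never reaches it.
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -j WEB_ACL
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -j ACCEPT
# The custom chain has no hook of its own; it only runs through the jump above.
# REJECT answers the client (here with a TCP RST); DROP would discard silently.
-A WEB_ACL -s ${BLOCKED_NET} -p tcp -j REJECT --reject-with tcp-reset
# Falling off the end of a custom chain returns to the caller, so unblocked
# clients continue with the next INPUT rule (the ACCEPT).
-A WEB_ACL -j RETURN
COMMIT
EOF
}

# check_rules: parse only, without touching the kernel (iptables-restore --test);
# a non-zero exit is how a mistyped rule fails to take effect.
check_rules() {
  web_filter_rules | iptables-restore --test
}

# load_rules: replace the filter table atomically; requires root.
load_rules() {
  web_filter_rules | iptables-restore
}

# Stand-alone use: print the rule set for review
web_filter_rules
```

Run check_rules before load_rules: the parse step catches a bad prefix or an unknown target before anything reaches NetFilter, and the atomic load means there is never a moment with the ACCEPT in place but the ACL missing.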
