What is a firewall?
A firewall works at the edge of a host or network. It inspects incoming and outgoing packets against pre-defined rules and applies the action attached to the rule that a packet matches.
Firewall components on CentOS 6.6:
netfilter: the packet-filtering framework that works inside the kernel, on the TCP/IP protocol stack.
iptables: the user-space tool for writing filtering rules. Rules are handed straight to the kernel through its interface and take effect immediately, but they are not persistent; to make them survive a reboot they must be saved to a configuration file, which is then loaded at boot or loaded manually by the user. iptables checks rule syntax automatically.
netfilter defines 5 hook points (hook functions) on the TCP/IP stack at which packets can be controlled:
Hook functions:
PREROUTING: before the routing decision, right after a packet enters the machine
INPUT: packets destined for the machine itself
OUTPUT: packets generated by the machine itself
FORWARD: packets routed through the machine
POSTROUTING: after the routing decision, just before a packet leaves the machine
Classified by packet flow, the hook points a packet passes through are:
Destined for the machine itself: PREROUTING, INPUT
Generated by the machine itself: OUTPUT, POSTROUTING
Forwarded by the machine: PREROUTING, FORWARD, POSTROUTING
Function tables:
Filtering function: filter table
Hook points: INPUT, FORWARD, OUTPUT
Address-rewriting function: nat table: rewrites the source address or destination address of a packet.
Hook points: PREROUTING, OUTPUT, POSTROUTING
mangle table: modifies fields of the IP and TCP headers of a packet.
Hook points: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Connection-tracking function: raw table
Hook points: PREROUTING, OUTPUT
Priority (from high to low): raw > mangle > filter (the most commonly used)
Basic format:
iptables [-t TABLE] SUBCOMMAND CHAIN CRITERIA -j TARGET
-t TABLE:
The default is filter; the four available tables are filter, nat, mangle and raw.
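As an added illustration (not part of the original post), the following POSIX shell script turns the table/hook-point list above into a small rule builder: it knows which built-in chains belong to each table and only emits a command line in the basic format when the table and chain combination is one the kernel actually provides. The functions and the sample rules are constructed for this example; the script prints command lines and does not call iptables itself, so it can be run without root.

```shell
#!/bin/sh
# Added example: table -> hook points, and a builder for the basic rule format.

# Print the built-in chains (hook points) of TABLE, as listed on the page.
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;                  # unknown table
    esac
}

# Return 0 when CHAIN is a built-in chain of TABLE, 1 otherwise.
chain_in_table() {
    table=$1; chain=$2
    chains=$(chains_for_table "$table") || return 1
    for c in $chains; do
        [ "$c" = "$chain" ] && return 0
    done
    return 1
}

# build_rule TABLE CHAIN "CRITERIA" TARGET
# Prints:  iptables [-t TABLE] -A CHAIN CRITERIA -j TARGET
# Fails (non-zero, message on stderr) instead of emitting a rule the
# kernel would reject because the chain is not a hook point of that table.
build_rule() {
    table=$1; chain=$2; criteria=$3; target=$4
    if ! chain_in_table "$table" "$chain"; then
        echo "error: chain $chain is not a hook point of table $table" >&2
        return 1
    fi
    if [ "$table" = filter ]; then
        echo "iptables -A $chain $criteria -j $target"        # -t filter is the default
    else
        echo "iptables -t $table -A $chain $criteria -j $target"
    fi
}

# Demo with constructed rules: two valid combinations and one invalid one.
build_rule filter INPUT "-p tcp --dport 22" ACCEPT
build_rule raw PREROUTING "-p udp --dport 53" ACCEPT
build_rule filter PREROUTING "-p tcp" DROP || echo "(rejected as expected)"
```

The third call fails because PREROUTING is not a hook point of the filter table; the real iptables would report the same mismatch only after the command is run.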
Subcommands:
[Image: table of iptables subcommands (images 11, 12 and 13 of the original post; not recoverable as text)]
CRITERIA: matching criteria
[Image: table of generic matching criteria (image 15 of the original post; not recoverable as text)]
Extended matches:
Implicit extension: when the protocol is given with the -p option of a generic match, the -m option that names the extension for that protocol becomes optional;
tcp:
--dport PORT[-PORT]
--sport PORT[-PORT]
--tcp-flags LIST1 LIST2
LIST1: the flags to be examined;
LIST2: the flags among LIST1 that must be set to 1, while the remaining flags in LIST1 must be 0;
Example: --tcp-flags syn,ack,fin,rst syn
--syn: matches the first packet of the TCP three-way handshake;
udp:
--sport
--dport
icmp:
--icmp-type
8: echo request
0: echo reply
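To make the LIST1/LIST2 rule concrete, here is an added POSIX shell model of the --tcp-flags test (example code, not from the original post). tcp_flags_match takes the mask list, the comparison list and the flags set on a packet, and returns success only when every flag in the mask is set exactly when it appears in the comparison list; flags outside the mask are ignored. The packet flag strings are constructed inputs.

```shell
#!/bin/sh
# Added example: model of "--tcp-flags LIST1 LIST2".

# Return 0 if FLAG (upper case) is in the comma-separated LIST.
# ALL stands for every flag, NONE for no flag (as iptables accepts them).
flag_in_list() {
    flag=$1
    list=$(echo "$2" | tr 'a-z' 'A-Z')
    case ",$list," in
        *",$flag,"*) return 0 ;;
    esac
    case "$list" in
        ALL) return 0 ;;
    esac
    return 1
}

# tcp_flags_match MASK COMP PKTFLAGS
#   MASK     = LIST1, the flags to examine, e.g. SYN,ACK,FIN,RST
#   COMP     = LIST2, the flags among MASK that must be 1, e.g. SYN
#   PKTFLAGS = flags set on the packet under test (constructed input)
# Returns 0 (match) or 1 (no match).
tcp_flags_match() {
    mask=$1; comp=$2; pkt=$3
    for f in FIN SYN RST PSH ACK URG; do
        flag_in_list "$f" "$mask" || continue          # not examined at all
        if flag_in_list "$f" "$comp"; then
            flag_in_list "$f" "$pkt" || return 1       # must be 1, but is 0
        else
            flag_in_list "$f" "$pkt" && return 1       # must be 0, but is 1
        fi
    done
    return 0
}

# Demo: the page's example "--tcp-flags syn,ack,fin,rst syn" against three packets.
for pkt in "SYN" "SYN,ACK" "SYN,PSH"; do
    if tcp_flags_match syn,ack,fin,rst syn "$pkt"; then
        echo "packet [$pkt]: match (new connection attempt)"
    else
        echo "packet [$pkt]: no match"
    fi
done
```

The loop shows why the rule singles out connection requests: a bare SYN matches, SYN+ACK (the second handshake packet) does not because ACK is in the mask but not in the comparison list, and SYN+PSH still matches because PSH is outside the mask. --syn is shorthand for exactly this mask and comparison list.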
Explicit extension: the extension mechanism used must be named explicitly;
-m MODULE_NAME (each module introduces a new matching mechanism);
To see which modules are available:
rpm -ql iptables
module names are lowercase and end in .so;
multiport extension: matches several discretely defined ports; up to 15 ports may be given;
Dedicated options:
--source-ports, --sports PORT[,PORT,...]
--destination-ports, --dports PORT[,PORT,...]
--ports PORT[,PORT,...]
Example:
iptables -I INPUT 1 -d 172.16.100.11 -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -I OUTPUT 1 -s 172.16.100.11 -p tcp -m multiport --sports 22,80,443 -j ACCEPT
iprange extension: specifies a contiguous range of IP addresses; used when the range to match is not a whole network;
Dedicated options:
[!] --src-range IP[-IP]
[!] --dst-range IP[-IP]
Example:
iptables -A INPUT -d 172.16.100.11 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.11 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT
string extension: checks whether a given string appears in the packet payload;
Dedicated options:
--algo {bm|kmp}: the two available string-matching algorithms
--string "STRING"
--hex-string "HEX_STRING": the string given in hexadecimal encoding;
Example:
iptables -I OUTPUT 1 -s 172.16.100.11 -p tcp --sport 80 -m string --string "Sex" --algo kmp -j REJECT
time extension: access control based on time intervals
Dedicated options:
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: start date
--datestop: stop date
--timestart: start time
--timestop: stop time
--weekdays DAY1[,DAY2,...]: restricts the rule to the given days of the week
Example:
# iptables -R INPUT 1 -d 172.16.100.11 -p tcp --dport 80 -m time --timestart 08:30 --timestop 18:30 --weekdays Mon,Tue,Thu,Fri -j REJECT
connlimit extension: limits by number of connections; caps the number of concurrent connections each client IP may hold;
Dedicated options:
--connlimit-above N
Example:
# iptables -I INPUT 2 -d 172.16.100.11 -p tcp --dport 22 -m connlimit --connlimit-above 5 -j REJECT
limit extension: matches based on packet rate;
Dedicated options (token bucket algorithm):
--limit N[/second|/minute|/hour|/day]
--limit-burst N
Example:
iptables -A INPUT -d 172.16.100.11 -p icmp --icmp-type 8 -m limit --limit 10/minute --limit-burst 5 -j ACCEPT
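The token bucket behind -m limit is easy to misread (--limit is the refill rate, --limit-burst the bucket size), so here is an added POSIX shell simulation of it, not code from the original post. limit_sim takes the rate per minute, the burst, and a constructed list of packet arrival times in whole seconds, and reports how many packets the rule would match (and so ACCEPT in the example above) versus fall through to later rules. It simplifies the kernel's implementation, which refills at jiffy resolution, to whole-second arithmetic and assumes 60 is divisible by the rate.

```shell
#!/bin/sh
# Added example: token-bucket model of "-m limit --limit N/minute --limit-burst B".
# limit_sim RATE_PER_MINUTE BURST "t1 t2 t3 ..."   (times in seconds, non-decreasing)
# Prints "<matched> <not-matched>".
limit_sim() {
    rate=$1; burst=$2; times=$3
    interval=$((60 / rate))   # seconds needed to earn one token (10/minute -> every 6 s)
    tokens=$burst             # the bucket starts full: --limit-burst packets may pass at once
    last=0                    # time up to which refills have been credited
    matched=0; missed=0
    for t in $times; do
        earned=$(( (t - last) / interval ))          # whole tokens earned since last credit
        if [ "$earned" -gt 0 ]; then
            tokens=$((tokens + earned))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi   # bucket never overflows
            last=$((last + earned * interval))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1)); matched=$((matched + 1))   # rule matches -> its target runs
        else
            missed=$((missed + 1))                             # no token: rule does not match
        fi
    done
    echo "$matched $missed"
}

# Demo with constructed arrival times for the page's example (10/minute, burst 5):
# seven echo requests at t=0, two at t=6, one at t=30.
limit_sim 10 5 "0 0 0 0 0 0 0 6 6 30"
```

For the demo input the bucket admits 5 of the 7 packets that arrive together, one of the two at t=6 (one token has been earned by then), and the one at t=30, so it prints "7 3". With --limit-burst 1 the same rule degenerates to a strict one-packet-per-6-seconds filter, which is why the burst value matters as much as the rate.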
TARGET:
-j: jump to the target
Built-in targets:
ACCEPT: accept the packet
DROP: discard the packet silently
REJECT: reject the packet and send an error back to the sender
Custom chains:
Not finished .....
Firewall under Linux (iptables/netfilter)--My Learning record