Firewall under Linux (iptables/netfilter)--My Learning record

What is a firewall?

Work on the edge of a host or network, and check for incoming and outgoing messages according to pre-defined rules, and the components that can be processed by the messages matched by the rules.

Firewall components on the centos6.6:

netfilter: Filters, frameworks working in the kernel on TCP/IP network protocol stacks

iptables: The authoring tool for filtering rules, the defined rules are sent directly to the kernel through the kernel interface, immediately effective, but not permanently valid, expected to have a permanent effect, need to be saved to the configuration file, this file is loaded and manually loaded by the user Iptables can automatically implement rule syntax checking.

The NetFilter defines 5 card points (Hook functions) on the TCP/IP stack to control the message:

hooks function (Hook functions):

Prerouting: Before entering the native posterior function

Input: Arrives inside the machine

Output: issued by this machine

Forward: forwarded by local machine

Postrouting: After the routing function occurs, before leaving the machine

According to the classification of the message, the card points to pass are as follows:

To the inside of the machine: Prerouting,input
Issued by this machine: output,postrouting
Forwarded by native: Prerouting,forward,postrouting

function table:

Filter Function: Filter Table

Card point: Input, Forward,output

Modify function: Net table: Modify the source address and destination address of the message.

Card point: prerouting,output,postrouting

Mangle Table: Modify some information of the message IP,TCP message header.

Card point: Prerouting,postrouting,input,output,forward

tracking function: Raw Table

Card point: Prerouting,output

priority (from high to low): raw------mangle------filter (most commonly used)

Basic format:

iptables [-t TABLE] subcommand CHAIN creteria -j TARGET

-T TABLE:

The default is filter, a total of filter, NAT, Mangle, raw four are available;

Subcommand (Sub-command):

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/6D/12/wKioL1VcAi-SyZtQAAHzR1xCaZ4155.jpg "title=" image 11. PNG "style=" Float:none; "alt=" wkiol1vcai-syztqaahzr1xcaz4155.jpg "/>650" this.width=650; "src=" http:// S3.51cto.com/wyfs02/m01/6d/18/wkiom1vcbwygd7wkaab8bbwuroy484.jpg "title=" image 12.png "alt=" Wkiom1vcbwygd7wkaab8bbwuroy484.jpg "/>650) this.width=650;" Src= "http://s3.51cto.com/wyfs02/M02/6D/18/ Wkiom1vcbybdmeetaad8aa4naki832.jpg "title=" image 13.png "alt=" Wkiom1vcbybdmeetaad8aa4naki832.jpg "/>

Creteria: Matching Criteria

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/6D/18/wKiom1VcBEqgncahAAFhyLWukQ0900.jpg "title=" image 15. PNG "alt=" wkiom1vcbeqgncahaafhylwukq0900.jpg "/>

Extended match:

implicit extension: If the protocol is indicated by using the-p option on a generic match, the-m option is used to indicate that the extension to its protocol becomes optional;

Tcp:

--dport Port[-port]

--sport

--tcp-flags LIST1 LIST2

LIST1: The mark to be checked;

LIST2: Appears in the LIST1 and must be a 1 mark, while the remainder must be 0;

Example:--tcp-flags syn,ack,fin,rst syn

--syn: The first time to match the three-time handshake of a TCP session;

Udp:

--sport

--dport

Icmp:

--icmp-types

8:echo Request

0:echo reply

Explicit extension: You must indicate the extension mechanism used;

-M module name (each module will introduce a new matching mechanism);

Want to know which modules are available:

RPM-QL iptables

lowercase letters, ending with. so;

multiport Extension: Multi-port matching with discrete definition; specify up to 15 ports;

Dedicated options:

--source-ports,--sports Port[,port,...]

--destination-ports,--dports Port[,port,...]

--ports Port[,port,...]

Example:

Iptables-i INPUT 1-d 172.16.100.11-p tcp-m multiport--dports 22,80,443-j ACCEPT

Iptables-i OUTPUT 1-s 172.16.100.11-p tcp-m multiport--sports 22,80,443-j ACCEPT

iprange Extension: Specifies a contiguous range of IP addresses, which is used when matching a non-entire network address ;

Dedicated options:

[!] --src-range Ip[-ip]

[!] --dst-range Ip[-ip]

Example:

Iptables-a input-d 172.16.100.11-p tcp--dport 23-m iprange--src-range 172.16.100.1-172.16.100.100-j ACCEPT

Iptables-a output-s 172.16.100.11-p tcp--sport 23-m iprange--dst-range 172.16.100.1-172.16.100.100-j ACCEPT

String Extension: Checks for strings that appear in the message and matches the given string;

Dedicated options:

--algo {KMP|BM}: two string matching algorithms

--string "string"

--hex-string "hex_string": hex_string as a string encoded in 16 binary format;

Example:

Iptables-i OUTPUT 1-s 172.16.100.11-p tcp--sport 80-m string--string "Sex"--algo kmp-j REJECT

Time Extension: Access control based on interval

Dedicated options:

--datestart Yyyy[-mm][-dd][hh[:mm[:ss]]: start date

--dattestop: Stop Date

--timestart: Start time

--timestop: Stop Time

--weekdays Day1[,day2,...] : Controls the week of the week

Example:

# iptables-r INPUT 1-d 172.16.100.11-p tcp--dport 80-m time--timestart 08:30--timestop 18:30--weekdays Mon,Tue,Thu , Fri-j REJECT

connlimit Extension: Limit based on number of connections, limit the number of concurrent connections each IP can initiate ;

Dedicated options:

--connlimit-above [n]

Example:

# iptables-i INPUT 2-d 172.16.100.11-p tcp--dport 22-m connlimit--connlimit-above 5-j REJECT

limit Extension: Based on the rate of the packet;

Private options: Token bucket algorithm

--limit N[/second|/minit|/hour|/day]

--limit-burst N

Example:

Iptables-r INPUT 172.16.100.11-p ICMP--icmp-type 8-m limit--limit 10/minute--limit-burst 5-j ACCEPT

TARGET:

-j:jump, Jump Target

Built-in targets:

Accept: Acceptance

Drop: Discard

REJECT: Reject

Custom chain:

Not finished .....

Firewall under Linux (iptables/netfilter)--My Learning record