Iptables Simple Introduction and application of Linux firewall

Iptables is the simple introduction of Linux firewall and the use of iptables effective location such as:

Among them, the network firewall can also use a iptables-enabled Linux host instead; Facilities such as routers or hubs are omitted from the topology;

That shows where Iptables is, here's how Iptables works:

We know that all the packets received and sent in Linux are done in the kernel, but iptables is not working in the kernel, how do we implement the firewall function?

Iptables work in the user space and define rules to the netfilter that work in the kernel, and the function of filtering packets is done by NetFilter; NetFilter is the framework provided by the kernel;

So how did iptables command it? (iptables rule definition, four-sheet five-chain)

Five chains include: INPUT, OUTPUT, FORWARD, prerouting, postrouting, Position please refer to, if there is no wrong, please correct me;

Four tables include: Filter <--nat <--mangle <--Raw (with priority order)

The function of the linked list is implemented:

Filter: Filtering: INPUT, FORWARD, OUTPUT
Nat:prerouting (Dnat do destination address translation), OUTPUT, postrouting (SNAT, Destination address translation)
Mangle: Unpacking the message, all locations
Raw: Connection tracking, prerouting, OUTPUT

Note: Connection tracking is a relatively resource-intensive thing, do not use the general situation;

Summary: iptables with four table five chain to set the rules of filtering messages, and NetFilter according to the rules set by the elder brother; then let's briefly describe the iptables command application:

The iptables command uses:

Iptables [-t table] subcommand CHAIN creteria -j TARGET

which table to work on              Sub-command chain matching standard processing action

　-T table omitted, the default action is on the filter

For specific instructions, please see the link for more information.

IPTABLES-T table name <-A/I/D/R> rule chain name [rule number] <-I/O nic name >-P protocol name <-s source ip/Source Subnet >--sport source port <-d destination ip/target subnet >--d Port Target Ports-j action

We list a few common:

View: Iptables-l-N

Empty: Iptables-f

To delete an empty custom chain: iptables-x

Sets the default policy for the specified chain: iptables-p {INPUT | OUTPUT | ... } {DROP | ACCEPT | REJECT ...}

Let's say you've seen the links above and learned the meaning of-s-d-p-i-o options, so here are a few simple examples:

First, we open a CentOS 7 virtual machine and use Iptables-l-N to view the current rule settings:

Note: If you find more rules, you can first disable FIREWALLD and use iptables-f && iptables-x to clean up and then display;

Remarks: Disable Firewalld method: Systemctl Disable FIREWALLD

At this point, we are remotely logged on to Linux via SSH, then we must first ensure that SSH login, in other words, open 22 port input and output

# iptables-i input-d your Linux IP address-p tcp-dport 22-j ACCEPT

# iptables-i output-s your Linux IP address-p tcp-sport 22-j ACCEPT

Next, we'll change the default policy for INPUT and OUTPUT to DROP

# iptables-p INPUT DROP

# iptables-p OUTPUT DROP

No accident, if your host has 80 ports to provide Web services, it is now inaccessible; Why is it?

Because we dropped all the packets except for the access to Port 22, and the response from Port 22;

Why do I have to explain open port 22 first? Because the first time I set it, I changed the default policy of input to drop, and then I was locked out of my door ...

So now I need to make the Web service accessible:

# iptables-i input-d your Linux IP address-p tcp-dport 80-j ACCEPT

# iptables-i output-s your Linux IP address-p tcp-sport 80-j ACCEPT

So is it not the same as opening the 22 port above, just changing a port? Yes, just a change of port ...

Is there any way to get it done at once? Yes:

# iptables-i input-d your Linux IP address-p tcp-m multiport--dports 22,80-j ACCEPT

# iptables-i output-s your Linux IP address-p tcp-m multiport--sports 22,80-j ACCEPT

What is the-m?

Explicit extension: You must explicitly indicate which extension module is used; To view the extension modules supported by the current host: Rpm-ql iptables | grep "\.so"

Articles about explicit extensions

How to save and reload rules:

Save the rule to the specified file:
Iptables-save >/root/iptables.1 Store Current firewall rules

Overload rules from the specified file:
Iptables-restore </root/iptables.1 read and enable to save firewall rules

The above mentioned using Linux as a network firewall to use, the following simple introduction:

• Preparation: Linux host four, one to do network firewall, configure two network cards; One to do external network host; Two do intranet host;
• Network firewall Host: A NIC internal, set the IP address is 192.168.50.1/24; A network card external
• You need to turn on the address forwarding feature of Linux:
  • Sysctl-w net.ipv4.ip_forward=1
  • Cat/proc/sys/net/ipv4/ip_forward is 1
• Intranet Host: Add any address of 192.168.50.0/24
• Extranet Host: Add routing rules route add-net 192.168.50.0/24 GW 10.0.0.5-Note this is the same network segment IP address used by the extranet host
• Test Ping
• Network firewall host settings iptables FORWARD chain

  # iptables-192.168. 50.2  -j---192.168. 50.2  -j and release

• simultaneously release httpd and SSH Services

   # iptables-i FORWARD-M State--state established-j accept# Ipta Bles -A forward-d 192.168 . 50.2 -P tcp-m multiport--dports 22 , 80 -M State--state new-j ACCEPT 

   

• External network host needs to access the intranet FTP server what to do?
  • Network firewall complete the above three steps to go

    modprobe nf-conntrack_ftp-1 -M state--state related,established  -- 2192.168. 50.2 +-m State --state new-j ACCEPT 

Summary: The use of iptables flexible, slightly more complex, but as long as the principle of understanding, and then complex rules can not withstand the slow scrutiny;

Iptables Simple Introduction and application of Linux firewall