Linux iptables principles and rule writing

Source: Internet
Author: User


Directory:

I. Netfilter and iptables

II. filter, nat, mangle and other rule tables

III. INPUT, FORWARD and other rule chains and rules

IV. Linux packet routing principle

V. Writing iptables rules

  I. Netfilter and iptables

  

(1) Netfilter is the packet-filtering framework introduced in the Linux 2.4 kernel by Rusty Russell. It is simple and flexible, and it implements most of what a security policy needs from a firewall: packet filtering, packet modification, address masquerading, transparent proxying, dynamic Network Address Translation (NAT), Media Access Control (MAC) address filtering, stateful (connection-tracking based) filtering, and packet rate limiting. iptables/Netfilter rules can be combined freely to build all of these functions, which is a direct result of its hook-based design.

Netfilter is the packet-processing module in the core layer of the Linux operating system. It provides the following functions:

  • Network Address Translation (NAT)
  • Packet content modification
  • Packet-filtering firewall

(2) The Netfilter platform defines five hook points on the packet path, each of which is a callback point: when a packet reaches one of these locations, the kernel calls the functions registered there, which gives us the opportunity to inspect, modify, redirect or discard the packet. In iptables terminology the five hook points are PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING (in the kernel they are NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD, NF_INET_LOCAL_OUT and NF_INET_POST_ROUTING).

 

(3) The rules that Netfilter enforces live in kernel memory. iptables is a user-space application: through the interface that Netfilter exposes it edits the Xtables (the Netfilter configuration tables) held in the kernel. Xtables is organised as tables, each table holds chains, and each chain holds an ordered list of rules. iptables is therefore only the user-space tool for editing this rule set; similar front ends include firewalld. On current distributions the iptables command may itself be the nftables-backed variant (iptables-nft), which accepts the same syntax but stores the rules in the nf_tables kernel subsystem; iptables -V shows which variant is installed.

 

II. filter, nat, mangle and other rule tables

(1) The tables are filter, nat, mangle and raw (plus, on SELinux systems, a security table):

  filter table

It is the table for packet filtering: according to its rules it decides whether a packet may pass (targets such as ACCEPT, DROP, REJECT and LOG). The kernel module corresponding to the filter table is iptable_filter, and the table contains three built-in chains:

    • INPUT chain: applies to packets whose destination is the local machine.
    • FORWARD chain: filters packets that were neither generated locally nor are destined to the local machine, that is, packets the machine only forwards.
    • OUTPUT chain: filters all locally generated packets.

  nat table

It is used to rewrite the IP addresses and port numbers of packets (Network Address Translation: the SNAT, DNAT, MASQUERADE and REDIRECT targets). Only the first packet of a connection traverses the nat table. The translation decided for that packet is recorded in its connection-tracking entry and applied automatically, in both directions, to every later packet of the same connection, so those packets never consult the nat table again. A practical consequence: a nat rule added after a connection already exists does not affect that connection. The table corresponds to the kernel module iptable_nat and contains three built-in chains (kernels from 2.6.34 on also provide a nat INPUT chain):

    • PREROUTING chain: rewrites the destination address of a packet as it arrives at the firewall, before the routing decision (DNAT).
    • OUTPUT chain: rewrites the destination address of locally generated packets (DNAT, REDIRECT).
    • POSTROUTING chain: rewrites the source address just before the packet leaves the firewall (SNAT, MASQUERADE).

  mangle table

It is used to modify packet headers and metadata: the Type of Service (TOS) and Time To Live (TTL) fields, and the firewall mark (MARK) attached to a packet, which is what QoS (Quality of Service) shaping and policy routing (ip rule ... fwmark) key on.

It is rarely needed in a plain host firewall, because marks and TOS/TTL changes only pay off when something downstream (the traffic shaper, the routing policy database or the next router) acts on them. It has all five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

  raw table

It was added in iptables versions after 1.2.9. Its purpose is to decide, before connection tracking runs, whether a packet is to be tracked at all (the NOTRACK target, or -j CT --notrack in newer versions). Because the raw table is consulted first on its hooks, its rules take effect before those of every other table. It contains two built-in chains: PREROUTING and OUTPUT.

 

(2) Connection tracking classifies packets into four states, which rules match with -m conntrack --ctstate (or the older -m state --state):

    • NEW: the packet starts a new connection, or belongs to a connection that has not yet seen packets in both directions (for TCP, normally the SYN).
    • RELATED: the packet starts a new connection that is associated with an existing tracked connection. Examples are the FTP data connection, which is RELATED to the FTP control connection (this needs the nf_conntrack_ftp helper), and ICMP error messages such as destination-unreachable, which are RELATED to the connection that triggered them. Note that an ICMP echo reply (--icmp-type 0) to a tracked echo request (--icmp-type 8) belongs to the same tracked flow and therefore matches ESTABLISHED, not RELATED.
    • ESTABLISHED: packets have been seen in both directions, so the connection has moved from NEW to ESTABLISHED; this state keeps matching all subsequent packets of the connection.
    • INVALID: the packet cannot be associated with any known connection, is malformed, or could not be tracked (for example because the conntrack table was full). ICMP errors referring to connections the firewall does not know about fall into this class as well. Packets in this state should generally be dropped.

 

III. INPUT, FORWARD and other rule chains and rules

 

(1) iptables provides five built-in chains, distinguished by the point in packet processing at which their rules intervene. Seen from the point of application:

    • INPUT chain: its rules apply to packets received by the firewall that are addressed to the firewall itself (inbound).
    • OUTPUT chain: its rules apply to packets generated by the firewall itself (outbound).
    • FORWARD chain: its rules apply to packets received by the firewall that are addressed elsewhere and have to be passed through it (forwarding).
    • PREROUTING chain: its rules apply before the routing decision, for example DNAT.
    • POSTROUTING chain: its rules apply after the routing decision, for example SNAT.

 

(2) The INPUT and OUTPUT chains are used mostly in a host firewall, to control what traffic may enter and leave the server itself; the FORWARD, PREROUTING and POSTROUTING chains are used mostly in a network firewall, in particular when the firewall host acts as a gateway.

  

IV. Linux packet routing principle

 

(1) Having understood the architecture and functions of Netfilter and iptables and the structure of the Xtables tables that control Netfilter's behaviour, how do these tables take effect in the packet path of the kernel protocol stack?

Workflow: a packet is received by the NIC, the link layer strips the frame header, and the packet enters the IP processing path of the TCP/IP stack (essentially kernel code that handles network packets) together with Netfilter. Receiving, processing and forwarding form a state machine: the packet passes through a series of kernel handling functions and Netfilter hook points and is finally either forwarded or consumed by a local application. At each hook the tables registered on it are consulted in a fixed order: raw, then mangle, then nat, then filter. Connection tracking runs right after the raw table in PREROUTING and OUTPUT, which is why raw is the place to exempt packets from tracking.

We can summarise the following rules:

    • A packet entering through a NIC first reaches the PREROUTING chain. In nat PREROUTING we have the opportunity to rewrite the destination IP (DNAT). Only afterwards does the kernel's routing module decide, from the packet's destination IP and the kernel routing table, whether the packet is for the local machine or has to be forwarded (note that at this point the destination IP may already have been rewritten).
    • If the packet is for the local machine (its destination IP is an address of a local interface), it goes on to the INPUT chain. A packet accepted there is delivered to the local socket, that is, to the process listening on it.
    • Packets generated by local processes first go through a routing decision, then pass the OUTPUT chain and finally the POSTROUTING chain before being transmitted (note that in nat POSTROUTING the source IP may be rewritten by SNAT or MASQUERADE).
    • If the packet is to be forwarded (its destination IP is not a local address) and forwarding is enabled (net.ipv4.ip_forward=1), it goes to the FORWARD chain and then to the POSTROUTING chain, and is sent out on the interface the route selected.

  Keep this traversal order in mind when writing iptables rules; it tells you at which hook a given rule has to sit.
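The following is an added example, not part of the original article, that puts the traversal order above and the nat table of section II into one working rule set for a NAT gateway. It is written as an iptables-restore file produced by a shell function, so the whole rule set is loaded atomically rather than one iptables command at a time. The interface names (eth0 on the WAN side, eth1 on the LAN side), the public address 203.0.113.10, the LAN 192.168.42.0/24 and the internal web server 192.168.42.153 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): a NAT gateway rule set in
# iptables-restore format, generated by a shell function.
# Assumed layout, purely for illustration:
#   eth0  WAN side, public address 203.0.113.10
#   eth1  LAN side, network 192.168.42.0/24
#   192.168.42.153  internal web server published on the WAN address, TCP/80
WAN_IF=eth0
WAN_IP=203.0.113.10
LAN_IF=eth1
LAN_NET=192.168.42.0/24
WEB_SRV=192.168.42.153

gen_gateway_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# nat is consulted for the first packet of a connection only; conntrack
# applies the same translation to every later packet of that connection.
# PREROUTING runs before the routing decision, so rewriting the destination
# here is what makes the kernel forward the packet instead of delivering it locally.
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# POSTROUTING runs after routing, once the outgoing interface is known.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the gateway itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# Forwarded traffic. FORWARD sees the packet after DNAT, so the published
# service is matched on its internal address, not on $WAN_IP.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

gen_gateway_rules
```

Run it as sh gateway-rules.sh > /tmp/gw.rules, check the file with iptables-restore --test /tmp/gw.rules, enable forwarding with sysctl -w net.ipv4.ip_forward=1, and load it with iptables-restore /tmp/gw.rules. The DNAT rule sits in PREROUTING because the routing decision must already see the rewritten destination to forward the packet; the FORWARD rule matches the internal address for the same reason; MASQUERADE sits in POSTROUTING because the outgoing interface is only known after routing.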

 

V. Writing iptables rules

 

Command format:

  iptables [-t table] command chain [rule-number] [matches] -j target

  Examples:

  iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp -m multiport --dports 22,80,3306 -j ACCEPT

  iptables -t filter -I INPUT -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT

  1. [-t table name]: the table the rule operates on; filter, nat, mangle or raw. If omitted, the default is filter. The command options that follow are:

    • -A: append a rule at the end of the chain.
    • -I: insert a rule at the given position; the rules at and after that position move down one place. If no number is given, the rule is inserted at position 1 (the top of the chain).
    • -D: delete a rule from the chain, either by repeating the complete rule specification or by giving its rule number.
    • -R: replace the rule at the given number in place; the rule number is required.
    • -P: set the default policy of a built-in chain (ACCEPT or DROP).
    • -N: create a user-defined chain, which rules can jump to with -j.
    • -L: list the rules of a chain (or of all chains); combine with -n to print numeric addresses and ports, -v for counters and interfaces, and --line-numbers for rule numbers, e.g. iptables -nvL --line-numbers.

  2. Chain name: the chain in the table the rule belongs to, such as INPUT, OUTPUT, FORWARD or PREROUTING. The rule specification then consists of:

    • [rule number]: used with -I, -D and -R; --line-numbers on -L shows the numbers.
    • [-i | -o interface]: -i matches the interface the packet arrived on (usable in PREROUTING, INPUT and FORWARD), -o the interface it leaves through (usable in FORWARD, OUTPUT and POSTROUTING).
    • [-p protocol]: the protocol the rule matches, such as tcp, udp or icmp.
    • [-s source IP]: IP address or subnet of the source host; a leading ! negates the match.
    • [--sport source port]: source port number; only meaningful together with -p tcp or -p udp.
    • [-d destination IP]: IP address or subnet of the destination host.
    • [--dport destination port]: destination port number; only meaningful together with -p tcp or -p udp.

  3. -m: extension matches. This option loads a match module that provides further matching parameters, for example:

    • -m conntrack --ctstate ESTABLISHED,RELATED (the older spelling -m state --state ESTABLISHED,RELATED still works)
    • -m tcp --dport 22
    • -m multiport --dports 80,443
    • -m icmp --icmp-type 8

  4. <-j target>: the action taken on matching packets, including ACCEPT, DROP and REJECT:

    • ACCEPT: let the packet pass.
    • DROP: silently discard the packet without any response.
    • REJECT: discard the packet and send an error back to the sender (an ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST for TCP).

    • SNAT: source address translation. It is applied in POSTROUTING, after the routing decision and just before the packet leaves: the source address is rewritten, the destination address is unchanged, and the translation is recorded in the connection-tracking entry. When the reply comes back, the kernel uses that entry to rewrite the reply's destination address back to the original internal source and passes it on to the internal host. This is how many intranet hosts share one public address to reach the Internet.
      MASQUERADE is a special form of SNAT that uses whatever address the outgoing interface currently has, suited to dynamically assigned addresses such as ADSL/PPPoE links.

    • DNAT: destination address translation, the counterpart of SNAT. It is applied in PREROUTING (or in OUTPUT for locally generated packets), before the routing decision: the destination address is rewritten, the source address is unchanged, and the translation is recorded in the connection-tracking entry. When the reply comes back, the kernel rewrites the reply's source address back to the original destination before sending it to the remote host. This hides the real address of the back-end server.
      REDIRECT is a special form of DNAT: it rewrites the destination to an address of the local machine (the primary address of the incoming interface), whatever the destination in the IP header was, which makes it convenient for port forwarding to a local service or for a transparent proxy.

    • LOG: write an entry through the kernel log (typically collected in /var/log/messages or the journal) and then continue with the next rule.

With the exception of LOG, which is non-terminating, the targets above end the traversal of the chain as soon as a rule matches: the packet does not continue to later rules. The order in which rules are written is therefore critical, and a LOG rule has to be placed before the DROP or REJECT rule it is meant to report on.
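The following is an added example, not part of the original article, that applies the rule syntax of this section and the connection-tracking states of section II (2) to a complete host firewall: default-DROP INPUT, loopback and established traffic accepted first, INVALID dropped, rate-limited ping, a multiport rule, and a log-then-drop tail that shows why rule order matters. It is written as an iptables-restore file generated by a shell function. The server address 192.168.42.153 is taken from the article's command examples; the management network 192.168.42.0/24 that is allowed to reach SSH, and the LOGDROP chain name, are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): a host firewall for one
# server, in iptables-restore format. The server address 192.168.42.153 is
# taken from the article's command examples; the management network
# 192.168.42.0/24 that may reach SSH is an assumption for the example.
HOST_IP=192.168.42.153
ADMIN_NET=192.168.42.0/24

gen_host_rules() {
cat <<EOF
*filter
# Default policies: drop everything inbound that no rule accepts; allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain (what "iptables -N LOGDROP" creates), used as a shared
# log-then-drop tail.
:LOGDROP - [0:0]
# Rule order matters: the first rule whose terminating target matches wins.
-A INPUT -i lo -j ACCEPT
# Replies and related packets of connections that were already allowed.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are dropped before any ACCEPT below sees them.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Echo requests, rate-limited.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT
# New connections: SSH from the admin network only, web from anywhere.
-A INPUT -s $ADMIN_NET -d $HOST_IP -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -d $HOST_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else: LOG is non-terminating, so the packet continues to the
# DROP that follows it; putting the DROP first would log nothing.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

gen_host_rules
```

Run it as sh host-rules.sh > /tmp/host.rules, check the file with iptables-restore --test /tmp/host.rules, and load it with iptables-restore /tmp/host.rules from a console session (or with a scheduled revert) so a mistake in the SSH rule cannot lock you out. Loading the whole file at once also avoids the window that exists when rules are added one iptables command at a time while the policy is already DROP.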

 
