Linux System Management Basics (Part 4): the Linux system firewall, netfilter

Source: Internet
Author: User

I. The Linux firewall

The firewall is an important part of day-to-day maintenance. It is with the firewall that we first really touch the production environment; network security is receiving more and more attention, so learning this part well is an important step for an operations engineer.

In general, desktop environments are where few people care about firewalls; often not even anti-virus software is installed, so operating a firewall is naturally unfamiliar. A real production environment, however, cannot do without one.

The Linux firewall up to and including CentOS 6 is netfilter; CentOS 7 introduced the new firewalld. We generally start by learning netfilter, and firewalld is compatible with netfilter rules.

II. Building a netfilter learning environment

Because the default firewall of CentOS 7 is firewalld, we have to stop firewalld and then switch to the netfilter of CentOS 6. Preparatory work: turn off SELinux, shut down the firewalld that ships with CentOS 7, and start netfilter.

(i) Turn off SELinux

1. Temporary shutdown

setenforce 0   # command to turn SELinux off for the running system
getenforce     # command to view the SELinux status

Just make sure that getenforce reports Permissive. This is only a temporary shutdown: the system turns SELinux on again after a reboot, so to close it permanently the configuration file must be modified.

2. Permanent shutdown

Turning this feature off permanently requires modifying the SELinux configuration file:

vi /etc/selinux/config


Change SELINUX=enforcing to SELINUX=disabled.
Note that you must not change the SELINUXTYPE= line below it to disabled, or the system will not boot.
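The warning above is easy to trip over with a search-and-replace that matches SELINUXTYPE= as well. The following script is an added example, not code from the original article: it rewrites only the line that starts with SELINUX=, validates the requested mode, and reads both settings back so the edit can be verified. The config path is passed in as a parameter so it can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example (not from the original article): set the boot-time SELinux
# mode in a selinux config file without touching the SELINUXTYPE= line,
# which the article warns must stay as it is or the system will not boot.
# Usage: set_selinux_mode /etc/selinux/config disabled

# set_selinux_mode <config file> <enforcing|permissive|disabled>
set_selinux_mode() {
    cfg="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    # The ^ anchor means the pattern matches "SELINUX=" only at the start of a
    # line, so "SELINUXTYPE=" (which starts with the same letters) is untouched.
    sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"
}

# current_selinux_mode <config file>: print the configured boot-time mode.
current_selinux_mode() {
    sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1"
}

# selinux_type <config file>: print SELINUXTYPE= so you can confirm it survived.
selinux_type() {
    sed -n 's/^SELINUXTYPE=\(.*\)$/\1/p' "$1"
}
```

The file change only takes effect at the next boot; for the running system you still use setenforce as described above. Choosing permissive instead of disabled keeps SELinux loaded and logging denials without enforcing them, which is the less drastic option when the goal is only to stop it from interfering with the firewall exercise.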

(ii) Shut down the CentOS 7 firewalld

systemctl stop firewalld      # stop the firewalld service
systemctl disable firewalld   # stop firewalld from starting at boot

Operation:

Unlike the previous step, this one prints no progress output; as long as no error is reported it has succeeded.

(iii) Start the netfilter firewall used by CentOS 6 and 5

yum install iptables-services   # install the netfilter tooling, commonly called iptables; note that the package name ends in "services" (plural): typing iptables-service finds no such package
systemctl enable iptables       # set the iptables service to start at boot
systemctl start iptables        # start the iptables service
iptables -nvL                   # view the default iptables rules

Operation:

In the output, 1 sets the service to start at boot, 2 starts iptables in the current session, and 3 shows the default iptables rules.

III. netfilter tables and chains

netfilter uses 5 tables and 5 chains to control the packets passing through the network interfaces: which are to be dropped, which are allowed in, and so on.

The 5 tables are:
filter: Mainly used for filtering packets; it is the system's default table. Contains 3 chains: INPUT, OUTPUT, FORWARD, meaning that as long as a packet is in one of these three chains, the rules in the filter table can be used to handle it.
nat: Mainly used for network address translation. Contains 3 chains: PREROUTING, OUTPUT, POSTROUTING.
mangle: Mainly used to mark packets, which are then processed according to the mark. Contains all 5 chains.
raw: Used to exempt packets from connection tracking; with this table you can specify that packets arriving on certain ports are not tracked. Contains 2 chains: PREROUTING and OUTPUT.
security: Not present in CentOS 6; used for mandatory access control networking, which is not studied here for the time being.

The 5 chains are:
PREROUTING: before the packet enters the routing table.
INPUT: after routing, when the destination is the local machine.
FORWARD: after routing, when the destination is not the local machine.
OUTPUT: generated by this machine and sent outward.
POSTROUTING: before the packet is handed to the NIC interface.

Flow of a network packet through netfilter after the system starts (diagram reprinted from Wikipedia; image not reproduced here).

IV. The iptables command

iptables is used to manipulate the netfilter firewall. It can directly add, modify or delete rules in the 5 chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING in order to filter packets.

iptables command syntax

iptables -t <table> <-A|-I|-D|-R> <chain> [rule number] [-i|-o <interface>] [-p <protocol>] [-s <source IP or subnet>] [--sport <source port>] [-d <destination IP or subnet>] [--dport <destination port>] -j <action>

Option meanings:
-t <table>: the table to operate on (filter is used when -t is omitted);
-A: append a rule to the end of a chain;
-D: delete a rule from a chain;
-I: insert a rule into a chain, at the head or at the given rule number;
-R: replace the rule at the given number in a chain;
-L: list the rules already in a chain;
-F: flush (clear) the firewall rules;
-Z: zero the packet and byte counters of a chain's rules;
-N: create a new user-defined chain;
-P: set a chain's default policy, the action applied to packets that match no rule;
-h: display help;
-p: the packet protocol to match;
-s: the source IP address or subnet to match;
-d: the destination IP address or subnet to match;
-j <action>: what to do with a matching packet; the common actions are listed below;
-i <network interface>: the interface the packet arrived on;
-o <network interface>: the interface through which the packet leaves the machine;
--dport: the destination port to match (used with -p tcp or -p udp);
--sport: the source port to match (used with -p tcp or -p udp).

Table names include:

raw: advanced features, such as address filtering.
mangle: packet modification (QoS), used to implement quality of service.
nat: address translation, used on gateway routers.
filter: packet filtering, used for firewall rules.

The chain name includes:

INPUT chain: handles incoming packets.
OUTPUT chain: handles outgoing packets.
FORWARD chain: handles forwarded packets.
PREROUTING chain: used for destination address translation (DNAT).
POSTROUTING chain: used for source address translation (SNAT).

Actions include:

ACCEPT: accept the packet.
DROP: discard the packet.
REDIRECT: redirection, port mapping, transparent proxy.
SNAT: source address translation.
DNAT: destination address translation.
MASQUERADE: IP masquerading (NAT), used on ADSL links.
LOG: write a log entry.

V. iptables operation examples

1. Display, flush and save the existing netfilter rules

iptables -nvL                        # display the existing rules of the filter table
iptables -F                          # flush all rules
iptables -Z                          # zero the counters, useful when analysing a network attack
service iptables save                # save the rules to the /etc/sysconfig/iptables file
systemctl restart iptables.service   # restart the iptables service so the saved rules take effect

The rules iptables loads at start-up are saved in the /etc/sysconfig/iptables file.

2. Adding, deleting and modifying chain rules

Append a firewall rule to the end of a chain

iptables -A INPUT

Insert a firewall rule at the head of a chain

Delete a firewall rule

Change the default policy of a chain
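The option table in section IV and the add/insert/delete/policy operations of this section come together in the script below. It is an added example and not code from the original article: it builds a minimal stateful default-deny INPUT chain with -A, shows -I with a rule number and the matching -D, and sets the -P policy last. DRY_RUN=1 (the default) prints each iptables command instead of executing it, so the ruleset can be reviewed on a machine without netfilter; the SSH port, the rate limit and the log prefix are assumptions you should adjust.

```shell
#!/bin/sh
# Added example, not code from the original article. Assembles a minimal
# stateful default-deny INPUT chain from the iptables options described above.
# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0
# applies the rules for real (requires root and the iptables-services package).
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"      # assumed management port; change to the real one

# ipt: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# baseline_input_rules: the rules in the order they must be applied. -A appends,
# so earlier rules take precedence; the DROP policy (-P) is set last, so a script
# that aborts half-way leaves the chain open instead of locking out the remote
# session that is running it.
baseline_input_rules() {
    ipt -P INPUT ACCEPT                    # stay open while the chain is rebuilt
    ipt -F INPUT                           # flush only the INPUT chain of filter
    ipt -Z INPUT                           # zero its packet and byte counters
    ipt -A INPUT -i lo -j ACCEPT           # loopback traffic
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # log what is about to be dropped, rate limited so the log cannot be flooded
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix INPUT-DROP: --log-level 4
    ipt -P INPUT DROP                      # default policy last
}

# block_source <ip or subnet>: -I with rule number 1 puts the rule at the head
# of the chain, ahead of the ESTABLISHED,RELATED accept, so an already open
# connection from that address is cut off as well.
block_source() {
    ipt -I INPUT 1 -s "$1" -j DROP
}

# unblock_source <ip or subnet>: -D removes the first rule with the same
# specification, so the arguments must match block_source exactly.
unblock_source() {
    ipt -D INPUT -s "$1" -j DROP
}

# show_rules: -L lists, -n skips DNS lookups, -v shows counters and interfaces,
# --line-numbers prints the rule numbers that -I, -D and -R accept.
show_rules() {
    ipt -nvL INPUT --line-numbers
}

# Top-level run: print (or apply) the baseline, then list it.
baseline_input_rules
show_rules
```

Run it once with DRY_RUN=1 and read the commands; then, from a console session rather than over SSH the first time, run it with DRY_RUN=0 and check the listing with show_rules. The rules live only in the kernel until you persist them with service iptables save as shown in section V, which is also why the script sets the policy to ACCEPT before flushing: on a host whose saved policy is already DROP, an -F with the DROP policy left in place would cut off every new connection until the rules are reloaded.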

3.

