Linux iptables Firewall principle and common configuration


In Linux systems, firewalling, network address translation (NAT), packet logging and traffic accounting are all provided by the netfilter subsystem, and iptables is the tool for controlling netfilter. iptables organizes many complex rules in an easy-to-control way, so that administrators can test a group of rules, or disable and enable a set of rules together. iptables only reads packet headers, so it adds little burden to the traffic flow and requires no validation of the payload.

iptables Structure

iptables consists of 4 tables, 5 chains, and the rules that the user writes within the chains.

1. Tables: hold the various rule chains.

Tables are classified by function, as follows:

(1) raw table: decides whether a packet is subject to connection tracking. (Not commonly used.)

(2) mangle table: modifies packet marks and flags such as ACK, SYN, FIN, RST, PSH, URG. (Not commonly used.)

(3) nat table: modifies the IP address, port and other information of the packet. (Commonly used on gateway-type firewalls.)

(4) filter table: decides whether the packet is allowed through. (Commonly used.)

2. Chains: hold the various firewall rules.

Chains are classified by the point in time at which they are applied:

(1) INPUT: processes inbound packets addressed to the host.

(2) OUTPUT: processes outbound packets (that is, responses and reply packets).

(3) FORWARD: processes forwarded packets, enabling communication between different network segments.

(4) PREROUTING: the rules of this chain are applied before the packet makes its routing decision.

(5) POSTROUTING: the rules of this chain are applied after the packet has been routed.

Processing priority for tables: Raw > Mangle > Nat > Filter

Detailed Packet Flow:

[Figure: detailed packet flow through the iptables tables and chains (image: http://www.linuxidc.com/upload/2013_07/130708065785503.png)]


iptables Application Scenarios

[Figure: iptables application scenario topology (image: http://www.linuxidc.com/upload/2013_07/130708065765111.gif)]

The figure above is a simple topology of the application scenario; the following scenarios are examples for reference.

When the system starts, all default policies are ACCEPT; the scenario examples below configure iptables on that premise. Each of the following scenarios is independent and unrelated to the others.

Gateway server Security Policy

Target: a self-protection security policy for the gateway server itself; only internal network users may reach port 22 (the sshd service).

# Flush the filter table (rules, user-defined chains, counters)
[root@localhost]# iptables -F -t filter
[root@localhost]# iptables -X -t filter
[root@localhost]# iptables -Z -t filter

# Flush the nat table
[root@localhost]# iptables -F -t nat
[root@localhost]# iptables -X -t nat
[root@localhost]# iptables -Z -t nat

# Set default policies (the INPUT chain defaults to DROP)
[root@localhost]# iptables -t filter -P INPUT DROP
[root@localhost]# iptables -t filter -P OUTPUT ACCEPT
[root@localhost]# iptables -t filter -P FORWARD ACCEPT

# Loopback interface (lo): accept by default
[root@localhost]# iptables -A INPUT -p all -i lo -j ACCEPT

# Open the sshd service only to internal network users
[root@localhost]# iptables -A INPUT -p tcp -s 192.168.138.0/24 --dport 22 -j ACCEPT

Description: firewall policy is generally written from untrusted to trusted: by default all access is closed, and then each required access is opened individually.
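The gateway self-protection policy above, collected into one idempotent script as an added example (this is not code from the original post). It adds one rule the post does not have: a conntrack rule accepting ESTABLISHED,RELATED traffic, without which the INPUT DROP default also drops replies to connections the gateway itself initiates (DNS lookups, package updates, and so on). LAN_NET defaults to the page's subnet and the MODE variable is an assumption of this script: it prints the commands unless MODE=apply is set, so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not from the original post: the gateway self-protection
# policy as one script. LAN_NET and MODE are assumptions of this example.
LAN_NET="${LAN_NET:-192.168.138.0/24}"   # trusted internal subnet (assumed)
MODE="${MODE:-dry-run}"                  # "apply" runs iptables; anything else only prints

# run: execute or print one iptables command, depending on MODE
run() {
    if [ "$MODE" = apply ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# gateway_policy: the page's rules, in order, as one function
gateway_policy() {
    # flush rules, delete user-defined chains and zero counters in filter and nat
    for t in filter nat; do
        run -t "$t" -F
        run -t "$t" -X
        run -t "$t" -Z
    done
    # default policies: drop unsolicited inbound, allow outbound and forwarding
    run -t filter -P INPUT DROP
    run -t filter -P OUTPUT ACCEPT
    run -t filter -P FORWARD ACCEPT
    # loopback is always accepted
    run -A INPUT -i lo -j ACCEPT
    # replies to connections the gateway itself opened (added here; not on the page)
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # sshd only from the internal network
    run -A INPUT -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
}

# count_rules: number of commands the policy emits in dry-run mode
count_rules() {
    gateway_policy | wc -l | tr -d ' '
}

gateway_policy
```

Run it once as `sh gateway.sh` to see the twelve commands it would issue, then `MODE=apply sh gateway.sh` as root to load them. Because the script flushes both tables first, running it twice leaves exactly one copy of each rule.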

Shared Internet (NAT)

Objective: to let LAN users reach the external network through the server.

# Enable IP forwarding in the kernel, then masquerade LAN traffic leaving on ppp0
[root@localhost]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost]# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Description: the difference between SNAT and MASQUERADE

SNAT: regardless of how many addresses there are, the IP address to translate to must be given explicitly; suitable when the gateway server has a fixed address or a fixed address range. MASQUERADE: designed for the ADSL dynamic dial-up scenario; it automatically takes the current IP address of the server's outgoing network interface and uses it for NAT, giving a dynamic form of SNAT.

Server external service for intranet (port mapping)

Objective: to let external users reach the HTTP service on the LAN host 192.168.138.21.

# Enable IP forwarding, map inbound TCP/80 to the internal web host, masquerade outbound traffic
[root@localhost]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost]# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.138.21
[root@localhost]# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Transparent proxy on the gateway server

Goal: when LAN users access external web services, automatically use squid as a transparent web proxy server.

# Enable IP forwarding, divert LAN web traffic arriving on eth0 to the local squid, masquerade outbound traffic
[root@localhost]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@localhost]# iptables -t nat -A PREROUTING -s 192.168.138.0/24 -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.138.1
[root@localhost]# iptables -t nat -A PREROUTING -s 192.168.138.0/24 -p tcp --dport 80 -i eth0 -j REDIRECT --to 3128
[root@localhost]# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
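The three nat-table scenarios above (shared Internet access, port mapping, transparent proxy) as functions of one script, added here as an example and not taken from the original post. The interface names, subnet, web host and squid port are assumptions matching the page's sample values; sysctl is used in place of the page's echo into /proc so the command can be printed in a dry run. One deliberate difference from the page: the port-mapping DNAT rule is restricted with -i to the Internet-facing interface, so that LAN clients connecting to the gateway's own port 80 are not redirected as well.

```shell
#!/bin/sh
# Added example, not from the original post: nat-table scenarios as functions.
# WAN_IF, LAN_IF, LAN_NET, WEB_HOST, SQUID_PORT and MODE are assumptions.
WAN_IF="${WAN_IF:-ppp0}"                 # interface facing the Internet (assumed)
LAN_IF="${LAN_IF:-eth0}"                 # interface facing the LAN (assumed)
LAN_NET="${LAN_NET:-192.168.138.0/24}"   # internal subnet (assumed)
WEB_HOST="${WEB_HOST:-192.168.138.21}"   # internal web server for port mapping (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"         # local squid listening port (assumed)
MODE="${MODE:-dry-run}"                  # "apply" executes; anything else prints

# run: execute or print one command, depending on MODE
run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# enable_forwarding: the kernel must route between interfaces for any of these
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# shared_internet: rewrite the source of LAN traffic leaving on WAN_IF to
# whatever address WAN_IF currently holds (MASQUERADE is dynamic SNAT)
shared_internet() {
    enable_forwarding
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# port_mapping: send inbound TCP/80 arriving on WAN_IF to the internal web host
port_mapping() {
    enable_forwarding
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# transparent_proxy: divert LAN web traffic to the squid port on this host
transparent_proxy() {
    enable_forwarding
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    shared)  shared_internet ;;
    mapping) port_mapping ;;
    proxy)   transparent_proxy ;;
    *)       printf 'usage: %s shared|mapping|proxy  (MODE=apply to execute)\n' "$0" ;;
esac
```

Usage: `sh nat.sh proxy` prints the commands for the transparent-proxy scenario; `MODE=apply sh nat.sh proxy` runs them as root. The scenarios stay independent, as on the page: each function only appends its own rules and none flushes the nat table, so pick one per gateway or flush between them.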


Note: rules written with iptables are lost when the service restarts. Save them to a file with /etc/rc.d/init.d/iptables save; the saved configuration is read back automatically on restart. After saving, restart the iptables service with: service iptables restart


iptables command details

Syntax: iptables (options) (parameters)

-t <table>: specifies the table to operate on.
-A: appends an entry to a rule chain.
-D: deletes an entry from a rule chain.
-I: inserts an entry into a rule chain.
-R: replaces an entry in a rule chain.
-L: lists the entries already in a rule chain.
-F: flushes the existing entries in a rule chain.
-Z: zeroes the packet and byte counters in a rule chain.
-N: creates a new user-defined rule chain.
-X: deletes a user-defined chain; used the same way as -N, but the chain must be emptied before it is deleted.
-P: sets the default policy (target) of a rule chain.
-p: specifies the packet protocol type to match.
-s: specifies the packet source IP address to match.
-j <target>: specifies the target to jump to.
-i <interface>: specifies the network interface on which the packet enters the host.
-o <interface>: specifies the network interface through which the packet leaves the host.

iptables command Option Input Order:

iptables -t <table> <-A/-I/-D/-R> <chain> [rule number] <-i/-o <interface>> -p <protocol> <-s <source IP/subnet>> --sport <source port> <-d <destination IP/subnet>> --dport <destination port> -j <action>

Table names include:

raw: advanced features, such as URL filtering.

mangle: packet modification, for quality of service (QoS) implementations.

nat: address translation, for gateway routers.

filter: packet filtering, for firewall rules.

Rule chain names include:

INPUT chain: processes incoming packets.

OUTPUT chain: processes outgoing packets.

FORWARD chain: processes forwarded packets.

PREROUTING chain: used for destination address translation (DNAT).

POSTROUTING chain: used for source address translation (SNAT).

Actions include:

ACCEPT: accept the packet.

DROP: drop the packet.

REDIRECT: redirection, mapping, transparent proxying.

SNAT: source address translation.

DNAT: destination address translation.

MASQUERADE: IP masquerading (NAT), used for ADSL dial-up.

LOG: logging.

This article is from the "Night" blog; please keep this source when reproducing it: http://liuqun.blog.51cto.com/3544993/1982094
