Iptables L7 application layer filter
Okay. We briefly discussed iptables usage last time, but we left out much of it: the important SNAT and DNAT translation, string matching, multiport definitions, connection limits, time-based access restrictions, rate limiting, and the layer 7 (application layer) filtering that enterprises use so often today. Next we will discuss these very important, useful, but challenging topics.
Main Content:
Practical application of iptables and L7 application layer Filtering
Objectives:
Be familiar with iptables usage.
We continue the more in-depth iptables usage from last time. Building on the previous theoretical introduction, this time we use experiments to get familiar with each command.
Lab environment:
Intranet server: 10.0.2.100 (telnet, vsftp, http)
Intranet host: 10.0.1.100
Internet host: 10.0.3.100
Firewall: eth0: 10.0.2.1, eth1: 10.0.3.1 (SSH)
SNAT and DNAT:
- SNAT: --to-source IP[:port]
- DNAT: --to-destination IP[:port]
Routing test (forwarding must be enabled on the firewall):
[root@station93 ~]# sysctl -p
net.ipv4.ip_forward = 1
NAT translation test:
When the Internet host accesses port 80 on 10.0.3.1, iptables DNATs the destination address to the httpd service on the intranet server 10.0.2.100. Note that the Internet side does not know that the intranet address 10.0.2.100 exists; it only sees 10.0.3.1.
DNAT translation: one IP address can front several different services.
[root@station93 ~]# iptables -t nat -A PREROUTING -s 10.0.3.100 -d 10.0.3.1 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.100
[root@station93 ~]# iptables -t nat -A PREROUTING -s 10.0.3.100 -d 10.0.3.1 -p tcp --dport 22 -j DNAT --to-destination 10.0.1.100
SNAT translation test: intranet users need only one IP address to access the Internet.
Intranet users go out through the iptables gateway, which performs the SNAT translation.
[root@station93 ~]# iptables -t nat -A POSTROUTING -s 10.0.2.100 -p tcp --dport 80 -j SNAT --to-source 10.0.3.1
Looking at the log on the Internet server, the access actually arrives from 10.0.3.1, that is, from the Internet-facing address of the iptables gateway:
[root@3 httpd]# tail access_log
10.0.3.1 - - [09/Mar/2010:20:43:59 +0800] "GET / HTTP/1.1" 403 3985 "-" "ELinks/0.11.1 (textmode; Linux; 77x24-2)"
State-based restrictions
-m state
  NEW
  ESTABLISHED
  RELATED
  INVALID
Only 3.100 may access the web service on 2.100; 2.100 is only allowed to answer, not to initiate connections to web services on 3.100.
This is mainly used to stop malware on the local machine from spontaneously sending data out (information leaks).
[root@station93 ~]# iptables -A FORWARD -s 10.0.3.100 -d 10.0.2.100 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
[root@station93 ~]# iptables -R FORWARD 2 -s 10.0.2.100 -d 10.0.3.100 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
Test:
[root@3 ~]# elinks 10.0.2.100        (succeeds)
[root@2 ~]# elinks 10.0.3.100        (fails)
-m multiport
  --source-ports port1,port2,port3,...
  --destination-ports port1,port2,port3,...
  --ports port1,port2,port3,...
Practical application of firewalls in enterprises
In real enterprise deployments, the iptables usage we have learned so far is far from enough. A simple example: at work we usually need to restrict chat and download tools such as QQ, MSN, Thunder (Xunlei) and Kuaiche (express train). Blocking a single service the way we did above is easy, but these tools use a large number of servers and varied ports, so they are hard to control with ordinary layer 3/4 rules. We need to filter at layer 7, the application layer, and for that we need to patch, recompile and upgrade the kernel.
Required software packages:
- The 2.4 or 2.6 Linux kernel source (2.6 strongly preferred) from kernel.org
- The iptables source from netfilter.org
- The "L7-filter kernel version" package (netfilter-layer7-vx.y.tar.gz)
- The "Protocol definitions" package (l7-protocols-yyyy-mm-dd.tar.gz)
The procedure is as follows:
# tar zxvf linux-2.6.28.10.tar.gz -C /usr/src
# tar zxvf netfilter-layer7-v2.22.tar.gz -C /usr/src
# ln -s /usr/src/linux-2.6.28.10 /usr/src/linux
# cd /usr/src/linux/
# patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
# cp /boot/config-2.6.18-164.el5 /usr/src/linux/.config
# make menuconfig
(make menuconfig needs the corresponding development packages; install them first, for example with pirut.)
We need to select the following modules:
Networking support → Networking options → Network packet filtering framework (Netfilter) → Core Netfilter Configuration
  <M> Netfilter connection tracking support
  <M> "layer7" match support
  <M> "string" match support
  <M> FTP protocol support
  <M> "time" match support
  <M> "iprange" match support
  <M> "connlimit" match support
  <M> "state" match support
  <M> "conntrack" connection match support
  <M> "mac" address match support
  <M> "multiport" Multiple port match support
Networking support → Networking options → Network packet filtering framework (Netfilter) → IP: Netfilter Configuration
  <M> IPv4 connection tracking support (required for NAT)
  <M> Full NAT
  <M> MASQUERADE target support
  <M> NETMAP target support
  <M> REDIRECT target support
Start compiling and installing:
# make
# make modules_install
# make install
Edit /boot/grub/grub.conf and set the default boot entry to the new kernel.
Reboot.
# cp /etc/rc.d/init.d/iptables ~/iptables
# rpm -e iptables-ipv6 iptables iptstate --nodeps
# tar jxvf iptables-1.4.6.tar.bz2 -C /usr/src
# cd /usr/src/iptables-1.4.6/
# cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/libxt_layer7.* ./extensions/
# ./configure --prefix=/usr --with-ksource=/usr/src/linux
# make
# make install
# tar zxvf l7-protocols-2009-05-28.tar.gz
# cd l7-protocols-2009-05-28
# make install
# mv ~/iptables /etc/rc.d/init.d/
# ln -sv /usr/sbin/iptables
Note that "service iptables start" will not work the first time; you need to run setup first, and only then service iptables start.
In kernel 2.6.28.10 the ip_conntrack_ftp module is named nf_conntrack_ftp.
Load the module: modprobe nf_conntrack_ftp
Supported protocol types (a selection):
- bittorrent: P2P filesharing/publishing tool
- edonkey: eDonkey2000 P2P filesharing
- kugoo: a Chinese P2P program
- msn-filetransfer: MSN (Microsoft Network) Messenger file transfers
- msnmessenger: Microsoft Network chat client
- pplive: Chinese P2P streaming video
- qq
- xunlei
Usage:
iptables [table and chain] -m layer7 --l7proto [protocol name] -j [action]
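As an added Python illustration (not code from the original post or the l7-filter project) of what --l7proto actually does: the model below buffers the first packets of each connection and runs the protocol regexes over the accumulated application data, the way the xt_layer7 match does. The .pat bodies and the sample traffic are constructed for this example; real patterns come from the l7-protocols package.

```python
import re
from collections import defaultdict

# xt_layer7 classifies a connection, not a packet: it appends the application data
# of a flow's first packets to one buffer (giving up after 10 packets or 2048 bytes)
# and runs every protocol regex against that buffer. Data-less segments do not count.
MAX_PACKETS, MAX_BYTES = 10, 2048
# Constructed, simplified .pat files in the l7-protocols layout: comment lines, then
# the protocol name, then the regex on its own line. Real definitions are far richer.
PAT_FILES = {
    "http.pat": "# constructed\nhttp\n^(get|post|head) [ -~]* http/1\\.[01]\\r\\n",
    "bittorrent.pat": "# constructed\nbittorrent\n^\\x13bittorrent protocol",
}

def parse_pat(text):
    """Return (protocol_name, compiled_regex) from the body of a .pat file."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    # layer7 matches case-insensitively on raw bytes, so compile the regex that way
    return lines[0].strip(), re.compile(lines[1].encode("latin-1"), re.I)

class L7Classifier:
    def __init__(self, pat_files):
        self.protocols = [parse_pat(body) for body in pat_files.values()]
        self.buffers = defaultdict(bytearray)   # flow -> application data so far
        self.packets = defaultdict(int)         # flow -> data-carrying packets seen
        self.verdict = {}                       # flow -> protocol name or "unknown"

    def classify(self, flow, payload):
        """Feed one packet of a flow; return its protocol, "unknown", or None if undecided."""
        if flow in self.verdict:                # sticky, like the mark kept in conntrack
            return self.verdict[flow]
        if not payload:                         # SYN / pure ACK: no application data
            return None
        self.packets[flow] += 1
        buf = self.buffers[flow]
        buf += payload[:MAX_BYTES - len(buf)]
        for name, rx in self.protocols:
            if rx.search(bytes(buf)):
                self.verdict[flow] = name
                return name
        if self.packets[flow] >= MAX_PACKETS or len(buf) >= MAX_BYTES:
            self.verdict[flow] = "unknown"      # stop looking, as xt_layer7 does
        return self.verdict.get(flow)

def demo():
    """Constructed traffic: an HTTP request split over two segments, then a BitTorrent
    handshake sent to port 80, which a plain --dport 80 rule would take for web traffic."""
    c = L7Classifier(PAT_FILES)
    web = ("10.0.2.100", 40000, "10.0.3.100", 80)   # flow = (src, sport, dst, dport)
    bt = ("10.0.2.100", 40001, "10.0.3.100", 80)
    return [c.classify(web, b""),                              # SYN: ignored
            c.classify(web, b"GET /index.html"),               # incomplete: undecided
            c.classify(web, b" HTTP/1.1\r\nHost: x\r\n"),      # reassembled: http
            c.classify(bt, b"\x13BitTorrent protocol" + bytes(8))]
```

demo() returns [None, None, "http", "bittorrent"]: the port-based view sees two web connections, the layer 7 view separates them.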
Block Internet access to the firewall's own web, SSH and telnet services:
[root@station93 ~]# iptables -A INPUT -p tcp -m multiport --destination-ports 22,25,80 -j DROP
(The services are matched by destination port, the ports clients connect to; a source-port match here would only catch the firewall's own replies.)
connlimit
[!] --connlimit-above n: match if the number of existing connections is above n
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
Example:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
Allow at most 2 SSH connections per client host.
Limit the number of concurrent SSH connections towards the Internet to 2:
[root@station93 ~]# iptables -A OUTPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
string
There are two algorithms: bm and kmp.
This module matches a given string by using some pattern matching strategy. It requires a Linux kernel >= 2.6.14.
[!] --string pattern
  Matches the given pattern.
--algo {bm|kmp}
  Select the pattern matching strategy (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris).
Examples:
iptables -A OUTPUT -p udp --dport 53 -m string --string "verycd" --algo bm -j DROP
iptables -A OUTPUT -p tcp --dport 80 -m string --string "***" --algo kmp -j DROP
Block intranet users from browsing Internet web pages that contain the string "secert":
[root@3 html]# echo "secert" > index2.html
[root@3 html]# cat index2.html
secert
This is the second test
secert
The string travels in the web server's reply, so the rule matches packets from the Internet server (source port 80) towards the intranet host:
[root@station93 ~]# iptables -A FORWARD -s 10.0.3.100 -d 10.0.2.100 -p tcp --sport 80 -m string --string "secert" --algo bm -j DROP
time
This matches if the packet arrival time/date is within a given range.
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
  Only match during the given time; the possible range is 1970-01-01T00:00:00 to 2038-01-19T04:17:07.
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
  The possible time range is 00:00:00 to 23:59:59. Leading zeroes are allowed.
[!] --monthdays day[,day...]
  Only match on the given days of the month. Possible values are 1 to 31.
[!] --weekdays day[,day...]
  Only match on the given weekdays. Possible values are Mon, Tue, Wed, Thu, Fri, Sat, Sun, or values from 1 to 7, respectively.
Examples:
-m time --weekdays Sa,Su
-m time --timestart hh:mm --timestop hh:mm
[root@station93 ~]# iptables -A FORWARD -m time --timestart hh:mm --timestop hh:mm -j DROP
-j LOG
--log-level level
  Level of logging.
--log-prefix prefix
  Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.
--log-tcp-options
  Log options from the TCP packet header.
--log-ip-options
  Log options from the IP packet header.
[root@station93 ~]# iptables -A FORWARD -s 10.0.3.100 -d 10.0.2.100 -p tcp --dport <port> -j LOG --log-prefix "ABC"
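To make use of these logs, here is an added Python example (not from the original post) that parses kernel messages in the layout -j LOG produces and counts connection attempts per rule prefix; the log lines are constructed for the example. It also shows a detail practitioners trip over: the prefix is written directly before IN=, so "ABC" comes out as "ABCIN=eth1".

```python
import re

# Constructed kernel log lines in the layout produced by -j LOG. The text given with
# --log-prefix is written directly before "IN=", so a prefix without a trailing space
# ("ABC" in the rule above) runs into the first field; "ABC " would keep them apart.
SAMPLE_LOG = """\
Mar  9 20:43:59 station93 kernel: ABCIN=eth1 OUT=eth0 SRC=10.0.3.100 DST=10.0.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=41000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 20:44:01 station93 kernel: ABCIN=eth1 OUT=eth0 SRC=10.0.3.100 DST=10.0.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=41001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 20:44:02 station93 kernel: ABCIN=eth1 OUT=eth0 SRC=10.0.3.100 DST=10.0.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=TCP SPT=41002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  9 20:44:05 station93 kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
"""

# Everything between "kernel: " and "IN=" is the prefix; the remainder is KEY=VALUE
# fields interleaved with bare flags such as DF, SYN or ACK.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) ?(?P<rest>.*)")

def parse_netfilter_log(text):
    """Yield one dict per -j LOG line; other kernel messages are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = {"prefix": m["prefix"], "IN": m["in"], "OUT": m["out"], "flags": []}
        for tok in m["rest"].split():
            key, _, val = tok.partition("=")
            if val:
                rec[key] = val
            else:
                rec["flags"].append(key)        # valueless tokens are IP/TCP flags
        yield rec

def new_tcp_connections(text, prefix):
    """Count logged connection attempts (SYN without ACK) per (SRC, DST, DPT) for one prefix."""
    counts = {}
    for rec in parse_netfilter_log(text):
        if (rec["prefix"] == prefix and rec.get("PROTO") == "TCP"
                and "SYN" in rec["flags"] and "ACK" not in rec["flags"]):
            key = (rec["SRC"], rec["DST"], int(rec["DPT"]))
            counts[key] = counts.get(key, 0) + 1
    return counts
```

new_tcp_connections(SAMPLE_LOG, "ABC") reports one attempt from 10.0.3.100 to each of ports 80, 22 and 23 on 10.0.2.100; asking for the prefix "ABC " (with a space) finds nothing, because that is not what the rule wrote.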
The layer7-based rules are very similar: the protocol patterns have already been defined for us (in the l7-protocols package), and we only need to reference them by name.
For example, to prohibit intranet users from using QQ during working hours:
[root@station93 ~]# iptables -A FORWARD -s 10.0.2.100 -d 10.0.3.100 -p tcp --dport 80 -m time --timestart 8:00 --timestop 18:00 -m layer7 --l7proto qq -j DROP