Linux network security model and iptables explanation
Basic concepts
Firewall: a set of hardware or software (or a combination of the two) that works at the host or network edge, inspects incoming and outgoing packets against predefined rules, and processes the packets that match.
Hardware firewall: a firewall that implements part of its functionality at the hardware level; the rest of its functionality is implemented in software.
Software firewall: the firewall's processing logic implemented as application software running on a general-purpose hardware platform.
Host firewall: works at the edge of a single host and can only protect that host.
Network firewall: works at the edge of a network and protects multiple hosts (rules are written per traffic direction).
iptables: the tool for writing firewall rules; it lives in user space.
netfilter: the network filtering framework that makes the rules take effect; it lives in kernel space.
Packet flow
A packet destined for a process on this host: PREROUTING -> INPUT
A packet forwarded by this host: PREROUTING -> FORWARD -> POSTROUTING
A packet sent by a process on this host: OUTPUT -> POSTROUTING
Four tables
filter: packet filtering, the firewall proper
nat: network address translation
mangle: unpacks a packet, modifies it, and reseals it
raw: turns off the connection-tracking mechanism that the nat table enables
The correspondence between the table and the chain
FORWARD: filter, mangle
INPUT: filter, mangle
OUTPUT: filter, mangle, nat
PREROUTING: mangle, nat
POSTROUTING: mangle, nat
Four tables, five chains (image from the Internet)
Rules:
Pass (whitelist): everything is blocked by default; only traffic the rules can identify is released.
Block (blacklist): everything is passed by default; only traffic the rules can identify is intercepted.
Match conditions
IP: sip, dip; TCP: sport, dport, flags (SYN, ACK, FIN ...); UDP: sport, dport; ICMP: icmp-type (message type) ...
Processing mechanism (targets):
DROP (discard silently), REJECT (deny and send an error back), ACCEPT (allow), SNAT (source address translation), DNAT (destination address translation), RETURN (return to the calling chain), REDIRECT (port forwarding), LOG (log only)
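As an added example that is not part of the original post, the whitelist and blacklist models above are written out as real filter-table rule sets in iptables-restore format, combining the IP, TCP and ICMP match conditions with the ACCEPT, DROP, REJECT and LOG targets just listed. The admin network 192.0.2.0/24, the blocked network 198.51.100.0/24 and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Whitelist-style host firewall in
# the filter table, emitted in iptables-restore format so it can be reviewed
# before it is applied. ADMIN_NET is a constructed placeholder (TEST-NET-1).
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
# Whitelist: default policy DROP on INPUT/FORWARD, so only packets that an
# ACCEPT rule can identify are released. Rules are checked top to bottom.
whitelist_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened (connection tracking)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# TCP flags match: a new connection must begin with a bare SYN
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# IP match (sip) plus TCP match (dport): SSH only from the admin network
-A INPUT -p tcp -s ${ADMIN_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ICMP match by message type: keep the host pingable
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# LOG (rate-limited), then REJECT so the sender gets an error instead of a timeout
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-reject: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Blacklist for contrast: default policy ACCEPT, only identified traffic is
# intercepted. BAD_NET is a constructed placeholder (TEST-NET-2).
blacklist_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ${BAD_NET:-198.51.100.0/24} -j DROP
-A INPUT -p tcp --dport 23 -j REJECT
COMMIT
EOF
}

# Count rules in a rule set that jump to a given target (for review/tests).
count_target() {   # usage: count_target <ruleset_function> <TARGET>
    "$1" | grep -c -- "-j $2"
}
# Apply as root once reviewed:  whitelist_ruleset | iptables-restore
```

Review the emitted text first; applying the whitelist set replaces the current filter table, so make sure the SSH rule covers the network you administer from.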
This article is from the "Homecoming" blog; please keep this source when reproducing it: http://sixijie123.blog.51cto.com/11880770/1879090