Linux System Firewall Knowledge learning

Source: Internet
Author: User
Tags: ack, types of extensions

Firewalls come in two kinds, hardware and software. A firewall works at the edge of the network, whatever the network behind it. Our task is to define the firewall's security policy and rules: which IPs are allowed onto the network, and how their data is inspected. The common ones are layer 3 and layer 4 firewalls, called network-layer firewalls; layer 7 firewalls are in fact proxy-layer gateways.

1. Working mechanism of iptables

iptables checks packets at five positions in the packet path. These five positions are also known as the five hooks (hook functions), or the five rule chains:

1. PREROUTING (before routing)

2. INPUT (packets entering this host)

3. FORWARD (forwarding checkpoint)

4. OUTPUT (packets leaving this host)

5. POSTROUTING (after routing)

These are the five rule chains of netfilter. Any packet that passes through this machine will pass through at least one of these five chains.

2. The firewall policy

Firewall policy is generally divided into two kinds: a "pass" policy and a "block" policy.

With the pass policy the door is closed by default, and you have to define who may enter.

With the block policy the door is open, but you must have identity authentication, otherwise you cannot enter.

So "pass" means everything defined passes, while "block" means choosing what to stop. When we define a policy we define several functions: one decides whether a packet is allowed or not (the filter function), and one defines address translation (the NAT function). So that these functions can work side by side, the notion of a "table" was introduced to define and distinguish the different functions and the way each processes packets.

The three functions we use most are:

1. filter: defines what is allowed and what is not

2. nat: defines address translation

3. mangle: modifies the packet's original data

Modifying the packet's original data means, for example, changing the TTL. The packet's metadata can be unpacked and its contents marked or modified; firewall marking is in fact achieved with mangle.

filter can generally be used only on 3 chains: INPUT, FORWARD, OUTPUT

nat can generally be used only on 3 chains: PREROUTING, OUTPUT, POSTROUTING

mangle can be used on all 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Note that the order of the rules is critical: the stricter a rule is, the earlier it should be placed, because rules are checked from the top down.

3. How rules are written

Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION

For example: 172.16.0.0/24 is not allowed access.

iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP

Of course, if you want to refuse more thoroughly:

iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT

iptables -L -n -v # show the details of the defined rules

3.1. Commands in detail

3.1.1. Chain management commands (these take effect immediately)

-P: set the default policy (whether the default door is closed or open)

The default policy generally has only two values:

iptables -P INPUT (DROP|ACCEPT) means closed by default / open by default

For example:

iptables -P INPUT DROP makes the default rule deny. If no other rule is defined, every connection from outside, including the Xshell connection, is rejected and the remote session is cut off.

-F: flush, empties the rule chain (pay attention to which table administers each chain)

iptables -t nat -F PREROUTING

iptables -t nat -F clears all the chains of the nat table

-N: new, lets the user create a new chain

iptables -N inbound_tcp_web creates a chain named inbound_tcp_web, meant for checking inbound TCP web traffic.

-X: deletes a user-defined empty chain

Used the same way as -N, but the chain must be emptied before it can be deleted.

-E: renames a chain; used mainly to rename a user-defined chain

iptables -E oldname newname

-Z: zeroes the counters of the chain and of the default rule in the chain (there are two counters: the number of packets matched and the number of bytes)

iptables -Z: zero the counters

3.1.2. Rule management commands

-A: append, adds a rule at the end of the current chain

-I num: insert, places the rule at the given position in the chain.

-I 3: insert as the third rule

-R num: replace, replaces/modifies the rule at the given position

Format: iptables -R chain 3 ......

-D num: delete, explicitly deletes the rule at the given position

3.1.3. The viewing command -L

Additional sub-options:

-n: displays IPs numerically; without it, IPs are resolved back to host names.

-v: show more information

-vv, -vvv: the more v's, the more detail

-x: displays the exact counter values without unit conversion

--line-numbers: displays the line number of each rule
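As an added example (not code from the original post), this script reads the output of `iptables -L INPUT -n -v -x --line-numbers` and reports which deny rules and which default policy are actually dropping traffic; the listing embedded below is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of "iptables -L INPUT -n -v -x --line-numbers" output.
# -n keeps addresses numeric, -v adds the pkts/bytes counters, -x keeps them
# exact (no K/M units), --line-numbers prepends the rule number.
SAMPLE_LISTING='Chain INPUT (policy DROP 37 packets, 2220 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       15032  1203456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2           4      240 ACCEPT     tcp  --  eth0   *       192.0.2.0/24         0.0.0.0/0            tcp dpt:22 flags:0x17/0x02
3          12      720 DROP       udp  --  *      *       172.16.0.0/16        0.0.0.0/0            udp dpt:53
4           0        0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable'

# deny_hits reads a listing on stdin and prints "num target pkts source" for
# every DROP/REJECT rule whose packet counter is non-zero, i.e. the deny rules
# that are really being exercised.
deny_hits() {
    awk '/^Chain/ || /^num/ { next }
         $4 ~ /^(DROP|REJECT)$/ && $2 + 0 > 0 { print $1, $4, $2, $9 }'
}

# policy_drops prints the packet count attributed to the chain default policy:
# traffic that matched no explicit rule and hit the closed door.
policy_drops() {
    awk '/^Chain/ { for (i = 1; i <= NF; i++) if ($i == "packets,") print $(i - 1); exit }'
}

# On a live host (as root): iptables -L INPUT -n -v -x --line-numbers | deny_hits
printf '%s\n' "$SAMPLE_LISTING" | deny_hits
printf '%s\n' "$SAMPLE_LISTING" | policy_drops
```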

3.1.4. Matching criteria in detail

-s: specifies the source address; a host name cannot be used here, it must be an IP

-d: matches the destination address

-p: matches the protocol (usually one of 3 protocols here: TCP/UDP/ICMP)

-i eth0: data flowing in from this NIC; typically used on INPUT and PREROUTING

-o eth0: data flowing out through this NIC; generally used on OUTPUT and POSTROUTING

3.1.5. Extended matches

Extensions of -p tcp (the TCP protocol). There are generally three types of extension:

--dport xx:xx: specifies the destination port. You cannot specify multiple non-contiguous ports; you can specify a single port or one range, such as

--dport 21 or --dport 21:23 (this means 21, 22, 23)

--sport: specifies the source port

--tcp-flags: TCP's flag bits (SYN, ACK, FIN, PSH, RST, URG)

It is usually followed by two parameters:

1. the flag bits to check

2. the flag bits among them that must be 1

--tcp-flags SYN,ACK,FIN,RST SYN (equivalent to --syn)

This means that the 4 bits are checked, that SYN among those 4 bits must be 1, and that the others must be 0. So this detects the first packet of the three-way handshake. For this packet, matching specifically the first packet with SYN set to 1, there is also a shorthand, --syn.

Extensions of -p udp (the UDP protocol):

--dport

--sport

Extensions of -p icmp (ICMP messages):

--icmp-type:

echo-request (request echo) is generally denoted by 8,

so --icmp-type 8 matches the echo request packet

echo-reply (reply packets) is generally expressed as

-m multiport: enables the multiport extension

Then we can use it, for example --dports 21,23,80.
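The rule-writing procedure of sections 2 and 3 put together, as an added example (not code from the original post): a default-deny INPUT ruleset emitted in the order the notes require, so that the last step, policy DROP, never cuts off the administrator's own SSH session. It goes slightly beyond the page by accepting replies to established connections with the conntrack match; the admin subnet 192.0.2.0/24, the interface eth0 and the chain name are assumed placeholders.

```shell
#!/bin/sh
# Assumed placeholders: the administrator's subnet and the outside interface.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# emit_rules prints the iptables commands in order; nothing is applied here,
# so the set can be reviewed before it is run.
emit_rules() {
    # 1. flush the filter table and zero its counters (-F, -Z)
    echo "iptables -t filter -F"
    echo "iptables -t filter -Z"
    # 2. user-defined chain for inbound TCP web traffic (-N)
    echo "iptables -N inbound_tcp_web"
    # 3. replies to connections this host already has come first: the rules
    #    checked most often, and the most specific, go at the top because
    #    matching is top-down (conntrack match, not covered on the page)
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # 4. SSH only from the admin subnet, matched on the handshake's first
    #    packet with the --syn shorthand; this keeps the remote session alive
    echo "iptables -A INPUT -i $WAN_IF -s $ADMIN_NET -p tcp --dport 22 --syn -j ACCEPT"
    # 5. web ports through the custom chain, using the multiport extension;
    #    inside it, only a pure SYN (SYN=1, ACK/FIN/RST=0) opens a connection
    echo "iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -j inbound_tcp_web"
    echo "iptables -A inbound_tcp_web -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT"
    # 6. echo requests (ICMP type 8)
    echo "iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT"
    # 7. only now close the door: the DROP policy is set last
    echo "iptables -P INPUT DROP"
}

# apply_rules runs the commands for real (needs root and the iptables binary);
# sh -e stops at the first failing command instead of leaving a half-built set.
apply_rules() {
    emit_rules | sh -e
}

# rule_count returns the number of commands in the set.
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

emit_rules
```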
