First, the network security model
1. Introduction to firewalls
Firewall: also known as a protective wall, it is a network security system located between the internal network and the external network.
A set of hardware or software components working at the edge of a host or network that checks incoming and outgoing packets against predefined rules and handles each packet according to the rule it matches; it may even be a combination of hardware and software.
Host Firewall: works on the edge of the host, only protects a single host
Network firewall: work at the edge of the network and protect multiple hosts
Host firewall + network firewall
Hardware firewall: handles network packets efficiently; it uses a dedicated processor that can process (unpack) packets directly in hardware.
Network layer: network firewall
Application layer: gateway or proxy server (more secure, with a more complex detection mechanism and wider practical application, but less efficient)
IDS: intrusion detection system
HIDS: OSSEC, a host intrusion detection system
NIDS: Snort, a network intrusion detection system
File system: Tripwire, file-system-level detection
IPS: IDS + firewall, an intrusion prevention system
Honeypot: a decoy used to trap attackers
Nessus, nmap: scanning (sniffing) tools
2. iptables
iptables/netfilter: a network-layer firewall with support for connection tracking (stateful inspection)
A firewall implemented in software.
iptables, formerly known as ipfirewall (kernel 1.x era), began as a simple access control tool ported from FreeBSD to work in the kernel and inspect packets. But ipfirewall was extremely limited: all rules had to be built into the kernel before they could run, which is generally very difficult. When the kernel reached the 2.x series the software was renamed ipchains; it could define multiple rules and string them together. Now it is called iptables, and you can build a list of rules to achieve fine-grained access control.
The relationship between iptables and netfilter is easily confused. Many people know iptables but not netfilter. In fact, iptables is just the Linux firewall management tool, located at /sbin/iptables. The real firewall function is netfilter, which is the structure inside the Linux kernel that implements packet filtering.
iptables: the firewall rule authoring tool (user space)
netfilter: the framework of network filters that actually enforces the rules (kernel space)
3. Rules
Rules are the conditions pre-defined by the network administrator and are the basis of iptables.
A rule is generally defined as "if the packet header meets such a condition, handle the packet in this way." Rules are stored in the packet-filtering tables of kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP and SMTP). When a packet matches a rule, iptables processes it according to the action defined by the rule, such as ACCEPT, REJECT or DROP. The primary task of configuring a firewall is to add, modify and delete these rules.
4. Working principle
After a packet arrives at the firewall from the external network, the firewall hands it to the inspection module before the IP layer passes it up to the TCP layer. The process is as follows.
⑴ The packet is first compared with the first filter rule.
⑵ If it matches the first rule, it is audited to decide whether to forward it. If the result of the audit is to forward the packet, it is sent to the TCP layer for processing; otherwise it is discarded.
⑶ If it does not match the first filter rule, it is compared with the second rule, and if that matches it is audited with the same procedure as in the previous step.
⑷ If it does not match the second filter rule, it continues to be compared with the next filter rule until all filter rules have been tried. If no filter rule matches, the packet is discarded.
Second, the working mechanism of iptables
1. Five chains
On the path that packets must take through the network stack, iptables selected five locations at which to take control. These five positions are also known as the five hooks (hook functions), and also as the five rule chains.
These five locations are:
PREROUTING: before routing
Packets hit the PREROUTING hook before the TCP/IP stack makes its routing decision, and the corresponding operation is performed on the packet. Note: the PREROUTING chain cannot filter packets; it is the first level in the whole netfilter framework.
INPUT: inflow
After PREROUTING and the routing decision, if the packet is destined for this host it is passed to the INPUT chain. The INPUT chain can filter packets by pre-defined rules; if a rule matches, its action is executed. The INPUT chain is the only way for packets to enter user space.
FORWARD: forwarding
After PREROUTING and the routing decision, if the packet is merely being forwarded through this machine it is passed to the FORWARD chain, which checks it against pre-defined rules and performs the corresponding action; it can filter packets. It is the FORWARD chain that lets iptables run as a network firewall at the edge of the network, filtering the packets entering and leaving the network.
OUTPUT: outflow
Packets generated by a process in user space are routed to a specific NIC interface and pass through the OUTPUT chain, which checks them against the defined rules and performs the corresponding action; the OUTPUT chain can filter packets.
POSTROUTING: after routing
Packets coming from OUTPUT or FORWARD reach POSTROUTING, the last level in the netfilter framework, where they are analyzed and the corresponding action is performed; like PREROUTING, POSTROUTING does not filter packets.
Flowchart of data flow through netfilter (image not reproduced here).
# Note: packets leaving through OUTPUT should also pass through a routing decision.
No filtering is done before and after routing because no routing decision has been made at PREROUTING (and it is already final at POSTROUTING), and our INPUT, FORWARD and OUTPUT chains can basically implement blocking control over the entire path. So why do we still need to place those two hooks?
This is mainly because of SNAT and DNAT: source address translation must be done after routing, and destination address translation must be done before routing. That is what PREROUTING and POSTROUTING exist for.
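The chain traversal and the first-match evaluation described above, as an added example that is not part of the original post: a small Python simulation of one packet walking through the five hooks. The addresses, rules and default policies are constructed for the example; DNAT is applied in PREROUTING so that the routing decision sees the rewritten destination, SNAT is applied in POSTROUTING after the outgoing path is known, and only INPUT, FORWARD and OUTPUT have a default policy because only they filter.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample: this firewall host is a router with a public and a LAN address.
LOCAL_ADDRS = {"192.0.2.1", "10.0.0.1"}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0

@dataclass
class Rule:
    target: str          # ACCEPT, DROP, REJECT, DNAT or SNAT
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0       # 0 means any destination port
    to: str = ""         # replacement address for DNAT/SNAT

    def matches(self, pkt):
        # IP: source/destination address; TCP/UDP: destination port
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))

def first_match(rules, pkt, policy):
    """Compare the packet with the chain's rules in order; the first match decides.
    If no rule matches, the chain's default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return Rule(policy)

# Constructed ruleset: table -> chain -> ordered rules (hypothetical values).
TABLES = {
    "nat": {
        "PREROUTING": [Rule("DNAT", dst="192.0.2.1/32", proto="tcp", dport=80, to="10.0.0.80")],
        "POSTROUTING": [Rule("SNAT", src="10.0.0.0/8", to="192.0.2.1")],
    },
    "filter": {
        "INPUT": [Rule("ACCEPT", proto="tcp", dport=22)],
        "FORWARD": [Rule("ACCEPT", dst="10.0.0.80/32", proto="tcp", dport=80),
                    Rule("ACCEPT", src="10.0.0.0/8")],
        "OUTPUT": [],
    },
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def traverse(pkt, tables=TABLES, policy=POLICY, local_addrs=LOCAL_ADDRS):
    """Walk a packet that arrives from the network through the hooks.
    Returns (chains visited, verdict, packet as it leaves). Simplified model:
    connection tracking and reply-direction NAT are not represented."""
    path = ["PREROUTING"]
    # PREROUTING runs before the routing decision, so DNAT must happen here:
    # routing then sees the rewritten destination.
    rule = first_match(tables["nat"]["PREROUTING"], pkt, "ACCEPT")
    if rule.target == "DNAT":
        pkt = replace(pkt, dst=rule.to)
    # Routing decision: addressed to this host -> INPUT, otherwise -> FORWARD.
    if pkt.dst in local_addrs:
        path.append("INPUT")
        verdict = first_match(tables["filter"]["INPUT"], pkt, policy["INPUT"]).target
        return path, verdict, pkt       # delivered to a local process; POSTROUTING is not visited
    path.append("FORWARD")
    verdict = first_match(tables["filter"]["FORWARD"], pkt, policy["FORWARD"]).target
    if verdict != "ACCEPT":
        return path, verdict, pkt
    # POSTROUTING runs after the routing decision, so SNAT happens here:
    # the outgoing interface is already chosen when the source is rewritten.
    path.append("POSTROUTING")
    rule = first_match(tables["nat"]["POSTROUTING"], pkt, "ACCEPT")
    if rule.target == "SNAT":
        pkt = replace(pkt, src=rule.to)
    return path, verdict, pkt

def traverse_local(pkt, tables=TABLES, policy=POLICY):
    """Walk a packet generated by a local process: OUTPUT, routing, then POSTROUTING."""
    path = ["OUTPUT"]
    verdict = first_match(tables["filter"]["OUTPUT"], pkt, policy["OUTPUT"]).target
    if verdict != "ACCEPT":
        return path, verdict, pkt
    path.append("POSTROUTING")
    rule = first_match(tables["nat"]["POSTROUTING"], pkt, "ACCEPT")
    if rule.target == "SNAT":
        pkt = replace(pkt, src=rule.to)
    return path, verdict, pkt

if __name__ == "__main__":
    print(traverse(Packet("198.51.100.7", "192.0.2.1", "tcp", 80)))    # DNAT, FORWARD, accepted
    print(traverse(Packet("198.51.100.7", "192.0.2.1", "tcp", 8080)))  # INPUT, dropped by policy
```

A packet for the public address on port 80 is rewritten in PREROUTING and therefore takes the FORWARD path, while the same packet on port 8080 is routed to INPUT and hits the DROP policy because no INPUT rule matches it; a LAN host's outbound packet is accepted in FORWARD and only then has its source rewritten in POSTROUTING.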
2. Four tables
netfilter defines the rules for filtering packets in four tables, or four functions.
filter
The most critical table in all of iptables; it implements packet filtering and can be composed of the INPUT, FORWARD and OUTPUT chains, which provide the filtering function.
nat
NAT (network address translation) can also be implemented in iptables, with SNAT (source address translation), DNAT (destination address translation), MASQUERADE and other functions; the nat table can be composed of the PREROUTING, OUTPUT and POSTROUTING chains.
mangle
mangle can be used to disassemble matched packets, modify them, re-encapsulate them and so on; generally we use it very little, and all five chains can carry mangle rules.
raw
raw turns off the connection-tracking mechanism used by nat, which prevents the server from running out of memory under highly concurrent access; it can be implemented in the PREROUTING and OUTPUT chains and is rarely used.
3. Defining rules: the "unspoken rules"
Points to consider when adding rules:
Which function is being implemented: this decides which table to add the rule to.
Which path the packet flows along: this decides which chain to add the rule to and the order of the rules on that chain.
1) For rules of the same class (accessing the same program), the one with the smaller matching range goes on top.
2) For rules of different classes (accessing different applications), the one that matches the higher-frequency traffic goes on top.
3) Combine multiple rules that can be described by one rule into a single rule.
4) Set a default policy.
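The four ordering principles above, as an added example that is not part of the original post: a Python first-match evaluator that also counts how many rules each packet had to be compared with. The rule sets and the traffic sample are constructed; the match functions stand in for iptables match conditions rather than reproducing its syntax. NAIVE puts a broad rule above a narrower one for the same traffic and a rare rule above the busy ones; TUNED applies principles 1 to 3, and the policy argument of first_match is principle 4.

```python
import ipaddress

# Each rule is (description, match function, target). Constructed examples; the
# match functions stand in for iptables match conditions, not real iptables syntax.
def ip_in(net):
    network = ipaddress.ip_network(net)
    return lambda pkt: ipaddress.ip_address(pkt["src"]) in network

def tcp_port_in(*ports):
    return lambda pkt: pkt["proto"] == "tcp" and pkt["dport"] in ports

def both(*conds):
    return lambda pkt: all(cond(pkt) for cond in conds)

def first_match(rules, pkt, policy="DROP"):
    """First matching rule wins; also report how many rules had to be compared.
    No match -> the chain's default policy (principle 4)."""
    for n, (_name, match, target) in enumerate(rules, 1):
        if match(pkt):
            return target, n
    return policy, len(rules)

def evaluate(rules, traffic, policy="DROP"):
    """Verdict for every packet in a traffic sample plus the total comparison count."""
    verdicts, comparisons = [], 0
    for pkt in traffic:
        verdict, n = first_match(rules, pkt, policy)
        verdicts.append(verdict)
        comparisons += n
    return verdicts, comparisons

# Constructed traffic sample: mostly web, a little SSH, and one packet from a host to be blocked.
TRAFFIC = (
    [{"src": "10.0.0.7", "proto": "tcp", "dport": 80}] * 8
    + [{"src": "10.0.0.7", "proto": "tcp", "dport": 443}] * 6
    + [{"src": "10.0.0.9", "proto": "tcp", "dport": 22}]
    + [{"src": "10.0.0.5", "proto": "tcp", "dport": 80}]
)

NAIVE = [  # rare SSH rule first, broad web rules next, the narrow block rule last
    ("ssh from the admin host", both(ip_in("10.0.0.9/32"), tcp_port_in(22)), "ACCEPT"),
    ("http from the LAN", both(ip_in("10.0.0.0/8"), tcp_port_in(80)), "ACCEPT"),
    ("https from the LAN", both(ip_in("10.0.0.0/8"), tcp_port_in(443)), "ACCEPT"),
    ("block one abusive host", ip_in("10.0.0.5/32"), "DROP"),   # never reached for web traffic
]

TUNED = [
    # principle 1: the narrower rule for the same traffic goes on top
    ("block one abusive host", ip_in("10.0.0.5/32"), "DROP"),
    # principle 2: the busiest class of traffic is matched before the rare one;
    # principle 3: http and https merged into one rule
    ("web from the LAN", both(ip_in("10.0.0.0/8"), tcp_port_in(80, 443)), "ACCEPT"),
    ("ssh from the admin host", both(ip_in("10.0.0.9/32"), tcp_port_in(22)), "ACCEPT"),
]

if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("tuned", TUNED)):
        verdicts, comparisons = evaluate(rules, TRAFFIC)
        print(name, "abusive host ->", verdicts[-1], "| comparisons:", comparisons)
```

With the naive order the abusive host's web packet is accepted by the broad LAN rule before the block rule is ever reached, and the sample costs 37 comparisons; the tuned order blocks it on the first comparison and handles the same sample in 32, while a packet that matches nothing falls through to whatever default policy is passed in.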
4. Firewall policy
Firewall policies are generally divided into two types:
a "pass" strategy and a "blocking" strategy.
The pass strategy is in effect a whitelist: ports are closed by default, and you must explicitly specify who is allowed in.
The blocking strategy can be understood as a blacklist: people in the specified range cannot come in; everyone else can, but must pass identity authentication or they cannot get in. In order for these functions to work together, the concept of a "table" was developed to define and distinguish the different working functions and processing methods.
5. Inspection and processing mechanism
Match conditions (what to check):
IP: source address, destination address
TCP: sport, dport, flags
UDP: sport, dport
ICMP: icmp-type
Extended match mechanism:
Can also match on time, protocol, string and state (connection tracking)
Processing mechanism (what to do with packets that match a rule):
DROP (silently discard), REJECT (discard and return an explicit rejection message), ACCEPT (accept)
SNAT, DNAT: address translation
RETURN: jump back to the calling chain
REDIRECT: port mapping
LOG: logging
"Linux Basics" 22: iptables (part 1)