"Linux Basics" 22, iptables (top)

Source: Internet
Author: User

I. The network security model

1. Introduction to firewalls

Firewall: also called a protective wall, a network security system located between an internal network and an external network.

A set of hardware or software components working at the edge of a host or network that checks incoming and outgoing packets against predefined rules and handles each packet according to the rule it matches; it can also be a combination of both.

Host firewall: works at the edge of a host and protects only that single host.

Network firewall: works at the edge of a network and protects multiple hosts.

Host firewall + network firewall: the two can be used together.

Hardware firewall: processes network packets efficiently; it uses a dedicated CPU and can process (unpack) packets directly in hardware.

Network layer: network firewall.

Application layer: gateway or proxy server (more secure, with a more complex detection mechanism and more practical applications, but less efficient).


IDS: Intrusion Detection System

HIDS: OSSEC, a host intrusion detection system

NIDS: Snort, a network intrusion detection system

File system: Tripwire, file-system-level detection

IPS: IDS + firewall, an intrusion prevention system

Honeypot: a decoy system # used to trap attackers

Nessus, nmap: sniffing (scanning) tools


2. iptables

iptables/netfilter: a network-layer firewall with support for connection tracking (stateful inspection).

A firewall implemented purely in software.

iptables, formerly known as ipfirewall (in the kernel 1.x era), began as a simple access-control tool ported from FreeBSD that works inside the kernel to inspect packets. But ipfirewall was extremely limited: all rules had to be built into the kernel before they could run, which was generally very difficult. When the kernel reached the 2.x series the software was renamed ipchains, which could define multiple rules and string them together; today it is called iptables, and with it you can build lists of rules to achieve fine-grained access control.

The relationship between iptables and netfilter is easily confused; many people know iptables but not netfilter. In fact, iptables is only the Linux firewall management tool, located at /sbin/iptables. The real firewall function is netfilter, the internal structure that implements packet filtering in the Linux kernel.

iptables: the firewall rule authoring tool # user space

netfilter: the framework of network filters that actually enforces the rules # kernel space


3. Rules

Rules are conditions predefined by the network administrator and are the basis of iptables.

A rule is generally of the form "if the packet header meets such-and-such a condition, handle the packet in this way". Rules are stored in the packet-filtering tables in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables processes it according to the method the rule defines, such as accept (ACCEPT), reject (REJECT) or drop (DROP). The main task of configuring a firewall is adding, modifying and deleting these rules.


4. Working principle

After a packet is routed from the external network to the firewall, the firewall hands it to the inspection module before the IP layer passes it up to the TCP layer. The process is as follows.

(1) The packet is first compared with the first filter rule.

(2) If it matches the first rule, it is examined to decide whether to forward it; if the result is to forward, the packet is handed to the TCP layer for processing, otherwise it is discarded.

(3) If it does not match the first rule, it is compared with the second rule; if that matches, it is examined with the same procedure as in the previous step.

(4) If it does not match the second rule either, it continues to be compared with the next rule until all filter rules have been checked. If none of the rules match, the packet is discarded.


II. The working mechanism of iptables

1. Five chains

iptables selects five locations that packets must pass through in the network stack and takes control there. These five positions are also known as the five hooks (hook functions), or the five rule chains.

These five locations are:

PREROUTING: before routing

A packet reaches the PREROUTING hook before it enters the TCP/IP stack's routing, and the corresponding operations are applied to it there. Note: the PREROUTING chain cannot filter packets; it is the first stage of the whole netfilter framework.

INPUT: inbound

After PREROUTING, routing decides whether the packet is destined for this host; if so, it is passed to the INPUT chain. The INPUT chain can filter the packet with predefined rules and, on a match, carries out the rule's action. The INPUT chain is the only way a packet can enter user space.

FORWARD: forwarding

After PREROUTING, if routing decides the packet is only passing through this machine, it is passed to the FORWARD chain. The FORWARD chain checks the packet against predefined rules and performs the corresponding action, so it too can filter packets. It is the FORWARD chain that lets iptables run as a network firewall at the edge of a network, filtering packets entering and leaving it.

OUTPUT: outbound

A packet generated by a process in user space is routed to a specific NIC interface and passes through the OUTPUT chain, which checks the packet against the defined rules and performs the corresponding action; the OUTPUT chain can therefore filter packets.

POSTROUTING: after routing

Packets arriving from OUTPUT or FORWARD reach the last stage of the netfilter framework, where they are analyzed and the corresponding action is performed; like PREROUTING, POSTROUTING does not filter packets.

Data flow through netfilter: [flowchart image not reproduced]

# OUTPUT: packets leaving here should also pass through a routing decision

PREROUTING and POSTROUTING do not filter because no routing decision is involved at those points, and the INPUT/FORWARD/OUTPUT chains can already implement complete blocking control along the path. So why place those two hooks at all?

Mainly because of SNAT and DNAT: source address translation must happen after routing, and destination address translation must happen before routing. That is what they exist for.


2. Four tables

The rules with which netfilter filters packets are organized into four tables, or four functions:

filter

The most important table in iptables; it implements packet filtering and is made up of the INPUT, FORWARD and OUTPUT chains.

nat

NAT (network address translation).

iptables can also implement NAT, such as SNAT (source address translation), DNAT (destination address translation) and MASQUERADE; the nat table is made up of the PREROUTING, OUTPUT and POSTROUTING chains.

mangle

mangle is used to disassemble matched packets, modify them and re-encapsulate them; it is rarely used in practice. All five chains can carry mangle rules.

raw

raw turns off the nat table's connection-tracking mechanism, which prevents the server from running out of memory under highly concurrent access; it can use the PREROUTING and OUTPUT chains and is seldom used.
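As an added illustration (not code from the original post), the following Python model walks a packet through the five hooks described above and shows why DNAT belongs in nat/PREROUTING and SNAT in nat/POSTROUTING: routing sees the translated destination, and the source is rewritten only once the egress path is known. The addresses, the port-forward mapping and the table-to-chain map are constructed for the example.

```python
# Added example, not from the original post: a toy model of the five netfilter
# hooks showing why DNAT must sit in PREROUTING (before the routing decision)
# and SNAT in POSTROUTING (after it). All addresses and rules are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Chains each table hooks into, as listed in the post.
TABLE_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
PUBLIC_IP = "203.0.113.10"   # constructed: the firewall's own external address
LAN_IP = "192.168.1.1"       # constructed: the firewall's own LAN address
LAN_PREFIX = "192.168.1."    # constructed: the internal network behind the firewall

@dataclass
class Packet:
    src: str
    dst: str
    trace: List[str] = field(default_factory=list)  # chains traversed, in order

def placement_ok(table: str, chain: str) -> bool:
    """Can a rule for this table be attached to this chain?"""
    return chain in TABLE_CHAINS.get(table, set())

def inbound(pkt: Packet, dnat_map: Dict[str, str]) -> Packet:
    """Packet arriving on a NIC: PREROUTING, routing decision, then INPUT or FORWARD+POSTROUTING."""
    pkt.trace.append("PREROUTING")
    # nat/PREROUTING: DNAT rewrites the destination *before* routing, so the
    # routing decision below is made on the translated address.
    pkt.dst = dnat_map.get(pkt.dst, pkt.dst)
    if pkt.dst in (PUBLIC_IP, LAN_IP):
        pkt.trace.append("INPUT")          # for this host: the only way into user space
        return pkt
    pkt.trace.append("FORWARD")            # transit traffic: the network-firewall chain
    pkt.trace.append("POSTROUTING")
    # nat/POSTROUTING: SNAT rewrites the source *after* routing, once the
    # outgoing interface is known; internal hosts leave as the public address.
    if pkt.src.startswith(LAN_PREFIX):
        pkt.src = PUBLIC_IP
    return pkt

def outbound(pkt: Packet) -> Packet:
    """Packet generated by a local process: OUTPUT, then POSTROUTING (no PREROUTING/INPUT)."""
    pkt.trace.extend(["OUTPUT", "POSTROUTING"])
    return pkt
```

Calling `inbound(Packet("198.51.100.5", PUBLIC_IP), {PUBLIC_IP: "192.168.1.20"})` yields the trace PREROUTING, FORWARD, POSTROUTING with the destination rewritten to the internal host, whereas the same packet with an empty DNAT map ends in INPUT.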


3. Defining rules: the unwritten rules

Points to consider when adding a rule:

Which function is being implemented: this decides which table the rule is added to.

The path the packet flows along: this decides which chain the rule is added to and the order of the rules on that chain.

1) For similar rules (accessing the same program), put the one with the smaller matching range on top.

2) For rules of different classes (accessing different applications), put the one that matches the most frequent traffic on top.

3) Merge multiple rules that can be described by one rule into a single rule.

4) Set a default policy.


4. Firewall policy

Firewall policies are generally divided into two types:

a "pass" strategy and a "block" strategy.

The pass strategy is effectively a whitelist: ports are closed by default, and you must explicitly specify who is allowed in.

The block strategy can be understood as a blacklist: people in the specified range cannot come in; beyond that, you still need identity authentication, or you cannot enter. So that these functions can work alongside each other, the concept of a "table" was introduced to define and distinguish the different functions and processing methods.


5. Inspection and processing mechanism

Check conditions: # what is checked

IP: source address, destination address

TCP: sport, dport, flags

UDP: sport, dport, flags

ICMP: icmp-type

Extended check mechanisms:

Matching can also be based on time, protocol, string and state (connection tracking).


Processing mechanism: # what to do with a packet that matches a rule

DROP (silently discarded), REJECT (rejected with an explicit return message), ACCEPT (accepted)

SNAT, DNAT: source/destination address translation (see the nat table above)

RETURN: jump back

REDIRECT: port mapping

LOG: logging
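The following Python evaluator, added here and not part of the original post, ties together the first-match traversal of section 4, the rule-ordering and default-policy advice of section 3, and the match conditions and targets listed above: the same four rules are shown in a correct order and in an order where a broad DROP shadows a narrower ACCEPT. The rules, packets and addresses are constructed.

```python
# Added example, not from the original post: a toy first-match evaluator for one
# chain using the match conditions and targets the post lists. Constructed data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    target: str                   # ACCEPT / DROP / REJECT ...
    proto: Optional[str] = None   # tcp / udp / icmp
    dport: Optional[int] = None
    src: Optional[str] = None     # source network in CIDR notation
    state: Optional[str] = None   # connection-tracking state: NEW / ESTABLISHED

    def matches(self, pkt: dict) -> bool:
        """Every condition that is set must hold; unset conditions match anything."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.state is not None and pkt["state"] != self.state:
            return False
        return True

def evaluate(chain: List[Rule], policy: str, pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule decides.
    If no rule matches, the chain's default policy applies (index None)."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, index
    return policy, None

# A whitelist-style INPUT chain ordered by the post's guidance: the rule most
# packets hit (established connections) on top, then the narrow SSH rule for
# the admin network *before* the broad rule that blocks SSH for everyone else.
GOOD_INPUT = [
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", proto="tcp", dport=22, src="10.0.0.0/8"),
    Rule("DROP", proto="tcp", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
]
# Same rules with the two SSH rules swapped: the broad DROP now shadows the narrow ACCEPT.
BAD_INPUT = [GOOD_INPUT[0], GOOD_INPUT[2], GOOD_INPUT[1], GOOD_INPUT[3]]
POLICY = "DROP"   # default policy: anything no rule matches is discarded

ADMIN_SSH = {"proto": "tcp", "dport": 22, "src": "10.1.2.3", "state": "NEW"}
REPLY = {"proto": "tcp", "dport": 51000, "src": "198.51.100.5", "state": "ESTABLISHED"}
DNS_PROBE = {"proto": "udp", "dport": 53, "src": "198.51.100.5", "state": "NEW"}
```

`evaluate(GOOD_INPUT, POLICY, ADMIN_SSH)` returns `("ACCEPT", 1)` while `evaluate(BAD_INPUT, POLICY, ADMIN_SSH)` returns `("DROP", 1)`, and the UDP probe falls through every rule to the default policy.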

