Security Configuration of a Web Security Firewall

Source: Internet
Author: User

Iptables Introduction

iptables is the IP packet filtering system integrated into the 2.6.x Linux kernel. Whether a Linux system is a host on a LAN connected to the Internet, a server, or a proxy server linking the LAN to the Internet, iptables gives the administrator fine-grained control over IP packet filtering and firewall configuration on that system.

The netfilter/iptables IP packet filtering system is a powerful tool for adding, editing, and removing the rules that the firewall consults when making packet filtering decisions. These rules are stored in dedicated packet filtering tables that are built into the Linux kernel. Within a packet filtering table, rules are grouped into what are called chains.

Although netfilter/iptables is usually spoken of as a single entity, it actually consists of two components: netfilter and iptables.

The netfilter component, also known as kernel space, is part of the kernel and consists of the packet filtering tables holding the rule sets that the kernel uses to control packet filtering.

The iptables component is the user-space tool that makes it easy to insert, modify, and remove rules in the packet filtering tables. Unless you are using Red Hat Linux 7.1 or later, you will need to download and install this tool yourself.

Packet filtering and stateful inspection

The main security control methods used by firewalls are packet filtering, stateful inspection, and proxy services. Packet filtering is a simple and effective security control technique. The network device inspects every packet passing through it against rules that allow or deny traffic from specific source addresses, destination addresses, and TCP port numbers, and in this way restricts access to the internal network.

The biggest advantages of packet filtering are that it is transparent to users and has high throughput. Its security controls operate at the network and transport layers and are limited to source address, destination address, and port number. It therefore provides only rudimentary security monitoring and can do nothing against higher-level attacks such as malicious flooding, memory-overwrite exploits, or viruses.

Stateful inspection is a more effective security control method than packet filtering. When a new connection is requested, stateful inspection checks it against the security rules, lets compliant connections through, and records information about the connection in memory, building a state table. Subsequent packets of that connection are passed as long as they match an entry in the state table. The advantage is that not every packet needs a full rule check: the later packets of a connection (usually the vast majority) are checked directly through a hash lookup, which greatly improves performance. And because the state is dynamic, ports above 1024 can be opened selectively and dynamically, which further improves security.

Firewalls today fall mainly into three types: packet filtering, application proxy, and stateful inspection.

Packet filtering firewall: static packet filtering firewalls are no longer sold; they have been replaced by firewalls using dynamic packet filtering technology.

Proxy firewall: because some specially crafted packets easily get past a packet filtering firewall (the well-known SYN flood and ICMP flood attacks, for example), firewalls appeared that use a proxy server as the data-forwarding channel for applications, the same kind of proxy otherwise used to keep users anonymous or to get around access restrictions. In practice this relies on a newer technique, application protocol analysis.

Stateful inspection firewall: developed from dynamic packet filtering with the addition of a state inspection module, which provides session filtering. Session state is kept only for a limited time, and the firewall can also analyze the contents of packets passing through it, so it avoids opening too many ports.

iptables Function Introduction

Basic operations

Start: service iptables start

Restart: service iptables restart

Stop: service iptables stop

These are the init-script commands of CentOS/RHEL 6 and similar systems. On systemd-based releases the equivalent is systemctl start/restart/stop iptables, provided by the iptables-services package. Note that "stop" flushes the rules and leaves the host with an open ACCEPT policy.

iptables tables and chains

iptables has four built-in tables: filter, nat, mangle, and raw.

1. filter table

filter is the default table of iptables; if no table is specified with -t, the filter table is used. It has three built-in chains:

INPUT chain - processes packets addressed to this host.

OUTPUT chain - processes packets generated by this host.

FORWARD chain - processes packets routed through this host to another network interface.

2. nat table

The nat table has three built-in chains:

PREROUTING chain - processes packets that have just arrived at this host, before the routing decision. It rewrites the destination IP address of the packet and is typically used for DNAT (destination NAT).

POSTROUTING chain - processes packets that are about to leave this host. It rewrites the source IP address of the packet and is typically used for SNAT (source NAT).

OUTPUT chain - processes packets generated by this host (destination rewriting for locally generated packets).

3. mangle table

The mangle table is used to modify packets, for example to change the TOS (QoS) bits in the IP header or to mark packets. It has five built-in chains:

PREROUTING

OUTPUT

FORWARD

INPUT

POSTROUTING

4. raw table: used to configure exemptions from connection tracking (packets given the NOTRACK target bypass the state table). It has two built-in chains:

PREROUTING chain

OUTPUT chain

The relationship between the built-in tables of iptables and their chains is shown below:

II. iptables rules

Keep the following three points in mind; they are the key to understanding iptables rules:

A rule consists of a condition (match) and a target.

If the condition is met, the action specified by the target is executed.

If the condition is not met, the next rule in the chain is evaluated.

Target values

The following special values can be specified as the target:

ACCEPT - the firewall accepts the packet

DROP - the firewall discards the packet

QUEUE - the firewall hands the packet over to user space

RETURN - the firewall stops evaluating the remaining rules in the current chain and returns to the calling chain

Running iptables --list displays the rules currently loaded in the firewall. The output below comes from a system where no firewall rules have been defined yet; it shows the default filter table with its default INPUT, FORWARD, and OUTPUT chains:

View the mangle table (the same command with -t mangle):

View the nat table (with -t nat):

View the raw table (with -t raw):

III. Clearing all iptables rules

Before configuring iptables, you usually run iptables --list or iptables-save to see whether any rules already exist, because sometimes the existing rules need to be deleted first:

These two commands are equivalent. But running them is not the end of it: you still have to check whether the rules have really been cleared, because on some Linux distributions this command does not clear the rules in the nat table (a plain flush acts on the filter table only). In that case the nat table has to be cleared separately by hand:
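The following script is an added example, not code from the original article. It flushes all four tables described in the tables-and-chains section (not only filter, which is why a nat rule can survive a naive clear) and then checks an iptables-save dump to prove the clear really worked. Set IPT=echo to see the commands without applying them; the dump embedded at the end is constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the original article): clear every table, not just
# filter, and check an iptables-save dump to confirm nothing survived.
set -u

IPT=${IPT:-iptables}   # IPT=echo prints the commands instead of running them

# "iptables -F" alone only flushes the filter table. Reset the filter policies
# to ACCEPT first (so flushing the ESTABLISHED rule cannot cut your SSH session
# when the policy was DROP), then flush rules (-F), delete user-defined chains
# (-X) and zero counters (-Z) in all four tables.
flush_all() {
    local t
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    for t in filter nat mangle raw; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
        "$IPT" -t "$t" -Z
    done
}

# Read an iptables-save dump on stdin and print "<table> <rule count>" per
# table. Tables start with "*name", chains with ":NAME POLICY", rules with "-A".
rules_per_table() {
    awk '
        /^\*/  { table = substr($0, 2); n[table] += 0 }
        /^-A / { n[table]++ }
        END    { for (t in n) print t, n[t] }
    ' | sort
}

# Print the names of tables that still contain rules; prints nothing when the
# dump is really empty.
leftover_tables() {
    rules_per_table | awk '$2 > 0 { print $1 }'
}

# Constructed dump (not captured from a real host) showing the situation the
# text warns about: filter was flushed, but a nat rule survived.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
```

On a live host the check is `flush_all; iptables-save | leftover_tables`: any table name printed still holds rules and needs `iptables -t <table> -F` by hand. Running `printf '%s\n' "$SAMPLE_DUMP" | leftover_tables` prints `nat`, the case the text describes.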

IV. Making rules persistent

Rules you delete or add do not take effect permanently; they are very likely to be lost after the system reboots. How to make the configuration persistent depends on the platform; a brief introduction follows:

1. Ubuntu

First, save the existing rules:

Then create a new bash script and save it in the /etc/network/if-pre-up.d/ directory:

In this way the iptables rules are loaded automatically after every system reboot.

Note: do not try to run the above command from .bashrc or .profile. The user is usually not root, and that would load the iptables rules only when someone logs in, leaving the host unprotected between boot and login.

2. CentOS, Red Hat

View the current rules:
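The script below is an added example of the Ubuntu procedure just described and of the CentOS/Red Hat equivalent; it is not code from the original article. It uses the real iptables-save / iptables-restore tools and the /etc/network/if-pre-up.d/ hook directory named above. The rules file path (/etc/iptables.rules) and the hook name (iptables) are assumptions and can be overridden through the environment.

```shell
#!/bin/bash
# Added example (not from the original article): save the live rule set and
# install the if-pre-up.d hook that restores it before any interface comes up.
# RULES_FILE and the hook name are assumptions; override them via the environment.
set -u

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}
HOOK_DIR=${HOOK_DIR:-/etc/network/if-pre-up.d}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}

# Ubuntu/Debian step 1: dump the running rules. The dump reveals the whole
# policy, so create it readable by root only (umask in a subshell so the
# caller's umask is untouched).
save_rules() {
    ( umask 077 && "$IPTABLES_SAVE" > "$RULES_FILE" )
}

# Ubuntu/Debian step 2: scripts in if-pre-up.d run as root before each
# interface is brought up, so the rules are in place before any packet can
# arrive. Prints the path of the hook it wrote.
install_restore_hook() {
    local hook="$HOOK_DIR/iptables"
    cat > "$hook" <<EOF
#!/bin/sh
# Restore the saved iptables rule set; the path was baked in at install time.
if [ -r "$RULES_FILE" ]; then
    /sbin/iptables-restore < "$RULES_FILE"
fi
EOF
    chmod 755 "$hook"
    printf '%s\n' "$hook"
}

# CentOS/RHEL: the init script has its own persistence. "service iptables save"
# writes the running rules to /etc/sysconfig/iptables, which
# "service iptables start" reloads at boot.
save_rules_centos() {
    service iptables save
}
```

Run `save_rules && install_restore_hook` as root after the rule set is final. Before relying on the hook, validate the file with `iptables-restore --test < /etc/iptables.rules`; a syntax error in the saved file would otherwise leave the host booting with no rules.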

V. Appending iptables rules

Use the iptables -A command to append a new rule, where -A stands for append. The new rule is therefore added at the end of the chain.

In general, the last rule is used to drop all packets. If such a rule already exists and you add a new rule with -A, the new rule is useless, because the catch-all drop is evaluated first; insert it in front with -I instead.

1. Syntax

iptables -A chain firewall-rule

-A chain - specifies the chain to append the rule to

firewall-rule - the match and target parameters of the rule

2. Basic rule parameters

The following parameters describe the protocol, the source address, the destination address, the network interfaces allowed, and how matching packets are handled. These are the basic elements of a rule.

-p protocol

Specifies the protocol, such as tcp, udp, or icmp; all can be used to match every protocol.

If -p is not given, the default is all. This is not advisable; always specify the protocol explicitly.

You can specify the protocol by name (tcp) or by protocol number (6 for tcp). See /etc/protocols for the mapping.

The long form --protocol can be used instead of -p.

-s source address

Specifies the source address of the packet.

The parameter can be an IP address, a network address, or a host name.

For example: -s 192.168.1.101 specifies a single IP address

For example: -s 192.168.1.0/24 specifies a network address

If -s is not given, all source addresses match.

The long forms --src or --source can also be used.

-d destination address

Specifies the destination address.

Takes the same forms as -s.

The long forms --dst or --destination can also be used.

-j target (jump to target)

-j stands for jump to target.

-j specifies how a packet is handled when it matches the rule.

The possible values are ACCEPT, DROP, QUEUE, and RETURN.

A user-defined chain can also be specified as the target.

-i input interface

-i stands for input interface.

-i specifies the interface on which a packet must arrive for the rule to apply.

Such packets are entering the INPUT, FORWARD, and PREROUTING chains.

For example: -i eth0 processes packets arriving via eth0.

If -i is not given, packets arriving on all interfaces are processed.

If ! -i eth0 is given, packets arriving on any interface other than eth0 are processed.

If -i eth+ is given, packets arriving on any interface whose name starts with eth are processed.

The long form --in-interface can also be used.

-o output interface

-o stands for out interface.

-o specifies the interface through which a packet must leave for the rule to apply.

Such packets are passing through the FORWARD, OUTPUT, and POSTROUTING chains.

If -o is not given, packets leaving on any interface are processed.

If ! -o eth0 is given, packets leaving on any interface other than eth0 are processed.

If -o eth+ is given, only packets leaving on an interface whose name starts with eth are processed.

The long form --out-interface can also be used.

3. Extended rule parameters

Once the basic parameters are set, we sometimes also want to specify things such as port numbers, TCP flags, or the ICMP type.

--sport source port, for -p tcp or -p udp; for example --sport ssh

The /etc/services file describes the mapping between service names and port numbers.

Using port numbers instead of names is better for performance.

Use a colon to match a port range, for example --sport 22:100

The long form --source-port can also be used.

--dport destination port, for -p tcp or -p udp

The parameters are the same as for --sport.

The long form --destination-port can also be used.

--tcp-flags TCP flags, for -p tcp

Takes two comma-separated lists: the flags to examine, then the flags that must be set among them (for example --tcp-flags SYN,ACK SYN matches packets with SYN set and ACK clear).

Valid values are SYN, ACK, FIN, RST, URG, and PSH.

ALL and NONE can also be used.

--icmp-type ICMP type, for -p icmp

--icmp-type 0 means echo reply

--icmp-type 8 means echo request
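As an added example (not code from the original article), the script below puts the parameters of this section and the stateful inspection idea from the earlier "Packet filtering and stateful inspection" section into one host/gateway policy: the state-table shortcut comes first, scanner flag combinations are dropped with --tcp-flags, services are opened by port and source network, ICMP echo requests are rate-limited by --icmp-type, and forwarding uses ! -i, eth+ and -o together with source NAT in the nat table. The interface names, the 192.168.1.0/24 network, the services opened and the UDP range are assumptions for illustration; the -m conntrack, -m multiport and -m limit matches are standard iptables extensions not covered in the text above. Set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/bash
# Added example (not from the original article): a stateful host/gateway
# policy built from the -A, -p, -s, -i, -o, -j, --dport, --tcp-flags and
# --icmp-type parameters described above. Interface names, networks and the
# services opened are assumptions for illustration.
set -u

IPT=${IPT:-iptables}                 # IPT=echo prints the commands instead of applying them
WAN=${WAN:-eth0}                     # assumed Internet-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed internal network behind this host

apply_policy() {
    # Default policies: nothing enters or is forwarded unless a rule allows it.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback traffic is always local.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Stateful inspection: packets of a connection already in the state table
    # are accepted here and never reach the rules below; INVALID ones are dropped.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # --tcp-flags <flags to examine> <flags that must be set>: drop the
    # combinations only scanners send (NULL, XMAS, SYN+FIN) and require every
    # NEW TCP connection to start with a pure SYN.
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Services: SSH only from the LAN (source network match); web only on the
    # WAN interface; an assumed UDP port range. Numeric ports skip the
    # /etc/services lookup.
    "$IPT" -A INPUT -p tcp -s "$LAN_NET" --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p tcp -m multiport --dports 80,443 -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p udp --dport 60000:61000 -j ACCEPT

    # --icmp-type 8 is echo request: rate-limit it rather than blocking it.
    "$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT

    # Forwarding for the LAN. ! -i "$WAN" matches any interface except the WAN;
    # eth+ matches every interface whose name starts with eth.
    "$IPT" -A FORWARD -i "$WAN" -o eth+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -s "$LAN_NET" ! -i "$WAN" -o "$WAN" -j ACCEPT
    # Source NAT lives in the nat table's POSTROUTING chain, as the packet leaves.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # Log what the INPUT policy is about to drop, throttled so an attacker
    # cannot fill the disk. Because the chain policy is DROP there is no
    # trailing "-A INPUT -j DROP" rule, so further -A rules still take effect;
    # with such a rule you would have to use -I to insert in front of it.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}
```

Run `IPT=echo apply_policy` first and read the 18 commands it prints; then run it as root. Ordering is the point: the ESTABLISHED,RELATED rule sits above every service rule, so only the first packet of each connection is ever matched against the port rules, which is exactly the performance argument made for stateful inspection earlier on this page.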
