Contents:
I. NetFilter and iptables
II. The filter, nat, mangle and raw rule tables
III. The INPUT, FORWARD and other rule chains, and rules
IV. The Linux packet routing principle
V. Writing iptables rules
I. NetFilter and iptables
(1) NetFilter is the firewall framework of the Linux 2.4 kernel, proposed by Rusty Russell. It is both concise and flexible, and supports many features used in security policy, such as packet filtering, packet processing, address masquerading, transparent proxies, dynamic network address translation (NAT), filtering based on user and media access control (MAC) addresses, stateful filtering, packet rate limiting, and so on. These iptables/netfilter rules can be combined flexibly to build a great many functions covering every aspect of packet handling, all thanks to its excellent design.
NetFilter is a packet processing module inside the kernel of the Linux operating system. It provides the following functions:
- Network address translation (NAT)
- Packet content modification
- Packet filtering firewall
(2) The NetFilter platform has five mount points for packets (hook points, which can be understood as callback points: when a packet reaches one of these locations, the kernel actively calls our functions, giving us the chance to change the packet's direction and content while it is being routed). The 5 hook points are:
- PRE_ROUTING
- INPUT
- OUTPUT
- FORWARD
- POST_ROUTING
(3) The rules set by NetFilter are stored in kernel memory. iptables is a user-space application that, through the interface exposed by netfilter, modifies the Xtables (the NetFilter configuration table) kept in kernel memory. Xtables is made up of tables, chains and rules, and iptables is responsible for modifying this rule set from user space. Similar applications include firewalld.
II. The filter, nat, mangle and raw rule tables
(1) The tables are filter, nat, mangle and raw:
filter table
Mainly used to filter packets and decide, according to the concrete rules, whether to let a packet through (targets such as DROP, ACCEPT, REJECT, LOG). The kernel module corresponding to the filter table is iptable_filter, and it contains three rule chains:
- INPUT chain: filters packets whose destination is the local host
- FORWARD chain: filters all packets that are neither generated locally nor destined for the local host (that is, packets this machine only forwards)
- OUTPUT chain: filters all locally generated packets
nat table
Mainly used to modify the IP address, port number and other information in a packet (network address translation: SNAT, DNAT, MASQUERADE, REDIRECT). The packets belonging to one stream (a flow is split into multiple packets because of the packet size limit) pass through this table only once: if the first packet is allowed to be NATed or masqueraded, the remaining packets are automatically treated the same way and do not traverse the table again. The kernel module for this table is iptable_nat, and it contains three chains:
- PREROUTING chain: changes the destination address of a packet just after it has arrived at the firewall
- OUTPUT chain: changes the destination address of a locally generated packet
- POSTROUTING chain: changes the source address of a packet before it leaves the firewall
mangle table
Mainly used to modify the TOS (type of service) and TTL (time to live) fields of a packet and to set a mark on the packet, for QoS (quality of service) tuning, policy routing and the like. It is not widely used because it needs matching support from the routing devices. It contains five rule chains: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD.
raw table
A table added in iptables 1.2.9 and later, used mainly to decide whether a packet is handled by the connection tracking mechanism. When matching a packet, the rules of the raw table take precedence over those of the other tables. It contains two rule chains: OUTPUT and PREROUTING.
(2) The 4 states of packets in connections tracked by iptables:
- NEW: the packet wants to start a new connection (or re-establish or redirect a connection)
- RELATED: the packet belongs to a new connection that was set up by an already established connection. For example, an FTP data connection is related to the FTP control connection that initiated it, and an ICMP echo reply (--icmp-type 0) is related to the ICMP echo request (--icmp-type 8).
- ESTABLISHED: a connection goes from NEW to ESTABLISHED as soon as packets have been sent and received in both directions, and this state then matches the subsequent packets of that connection.
- INVALID: the packet cannot be associated with any known connection or has no state, for example because of memory exhaustion or an ICMP error message that does not belong to any known connection. Data in this state should generally be dropped.
III. The INPUT, FORWARD and other rule chains, and rules
(1) When handling the various kinds of packets, iptables provides 5 default rule chains according to the point at which firewall rules intervene. From the point of view of when they apply, the chains are:
- INPUT chain: the rules in this chain apply when a packet addressed to the firewall host itself is received (inbound).
- OUTPUT chain: the rules in this chain apply when the firewall host itself sends a packet out (outbound).
- FORWARD chain: the rules in this chain apply when a packet is received that must be sent on through the firewall to another address (forwarded).
- PREROUTING chain: the rules in this chain apply before the packet is routed, for example DNAT.
- POSTROUTING chain: the rules in this chain apply after the packet is routed, for example SNAT.
(2) The INPUT and OUTPUT chains are used mostly in a "host firewall", which mainly controls the security of traffic to and from the server itself, while the FORWARD, PREROUTING and POSTROUTING chains are used mostly in a "network firewall", in particular when the firewall server acts as a gateway.
IV. The Linux packet routing principle
(1) Having understood the architecture and function of NetFilter and iptables, and the structure of the xtables tables that control netfilter's behaviour, how do these tables take effect in the packet routing of the kernel network stack?
Workflow: a packet from the network port is received by the underlying NIC. After the data link layer is unpacked (the link-layer frame header removed), it enters the TCP/IP protocol stack (essentially the kernel driver that processes network packets) together with the NetFilter packet processing flow. Receiving, processing and forwarding a packet is a finite state machine: the packet passes through a series of kernel processing functions and NetFilter hook points and is finally either forwarded or consumed by an upper-layer application.
From this we can summarise the following rules:
- When a packet enters the network card it first enters the PREROUTING chain. In the PREROUTING chain we have the opportunity to modify the packet's destination IP; afterwards the kernel "routing module" decides from the "packet destination IP" and the "kernel routing table" whether the packet needs to be forwarded (note that the destination IP of the packet may already have been modified by us at this point).
- If the packet is for this host (that is, the destination IP of the packet is the IP of one of this host's network ports), the packet moves down the diagram to reach the INPUT chain. After the packet arrives in the INPUT chain, any listening process can receive it.
- Programs running on this host can also send packets, which go through the OUTPUT chain and then reach the POSTROUTING chain before leaving (note that at this point the source IP of the packet may have been modified by us).
- If the packet is to be forwarded (that is, its destination IP is not this host's, for example an address in another subnet) and the kernel allows forwarding, the packet moves to the right through the FORWARD chain and then to the POSTROUTING chain, which sends it out of the network port for the corresponding subnet.
When writing iptables rules, always keep this routing sequence diagram in mind, and configure the rules flexibly according to the different hook points.
V. Writing iptables rules
Command format (assembled from the option descriptions below):
iptables [-t table] command chain [rule-number] [-i|-o interface] [-p protocol] [-s source-ip] [--sport source-port] [-d destination-ip] [--dport destination-port] [-m match ...] -j target
Examples:
iptables -I INPUT -s 0/0 -d 192.168.42.153 -p tcp -m multiport --dports 22,80,3306 -j ACCEPT
iptables -t filter -I INPUT -d 192.168.42.153 -p tcp --dport 80 -j ACCEPT
1. [-t table-name]: the table the rule operates on, such as filter or nat; defaults to filter if not specified.
- -A: append a rule to the end of the rule chain
- -I: insert a rule; if no number is given it is inserted at position 1, and the rules from that position onwards move back one place
- -D: delete a rule from the rule chain, either by entering the complete rule or by specifying the rule number
- -R: replace a rule; replacing does not change the order, and the number must be specified
- -P: set the default action (policy) of a rule chain
- -nL: -L together with -n, list the currently active firewall rules (numerically, without name resolution)
2. chain-name: the chain within the rule table, such as INPUT, OUTPUT, FORWARD, PREROUTING, etc.
- [rule-number]: used when inserting, deleting or replacing a rule; --line-numbers displays the numbers
- [-i|-o interface-name]: -i specifies the NIC the packet enters from, -o the NIC the packet leaves from
- [-p protocol]: the protocol the rule applies to, including tcp, udp and icmp
- [-s source-ip]: the IP address or subnet of the source host
- [--sport source-port]: the source port number of the packet
- [-d destination-ip]: the IP address or subnet of the destination host
- [--dport destination-port]: the destination port number of the packet
3. -m: extension matches; this option provides additional matching parameters, for example:
- -m state --state ESTABLISHED,RELATED
- -m tcp --dport 22
- -m multiport --dports 80,8080
- -m icmp --icmp-type 8
4. <-j action>: the action taken on the packet, including ACCEPT, DROP, REJECT, etc.
- ACCEPT: allow the packet through
- DROP: discard the packet directly without giving any response
- REJECT: refuse the packet and, if necessary, send a response to the sender
- SNAT: source address translation. After the routing decision and before the packet leaves the local network stack, the source address is rewritten while the destination address is left unchanged, and a NAT table entry is created on this machine; when the reply comes back, its destination address is rewritten according to the NAT table to the source address the packet originally had and it is delivered to that host. This solves the problem of intranet users sharing one public network address to access the Internet.
- MASQUERADE: a special form of SNAT, suited to connections whose IP changes, such as ADSL
- DNAT: destination address translation. In contrast to SNAT, the destination address of the IP packet is modified before routing and the source address is left unchanged, a NAT table entry is created on this machine, and when the reply comes back its source address is rewritten according to the NAT table to the destination address the original packet was sent to before it is sent on to the remote host. It can hide the real address of a backend server. (Thanks to the netizen who pointed out that this and SNAT had previously been written the wrong way round.)
- REDIRECT: a special form of DNAT that redirects the packet to the local host (regardless of the destination address in the IP header), convenient for port forwarding on this machine.
- LOG: the packet is logged to the /var/log/messages file, and then passed on to the next rule.
Apart from LOG, once one of the rules matches a packet the packet is not matched against any further rules, so the order in which rules are written is extremely important.
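The two rule sets the article distinguishes, a host firewall on the INPUT chain and a network firewall on PREROUTING, FORWARD and POSTROUTING, worked through as one shell script. This is an added example and not code from the original article; the interface eth0, the subnet 192.168.42.0/24 and the backend host 192.168.42.153 are constructed values, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original article: a host firewall plus a
# gateway NAT section built from the chains, states and targets described
# above. Interface, subnet and backend address are constructed values.
IPT="${IPT:-iptables}"    # set IPT=echo to print rules instead of applying them
WAN_IF="eth0"             # constructed: interface facing the Internet
LAN_NET="192.168.42.0/24" # constructed: internal subnet behind the gateway
WEB_HOST="192.168.42.153" # constructed: backend server reached through DNAT

# Host firewall: INPUT/OUTPUT chains of the filter table (section III).
host_firewall_rules() {
    $IPT -P INPUT DROP        # -P sets the default action of the chain
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT   # loopback traffic never leaves the host
    # Connection states (section II): replies and related flows such as FTP
    # data or ICMP errors are admitted without a rule per service.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # NEW connections to the services this host runs, in one multiport rule.
    $IPT -A INPUT -p tcp -m multiport --dports 22,80,3306 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type 8 -j ACCEPT   # ping request
    # LOG hands the packet to the next rule, so the DROP must come after it.
    $IPT -A INPUT -j LOG --log-prefix "IPT-INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

# Network firewall: nat PREROUTING/POSTROUTING plus filter FORWARD, placed per
# section IV (destination rewritten before routing, source rewritten after it).
gateway_nat_rules() {
    # DNAT in PREROUTING: rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    # MASQUERADE in POSTROUTING: rewrite the source after routing, on egress.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # FORWARD decides what is relayed; it already sees the DNATed destination.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -d "$WEB_HOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Apply only on request (needs root); by default print the rules for review.
if [ "${1:-}" = "--apply" ]; then
    host_firewall_rules && gateway_nat_rules
else
    IPT=echo
    host_firewall_rules
    gateway_nat_rules
fi
```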
The iptables principle of Linux is detailed