First, the classification of firewalls
(i) Packet filtering firewalls
Packet filtering technology selects packets at the network layer according to the filtering logic configured in the system, known as the access control list. By examining the source and destination addresses of each packet in the data stream, the port numbers used and the protocol state, or a combination of these, it determines whether the packet is allowed through.
The advantages of a packet filtering firewall are that it is transparent to users, fast and easy to maintain. The disadvantages are that once the firewall is bypassed, illegitimate access can exploit software and configuration vulnerabilities on the hosts behind it, and that the source address, destination address and IP port numbers it inspects all sit in the packet header, where they are easy to forge. IP address spoofing is a common attack tactic used against this type of firewall.
(ii) Proxy service firewalls
A proxy service, also called a circuit-level gateway or TCP relay, is a firewall technique introduced to address the weaknesses of packet filtering and application gateway technology. It splits every network connection that crosses the firewall into two segments. When the proxy server receives a user's request to access a site, it checks whether the request complies with the control rules. If the rules permit the access, the proxy server retrieves the requested information from the site on the user's behalf and then forwards it to the user. All access between the internal and external networks thus passes through the proxy server's "link", which isolates the computer systems on either side of the firewall.
In addition, the proxy service analyzes and logs the packets that pass through it, produces reports, alerts the network administrator when there are signs of attack, and preserves attack logs, which supports evidence collection and network maintenance.
Second, the working principle of the firewall
(i) How packet filtering firewalls work
Packet filtering is implemented at the IP layer, so it can be done by a router alone. It decides whether a packet may pass on the basis of header information such as the source IP address, destination IP address, source port, destination port and the direction the packet is travelling, filtering on user-defined criteria such as an IP address. It checks packets at the network layer and ignores the application layer. Packet filters are widely used because the CPU time needed for filtering is negligible. The protection is transparent to users: legitimate users entering and leaving the network are not aware of its existence, so it is easy to use. Such a system has very good transmission performance and is easy to scale.
This kind of firewall is not very secure, however, because the system knows nothing about the application layer: it does not understand the content of the communication, cannot filter at the user level (it cannot tell different users apart) and cannot prevent address theft. If an attacker sets the IP address of his host to that of a legitimate host, the packet filter lets it straight through, which makes such a firewall easier to compromise. Given this working mechanism, packet filtering firewalls have the following drawbacks:
1. Communication information: a packet filtering firewall sees only the header information of some packets.
2. Communication and application state: packet filtering firewalls are stateless, so they cannot retain state information about communications and applications.
3. Information processing: a packet filtering firewall's capacity to process information is limited.
(ii) How proxy service firewalls work
A proxy service firewall implements the firewall function at the application layer. It keeps part of the transport-related state, plus application-related state and some transport information, and it can process and manage that information.
Third, using iptables to implement a packet filtering firewall
(i) iptables overview and principles
Since kernel 2.4, Linux has used a new kernel packet filtering management tool, iptables, which makes its working principle easier to understand, is easier to use and is more powerful.
iptables is only a tool for managing kernel packet filtering: it adds, inserts or deletes rules in the kernel's packet filtering tables (chains). The actual filtering is performed by netfilter (a general framework in the Linux kernel) and its associated modules (such as the iptables and NAT modules).
netfilter is a general framework in the Linux kernel that provides a series of tables, each of which consists of several chains, each of which consists of one or more rules. In other words, netfilter is a container for tables, a table is a container for chains, and a chain is a container for rules.
The system's default table is "filter", which contains three chains: INPUT, FORWARD and OUTPUT. Each chain can hold one or more rules, and each rule is defined as "if the packet header meets this condition, handle the packet in this way". When a packet arrives at a chain, the system checks from the first rule whether the packet meets the criteria the rule defines; if it does, the packet is processed according to the method the rule defines, otherwise the next rule is checked. If the packet matches none of the rules in the chain, the system processes it according to the chain's predefined default policy.
(ii) How iptables passes packets
When a packet enters the system, the system first decides, based on the routing table, which chain to send it to. There are three possibilities:
1. The packet's destination address is the local machine: the system sends the packet to the INPUT chain. If it passes the rule check, it is delivered to the corresponding local process; if not, the system discards it.
2. The packet's destination address is not the local machine, i.e. the packet is to be forwarded: the system sends it to the FORWARD chain. If it passes the rule check, it is forwarded on; if not, the system discards it.
3. The packet was generated by a local process: the system sends it to the OUTPUT chain. If it passes the rule check, it is sent out; if not, the system discards it.
The user can define rules for each chain, and when a packet reaches one of these chains, iptables processes it according to the rules defined in that chain. iptables compares the packet's header information with each rule in the chain to see whether it matches the rule exactly. If the packet matches a rule, iptables executes the action the rule specifies on the packet. For example, if a rule in the chain decides to drop the packet, the packet is discarded at that point; if the rule accepts the packet, the packet moves on; and if the packet does not match the rule, it is compared with the next rule in the chain. If the packet matches none of the rules in the chain, iptables decides how to handle it from the default policy defined for the chain, and the ideal default policy tells iptables to drop the packet.
(iii) Advantages of iptables
The biggest advantage of netfilter/iptables is that it can configure stateful firewalls, an important feature that earlier tools such as ipfwadm and ipchains could not provide. A stateful firewall can specify and remember the state of the connection over which packets are sent or received. The firewall obtains this information from the packet's connection tracking state, and using it when deciding how to filter a new packet increases efficiency and speed. There are four valid states, named ESTABLISHED, INVALID, NEW and RELATED.
ESTABLISHED indicates that the packet belongs to an already established connection that has been used to send and receive packets and is fully valid. INVALID indicates that the packet is not associated with any known flow or connection and may contain incorrect data or headers. NEW indicates that the packet has started or will start a new connection, or that it is associated with a connection that has not yet been used to send and receive packets. Finally, RELATED indicates that the packet is starting a new connection that is associated with an established connection.
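The four states above, as an added illustration that is not part of the original article: a small Python model of connection tracking that classifies packets as NEW, ESTABLISHED, RELATED or INVALID and applies the usual stateful INPUT policy. The packet fields, the expectation table and the ports opened are assumptions of this example, not kernel conntrack code.

```python
"""Minimal model of the connection-tracking states iptables can match on:
NEW, ESTABLISHED, RELATED and INVALID. Constructed example, not the kernel's
conntrack code (which also tracks timeouts, TCP windows, UDP, ICMP, ...)."""
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


Key = Tuple[str, int, str, int]


class ConnTracker:
    def __init__(self) -> None:
        self.connections: Set[Key] = set()           # confirmed flows (originator's 4-tuple)
        self.expected: Set[Tuple[str, int]] = set()  # (dst, dport) a helper said to expect

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> Key:
        return (p.dst, p.dport, p.src, p.sport)

    def expect(self, dst: str, dport: int) -> None:
        """An existing connection announced a secondary one (e.g. an FTP data channel)."""
        self.expected.add((dst, dport))

    def classify(self, p: Packet) -> str:
        if self._key(p) in self.connections or self._reply_key(p) in self.connections:
            return "ESTABLISHED"      # either direction of a flow we have already seen
        if p.syn and not p.ack:       # first packet of a TCP handshake
            return "RELATED" if (p.dst, p.dport) in self.expected else "NEW"
        return "INVALID"              # e.g. a stray ACK that belongs to no known flow

    def confirm(self, p: Packet) -> None:
        """Keep the entry only once the packet is accepted, as the kernel does."""
        self.expected.discard((p.dst, p.dport))
        self.connections.add(self._key(p))


def stateful_input(tracker: ConnTracker, p: Packet, open_ports=(22,)) -> str:
    """A typical stateful INPUT chain (assumed ruleset for this example):
       -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
       -P INPUT DROP   (INVALID and any other NEW fall through to the policy)"""
    state = tracker.classify(p)
    if state in ("ESTABLISHED", "RELATED") or (state == "NEW" and p.dport in open_ports):
        tracker.confirm(p)
        return "ACCEPT"
    return "DROP"
```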
Another important advantage of netfilter/iptables is that it gives users full control over firewall configuration and packet filtering. You can customize your own rules to meet specific needs, allowing only the desired network traffic into the system.
(iv) Basic knowledge of iptables
1. Rules
A rule is a condition predetermined by the network administrator, generally defined as "if the packet header meets this condition, handle the packet in this way". Rules are stored in the packet filtering tables in kernel space and specify the source address, destination address, transport protocol (TCP, UDP, ICMP) and service type (such as HTTP, FTP, SMTP). When a packet matches a rule, iptables handles it according to the method the rule defines, such as ACCEPT (let it through), REJECT (refuse it) or DROP (discard it). The main work of configuring a firewall is adding, modifying and deleting these rules.
2. Chains
A chain is the path along which packets travel; each chain is really a checklist of rules, and a chain can hold one or several rules. When a packet arrives at a chain, iptables starts checking from the first rule in the chain whether the packet meets the condition the rule defines; if so, the system processes the packet according to the method the rule defines, otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables processes it according to the chain's default policy.
3. Tables
Tables provide specific functions. iptables has three built-in tables, filter, nat and mangle, which implement packet filtering, network address translation and packet modification respectively.
(1) The filter table. The filter table is mainly used to filter packets: it filters the matching packets according to a set of rules the system administrator has predefined. For a firewall, the filter table is used mainly to specify a series of rules that implement the filtering of packets.
The filter table is the default table of iptables; if you do not specify which table to use, iptables executes all commands against the filter table. The filter table contains the INPUT chain (handles incoming packets), the FORWARD chain (handles forwarded packets) and the OUTPUT chain (handles locally generated packets). Only accepting or discarding packets is allowed in the filter table; packets cannot be changed.
(2) The nat table. The nat table is mainly used for network address translation (NAT); it can perform one-to-one, one-to-many and many-to-many NAT, and it is the table iptables uses to implement shared Internet access. The nat table contains the PREROUTING chain (modifies incoming packets), the OUTPUT chain (modifies locally generated packets before routing) and the POSTROUTING chain (modifies outgoing packets).
(3) The mangle table. The mangle table is mainly used to modify specified packets, since some special applications may need to rewrite certain transmission characteristics of a packet, such as its TTL and TOS; in practice this table is not used much.
(v) Shutting down the system firewall
Because the system's own firewall function is also implemented with iptables, rules you set on the system's iptables directly can easily conflict with it, so it is recommended to turn off the system firewall function before studying iptables.
(vi) iptables command format
The iptables command format is fairly complex; the general form is:
# iptables [-t table] command [match options] -j action
Note: iptables is case sensitive for all options and parameters!
1. Table option
The table option specifies which built-in iptables table the command applies to. The built-in tables are the filter table, the nat table and the mangle table.
2. Command options
The command options specify what iptables should do, such as insert, delete or add rules:
-P or --policy: define the default policy
-L or --list: view the list of iptables rules
-A or --append: add a rule at the end of the rule list
-I or --insert: insert a rule at the specified position
-D or --delete: delete a rule from the rule list
-R or --replace: replace a rule in the rule list
-F or --flush: delete all rules in a table
-Z or --zero: reset the packet and byte counters of all chains in the table to zero
3. Match options
The match options specify the characteristics a packet must have to match the rule, including the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and port number (such as 80, 21, 110):
-i or --in-interface: the network interface the packet came in on
-o or --out-interface: the network interface the packet goes out on
-p or --protocol: the protocol the packet must match, such as TCP or UDP
-s or --source: the source address the packet must match
--sport: the source port number the packet must match; a port range can be given in the form "start port:end port"
-d or --destination: the destination address the packet must match
--dport: the destination port number the packet must match; a port range can be given in the form "start port:end port"
4. Action options
The action options specify what should be done when a packet matches a rule, such as accepting or discarding it.
ACCEPT: accept the packet
DROP: discard the packet
REDIRECT: redirect the packet to a port on the local machine or another host; typically used to implement a transparent proxy or to expose some services on the intranet
SNAT: source address translation, i.e. change the packet's source address
DNAT: destination address translation, i.e. change the packet's destination address
MASQUERADE: IP masquerading, the commonly mentioned NAT technique. MASQUERADE is only for IP masquerading on ADSL and other dial-up connections, i.e. where the host's IP address is assigned dynamically by the ISP; if the host has a static, fixed IP address, SNAT must be used instead
LOG: logging; records information about packets that match the rule in the log so the administrator can analyze and debug
(vii) Using the iptables command
1. Viewing iptables rules
A fresh iptables has no rules, but if you chose to install the firewall automatically at installation time, a default rule set exists on the system; you can view these default firewall rules first:
# iptables [-t table] -L [chain]
[-t table]: which table's rules to view; the table name can be filter, nat or mangle, and if no table is given the filter table is used by default
-L: list the rules of the specified chain in the specified table
[chain]: which chain of the specified table to view; if no chain is given, the rules of all chains in the table are shown
# iptables -L -n (view the rules of all chains in the filter table)
Note: adding the -n parameter at the end skips resolving IP addresses to host names, which makes the output much faster.
# iptables -t nat -L OUTPUT (view the rules of the nat table's OUTPUT chain)
2. Defining the default policy
When a packet matches none of the rules in a chain, iptables processes it according to the chain's default policy, which is defined as follows:
# iptables [-t table] -P chain target
[-t table]: which table to operate on; the table name can be filter, nat or mangle, and if no table is given the filter table is used by default
-P: define a default policy
chain: which chain of the specified table to set the policy for
target: the action taken on the packet; ACCEPT or DROP (discard) can be used
# iptables -P INPUT ACCEPT (set the default policy of the filter table's INPUT chain to ACCEPT)
# iptables -t nat -P OUTPUT DROP (set the default policy of the nat table's OUTPUT chain to DROP)
Creating the simplest rule set. For users without experience or time it is necessary to set up a simple, practical rule set, and the most basic principle is "reject all packets first, then allow the packets that are needed". In the filter table this means the INPUT chain's policy is generally set to DROP, which prevents any packet from entering, while the other chains are set to ACCEPT so that outgoing data can still leave.
# iptables -P INPUT DROP
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
3. Adding, inserting, deleting and replacing rules
# iptables [-t table] -A|-I|-D|-R chain [rule number] [-i|-o interface] [-p protocol] [-s source IP|source subnet] [--sport source port] [-d destination IP|destination subnet] [--dport destination port] -j action
[-t table]: which table to operate on; the table name can be filter, nat or mangle, and if no table is given the filter table is used by default
-A: append a rule at the end of the rule list; a rule number cannot be used
-I: insert a rule; the rules at and after that position move back one place, and if no rule number is given the rule is inserted before the first rule
-D: delete a rule, either by giving the complete rule or by specifying the rule number directly
-R: replace a rule; the replaced rule keeps its position, and the number of the rule to replace must be given
chain: the chain of the specified table: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING
[rule number]: used when inserting, deleting and replacing rules; numbering follows the order of the rule list, and the first rule is number 1
[-i|-o interface]: -i is the interface the packet came in on, -o the interface the packet goes out on
[-p protocol]: the protocol the rule applies to, including TCP, UDP, ICMP and so on
[-s source IP|source subnet]: the packet's source IP address or subnet
[--sport source port]: the packet's source port number
[-d destination IP|destination subnet]: the packet's destination IP address or subnet
[--dport destination port]: the packet's destination port number
-j action: the action taken on the packet
# iptables -A INPUT -i lo -j ACCEPT (append a rule that accepts all packets from the lo interface)
# iptables -A INPUT -s 192.168.0.44 -j ACCEPT (append a rule that accepts all packets from 192.168.0.44)
# iptables -A INPUT -s 192.168.0.44 -j DROP (append a rule that discards all packets from 192.168.0.44)
Note: iptables rules are read in order, so if two rules conflict, the earlier rule prevails.
# iptables -I INPUT 3 -s 192.168.1.0/24 -j DROP (insert a rule before the current 3rd rule of the INPUT chain, discarding all packets from 192.168.1.0/24)
Note: if no position is given, -I inserts the rule at the top, before all existing rules
# iptables -D INPUT 2 (delete the 2nd rule of the filter table's INPUT chain)
# iptables -R INPUT 2 -s 192.168.10.0/24 -p tcp --dport 80 -j DROP (replace the 2nd rule of the filter table's INPUT chain, forbidding 192.168.10.0/24 access to TCP port 80)
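The chain semantics described above (first match wins, default policy otherwise, 1-based rule numbers for -I/-D/-R, and the "earlier rule prevails" note), as an added Python model that is not part of the original article or of iptables itself. The Packet and Rule fields are a deliberately reduced subset of the real match options, chosen for this example.

```python
"""Model of how iptables walks a chain: rules are checked in order, the
first match decides, and the chain's default policy applies when nothing
matches. Rule numbers are 1-based as in -I/-D/-R. Constructed example,
not iptables or netfilter code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_iface: str = "eth0"

@dataclass
class Rule:
    target: str                     # -j ACCEPT / DROP / REJECT
    src: Optional[str] = None       # -s IP or CIDR, e.g. 192.168.1.0/24
    proto: Optional[str] = None     # -p tcp / udp / icmp
    dport: Optional[int] = None     # --dport
    in_iface: Optional[str] = None  # -i

    def matches(self, pkt: Packet) -> bool:
        # Every match option given must hold; omitted options are wildcards.
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self.in_iface is None or self.in_iface == pkt.in_iface

@dataclass
class Chain:
    policy: str = "ACCEPT"                            # set with -P
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:             # -A
        self.rules.append(rule)
    def insert(self, rule: Rule, num: int = 1) -> None:  # -I [num], default: top
        self.rules.insert(num - 1, rule)
    def delete(self, num: int) -> None:               # -D chain num
        del self.rules[num - 1]
    def replace(self, num: int, rule: Rule) -> None:  # -R chain num
        self.rules[num - 1] = rule

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                       # checked in list order
            if rule.matches(pkt):
                return rule.target                    # first match wins
        return self.policy                            # no match: default policy

def build_input_chain() -> Chain:
    """The article's recipe: default DROP on INPUT, then allow what is needed."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", in_iface="lo"))
    chain.append(Rule("ACCEPT", src="192.168.0.44"))
    chain.append(Rule("DROP", src="192.168.0.44"))    # shadowed by rule 2
    return chain
```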
4. Clearing rules and counters
When creating new rules you often need to clear the original or old rules first so that they do not interfere with the new ones. If there are many rules, the flush option deletes them all quickly.
# iptables [-t table] -F|-Z [chain]
[-t table]: which table to operate on; the table name can be filter, nat or mangle, and if no table is given the filter table is used by default
-F: delete all rules in the specified table
-Z: reset the packet and byte counters in the specified table to zero
# iptables -Z (reset the packet and byte counters in the filter table to zero)
# iptables -F (delete all rules in the filter table)
5. Saving and restoring firewall rules
The save and restore commands let you back up the existing firewall configuration and restore it directly when recovery is needed.
# iptables-save > filename (save the current firewall rules)
# iptables-restore < filename (restore the firewall rules to the current host)