Basic use of iptables firewall

A firewall works at the edge of a network or host. It is a combination of components that inspects the packets entering and leaving the network or host against preset rules and, once a packet matches (meets a rule's conditions), handles it with the action that rule specifies;
Host firewall: protects the current host;
Network firewall: protects the whole network;
Classification of firewalls:
1. Packet-filtering firewall: works at the TCP/IP layer and decides based on the TCP header or the IP header. Lower security, high efficiency;
1) simple packet filtering;
2) packet filtering with state detection (connection tracking), which distinguishes four states:
1) NEW: a connection is being established;
2) ESTABLISHED: the connection is established and is transmitting data;
3) INVALID: the packet cannot be associated with any known connection (unrecognized state);
4) RELATED: a connection related to an existing one (for example the FTP data connection);
2. Application-layer gateway firewall: works at the application layer and decides based on the actual data the packets carry. High security, low efficiency;
The firewall itself runs in kernel space, where the rules are enforced by the netfilter (network filter) framework; the rules are defined from user space with the iptables command (only the administrator can define rules, and the tool checks whether each command is correct);
Tables (filter, nat, mangle, raw):
nat: network address translation, which relies on connection tracking;
1) SNAT, source network address translation, done on POSTROUTING;
2) DNAT, destination network address translation, done on PREROUTING;
mangle: modifies packet headers. For example, every routing hop decrements the TTL by 1; a mangle rule can open the IP header and raise the TTL by 1 to compensate, so users cannot tell that a firewall sits in the path;
raw: not explained further here;
Tables and the chains they work on:
filter: filtering, on INPUT, OUTPUT and FORWARD;
nat: address translation, on PREROUTING, POSTROUTING and OUTPUT;
mangle: header modification, on PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING;
raw: on PREROUTING and OUTPUT;
Priority when several tables apply on the same chain: raw ---> mangle ---> nat ---> filter
iptables command usage:
iptables [-t TABLE] COMMAND CHAIN [criteria] -j ACTION
-t {raw|mangle|nat|filter}: the table to operate on, default filter
COMMAND categories:
Rule management:
-A: append a rule at the end of the chain (append);
-I #: insert a rule as entry number # (insert; without a number it becomes the first rule);
-D #: delete the rule with number # (delete);
-R #: replace the rule with number # (replace);
Chain management:
-F [CHAIN]: flush the rules (flush); without a chain name all chains of the table are flushed, with a chain name only that chain;
-N CHAIN: create a custom chain (new); -j CHAIN jumps to it;
-X [CHAIN]: delete a custom chain, which must be empty;
-E OLD NEW: rename a custom chain (rename);
Default policy:
-P CHAIN TARGET: set the chain's default policy (policy);
Counters:
-Z: zero the counters (zero);
Each rule (including the default policy) has two counters:
1) the number of packets that matched the rule;
2) the total size in bytes of all packets that matched the rule;
Viewing:
-L: list the rules (list);
-L sub-options:
-n: numeric output, addresses and ports are not resolved to names (numeric);
-v: details (verbose); -vv or -vvv for even more detail;
-x: exact counter values instead of rounded K/M/G units (exact);
--line-numbers: show the rule numbers;
Matching conditions (criteria):
Basic matches:
-s SOURCE: source IP or network; prefix with ! to negate (for example ! -s NETWORK); omitting -s matches any host;
-d DESTINATION: destination address;
-p {tcp|udp|icmp}: protocol;
-i INTERFACE: the interface the packet comes in on (only usable in INPUT, FORWARD and PREROUTING);
-o INTERFACE: the interface the packet goes out on (only usable in OUTPUT, FORWARD and POSTROUTING);
Extended matches: iptables loads a match module to extend its matching ability;
Implicit extensions (loaded automatically by -p):
-p tcp
--sport PORT: source port;
--dport PORT: destination port;
--tcp-flags LIST1 LIST2: examine the TCP flags in LIST1 and require that, of those, exactly the flags in LIST2 are set;
for example --tcp-flags SYN,ACK,FIN,RST SYN checks only ACK, SYN, RST and FIN and matches when only SYN is set (a new connection request);
--syn is shorthand for exactly that;
-p udp
--sport PORT
--dport PORT
-p icmp
--icmp-type TYPE
Types used by the ping command:
echo-request can be written as 8;
echo-reply can be written as 0;
other types (for example 3): look them up in a TCP/IP reference;
Explicit extensions (-m MODULE must be given to load the module):
-m state: connection state detection
--state {NEW,ESTABLISHED,RELATED,INVALID}
-m multiport: matches a set of source or destination ports in one rule; up to 15 ports;
--source-ports PORT[,PORT...]
--destination-ports 22,53,80
--ports 22,53,80
-m iprange: matches an address range
--src-range IP-IP
--dst-range IP-IP
-m connlimit: limits concurrent connections per address
--connlimit-above #: more than # connections
-m limit: rate limit
--limit RATE (for example 3/minute)
--limit-burst NUMBER: the initial burst allowed before the rate applies
-m string: matches a string in the payload
--algo {bm|kmp}: search algorithm
--string "STRING"
-m time: time limit
--timestart VALUE (for example 10:00)
--timestop VALUE
--days LISTOFDAYS
--datestart DATE
--datestop DATE
-j ACTION (target):
ACCEPT: allow;
DROP: discard silently;
REJECT: refuse and tell the sender;
SNAT: source address translation;
DNAT: destination address translation;
REDIRECT: redirect to another port on the local host;
RETURN: return from a custom chain to the chain that called it (for example INPUT);
How to open the FTP service:
Active mode: tcp 20 (data) and 21 (commands);
Passive mode: tcp 21 plus a port above 1023 for data;
The RELATED state must be allowed, and the FTP connection-tracking helper loaded:
modprobe ip_nat_ftp
lsmod | grep ftp
On Red Hat the iptables script is /etc/rc.d/init.d/iptables:
service iptables start: loads the saved rules;
service iptables stop: flushes the chains;
/etc/sysconfig/iptables: the saved rule file;
/etc/sysconfig/iptables-config: configuration for the iptables script;
How to save the rules to a file:
1) service iptables save: saves the current rules to /etc/sysconfig/iptables;
2) iptables-save > /etc/sysconfig/iptables-test: saves the active rules to a file of your choice;
iptables-restore < /etc/sysconfig/iptables-test: loads the rules from that file;
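The matches, targets and the iptables-restore format described above, put together as a stateful host firewall. This is an added example, not code from the original notes: it assumes a server that offers ssh only to an admin network (MGMT_NET, constructed value 192.168.100.0/24) and web ports 80/443 to everyone, and it emits the ruleset in the format iptables-save writes, so it can be inspected before it is loaded in one atomic step.

```shell
#!/bin/sh
# Added example, not from the original notes: a stateful host firewall
# written in the iptables-restore format that iptables-save produces.
# Assumed (constructed) values: ssh is reachable only from the management
# network MGMT_NET, web ports 80/443 are public; nothing else is accepted.
MGMT_NET="${MGMT_NET:-192.168.100.0/24}"

# Print the filter table. Within a chain rules are checked top to bottom,
# the first terminating target (ACCEPT/DROP/REJECT) decides, and the chain
# policy (":INPUT DROP") applies only when no rule matched.
gen_host_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
# loopback traffic is always local
-A INPUT -i lo -j ACCEPT
# packets of connections already accepted, plus related ones (FTP data)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets connection tracking cannot classify
-A INPUT -m state --state INVALID -j DROP
# new ssh connections from the management network only;
# --syn is shorthand for --tcp-flags SYN,ACK,FIN,RST SYN
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 --syn -m state --state NEW -j ACCEPT
# public web ports, one rule thanks to multiport
-A INPUT -p tcp -m multiport --destination-ports 80,443 -m state --state NEW -j ACCEPT
# answer ping, but at most 5 requests per second
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# everything else goes to the custom chain: rate-limited LOG, then DROP
-A INPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT drop: "
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Number of rules (-A lines) in a ruleset read from stdin; a quick sanity
# check before loading.
count_rules() {
    grep -c '^-A ' || true
}

# Load the ruleset atomically; iptables-restore replaces the whole filter
# table, so the old rules disappear in the same step (requires root).
apply_host_rules() {
    gen_host_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_host_rules
else
    gen_host_rules   # dry run: only show what would be loaded
fi
```

Run it without arguments to see the ruleset, with `apply` (as root) to load it. Because INPUT's policy is DROP, the ESTABLISHED,RELATED rule has to come before anything else, and the LOG rule is rate limited so that a flood of rejected packets cannot fill the log.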
Address translation:
Source address translation:
-j SNAT --to-source 192.168.100.1: rewrite the source address to the given address;
-j MASQUERADE: address masquerading; it uses more resources than SNAT because the outgoing address is looked up for every packet, and is commonly used for ADSL dial-up Internet access where the public address changes;
Destination address translation (usually restricted to a protocol and a port):
-j DNAT --to-destination 192.168.100.2
PNAT, port translation:
-j DNAT --to-destination 192.168.100.2[:PORT]: the port may be omitted when the forwarded port is the same as the requested one, otherwise it must be given;
-j LOG: log the forwarded packets;
--log-prefix "DNAT for web"; combine with -m limit --limit 3/minute --limit-burst 3 so the log is not flooded;
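The SNAT/MASQUERADE, DNAT and LOG pieces above assembled into a gateway ruleset. This is an added example, not code from the original notes; it assumes a constructed topology (eth0 towards the Internet, eth1 on LAN 192.168.100.0/24, the web server 192.168.100.2 from the notes published on port 8080) and picks SNAT or MASQUERADE depending on whether a fixed public address (WAN_IP) is known.

```shell
#!/bin/sh
# Added example, not from the original notes: a small NAT gateway ruleset
# in iptables-restore format. Assumed (constructed) topology: eth0 is the
# Internet side, eth1 the LAN 192.168.100.0/24; the internal web server is
# 192.168.100.2 (the address used in the notes) and is published on port 8080.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.100.0/24}"
WEB_SRV="${WEB_SRV:-192.168.100.2}"
WAN_IP="${WAN_IP:-}"   # empty: dynamic address -> MASQUERADE; set: fixed -> SNAT

# Source translation lives in POSTROUTING (after routing). SNAT is cheaper
# when the public address is fixed; MASQUERADE looks it up per packet.
snat_rule() {
    if [ -n "$WAN_IP" ]; then
        echo "-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}"
    else
        echo "-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE"
    fi
}

gen_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT in PREROUTING (before routing): public :8080 -> web server :80.
# The port changes, so it cannot be omitted after the address.
-A PREROUTING -i ${WAN_IF} -p tcp --dport 8080 -j DNAT --to-destination ${WEB_SRV}:80
$(snat_rule)
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies for tracked connections in either direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients may open connections to the outside
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m state --state NEW -j ACCEPT
# the published web service: filter sees the packet after DNAT, so match
# the translated destination; log new connections at most 3/minute, then accept
-A FORWARD -i ${WAN_IF} -p tcp -d ${WEB_SRV} --dport 80 -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "DNAT for web: "
-A FORWARD -i ${WAN_IF} -p tcp -d ${WEB_SRV} --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Forwarding must be enabled in the kernel or the FORWARD chain never sees
# a packet; then load both tables atomically (requires root).
apply_gateway_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_gateway_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_gateway_rules
else
    gen_gateway_rules   # dry run
fi
```

Two points worth noticing: the FORWARD rules match the translated destination (192.168.100.2:80, not :8080) because filtering happens after PREROUTING has rewritten the packet, and INPUT is left at ACCEPT in this fragment, so the gateway itself still needs INPUT rules of its own.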
Use the recent module of iptables to mitigate DoS-style connection floods by rate-limiting new connections from one address:
-m recent
--set --name SSH: record the packet's source address in the list named SSH;
--update --seconds 300 --hitcount 3: match if the address has been seen 3 or more times within the last 300 seconds;
Example: ssh, remote login:
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
1. The connlimit rule limits a single IP address to 3 concurrent connections. This will wrongly block users who share one address through NAT; raise the value according to the actual situation;
2. The recent and state rules limit a single IP address to 3 new connections to this machine within the configured number of seconds; access can be restored after a minute;
Explanation of the last two commands:
1. The second command records every new connection to tcp port 22 in a list named SSH;
--set records the packet's source IP address; if the address is already in the list, its entry is updated;
2. The third command checks the IP address against the SSH list: if it has initiated more than three connections within the configured seconds, its connection is dropped;
--update means the list entry is updated every time a connection is established;
--seconds must be used together with --rcheck or --update;
--hitcount must be used together with --rcheck or --update;
3. The list kept by iptables is visible at /proc/net/ipt_recent/SSH
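The same ssh limits as an added example (not the notes' own commands), rewritten as a dedicated chain built with -A so the evaluation order is written down instead of following from the order in which -I commands were typed. It assumes a constructed management network 192.168.100.0/24 that is exempt (the NAT false positive noted above), and includes a small parser for the recent list, fed here with a constructed sample of the proc file; on current kernels the file lives under /proc/net/xt_recent/, on older ones under /proc/net/ipt_recent/ as in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: the ssh limits as a dedicated
# chain built with -A, so the evaluation order is explicit.
# Assumed (constructed): the management network MGMT_NET is exempt from
# the limits; HITS new connections are allowed per WINDOW seconds.
MGMT_NET="${MGMT_NET:-192.168.100.0/24}"
HITS="${HITS:-3}"
WINDOW="${WINDOW:-300}"

# Print the iptables commands, one per line, in the order they must run.
# The --update check comes BEFORE --set: the current attempt is counted
# only after it has passed the check, so exactly HITS attempts get through.
# --update also refreshes the entry whenever it matches, so an attacker who
# keeps trying stays blocked; --rcheck would not refresh, and the block
# would expire WINDOW seconds after the last counted attempt instead.
ssh_guard_cmds() {
    cat <<EOF
iptables -N SSH_GUARD
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_GUARD
iptables -A SSH_GUARD -s ${MGMT_NET} -j RETURN
iptables -A SSH_GUARD -p tcp --dport 22 -m connlimit --connlimit-above ${HITS} -j DROP
iptables -A SSH_GUARD -m recent --name SSH --update --seconds ${WINDOW} --hitcount ${HITS} -j DROP
iptables -A SSH_GUARD -m recent --name SSH --set
iptables -A SSH_GUARD -j RETURN
EOF
}

# Parse the recent list (/proc/net/xt_recent/SSH, older kernels
# /proc/net/ipt_recent/SSH) from stdin and print the addresses with at
# least HITS recorded attempts. Each line looks like
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1, J2, ...
# so 7 leading fields are fixed and every further field is one timestamp.
blocked_addrs() {
    awk -v hits="$HITS" 'NF - 7 >= hits { sub(/^src=/, "", $1); print $1 }'
}

# Constructed sample of the proc file, used when no real list is readable.
SAMPLE_RECENT='src=198.51.100.7 ttl: 64 last_seen: 4295500 oldest_pkt: 1 4295300, 4295400, 4295500
src=192.0.2.9 ttl: 64 last_seen: 4295900 oldest_pkt: 1 4295900'

show_blocked() {
    if [ -r /proc/net/xt_recent/SSH ]; then
        blocked_addrs </proc/net/xt_recent/SSH
    elif [ -r /proc/net/ipt_recent/SSH ]; then
        blocked_addrs </proc/net/ipt_recent/SSH
    else
        printf '%s\n' "$SAMPLE_RECENT" | blocked_addrs
    fi
}

# Run the commands in order (requires root; -N fails if the chain exists).
apply_ssh_guard() {
    ssh_guard_cmds | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_ssh_guard
else
    ssh_guard_cmds
    show_blocked
fi
```

With the sample list, only 198.51.100.7 is reported: it has three timestamps within the window, while 192.0.2.9 has one. Raising HITS or WINDOW through the environment changes both the rules and the parser consistently.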
