CentOS Firewall with some of its rule settings

Note: the material below was collected from online sources and organized into notes of my own.

I. Checking the status of the iptables service:

Command: service iptables status

Scenario 1: the firewall service is installed but not running

# service iptables status
iptables: Firewall is not running.

Scenario 2: the firewall service is installed and running, but no rules have been configured yet

[screenshot of the command output omitted]

Scenario 3: the firewall service is not installed

[screenshot of the command output omitted]

II. Installing, starting and stopping the iptables service:

1. Installation (using yum as the example): yum install -y iptables

2. Start: service iptables start; the corresponding stop command: service iptables stop

III. Basic iptables configuration

1) Common parameters:

-A  append a rule at the end of a chain

-I  insert a rule at the specified position (at the top of the chain if no position is given)

-d  destination address

-D  delete a rule, e.g. iptables -D INPUT 8 (deletes rule 8 of the INPUT chain)

-n  numeric output: show IP addresses and port numbers without resolving them to names

-R  replace a rule, e.g. iptables -R INPUT 1 -s 192.168.0.1 -j DROP replaces the first rule with one that drops packets from the source IP 192.168.0.1, so that host can no longer log in

-i  incoming interface name, e.g. eth0; used on the INPUT chain (also valid in FORWARD and PREROUTING)

-o  outgoing interface name, e.g. eth0; used on the OUTPUT chain (also valid in FORWARD and POSTROUTING)

-m  load a match module, which extends iptables with additional matching functions

-L  list the rules of a chain; usually combined with --line-numbers to show each rule's position

2) Common operations:

1. Flush all rules: iptables -F

2. Delete all user-defined chains: iptables -X

3. Blocking an IP range:

For example:

# Block the whole class A range 192.0.0.1 to 192.255.255.254 with the following rule:

iptables -I INPUT -s 192.0.0.0/8 -j DROP

# Block the class B range 192.168.0.1 to 192.168.255.254 with the following rule:

iptables -I INPUT -s 192.168.0.0/16 -j DROP

# Block the class C range 192.168.200.1 to 192.168.200.254 with the following rule:

iptables -I INPUT -s 192.168.200.0/24 -j DROP

4. Allow access by physical (MAC) address: -m mac --mac-source

For example: iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

5. Match on the payload of a packet: -m string --string "string to look for in the packet"

For example:

iptables -A FORWARD -p udp --dport 53 -m string --string "Tencent" --algo kmp -j DROP

# Matches UDP traffic to port 53 that contains the keyword and drops it

# --algo selects the string search algorithm; kmp and bm are both supported and either may be given

6. Forwarding between network interfaces

On a server used as a firewall or gateway, one interface is connected to the public network and the other to the internal network, and packets arriving on the internal interface must be forwarded to the public one. Assuming eth0 is connected to the intranet and eth1 to the public network, the rule is:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

(The kernel must also have IP forwarding enabled, net.ipv4.ip_forward = 1, or packets never reach the FORWARD chain.)

7. Port forwarding

iptables can also forward individual ports:

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 80 -j DNAT --to 192.168.1.1:8080

The command above forwards packets addressed to port 80 of 192.168.0.1 (the -d match) to port 8080 of 192.168.1.1.

8. Allow a consecutive port range on a given interface:

iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 137:139 -j ACCEPT  # allow access to ports 137 through 139

Note: another way to configure several ports at once is the multiport match, with the ports separated by commas, e.g.

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -j ACCEPT

IV. Saving rules:

1. service iptables save or iptables-save

service iptables save writes the current rules to /etc/sysconfig/iptables; to save them to a file of your choice instead:

iptables-save > /path/to/rules.file

Note: saved rules only take effect again after the service is restarted (or the file is loaded with iptables-restore).

2. Add the service to system startup with chkconfig:

chkconfig iptables on

3. Restoring rules:

service iptables start or iptables-restore < /path/to/rules.file

Note: pay attention to how the rule table was saved and restore it the matching way: whichever method was used to save must also be used to restore.
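As an added example (not from the original post), the following script assembles the kinds of rules listed in sections III.2 and IV into a single ruleset in the format that iptables-save writes and iptables-restore reads, which is also the format of /etc/sysconfig/iptables on CentOS. The admin subnet, the blocked range and the ports are assumed, constructed values:

```shell
#!/bin/sh
# Added example, not from the original post: build a host firewall ruleset in
# iptables-restore format so it can be inspected before it is loaded and saved
# with the same tools the notes describe (iptables-save / iptables-restore).
# Assumed, constructed values: admin subnet, blocked range, SSH and web ports.

MGMT_NET="${MGMT_NET:-192.168.140.0/24}"   # hosts allowed to reach SSH
BLOCKED_NET="${BLOCKED_NET:-10.20.0.0/16}" # range to shut out entirely

# Print the ruleset. iptables walks a chain top to bottom and the first match
# wins, so the DROP for BLOCKED_NET sits before the service ACCEPTs, the same
# effect "-I INPUT" has when the other rules were added with "-A INPUT".
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the blocked range must come before any ACCEPT that could match it
-A INPUT -s ${BLOCKED_NET} -j DROP
# SSH only from the admin subnet
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 -j ACCEPT
# public web ports via multiport instead of one rule per port
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# log what falls through, rate limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Number of rules in a chain, as "iptables -L <chain> --line-numbers" would list.
count_chain_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# 1-based position of the first rule in chain $1 whose text matches $2; this is
# the number "-D <chain> n" and "-R <chain> n" refer to.
rule_position() {
    build_ruleset | grep "^-A $1 " | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Write the ruleset to a file. When run as root with iptables-restore present,
# parse-check it with --test; loading it is then "iptables-restore < file".
write_ruleset() {
    out="${1:-/tmp/iptables.rules}"
    build_ruleset > "$out"
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        if iptables-restore --test "$out" 2>/dev/null; then
            echo "ruleset parses cleanly: $out"
        else
            echo "iptables-restore could not parse $out (or --test is unsupported)"
        fi
    else
        echo "ruleset written, not loaded: $out"
    fi
}

# Stand-alone use: print the ruleset, or write it to the path given as $1.
if [ -n "${1:-}" ]; then write_ruleset "$1"; else build_ruleset; fi
```

Loading the file with iptables-restore replaces the whole filter table in one step, which avoids the gap a sequence of separate iptables -F and iptables -A commands leaves between flushing and finishing. The two helper functions mirror what iptables -L INPUT --line-numbers shows, so the position used with -D INPUT n or -R INPUT n can be checked against the file before the live ruleset is touched.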

V. Advanced topics

1. Rule tables:

The five tables nat, mangle, filter, raw and security are selected with the -t option; the default is filter. Their functions are:

nat: has the PREROUTING and POSTROUTING chains. Its job is one-to-one, one-to-many and many-to-many address translation (SNAT and DNAT). Because of how translation works, a packet that needs destination translation does not need source translation, and vice versa, so to speed up packet rewriting each packet passes through this table only once while the firewall runs. If filtering rules were defined in this table, the same packet could not be compared more than once, so this table should not be used for anything other than address translation.

mangle: has the PREROUTING, FORWARD and POSTROUTING chains. Besides address translation, some special applications also need to rewrite packet fields (TTL, TOS) or set a MARK (tag the packet for later filtering); such rules must be defined in the mangle table. Because it is rarely needed, the use of mangle is not discussed here.

filter: the default table, with the INPUT, FORWARD and OUTPUT chains. As its name implies, it holds the filtering actions for packets (for example DROP, LOG, ACCEPT or REJECT), and this is where the basic rules are set up.

raw: used to configure packets that the system should not track; packets matched in raw bypass connection tracking.

security: used to enforce mandatory access control network rules.

2. Rule chains:

A table is made up of chains, and a chain is an ordered list of rules.

iptables has five chains in total: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. They can be described as:

INPUT: packets flowing into the server

OUTPUT: packets flowing out of the server

FORWARD: packets routed through the server

PREROUTING (pre-routing, before arrival): packets can be modified when they reach the server

POSTROUTING (post-routing, before departure): packets can be modified when they are about to leave the server

3. Common actions (targets) in the rule tables: ACCEPT, REJECT, DROP, REDIRECT, MASQUERADE, LOG, DNAT, SNAT, MIRROR, QUEUE, RETURN, MARK:

ACCEPT: let the packet through. After this action no further rules are compared; processing jumps straight to the next chain (nat:POSTROUTING).

REJECT: block the packet and send a notification back to the sender. Several notification types are available: icmp-port-unreachable, echo-reply or tcp-reset (which asks the other side to close the connection). After this action the filter program is interrupted and no further rules are compared. A simple example:

iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset

DROP: discard the packet without further processing. After this action no further rules are compared; the filter program is interrupted directly.

REDIRECT: redirect the packet to another port (PNAT). After this action the packet continues to be compared against other rules. This can be used to build a transparent proxy or to protect a web server. For example:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

LOG: record information about the packet under /var/log (see /etc/syslog.conf for the details); after this action the packet continues to be compared against other rules. For example:

iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

SNAT: rewrite the packet's source IP to a specific IP or IP range, optionally with a port range. After this action processing jumps straight to the next chain (mangle:POSTROUTING). For SNAT, whatever the number of addresses, the IP to translate to must be given explicitly. If the machine dials up over ADSL and its public IP is therefore dynamic, use MASQUERADE instead. Examples:

iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

DNAT: rewrite the packet's destination IP to a specific IP or IP range, optionally with a port range. After this action processing jumps straight to the next chain (filter:INPUT or filter:FORWARD). Example:

iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10:80-100

MIRROR: mirror the packet, i.e. swap its source and destination IP and send it back. After this action the filter program is interrupted.

QUEUE: interrupt the filter program and hand the packet to a queue for another program to process, for example a self-developed program that calculates online charges.

RETURN: end filtering in the current chain and return to the calling chain to continue. If a user-defined chain is thought of as a subroutine, this action ends the subroutine early and returns to the main program.

MARK: tag the packet with a value so that later rules can match on it. After this action the packet continues to be compared against other rules. Example:

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
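The interface forwarding and port forwarding rules from section III.2 (items 6 and 7) and the DNAT and MASQUERADE actions above, combined into one gateway ruleset as an added example that is not part of the original post. The interface names, the LAN range and the internal web server address are assumed, constructed values:

```shell
#!/bin/sh
# Added example, not from the original post: a gateway ruleset covering both
# the nat and the filter table in iptables-restore format. Assumed layout
# (all constructed): eth0 = LAN 10.8.0.0/24, eth1 = public side with a dynamic
# address, internal web server 10.8.0.10 reachable from outside on port 80 and
# mapped to 8080. Forwarding also needs net.ipv4.ip_forward = 1 in sysctl.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.8.0.0/24}"
WEB_HOST="${WEB_HOST:-10.8.0.10}"
WEB_PORT="${WEB_PORT:-8080}"

build_gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: inbound port 80 on the public side goes to the internal web server
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${WEB_HOST}:${WEB_PORT}
# MASQUERADE rather than SNAT because the public address is dynamic
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${LAN_IF} -p tcp --dport 22 -j ACCEPT
# FORWARD policy is DROP, so every forwarded flow needs an explicit rule:
# replies, LAN -> public, and the DNAT'ed web traffic, matched on the address
# it carries after DNAT because filter:FORWARD runs after nat:PREROUTING
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -p tcp -d ${WEB_HOST} --dport ${WEB_PORT} -j ACCEPT
COMMIT
EOF
}

# Consistency check: every DNAT target in the nat table must have a matching
# ACCEPT in filter:FORWARD, otherwise the translated packets are dropped.
# Takes a ruleset as $1 (defaults to the one above); returns 0 if consistent.
check_dnat_has_forward() {
    rules="${1:-$(build_gateway_ruleset)}"
    targets="$(printf '%s\n' "$rules" | grep '^-A PREROUTING .* -j DNAT ' \
        | sed 's/.*--to-destination \([^: ]*\):\([0-9]*\).*/\1:\2/')"
    for t in $targets; do
        host="${t%%:*}"
        port="${t##*:}"
        printf '%s\n' "$rules" \
            | grep -q "^-A FORWARD .*-d ${host} --dport ${port} -j ACCEPT" || return 1
    done
    return 0
}

# Stand-alone use: print the ruleset for review or for "iptables-restore < file".
build_gateway_ruleset
```

The check function catches a common mistake when the FORWARD policy is DROP: a DNAT rule is added in the nat table, but no FORWARD rule admits the translated traffic, so the port forward silently fails. It also flags the reverse case, where the FORWARD rule is removed but the DNAT rule stays behind.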

4. Reference links:

i: http://beginman.cn/python/2015/09/08/linux-firewall/

ii: https://wiki.archlinux.org/index.php/iptables_(%E7%AE%80%e4%bd%93%e4%b8%ad%e6%96%87)

iii: https://wiki.centos.org/zh/howtos/network/iptables

This article is from the "Scraps of Knowledge" blog; please keep this source when reposting: http://wyh550.blog.51cto.com/10089932/1789371
