Detailed description of the iptables firewall configuration
(Note: This article gives a comprehensive and in-depth introduction to the use of iptables on Linux. Strongly recommended.)
For a system connected to the Internet, assume that the network is not secure. Building a firewall does not guarantee 100% security, but it is absolutely necessary. Linux provides a very good firewall tool, Netfilter/iptables. It is completely free, powerful and flexible, can filter inbound and outbound traffic in fine detail, and runs well on a low-specification machine. This article briefly introduces the use of Netfilter/iptables for firewall setup, Internet connection sharing and other applications.
Netfilter/iptables is regarded as the fourth-generation packet-filtering implementation in Linux. It has been included in the kernel since 2.4 and implements firewalling, NAT (Network Address Translation) and packet mangling. Netfilter works inside the kernel, while iptables is the user-space tool with which the tables of the rule set are defined. Netfilter/iptables evolved from ipchains and ipfwadm (IP firewall administration) and provides more powerful functions. Netfilter/iptables is collectively referred to as iptables.
You can use iptables to build a firewall for UNIX, Linux and BSD workstations, or a firewall for a subnet that protects other system platforms. iptables reads only the packet headers, so it neither burdens the traffic flow nor requires inspection of the payload. For better security, combine it with a proxy server such as Squid.
Basic Concepts
A typical firewall has two network interface cards (NICs): one inbound and one outbound. iptables reads the headers of inbound and outbound packets and compares them with the rule set; acceptable packets are forwarded from one NIC to the other, and the rest are dropped or otherwise processed as the rules define.
The firewall is given instructions on how to filter packets coming from a given source address, going to a given destination, or carrying a particular protocol type. The iptables system provides the special command iptables to create these rules and add them to chains in the packet-filtering tables of the kernel. The general syntax for adding, removing and editing rules is:
iptables [-t table] command [match] [target]
1. Table
The [-t table] option selects a table other than the default one. A table is a packet-filtering table that contains rules and chains which process only specific types of packets. Three tables are available: filter, nat and mangle. The option is not required; if it is not given, the filter table is used. The functions of each table are listed in Table 1.
Table 1: Functions of the three tables (table not reproduced in this copy)
2. Command
The command is the most important part of an iptables invocation. It tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule. Table 2 lists the most common commands with examples.
Table 2: Commands and examples (table not reproduced in this copy)
3. Match
The optional match part of the iptables command specifies the characteristics (such as source address, destination address and protocol) that a packet must have to match the rule. Matches are divided into general matches and protocol-specific matches. This section describes general matches, which can be used with any protocol. Table 3 lists important and common matches with examples.
Table 3: General matches and examples (table not reproduced in this copy)
4. Target
The target is the action the rule specifies; it is applied to the packets that match the rule. Besides user-defined targets, many built-in targets are available. Table 4 lists common targets with examples.
Beyond Table 4 there are many other targets for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR and MASQUERADE.
Table 4: Targets and examples (table not reproduced in this copy)
Applying iptables
Unlike ipchains and ipfwadm, iptables can be configured as a stateful firewall. iptables can examine the source and destination address, the source and destination port, and the sequence of inbound packets; that is, it remembers which packets have already been accepted. This allows temporary ports to be opened only when they are needed and all requests that would occupy a port permanently to be rejected, which greatly improves security. At the same time, packets whose headers have been modified are detected and discarded even if they carry a permitted destination address and port. In addition, a stateful firewall can specify and remember the state of a connection established to send or receive packets; the firewall obtains this information from the connection-tracking state of the packets. Using that state information when deciding how to filter new packets increases efficiency and speed.
1. Starting and stopping iptables
The following sections use iptables to build a firewall. How iptables is started and stopped depends on the Linux distribution in use; consult the documentation of your distribution. iptables is generally included in the distribution. Run iptables --version to check whether it is installed; on Red Hat 9.0 the installed version is iptables v1.2.7a. If iptables is not installed, it can be downloaded from http://www.netfilter.org.
2. Viewing the rule set
The above is only a brief introduction to iptables usage. Run man iptables for the complete description of all commands and options, or iptables --help for quick help. To view the rule set currently loaded in the system, run:
iptables --list
When no rules are defined, the output looks like this:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
As the listing shows, every packet passes through one of the three built-in chains: INPUT, OUTPUT and FORWARD.
filter is the most commonly used table. The three most commonly used targets in the filter table are ACCEPT, DROP and REJECT. DROP discards the packet without processing it any further; REJECT additionally sends an error message back to the host that sent the packet.
Red Hat 9.0 provides a GUI program for simple configuration at the level chosen during system installation. It is started from Main Menu → System Settings → Security Level (Figure 1). Set the security level to "High" and choose to use the default firewall rules. Click OK and then run iptables --list: the rule set differs noticeably from the one shown before any rules were defined, as follows:
[root@workstation root]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
......
In practice this GUI tool is rarely used, because its functions are limited and it is not transparent. The corresponding tool in SuSE 9.0 is much better: it allows more detailed firewall configuration in the GUI (for example, adding IP forwarding and masquerading). Otherwise, you add and delete rules yourself.
3. Adding rules
In this example the rule blocks packets from a particular IP address range, because the administrators suspect that many malicious attackers are active in that range (123.456.789.0/24 is the article's placeholder; 456 and 789 are not valid octets, so substitute a real range):
# iptables -t filter -A INPUT -s 123.456.789.0/24 -j DROP
It is just as easy to block all packets flowing to the attacker's addresses; the command differs only slightly:
# iptables -t filter -A OUTPUT -d 123.456.789.0/24 -j DROP
Note that the -A option appends a rule to an existing chain, as described earlier.
4. Deleting a rule
Malicious attackers on the network keep moving, so the blocked IP addresses must change constantly. Suppose an attacker has moved to a new IP address and the old address has been assigned to innocent users: their packets can no longer pass through your network. In this case, delete the existing rule with the -D option:
# iptables -t filter -D OUTPUT -d 123.456.789.0/24 -j DROP
5. Default policy
It takes a lot of time to build a rule set that is flexible and stands up to all kinds of unexpected events. For those who do not have that time, the most basic principle is "deny all packets first, then allow what is requested". Next, set the default policy of each chain:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
The -P option sets the chain policy; only the three built-in chains have a policy. These policies let information flow out without restriction but do not let anything in. To receive information from outside, run for example:
# iptables -t filter -A INPUT -s 123.456.789.0/24 -j ACCEPT
6. Using the SYN flag
You cannot close all ports, nor can you simply name a few ports to keep open. So how can you write a rule that lets normal users through while keeping malicious attackers out of the network? Someone starting out with iptables can make good use of the SYN flag to keep unauthorized users out.
iptables only inspects the packet header; in fact many other useful packet-analysis methods besides iptables are based on the header. For example, when you browse the web, a request is sent from your PC to a web server somewhere else. The server answers the request with a reply packet addressed to a temporary port on your system. Unlike the reply, the request carries the SYN flag, whatever content is being transmitted. You can use this property to write a rule that blocks all TCP connections not initiated by your system:
# iptables -t filter -A INPUT -i eth0 -p tcp --syn -j DROP
Here -i names the NIC, -p the protocol, and --syn matches TCP packets with the SYN flag set. SYN is used to initiate a TCP connection; if no server is running on your machine, no legitimate SYN packet should ever be sent to you.
7. Stateful packet inspection
In the preceding examples each packet is treated as independent rather than as part of a related stream of packets. iptables can instead examine the source and destination IP addresses, the source and destination ports, the sequence numbers of inbound packets, TCP sequence information and the header flags (SYN, ACK, FIN, RST, and so on); that is, it tracks the whole connection session, so that the filtering decisions for the packets of one connection are correlated.
8. Sharing an Internet connection
Network Address Translation and IP masquerading let several hosts share one Internet connection; the LAN may mix Linux and Windows systems. Assume a machine with two NICs: eth0 is the "public" NIC and eth1 the "private" NIC, that is, eth0 has a static, routable IP address and eth1 a private, non-routable address on the LAN subnet. To achieve this, add rules to the nat and filter tables:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
This shows the value of stateful packet inspection. Note that inbound packets are allowed only when they belong to an existing connection, while all outbound packets from the LAN are allowed through. The first rule makes all outgoing traffic appear to come from the firewall machine and hides the LAN behind it.
The following commands set the default policies of the FORWARD and POSTROUTING chains. When masquerading, a default DROP policy on POSTROUTING is very important; otherwise a malicious user could get through the gateway and disguise their identity.
# iptables -t filter -P FORWARD DROP
# iptables -t nat -P POSTROUTING DROP
The following command configures a dial-up connection, whose IP address is assigned dynamically:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
9. A server behind the firewall
Sometimes a server sits behind the firewall. In that case iptables needs to know where to pass the packets on to. The configuration is as follows:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10:80
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.11:25
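The gateway of sections 7 to 9 collected into one ordered script, as an added example that is not from the original article. It assumes eth0 is the public NIC, eth1 the LAN NIC, 192.168.1.0/24 the LAN subnet and 192.168.1.10 the internal web server (all placeholder values); with DRY_RUN=1 it prints the commands instead of applying them, so the rule order can be reviewed first.

```shell
#!/bin/sh
# Added example: two-NIC NAT gateway with stateful filtering and one
# published server. WAN_IF, LAN_IF, LAN_NET and WEB_SERVER are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

# ipt: with DRY_RUN=1 print the command instead of running it, so the
# rule order can be reviewed (or diffed) before it touches the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

gateway_rules() {
    # Policies first, then flush: the box is never open during the reload.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F INPUT; ipt -F FORWARD; ipt -F OUTPUT; ipt -t nat -F
    # Loopback and replies to connections the gateway itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited SYNs on the public NIC are dropped (section 6); SSH to
    # the gateway is accepted from the LAN side only.
    ipt -A INPUT -i "$WAN_IF" -p tcp --syn -j DROP
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Anti-spoofing: LAN source addresses never arrive on the public NIC.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # LAN hosts may open connections outwards; only replies come back in.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Published web server (section 9): DNAT rewrites the destination, but
    # the packet is still NEW in FORWARD, so it needs its own ACCEPT.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -j ACCEPT
    # Everything leaving the public NIC appears to come from the gateway.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # Forwarding is off by default; enable it only when really applying.
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# rule_count: number of iptables commands the script would issue.
rule_count() { DRY_RUN=1 gateway_rules | wc -l | tr -d ' '; }
# Stand-alone: "sh gateway.sh show" prints the plan, "sh gateway.sh apply" runs it.
case "${1:-}" in
    show)  DRY_RUN=1 gateway_rules ;;
    apply) gateway_rules ;;
esac
```

The script deliberately does not set a DROP policy on the nat POSTROUTING chain: the nat table sees only the first packet of each connection, and a DROP there would also discard connections the filter table has already accepted, such as the DNAT traffic to the web server.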
10. Saving the rules
So far all examples have been entered on the command line. That is a good way to test new rules, but once the results are satisfactory they can be saved as a script with the iptables-save command:
$ iptables-save > iptables-script
All rules in the packet-filtering tables are saved to the file iptables-script. The iptables-restore command loads the rule set from the script file back into the packet-filtering tables at any time:
$ iptables-restore < iptables-script
To restore the rule set automatically at every boot, put the command above in any initialization shell script.
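Before a saved file is fed to iptables-restore it is worth checking that it still carries the defaults from sections 5, 7 and 8. The following audit is an added example, not part of the original article; WAN_IF, LAN_NET and the embedded iptables-save dump are constructed values, so it runs without root.

```shell
#!/bin/sh
# Added example: audit a saved rule set (iptables-save format) before it is
# restored. WAN_IF, LAN_NET and the sample dump below are constructed values.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# write_sample FILE: writes a constructed dump so the audit can run without root.
write_sample() {
cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP
COMMIT
EOF
}

# policy CHAIN FILE: prints the saved default policy of a filter-table chain;
# awk only looks between "*filter" and its COMMIT, so nat's OUTPUT is ignored.
policy() {
    awk -v c=":$1" '/^\*filter/{f=1} /^COMMIT/{f=0} f && $1==c {print $2}' "$2"
}

# audit FILE: prints one WARN line per finding; the exit status is the count.
audit() {
    n=0
    for chain in INPUT FORWARD; do
        [ "$(policy "$chain" "$1")" = "DROP" ] ||
            { echo "WARN: $chain policy is not DROP"; n=$((n+1)); }
    done
    grep -qF -- '--state RELATED,ESTABLISHED' "$1" ||
        { echo "WARN: no stateful ACCEPT rule (section 7)"; n=$((n+1)); }
    grep -qF -- "-i $WAN_IF -s $LAN_NET -j DROP" "$1" ||
        { echo "WARN: no anti-spoofing DROP for $LAN_NET arriving on $WAN_IF"; n=$((n+1)); }
    return "$n"
}

# Stand-alone run: audit the file given as $1, or else the constructed sample.
f="${1:-${TMPDIR:-/tmp}/iptables-script.sample}"
[ -n "${1:-}" ] || write_sample "$f"
if audit "$f"; then echo "OK: $f"; else echo "$f needs attention"; fi
```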
The following example is not a complete script. It only shows how to use variables and provides some additional sample rules.
#!/bin/sh
# Assign values to variables
IPTABLES=/sbin/iptables
LAN_NET="192.168.1.0/24"
IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# Load the required kernel modules (ip_conntrack is named nf_conntrack on current kernels)
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
# IP forwarding is disabled by default; enable it:
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable support for dynamically assigned IP addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# It is best to clear the previous rules every time this script is run again
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Only allow SSH connections from the LAN
$IPTABLES -A INPUT -s $LAN_NET -p tcp --destination-port ssh -j ACCEPT
# Allow loopback!
$IPTABLES -A INPUT -i $LO_IFACE -p all -j ACCEPT
$IPTABLES -A OUTPUT -o $LO_IFACE -p all -j ACCEPT
# Discard incoming packets on the public NIC that claim to come from the LAN
# Discard outgoing packets that do not come from the local network
$IPTABLES -A INPUT -i $IFACE -s $LAN_NET -j DROP
$IPTABLES -A OUTPUT -o $IFACE ! -s $LAN_NET -j DROP
# Restrict outgoing traffic
$IPTABLES -A OUTPUT -o eth0 -p tcp --dport 31337 -j DROP
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 31337 -j DROP
# Ports 31335, 27444, 27665, 20034 (NetBus), 9704 and 137-139 (SMB) should also be blocked