Detailed diagram of iptables firewall

Source: Internet
Author: User
Firewall refers to a combination of components set between different networks or network security domains, which enhances the security of the internal network of the organization. It uses the access control mechanism to determine which internal services allow external access and which external requests are allowed to access internal services. It determines whether an IP packet can be uploaded or transmitted according to the network transmission type. Introduction to firewall
A firewall is a combination of components set between different networks or network security domains. it enhances the security of the internal network of an organization. It uses the access control mechanism to determine which internal services allow external access and which external requests are allowed to access internal services. It determines whether an IP packet can be transmitted to or from the Intranet based on the network transmission type.
The firewall checks every data packet that passes through the review to determine whether it has matched filtering rules, and compares them one by one based on the rule sequence until one of the rules is met, then, the corresponding action is made based on the control mechanism. If none of the above conditions are met, data packets are discarded to protect network security.
A firewall can be considered as a mechanism to block transmission of circulation rows, and a mechanism to allow transmission of circulation. Some firewalls tend to block the passage of transmission streams, while others tend to allow transmission flow.
Firewall can be used to protect vulnerable services, control access to network systems between intranet and internet, and centrally manage intranet security to reduce management costs; improves the confidentiality and privacy of the network. records the use status of the network to provide a basis for security planning and network maintenance.


Firewall classification
Firewall technology is divided into many types based on different defense methods and focuses, but generally it can be divided into two types: packet filtering firewall and proxy server.

Working Principle of firewall

1. how packet filtering firewall works



2. working principle of proxy service firewall
Proxy service firewall implements the firewall function at the application layer. It provides transmission-related statuses, application-related statuses, and transmission-related information. It can also process and manage information.
IptablesIntroduction
Netfilter/iptables (iptables for short) is a packet filtering firewall on the Linux platform. like most Linux software, this packet filtering firewall is free of charge, it can replace expensive commercial firewall solutions to implement functions such as packet filtering, Packet redirection, and network address translation (NAT.

Iptables basics
A rule (rules) is actually a predefined condition of the network administrator. The rule is generally defined as "if the data packet header meets this condition, it will process this packet ". Rules are stored in the information packet filtering table of the kernel space. these rules specify the source address, destination address, and Transmission Protocol (such as TCP, UDP, and ICMP) and service types (such as HTTP, FTP, and SMTP. When a packet matches a rule, iptables processes the packet according to the rule-defined method, such as accept, reject, and drop. The main task of configuring a firewall is to add, modify, and delete these rules.
A chain is the path for packet propagation. each chain is actually a check list among many rules. each chain can have one or several rules. When a packet arrives at a chain, iptables checks the first rule in the chain to check whether the packet meets the conditions defined by the rule. If yes, the system will process the packet according to the method defined by the rule; otherwise, iptables will continue to check the next rule. if the packet does not comply with any rule in the chain, iptables processes data packets according to the predefined default policy of the chain.
Table (tables) provides specific functions. iptables has four built-in tables: filter table, nat table, mangle table, and raw table, which are used for packet filtering respectively, network address translation, packet reconstruction (modification), and data tracking.
Iptables tables, links, rules ()



Iptables packet transmission process
① When a packet enters the NIC, it first enters the PREROUTING chain, and the kernel determines whether to forward the packet based on the destination IP address.
② If the data packet enters the local machine, it will move down the graph and reach the INPUT chain. After the packet arrives at the INPUT chain, any process will receive it. Programs running on the local machine can send data packets that pass through the OUTPUT chain and then reach the POSTROUTING chain OUTPUT.
③ If the packet is to be forwarded and the kernel allows Forwarding, the packet will move to the right, go through the FORWARD chain, and then reach the POSTROUTING chain output. ()


Iptables command format
The command format of iptables is complex. the general format is as follows:
Iptables [-t table] Command [chain] [rules] [-j target]
Table -- indicates
Command-the operation command for the chain
Chain -- chain name
Rules -- rules
Target -- how to perform the action

1. table options
The table option specifies the iptables built-in table to which the command applies. iptables includes the filter table, nat table, mangle table, and raw table.

2. command option iptables command format
Command description
-P or? Policy <链名> Define default policy
-L or? List <链名> View the iptables rule list
-A or-append <链名> Add one rule at the end of the rule list
-I or? Insert <链名> Insert 1 rule at the specified position
-D or? Delete <链名> Delete a rule from the rule list
-R or? Replace <链名> Replace a rule in the rule list
-F or? Flush <链名> Delete all rules in the table
-Z or? Zero <链名> Returns the data packet counter and traffic counter in the table to zero.

3. matching options
Matching Description
-I or? In-interface <网络接口名> Specify the network interface from which the data packet enters, such as ppp0, eth0, and eth1.
-O or? Out-interface <网络接口名> Specify the network interface from which data packets are output, such as ppp0, eth0, and eth1.
-P or-proto protocol type <Protocol Type> specifies the Protocol for Packet matching, such as TCP, UDP, and ICMP.
-S or? Source <源地址或子网> SOURCE address of the specified data packet matching
? Sport <源端口号> Specify the source port number that the data packet matches. you can use the "start Port: end port number" format to specify a port range.
-D or? Destination <目标地址或子网> Specify the target address for packet matching
? Dport destination port number specifies the destination port number that the data packet matches. you can use the format of "starting port number: ending port number" to specify a port range.

4. action options
Action description
ACCEPT data packets
DROP dropped data packets
REDIRECT and DROP are basically the same. The difference is that in addition to blocking packets, REDIRECT also returns error messages to the sender.
SNAT source address conversion, that is, changing the source address of the data packet
DNAT destination address translation: changes the destination address of the data packet.
MASQUERADEIP disguise is often referred to as the NAT technology. MASQUERADE can only be used for IP spoofing of dial-up Internet access such as ADSL, that is, the IP address of the host is dynamically allocated by the ISP; if the IP address of the host is static and fixed, use SNAT
LOG function, which records information about data packets that comply with the rules in logs for administrator analysis and troubleshooting.
Iptables command format ()

Iptables filter condition ()


Iptables syntax
1. define the default policy
When a packet does not comply with any rule in the chain, iptables processes the packet based on the predefined default policy of the chain. the format of the default policy is as follows.
Iptables [-t table name] <-P> <链名> <动作> ? The parameters are described as follows.
[-T table name]: the table to which the default policy applies. filter, nat, and mangle can be used. If no table is specified, iptables uses the filter table by default.
<-P>: defines the default policy.
<链名> : The chain to which the default policy applies. INPUT, OUTPUT, FORWARD, PREROUTING, OUTPUT, and POSTROUTING can be used.
<动作> : Action to process data packets. you can use ACCEPT (ACCEPT data packets) and DROP (discard data packets ).
2. View iptables rules
The command format for viewing iptables rules is:
Iptables [-t table name] <-L> [chain name]
The parameters are described as follows.
[-T table name]: lists the rules of a table. you can use filter, nat, and mangle to list the rules. If no table is specified, iptables displays the rule list of the filter table by default.
<-L>: view the list of rules for the specified table and chain.
[Chain name]: it refers to the list of chain rules in a specified table. INPUT, OUTPUT, FORWARD, PREROUTING, OUTPUT, and POSTROUTING can be used. If no chain is specified, the rule list of all links in a table is displayed.
3. add, insert, delete, and replace rules
The rules are defined in the following format:
Iptables [-t table name] <-A | I | D | R> chain name [rule number] [-I | o Nic name] [-p protocol type] [-s source IP address | source subnet] [-- sport source port number] [-d destination IP address | destination subnet] [-- dport destination port number] <-j action>
The parameters are described as follows.
[-T table name]: defines the table to which the default policy applies. filter, nat, and mangle can be used. If no table is specified, iptables uses the filter table by default.
-A: A new rule is added to the last row of the rule list. rule numbers cannot be used for this parameter.
-I: insert a rule. rules at the specified position will be moved in sequence. If no rule number is specified, insert the rule before the first rule.
-D: Delete a rule from the rule list. you can enter a complete rule or specify a rule number to delete it.
-R: If a rule is replaced, the sequence is not changed. you must specify the number of the rule to be replaced.
<链名> : Specifies the chain rule list in the specified table. INPUT, OUTPUT, FORWARD, PREROUTING, OUTPUT, and POSTROUTING can be used.
[Rule number]: The rule number is used to insert, delete, and replace rules. The number is arranged in the order of the rule list. the number of the first rule in the rule list is 1.
[-I | o Nic name]: I indicates the NIC from which the data packet enters, and o indicates the NIC from which the data packet is output. You can use ppp0, eth0, and eth1 Nic names.
[-P protocol type]: you can specify the protocol applied by the rule, including TCP, UDP, and ICMP.
[-S source IP address | source subnet]: IP address or subnet address of the source host.
[-- Sport source port number]: source port number of the IP address of the data packet.
[-D Target IP address | target subnet]: IP address or subnet address of the target host.
[-- Dport destination port number]: Destination port number of the IP address of the data packet.
<-J action>: Action of processing data packets. for details about each action, see the preceding description.
4. clear rules and counters
When creating a rule, you often need to clear the original and old rules to avoid affecting them? New rules. If there are many rules, it will be very troublesome to delete them one by one ,? In this case, you can use the clearing rule parameter provided by iptables to quickly delete all rules? .
The format of the defined parameters is:
Iptables [-t table name] <-F | Z>
The parameters are described as follows.
[-T table name]: specifies the table to which the default policy applies. filter, nat, and mangle can be used. If no table is specified, iptables uses the filter table by default.
-F: delete all rules in the specified table.
-Z: returns the data packet counter and traffic counter in the specified table to zero.
NAT definition
NAT stands for Network AddressTranslation. it refers to Network address translation. it is an IETF standard that allows an organization to appear on the Internet with an address. NAT converts the addresses of each Lan node into one IP address, and vice versa. It can also be applied to the firewall technology to hide individual IP addresses from external discovery, so that external networks cannot directly access internal network devices. at the same time, it also helps the network to surpass address restrictions, reasonably arrange the use of public and private IP addresses in the network.
NAT type
Static NAT)
Static NAT is the simplest and easiest to implement. each host in the internal network is permanently mapped to a valid address in the external network.
Dynamic address NAT (Pooled NAT)
Dynamic address NAT defines a series of valid addresses in the external network and maps them to the internal network using dynamic allocation.
Dynamic address NAT only converts IP addresses. it allocates a temporary external IP address for each internal IP address, which is mainly used for dialing. Dynamic NAT can also be used for frequent remote connections.
Network address Port translation NAPT (Port-Level NAT)
NAPT maps internal addresses to different ports of an IP address of an external network.
The most familiar conversion method. NAPT is widely used in access devices. it can hide small and medium networks behind a valid IP address. Unlike dynamic address NAT, NAPT maps internal connections to a separate IP address in the external network, and adds a TCP port number selected by the NAT device to the address.

Iptables instance
Prohibit clients from accessing unhealthy websites
[Example 1] add iptables rules to prohibit users from accessing websites with the domain name www.sexy.com.
Iptables-I FORWARD-d www.sexy.com-j DROP
[Example 2] add an iptables rule to prohibit users from accessing a website with the IP address of 255.255.255.255.20.
Iptables-I FORWARD-d too many limit 20-j DROP
Prohibit some clients from accessing the Internet.
[Example 1] add an iptables rule to disable clients whose IP address is 192.168.1.X from accessing the Internet.
Iptables-I FORWARD-s 192.168.1.X-j DROP
[Example 2] add an iptables rule to disable all clients in the 192.168.1.0 subnet from accessing the Internet.
Iptables-I FORWARD-s 192.168.1.0/24-j DROP
Prohibit clients from accessing certain services
[Example 1] prohibit all clients in the 192.168.1.0 subnet from downloading through FTP.
Iptables-I FORWARD-s 192.168.1.0/24-p tcp? Dport 21-j DROP
[Example 2] disable all clients in the 192.168.1.0 subnet from using Telnet to connect to a remote computer.
Iptables-I FORWARD-s 192.168.1.0/24-p tcp? Dport 23-j DROP
Force access to the specified site
[Example] force all clients to access the Web server 192.168.1.x.
Iptables-t nat-I prerouting-I eth0-p tcp? Dport 80-j DNAT? To-destination 192.168.1.x: 80
Disable ICMP
[Example] do not allow computers on the Internet to ping the ppp0 interface of the NAT server through ICMP, but allow clients on the intranet to ping the computer through ICMP.
Iptables-I input-I ppp0-p icmp-j DROP
Publish an internal network server
[Example 1] publish the Web service for the intranet 10.0.0.3 host. Internet users can access the Web service of the host by accessing the IP address of the firewall.
Iptables-t nat-I PREROUTING-p tcp? Dport 80-j DNAT? To-destination 10.0.0.3: 80
[Example 2] Terminal Services of the intranet host 10.0.0.3 (using port 3389 of the TCP protocol) are released. Internet users access the terminal services of the host by accessing the IP address of the firewall.
Iptables-t nat-I PREROUTING-p tcp? Dport 3389-j DNAT? To-destination 10.0.0.3: 3389
Case details
[Case 1] is used as the basic configuration of the client/terminal? DNS PING LO

[Case 2] basic server configuration: ssh dns www ftp email ()


[Case 3] as the basic configuration of the Gateway: ssh dns www ftp email nat) snat dnat speed limit ()


Case 4: status detection ()


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.