Experience in RHCE Iptables

Source: Internet
Author: User
Tags: ftp, connection
iptables is the only tool for managing Netfilter, which is embedded directly in the Linux kernel. It can build a firewall for a personal workstation, or a firewall for a whole subnet that protects other systems (a large share of the hardware firewalls on the market are also built on iptables). Netfilter filters inside the kernel without a daemon, inserting its policies at layers 2, 3 and 4 of the OSI model. Filtering is very fast because it only inspects the packets and adds no overhead to the traffic flow.
Netfilter provides a series of tables; each table consists of several chains, and each chain is made up of one or more rules. In other words, Netfilter is a container of tables, a table is a container of chains, and a chain is a container of rules.
Netfilter tables and chains:
Table description:
filter: packet filtering (the default table).
nat: network address translation.
mangle: specialised packet alteration (modifying header fields).
Chain description:
PREROUTING: packets that have just arrived, before the routing decision (nat).
INPUT: packets routed to the local host (filter).
FORWARD: packets that pass through the local system to be forwarded elsewhere (filter).
OUTPUT: packets generated by the local host and sent out; it comes before POSTROUTING (nat and filter).
POSTROUTING: packets about to leave the system after the routing decision (nat).
Netfilter data packet process:

Basic Iptables Syntax:
iptables has three built-in tables: filter, nat and mangle. The -t parameter selects the table a command applies to; if -t is omitted, the filter table is used by default.
In the figure, packets arriving on the INPUT chain from source address 192.168.0.1 are dropped outright.
iptables service commands:
service iptables save: saves the current iptables rules (to /etc/sysconfig/iptables). Always save after editing the rules.
service iptables restart: if you save the settings but do not restart, they do not take effect; restart the service to apply them.
service iptables status: shows the current rules, similar to iptables -L.
Basic chain operation commands of iptables:
-L lists the rules in a chain or table (service iptables status is the equivalent of this command):
iptables -L: displays the rules in the filter table, equivalent to iptables -t filter -L.
iptables -t nat -L: displays the rules in the nat table.
-F flushes the rules of a chain or table:
iptables -F (same as iptables -t filter -F): deletes all rules in the filter table;
iptables -t nat -F: deletes all rules in the nat table;
iptables -t nat -F POSTROUTING: deletes all rules of the POSTROUTING chain in the nat table.
-A appends a rule (after the current rules, i.e. at the end of the chain):
iptables -A INPUT -s 192.168.0.1 -j DROP
As in the earlier example, packets from 192.168.0.1 are dropped; -t filter is omitted here.
After adding this rule, save the settings and restart the iptables service. Run iptables -L and you will see that the new rule has been placed after all the existing ones.
----------- iptables evaluates rules in order: the first rule that matches decides the packet's fate.
-I inserts a rule at a given position:
(If there is a loopback rule, iptables -A INPUT -i lo -j ACCEPT, it will always be the first one.)
iptables -I INPUT ...: inserts the rule as the first rule of the chain.
iptables -I INPUT X ...: inserts the rule at position X, where X is the rule's sequence number.
iptables -I INPUT -p tcp -s 192.168.0.1 --dport 22 -j ACCEPT
Allows 192.168.0.1 to reach this host on port 22 and inserts the rule at the top of the INPUT chain.
----------- iptables evaluates rules in order: the first rule that matches decides the packet's fate.
-P sets the default policy of a chain:
iptables -P INPUT DROP: drops every INPUT packet that no rule explicitly accepts. Use this command with caution.
iptables -P OUTPUT ACCEPT: allows all OUTPUT packets.
-D deletes a rule:
iptables -D CHAIN X: deletes rule number X from a chain.
iptables -D INPUT 3: deletes the third rule on the INPUT chain.
The policy set by iptables -P INPUT DROP cannot be removed with -D; you can only reset it by entering iptables -P INPUT ACCEPT on the local console.
Matches in iptables:
iptables -I INPUT -p tcp -s 192.168.0.1 --dport 22 -j ACCEPT
We saw this command above. Now look at some of the other matching parameters.
-p PROTOCOL matches the network protocol; here it is tcp.
-s IP-ADDRESS|CIDR matches the source IP address or CIDR block.
In this example a single IP address is matched; to match a whole CIDR block:
-s 192.168.0.1/24
To match everything except this CIDR block: ! -s 192.168.0.1/24
To match everything except this single address: ! -s 192.168.0.1
-d IP-ADDRESS|CIDR matches the destination IP address or CIDR block.
--dport X matches the destination port number X.
--sport X matches the source port number X.
Targets in iptables:
As seen above, -j is followed by the target.
ACCEPT: lets the packet through.
DROP: discards the packet silently.
REJECT: discards the packet and sends an error response back to the sender.
Setting up the basic iptables rules (host firewall):
1. Clear the existing rules: iptables -F
2. Add the loopback rule; many services cannot start without it:
iptables -A INPUT -i lo -j ACCEPT
3. Connection-tracking rule: accept the packets the remote host sends back once a connection has been allowed.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
NEW: a packet that opens a new connection
INVALID: an invalid packet, e.g. corrupted or incomplete
ESTABLISHED: a packet belonging to an already established connection
RELATED: a packet related to a connection that has already been sent
4. iptables -P INPUT DROP: drop incoming packets by default ---- use this command with caution.
5. iptables -P FORWARD DROP: disable packet forwarding by default.
6. iptables -P OUTPUT ACCEPT: allow outgoing packets.
7. Once this is in place, open the ports you need:
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT opens FTP ports 20 and 21.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT opens HTTP port 80.
iptables -I INPUT -p tcp --dport 22 -j ACCEPT opens port 22 for SSH.
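The seven steps above as one iptables-restore ruleset, an added example that is not part of the original article: the function prints the policy in the format that service iptables save writes to /etc/sysconfig/iptables, so the whole set loads atomically and the rule order (loopback, then established traffic, then opened ports) is fixed. The port specs, the INVALID-state drop and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): the host-firewall steps
# as a generated iptables-restore ruleset. Loading it with iptables-restore
# replaces the rules atomically, and ordering is fixed: loopback first,
# then established/related traffic, then the explicitly opened ports.

# host_firewall_rules SPEC... -> prints the ruleset; each SPEC is
# proto:port or proto:first:last (e.g. tcp:22, tcp:20:21).
host_firewall_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    for spec in "$@"; do
        proto=${spec%%:*}          # tcp or udp
        port=${spec#*:}            # 22 or 20:21
        case $proto in
            tcp|udp) ;;
            *) echo "bad spec: $spec" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    echo COMMIT
}

# Apply the policy (root only) and persist it for the next boot (RHEL path).
apply_host_firewall() {
    host_firewall_rules "$@" | iptables-restore &&
    host_firewall_rules "$@" > /etc/sysconfig/iptables
}

# Usage: apply_host_firewall tcp:20:21 tcp:80 tcp:22
```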
Setting iptables FORWARD rules:
Normally the FORWARD chain policy is DROP, but when the host does NAT we need to set forwarding rules.
First enable forwarding in the kernel: edit /etc/sysctl.conf and set net.ipv4.ip_forward to 1.

iptables forwarding rules (required for NAT when the default FORWARD policy is DROP):
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Discard malformed TCP packets (a NEW connection whose first packet is not a SYN):
# iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Limit the number of IP fragments processed, to mitigate fragment floods: at most 100 fragments per second are accepted.
# iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
Rate-limit ICMP packets to 1 per second, with a burst of 10 packets before the limit kicks in.
# iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
I only allow ICMP packets through here because I have these limits in place.
Connection tracking: checks the "state" of a packet.
Recognised states:
NEW: a packet that opens a new connection
INVALID: an invalid packet, e.g. corrupted or incomplete
ESTABLISHED: a packet belonging to an already established connection
RELATED: a packet related to a connection that has already been sent
Connection tracking modules:
ip_conntrack_ftp: tracks FTP connections automatically and opens the high-numbered data port through the firewall.
ip_conntrack_tftp: the same function, but for the TFTP service.
ip_nat_ftp: rewrites the FTP packets of hosts protected by NAT.
ip_nat_tftp: the same, but for TFTP packets.
To load them at service start, edit /etc/sysconfig/iptables-config and set:
IPTABLES_MODULES="ip_conntrack_tftp ip_nat_ftp"

You can also load a module by hand with modprobe ip_conntrack_tftp, but that does not survive a reboot.
Connection tracking example:
Allow established connections to continue:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept new connections only to the tracked service (SMTP, port 25):
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
Block every other new connection:
iptables -A INPUT -m state --state NEW -j DROP
NAT (Network Address Translation): rewrites one IP address into another, on incoming or outgoing packets.
Types of address translation:
Destination NAT (DNAT): DNAT modifies the destination address of a packet. This must happen before the packet is delivered to the local host or forwarded to another host, so rules with the DNAT target are placed in the PREROUTING chain of the nat table.
Source NAT (SNAT, MASQUERADE): SNAT modifies the source address (or source port) of a packet immediately before it leaves the kernel, so SNAT rules are placed in the POSTROUTING chain of the nat table.
NAT example:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
Redirects packets arriving on eth1 (the interface connected to the Internet) for port 80 to port 8080 of 192.168.1.3.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3 --to-destination 192.168.1.4 --to-destination 192.168.1.5
With this rule the first request goes to 192.168.1.3, the second to 192.168.1.4, and so on in a round-robin loop, which gives simple load balancing.
The rule above lets the Internet reach the web server listening on port 8080 on the intranet. How does the intranet web server get its traffic back out? For that we need SNAT.
SNAT always takes a --to-source argument; the possible forms are:
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.3-192.168.1.9
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 192.168.1.3:123
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 192.168.1.3:123-234
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The first method uses SNAT directly as the target, which suits gateways with a fixed IP address. The other uses MASQUERADE, which suits gateways that only have a dynamic IP address (for example an ADSL connection using PPPoE). Because MASQUERADE has to cope with the interface going down and coming back with a different address, its translation logic is more complex and costs noticeably more CPU. So if you have a fixed IP address, prefer SNAT over MASQUERADE.
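The FORWARD rules and the DNAT/SNAT example above combined into one NAT gateway ruleset, an added example that is not part of the original article. It assumes eth0 is the Internet-facing interface and eth1 the LAN, uses 192.168.1.3:8080 as the internal web server and 203.0.113.10 as a placeholder public address, and adds the FORWARD rule for the DNAT'd web traffic that the article's rules alone would drop under the FORWARD DROP policy.

```shell
#!/bin/sh
# Added example (not from the original article): FORWARD rules plus
# DNAT/SNAT as one iptables-restore ruleset for a NAT gateway. Interface
# names, the web server 192.168.1.3:8080 and the public IP are placeholders.

# nat_gateway_rules WAN LAN WEB_HOST [PUBLIC_IP] -> prints the ruleset.
# With PUBLIC_IP the gateway has a fixed address and SNAT is used;
# without it MASQUERADE is used (dynamic address, e.g. PPPoE).
nat_gateway_rules() {
    wan=$1; lan=$2; web=$3; pub=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp -m tcp --dport 80 -j DNAT --to-destination $web:8080
EOF
    if [ -n "$pub" ]; then
        printf '%s\n' "-A POSTROUTING -o $wan -j SNAT --to-source $pub"
    else
        printf '%s\n' "-A POSTROUTING -o $wan -j MASQUERADE"
    fi
    # FORWARD policy is DROP: established traffic first, then the sanity
    # checks and limits, then the DNAT'd web traffic and LAN-to-Internet.
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A FORWARD -i $wan -o $lan -d $web -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# Enable forwarding in the kernel and load the policy (root only).
apply_nat_gateway() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null &&
    nat_gateway_rules "$@" | iptables-restore
}

# Usage: apply_nat_gateway eth0 eth1 192.168.1.3 203.0.113.10   (fixed IP)
#        apply_nat_gateway eth0 eth1 192.168.1.3                (dynamic IP)
```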